Some additional Jenkinsfile improvements#39661
Conversation
dfb2a7f to
b588501
Compare
Jenkinsfile
Outdated
There was a problem hiding this comment.
Hm, so looks like "validate" needs to have privileged;
[2019-08-03T18:16:40.092Z] + docker run --rm -t -v /home/ubuntu/workspace/moby_PR-39661-3CKP7XCGKUQMONDQU2RSP42V5SYBDIVL7PRW2C4KIVVRW2B5LUCQ/bundles:/go/src/github.com/docker/docker/bundles -v /home/ubuntu/workspace/moby_PR-39661-3CKP7XCGKUQMONDQU2RSP42V5SYBDIVL7PRW2C4KIVVRW2B5LUCQ/.git:/go/src/github.com/docker/docker/.git --name docker-pr9 -e DOCKER_GITCOMMIT=9b16baed380e8bf01675742438cb957733c0501f -e DOCKER_GRAPHDRIVER docker:9b16baed380e8bf01675742438cb957733c0501f hack/validate/default
[2019-08-03T18:16:40.656Z] mount: permission denied
[2019-08-03T18:16:40.657Z] Could not mount /sys/kernel/security.
[2019-08-03T18:16:40.657Z] AppArmor detection and --privileged mode might break.
[2019-08-03T18:16:40.657Z] mount: permission denied
script returned exit code 32
b588501 to
5a42229
Compare
|
dang; unit-tests also require privileged; we should check if we really need that; |
95a684e to
e1a280d
Compare
|
Argh.. jenkins is acting up |
a4eaa11 to
f461996
Compare
This patch removes the manual steps to resolve the Git commit, and instead, uses the `GIT_COMMIT` that's set by Jenkins's Git plugin. Behavior changes slightly, because `GIT_PLUGIN` contains the full commit-sha, not the short one. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Both of these tests are fairly short, and shouldn't interfer with eachother, so we can combine them and re-use the same dev-image (so that it'll only be built once). Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Having this information can help debugging issues in CI (which could be caused by missing/incorrect configuration of the machines). We ping to a fixed version of the script, because this script is ran directly on the host, and we don't want pull-requests modifying this script to have direct access to the machines. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
f461996 to
1f8ac35
Compare
The .git mount is only needed for the DCO check, and for building the binaries if `DOCKER_GITCOMMIT` is not set. Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
1f8ac35 to
ad28fec
Compare
| } | ||
| } | ||
| stage("Run tests") { | ||
| stage("Docker-py") { |
There was a problem hiding this comment.
I was a bit cautious with the order of these test, because they all bind-mount the bundles directory, and some of the tests will clean that up, which makes archiving artefacts from previous stages complicated (not sure if there's a recommended approach for that?)
| binary-daemon \ | ||
| dynbinary-daemon \ | ||
| test-integration-flaky \ | ||
| test-integration \ |
There was a problem hiding this comment.
Should probably split this up into separate stages as well, but here I was also cautious because we want to archive artifacts
|
Okay, this is all green now; we can do some further splitting-up and organising after this. We should also look at storing the This is what it looks like with these changes:
ping @zelahi @tiborvass @seemethere @andrewhsu PTAL |
zelahi
left a comment
There was a problem hiding this comment.
LGTM, I left one comment. But really liking how the different stages are looking
| @@ -36,35 +37,82 @@ pipeline { | |||
| steps { | |||
| sh 'docker version' | |||
There was a problem hiding this comment.
Was wondering, does the docker version and docker info need to be printed out?
There was a problem hiding this comment.
it helps to find out which version and graph driver has been configured for the node.
unless your question is more along the lines of, "why does docker info have the server version info but not the client version info in the output?"
There was a problem hiding this comment.
Yes, the idea of printing these is to help with debugging (e.g. why does something fail on X, but pass on Y, which could be due to a different version of docker installed, or a different configuration.
There was a problem hiding this comment.
Ahh thanks for clearing that up! I was wondering if it was left here for debugging purposes. It does make sense to have both since docker info doesn't show the client info
|
I don't think locking down As long as there is nothing interesting on the node that the user can get access to and as long as the admins of jenkins control the resources, the |
|
@andrewhsu more-so we shouldn't have the |
True, but the other ones are running inside the container, not on the host (although I spotted the |
| parameters { | ||
| booleanParam(name: 'unit', defaultValue: true, description: 'x86 unit tests') | ||
| booleanParam(name: 'unit_validate', defaultValue: true, description: 'x86 unit tests and vendor check') | ||
| booleanParam(name: 'janky', defaultValue: true, description: 'x86 Build/Test') |
There was a problem hiding this comment.
Also this is more of a knitpick but would it be useful to modify the description of janky. The reason is what's the difference between the tests being ran in unit_validate and janky?
There was a problem hiding this comment.
It really should be named integration-cli although I have no idea what the difference now between janky and experimental is now
nvm, I can see that experimental sets DOCKER_EXPERIMENTAL=y, but still not entirely sure what functionality is still hidden behind experimental
|
@andrewhsu @seemethere I don't understand #39661 (comment) but @thaJeztah made sure that only the people authorized modifying the Jenkinsfile can modify what check-config shell script to run, as the commit is hardcoded in the Jenkinsfile. |
| dynbinary-daemon \ | ||
| test-integration-flaky \ | ||
| test-integration \ | ||
| cross |
There was a problem hiding this comment.
this should be in an other stage. We can do that in a followup
There was a problem hiding this comment.
🤦♂️ ah, we actually discussed that, forgot doing it in the end.
Yes, some more improvements can be made overall (wrt artifacts as mentioned as well). Thought this was a good starting point to split up some steps
|
Ping @cpuguy83 @vdemeester |
playing with some changes to simplify stages, make the steps more consistent, and to move some steps around to reduce time and optimise for parallel stages