#!/bin/bash
# Copyright 2012-2017 Holger Levsen <holger@layer-acht.org>
# released under the GPLv=2

# puppet / salt / ansible / fai / chef / deployme.app - disclaimer
# (IOW: this script has been grown in almost 500 commits and it shows…)
#
# yes, we know… and: "it" should probably still be done.
#
# It's just unclear how/what, and what we have actually mostly works.
#
# Switching to jenkins.debian.org is probably an opportunity
# to write (refactor this into) *yet another deployment script*
# (interacting with the DSA machine setup which is in puppet…),
# thus obsoleting this script gradually, though this is used on
# 47 hosts currently (of which quite some were initially installed
# manually…)
#
# so, yes, patches welcome. saying this is crap alone is not helpful,
# nor is just suggesting some new or old technology. patches most welcome!
#
# that said, there's a new one: init_node ;)

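set -e
# Absolute path of this script. $0 is whatever the caller typed and may be
# relative to the caller's cwd; "$BASEDIR/$0" (as used further down) is only
# a valid path when the script was started as ./update_jdn.sh from the
# checkout. With a non-existent right-hand side, bash's "-nt" evaluates to
# true, which would set UP2DATE=true and silently skip every package and
# config update - so compare against the resolved path instead.
SCRIPT="$(readlink -e "$0")"
BASEDIR="$(dirname "$SCRIPT")"
# authorized_keys/, hosts/<hostname>/, deploy_kgb.py etc. are all addressed
# relative to the checkout below, so make it the cwd regardless of where we
# were started from.
cd "$BASEDIR"
PVNAME=/dev/vdb      # LVM physical volume for jobs
VGNAME=jenkins01     # LVM volume group
STAMP=/var/log/jenkins/update-jenkins.stamp   # mtime marks the last successful run
TMPFILE=$(mktemp)
# several "exit 1" paths below would otherwise leave the temp file behind;
# the explicit rm near the end of the script is harmless on top of this
trap 'rm -f "$TMPFILE"' EXIT

# The $@ below means that command line args get passed on to j-j-b
# which allows one to specify --flush-cache or --ignore-cache
JJB="jenkins-jobs $@"
DPKG_ARCH="$(dpkg --print-architecture)"

# so we can later run some commands only if this script has been updated…
if [ -f "$STAMP" ] && [ "$STAMP" -nt "$SCRIPT" ] ; then
	UP2DATE=true
else
	UP2DATE=false
fi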


explain() {
	# Print a deployment message prefixed with this host's name, so output
	# collected from several hosts can be told apart.
	#   $1 - the message text
	local message="$1"
	printf '%s: %s\n' "$HOSTNAME" "$message"
}

set_correct_date() {
	# Pull the clock back to real time with a one-shot ntpdate; the ntp
	# daemon is stopped first so it does not hold the socket. A missing
	# or already stopped ntp service is not an error.
	# NOTE(review): plain NTP is unauthenticated, so an on-path attacker
	# can steer this clock - do not rely on it for anything security
	# critical.
	sudo service ntp stop || :
	sudo ntpdate -b de.pool.ntp.org
}

disable_dsa_check_packages() {
	# Replace DSA's dsa-check-packages with a no-op stub. This is called on
	# the hosts whose clock is deliberately set more than a year into the
	# future (see the end of this script): with such a clock every package
	# from security.d.o looks outdated, so the check would alarm forever.
	# NOTE(review): this also means DSA's monitoring will NOT flag genuinely
	# missing security updates on those hosts - they have to be watched by
	# some other means.
	local stub=/usr/local/bin/dsa-check-packages

	# FIXME: remove the repair of /bin/true when all hosts has been
	# updated
	# ln -s /bin/true /usr/local/bin/dsa-check-packages was used which
	# broke /bin/true by overwriting it with the perl script dsa-check-packages
	if grep -q '/usr/bin/perl' /bin/true || grep -q '/bin/sh' /bin/true ; then
		sudo apt-get install --reinstall coreutils
	fi

	if [ -L "$stub" ] ; then
		sudo rm "$stub"
	fi

	# disable check for outdated packages as in the future (like this)
	# packages from security.d.o will appear outdated always…
	printf '%s\n' '#!/bin/sh' '# disabled dsa-check by update_jdn.sh' 'exit 0' | sudo tee "$stub"
	sudo chmod a+rx "$stub"
}

printf '%s\n' "--------------------------------------------"
explain "$(date) - begin deployment update."

#
# temporarily test to check which hosts don't use systemd
#
# stop and wait for the operator when systemd-sysv is not installed
if ! dpkg -l | grep -q systemd-sysv ; then
	printf '%s\n' "no systemd-sysv installed on $(hostname), please enter to continue…"
	read
fi

# some nodes need special treatment…
case "$HOSTNAME" in
	# these hosts run with their clock set ~13 months ahead (see the end of
	# this script); bring it back to real time first, presumably so that
	# apt, TLS and anything else that checks validity periods works for the
	# rest of this run
	profitbricks-build4-amd64|profitbricks-build5-amd64|profitbricks-build6-i386|profitbricks-build15-amd64|profitbricks-build16-i386|codethink-sled9*|codethink-sled11*|codethink-sled13*|codethink-sled15*)
		set_correct_date
		;;
esac

#
# set up users and groups
#
# user_host_groups[user,host] lists the supplementary groups a user gets on
# a host; the host key may also be a dpkg architecture or '*' (every host).
# u_shell[user] overrides the default /bin/bash login shell.
declare -A user_host_groups u_shell
# NOTE(review): an entry with this list is root-equivalent on the host
# (sudo), and an entry keyed on '*' grants it on every host this script is
# deployed to. Keep this table short.
sudo_groups='jenkins,jenkins-adm,sudo,adm'

# if there's a need for host groups, a case statement on $HOSTNAME here that sets $GROUPNAME, say, should do the trick
# then you can define user_host_groups['phil','lvm_group']=... below
# and add checks for the GROUP version whereever the HOSTNAME is checked in the following code

user_host_groups['helmut','*']="$sudo_groups"
user_host_groups['holger','*']="$sudo_groups"
user_host_groups['holger','jenkins']="reproducible,${user_host_groups['holger','*']}"
user_host_groups['mattia','*']="$sudo_groups"
user_host_groups['mattia','jenkins']="reproducible,${user_host_groups['mattia','*']}"
user_host_groups['phil','jenkins-test-vm']="$sudo_groups,libvirt,libvirt-qemu"
user_host_groups['phil','profitbricks-build10-amd64']="$sudo_groups"
user_host_groups['phil','jenkins']="$sudo_groups"
user_host_groups['lunar','jenkins']='reproducible'
user_host_groups['lynxis','profitbricks-build3-amd64']="$sudo_groups"
user_host_groups['lynxis','profitbricks-build4-amd64']="$sudo_groups"
user_host_groups['hans','profitbricks-build7-amd64']="$sudo_groups"
user_host_groups['vagrant','armhf']="$sudo_groups"
user_host_groups['vagrant','arm64']="$sudo_groups"

u_shell['mattia']='/bin/zsh'
u_shell['lynxis']='/bin/fish'
u_shell['jenkins-adm']='/bin/bash'

# the set of users is whatever appears before the comma in the keys above
users=$(printf '%s\n' "${!user_host_groups[@]}" | cut -d, -f1 | sort -u)

# Create the accounts from the table above and install their SSH keys.
# Skipped entirely when the script is unchanged since the last run AND no
# file under authorized_keys/ is newer than the script. Both paths here are
# relative, i.e. this relies on the cwd being the checkout.
( $UP2DATE && [ -z "$(find authorized_keys -newer $0)" ] ) || for user in ${users}; do
	# -v is a bashism to check for set variables, used here to see if this user is active on this host
	if [ ! -v user_host_groups["$user","$HOSTNAME"] ] && [ ! -v user_host_groups["$user",'*'] ] && [ ! -v user_host_groups["$user","$DPKG_ARCH"] ] ; then
		continue
	fi

	# create the user
	if ! getent passwd $user > /dev/null ; then
		# adduser, defaulting to /bin/bash as shell
		sudo adduser --gecos "" --shell "${u_shell[$user]:-/bin/bash}" --disabled-password $user
	fi
	# add groups: first try the specific host, or if unset fall-back to default '*' setting
	# (usermod -G *replaces* the supplementary group list, so the table is
	# authoritative and groups added by hand are dropped on the next run)
	for h in "$HOSTNAME" "$DPKG_ARCH" '*' ; do
		if [ -v user_host_groups["$user","$h"] ] ; then
			sudo usermod -G "${user_host_groups["$user","$h"]}" $user
			break
		fi
	done
	# add the user's keys (if any): every authorized_keys/<user>@*.pub in
	# this checkout is concatenated into the file sshd is pointed at below.
	# NOTE(review): this is what turns commit access to this repository into
	# shell - and, via sudo_groups, root - access on every deployed host.
	# The key file is created by root via tee with the deploying user's
	# umask; sshd's StrictModes expects it not to be writable by anyone
	# but root, so confirm the umask is 022 or tighter.
	if ls authorized_keys/${user}@*.pub >/dev/null 2>&1 ; then
		[ -d /var/lib/misc/userkeys ] || sudo mkdir -p /var/lib/misc/userkeys
		cat authorized_keys/${user}@*.pub | sudo tee /var/lib/misc/userkeys/${user} > /dev/null
	fi
done

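# change defaults
# Point sshd at the per-user key files written above, in addition to the
# user's own ~/.ssh/authorized_keys. Only done once (the grep), and only
# when the script changed.
$UP2DATE || grep -q '^AuthorizedKeysFile' /etc/ssh/sshd_config || {
	if grep -q '^Match' /etc/ssh/sshd_config ; then
		# a directive appended after a Match block is scoped to that block
		# only, so it has to go in front of the first Match line instead
		sudo sed -i '0,/^Match/s#^Match#AuthorizedKeysFile /var/lib/misc/userkeys/%u %h/.ssh/authorized_keys\n&#' /etc/ssh/sshd_config
	else
		sudo sh -c "echo 'AuthorizedKeysFile /var/lib/misc/userkeys/%u %h/.ssh/authorized_keys' >> /etc/ssh/sshd_config"
	fi
	# refuse to reload a config sshd would reject (set -e aborts here);
	# that is how one gets locked out of a remote host
	sudo /usr/sbin/sshd -t
	sudo service ssh reload
}

# change vagrants manual configuration on some armhf hosts
$UP2DATE || grep -q '/var/lib/misc/userkeys' /etc/ssh/sshd_config || {
	sudo sed -i "s#/var/lib/monkeysphere/authorized_keys/#/var/lib/misc/userkeys/#g" /etc/ssh/sshd_config
	sudo /usr/sbin/sshd -t
	sudo service ssh reload
}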

# base directories for build workspaces and chroots, plus the short
# top-level symlinks (/chroots, /schroots) that jobs refer to
sudo mkdir -p /srv/workspace
if [ ! -d /srv/schroots ] ; then
	sudo mkdir -p /srv/schroots
fi
for link in /chroots:/srv/workspace/chroots /schroots:/srv/schroots ; do
	if [ ! -h "${link%%:*}" ] ; then
		sudo ln -s "${link#*:}" "${link%%:*}"
	fi
done

case "$HOSTNAME" in
	jenkins-test-vm|profitbricks-build10-amd64|profitbricks-build7-amd64)
		# jenkins needs access to libvirt
		# NOTE(review): membership in libvirt/kvm is generally treated as
		# root-equivalent on the host, so this stays limited to the
		# dedicated VM hosts listed here.
		for group in kvm libvirt libvirt-qemu ; do
			sudo adduser jenkins "$group"
		done

		# we need a directory for the VM's storage pools
		VM_POOL_DIR=/srv/lvc/vm-pools
		if [ ! -d "$VM_POOL_DIR" ] ; then
			sudo mkdir -p "$VM_POOL_DIR"
			sudo chown jenkins:libvirt-qemu "$VM_POOL_DIR"
			sudo chmod 775 "$VM_POOL_DIR"
		fi

		# tidy up after ourselves, for a while at least
		OLD_VM_POOL_DIR=/srv/workspace/vm-pools
		if [ -d "$OLD_VM_POOL_DIR" ] ; then
			sudo rm -r "$OLD_VM_POOL_DIR"
		fi
		;;
esac

# prepare tmpfs on some hosts
# TMPFSSIZE is the size of the /srv/workspace tmpfs, TMPSIZE the one for
# /tmp, both in GB; hosts not listed get no tmpfs
case "$HOSTNAME" in
	jenkins|codethink*)
		TMPFSSIZE=100 ; TMPSIZE=15 ;;
	profitbricks-build9-amd64)
		TMPFSSIZE=40 ; TMPSIZE=8 ;;
	profitbricks-build*)
		TMPFSSIZE=200 ; TMPSIZE=15 ;;
esac
# Mount /srv/workspace (and /tmp) as tmpfs with the sizes chosen above.
# i386 nodes need a real partition instead and the script stops if there
# is none. The fstab entries use "defaults", i.e. no nosuid/nodev/noexec -
# builds run code out of these directories.
case $HOSTNAME in
	profitbricks-build*i386)
		if ! grep -q '/srv/workspace' /etc/fstab; then
			echo "Warning: you need to manually create a /srv/workspace partition on i386 nodes, exiting."
			exit 1
		fi
		;;
	jenkins|profitbricks-build*amd64|codethink*)
		if ! grep -q '^tmpfs\s\+/srv/workspace\s' /etc/fstab; then
			echo "tmpfs		/srv/workspace	tmpfs	defaults,size=${TMPFSSIZE}g	0	0" | sudo tee -a /etc/fstab >/dev/null  
		fi
		if ! grep -q '^tmpfs\s\+/tmp\s' /etc/fstab; then
			echo "tmpfs		/tmp	tmpfs	defaults,size=${TMPSIZE}g	0	0" | sudo tee -a /etc/fstab >/dev/null
		fi
		# only mount over an empty directory, so existing data is never
		# silently shadowed by the tmpfs
		if ! mountpoint -q /srv/workspace; then
			if test -z "$(ls -A /srv/workspace)"; then
				sudo mount /srv/workspace
			else
				explain "WARNING: mountpoint /srv/workspace is non-empty."
			fi
		fi
		;;
	*) ;;
esac
# the VM storage pool on profitbricks-build10 lives on its own disk
case "$HOSTNAME" in
	profitbricks-build10-amd64)
		if [ ! -d /srv/lvc/vm-pools ] ; then
			sudo mkdir -p /srv/lvc/vm-pools
		fi
		grep -q '^/dev/vdb\s\+/srv/lvc/vm-pools\s' /etc/fstab || \
			echo "/dev/vdb	/srv/lvc/vm-pools ext4	errors=remount-ro	0	2" | sudo tee -a /etc/fstab >/dev/null
		# never mount over a non-empty directory, that would hide its content
		if ! mountpoint -q /srv/lvc/vm-pools ; then
			if [ -n "$(ls -A /srv/lvc/vm-pools)" ] ; then
				explain "WARNING: mountpoint /srv/lvc/vm-pools is non-empty."
			else
				sudo mount /srv/lvc/vm-pools
			fi
		fi
		;;
esac

# make sure needed directories exists - some directories will not be needed on all hosts...
# NOTE(review): /srv/jenkins is in this list and therefore ends up owned by
# jenkins:jenkins, which makes the second loop below (jenkins-adm ownership)
# dead code on every host. The subtrees deployed later (/srv/jenkins/bin,
# job-cfg, …) are chowned to jenkins-adm, but a directory writable by the
# jenkins user lets that user rename/replace them anyway - so the
# jenkins/jenkins-adm separation is weaker than it looks. Confirm which
# owner is intended before changing it on existing hosts.
for directory in /schroots /srv/reproducible-results /srv/d-i /srv/udebs /srv/live-build /var/log/jenkins/ /srv/jenkins /srv/jenkins/pseudo-hosts /srv/workspace/chroots ; do
	if [ ! -d $directory ] ; then
		sudo mkdir $directory
	fi
	# /schroots is a symlink; chown without -h follows it to /srv/schroots
	sudo chown jenkins.jenkins $directory
done
for directory in /srv/jenkins ; do
	if [ ! -d $directory ] ; then
		sudo mkdir $directory
		sudo chown jenkins-adm.jenkins-adm $directory
	fi
done

# replace a stray /chroots directory (or file) with the symlink; a
# non-empty directory is left alone and reported
if ! test -h /chroots; then
	sudo rmdir /chroots || sudo rm -f /chroots # do not recurse
	if test -e /chroots; then
		explain "/chroots could not be cleared."
	else
		sudo ln -s /srv/workspace/chroots /chroots
	fi
fi

# only on Debian systems
if [ -f /etc/debian_version ] ; then
	#
	# install packages we need
	#
	# Package lists are assembled per host role and installed only when this
	# script is newer than the stamp. The lists are whitespace separated
	# strings on purpose - they are word-split into apt-get arguments below.
	if [ $BASEDIR/$0 -nt $STAMP ] || [ ! -f $STAMP ] ; then
		DEBS=" 
			bash-completion 
			bc
			bsd-mailx
			curl
			debian-archive-keyring
			debootstrap 
			devscripts
			eatmydata
			etckeeper
			figlet
			git
			haveged
			htop
			less
			lintian
			locales-all
			lsof
			molly-guard
			moreutils
			munin-node
			munin-plugins-extra
			netcat-traditional
			ntp
			ntpdate
			pigz 
			postfix
			procmail
			psmisc
			python3-psycopg2 
			schroot 
			screen
			slay
			stunnel
			subversion 
			subversion-tools 
			systemd-sysv
			sudo 
			unzip 
			vim 
			zsh
			"
		# install squid everywhere except on the armhf nodes
		case $HOSTNAME in
			jenkins|jenkins-test-vm|profitbricks-build*|codethink*) DEBS="$DEBS
				squid
				kgb-client
				python3-yaml" ;;
			*) ;;
		esac
		# needed to run the 2nd reproducible builds nodes in the future...
		# (ntpdate is already in the base list above; these are the hosts
		# whose clock is shifted forward at the end of this script)
		case $HOSTNAME in
			profitbricks-build4-amd64|profitbricks-build5-amd64|profitbricks-build6-i386|profitbricks-build15-amd64|profitbricks-build16-i386) DEBS="$DEBS ntpdate" ;;
			codethink-sled9*|codethink-sled11*|codethink-sled13*|codethink-sled15*) DEBS="$DEBS ntpdate" ;;
			*) ;;
		esac
		# needed to run coreboot/openwrt/lede/netbsd/fedora jobs
		case $HOSTNAME in
		profitbricks-build3-amd64|profitbricks-build4-amd64) DEBS="$DEBS
				bison
				ca-certificates
				cmake
				diffutils
				findutils
				fish
				flex
				g++
				gawk
				gcc
				git
				grep
				iasl
				libc6-dev
				libncurses5-dev
				libssl-dev
				locales-all
				kgb-client
				m4
				make
				python3-clint
				python3-git
				python3-pystache
				python3-requests
				python3-yaml
				subversion
				tree
				unzip
				util-linux
				zlib1g-dev"
			;;
			*) ;;
		esac
		# needed to run fdroid jobs
		case $HOSTNAME in
			profitbricks-build7-amd64) DEBS="$DEBS
				android-sdk
				fdroidserver
				libvirt-clients
				libvirt-daemon
				libvirt-daemon-system
				python3-libvirt
				python3-vagrant
				qemu-kvm
				vagrant
				vagrant-mutate
				vagrant-libvirt"
			;;
			*) ;;
		esac
		# cucumber dependencies (for lvc jobs)
		case $HOSTNAME in
			profitbricks-build10-amd64|jenkins-test-vm) DEBS="$DEBS
				cucumber
				tesseract-ocr
				i18nspector
				imagemagick
				libav-tools
				libsikuli-script-java
				libvirt-clients
				libvirt-daemon
				libvirt-daemon-system
				ovmf
				pry
				python-jabberbot
				python-potr
				python3-yaml
				redir
				ruby-guestfs
				ruby-json
				ruby-libvirt
				ruby-net-irc
				ruby-packetfu
				ruby-rb-inotify
				ruby-rjb
				ruby-test-unit
				tcpdump
				unclutter
				virt-viewer
				x264
				xvfb
				x11vnc"
			   ;;
			*) ;;
		esac
		if [ "$HOSTNAME" = "jenkins-test-vm" ] ; then
			# for phil only
			DEBS="$DEBS postfix-pcre"
		fi
		# packages only the jenkins master (and its test VM) needs
		if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "jenkins-test-vm" ] ; then
			MASTERDEBS=" 
				apache2 
				apt-file 
				apt-listchanges 
				asciidoc
				binfmt-support 
				bison 
				build-essential 
				calamaris 
				cmake 
				cron-apt 
				csvtool 
				dnsmasq-base 
				dstat 
				figlet 
				flex
				gawk 
				ghc
				git-notifier 
				gocr 
				graphviz 
				iasl 
				imagemagick 
				ip2host
				jekyll
				kgb-client
				libcap2-bin 
				libfile-touch-perl 
				libguestfs-tools 
				libjson-rpc-perl 
				libsoap-lite-perl 
				libxslt1-dev 
				linux-image-amd64
				moreutils 
				mr 
				mtr-tiny 
				munin 
				ntp 
				obfs4proxy
				openbios-ppc 
				openbios-sparc 
				openjdk-8-jre 
				pandoc
				postgresql
				postgresql-autodoc
				postgresql-client 
				poxml 
				procmail 
				python3-debian 
				python3-pystache
				python3-sqlalchemy
				python3-xdg
				python3-yaml
				python-arpy 
				python-hachoir-metadata 
				python-imaging 
				python-lzma 
				python-pip 
				python-rpy2 
				python-setuptools 
				python-twisted 
				python-yaml 
				qemu 
				qemu-kvm 
				qemu-system-x86 
				qemu-user-static 
				radvd 
				ruby-rspec 
				seabios 
				shorewall 
				shorewall6 
				sqlite3 
				syslinux 
				tor
				vncsnapshot 
				vnstat
				whohas
				x11-apps 
				xtightvncviewer
				xvfb
				xvkbd
				zutils"
		else
			MASTERDEBS=""
		fi
		# the host's apt sources come from this checkout (hosts/<host>/etc is
		# copied wholesale again further down); apt-get install is run
		# without -y, so it asks for confirmation interactively
		$UP2DATE || ( sudo cp --preserve=mode,timestamps -r hosts/$HOSTNAME/etc/apt/sources.list /etc/apt ; sudo apt-get update )
		$UP2DATE || sudo apt-get install $DEBS $MASTERDEBS
		# dont (re-)install pbuilder if it's on hold
		if [ "$(dpkg-query -W -f='${db:Status-Abbrev}\n' pbuilder)" != "hi " ] ; then
			case $HOSTNAME in
				codethink*) 	$UP2DATE || sudo apt-get install -t jessie-backports pbuilder
						;;
				*)		$UP2DATE || sudo apt-get install pbuilder lintian
				;;
			esac
		fi
		# remove unattended-upgrades if it's installed
		# NOTE(review): nothing in this script runs apt-get upgrade either,
		# so security updates on these hosts must be applied by some other
		# mechanism (or by hand) - confirm that exists, especially for the
		# hosts where dsa-check-packages is disabled at the end of this run.
		if [ "$(dpkg-query -W -f='${db:Status-Abbrev}\n' unattended-upgrades 2>/dev/null || true)" = "ii "  ] ; then
			 sudo apt-get -y purge unattended-upgrades
		fi
		# we need mock to build fedora
		if [ "$HOSTNAME" = "profitbricks-build3-amd64" ] || [ "$HOSTNAME" = "profitbricks-build4-amd64" ] || [ "$HOSTNAME" = "jenkins" ] ; then
			$UP2DATE || sudo apt-get install mock
		fi
		# for varying kernels:
		# - we use bpo kernels on pb-build5+15 (and the default i386 kernel on pb-build2+12-i386)
		# - we use the default amd64 kernel on pb-build1+11 (and the default amd64 kernel on pb-build6+16-i386)
		if [ "$HOSTNAME" = "profitbricks-build5-amd64" ] || [ "$HOSTNAME" = "profitbricks-build15-amd64" ] ; then
			$UP2DATE || sudo apt-get install linux-image-amd64
		elif [ "$HOSTNAME" = "profitbricks-build6-i386" ] || [ "$HOSTNAME" = "profitbricks-build16-i386" ] ; then
			$UP2DATE || sudo apt-get install linux-image-amd64
		fi
		# only needed on the main nodes # FIXME this is redundant
		if [ "$HOSTNAME" = "jenkins-test-vm" ] ; then
			$UP2DATE || sudo apt-get install jenkins-job-builder
		elif [ "$HOSTNAME" = "jenkins" ] ; then
			$UP2DATE || sudo apt-get install ffmpeg libav-tools python3-popcon jenkins-job-builder dose-extra
		fi
		explain "packages installed."
	else
		explain "no new packages to be installed."
	fi
fi

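#
# deploy package configuration in /etc and /usr
#
cd $BASEDIR
# A sudoers fragment with a syntax error makes sudo refuse *every* command on
# the host, so validate the fragments before they land in /etc/sudoers.d.
# visudo -c also checks owner and mode, hence the root-owned 0440 scratch
# copy rather than checking the checkout file directly.
for fragment in hosts/$HOSTNAME/etc/sudoers.d/* ; do
	[ -f "$fragment" ] || continue
	SUDOERS_C
HECK=$(mktemp)
	sudo cp "$fragment" "$SUDOERS_CHECK"
	sudo chown root:root "$SUDOERS_CHECK"
	sudo chmod 0440 "$SUDOERS_CHECK"
	if ! sudo visudo -cqf "$SUDOERS_CHECK" ; then
		sudo rm -f "$SUDOERS_CHECK"
		explain "ERROR: $fragment is not a valid sudoers file, refusing to deploy it."
		exit 1
	fi
	sudo rm -f "$SUDOERS_CHECK"
done
sudo cp --preserve=mode,timestamps -r hosts/$HOSTNAME/etc/* /etc
sudo cp --preserve=mode,timestamps -r hosts/$HOSTNAME/usr/* /usr
# we ship one or two service files…
sudo systemctl daemon-reload &

#
# more configuration than a simple cp can do
#
# git cannot carry ownership (and only a crude mode), so fix both after the
# copy: sudoers fragments must be root-owned and writable by nobody else;
# 0440 is the mode sudo documents and visudo -c checks for.
for fragment in jenkins jenkins-adm ; do
	sudo chown root:root /etc/sudoers.d/$fragment
	sudo chmod 0440 /etc/sudoers.d/$fragment
done
[ -f /etc/mailname ] || ( echo $HOSTNAME.debian.net | sudo tee /etc/mailname )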

# apache setup on the jenkins master, redone whenever the checked-in apache2
# config is newer than the stamp
if [ "$HOSTNAME" = "jenkins" ] ; then
	if [ $BASEDIR/hosts/$HOSTNAME/etc/apache2 -nt $STAMP ] || [ ! -f $STAMP ] ; then
		# proxy.load is used as the marker that the module set was enabled before
		if [ ! -e /etc/apache2/mods-enabled/proxy.load ] ; then
			sudo a2enmod proxy
			sudo a2enmod proxy_http
			sudo a2enmod rewrite
			sudo a2enmod ssl
			sudo a2enmod headers
			sudo a2enmod macro
			sudo a2enmod filter
		fi
		sudo a2ensite -q jenkins.debian.net
		sudo a2enconf -q munin
		# NOTE(review): this hands the vhost config that apache (root) loads
		# to the jenkins-adm group; if sites-enabled/… is the usual symlink
		# into sites-available, chown follows it and changes the target's
		# owner as well.
		sudo chown jenkins-adm.jenkins-adm /etc/apache2/sites-enabled/jenkins.debian.net.conf
		# for reproducible.d.n url rewriting:
		[ -L /var/www/userContent ] || sudo ln -sf /var/lib/jenkins/userContent /var/www/userContent
		sudo service apache2 reload
	fi
	# the jenkins user's ssh config is maintained by hand; stop here if it
	# lacks connection sharing (grep without -q, so the matches are printed)
	if ! grep controlmaster ~jenkins/.ssh/config || ! grep controlpath ~jenkins/.ssh/config ; then
		echo
		echo "Please define controlmaster and controlpath in ~jenkins/.ssh/config manually, see https://debian-administration.org/article/290/Reusing_existing_OpenSSH_v4_connections"
		echo
		exit 1
	fi
fi

# munin plugin selection, redone when the checked-in munin config changed
if [ ! -f $STAMP ] || [ $BASEDIR/hosts/$HOSTNAME/etc/munin -nt $STAMP ] ; then
	cd /etc/munin/plugins
	# drop the plugins we do not want graphs for (globs expand in the plugin dir)
	sudo rm -f postfix_* open_inodes interrupts irqstats threads proc_pri vmstat if_err_* exim_* netstat fw_forwarded_local fw_packets forks open_files users nfs* iostat_ios ntp* 2>/dev/null
	# squid graphs on every host that runs squid
	case $HOSTNAME in
		jenkins|profitbricks-build*|codethink-sled*)
			if [ ! -L /etc/munin/plugins/squid_cache ] ; then
				for plugin in squid_cache squid_objectsize squid_requests squid_traffic ; do
					sudo ln -s /usr/share/munin/plugins/$plugin $plugin
				done
			fi
			;;
	esac
	if [ "$HOSTNAME" = "jenkins" ] ; then
		# mail and web server graphs only exist on the master
		if [ ! -L /etc/munin/plugins/postfix_mailstats ] ; then
			for plugin in postfix_mailstats postfix_mailvolume postfix_mailqueue ; do
				sudo ln -s /usr/share/munin/plugins/$plugin $plugin
			done
		fi
		if [ ! -L /etc/munin/plugins/apache_accesses ] ; then
			for plugin in apache_accesses apache_volume ; do
				sudo ln -s /usr/share/munin/plugins/$plugin $plugin
			done
			sudo ln -s /usr/share/munin/plugins/loggrep jenkins_oom
		fi
	elif [ -L /etc/munin/plugins/iostat ] ; then
		sudo rm /etc/munin/plugins/iostat
	fi
	sudo service munin-node restart
fi
explain "packages configured."

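#
# install the heart of jenkins.debian.net
#
# The scripts and job definitions are synced from this checkout into
# /srv/jenkins and owned by jenkins-adm, i.e. the jenkins user that runs
# the jobs must not be able to modify them.
cd $BASEDIR
[ -d /srv/jenkins/features ] && sudo rm -rf /srv/jenkins/features
for dir in bin logparse cucumber live mustache-templates ; do
	sudo mkdir -p /srv/jenkins/$dir
	sudo rsync -rpt --delete $dir/ /srv/jenkins/$dir/
	sudo chown -R jenkins-adm.jenkins-adm /srv/jenkins/$dir
done
HOST_JOBS="hosts/$HOSTNAME/job-cfg"
if [ -e "$HOST_JOBS" ] ; then
	sudo rsync -rpt --copy-links --delete "$HOST_JOBS/" /srv/jenkins/job-cfg/
	# this used to chown /srv/jenkins/$dir, i.e. whatever the loop above
	# ended on (mustache-templates), leaving job-cfg root-owned after rsync
	sudo chown -R jenkins-adm.jenkins-adm /srv/jenkins/job-cfg
else
	# tidying up ... assuming that we don't want clutter on peripheral servers
	[ -d /srv/jenkins/job-cfg ] && sudo rm -rf /srv/jenkins/job-cfg
fi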


# SSH keys for the jenkins user. The master gets jenkins-home/, every node
# gets jenkins-nodes-home/ - both files live in this checkout, so whoever
# can commit here decides who may log in as jenkins on all hosts.
sudo mkdir -p /var/lib/jenkins/.ssh
case "$HOSTNAME" in
	jenkins)
		sudo cp jenkins-home/procmailrc /var/lib/jenkins/.procmailrc
		sudo cp jenkins-home/authorized_keys /var/lib/jenkins/.ssh/authorized_keys
		;;
	*)
		sudo cp jenkins-nodes-home/authorized_keys /var/lib/jenkins/.ssh/authorized_keys
		;;
esac
# sshd's StrictModes wants .ssh and authorized_keys owned by the user and
# closed to everyone else
sudo chown -R jenkins:jenkins /var/lib/jenkins/.ssh
sudo chmod 700 /var/lib/jenkins/.ssh
sudo chmod 600 /var/lib/jenkins/.ssh/authorized_keys
explain "scripts and configurations for jenkins updated."

# Publish the docs and the THANKS list under /var/lib/jenkins/userContent on
# the master and render them to HTML.
if [ "$HOSTNAME" = "jenkins" ] ; then
	sudo cp -pr README INSTALL TODO CONTRIBUTING d-i-preseed-cfgs /var/lib/jenkins/userContent/
	# contributor list straight from git history (name + e-mail)
	git log | grep ^Author| cut -d " " -f2-|sort -u -f > $TMPFILE
	echo "----" >> $TMPFILE
	sudo tee /var/lib/jenkins/userContent/THANKS > /dev/null < THANKS.head
	# samuel, lunar, josch and phil committed with several commiters, only display one
	grep -v -e "samuel.thibault@ens-lyon.org" -e Lunar -e "j.schauer@email.de" -e "mattia@mapreri.org" -e "phil@jenkins-test-vm" $TMPFILE | sudo tee -a /var/lib/jenkins/userContent/THANKS > /dev/null
	# the temp file is unlinked here but its (no longer reserved) name is
	# reused later in this script via a plain redirection
	rm $TMPFILE
	# NOTE: TMPDIR is also the variable mktemp(1) honours; it is left
	# pointing at a removed directory below, so a later mktemp in this
	# script would fail - keep that in mind when adding one
	TMPDIR=$(mktemp -d -t update-jdn-XXXXXXXX)
	sudo cp -pr userContent $TMPDIR/
	sudo chown -R jenkins.jenkins $TMPDIR
	sudo cp -pr $TMPDIR/userContent  /var/lib/jenkins/
	sudo rm -r $TMPDIR > /dev/null
	# the rest runs as the deploying user (no sudo) inside the
	# jenkins-owned directory - presumably via group membership, confirm
	cd /var/lib/jenkins/userContent/
	ASCIIDOC_PARAMS="-a numbered -a data-uri -a iconsdir=/etc/asciidoc/images/icons -a scriptsdir=/etc/asciidoc/javascripts -b html5 -a toc -a toclevels=4 -a icons -a stylesheet=$(pwd)/theme/debian-asciidoc.css"
	# only re-render what changed; .THANKS keeps the previous THANKS for the diff
	[ about.html -nt README ] || asciidoc $ASCIIDOC_PARAMS -o about.html README
	[ todo.html -nt TODO ] || asciidoc $ASCIIDOC_PARAMS -o todo.html TODO
	[ setup.html -nt INSTALL ] || asciidoc $ASCIIDOC_PARAMS -o setup.html INSTALL
	[ contributing.html -nt CONTRIBUTING ] || asciidoc $ASCIIDOC_PARAMS -o contributing.html CONTRIBUTING
	diff THANKS .THANKS >/dev/null || asciidoc $ASCIIDOC_PARAMS -o thanks.html THANKS
	mv THANKS .THANKS
	rm TODO README INSTALL CONTRIBUTING
	sudo chown jenkins.jenkins /var/lib/jenkins/userContent/*html
	explain "user content for jenkins updated."
fi

if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "jenkins-test-vm" ] ; then
	#
	# run jenkins-job-builder to update jobs if needed
	#     (using sudo because /etc/jenkins_jobs is root:root 700)
	#
	cd /srv/jenkins/job-cfg
	# *.yaml.py generators (synced from this checkout above) are executed
	# as the deploying user; their output replaces the matching *.yaml only
	# when it differs, and the write is done as jenkins-adm, the owner of
	# /srv/jenkins/job-cfg
	for metaconfig in *.yaml.py ; do
	# there are both python2 and python3 scripts here
		[ -e ./$metaconfig ] || continue
		./$metaconfig > $TMPFILE
		if ! sudo -u jenkins-adm cmp -s ${metaconfig%.py} - < $TMPFILE ; then
			sudo -u jenkins-adm tee ${metaconfig%.py} > /dev/null < $TMPFILE
		fi
	done
	rm -f $TMPFILE
	for config in *.yaml ; do
		# do update, if
		# no stamp file exist or
		# no .py file exists and config is newer than stamp or
		# a .py file exists and .py file is newer than stamp
		if [ ! -f $STAMP ] || \
		 ( [ ! -f $config.py ] && [ $config -nt $STAMP ] ) || \
		 ( [ -f $config.py ] && [ $config.py -nt $STAMP ] ) ; then
			# $JJB carries this script's command line args (e.g. --flush-cache)
			$JJB update $config
		else
			echo "$config has not changed, nothing to do."
		fi
	done
	explain "jenkins jobs updated."
fi

#
# configure git for jenkins
#
# set the identity once; "git config --get" exits non-zero when unset,
# which is fine inside the case word
case "$(sudo su - jenkins -c 'git config --get user.email')" in
	jenkins@jenkins.debian.net)
		;;
	*)
		sudo su - jenkins -c "git config --global user.email jenkins@jenkins.debian.net"
		sudo su - jenkins -c "git config --global user.name Jenkins"
		;;
esac

if [ "$HOSTNAME" = "jenkins" ] ; then
	#
	# creating LVM volume group for jobs
	#
	if [ -z "$PVNAME" ] ; then
		figlet -f banner Error
		explain "you must set \$PVNAME to physical volume pathname, exiting."
		exit 1
	fi
	if ! $UP2DATE ; then
		# pvcreate/vgcreate are destructive, so they only run when LVM
		# does not know the device / group yet
		sudo pvs "$PVNAME" >/dev/null 2>&1 || sudo pvcreate "$PVNAME"
		sudo vgs "$VGNAME" >/dev/null 2>&1 || sudo vgcreate "$VGNAME" "$PVNAME"
	fi
fi

#
# generate the kgb-client configurations
#
case "$HOSTNAME" in
	jenkins|profitbricks-build3-amd64|profitbricks-build4-amd64|profitbricks-build7-amd64|profitbricks-build2-i386|profitbricks-build12-i386)
		cd $BASEDIR
		KGB_SECRETS="/srv/jenkins/kgb/secrets.yml"
		# the secrets must exist and be readable by jenkins-adm only
		# (stat prints the mode without a leading zero, hence "640")
		if [ ! -f "$KGB_SECRETS" ] || [ "$(stat -c "%a:%U:%G" "$KGB_SECRETS")" != "640:jenkins-adm:jenkins-adm" ] ; then
			figlet -f banner Warning
			echo "Warning: $KGB_SECRETS either does not exist or has bad permissions. Please fix. KGB configs not generated"
			echo "We expect the secrets file to be mode 640 and owned by jenkins-adm:jenkins-adm."
			echo "/srv/jenkins/kgb should be mode 755 and owned by jenkins-adm:root."
			echo "/srv/jenkins/kgb/client-status should be mode 755 and owned by jenkins:jenkins."
		elif [ ! -f $STAMP ] || [ "$KGB_SECRETS" -nt $STAMP ] || [ "deploy_kgb.py" -nt "$STAMP" ] ; then
			# regenerate as the owner of the secrets, from the checkout
			sudo -u jenkins-adm "./deploy_kgb.py"
		else
			explain "kgb-client configuration unchanged, nothing to do."
		fi
		;;
esac

756
757
758
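#
# Create GPG key for jenkins user if they do not already exist (eg. to sign .buildinfo files)
#
# NOTE(review): the key is generated without a passphrase (%no-protection)
# and without expiry, and lives in the keyring of the user that runs the
# build jobs on this host. Treat it as a rotatable machine identity, not
# as a trust anchor, and expect it to be public (it is sent to a keyserver
# below).
if sudo -H -u jenkins gpg --with-colons --fixed-list-mode --list-secret-keys | cut -d: -f1 | grep -qsFx 'sec' >/dev/null 2>&1 ; then
	explain "$(date) - Not generating GPG key as one already exists for jenkins user."
else
	explain "$(date) - Generating GPG key for jenkins user."

	sudo -H -u jenkins gpg --no-tty --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: $HOSTNAME
Name-Comment: Automatically generated key for signing .buildinfo files
Expire-Date: 0
%no-ask-passphrase
%no-protection
%commit
EOF

	# the last "sec" line is the key just created (this branch only runs
	# when there was none before)
	GPG_KEY_ID="$(sudo -H -u jenkins gpg --with-colons --fixed-list-mode --list-secret-keys | grep '^sec' | cut -d: -f5 | tail -n1)"

	if [ "$GPG_KEY_ID" = "" ]
	then
		explain "$(date) - Generated GPG key but could not parse key ID"
	else
		explain "$(date) - Generated GPG key $GPG_KEY_ID - submitting to keyserver"
		# A keyserver outage used to abort the whole deployment here
		# (set -e) - and since the key now exists, this branch is never
		# reached again, so the key would silently stay unpublished. Tell
		# the operator what to do instead.
		if ! sudo -H -u jenkins gpg --send-keys $GPG_KEY_ID ; then
			explain "$(date) - WARNING: could not submit $GPG_KEY_ID to the keyserver, run 'gpg --send-keys $GPG_KEY_ID' as jenkins manually."
		fi
	fi
fi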

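#
# There's always some work left...
#	echo FIXME is ignored so check-jobs scripts can output templates requiring manual work
#
if [ "$HOSTNAME" = "jenkins" ] || [ "$HOSTNAME" = "jenkins-test-vm" ] ; then
	rgrep FI[X]ME $BASEDIR/* | grep -v echo > $TMPFILE || true
	if [ -s $TMPFILE ] ; then
		echo
		# only show cucumber FIXMEs when deploying on jenkins-test-vm
		if [ "$HOSTNAME" = "jenkins-test-vm" ] ; then
			cat $TMPFILE
		else
			# grep -v exits 1 when it filters out every line, which under
			# set -e would abort the deployment right before the stamp
			# is written - an empty listing is not an error here
			grep -v cucumber $TMPFILE || true
		fi
		echo
	fi
fi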

#
# almost finally…
#
# the stamp is written before the final per-host steps below, so a failure
# in those is not retried by the next run's "newer than stamp" checks
sudo touch $STAMP	# so on the next run, only configs newer than this file will be updated
explain "$(date) - finished deployment."
rm -f $TMPFILE

# finally!
case $HOSTNAME in
	# set time back to the future
	# These hosts run ~13 months ahead on purpose (build variation). The
	# clock stays wrong until the next run of this script pulls it back, so
	# on these hosts expect certificate/validity checks to fail and log
	# timestamps to be 398 days off when correlating events. DSA's package
	# check is stubbed out first because it would alarm permanently.
	profitbricks-build4-amd64|profitbricks-build5-amd64|profitbricks-build6-i386|profitbricks-build15-amd64|profitbricks-build16-i386)
		disable_dsa_check_packages
		sudo date --set="+398 days +6 hours + 23 minutes"
		;;
	codethink-sled9*|codethink-sled11*|codethink-sled13*|codethink-sled15*)
		disable_dsa_check_packages
		sudo date --set="+398 days +6 hours + 23 minutes"
		;;
	jenkins)
		# notify irc on updates of jenkins.d.n
		MESSAGE="jenkins.d.n updated to $(cd $BASEDIR ; git describe --always)."
		kgb-client --conf /srv/jenkins/kgb/debian-qa.conf --relay-msg "$MESSAGE"
		;;
	*)	;;
esac

echo
figlet ok
echo
echo "__$HOSTNAME=ok__"