This operation can be very dangerous:
Only create the project from scratch if you know what you're doing.
Run:
./gce/init.sh init <instance>
Where <instance>
is prod
or staging
.
The command:
/volumes
diskTo regenerate the network rules:
./gce/init.sh firewall <instance>
Note: the Bazel CI's own firewall rules are managed automatically by GCP.
After this command, you can populate the /volumes
disk of the Jenkins controllers (“masters”). There‘s one controller for each <instance>
, i.e. there’s a prod controller and a staging controller.
/volumes
diskThe Jenkins controller is connected to a persistent disk. This disk is encrypted, and it is not erased between builds nor after Jenkins restarts.
This disk is mounted under /volumes
on the Jenkins controller and has two subdirectories:
/volumes/secrets
: stores credentials needed for CI/volumes/jenkins_home
: stores permanent files for the Jenkins controller, to keep history (logs and build artifacts) even after reimaging the controller/volumes/secrets
directory/volumes/secrets
directory is filled with RSA keys, authentication tokens, and passwords. Each file refers to one particular secret, some of which have corresponding placeholders in the //jenkins/config/secrets/*.xml
files.
The secrets are:
google.oauth.clientid
and google.oauth.secret
: OAuth authentication token to the Google Cloud APIs.
To regenerate:
Go to the Cloud Console: https://console.cloud.google.com/apis/credentials?project=bazel-public
Click on “Create credentials” > “OAuth client ID”.
Application type: Web application Name: Jenkins-staging Authorized redirect URIs: https://ci-staging.bazel.io/securityRealm/finishLogin
Click create, copy the resulting Client ID and Client secret into the two files in /volumes/secrets
, without a newline at the end:
echo -n '<client id>' > google.oauth.clientid echo -n '<client secret>' > google.oauth.secret
gerritcookies
: the Git cookies file for the CI user on Gerrit
You can fetch this from https://bazel-review.googlesource.com/#/settings/http-password.
github.bazel-io.jenkins.password
: the password for the CI user on Github
To regenerate:
Run the local, testing instance of Jenkins:
bazel run //jenkins:test [-- -p <port>]
This deploys some Docker images on your local machine and starts a testing Jenkins instance, by default on port 8080.
Wait for the server to start on localhost:8080
Click “Manage Jenkins” > “Manage Credentials”.
Enter the password for the GitHub account
Click on “Save”.
This updates /var/jenkins_home/credentials.xml
inside the local Docker container with the secret.
Find the container's ID and open an interactive terminal in it:
docker ps | grep "jenkins-test" docker exec -t -i <container ID> bash
In the interactive terminal, grep the transformed password:
# inside jenkins@<container ID> cat /var/jenkins_home/credentials.xml | grep password
Copy the value of the <password>
tag and write it to /volumes/secrets/github.bazel-io.jenkins.password
.
boto_config
: a boto config file with oauth token to access GCS
github_id.rsa
and github_id_rsa.pub
: private and public SSH keys for pushing to GitHub
The Jenkins job pushes to GitHub to sync the Gerrit and GitHub repositories.
To regenerate:
SSH into the Jenkins controller
Run:
ssh-keygen -t rsa -b 4096 -C "noreply@bazel.io" -N '' -f /volumes/secrets/github_id_rsa
You must add the public key to the list of deploy keys of all repositories to sync (e.g. for Bazel at https://github.com/bazelbuild/bazel/settings/keys
).
github_token
: the “Bazel Release Token” of the “Personal access tokens” of the “ci.bazel” user on GitHub
The Jenkins controller uses this token to push Bazel releases to GitHub.
You can't see the token itself, but you can update it and then GitHub shows you the new value.
github_trigger_auth_token
: the “Jenkins GitHub Pull Request Builder” of the “Personal access tokens” of the “ci.bazel” user on GitHub
The Jenkins controller uses this token to post comments on GitHub pull requests, e.g. “All tests passed”.
You can't see the token itself, but you can update it and then GitHub shows you the new value.
apt-key.id
and apt-key.sec.gpg
: GPG key to sign the Debian packages
smtp.auth.password
and smtp.auth.username
: authentication information for the mail provider
We use a jenkins-only identifier to send emails through SendGrid.
You can now use the vm.sh
script to manipulate the Virtual Machines and the setup_mac.sh
script to setup mac nodes.