Discussion:
[cbi-dev] [Jenkinsfile + Kubernetes agent] How to deploy to download.eclipse.org?
Mickael Istria
2018-10-09 22:02:27 UTC
Permalink
Hi,

When using a kubernetes agent in a Jenkinsfile on CJE (
jenkins.eclipse.org/wildwebdeveloper in this case), how can I copy the
build output (a p2 repository) to download.eclipse.org?
I tried mounting the download.eclipse.org volume with
```
apiVersion: v1
kind: Pod
spec:
containers:
- name: container
image: kdvolder/mvn-plus-npm
tty: true
command: [ "cat" ]
volumeMounts:
- mountPath: download.eclipse.org
name: download.eclipse.org
volumes:
- name: download.eclipse.org
hostPath:
path: /home/data/httpd/download.eclipse.org
type: Directory
```
But
```
io.fabric8.kubernetes.client.KubernetesClientException: Failure executing:
POST at: https://172.30.40.1/api/v1/namespaces/cje/pods. Message:
Forbidden!Configured service account doesn't have access. Service account
may have been revoked. pods "buildtestpod-7hf52-fgxqk" is forbidden: unable
to validate against any security context constraint: [spec.volumes[0]:
Invalid value: "hostPath": hostPath volumes are not allowed to be used].
```

Any suggestion?
--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/downloads/eclipse-packages/>
developer, for Red Hat DevelopersH <https://developers.redhat.com/>
Ed Willink
2018-10-10 05:02:13 UTC
Permalink
Hi

Isn't this just an ordinary copy to downloads problem that is solved by
a separate promoter/publish job e.g.
https://ci.eclipse.org/ocl/job/promoter ?

I evolved a couple of scripts so that ultimately the promote job is just
the shell commands parameterized by the upstream job, which of course
does not promote if the upstream job fails.

rm -f downloads.sh updates.sh
curl -s -k ${PUBLISH__DOWNLOADS_SH} > downloads.sh
curl -s -k ${PUBLISH__UPDATES_SH} > updates.sh
chmod +x downloads.sh updates.sh
bash -ex downloads.sh
bash -ex updates.sh

http://git.eclipse.org/c/ocl/org.eclipse.ocl.git/tree/releng/org.eclipse.ocl.releng.build-site/downloads.sh
http://git.eclipse.org/c/ocl/org.eclipse.ocl.git/tree/releng/org.eclipse.ocl.releng.build-site/updates.sh
http://git.eclipse.org/c/ocl/org.eclipse.ocl.git/tree/releng/org.eclipse.ocl.releng.build-site/publisher.properties

Regards

Ed Willink
Post by Mickael Istria
Hi,
When using a kubernetes agent in a Jenkinsfile on CJE
(jenkins.eclipse.org/wildwebdeveloper
<http://jenkins.eclipse.org/wildwebdeveloper> in this case), how can I
copy the build output (a p2 repository) to download.eclipse.org
<http://download.eclipse.org>?
I tried mounting the download.eclipse.org
<http://download.eclipse.org> volume with
```
apiVersion: v1
kind: Pod
  - name: container
    image: kdvolder/mvn-plus-npm
    tty: true
    command: [ "cat" ]
    - mountPath: download.eclipse.org <http://download.eclipse.org>
      name: download.eclipse.org <http://download.eclipse.org>
  - name: download.eclipse.org <http://download.eclipse.org>
      path: /home/data/httpd/download.eclipse.org
<http://download.eclipse.org>
      type: Directory
```
But
```
io.fabric8.kubernetes.client.KubernetesClientException: Failure
executing: POST at: https://172.30.40.1/api/v1/namespaces/cje/pods.
Message: Forbidden!Configured service account doesn't have access.
Service account may have been revoked. pods "buildtestpod-7hf52-fgxqk"
is forbidden: unable to validate against any security context
constraint: [spec.volumes[0]: Invalid value: "hostPath": hostPath
volumes are not allowed to be used].
```
Any suggestion?
--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/downloads/eclipse-packages/>
developer, for Red Hat DevelopersH <https://developers.redhat.com/>
_______________________________________________
cbi-dev mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
Mickael Istria
2018-10-10 06:45:06 UTC
Permalink
Isn't this just an ordinary copy to downloads problem that is solved by a
separate promoter/publish job e.g. https://ci.eclipse.org/ocl/job/promoter
?
Nope, it's not, because when running from inside a Kubernetes container,
the usual /home/data/httpd/downloads.eclipse.org directory is not
accessible (container are isolated). In my previous mail, I tried to mount
this directory into the container as usual so I could use a similar copy to
the mounted directory, but see security context didn't allow it.
Mikaël Barbero
2018-10-10 07:58:22 UTC
Permalink
We don't provide access to /home/data/httpd/downloads.eclipse.org <http://downloads.eclipse.org/> via NFS on the new infra as we used to do. Instead, we provide ssh/sftp access to an isolated machine to push your bits. Do you want me to set this up for you?

Cheers,

Mikaël Barbero
Team Lead - Release Engineering | Eclipse Foundation
📱 (+33) 642 028 039 | 🐊 @mikbarbero
Eclipse Foundation <http://www.eclipse.org/>: The Platform for Open Innovation and Collaboration
Isn't this just an ordinary copy to downloads problem that is solved by a separate promoter/publish job e.g. https://ci.eclipse.org/ocl/job/promoter <https://ci.eclipse.org/ocl/job/promoter> ?
Nope, it's not, because when running from inside a Kubernetes container, the usual /home/data/httpd/downloads.eclipse.org <http://downloads.eclipse.org/> directory is not accessible (container are isolated). In my previous mail, I tried to mount this directory into the container as usual so I could use a similar copy to the mounted directory, but see security context didn't allow it.
_______________________________________________
cbi-dev mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev
Mickael Istria
2018-10-10 08:35:48 UTC
Permalink
On Wednesday, October 10, 2018, Mikaël Barbero <
Post by Mikaël Barbero
Instead, we provide ssh/sftp access to an isolated machine to push your
bits. Do you want me to set this up for you?
Yes, please.
--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/downloads/eclipse-packages/>
developer, for Red Hat Developers <https://developers.redhat.com/>
Mickael Istria
2018-10-10 10:54:22 UTC
Permalink
Post by Mickael Istria
On Wednesday, October 10, 2018, Mikaël Barbero <
Post by Mikaël Barbero
Instead, we provide ssh/sftp access to an isolated machine to push your
bits. Do you want me to set this up for you?
Yes, please.
By the way, do you want me to open a bug for that?
--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/downloads/eclipse-packages/>
developer, for Red Hat Developers <https://developers.redhat.com/>
Frederic Gurr
2018-10-10 10:58:40 UTC
Permalink
Yes, please open a bug for this.
On Wednesday, October 10, 2018, Mikaël Barbero
Instead, we provide ssh/sftp access to an isolated machine to
push your bits. Do you want me to set this up for you?
Yes, please.
By the way, do you want me to open a bug for that?
--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/downloads/eclipse-packages/>
developer, for Red Hat Developers <https://developers.redhat.com/>
_______________________________________________
cbi-dev mailing list
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cbi-dev
--
Frederic Gurr
Release Engineer | Eclipse Foundation Europe GmbH

Annastr. 44, D-64673 Zwingenberg
Handelsregister: Darmstadt HRB 92821
Managing Directors: Ralph Mueller, Mike Milinkovich, Chris Laroque
Mickael Istria
2018-10-10 11:07:02 UTC
Permalink
On Wed, Oct 10, 2018 at 12:58 PM Frederic Gurr <
Post by Frederic Gurr
Yes, please open a bug for this.
Let's continue this chat on
https://bugs.eclipse.org/bugs/show_bug.cgi?id=539991 then.
Thanks in advance!
--
Mickael Istria
Eclipse IDE <https://www.eclipse.org/downloads/eclipse-packages/>
developer, for Red Hat Developers <https://developers.redhat.com/>
Loading...