Remove all references to Docker daemon and tcp port 2375
The Gerrit-CI is now a lot more secure and there is no longer any need
to allow anyone to access the Docker daemon that is running Jenkins.
Change-Id: Iaacd85c95068188e049653535bafa06f8d199194
diff --git a/jenkins-docker/README.md b/jenkins-docker/README.md
index aa72340..c4cde81 100644
--- a/jenkins-docker/README.md
+++ b/jenkins-docker/README.md
@@ -53,65 +53,3 @@
If your not familar with docker please follow https://docs.docker.com/get-started/
-## Contributing agent to Gerrit Code Review verification
-
-* Set up root server with running docker service.
-* Generate ecdsa SSH key and send public key to CI maintainer:
-
-----
- $ ssh-keygen -t ecdsa -b 521
-----
-
-* Ask CI maintainer to generate for you unique agent id.
-
-* Run `cat /proc/cpuinfo` and report CI maintainer the number of CPUs, so
-that your agent would not get overloaded.
-
-* Clone gerrit-ci-scripts repository:
-
-----
- $ git clone https://gerrit.googlesource.com/gerrit-ci-scripts
-----
-
-* Make sure `ppp` package is installed, e.g. on Ubuntu run:
-
-----
- $ apt-get install ppp
-----
-
-* Activate Docker's remote API. On Ubuntu, add this option to systemd script:
-
-----
- $ cat /lib/systemd/system/docker.service
- [...]
- ExecStart=/usr/bin/dockerd -H tcp://10.0.9.1:2375 -H fd://
-----
-
-Caution: Don't expose generic interface: `-H tcp://0.0.0.0:2375`,
-otherwise, your Docker container could be hijacked.
-
-* Reload systemd and restart docker service:
-
-----
- $ systemctl daemon-reload
- $ systemctl restart docker.service
-----
-
-* Add this line to crontab job (replace <your_agent_id>):
-
-----
-*/5 * * * * /root/gerrit-ci-scripts/worker/tunnel.sh <your_agent_id>
-----
-
-* In case your server is behind a Firewall, open tcp/2375 port for
-incoming requests.
-
-* Check on https://gerrit-ci.gerritforge.com and running `docker ps`
-that your agent is up and running and build jobs are scheduled. If all
-went well and when jobs have arrived you should see something like:
-
-----
- $ docker ps
- CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS
- d9ff4b6a8b1c gerritforge/jenkins-agent-bazel:debian "bash -x /bin/star..." 6 minutes ago Up 6 minutes 0.0.0.0:32792->22/tcp
-----
diff --git a/jenkins-internal/gatling-test-pipeline.groovy b/jenkins-internal/gatling-test-pipeline.groovy
index a21f365..389baf1 100644
--- a/jenkins-internal/gatling-test-pipeline.groovy
+++ b/jenkins-internal/gatling-test-pipeline.groovy
@@ -51,10 +51,6 @@
}
environment {
- DOCKER_HOST = """${sh(
- returnStdout: true,
- script: '/sbin/ip route|awk \'/default/ {print "tcp://"\$3":2375"}\''
- )}"""
HTTP_SUBDOMAIN = String.format("http-%s-%s.%s", "jenkins", epochTime, "${params.BASE_SUBDOMAIN}")
SSH_SUBDOMAIN = String.format("ssh-%s-%s.%s", "jenkins", epochTime, "${params.BASE_SUBDOMAIN}")
GERRIT_HTTP_URL = String.format("%s://%s.%s", "${params.GERRIT_HTTP_SCHEMA}", HTTP_SUBDOMAIN, "${params.HOSTED_ZONE_NAME}")
diff --git a/jenkins/set-docker-host.sh b/jenkins/set-docker-host.sh
deleted file mode 100755
index 15e66fa..0000000
--- a/jenkins/set-docker-host.sh
+++ /dev/null
@@ -1,2 +0,0 @@
-#!/bin/bash -e
-export DOCKER_HOST=`/sbin/ip route|awk '/default/ {print "tcp://"$3":2375"}'`
diff --git a/worker/README.md b/worker/README.md
deleted file mode 100644
index 9d608f9..0000000
--- a/worker/README.md
+++ /dev/null
@@ -1,14 +0,0 @@
-This holds scripts for spinning up extra workers for gerrit CI on GCE.
-
-VMs should be created as:
-
- * named $DESCRIPTION-40, $DESCRIPTION-41, etc; the numbers should
- be free in the CI master
-
- * Machine: 24 CPUs/90G RAM.
-
- * Disk: RHEL 7 hardened image on 100G SSD Persistent Disk
-
- * SSH: add your personal key.
-
-Run `setup-all.sh` to start workers.
diff --git a/worker/daemon.json b/worker/daemon.json
deleted file mode 100644
index 4a77f1e..0000000
--- a/worker/daemon.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{
- "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
-}
diff --git a/worker/setup-all.sh b/worker/setup-all.sh
deleted file mode 100644
index cf6784e..0000000
--- a/worker/setup-all.sh
+++ /dev/null
@@ -1,59 +0,0 @@
-#!/bin/sh
-
-if [[ -z "$num" ]]; then
- echo "Must set 'num'"
- exit 1
-fi
-
-if [[ -z "$DESCRIPTION" ]]; then
- echo "Must set 'DESCRIPTION'"
- exit 1
-fi
-
-if [[ -z "$GCE_PROJECT" ]]; then
- echo "Must set 'GCE_PROJECT'"
- exit 1
-fi
-
-n=num
-for zone in us-east4-a \
- us-central1-c \
- us-east1-b \
- us-west1-b \
- europe-west1-b \
- europe-west4-a ; \
-do
- gcloud \
- --project=${GCE_PROJECT} \
- compute instances create \
- --custom-cpu=24 \
- --custom-memory=90 \
- --image-project eip-images \
- --image-family rhel-7-drawfork \
- --boot-disk-size=100GB \
- --boot-disk-type=pd-ssd \
- --zone=${zone} \
- ${DESCRIPTION}-${n} &
- n=$(($n+1))
-done
-wait
-
-
-# Install our key
-KEY=$(ssh-add -L |grep -v cert)
-for n in $(seq ${num} $((${num} + 5))) ; do
- gcloud --project=${GCE_PROJECT} compute ssh ${DESCRIPTION}-${n} \
- --command="echo ${KEY} >> .ssh/authorized_keys"
-done
-
-# setup docker.
-IPS=$(gcloud --project=${GCE_PROJECT} compute instances list | awk '{print $9;}')
-for DEST in $IPS ; do
- echo $DEST && \
- scp -o StrictHostKeyChecking=no $HOME/.ssh/gerritforge/id_ecdsa ${DEST}: && \
- scp worker/* ${DEST}: && \
-
- # this takes a while.
- ssh ${DEST} 'sudo sh -x $(pwd)/setup.sh' &
-done
-wait
diff --git a/worker/setup-tunnel.service b/worker/setup-tunnel.service
deleted file mode 100644
index 2a3a0ac..0000000
--- a/worker/setup-tunnel.service
+++ /dev/null
@@ -1,10 +0,0 @@
-[Unit]
-After=network.target
-
-[Service]
-ExecStart=/root/tunnel.sh
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=default.target
diff --git a/worker/setup.sh b/worker/setup.sh
deleted file mode 100755
index 50675f4..0000000
--- a/worker/setup.sh
+++ /dev/null
@@ -1,32 +0,0 @@
-#!/bin/bash
-cd /root
-
-# install reqs.
-dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo && dnf update -y
-yum install -y docker-ce ppp telnet git
-
-mkdir -p .ssh
-
-src=$(dirname $0)
-cp $src/id_ecdsa .ssh/
-
-# recognize gerritforge.
-if ! grep --quiet 'gerrit-ci' .ssh/known_hosts ; then
- echo '[gerrit-ci.gerritforge.com]:1022,[8.26.94.23]:1022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUylKwtTDROpPce/sCfdMMR+N116TsZx5n4YHO8qPLaEhEXld+1T+hWe/HuITafW182hTnOjMHlK/GwH9A7KOS9XHHdBtHCYx0lH78kb+fvZsUtyuGlbQNXzQuyBIpJoYOtMRhn5aHR1sn1USHnnZp1V1dpDu/HYHjpj4pyA8I4i2BE89OVblxyggdulvgLfaLFJ+6Q9U+Mf+SHpufgsXDNlG/KTQVHioONoOnu47qbhJLSK+w5Q3dzaLa2CTPCZgdOFf3g6AQJWMKDEkTnReT9bR97lg1T59GoK2pLpem1gokiUQ052/qH/cL/b38XtW/IJCK9HmrV5Whc26dDg95' >> .ssh/known_hosts
-fi
-
-if ! grep --quiet net.ipv4.ip_forward=1 /etc/sysctl.conf; then
- echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
- sysctl net.ipv4.ip_forward=1
-fi
-
-cp ${src}/daemon.json /etc/docker/
-cp ${src}/setup-tunnel.service /etc/systemd/system/
-cp ${src}/tunnel.sh /root
-
-systemctl daemon-reload
-systemctl enable docker
-systemctl start docker
-systemctl restart docker
-systemctl enable setup-tunnel.service
-systemctl start setup-tunnel.service
diff --git a/worker/tunnel.sh b/worker/tunnel.sh
deleted file mode 100755
index cdc0f85..0000000
--- a/worker/tunnel.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-
-if [[ -z "$1" ]]; then
- WORKER=$(hostname | sed 's|.*-\([0-9]*\)$|\1|')
- echo "using worker ID $WORKER"
-else
- WORKER=$1
-fi
-
-cd /root
-set -ue
-
-if [[ -f ".ssh/id_ecdsa" ]]; then
- chmod 0600 .ssh/id_ecdsa
-else
- echo "SSH ID missing."
- exit 1
-fi
-
-export TIMEOUT=10
-export SUBNET=10.0.$WORKER
-
-echo "Checking connectivity to new-ci ..."
-PIDS=$(ps -a -o pid,ppid,cmd | grep ssh | grep gerrit-ci.gerritforge.com | grep -v grep | awk '{print $1}')
-
-if [[ -n "$PIDS" ]] ; then
- if ping -q -c 1 -w $TIMEOUT $SUBNET.2 > /dev/null
- then
- echo OK
- exit 0
- fi
-fi
-
-echo "no connection; Killing stale PIDs $PIDS"
-for i in $PIDS; do
- kill -9 $i;
-done
-
-# Ugh. SELinux disallows PPPD to execute SSH.
-setenforce 0
-
-/usr/sbin/pppd \
- nodetach noauth silent nodeflate pty \
- "/usr/bin/ssh -p 1022 gerrit-ci.gerritforge.com /usr/sbin/pppd nodetach notty noauth" ipparam vpn $SUBNET.1:$SUBNET.2
-