Google Git
Sign in
gerrit / gerrit-ci-scripts / refs/heads/master^! / .
commit3d8c7a19eb0255662846bab8fda7b7ae01a5a96b[log] [tgz]
authorLuca Milanesio <luca.milanesio@gmail.com>Wed Apr 17 13:13:13 2024 +0100
committerLuca Milanesio <luca.milanesio@gmail.com>Fri Apr 26 15:30:34 2024 +0000
tree37539f92135a39e760af85f7d21778fbe61aad99
parentf5d6d95ca7bdf748d40d793b0ad986430aa6db7a [diff]
Remove all references to Docker daemon and tcp port 2375

The Gerrit-CI is now a lot more secure and there isn't anymore
the need to allow anyone to access the Docker daemon that is
running Jenkins.

Change-Id: Iaacd85c95068188e049653535bafa06f8d199194

diff --git a/jenkins-docker/README.md b/jenkins-docker/README.md
index aa72340..c4cde81 100644
--- a/jenkins-docker/README.md
+++ b/jenkins-docker/README.md

@@ -53,65 +53,3 @@
 
 If your not familar with docker please follow https://docs.docker.com/get-started/
 
-## Contributing agent to Gerrit Code Review verification
-
-* Set up root server with running docker service.
-* Generate ecdsa SSH key and send public key to CI maintainer:
-
-----
-  $ ssh-keygen -t ecdsa -b 521
-----
-
-* Ask CI maintainer to generate for you unique agent id.
-
-* Run `cat /proc/cpuinfo` and report CI maintainer the number of CPUs, so
-that your agent would not get overloaded.
-
-* Clone gerrit-ci-scripts repository:
-
-----
-  $ git clone https://gerrit.googlesource.com/gerrit-ci-scripts
-----
-
-* Make sure `ppp` package is installed, e.g. on Ubuntu run:
-
-----
-  $ apt-get install ppp
-----
-
-* Activate Docker's remote API. On Ubuntu, add this option to systemd script:
-
-----
-  $ cat /lib/systemd/system/docker.service
-  [...]
-  ExecStart=/usr/bin/dockerd -H tcp://10.0.9.1:2375 -H fd://
-----
-
-Caution: Don't expose generic interface: `-H tcp://0.0.0.0:2375`,
-otherwise, your Docker container could be hijacked.
-
-* Reload systemd and restart docker service:
-
-----
-  $ systemctl daemon-reload
-  $ systemctl restart docker.service
-----
-
-* Add this line to crontab job (replace <your_agent_id>):
-
-----
-*/5 * * * * /root/gerrit-ci-scripts/worker/tunnel.sh <your_agent_id>
-----
-
-* In case your server is behind a Firewall, open tcp/2375 port for
-incoming requests.
-
-* Check on https://gerrit-ci.gerritforge.com and running `docker ps`
-that your agent is up and running and build jobs are scheduled. If all
-went well and when jobs have arrived you should see something like:
-
-----
-  $ docker ps
-  CONTAINER ID        IMAGE                                    COMMAND                  CREATED             STATUS              PORTS
-  d9ff4b6a8b1c        gerritforge/jenkins-agent-bazel:debian   "bash -x /bin/star..."   6 minutes ago       Up 6 minutes        0.0.0.0:32792->22/tcp
-----

diff --git a/jenkins-internal/gatling-test-pipeline.groovy b/jenkins-internal/gatling-test-pipeline.groovy
index a21f365..389baf1 100644
--- a/jenkins-internal/gatling-test-pipeline.groovy
+++ b/jenkins-internal/gatling-test-pipeline.groovy

@@ -51,10 +51,6 @@
         }
 
        environment {
-            DOCKER_HOST = """${sh(
-                returnStdout: true,
-                script: '/sbin/ip route|awk \'/default/ {print "tcp://"\$3":2375"}\''
-            )}"""
             HTTP_SUBDOMAIN = String.format("http-%s-%s.%s", "jenkins", epochTime, "${params.BASE_SUBDOMAIN}")
             SSH_SUBDOMAIN = String.format("ssh-%s-%s.%s", "jenkins", epochTime, "${params.BASE_SUBDOMAIN}")
             GERRIT_HTTP_URL = String.format("%s://%s.%s", "${params.GERRIT_HTTP_SCHEMA}", HTTP_SUBDOMAIN, "${params.HOSTED_ZONE_NAME}")

diff --git a/jenkins/set-docker-host.sh b/jenkins/set-docker-host.sh
deleted file mode 100755
index 15e66fa..0000000
--- a/jenkins/set-docker-host.sh
+++ /dev/null

@@ -1,2 +0,0 @@
-#!/bin/bash -e
-export DOCKER_HOST=`/sbin/ip route|awk '/default/ {print "tcp://"$3":2375"}'`

diff --git a/worker/README.md b/worker/README.md
deleted file mode 100644
index 9d608f9..0000000
--- a/worker/README.md
+++ /dev/null

@@ -1,14 +0,0 @@
-This holds scripts for spinning up extra workers for gerrit CI on GCE.
-
-VMs should be created as:
-
- * named $DESCRIPTION-40, $DESCRIPTION-41, etc; the numbers should
-   be free in the CI master
-
- * Machine: 24 CPUs/90G RAM.
-
- * Disk: RHEL 7 hardened image on 100G SSD Persistent Disk
-
- * SSH: add your personal key.
-
-Run `setup-all.sh` to start workers.

diff --git a/worker/daemon.json b/worker/daemon.json
deleted file mode 100644
index 4a77f1e..0000000
--- a/worker/daemon.json
+++ /dev/null

@@ -1,3 +0,0 @@
-{
-  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
-}

diff --git a/worker/setup-all.sh b/worker/setup-all.sh
deleted file mode 100644
index cf6784e..0000000
--- a/worker/setup-all.sh
+++ /dev/null

@@ -1,59 +0,0 @@
-#!/bin/sh
-
-if [[ -z "$num" ]]; then
-  echo "Must set 'num'"
-  exit 1
-fi
-
-if [[ -z "$DESCRIPTION" ]]; then
-  echo "Must set 'DESCRIPTION'"
-  exit 1
-fi
-
-if [[ -z "$GCE_PROJECT" ]]; then
-  echo "Must set 'GCE_PROJECT'"
-  exit 1
-fi
-
-n=num
-for zone in us-east4-a \
-  us-central1-c \
-  us-east1-b \
-  us-west1-b \
-  europe-west1-b \
-  europe-west4-a ; \
-do
-  gcloud \
-   --project=${GCE_PROJECT} \
-   compute instances create \
-   --custom-cpu=24 \
-   --custom-memory=90 \
-   --image-project eip-images \
-   --image-family rhel-7-drawfork \
-   --boot-disk-size=100GB \
-   --boot-disk-type=pd-ssd \
-   --zone=${zone} \
-   ${DESCRIPTION}-${n} &
-   n=$(($n+1))
-done
-wait
-
-
-# Install our key
-KEY=$(ssh-add -L |grep -v cert)
-for n in $(seq ${num} $((${num} + 5))) ; do
-  gcloud --project=${GCE_PROJECT} compute ssh ${DESCRIPTION}-${n} \
-    --command="echo ${KEY} >> .ssh/authorized_keys"
-done
-
-# setup docker.
-IPS=$(gcloud --project=${GCE_PROJECT} compute instances list  | awk '{print $9;}')
-for DEST in $IPS ; do
-    echo $DEST && \
-    scp -o StrictHostKeyChecking=no $HOME/.ssh/gerritforge/id_ecdsa ${DEST}: && \
-    scp worker/* ${DEST}: && \
-
-    # this takes a while.
-    ssh ${DEST} 'sudo sh -x $(pwd)/setup.sh' &
-done
-wait

diff --git a/worker/setup-tunnel.service b/worker/setup-tunnel.service
deleted file mode 100644
index 2a3a0ac..0000000
--- a/worker/setup-tunnel.service
+++ /dev/null

@@ -1,10 +0,0 @@
-[Unit]
-After=network.target
-
-[Service]
-ExecStart=/root/tunnel.sh
-Restart=always
-RestartSec=10
-
-[Install]
-WantedBy=default.target

diff --git a/worker/setup.sh b/worker/setup.sh
deleted file mode 100755
index 50675f4..0000000
--- a/worker/setup.sh
+++ /dev/null

@@ -1,32 +0,0 @@
-#!/bin/bash
-cd /root
-
-# install reqs.
-dnf config-manager --add-repo=https://download.docker.com/linux/centos/docker-ce.repo && dnf update -y
-yum install -y docker-ce ppp telnet git
-
-mkdir -p .ssh
-
-src=$(dirname $0)
-cp $src/id_ecdsa .ssh/
-
-# recognize gerritforge.
-if ! grep --quiet 'gerrit-ci' .ssh/known_hosts ; then
-    echo '[gerrit-ci.gerritforge.com]:1022,[8.26.94.23]:1022 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUylKwtTDROpPce/sCfdMMR+N116TsZx5n4YHO8qPLaEhEXld+1T+hWe/HuITafW182hTnOjMHlK/GwH9A7KOS9XHHdBtHCYx0lH78kb+fvZsUtyuGlbQNXzQuyBIpJoYOtMRhn5aHR1sn1USHnnZp1V1dpDu/HYHjpj4pyA8I4i2BE89OVblxyggdulvgLfaLFJ+6Q9U+Mf+SHpufgsXDNlG/KTQVHioONoOnu47qbhJLSK+w5Q3dzaLa2CTPCZgdOFf3g6AQJWMKDEkTnReT9bR97lg1T59GoK2pLpem1gokiUQ052/qH/cL/b38XtW/IJCK9HmrV5Whc26dDg95' >> .ssh/known_hosts
-fi
-
-if ! grep --quiet net.ipv4.ip_forward=1 /etc/sysctl.conf; then
-    echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
-    sysctl net.ipv4.ip_forward=1
-fi
-
-cp ${src}/daemon.json /etc/docker/
-cp ${src}/setup-tunnel.service /etc/systemd/system/
-cp ${src}/tunnel.sh /root
-
-systemctl daemon-reload
-systemctl enable docker
-systemctl start docker
-systemctl restart docker
-systemctl enable setup-tunnel.service
-systemctl start setup-tunnel.service

diff --git a/worker/tunnel.sh b/worker/tunnel.sh
deleted file mode 100755
index cdc0f85..0000000
--- a/worker/tunnel.sh
+++ /dev/null

@@ -1,46 +0,0 @@
-#!/bin/bash
-
-
-if [[ -z "$1" ]]; then
-    WORKER=$(hostname | sed 's|.*-\([0-9]*\)$|\1|')
-    echo "using worker ID $WORKER"
-else
-    WORKER=$1
-fi
-
-cd /root
-set -ue
-
-if [[ -f ".ssh/id_ecdsa" ]]; then
-    chmod 0600 .ssh/id_ecdsa
-else
-    echo "SSH ID missing."
-    exit 1
-fi
-
-export TIMEOUT=10
-export SUBNET=10.0.$WORKER
-
-echo "Checking connectivity to new-ci ..."
-PIDS=$(ps -a -o pid,ppid,cmd | grep ssh | grep gerrit-ci.gerritforge.com | grep -v grep | awk '{print $1}')
-
-if [[ -n "$PIDS" ]] ; then
-  if ping -q -c 1 -w $TIMEOUT $SUBNET.2 > /dev/null
-  then
-      echo OK
-      exit 0
-  fi
-fi
-
-echo "no connection; Killing stale PIDs $PIDS"
-for i in $PIDS; do
-  kill -9 $i;
-done
-
-# Ugh. SELinux disallows PPPD to execute SSH.
-setenforce 0
-
-/usr/sbin/pppd \
-      nodetach noauth silent nodeflate pty \
-      "/usr/bin/ssh -p 1022 gerrit-ci.gerritforge.com /usr/sbin/pppd nodetach  notty noauth" ipparam vpn $SUBNET.1:$SUBNET.2
-