From 577ead111ed8bbc4f10d5446204bacfe49e050ea Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Wed, 15 Jul 2026 16:04:09 -0500 Subject: [PATCH 1/3] Moved create_swap_file.sh and initialize-user-data.sh from mender-qa/scripts to buildscripts/ci Ticket: ENT-11241 Changelog: none --- ci/create_swap_file.sh | 24 +++++++++ ci/initialize-user-data.sh | 101 +++++++++++++++++++++++++++++++++++++ 2 files changed, 125 insertions(+) create mode 100755 ci/create_swap_file.sh create mode 100644 ci/initialize-user-data.sh diff --git a/ci/create_swap_file.sh b/ci/create_swap_file.sh new file mode 100755 index 000000000..1339d323d --- /dev/null +++ b/ci/create_swap_file.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash +# bash is needed in order to use the "time" built-in and avoid needing +# an external utility. + +set -e # exit on error + +# Argument $1 is the size in megabytes +if [ x"$1" = x ] || echo "$1" | grep -q '[^0-9]' +then + exit 2 +fi +SIZE="$1" + +if swapon | grep /swapfile >/dev/null; then + echo "/swapfile already configured and setup. Exiting." + exit 0 +fi + +time dd if=/dev/zero of=/swapfile bs=1M count=$SIZE +chmod 0600 /swapfile + +PATH=$PATH:/sbin:/usr/sbin +mkswap /swapfile +swapon /swapfile diff --git a/ci/initialize-user-data.sh b/ci/initialize-user-data.sh new file mode 100644 index 000000000..8a40a19ef --- /dev/null +++ b/ci/initialize-user-data.sh @@ -0,0 +1,101 @@ +#!/bin/false + +# This file should be sourced, not run. + +# This script will do build slave setup, including creating credentials for the +# jenkins user, based on root's credentials (will copy its keys). The script is +# expected to be sourced early in the user-data phase after provisioning. + +# It will also create a port forwarding rule from port 222 to localhost:22. This +# is equivalent to logging in on port 22, but the reason this is necessary is to +# stop Jenkins from logging in too early. If it tries to login too early, it +# will find the port open, but the key for the jenkins user might not be +# accepted yet, and it will give up. However, if we keep port 222 closed until +# we know it's ready, it will keep trying and eventually succeed. + +# Make sure error detection and verbose output is on, if they aren't already. +set -x -e + +# Add jenkins user and copy credentials. +useradd -m -u 1010 jenkins || true +mkdir -p /home/jenkins/.ssh +# copy /root/.ssh/authorized_keys to /home/jenkins/.ssh, removing everything +# before 'ssh-rsa'. Some platforms have forcecommand='echo "root access disabled"' +# there. +sed 's/.*ssh-rsa/ssh-rsa/' /root/.ssh/authorized_keys >/home/jenkins/.ssh/authorized_keys || true + +# Enable sudo access for jenkins. +echo "jenkins ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers + +# Disable TTY requirement. +sed -i -e 's/^\( *Defaults *requiretty *\)$/# \1/' /etc/sudoers + +# Copy the mender-qa repository to jenkins user. +cp -r /root/mender-qa /home/jenkins +cp /root/mender-qa/data/known_hosts /home/jenkins/.ssh/known_hosts + + +# add authorized_keys file before chowning, so that initialize-build-host.sh can manage +touch /home/jenkins/.ssh/authorized_keys + +# Make sure everything in jenkins' folder has right owner. +chown -R jenkins:jenkins /home/jenkins + +groupadd -r kvm || true # In case it already exists. +usermod -a -G kvm jenkins + +# change hostname to localhost +# it will fix sudo complaining "unable to resolve host digitalocean", +# and some tests +hostname localhost +# Ensure reverse hostname resolution is correct and 127.0.0.1 is always 'localhost'. +# There's no nice shell command to test it but this one: +# python -c 'import socket;print socket.gethostbyaddr("127.0.0.1")' +if test -f /etc/hosts; then + sed -i -e '1s/^/127.0.0.1 localhost localhost.localdomain\n/' /etc/hosts +else + echo '127.0.0.1 localhost localhost.localdomain' >/etc/hosts +fi + +# Open SSH port on 222. +if type iptables >/dev/null 2>&1; then + iptables -t nat -I PREROUTING 1 -p tcp --dport 222 -j DNAT --to-dest :22 + iptables -t nat -I OUTPUT 1 -p tcp --dst 127.0.0.1 --dport 222 -j DNAT --to-dest :22 +else + # for RHEL8: change port number in sshd_config and allow it in SELinux policy + yum -e 0 -d 0 -y install policycoreutils-python-utils + semanage port -a -t ssh_port_t -p tcp 222 + sed -i '/Port 22/a Port 222' /etc/ssh/sshd_config + systemctl restart sshd +fi + +apt_get() { + # Work around apt-get not waiting for a lock if it's taken. We want to wait + # for it instead of bailing out. No good return code to check unfortunately, + # so we just have to look inside the log. + + pid=$$ + # Maximum five minute wait (30 * 10 seconds) + attempts=30 + + while true + do + ( /usr/bin/apt-get "$@" 2>&1 ; echo $? > /tmp/apt-get-return-code.$pid.txt ) | tee /tmp/apt-get.$pid.log + if [ $attempts -gt 0 ] && \ + [ "$(cat /tmp/apt-get-return-code.$pid.txt)" -ne 0 ] && \ + fgrep "Could not get lock" /tmp/apt-get.$pid.log > /dev/null + then + attempts=$(expr $attempts - 1 || true) + sleep 10 + else + break + fi + done + + ret_code=$(cat /tmp/apt-get-return-code.$pid.txt) + rm -f /tmp/apt-get-return-code.$pid.txt /tmp/apt-get.$pid.log + + return $ret_code +} +alias apt=apt_get +alias apt-get=apt_get From 7c859f0ad691bc7d7ea13fdf63533ff37aad3b10 Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Thu, 16 Jul 2026 13:36:46 -0500 Subject: [PATCH 2/3] Remove SSH port forwarding from initialization script Taken from mender-qa commit c4eb419bf32ad9b840e794dc5ec781c846e8ff22 Ticket: ENT-11241 Changelog: none --- ci/initialize-user-data.sh | 19 ------------------- 1 file changed, 19 deletions(-) diff --git a/ci/initialize-user-data.sh b/ci/initialize-user-data.sh index 8a40a19ef..435127570 100644 --- a/ci/initialize-user-data.sh +++ b/ci/initialize-user-data.sh @@ -6,13 +6,6 @@ # jenkins user, based on root's credentials (will copy its keys). The script is # expected to be sourced early in the user-data phase after provisioning. -# It will also create a port forwarding rule from port 222 to localhost:22. This -# is equivalent to logging in on port 22, but the reason this is necessary is to -# stop Jenkins from logging in too early. If it tries to login too early, it -# will find the port open, but the key for the jenkins user might not be -# accepted yet, and it will give up. However, if we keep port 222 closed until -# we know it's ready, it will keep trying and eventually succeed. - # Make sure error detection and verbose output is on, if they aren't already. set -x -e @@ -57,18 +50,6 @@ else echo '127.0.0.1 localhost localhost.localdomain' >/etc/hosts fi -# Open SSH port on 222. -if type iptables >/dev/null 2>&1; then - iptables -t nat -I PREROUTING 1 -p tcp --dport 222 -j DNAT --to-dest :22 - iptables -t nat -I OUTPUT 1 -p tcp --dst 127.0.0.1 --dport 222 -j DNAT --to-dest :22 -else - # for RHEL8: change port number in sshd_config and allow it in SELinux policy - yum -e 0 -d 0 -y install policycoreutils-python-utils - semanage port -a -t ssh_port_t -p tcp 222 - sed -i '/Port 22/a Port 222' /etc/ssh/sshd_config - systemctl restart sshd -fi - apt_get() { # Work around apt-get not waiting for a lock if it's taken. We want to wait # for it instead of bailing out. No good return code to check unfortunately, From c64cd58b7effa6d8efcd42da37cd7fcb2d85606d Mon Sep 17 00:00:00 2001 From: Craig Comstock Date: Fri, 17 Jul 2026 08:33:01 -0500 Subject: [PATCH 3/3] Tidied up initialize-user-data.sh and initialize-build-host.sh scripts for move from mender-qa to buildscripts Ticket: ENT-11241 Changelog: none --- ci/initialize-build-host.sh | 9 +++++---- ci/initialize-user-data.sh | 7 ++++--- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/ci/initialize-build-host.sh b/ci/initialize-build-host.sh index a7ab1cf81..90bbc9392 100644 --- a/ci/initialize-build-host.sh +++ b/ci/initialize-build-host.sh @@ -204,9 +204,9 @@ reset_nested_vm() { if sudo dmesg | grep -q "BIOS Google" then # We're in Google Cloud, so just need to run nested-vm script again - if [ ! -d $HOME/mender-qa ] + if [ ! -d $HOME/buildscripts ] then - echo "Where is mender-qa repo gone?" + echo "Where is buildscripts repo gone?" sudo ls -lap $HOME exit 1 fi @@ -231,6 +231,7 @@ reset_nested_vm() { sudo arp -d $ip fi fi + # TODO, remove this, we don't need or use or test nested-vms $HOME/mender-qa/scripts/nested-vm.sh $HOME/*.qcow2 login="`cat $(pwd)/proxy-target.txt`" if $RSH $login true @@ -363,9 +364,9 @@ then # the repository in provisioning. Permanent hosts don't keep it in HOME, # in order to avoid it getting stale, and will have it in the WORKSPACE # instead, synced separately below. - if [ -d $HOME/mender-qa ] + if [ -d $HOME/buildscripts ] then - $RSYNC -e "$RSH" $HOME/mender-qa $login:. + $RSYNC -e "$RSH" $HOME/buildscripts $login:. fi # Copy the workspace. If there is no workspace defined, we are not in the diff --git a/ci/initialize-user-data.sh b/ci/initialize-user-data.sh index 435127570..605251874 100644 --- a/ci/initialize-user-data.sh +++ b/ci/initialize-user-data.sh @@ -23,9 +23,10 @@ echo "jenkins ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers # Disable TTY requirement. sed -i -e 's/^\( *Defaults *requiretty *\)$/# \1/' /etc/sudoers -# Copy the mender-qa repository to jenkins user. -cp -r /root/mender-qa /home/jenkins -cp /root/mender-qa/data/known_hosts /home/jenkins/.ssh/known_hosts +# Copy the buildscripts repository to jenkins user. +cp -r /root/buildscripts /home/jenkins +# was copying build-artifacts-cache known host entry +#cp /root/mender-qa/data/known_hosts /home/jenkins/.ssh/known_hosts # add authorized_keys file before chowning, so that initialize-build-host.sh can manage