ansible: docker-host-x64 setup

nodejs · Oct 22, 2019 · 1baf51a · 1baf51a
1 parent 2e65cde
commit 1baf51a
Show file tree

Hide file tree

Showing 4 changed files with 89 additions and 1 deletion.
diff --git a/ansible/roles/baselayout/vars/main.yml b/ansible/roles/baselayout/vars/main.yml
@@ -120,7 +120,7 @@ packages: {
   ],
 
   ubuntu: [
-    'ccache,g++,gcc,git,libfontconfig1,sudo',
+    'ccache,g++,gcc,git,libfontconfig1,sudo,python3-pip',
   ],
 
   ubuntu1404: [

diff --git a/ansible/roles/jenkins-worker/files/docker-node-exec.sh b/ansible/roles/jenkins-worker/files/docker-node-exec.sh
@@ -0,0 +1,54 @@
+#!/bin/bash
+
+## This script is designed to be enabled in /etc/sudoers for the `iojs` user,
+## the only privileged access that user has to Docker.
+## Since there is considerable access given by selecting arbitrary images and
+## execution commands, there are still security concerns and additions of new
+## images and changes to existing ones as well as the Bash that's executed
+## inside them should be monitored for malicious activity.
+
+set -e
+
+OPTIND=1
+image_base="rvagg/node-ci-containers"
+image_tag=
+exec_script="node-ci-exec.sh"
+
+while getopts "i:" opt; do
+    case "$opt" in
+    i)
+        if [[ "$OPTARG" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+          image_tag=$OPTARG
+        else
+          echo "Bad -i value"
+          exit 1
+        fi
+        ;;
+    *)
+        echo "Wut?"
+        exit 1
+    esac
+done
+
+if test "$image_tag" = ""; then
+  echo "Did not provide the docker image [-i]"
+  exit 1
+fi
+
+if [ ! -f "$(pwd)/$exec_script" ]; then
+  echo "Did not provide a node-ci-exec.sh script"
+  exit 1
+fi
+
+set -x
+
+image="${image_base}:${image_tag}"
+docker pull "${image}"
+docker run \
+  --init \
+  --rm \
+  -v $(pwd):/home/iojs/workspace \
+  -v /home/iojs/.ccache/${image_tag}:/home/iojs/.ccache \
+  -u iojs \
+  "${image}" \
+  /bin/sh -xc "cd /home/iojs/workspace && . ./$exec_script"
diff --git a/ansible/roles/jenkins-worker/tasks/main.yml b/ansible/roles/jenkins-worker/tasks/main.yml
@@ -110,6 +110,10 @@
   when: "'scaleway-ubuntu1804-armv7l' in inventory_hostname"
   include: "{{ role_path }}/tasks/partials/scaleway-armv7.yml"
 
+- name: run docker-host-x64 jenkins-worker setup
+  when: "'ubuntu1804_docker-x64' in inventory_hostname"
+  include: "{{ role_path }}/tasks/partials/docker-host-x64.yml"
+
 # @TODO(mhdawson): get tap2junit working on zOS
 - name: prepare installing tap2junit
   when: type != "release" and not os|startswith("zos")

diff --git a/ansible/roles/jenkins-worker/tasks/partials/docker-host-x64.yml b/ansible/roles/jenkins-worker/tasks/partials/docker-host-x64.yml
@@ -0,0 +1,30 @@
+---
+
+- name: docker-host-x64 | check if docker exists
+  shell: which docker
+  register: docker_exists
+  ignore_errors: yes
+
+- name: docker-host-x64 | install docker from docker.com
+  when: "docker_exists.stdout == ''"
+  raw: curl -fsSL get.docker.com | bash -
+
+- name: docker-host-x64 | copy docker-node-exec.sh
+  copy:
+    src: "{{ role_path }}/files/docker-node-exec.sh"
+    dest: "/usr/local/bin/docker-node-exec.sh"
+    owner: root
+    group: root
+    mode: 0755
+
+- name: docker-host-x64 | give {{ server_user }} sudoers access to docker-exec script
+  lineinfile:
+    line: "{{ server_user }} ALL=(ALL) NOPASSWD: /usr/local/bin/docker-node-exec.sh"
+    dest: "/etc/sudoers"
+    regexp: docker-node-exec.sh$
+
+- name: docker-host-x64 | install shyaml
+  pip:
+    name: shyaml
+    state: present
+    executable: pip3