I set up a Jenkins server with the Swarm plugin and wrote a batch file to autostart slaves. My batch file looks like this:
java -jar swarm-client-2.2-jar-with-dependencies.jar -mode exclusive -master http://localhost:8080 -disableClientsUniqueId -username MyUser -password ***** -executors 1 -labels MySlave
My problem is that the slave always gets the label swarm added to it.
My question is:
How can I prevent the plugin from adding swarm as a label?
I sympathize with the desire to perfectly control the labels attached to a slave, whether it's connected through the Swarm Plugin or not. But the source code makes it look like the "swarm" label is a mandatory prefix to the list of labels: https://github.com/jenkinsci/swarm-plugin/blob/ef02020595d0546b527b84a2e47bc75cde1e6e1a/plugin/src/main/java/hudson/plugins/swarm/PluginImpl.java#L199
The answer may be that you cannot avoid that label without forking the Swarm Plugin and updating that line.
I would like to know if someone has an idea about how to identify commands run by Ansible on a remote host.
To give you more context, I'll describe my workflow in depth:
I have a job scheduled between 1 am and 6 am that runs a compliance Ansible playbook to ensure the production servers' configuration is up to date and correct; however, this playbook changes some files inside the /etc folder.
Besides this, I have a Falco stack that keeps an eye on what is going on in the production servers and raises alerts when an event I have described as suspicious is found (it can be a syscall, a network connection, sensitive file editing such as /etc/passwd or pam.conf, etc.).
So the problem I'm running into is that my playbook triggers some alerts, for example:
Warning Sensitive file opened for reading by non-trusted program (user=XXXX user_loginuid=XXX program=python3 command=python3 file=/etc/shadow parent=sh gparent=sudo ggparent=sh gggparent=sshd container_id=host image=<NA>)
My question is: can we set a "flag or prefix" on all Ansible commands that would allow me to whitelist this flag or prefix and avoid triggering my alerts for nothing?
PS: whitelisting python3 for the user root is not a solution in my opinion.
Ansible is a Python tool, so the process accessing the file will be python3. The commands that Ansible executes depend on the steps in the playbook.
You can solve your problem by modifying the Falco rules: evaluate proc.pcmdline and the chain of proc.aname in the rule to identify that the command was executed by the Ansible process (e.g. the process is python3, the parent is sh, the grandparent is sudo, and so on). A sketch is shown below.
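For illustration, here is a minimal sketch of what that could look like as a Falco rules override. It assumes the alert comes from the stock "Read sensitive file untrusted" rule and that the parent chain in your alert (sh -> sudo -> sh -> sshd) is stable for the scheduled job; the macro name is made up, and depending on your Falco version you may need the newer override syntax instead of append.

# Hypothetical macro matching the process ancestry of the compliance playbook run
- macro: ansible_compliance_python
  condition: >
    proc.name = python3 and proc.pname = sh and
    proc.aname[2] = sudo and proc.aname[3] = sh and proc.aname[4] = sshd

# Narrow the stock rule instead of whitelisting python3 globally
- rule: Read sensitive file untrusted
  append: true
  condition: and not ansible_compliance_python

This keeps the rule active for every other python3 invocation, which avoids the blanket python3/root whitelist you wanted to rule out.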
I'm trying to build an Oozie workflow to execute a Python script every day; the script needs specific libraries to run.
At the moment I have created a Python virtual environment (using venv) on one node of my cluster (which consists of 11 nodes).
Through Oozie I saw that it is possible to run the script using an SSH Action, specifying the node containing the virtual environment. Alternatively, it is possible to use a Shell Action to run the Python script, but this requires creating the virtual environment, with the same library dependencies, on the node where the shell will be executed (which could be any of the cluster nodes).
I would like to avoid sharing keys or configuring all the cluster nodes to make this possible. Looking in the docs, I found this section about launching applications using Docker containers, but in my cluster's Hadoop version (3.0.0) this feature is experimental and incomplete. I suppose that if you can launch Docker containers from a shell, you should be able to launch them from Oozie.
So my question is: has anyone tried to do this? Is it a hack to use Docker this way?
I came across this question, but as of 2019/09/30 there are no specific answers.
UPDATE: I tried it, and it works (you can find more info in my answer to this question). I'm still wondering whether it's a correct way to do it.
I have read a lot of documentation.
I set up Jenkins on GCP using the default Kubernetes creation.
When I try to log in, Jenkins asks me for a password to unlock it.
I'm unable to find that password.
Thanks
Access the Jenkins container via cloud shell.
First, get the pod id:
kubectl get pods --namespace=yourNamespace
jenkins-867df9fcb8-ctfq5 1/1 Running 0 16m
Then execute a bash shell on that pod:
kubectl exec -it --namespace=yourNamespace jenkins-867df9fcb8-ctfq5 -- bash
Then just cd to the directory where the initialAdminPassword is saved and use the "cat" command to print its value.
The password is in the file /var/jenkins_home/secrets/initialAdminPassword.
You can go inside the container like this in case volume mapping is not set up.
I had the same issue when creating a Jenkins instance on a GKE cluster, and I couldn't even find the initialAdminPassword (I tried to look inside the volume with no luck)...
Since I wanted authentication on the cluster, I just created my own image with the Google OAuth plugin and a Groovy file, using this repo as a model: https://github.com/Sho2010/jenkins-google-login
This way I can connect with my Google account. If you need another auth method, you should be able to find it on the net.
In case you just want to test Jenkins and don't need a password, use JAVA_OPTS to skip the setup wizard, like this:
- name: JAVA_OPTS
  value: -Xmx4096m -Djenkins.install.runSetupWizard=false
If you are using the basic Jenkins image you shouldn't have any password and will have full access to your Jenkins (don't leave it like this if you are going to create production-ready jobs).
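If it helps, here is a minimal sketch of where that env entry sits in a Jenkins Deployment manifest; the image and names are placeholders, adjust them to your setup.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: jenkins
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jenkins
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      containers:
        - name: jenkins
          image: jenkins/jenkins:lts   # placeholder image
          env:
            - name: JAVA_OPTS
              value: -Xmx4096m -Djenkins.install.runSetupWizard=false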
For the GKE Marketplace "click to deploy" Jenkins, the instructions are pretty simple and can be found in the application's "Next steps" description after deployment:
Access Jenkins instance.
Identify HTTPS endpoint.
echo https://$(kubectl -njenkins get ingress -l "app.kubernetes.io/name=jenkins-1" -ojsonpath="{.items[0].status.loadBalancer.ingress[0].ip}")/
For HTTPS you have to accept a certificate (we created a temporary one for you).
Now you need a password.
kubectl -njenkins exec \
$(kubectl -njenkins get pod -oname | sed -n /\\/jenkins-1-jenkins-deployment/s.pods\\?/..p) \
cat /var/jenkins_home/secrets/initialAdminPassword
To fully configure Jenkins instance follow on screen instructions.
I've tested it and it works as expected.
Another guide with almost the same steps can be found here.
The Jenkins Docker image usually prints the initial password in the container log, so checking the pod's log is another option.
How can one define log retention for Kubernetes pods?
For now it seems like the log file size is not limited, and it eats up the host machine's resources.
According to the Logging Architecture page on kubernetes.io, there are some options:
First option
Kubernetes currently is not responsible for rotating logs, but rather
a deployment tool should set up a solution to address that. For
example, in Kubernetes clusters, deployed by the kube-up.sh script,
there is a logrotate tool configured to run each hour. You can also
set up a container runtime to rotate application’s logs automatically,
e.g. by using Docker’s log-opt. In the kube-up.sh script, the latter
approach is used for COS image on GCP, and the former approach is used
in any other environment. In both cases, by default rotation is
configured to take place when log file exceeds 10MB.
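For newer clusters where the kubelet (rather than the Docker json-file driver) handles container log rotation, the same limits can be set in the kubelet configuration file. A minimal sketch with example values; adjust the sizes to your needs:

apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
# Rotate a container log file once it reaches 10Mi and keep at most 5 rotated files
containerLogMaxSize: 10Mi
containerLogMaxFiles: 5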
Also
Second option
Sidecar containers can also be used to rotate log files that cannot be rotated by the application itself. An example of this approach is a small container running logrotate periodically. However, it’s recommended to use stdout and stderr directly and leave rotation and retention policies to the kubelet.
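A rough sketch of that sidecar pattern, assuming the application writes its log files into a shared emptyDir volume; the image names, paths and interval below are placeholders, not something prescribed by the Kubernetes docs:

apiVersion: v1
kind: Pod
metadata:
  name: app-with-logrotate
spec:
  volumes:
    - name: app-logs
      emptyDir: {}
  containers:
    - name: app
      image: my-app:latest             # placeholder: assumed to write logs to /var/log/app
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/app
    - name: logrotate
      image: my-logrotate:latest       # placeholder image with logrotate installed
      command: ["/bin/sh", "-c"]
      args:
        - while true; do logrotate /etc/logrotate.conf; sleep 3600; done
      volumeMounts:
        - name: app-logs
          mountPath: /var/log/app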
You can always set the log retention policy on your Docker nodes.
See: https://docs.docker.com/config/containers/logging/json-file/#examples
I've just got this working by changing the ExecStart line in /etc/default/docker and adding --log-opt max-size=10m.
Please note that this will affect all containers running on the node, which makes it ideal for a Kubernetes setup (because my real-time logs are uploaded to an external ELK stack).
In my project, I'm using Cloudify to start and configure Docker containers.
Now I'm wondering how to write YAML files to auto-heal/scale those containers.
My topology is like this: a Compute node contains a Docker-Container node, and the latter runs several containers.
I've noticed that Cloudify does auto-healing based on the Compute node. So can't I trigger an auto-heal workflow based on the containers' statuses?
As for auto-scaling, I installed the monitoring agent and configured the basic collectors. The CPU usage percentage doesn't seem able to trigger the workflow. The Cloudify docs about the Diamond plugin mention some built-in collectors; unfortunately, I failed to figure out how to configure them.
I'm hoping for some inspiration. Any opinions are appreciated. Thanks~
The Docker nodes should be in the right groups for scale and heal.
You can look at this example
scale-heal example
It does exactly what you are looking for; a trimmed sketch of the groups section is below.
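For reference, here is a heavily trimmed sketch of what such a group might look like in the blueprint, loosely following the pattern of the linked example. The member name, service metric, and property values are placeholders and should be checked against your blueprint and Cloudify version:

groups:
  containers_heal_group:
    members: [docker_container_node]        # placeholder: your Docker-Container node template
    policies:
      simple_autoheal_policy:
        type: cloudify.policies.types.host_failure
        properties:
          service:
            - .*docker_container_node.*cpu.total.system   # placeholder metric from the Diamond collectors
        triggers:
          auto_heal_trigger:
            type: cloudify.policies.triggers.execute_workflow
            parameters:
              workflow: heal
              workflow_parameters:
                node_instance_id: { 'get_property': [SELF, node_id] }
                diagnose_value: { 'get_property': [SELF, diagnose] }

A similar group with a threshold-type policy triggering the scale workflow would cover the auto-scale side.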