Page MenuHomePhabricator
Create Task
Maniphest T47499

[EPIC] Run CI jobs in disposable VMs
Closed, ResolvedPublic
Actions

Description

We need to run unit tests under Jenkins whenever someone submit a new patchset regardless of the submitter status (ie a potential attacker). To achieve that, the Jenkins job need to be properly isolated.

Following an internal WMF meeting, we could setup virtual machines using vagrant. They would be booted on a second box and controlled by Jenkins vagrant plugin.

Note: this tracking task comes from Bugzilla, although it still serves its purpose, most of the activity is tracked on the workboard for .Continuous-Integration-Scaling

Details

Reference
bz45499

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedhasharT60772 common gating job for mediawiki core and extensions
 ResolvedhasharT69216 Have unit tests of all wmf deployed extensions pass when installed together, in both PHP-Zend and HHVM (tracking)
 InvalidRyasmeenT90647 Create Jenkins builds for Editing across repositories (MobileFrontend, VisualEditor etc)
 DeclinedNoneT50407 Jenkins: Setup Vagrant for some jobs (tracking)
 DeclinedNoneT45266 Write and implement tests for Wikimedia's Apache configuration (redirects.conf, etc.)
 ResolvedhasharT47499 [EPIC] Run CI jobs in disposable VMs
 ResolvedhasharT55594 Jenkins: Configure jobs to be runnable on any slaves
 ResolvedhasharT55683 [OPS] publish Zuul git repositories over git protocol
 ResolvedhasharT56762 find a way to deploy PHPUnit on production machines
 ResolvedhasharT58317 Jenkins: Use phpunit from deployment system (srv/deployment/integration/phpunit) instead of local pear install
 DuplicateNoneT55978 Create labs project for continuous integration nodepool
 Resolvedbd808T53556 Investigate Linux containers
 DuplicateNoneT84988 Create labs project for CI disposables instances + OpenStack API credentials
 DeclinedNoneT84989 Support dedicating a specific virt node to a specific nova project
 DeclinedhasharT84940 Acquire old production API servers for use in CI
 ResolvedhasharT85933 Evaluate JClouds Jenkins plugin
 DeclinedNoneT86168 Isolate contintcloud nova project from the rest of the wmflabs cloud
 Declined chasempT85611 Neutron networking, with IPv6 at eqiad
 DeclinedNoneT85609 Labs available in the new data centre (with Neutron/IPv6)
 ResolvedcorenT85605 Set storage service up in codfw
 InvalidhasharT86172 Write a migration plan for CI infra to the disposable VMs infrastructure
 ResolvedhasharT86171 Design the Jenkins isolation architecture
 DeclinedhasharT97472 Create a Trusty labs image for CI isolation project
 Resolved CmjohnsonT86658 Phase out lanthanum.eqiad.wmnet
 Resolved CmjohnsonT105901 wipe disks for lanthanum
 ResolvedhasharT86659 Migrate all jobs to labs slaves
 ResolvedKrinkleT86175 Migrate jsduck jobs to run in labs (and jsduck-publish via integration-publisher)
 ResolvedKrinkleT86174 Migrate JSDuck to Ubuntu Trusty
 ResolvedKrinkleT93143 Migrate .*testextension-zend jobs to labs slaves
 ResolvedhasharT93559 Migrate mediawiki-core-code-coverage job to labs
 ResolvedKrinkleT93558 Add publishing macro for integration.wikimedia.org/cover
 ResolvedhasharT96463 Move integration-zuul-layout* jobs to labs slaves
 ResolvedhasharT95675 Migrate Jenkins job "Global-Dev Dashboard Data" to JJB and Zuul trigger
 ResolvedhasharT98737 Migrate operations-dns-lint Jenkins job to labs instances
 ResolvedhasharT101966 Remove use of label "hasSlaveScripts" in jobs
 ResolvedhasharT87294 Nodepool images need Gerrit mirror for git-clone performance
 ResolvedAndrewT113394 Evaluate impact of giant VM images on labs infrastructure
 ResolvedKrinkleT91996 Consolidate jobs to test entry points
 ResolvedhasharT91997 Replace project-specific "{name}-thing" jobs with generic "thing" ones
 ResolvedKrinkleT91854 Migrate jsduck-publish to use a single job and variable destination path
 ResolvedPaladoxT90943 Convert existing legacy phpcs jobs to use composer entry point + versioning
 ResolvedLegoktmT91176 Create composer validate --no-check-publish job for MediaWiki extensions
 ResolvedLegoktmT92557 Create generic "tox" jobs
 ResolvedLegoktmT94326 Create generic qunit job for MediaWiki extensions
 ResolvedLegoktmT94327 Create generic phpunit job for MediaWiki extensions
 ResolvedPaladoxT126682 Convert all MediaWiki extension phpunit jobs to use generic jobs
 ResolvedLegoktmT127362 Switch passing mwext-*-jslint jobs to jshint/jsonlint
 ResolvedLegoktmT96690 Have extensions with dependencies use the generic mwext-testextension-* job
 ResolvedhasharT109913 [keyresult] boot instances from OpenStack API
 ResolvedhasharT86170 OpenStack API account to control `contintcloud` labs project
 ResolvedyuvipandaT86167 Create labs project for CI disposables instances

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
faidon added a comment.Dec 3 2014, 1:45 PM
In T47499#515090, @hashar wrote:

(In reply to comment #13)

I experimented in the past with minijail0, from the Chromium/Chrome project.
It might be worthwhile to experiment some more, it will certainly be much much
faster than anything VM-related.

The documentation is sparse :( I am not sure how it manage to isolate a process, apparently it works using a chroot which I am not sure how we can set it up :(

There's a new kid on the block that seems to do similar things to minijail0 (seccomp etc.) but which seems far easier to use: https://l3net.wordpress.com/projects/firejail/ -- maybe worth a look. I haven't audited from a security perspective, so I'm definitely not recommending it just yet, just throwing it out there in case you want to consider it.

demon unsubscribed.Dec 3 2014, 6:04 PM
Mattflaschen-WMF unsubscribed.Dec 9 2014, 1:41 AM
hashar added a project: Epic.Dec 19 2014, 10:52 AM
hashar mentioned this in T84988: Create labs project for CI disposables instances + OpenStack API credentials.Dec 19 2014, 11:20 AM
hashar added subtasks: T84988: Create labs project for CI disposables instances + OpenStack API credentials, T84989: Support dedicating a specific virt node to a specific nova project, T84940: Acquire old production API servers for use in CI.Dec 19 2014, 11:25 AM
greg added a comment.Dec 20 2014, 12:47 AM

(Just came across this, pasting for record keeping: https://wiki.jenkins-ci.org/display/JENKINS/JClouds+Plugin )

valhallasw subscribed.Jan 6 2015, 10:09 AM
hashar added a comment.Jan 6 2015, 5:09 PM
In T47499#937396, @greg wrote:

(Just came across this, pasting for record keeping: https://wiki.jenkins-ci.org/display/JENKINS/JClouds+Plugin )

I am not sure how fast an instance will boot or whether the plugin is able to maintain a pool of VM to consume. Worth looking at though. Filled T85933 to evaluate it.

hashar added a subtask: T85933: Evaluate JClouds Jenkins plugin.Jan 6 2015, 5:09 PM
Krinkle added a comment.Jan 7 2015, 6:50 PM

Originally we were hinting towards using our OpenStack cloud for this. That seems to me still like the most feasible path forwards, because:

  • We don't have to ensure that it is secure and isolated sufficiently. Wikimedia Labs is already responsible for that. If other backends are better, they can evaluate that accordingly.
  • We know it scales.
  • It is already in-place for the most part. (Less set up overhead.)
  • We don't require operations resources we don't have to maintain it. If we were to use some other system, it will likely end up being created by someone who's allocating his/her resources on-off and isn't able to maintain it. Wikimedia Labs has maintainers (not many, but it has infrastructure and will naturally grow as needed).

As for the infrastructure for our pool of slaves specifically, that isn't part of plain OpenStack Cloud by default, however OpenStack maintains a package called nodepool that does this. And they're dedicated to maintaining it as they use it themselves for their Jenkins jobs.

More information: http://ci.openstack.org/nodepool/

Conversation with maintainers about how it works:
https://gist.githubusercontent.com/Krinkle/5aad511288e1515d01c7/raw

Krinkle mentioned this in T85933: Evaluate JClouds Jenkins plugin.Jan 7 2015, 7:45 PM
greg added a comment.Jan 7 2015, 8:08 PM

See also the draft RFC: https://docs.google.com/a/wikimedia.org/document/d/17g8cU2qkv256X5cb_TLfqubwMMgCIAxvJdoOwA5335g/edit (I *think* that's the latest version)

hashar closed subtask T85933: Evaluate JClouds Jenkins plugin as Resolved.Jan 7 2015, 8:40 PM

Yup definitely heading toward reproducing the OpenStack CI infrastructure which is supported/developped by more than a handful of person.

I found out today that the blocking tasks are rather messy, I talked to Greg about it and I would rewrite / split some of them.

greg set Security to None.Jan 7 2015, 10:31 PM
greg added a subscriber: mmodell.
Krinkle mentioned this in T78410: Move Parsoid and RESTBase testing from Travis CI to our Jenkins.Jan 8 2015, 11:25 AM
Krinkle mentioned this in T74011: Jenkins: Figure out long term solution for /tmp management.Jan 8 2015, 11:45 AM
hashar mentioned this in T55978: Create labs project for continuous integration nodepool.Jan 8 2015, 1:52 PM
hashar merged a task: T55978: Create labs project for continuous integration nodepool.
hashar added subscribers: Addshore, Petrb, Andrew and 2 others.
hashar mentioned this in T86167: Create labs project for CI disposables instances.Jan 8 2015, 1:56 PM
hashar mentioned this in T86170: OpenStack API account to control `contintcloud` labs project.Jan 8 2015, 2:04 PM
hashar added subtasks: T86170: OpenStack API account to control `contintcloud` labs project, T86168: Isolate contintcloud nova project from the rest of the wmflabs cloud.Jan 8 2015, 2:07 PM
hashar added a subtask: T86167: Create labs project for CI disposables instances.
hashar mentioned this in T86171: Design the Jenkins isolation architecture.Jan 8 2015, 2:13 PM
hashar mentioned this in T86172: Write a migration plan for CI infra to the disposable VMs infrastructure.
hashar added subtasks: T86171: Design the Jenkins isolation architecture, T86172: Write a migration plan for CI infra to the disposable VMs infrastructure.Jan 8 2015, 2:16 PM
yuvipanda closed subtask T86167: Create labs project for CI disposables instances as Resolved.Jan 8 2015, 2:49 PM
hashar mentioned this in T86658: Phase out lanthanum.eqiad.wmnet.Jan 13 2015, 2:23 PM
hashar mentioned this in T86659: Migrate all jobs to labs slaves.Jan 13 2015, 2:25 PM
hashar added subtasks: T86658: Phase out lanthanum.eqiad.wmnet, T86659: Migrate all jobs to labs slaves.
hashar mentioned this in T86662: Create a green goal project for Continuous Integration isolation (superseding T47499).Jan 13 2015, 2:30 PM
JanZerebecki subscribed.Jan 14 2015, 12:47 PM
Krinkle mentioned this in T87294: Nodepool images need Gerrit mirror for git-clone performance.Jan 21 2015, 1:52 AM
hashar added a subtask: T87294: Nodepool images need Gerrit mirror for git-clone performance.Jan 21 2015, 1:54 AM
greg added a project: releng-201415-Q3.Feb 24 2015, 1:04 AM
greg assigned this task to hashar.Feb 24 2015, 1:07 AM
greg added a parent task: T55697: [EPIC] trigger browser tests from Gerrit (tracking).Feb 25 2015, 4:16 PM
Jdforrester-WMF moved this task from Tag to March 2015: Platform on the Epic board.Feb 25 2015, 4:20 PM
Krinkle mentioned this in T85800: V+1 checks for non-whitelisted users are missing some linters included in V+2 voting checks.Feb 26 2015, 4:02 AM
Tgr mentioned this in T52614: Configure a Jenkins job for Vagrant builds.Feb 26 2015, 9:59 PM
greg renamed this task from Jenkins: Run jobs in disposable VMs to [Quarterly Success Metric] Jenkins: Run jobs in disposable VMs.Feb 26 2015, 10:18 PM
Ricordisamoa subscribed.Feb 27 2015, 3:18 AM
Krinkle moved this task from Untriaged to Next on the Continuous-Integration-Infrastructure board.Mar 2 2015, 2:47 PM
greg mentioned this in T53492: Create hermetic test environment runnable on labs infra.Mar 4 2015, 8:32 PM
zeljkofilipin subscribed.Mar 5 2015, 8:58 AM
zeljkofilipin added a subscriber: Cmcmahon.Mar 5 2015, 5:28 PM
Krinkle mentioned this in T91996: Consolidate jobs to test entry points.Mar 9 2015, 6:57 PM
Eloquence moved this task from March 2015: Platform to Tag on the Epic board.Mar 10 2015, 5:43 AM
greg mentioned this in T422: [Quarterly Goal] Jenkins Performance improvements.Mar 20 2015, 6:12 PM
greg added a project: releng-201415-Q4.Mar 26 2015, 8:20 PM
hashar mentioned this in T90647: Create Jenkins builds for Editing across repositories (MobileFrontend, VisualEditor etc).Apr 10 2015, 10:15 PM
hashar added a project: Continuous-Integration-Scaling.
hashar added a parent task: T90647: Create Jenkins builds for Editing across repositories (MobileFrontend, VisualEditor etc).
Krinkle mentioned this in T96627: Jenkins jobs must wipe workspace.Apr 20 2015, 11:08 PM
hashar closed subtask T86170: OpenStack API account to control `contintcloud` labs project as Resolved.Apr 21 2015, 1:37 PM
greg added a project: releng-201516-q1.Jun 23 2015, 9:36 PM
hashar closed subtask T84940: Acquire old production API servers for use in CI as Declined.Jul 29 2015, 10:09 AM
Cmjohnson closed subtask T86658: Phase out lanthanum.eqiad.wmnet as Resolved.Jul 29 2015, 6:09 PM
greg added a subtask: T109913: [keyresult] boot instances from OpenStack API.Aug 21 2015, 10:46 PM
greg renamed this task from [Quarterly Success Metric] Jenkins: Run jobs in disposable VMs to [keyresult] Run CI jobs in disposable VMs.Aug 22 2015, 12:49 AM
greg updated the task description. (Show Details)
greg added a project: releng-201516-q2.Aug 22 2015, 12:57 AM
greg closed subtask T109913: [keyresult] boot instances from OpenStack API as Resolved.Aug 25 2015, 3:36 PM
greg renamed this task from [keyresult] Run CI jobs in disposable VMs to [EPIC] Run CI jobs in disposable VMs.Sep 2 2015, 4:18 PM
greg removed a project: releng-201516-q2.
greg removed a project: releng-201516-q1.Sep 19 2015, 1:29 AM
hashar updated the task description. (Show Details)Sep 19 2015, 10:30 AM
hashar changed the status of subtask T84989: Support dedicating a specific virt node to a specific nova project from Open to Stalled.Oct 7 2015, 8:14 PM
hashar closed subtask T86172: Write a migration plan for CI infra to the disposable VMs infrastructure as Invalid.Oct 7 2015, 8:20 PM
hashar changed the status of subtask T86168: Isolate contintcloud nova project from the rest of the wmflabs cloud from Open to Stalled.Oct 20 2015, 3:18 PM
hashar closed subtask T86171: Design the Jenkins isolation architecture as Resolved.Oct 28 2015, 8:54 PM
hashar closed subtask T87294: Nodepool images need Gerrit mirror for git-clone performance as Resolved.Dec 21 2015, 2:39 PM
Peter601980 closed subtask T86168: Isolate contintcloud nova project from the rest of the wmflabs cloud as Invalid.Dec 28 2015, 8:06 AM
TTO reopened subtask T86168: Isolate contintcloud nova project from the rest of the wmflabs cloud as Open.Dec 28 2015, 9:12 AM
greg added a project: OKR-Work.Jan 13 2016, 8:32 PM
Paladox subscribed.Feb 29 2016, 3:38 PM
Krinkle closed subtask T91996: Consolidate jobs to test entry points as Resolved.Apr 1 2016, 11:59 PM
Krenair subscribed.Apr 22 2016, 1:54 AM
hashar mentioned this in T136249: Track what tests we have left to convert to nodepool.May 25 2016, 9:24 PM
hashar removed a parent task: T55697: [EPIC] trigger browser tests from Gerrit (tracking).Jun 6 2016, 9:42 PM
hashar mentioned this in T55697: [EPIC] trigger browser tests from Gerrit (tracking).
Krinkle unsubscribed.Jun 7 2016, 6:13 PM
hashar closed this task as Resolved.Nov 4 2016, 9:15 AM

I am closing this task, it is no more used and the progress is better tracked in Continuous-Integration-Scaling

hashar closed subtask T84989: Support dedicating a specific virt node to a specific nova project as Declined.Nov 18 2016, 3:18 PM
hashar closed subtask T86659: Migrate all jobs to labs slaves as Resolved.Nov 24 2016, 8:51 PM
Legoktm reopened subtask T86168: Isolate contintcloud nova project from the rest of the wmflabs cloud as Open.Dec 1 2017, 6:37 AM
hashar closed subtask T86168: Isolate contintcloud nova project from the rest of the wmflabs cloud as Declined.Dec 4 2017, 9:40 PM
Phabricator_maintenance added a project: RelEng-Archive-FY201718-Q2.Dec 21 2017, 6:57 PM
EddieGP mentioned this in T192217: Remove the "check" pipeline and Zuul's user-filter.Apr 14 2018, 8:09 PM
hashar moved this task from Next to Done on the Continuous-Integration-Infrastructure board.Jun 4 2021, 9:52 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL