Immutable CI

Summary

This project aims at describing our CI using jenkins DSL Plugin.

It starts Jenkins with Git and DSL Plugins, fetch a git repository to retrieve the DSL configuration and finally make sure this DSL is run at start and on every changes.

That way, you just have to write your jobs in build-script file and your jenkins or any future jenkins will make them run.

How to use it

Key container

We want our TLS keys to be in an other container. This allows us to publish our Jenkins stateless container, and to be able to easily change the TLS keys. Jenkins container will use the --volumes-from when run to access certificates.

• First put your TLS keys in the $PWD/keys folder

You are expected to provide :

• ca.pem : The CA of your server certificate

• cert.pem : Your client certificate

• key.pem : The key used to generate client certificate

To construct the key holding container :

$docker build -f DockerFileKeyContainer -t keys .
$docker run -v /keys --name keys keys

Launch Jenkins

To start a jenkins instance, you need to have a key container on the node you are launching jenkins. Then:

$docker build --tag myjenkins .
$docker run -p 8080:8080 --volumes-from keys --env-file=./env.file --name jks myjenkins

If you forecast to use slaves with your master, you should also export the 50000 port, so the previous line should be:

$docker run -p 8080:8080 -p 50000:50000 --volumes-from keys --env-file=./env.file --name jks myjenkins

You have to modify the env.file file with the following parameters:

• JENKINS_URL: is the external URL of your jenkins (ex. "http://ci-james.org:8080/")

• GITHUB_TOKEN: is the token used to access the GitHub API (https://github.com/settings/tokens)

• DOCKER_USER: is the Docker Hub user used to publish the build, see publishing section (ex. myuser)
  If not given, publishing to Docker Hub will not be enabled.

• GITLAB_TOKEN: is the GitLab token used to trigger a job generating packages on packages.linagora.com.Docker.
  If not given, packaging will not be enabled.

• DOCKER_PASSWORD: is the password of the Docker Hub user

Then, you can open it in your browser :

$firefox http://`docker inspect --format {{.NetworkSettings.IPAddress}} jks`:8080
or
$firefox http://JENKINS_URL

Starting a slave

You may need to start one (or several) Jenkins slave.

$docker build -f DockerfileSlave -t jenkins-slave .
$docker run -d -v /var/run/docker.sock:/var/run/docker.sock --volumes-from=keys --rm --name jenkins-slave jenkins-slave -url <master-url> <secret> <host>

Where:

• master-url: is the URL of your jenkins

• secret: is the agent secret

• host: is the agent name

Publishing to Docker

This feature is only available when building the master branch.

You may want to publish the image produced by the build on a Docker Hub account. To achieve that, you have to provide a user name and its password in the env.file file.

Jobs requirements

You need some extra container for the jobs to run well.

Cache for maven

We will then add a container for caching maven repositories ( accelerate builds, avoid errors on maven failing retrieving its dependencies). You will need it on nodes running James compilation through docker.

$docker build -f DockerFileMavenCache -t maven-cache .
$docker run -v /root/.m2 --name maven-cache -e affinity:container==keys maven-cache

James Keystore

If you want to use james deploy script, you need to have a docker container with the James TLS certificates. You may not want to publish a container with such sensitive content, or even commit it in a source code management system.

First copy James TLS certificate to the directory containing this README. Or you can generate them using :

$keytool -genkey -alias james -keyalg RSA -keystore keystore

Note	To generate James keystore this way, you need to have keytool installed. This tools comes from the JDK.

Be sure that the password you provide matches with James configuration. You will find it in james-parent project, in the destination/conf directory. These files are 'imapserver.xml', 'pop3server.xml' and 'smtpserver.xml'. Edit them locally before launching james image build. Default value is set to 'james72laBalle').

Then, run these command to set up this container on nodes that will hosts James servers :

$docker build -f DockerFileKeystoreContainer -t keystore .
$docker run -v /keys --name keystore keystore

Launch Jenkins on the specified branch

If you change the workflow-job and would like to launch Jenkins build on new branch

Create new "Workflow" which point to you james-jenkins branch with

Repositories point to your github repository Repositories point to your branch Script Path point to groovy script that you want to run

Clone new job from base job: create "New item" -→ Choose "Copy existing Item" with the base job’s name

Edit the new cloned job

GitHub project point to your github repository

Projects to build point to above workflow

Define the parameter

repoURL=<yours_repository> branch=<yours_branch> sha1=<your_last_commit_id_at_branch> version=<the_James_version_of_this_branch>