Installation and development
The ci-tron
container can in turn be run from a host OS, booted directly
using
boot2container
or netbooted over the internet using
iPXE boot server.
Requirements
The CI-tron gateway container is meant to be run on the gateway machine of a CI farm, and comes with the following requirements:
Hardware: Two network interfaces, one connected to the internet while the other one is connected to a switch where all the test machines to be exposed by the gateway are connected.
Volumes: The container requires a volume to store persistent data (mounted at
/config
), and optionally a temporary volume which acts as a cache across reboots (mounted at/cache
).Container: The container needs to be run as privileged, and using the host network
Building the container
The container image is built using
rootless podman
, and is provisioned using Ansible recipes (see the
ansible/
subproject).
The following is a (likely incomplete) list of dependencies for a system running Debian/Ubuntu:
$ apt install buildah \
git \
jq \
make \
netcat-openbsd \
podman \
python \
qemu-utils \
qemu-system \
skopeo \
socat \
wget
Note: In order to reduce round-trips to an external registry, a local registry is automatically started when running certain make targets.
The container image can be built with:
$ make gateway
Build options
V=1
Turn on more verbose logging messages in the build process
ANSIBLE_EXTRA_ARGS="-vvv ..."
Pass any custom flags toansible-playbook
. Helpful for re-running only tagged roles in the ansible build, for example. You can also use this to override variables used by the ansible playbook, for example:ANSIBLE_EXTRA_ARGS="-e foo=bar"
IMAGE_NAME=localhost:8088/my/image
The container name to tag the image with. WARNING: The image will automatically be pushed to the registry that got tagged! Defaults tolocalhost:8088/gfx-ci/ci-tron/gateway:latest
.
Once completed, a container image will be generated, for example,
Successfully tagged localhost:8088/gfx-ci/ci-tron/gateway:latest
60cc3db9bedd2a11d8d61a4433a2a8e8daf35a59d6229b80c1fdcf9ece73b7ab
Notice that it defaults to a localhost
registry. This is to save on
bandwidth, since the ci-tron container is quite big.
Running the infrastructure
While not strictly required, enabling nested KVM on the host will dramatically improve the performance of a DUT VM booted from the VPDU. It can be enabled by configuring the relevant module parameter:
$ cat /etc/modprobe.d/kvm.conf
options kvm-intel nested=Y
options kvm-amd nested=1
Nested KVM support can be verified on the host by reading the “nested” parameter from sysfs:
$ cat /sys/module/kvm_*/parameters/nested
Y
We are now ready to start our virtual gateway machine, which will boot directly into the container we built in the previous section:
$ make vivian [GITLAB_REGISTRATION_TOKEN=...] [GITLAB_URL=https://gitlab.freedesktop.org]
Note 1: The GITLAB_REGISTRATION_TOKEN
should be retrieved from the
GITLAB_URL
GitLab instance (documentation).
Note 2: options to vivian can be passed by setting VIVIAN_OPTS
, for example:
$ make VIVIAN_OPTS="--ssh-port=50022" ... vivian
. See vivian/vivian -h
for
the full list of options it supports.
For information on starting virtual DUTs in the VM, see the section on “Spawning virtual DUTs” below.
The virtual testing recipes will fetch a Linux kernel and a boot2container ramdisk, and start the system. After the kernel boots and loads the ramdisk, the ramdisk will then pull the ci-tron container, and hand control to it.
N.B: Due to the stateful nature of the permanent partition in the
VM’s tmp disk, it is wise to occasionally delete said disk and check
a fresh boot continues to work as expected. This can be done using make clean
.
By default, the boot logs will be redirected to your console until the SSH service comes up. At this point, vivian will switch the console to an SSH-based one.
In the boot logs, you should see a Linux kernel booting, then boot2container downloading the container we built, then systemd logs, and finally a dashboard which looks mostly green.
On some distros, you may receive the following error message when vivian tries to run qemu:
failed to create tun device: Operation not permitted
qemu-system-x86_64: -nic bridge,br=vivianbr0,mac=DE:AD:BE:EF:00:12,model=virtio-net-pci: bridge helper failed
Re-try after enforcing the user ownership on /usr/lib/qemu/qemu-bridge-helper
on your test system:
# chmod u+s /usr/lib/qemu/qemu-bridge-helper
There are several options for getting a shell on the gateway:
create one from the dashboard by pressing
Ctrl-b c
in tmuxconnect via SSH using
make vivian-connect
use netcat to connect to the qemu console with
nc localhost 4321
Spawning virtual DUTs
Right now, our gateway has no idea about any potential machine connected to its private network interface. Let’s boot one!
If the gateway is running in vivian, then virtual DUTs can be booted by using the vivian-dut make target. The OUTLET variable can be set to select the outlet on the VPDU:
$ make OUTLET=4 vivian-add-dut
Alternatively, you can use the dashboard to add/start a virtual DUT by selecting one with the arrow keys and submitting the DISCOVER button.
Once a DUT VM has started, output from it is redirected into a log file located
at /cache/vpdu/dut-log-<mac address>-<date and time stamp>.log
.
This log file is also tail’d in a new tmux window on the gateway’s console
dashboard (CTRL + B
in tmux then 0..n to select the window by ID).
If all went well, you should now see a machine appear in the “Machines”
column of the dashboard, with the state DISCOVERING
. After a short while, it
should transition into TRAINING
.
During the TRAINING
step, the machine will be booted in a loop for a set
amount of times in order to test the boot reliability. After the boot loop is
complete, the machine will be marked as ready for testing and its state should
change to IDLE
.
Your first virtual test machine is now available for testing both locally, and on your chosen Gitlab instance.
Running a job on the virtual gateway
Now that you have at least one machine available, you may run jobs on it using the following command:
$ executorctl -e http://localhost:8000 run -c 10.0.2.2 -t virtio:family:VIRTIO $JOB_FILE
If all went well, congratulations! You seem to have a functional setup! Most of the steps above are amenable to further configuration. You are now in a position to play around and modify defaults to your testing requirements.
Hacking on the infrastructure
After making changes to Ansible or any other component of the gateway image, it is recommended to test the changes by either re-generating the gateway image, or running the ansible playbook against an already-running vivian instance:
$ make vivian-provision
If you want to iterate faster, you may limit the ansible job to some roles by using the TAGS= parameter:
$ make TAGS=dashboard,minio,executor vivian-provision
You can get a full list of available tags by running:
$ ansible-playbook --list-tags ansible/gateway.yml
Production deployment
The ci-tron infrastructure is meant to be netbooted over HTTPS, with the boot configuration being stored in a git repository for easy of update.
All of the steps are outlined at iPXE boot server.