Migrate aws jenkins environment to fully dockerized environment

.github/workflows/packer.yml

@@ -10,11 +10,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v2
-      # validate templates
-      - name: Validate Template
-        uses: hashicorp/packer-github-actions@master
+        uses: actions/checkout@v4
+      - name: Setup packer
+        uses: hashicorp/setup-packer@main
+        id: setup
         with:
-          command: validate
-          working_directory: packer
-          target: thredds-test-env.json
+          version: latest
+      - name: Run packer initi
+        id: init
+        run: "cd packer && packer init thredds-test-env.pkr.hcl"
+      - name: Validate Template
+        id: validate
+        run: "cd packer && packer validate thredds-test-env.pkr.hcl"

packer/provisioners/ansible/roles/general-packages/vars/main.yml

@@ -5,3 +5,4 @@ needed_packages:
  - git
  - fonts-dejavu # Needed by UI tests because OpenJDK does not ship with fonts
  - fontconfig # Needed by UI tests because OpenJDK does not ship with fonts
+ - curl # Needed by static analysis pipelines

packer/provisioners/ansible/roles/security/tasks/users-and-groups.yml

@@ -1,6 +1,14 @@
 ---
+- name: Create groups.
+  group:
+    name: "{{ item.name }}"
+    gid: "{{ item.gid }}"
+  loop: "{{ users }}"
+
 - name: Create users.
   user:
     name: "{{ item.name }}"
     shell: "{{ item.shell | default('/bin/bash') }}"
+    uid: "{{ item.uid }}"
+    group: "{{ item.name }}"
   loop: "{{ users }}"

packer/provisioners/ansible/roles/security/vars/main.yml

@@ -7,6 +7,9 @@ custom_bash_profile_dest: "/etc/profile.d/{{ custom_bash_profile_src }}"
 users:
   - name: "{{ thredds_test_user }}"
     shell: /bin/bash
+    uid: 395
+    gid: 395
+    group: "{{ thredds_test_user }}"
 
 files2copy:
   - label: "maven settings"

packer/provisioners/ansible/roles/temurin/tasks/fetch_remote.yml

@@ -1,7 +1,7 @@
 ---
 - name: Fetch latest Temurin Java builds.
   uri:
-    url: "https://api.adoptium.net/v3/binary/latest/{{ item }}/ga/linux/x64/jdk/hotspot/normal/adoptium?project=jdk"
+    url: "https://api.adoptium.net/v3/binary/latest/{{ item }}/ga/linux/x64/jdk/hotspot/normal/eclipse?project=jdk"
     method: GET
     follow_redirects: safe
     dest: "/tmp/{{ base_install_name }}{{ item }}.tar.gz"

packer/provisioners/ansible/roles/temurin/tasks/main.yml

@@ -7,20 +7,8 @@
   loop_control:
     label: "Create Directory for Temurin {{ item }} Installation"
 
-# Not sure why, but sometimes we cannot fetch Temurin 11 from aws (8 works
-# just fine). When that happens, we can use a local copy of the tar.gz files
-# rather than using the web API to fetch them. Uncomment the following task,
-# as well as the "when" statement under the fetch_remote task below to use
-# the local workflow. You will need to run one of the scripts in ../files
-# prior to running packer to make sure the tar.gz files exists and are
-# up-to-date.
-#- import_tasks: fetch_local.yml
-#  tags: [ fetch-local ]
-#  when: packer_builder_type == "amazon-ebs"
-
 - import_tasks: fetch_remote.yml
   tags: [ fetch-remote ]
-  #when: packer_builder_type != "amazon-ebs"
 
 - name: Unpack Temurin Java Installations.
   unarchive:

packer/provisioners/ansible/roles/temurin/vars/main.yml

@@ -4,5 +4,5 @@ base_install_name: temurin
 java_versions:
   - 8
   - 11
-  - 16
   - 17
+  - 21

packer/provisioners/ansible/roles/thredds-test-data-mount-prep/tasks/main.yml

@@ -1,25 +1,8 @@
 ---
-- name: List information about '{{ volume_device_name }}' block device.
-  command: lsblk {{ volume_device_name }}
-  register: lsblk_output
-  changed_when: false  # Task is purely informational; it doesn't change anything.
-  ignore_errors: true  # Task is expected to fail when device doesn't exist. We handle that case below.
-
-- name: Determine if '{{ volume_device_name }}' block device exists.
-  set_fact:
-    volume_device_exists: "{{ lsblk_output.rc == 0 }}"
-
 - name: Ensure the '{{ cdmUnitTest_mount_dir }}' exists.
   file:
     path: "{{ cdmUnitTest_mount_dir }}"
     state: directory
-
-- name: Add entry for '{{ volume_device_name }}' to /etc/fstab, and mount it if it's available.
-  mount:
-    src: "{{ volume_device_name }}"
-    path: "{{ cdmUnitTest_mount_dir }}"
-    fstype: "{{ filesystem_type }}"
-    opts: defaults,nofail  # Don't fail when the device isn't available, which will happen in dev and test environments.
-    dump: "0"
-    passno: "2"
-    state: "{{ volume_device_exists | ternary('mounted', 'present') }}"
+    owner: "{{ thredds_test_user }}"
+    group: "{{ thredds_test_user }}"
+    mode: "0755"

packer/provisioners/ansible/roles/thredds-test-data-mount-prep/vars/main.yml

@@ -1,11 +1,3 @@
 ---
-# The name of the device to which AWS will mount the cdmUnitTest snapshot. We set this in Jenkins under:
-# "Manage Jenkins"->"Configure System"->"Cloud"->"Amazon EC2"->"AMIs"->"Advanced..."->"Block device mapping".
-# For example, we have something like: "/dev/xvdf=<snap-id>::true"
-volume_device_name: /dev/xvdf
-
-# The directory at which the cdmUnitTest EBS snapshot should be mounted.
+# The directory at which the THREDDS test data should be mounted.
 cdmUnitTest_mount_dir: /share/testdata/cdmUnitTest
-
-# The filesystem of the snapshot.
-filesystem_type: ext4

packer/provisioners/ansible/roles/zulu/vars/main.yml

@@ -4,6 +4,5 @@ base_install_name: zulu
 java_versions:
   - 8
   - 11
-  - 14
-  - 16
   - 17
+  - 21

packer/provisioners/ansible/site.yml

@@ -11,7 +11,7 @@
         name: init
       tags: [ init ]
 
-    # The next two tasks take a good amount of time to run, and as a result 
+    # The next two tasks take a good amount of time to run, and as a result
     # utilize asynchronous task execution. We run these early on in the
     # playbook to keep things moving.
     - name: Include 'libnetcdf-and-deps' role.
@@ -62,11 +62,6 @@
         name: thredds-test-data-mount-prep
       tags: [ thredds-test-data-mount-prep ]
 
-    - name: Include 'gradle cache bootstrap' role.
-      include_role:
-        name: gradle-builds-cache-bootstrap
-      tags: [ gradle-builds-cache-bootstrap ]
-
     # Wait for the asynchronous tasks to complete.
     - name: Wait for zlib async test task to complete.
       when: (async_zlib is defined) and (async_zlib|length > 0)
@@ -95,18 +90,6 @@
       retries: "{{ netcdf_c_async_check_interval }}"
       delay: "{{ netcdf_c_async_check_retries }}"
 
-    - name: "Wait for the gradle builds to complete."
-      when: (async_bootstrap_gradle_cache is defined) and (async_bootstrap_gradle_cache|length > 0)
-      async_status:
-        jid: "{{ async_bootstrap_gradle_cache_item.ansible_job_id }}"
-      loop: "{{ async_bootstrap_gradle_cache.results }}"
-      loop_control:
-        loop_var: "async_bootstrap_gradle_cache_item"
-      register: async_poll_results
-      until: async_poll_results.finished
-      retries: "{{ bootstrap_gradle_cache_async_check_retries }}"
-      delay: "{{ bootstrap_gradle_cache_async_check_interval }}"
-
     - name: Wait for the HDF5 async test task to complete.
       when: (async_hdf5 is defined) and (async_hdf5|length > 0)
       async_status:

packer/provisioners/file/jenkins-agent.sh

@@ -0,0 +1,149 @@
+#!/usr/bin/env bash
+
+JENKINS_JAVA_BIN="/usr/thredds-test-environment/temurin21/bin/java"
+JENKINS_AGENT_FILE="/home/jenkins/agent.jar"
+JENKINS_WEB_SOCKET=true
+JENKINS_AGENT_WORKDIR="/home/jenkins/workspace"
+
+# copied from https://github.com/jenkinsci/docker-agent/blob/master/jenkins-agent
+# modified above these lines to to use custom image settings
+
+# The MIT License
+#
+#  Copyright (c) 2015-2020, CloudBees, Inc.
+#
+#  Permission is hereby granted, free of charge, to any person obtaining a copy
+#  of this software and associated documentation files (the "Software"), to deal
+#  in the Software without restriction, including without limitation the rights
+#  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+#  copies of the Software, and to permit persons to whom the Software is
+#  furnished to do so, subject to the following conditions:
+#
+#  The above copyright notice and this permission notice shall be included in
+#  all copies or substantial portions of the Software.
+#
+#  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+#  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+#  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+#  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+#  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+#  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+#  THE SOFTWARE.
+
+# Usage jenkins-agent.sh [options] -url http://jenkins -secret [SECRET] -name [AGENT_NAME]
+# Optional environment variables :
+# * JENKINS_JAVA_BIN : Java executable to use instead of the default in PATH or obtained from JAVA_HOME
+# * JENKINS_JAVA_OPTS : Java Options to use for the remoting process, otherwise obtained from JAVA_OPTS
+# * JENKINS_AGENT_FILE : Jenkins agent jar file location, /usr/share/jenkins/agent.jar will be used if this is not set
+# * REMOTING_OPTS : Generic way to pass additional CLI options to agent.jar (see -help)
+#
+# Deprecated environment variables (prefer setting REMOTING_OPTS)
+# * JENKINS_TUNNEL : HOST:PORT for a tunnel to route TCP traffic to jenkins host, when jenkins can't be directly accessed over network
+# * JENKINS_URL : alternate jenkins URL
+# * JENKINS_SECRET : agent secret, if not set as an argument
+# * JENKINS_AGENT_NAME : agent name, if not set as an argument
+# * JENKINS_AGENT_WORKDIR : agent work directory, if not set by optional parameter -workDir
+# * JENKINS_WEB_SOCKET: true if the connection should be made via WebSocket rather than TCP
+# * JENKINS_DIRECT_CONNECTION: Connect directly to this TCP agent port, skipping the HTTP(S) connection parameter download.
+#                              Value: "<HOST>:<PORT>"
+# * JENKINS_INSTANCE_IDENTITY: The base64 encoded InstanceIdentity byte array of the Jenkins controller. When this is set,
+#                              the agent skips connecting to an HTTP(S) port for connection info.
+# * JENKINS_PROTOCOLS:         Specify the remoting protocols to attempt when instanceIdentity is provided.
+
+if [ $# -eq 1 ] && [ "${1#-}" = "$1" ] ; then
+
+	# if `docker run` only has one arguments and it is not an option as `-help`, we assume user is running alternate command like `bash` to inspect the image
+	exec "$@"
+
+else
+
+	# if -tunnel is not provided, try env vars
+	case "$@" in
+		*"-tunnel "*) ;;
+		*)
+		if [ ! -z "$JENKINS_TUNNEL" ]; then
+			TUNNEL="-tunnel $JENKINS_TUNNEL"
+		fi ;;
+	esac
+
+	# if -workDir is not provided, try env vars
+	if [ ! -z "$JENKINS_AGENT_WORKDIR" ]; then
+		case "$@" in
+			*"-workDir"*) echo "Warning: Work directory is defined twice in command-line arguments and the environment variable" ;;
+			*)
+			WORKDIR="-workDir $JENKINS_AGENT_WORKDIR" ;;
+		esac
+	fi
+
+	if [ -n "$JENKINS_URL" ]; then
+		URL="-url $JENKINS_URL"
+	fi
+
+	if [ -n "$JENKINS_NAME" ]; then
+		JENKINS_AGENT_NAME="$JENKINS_NAME"
+	fi
+
+	if [ "$JENKINS_WEB_SOCKET" = true ]; then
+		WEB_SOCKET=-webSocket
+	fi
+
+	if [ -n "$JENKINS_PROTOCOLS" ]; then
+		PROTOCOLS="-protocols $JENKINS_PROTOCOLS"
+	fi
+
+	if [ -n "$JENKINS_DIRECT_CONNECTION" ]; then
+		DIRECT="-direct $JENKINS_DIRECT_CONNECTION"
+	fi
+
+	if [ -n "$JENKINS_INSTANCE_IDENTITY" ]; then
+		INSTANCE_IDENTITY="-instanceIdentity $JENKINS_INSTANCE_IDENTITY"
+	fi
+
+	if [ "$JENKINS_JAVA_BIN" ]; then
+		JAVA_BIN="$JENKINS_JAVA_BIN"
+	else
+		# if java home is defined, use it
+		JAVA_BIN="java"
+		if [ "$JAVA_HOME" ]; then
+			JAVA_BIN="$JAVA_HOME/bin/java"
+		fi
+	fi
+
+	if [ "$JENKINS_JAVA_OPTS" ]; then
+		JAVA_OPTIONS="$JENKINS_JAVA_OPTS"
+	else
+		# if JAVA_OPTS is defined, use it
+		if [ "$JAVA_OPTS" ]; then
+			JAVA_OPTIONS="$JAVA_OPTS"
+		fi
+	fi
+
+	if [ "$JENKINS_AGENT_FILE" ]; then
+		AGENT_FILE="$JENKINS_AGENT_FILE"
+	else
+		AGENT_FILE="/usr/share/jenkins/agent.jar"
+	fi
+
+	# if both required options are defined, do not pass the parameters
+	if [ -n "$JENKINS_SECRET" ]; then
+		case "$@" in
+			*"${JENKINS_SECRET}"*) echo "Warning: SECRET is defined twice in command-line arguments and the environment variable" ;;
+			*)
+			SECRET="-secret ${JENKINS_SECRET}" ;;
+		esac
+	fi
+
+	if [ -n "$JENKINS_AGENT_NAME" ]; then
+		case "$@" in
+			*"${JENKINS_AGENT_NAME}"*) echo "Warning: AGENT_NAME is defined twice in command-line arguments and the environment variable" ;;
+			*)
+			AGENT_NAME="-name ${JENKINS_AGENT_NAME}" ;;
+		esac
+	fi
+
+	#TODO: Handle the case when the command-line and Environment variable contain different values.
+	#It is fine it blows up for now since it should lead to an error anyway.
+
+        exec $JAVA_BIN $JAVA_OPTIONS -jar $AGENT_FILE $SECRET $AGENT_NAME $TUNNEL $URL $WORKDIR $WEB_SOCKET $DIRECT $PROTOCOLS $INSTANCE_IDENTITY $REMOTING_OPTS "$@"
+
+fi