* [cip-dev] gitlab-ci for CIP tiny profile (Deby)
@ 2019-06-06  5:41 daniel.sangorrin at toshiba.co.jp
  2019-06-06  6:51 ` Adler, Michael
  0 siblings, 1 reply; 7+ messages in thread
From: daniel.sangorrin at toshiba.co.jp @ 2019-06-06  5:41 UTC (permalink / raw)
  To: cip-dev

Hello Michael,

I have added an initial, very simple, gitlab-ci yaml script for building CIP tiny profile (Deby for BBB).
https://gitlab.com/cip-project/cip-core/deby/blob/master/.gitlab-ci.yml

I have tested it with Gitlab's shared runners. I set the timeout to be 4h, but the shared runner seems to have a timeout of 3h.
Hopefully it will finish in time:
https://gitlab.com/cip-project/cip-core/deby/-/jobs/226174734

I read that for public open source projects, the maximum amount of CI time is 2000 minutes per month.
This is clearly not enough for Deby.

For that reason, I would like to register our Runner. Please let me know what I should do.

Thanks,
Daniel

* [cip-dev] gitlab-ci for CIP tiny profile (Deby)
  2019-06-06  5:41 [cip-dev] gitlab-ci for CIP tiny profile (Deby) daniel.sangorrin at toshiba.co.jp
@ 2019-06-06  6:51 ` Adler, Michael
  2019-06-06  8:20   ` daniel.sangorrin at toshiba.co.jp
  2019-06-06 14:39   ` Adler, Michael
  0 siblings, 2 replies; 7+ messages in thread
From: Adler, Michael @ 2019-06-06  6:51 UTC (permalink / raw)
  To: cip-dev

Hi Daniel,

> For that reason, I would like to register our Runner. Please let me know what I should do.

sure, no problem! I suggest moving my instance of the gitlab-ci runner to the project-level.
Then it should be visible to all sub-projects (which includes your project).
For this however, I would require the *runner registration token* of the parent project:

* Go to https://gitlab.com/cip-project, "Settings -> CI/CD"
* Expand "Runners" section, copy&paste the token under "Set up a specific Runner manually"
* Send me the token in a pgp-encrypted mail (keyserver pgp.mit.edu, keyid: 0xf39a07eca4aabc19)

Best regards,
  Michael

-- 
Michael Adler
Siemens AG, Corporate Technology, CT RDA IOT SES-DE, Otto-Hahn-Ring 6, 81739 Munich, Germany

Siemens Aktiengesellschaft: Chairman of the Supervisory Board: Gerhard Cromme; Managing Board: Joe Kaeser, Chairman, President and Chief Executive Officer; Roland Busch, Lisa Davis, Klaus Helmrich, Janina Kugel, Siegfried Russwurm, Ralf P. Thomas; Registered offices: Berlin and Munich, Germany; Commercial registries: Berlin Charlottenburg, HRB 12300, Munich, HRB 6684; WEEE-Reg.-No. DE 23691322

* [cip-dev] gitlab-ci for CIP tiny profile (Deby)
  2019-06-06  6:51 ` Adler, Michael
@ 2019-06-06  8:20   ` daniel.sangorrin at toshiba.co.jp
  2019-06-06 14:39   ` Adler, Michael
  1 sibling, 0 replies; 7+ messages in thread
From: daniel.sangorrin at toshiba.co.jp @ 2019-06-06  8:20 UTC (permalink / raw)
  To: cip-dev

Continuing with this conversation on the public list, it seems that the job on gitlab-cloud-ci failed:
https://gitlab.com/cip-project/cip-core/deby/-/jobs/226291592

--- Error summary ---
ERROR:  OE-core's config sanity checker detected a potential misconfiguration.
    Either fix the cause of this error or at your own risk disable the checker (see sanity.conf).
    Following is the list of potential problems / advisories:

    Do not use Bitbake as root

Perhaps it has something to do with privileged containers?

Thanks,
Daniel


* [cip-dev] gitlab-ci for CIP tiny profile (Deby)
  2019-06-06  6:51 ` Adler, Michael
  2019-06-06  8:20   ` daniel.sangorrin at toshiba.co.jp
@ 2019-06-06 14:39   ` Adler, Michael
  2019-06-10  6:52     ` daniel.sangorrin at toshiba.co.jp
  1 sibling, 1 reply; 7+ messages in thread
From: Adler, Michael @ 2019-06-06 14:39 UTC (permalink / raw)
  To: cip-dev

Alright, the token exchange was successful this morning and gitlab-cloud-ci runner should be visible to all child
projects now.  However, we ran into an issue [1] when executing Daniel's CI pipeline:

Gitlab runner does not execute the container's entrypoint [2] which in the above scenario is responsible for switching
to a non-privileged user. This is actually a bug in the Gitlab Kubernetes runner itself [3].  Maybe someone here is
eager enough to fix it :-)? The fix itself should be just a few lines of code, but testing will require some time and
effort.

Meanwhile, various workarounds are possible:

* Use su/sudo in your gitlab-ci.yml to run bitbake as non-root user
* Fork the kas Docker image and insert a USER directive [4]
* ...

As usual, it is better to push the fix upstream instead of downstream and fix the bug in Gitlab runner.
Then I could also get rid of this [5] ugly workaround :-)

I should be back on Tuesday here. So long, Michael.

[1] https://gitlab.com/cip-project/cip-core/deby/-/jobs/226291592
[2] https://github.com/siemens/kas/blob/90ae592ff1b835bb7a8ee5999fe0d619242972c5/docker-entrypoint
[3] https://gitlab.com/gitlab-org/gitlab-runner/issues/4125
[4] https://docs.docker.com/engine/reference/builder/#user
[5] https://gitlab.com/cip-playground/gitlab-cloud-ci/blob/master/share/k8s/setup-host-binfmt/daemonset.yaml

-- 
Michael Adler
Siemens AG, Corporate Technology, CT RDA IOT SES-DE, Otto-Hahn-Ring 6, 81739 Munich, Germany


* [cip-dev] gitlab-ci for CIP tiny profile (Deby)
  2019-06-06 14:39   ` Adler, Michael
@ 2019-06-10  6:52     ` daniel.sangorrin at toshiba.co.jp
  2019-06-11  9:15       ` Adler, Michael
  0 siblings, 1 reply; 7+ messages in thread
From: daniel.sangorrin at toshiba.co.jp @ 2019-06-10  6:52 UTC (permalink / raw)
  To: cip-dev

Hi Michael,

> From: Adler, Michael <michael.adler@siemens.com>
[snip]
> Meanwhile, various workarounds are possible:
> 
> * Use su/sudo in your gitlab-ci.yml to run bitbake as non-root user

I tried but I got this weird behavior:
https://gitlab.com/cip-project/cip-core/deby/-/jobs/228110647

$ export USER_ID=30000
$ /bin/bash /kas/docker-entrypoint
$ whoami
root
$ cat /etc/passwd
builder:x:30000:30000::/builder:/bin/sh
$ su - builder
$ whoami
root <-- not builder!
$ kas build --target core-image-minimal meta-cip-bbb/kas-bbb.yml
    Do not use Bitbake as root.
ERROR: Job failed: command terminated with exit code 1

> * Fork the kas Docker image and insert a USER directive [4]
> * ...
> 
> As usual, it is better to push the fix upstream instead of downstream and fix the bug in Gitlab runner.
> Then I could also get rid of this [5] ugly workaround :-)
> 
> I should be back on Tuesday here. So long, Michael.

Happy Pfingstmontag ;)

Thanks,
Daniel

> 
> [1] https://gitlab.com/cip-project/cip-core/deby/-/jobs/226291592
> [2] https://github.com/siemens/kas/blob/90ae592ff1b835bb7a8ee5999fe0d619242972c5/docker-entrypoint
> [3] https://gitlab.com/gitlab-org/gitlab-runner/issues/4125
> [4] https://docs.docker.com/engine/reference/builder/#user
> [5] https://gitlab.com/cip-playground/gitlab-cloud-ci/blob/master/share/k8s/setup-host-binfmt/daemonset.yaml

* [cip-dev] gitlab-ci for CIP tiny profile (Deby)
  2019-06-10  6:52     ` daniel.sangorrin at toshiba.co.jp
@ 2019-06-11  9:15       ` Adler, Michael
  2019-06-12  0:44         ` daniel.sangorrin at toshiba.co.jp
  0 siblings, 1 reply; 7+ messages in thread
From: Adler, Michael @ 2019-06-11  9:15 UTC (permalink / raw)
  To: cip-dev

Hi Daniel,

I've done some experiments as well [1]. Could you try prefixing the "kas build" command with "gosu builder"?
Something like this:

gosu builder kas build --target core-image-minimal meta-cip-bbb/kas-bbb.yml

See also my gitlab-ci.yml [2].

Best regards,
  Michael

[1] https://gitlab.com/therisen06/entrypoint-debug/-/jobs/228882512
[2] https://gitlab.com/therisen06/entrypoint-debug/blob/3c1ffef93ca7880e11a984d4338bf04965962f1f/.gitlab-ci.yml

-- 
Michael Adler
Siemens AG, Corporate Technology, CT RDA IOT SES-DE, Otto-Hahn-Ring 6, 81739 Munich, Germany
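
The gosu workaround from the mail above, written as a reusable guard for a CI script. This is an added example, not part of the original mails, kas or GitLab Runner; BUILD_USER, PASSWD_FILE, DROP_TOOL and the function names are assumptions of the example.

```shell
#!/bin/sh
# Added example: guard for a CI job whose image entrypoint may have been skipped.
# BUILD_USER, PASSWD_FILE, DROP_TOOL and all function names are assumptions.
BUILD_USER="${BUILD_USER:-builder}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
DROP_TOOL="${DROP_TOOL:-gosu}"

# uid_of NAME: print NAME's uid from PASSWD_FILE; non-zero status if absent.
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3; found = 1; exit }
                       END { exit !found }' "$PASSWD_FILE"
}

# plan_drop CURRENT_UID: print the prefix to put in front of the build command.
#   non-root            -> empty prefix (a USER directive or entrypoint applied)
#   root, account found -> "gosu builder"
#   root, no account    -> status 2 (the entrypoint never created the user)
#   account has uid 0   -> status 3 (dropping to it would change nothing)
plan_drop() {
    cur="$1"
    if [ "$cur" -ne 0 ]; then
        return 0
    fi
    target=$(uid_of "$BUILD_USER") || {
        echo "no account '$BUILD_USER' in $PASSWD_FILE" >&2
        return 2
    }
    if [ "$target" -eq 0 ]; then
        echo "'$BUILD_USER' maps to uid 0" >&2
        return 3
    fi
    printf '%s %s\n' "$DROP_TOOL" "$BUILD_USER"
}

# run_build CMD...: run CMD under the planned prefix. gosu execs CMD with the
# target uid/gid, so the identity applies to exactly that command, whereas a
# separate "su - builder" script line leaves the calling shell's uid unchanged.
run_build() {
    prefix=$(plan_drop "$(id -u)") || return $?
    # shellcheck disable=SC2086  # prefix is intentionally split into words
    $prefix "$@"
}

# Stand-alone use: ./guard.sh kas build --target core-image-minimal <kas yml>
if [ "$#" -gt 0 ]; then
    run_build "$@"
fi
```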


* [cip-dev] gitlab-ci for CIP tiny profile (Deby)
  2019-06-11  9:15       ` Adler, Michael
@ 2019-06-12  0:44         ` daniel.sangorrin at toshiba.co.jp
  0 siblings, 0 replies; 7+ messages in thread
From: daniel.sangorrin at toshiba.co.jp @ 2019-06-12  0:44 UTC (permalink / raw)
  To: cip-dev

Thanks Michael,

It seems that worked out!
https://gitlab.com/cip-project/cip-core/deby/-/jobs/229463821

Best regards,
Daniel

