mirror of
https://github.com/digital-asset/daml.git
synced 2024-11-10 10:46:11 +03:00
bf64e705e9
When we set this up years ago (#1566), it was a way to get a more recent Docker version than was then available through the default Ubuntu 16.04 apt repository. Nowadays, this actually makes us lag behind, to the point where the 2.3.1 image isn't building. CHANGELOG_BEGIN CHANGELOG_END
254 lines
7.0 KiB
Bash
254 lines
7.0 KiB
Bash
#!/usr/bin/env bash
|
|
# Copyright (c) 2022 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
|
|
# Agent startup script
|
|
set -euo pipefail
|
|
|
|
## Hardening
|
|
|
|
# Commit sepukku on failure
|
|
trap "shutdown -h now" EXIT
|
|
|
|
# replace the default nameserver to not use the metadata server
|
|
echo "nameserver 8.8.8.8" > /etc/resolv.conf
|
|
|
|
# delete self
|
|
rm -vf "$0"
|
|
|
|
## Install system dependencies
|
|
apt-get update -q
|
|
apt-get install -qy \
|
|
curl sudo \
|
|
bzip2 rsync \
|
|
jq liblttng-ust0 libcurl4 libkrb5-3 zlib1g \
|
|
git \
|
|
netcat \
|
|
apt-transport-https \
|
|
software-properties-common
|
|
|
|
# Install dependencies for Chrome (to run Puppeteer tests on the gsg)
|
|
# list taken from: https://github.com/puppeteer/puppeteer/blob/a3d1536a6b6e282a43521bea28aef027a7133df8/docs/troubleshooting.md#chrome-headless-doesnt-launch-on-unix
|
|
# see https://github.com/digital-asset/daml/pull/5540 for context
|
|
apt-get install -qy \
|
|
gconf-service \
|
|
libasound2 \
|
|
libatk1.0-0 \
|
|
libatk-bridge2.0-0 \
|
|
libc6 \
|
|
libcairo2 \
|
|
libcups2 \
|
|
libdbus-1-3 \
|
|
libexpat1 \
|
|
libfontconfig1 \
|
|
libgbm-dev \
|
|
libgcc1 \
|
|
libgconf-2-4 \
|
|
libgdk-pixbuf2.0-0 \
|
|
libglib2.0-0 \
|
|
libgtk-3-0 \
|
|
libnspr4 \
|
|
libpango-1.0-0 \
|
|
libpangocairo-1.0-0 \
|
|
libstdc++6 \
|
|
libx11-6 \
|
|
libx11-xcb1 \
|
|
libxcb1 \
|
|
libxcomposite1 \
|
|
libxcursor1 \
|
|
libxdamage1 \
|
|
libxext6 \
|
|
libxfixes3 \
|
|
libxi6 \
|
|
libxrandr2 \
|
|
libxrender1 \
|
|
libxss1 \
|
|
libxtst6 \
|
|
ca-certificates \
|
|
fonts-liberation \
|
|
libappindicator1 \
|
|
libnss3 \
|
|
lsb-release \
|
|
xdg-utils \
|
|
wget
|
|
|
|
# Taken from https://cloud.google.com/logging/docs/agent/logging/installation
|
|
curl -sSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
|
|
curl -sSL https://dl.google.com/cloudagents/add-logging-agent-repo.sh | bash -s -- --also-install
|
|
|
|
#install docker
|
|
# BEGIN Installing Docker per https://docs.docker.com/engine/install/ubuntu/
|
|
apt-get -y install apt-transport-https \
|
|
ca-certificates \
|
|
curl \
|
|
gnupg \
|
|
lsb-release
|
|
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
|
|
echo "deb [arch=amd64 signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" \
|
|
| tee /etc/apt/sources.list.d/docker.list > /dev/null
|
|
apt-get update
|
|
apt-get -y install docker-ce docker-ce-cli containerd.io
|
|
docker run --rm hello-world
|
|
# END Installing Docker
|
|
|
|
#Start docker daemon
|
|
systemctl enable docker
|
|
|
|
## Install the VSTS agent
|
|
groupadd --gid 3000 vsts
|
|
useradd \
|
|
--create-home \
|
|
--gid 3000 \
|
|
--shell /bin/bash \
|
|
--uid 3000 \
|
|
vsts
|
|
#add docker group to user
|
|
usermod -aG docker vsts
|
|
# let vsts user mount/unmount cache folders
|
|
echo "/tmp/bazel_cache /home/vsts/.cache/bazel auto rw,user,exec" >> /etc/fstab
|
|
echo "/tmp/disk_cache /home/vsts/.bazel-cache auto rw,user,exec" >> /etc/fstab
|
|
|
|
CACHE_SCRIPT=/home/vsts/reset_caches.sh
|
|
|
|
cat <<'RESET_CACHES' > $CACHE_SCRIPT
|
|
#!/usr/bin/env bash
|
|
|
|
set -euo pipefail
|
|
|
|
reset_cache() {
|
|
local file mount_point
|
|
file=$1
|
|
mount_point=$2
|
|
|
|
echo "Cleaning up '$mount_point'..."
|
|
if [ -d "$mount_point" ]; then
|
|
for pid in $(pgrep -a -f bazel | awk '{print $1}'); do
|
|
echo "Killing $pid..."
|
|
kill -s KILL $pid
|
|
done
|
|
for pid in $(lsof $mount_point | sed 1d | awk '{print $2}' | sort -u); do
|
|
echo "Killing $pid..."
|
|
kill -s KILL $pid
|
|
done
|
|
if mount -l | grep $mount_point; then
|
|
umount $mount_point
|
|
fi
|
|
rm -rf $mount_point
|
|
fi
|
|
|
|
rm -f $file
|
|
truncate -s 200g $file
|
|
mkfs.ext2 -E root_owner=$(id -u):$(id -g) $file
|
|
mkdir -p $mount_point
|
|
mount $mount_point
|
|
echo "Done."
|
|
}
|
|
|
|
reset_cache /tmp/bazel_cache /home/vsts/.cache/bazel
|
|
reset_cache /tmp/disk_cache /home/vsts/.bazel-cache
|
|
RESET_CACHES
|
|
chown vsts:vsts $CACHE_SCRIPT
|
|
chmod +x $CACHE_SCRIPT
|
|
|
|
su --login vsts <<'AGENT_SETUP'
|
|
set -euo pipefail
|
|
|
|
VSTS_ACCOUNT=${vsts_account}
|
|
VSTS_POOL=${vsts_pool}
|
|
VSTS_TOKEN=${vsts_token}
|
|
|
|
mkdir -p ~/agent
|
|
cd ~/agent
|
|
echo 'assignment=default' > .capabilities
|
|
|
|
echo Determining matching VSTS agent...
|
|
VSTS_AGENT_RESPONSE=$(curl -sSfL \
|
|
-u "user:$VSTS_TOKEN" \
|
|
-H 'Accept:application/json;api-version=3.0-preview' \
|
|
"https://$VSTS_ACCOUNT.visualstudio.com/_apis/distributedtask/packages/agent?platform=linux-x64")
|
|
|
|
VSTS_AGENT_URL=$(echo "$VSTS_AGENT_RESPONSE" \
|
|
| jq -r '.value | map([.version.major,.version.minor,.version.patch,.downloadUrl]) | sort | .[length-1] | .[3]')
|
|
|
|
if [ -z "$VSTS_AGENT_URL" -o "$VSTS_AGENT_URL" == "null" ]; then
|
|
echo 1>&2 error: could not determine a matching VSTS agent - check that account \'$VSTS_ACCOUNT\' is correct and the token is valid for that account
|
|
exit 1
|
|
fi
|
|
|
|
echo Downloading and installing VSTS agent...
|
|
curl -sSfL "$VSTS_AGENT_URL" | tar -xz --no-same-owner
|
|
|
|
set +u
|
|
source ./env.sh
|
|
set -u
|
|
|
|
./config.sh \
|
|
--acceptTeeEula \
|
|
--agent "$(hostname)" \
|
|
--auth PAT \
|
|
--pool "$VSTS_POOL" \
|
|
--replace \
|
|
--token "$VSTS_TOKEN" \
|
|
--unattended \
|
|
--url "https://$VSTS_ACCOUNT.visualstudio.com"
|
|
AGENT_SETUP
|
|
|
|
## Hardening
|
|
|
|
chown --recursive root:root /home/vsts/agent/{*.sh,bin,externals}
|
|
|
|
## Install Nix
|
|
|
|
# This needs to run inside of a user with sudo access
|
|
echo "vsts ALL=(ALL:ALL) NOPASSWD:ALL" > /etc/sudoers.d/nix_installation
|
|
su --command "sh <(curl -sSfL https://nixos.org/nix/install) --daemon" --login vsts
|
|
rm /etc/sudoers.d/nix_installation
|
|
|
|
# Note: the "hydra.da-int.net" string is now part of the name of the key for
|
|
# legacy reasons; it bears no relation to the DNS hostname of the current
|
|
# cache.
|
|
cat <<NIX_CONF > /etc/nix/nix.conf
|
|
extra-substituters = https://nix-cache.da-ext.net
|
|
extra-trusted-public-keys = hydra.da-int.net-2:91tXuJGf/ExbAz7IWsMsxQ5FsO6lG/EGM5QVt+xhZu0= hydra.da-int.net-1:6Oy2+KYvI7xkAOg0gJisD7Nz/6m8CmyKMbWfSKUe03g=
|
|
build-users-group = nixbld
|
|
cores = 1
|
|
max-jobs = 0
|
|
sandbox = relaxed
|
|
NIX_CONF
|
|
|
|
systemctl restart nix-daemon
|
|
|
|
# Warm up local caches by building dev-env and current daml main
|
|
# This is allowed to fail, as we still want to have CI machines
|
|
# around, even when their caches are only warmed up halfway
|
|
su --login vsts <<'CACHE_WARMUP'
|
|
# user-wide bazel disk cache override
|
|
echo "build:linux --disk_cache=~/.bazel-cache" > ~/.bazelrc
|
|
# set up cache folders
|
|
/home/vsts/reset_caches.sh
|
|
|
|
# clone and build
|
|
(
|
|
git clone https://github.com/digital-asset/daml
|
|
cd daml
|
|
./ci/dev-env-install.sh
|
|
./build.sh "_$(uname)"
|
|
) || true
|
|
CACHE_WARMUP
|
|
|
|
# Remove /home/vsts/daml folder that might be present from cache warmup
|
|
rm -R /home/vsts/daml || true
|
|
|
|
## Finish
|
|
|
|
# run the fake local webserver, taken from the docker image
|
|
web-server() {
|
|
while true; do
|
|
printf 'HTTP/1.1 302 Found\r\nLocation: https://%s.visualstudio.com/_admin/_AgentPool\r\n\r\n' "${vsts_account}" | nc -l -p 80 -q 0 > /dev/null
|
|
done
|
|
}
|
|
web-server &
|
|
|
|
# Start the VSTS agent
|
|
su --login --command "cd /home/vsts/agent && exec ./run.sh" - vsts
|