[Git][qa/jenkins.debian.net][master] reproducible debian: move the "inner" systemd service to a user unit

[Mattia Rizzolo (@mattia)]

Mattia Rizzolo pushed to branch master at Debian QA / jenkins.debian.net


Commits:
9e44007a by Mattia Rizzolo at 2024-03-09T17:32:59+01:00
reproducible debian: move the "inner" systemd service to a user unit

this saves us from having to give extra privileges to the script to
start the worker services

Signed-off-by: Mattia Rizzolo <mattia at debian.org>

- - - - -


4 changed files:

- bin/reproducible_build_service.sh
- bin/reproducible_worker.sh
- hosts/jenkins/etc/systemd/system/reproducible_build at .service → jenkins-home/reproducible_build at .service
- update_jdn.sh


Changes:

=====================================
bin/reproducible_build_service.sh
=====================================
@@ -61,10 +61,14 @@ startup_workers() {
 			#
 			# actually start the worker
 			#
+			if [ -z "${XDG_RUNTIME_DIR:-}" ]; then
+				XDG_RUNTIME_DIR="/run/user/$UID"
+				export XDG_RUNTIME_DIR
+			fi
 			BUILD_BASE=/var/lib/jenkins/userContent/reproducible/debian/build_service/$WORKER_NAME
 			mkdir -p "$BUILD_BASE"
 			echo "$(date --utc) - Starting $WORKER_NAME"
-			systemctl start "reproducible_build@${WORKER_NAME}.service"
+			systemctl --user start "reproducible_build@${WORKER_NAME}.service"
 		done
 	done
 }


=====================================
bin/reproducible_worker.sh
=====================================
@@ -172,11 +172,11 @@ main_loop() {
 		exit 9
 	fi
 	# try systemctl twice, but only output and thus log the 2nd attempt…
-	RUNNING=$(systemctl show -P SubState "$SERVICE")
+	RUNNING=$(systemctl --user show -P SubState "$SERVICE")
 	if [ "$RUNNING" != "running" ] ; then
 		# sometimes systemctl requests time out… handle that gracefully
 		sleep 23
-		RUNNING=$(systemctl show -P SubState "$SERVICE")
+		RUNNING=$(systemctl --user show -P SubState "$SERVICE")
 		if [ "$RUNNING" != "running" ] ; then
 			echo "$(date --utc) - '$SERVICE' not running, thus stopping this."
 			sleep 42.1337m
@@ -228,10 +228,6 @@ main_loop() {
 	echo "                               see https://tests.reproducible-builds.org/cgi-bin/nph-logwatch?$WORKER_NAME/$BUILD_ID"
 	echo "================================================================================================"
 	echo
-	if [ -z "${XDG_RUNTIME_DIR:-}" ]; then
-		XDG_RUNTIME_DIR="/run/user/$UID"
-		export XDG_RUNTIME_DIR
-	fi
 	RETCODE=0
 	systemd-run --user --send-sighup --collect --pipe --wait \
 		--slice=rb.slice -u "rb-build-$WORKER_NAME-$BUILD_ID" \
@@ -262,6 +258,11 @@ fi
 # main
 #
 
+if [ -z "${XDG_RUNTIME_DIR:-}" ]; then
+	XDG_RUNTIME_DIR="/run/user/$UID"
+	export XDG_RUNTIME_DIR
+fi
+
 # script invoked without specifying the nodes
 choose_nodes "$WORKER_NAME"
 SERVICE="reproducible_build@${WORKER_NAME}.service"


=====================================
hosts/jenkins/etc/systemd/system/reproducible_build at .service → jenkins-home/reproducible_build at .service
=====================================
@@ -7,8 +7,6 @@ ConditionPathExists=!/var/lib/jenkins/NO-RB-BUILDERS-PLEASE
 Restart=always
 # special code from _build_service for when the service should not exist, to properly quit
 RestartPreventExitStatus=8 9 10
-User=jenkins
-Group=jenkins
 ExecStart=/srv/jenkins/bin/reproducible_worker.sh %I
 StandardOutput=append:/var/lib/jenkins/userContent/reproducible/debian/build_service/%I/worker.log
 StandardError=inherit
@@ -18,6 +16,3 @@ SendSIGHUP=yes
 # Note that diffoscope runs within this service.
 OOMPolicy=kill
 OOMScoreAdjust=100
-
-[Install]
-WantedBy=multi-user.target


=====================================
update_jdn.sh
=====================================
@@ -806,6 +806,8 @@ if [ "$HOSTNAME" = "jenkins" ] ; then
 	sudo -u jenkins install -m 600 jenkins-home/authorized_keys /var/lib/jenkins/.ssh/authorized_keys
 	sudo -u jenkins cp jenkins-home/procmailrc /var/lib/jenkins/.procmailrc
 	sudo -u jenkins cp jenkins-home/offline_nodes /var/lib/jenkins/offline_nodes
+	sudo -u jenkins mkdir /var/lib/jenkins/.config/systemd/user
+	sudo -u jenkins cp jenkins-home/reproducible_build at .service /var/lib/jenkins/.config/systemd/user/
 else
 	sudo cp jenkins-nodes-home/authorized_keys /var/lib/jenkins/.ssh/authorized_keys
 fi



View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/commit/9e44007a61471b61f80087cbb93c7d0efd337f90

-- 
View it on GitLab: https://salsa.debian.org/qa/jenkins.debian.net/-/commit/9e44007a61471b61f80087cbb93c7d0efd337f90
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/qa-jenkins-scm/attachments/20240309/d14a2bd8/attachment-0001.htm>