
Use Jenkins upstream systemd unit instead of our own
Closed, Resolved, Public

Description

The Jenkins 2.332.2 (T307339) Debian package ships a systemd unit; we should probably use that one instead of the homemade one in Puppet. If I remember correctly, I have pointed upstream to our unit and they have incorporated it after that.

There are changes to /etc/default/jenkins we will have to take into account as well.

Upon upgrading the Jenkins package:

Setting up jenkins (2.346.1) ...
migrate: /etc/default/jenkins does not exist
Processing triggers for systemd (241-7~deb10u8) ...

And on the spare server (which has the unit masked) we also have:

Failed to preset unit: Unit file /etc/systemd/system/jenkins.service is masked.
/usr/bin/deb-systemd-helper: error: systemctl preset failed on jenkins.service: No such file or directory

Then we have to run puppet to update /lib/systemd/system/jenkins.service and restart the jenkins service to apply the settings back.

Upstream systemd logic is at https://github.com/jenkinsci/packaging/tree/master/systemd

Diff:

--- /lib/systemd/system/jenkins.service	2022-06-22 11:38:27.000000000 +0000
+++ /tmp/puppet-file20220623-14844-c5o56m	2022-06-23 14:01:08.356569533 +0000
@@ -1,156 +1,26 @@
-#
-# This file is managed by systemd(1). Do NOT edit this file manually!
-# To override these settings, run:
-#
-#     systemctl edit jenkins
-#
-# For more information about drop-in files, see:
-#
-#     https://www.freedesktop.org/software/systemd/man/systemd.unit.html
-#
-
 [Unit]
 Description=Jenkins Continuous Integration Server
-Requires=network.target
 After=network.target
 
 [Service]
-Type=notify
-NotifyAccess=main
-ExecStart=/usr/bin/jenkins
-Restart=on-failure
-SuccessExitStatus=143
-
-# Configures the time to wait for start-up. If Jenkins does not signal start-up
-# completion within the configured time, the service will be considered failed
-# and will be shut down again. Takes a unit-less value in seconds, or a time span
-# value such as "5min 20s". Pass "infinity" to disable the timeout logic.
-#TimeoutStartSec=90
-
-# Unix account that runs the Jenkins daemon
-# Be careful when you change this, as you need to update the permissions of
-# $JENKINS_HOME, $JENKINS_LOG, and (if you have already run Jenkins)
-# $JENKINS_WEBROOT.
+Type=simple
 User=jenkins
 Group=jenkins
+SyslogIdentifier=jenkins
+UMask=0002
+LimitNOFILE=8192
+
+Environment=JENKINS_HOME=/var/lib/jenkins
+ExecStart=/usr/lib/jvm/java-11-openjdk-amd64/bin/java -Djava.awt.headless=true -Dhudson.plugins.git.GitSCM.verbose=true -Dhudson.model.ParametersAction.keepUndefinedParameters=true -Djava.util.logging.config.file=/etc/jenkins/logging.properties -Dhudson.udp=-1 -Dhudson.DNSMultiCast.disabled=true -Djenkins.model.Jenkins.buildsDir=$${ITEM_ROOTDIR}/builds -Djenkins.model.Jenkins.workspacesDir=$${ITEM_ROOTDIR}/workspace "-Dhudson.model.DirectoryBrowserSupport.CSP=sandbox; default-src 'none'; img-src 'self'; style-src 'self' 'unsafe-inline'; media-src 'self'" \
+    -jar /usr/share/java/jenkins.war \
+    --accessLoggerClassName=winstone.accesslog.SimpleAccessLogger --simpleAccessLogger.format=combined --simpleAccessLogger.file=/var/log/jenkins/access.log \
+    --webroot=/var/cache/jenkins/war \
+    --pluginroot=/var/cache/jenkins/plugins \
+    --httpPort=8080 \
+    --prefix=/
 
-# Directory where Jenkins stores its configuration and workspaces
-Environment="JENKINS_HOME=/var/lib/jenkins"
-WorkingDirectory=/var/lib/jenkins
-
-# Location of the Jenkins WAR
-#Environment="JENKINS_WAR=/usr/share/java/jenkins.war"
-
-# Location of the exploded WAR
-Environment="JENKINS_WEBROOT=%C/jenkins/war"
-
-# Location of the Jenkins log. By default, systemd-journald(8) is used.
-#Environment="JENKINS_LOG=%L/jenkins/jenkins.log"
-
-# The Java home directory. When left empty, JENKINS_JAVA_CMD and PATH are consulted.
-#Environment="JAVA_HOME=/usr/lib/jvm/java-11-openjdk-amd64"
-
-# The Java executable. When left empty, JAVA_HOME and PATH are consulted.
-#Environment="JENKINS_JAVA_CMD=/etc/alternatives/java"
-
-# Arguments for the Jenkins JVM
-Environment="JAVA_OPTS=-Djava.awt.headless=true"
-
-# IP address to listen on for HTTP requests.
-# The default is to listen on all interfaces (0.0.0.0).
-#Environment="JENKINS_LISTEN_ADDRESS="
-
-# Port to listen on for HTTP requests. Set to -1 to disable.
-# To be able to listen on privileged ports (port numbers less than 1024),
-# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
-# directive below.
-Environment="JENKINS_PORT=8080"
-
-# IP address to listen on for HTTPS requests. Default is disabled.
-#Environment="JENKINS_HTTPS_LISTEN_ADDRESS="
-
-# Port to listen on for HTTPS requests. Default is disabled.
-# To be able to listen on privileged ports (port numbers less than 1024),
-# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
-# directive below.
-#Environment="JENKINS_HTTPS_PORT=443"
-
-# Path to the keystore in JKS format (as created by the JDK's keytool).
-# Default is disabled.
-#Environment="JENKINS_HTTPS_KEYSTORE=/path/to/keystore.jks"
-
-# Password to access the keystore defined in JENKINS_HTTPS_KEYSTORE.
-# Default is disabled.
-#Environment="JENKINS_HTTPS_KEYSTORE_PASSWORD=s3cR3tPa55w0rD"
-
-# IP address to listen on for HTTP2 requests. Default is disabled.
-#
-# Note: HTTP2 support may require additional configuration.
-# See the Winstone documentation for more information.
-#Environment="JENKINS_HTTP2_LISTEN_ADDRESS="
-
-# HTTP2 port to listen on. Default is disabled.
-# To be able to listen on privileged ports (port numbers less than 1024),
-# add the CAP_NET_BIND_SERVICE capability to the AmbientCapabilities
-# directive below.
-#
-# Note: HTTP2 support may require additional configuration.
-# See the Winstone documentation for more information.
-#Environment="JENKINS_HTTP2_PORT="
-
-# Controls which capabilities to include in the ambient capability set for the
-# executed process. Takes a whitespace-separated list of capability names, e.g.
-# CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SYS_PTRACE. Ambient capability sets are
-# useful if you want to execute a process as a non-privileged user but still
-# want to give it some capabilities. For example, add the CAP_NET_BIND_SERVICE
-# capability to be able to listen on privileged ports (port numbers less than
-# 1024).
-#AmbientCapabilities=CAP_NET_BIND_SERVICE
-
-# Debug level for logs. The higher the value, the more verbose. 5 is INFO.
-#Environment="JENKINS_DEBUG_LEVEL=5"
-
-# Set to true to enable logging to /var/log/jenkins/access_log.
-#Environment="JENKINS_ENABLE_ACCESS_LOG=false"
-
-# Folder for additional JAR files to add to the Jetty class loader. Default
-# is disabled. See the Winstone documentation for more information.
-#Environment="JENKINS_EXTRA_LIB_FOLDER="
-
-# Servlet context (important if you want to use reverse proxying)
-#Environment="JENKINS_PREFIX=/jenkins"
-
-# Arbitrary additional arguments to pass to Jenkins.
-# Full option list: java -jar jenkins.war --help
-#Environment="JENKINS_OPTS="
-
-# Maximum core file size. If unset, the value from the OS is inherited.
-#LimitCORE=infinity
-
-# Maximum file size. If unset, the value from the OS is inherited.
-#LimitFSIZE=infinity
-
-# File descriptor limit. If unset, the value from the OS is inherited.
-#LimitNOFILE=8192
-
-# Maximum number of processes. If unset, the value from the OS is inherited.
-#LimitNPROC=32768
-
-# Set the umask to control the permission bits of files that Jenkins creates.
-#
-# 0027 makes files read-only for group and inaccessible for others, which some
-# security sensitive users might consider beneficial, especially if Jenkins
-# is running on a server that is used for multiple purposes. Beware that 0027
-# permissions would interfere with sudo scripts that run on the controller
-# (see JENKINS-25065).
-#
-# Note also that the particularly sensitive parts of $JENKINS_HOME (such as
-# credentials) are always written without 'other' access. So the umask values
-# only affect job configuration, build records, etc.
-#
-# If unset, the value from the OS is inherited, which is normally 0022.
-# The default umask comes from pam_umask(8) and /etc/login.defs.
-#UMask=0022
+# We send SIGTERM(15), java exit code is 143 = 128 + 15
+SuccessExitStatus=143
 
 [Install]
 WantedBy=multi-user.target
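
Review bot: The Puppet-rendered side (+++) is written over /lib/systemd/system/jenkins.service, a path the package owns, so each package upgrade puts the packaged unit back until Puppet runs again, and the replacement drops `Type=notify`, `Restart=on-failure` and `WorkingDirectory=/var/lib/jenkins`. Carry the local settings in a drop-in under /etc/systemd/system/jenkins.service.d/ instead, as the removed header suggests with `systemctl edit jenkins`; a drop-in that replaces the command needs an empty `ExecStart=` line before the new one, because systemd refuses a second ExecStart on a service that is not Type=oneshot. `UMask=0002` also leaves files Jenkins creates group-writable where the packaged comment gives 0022 as the usual inherited value, so confirm it is still required before carrying it into the override.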

Event Timeline

Change 808900 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] jenkins: use upstream systemd definition

https://gerrit.wikimedia.org/r/808900

Change 831534 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/puppet@production] systemd: allow changing override filename

https://gerrit.wikimedia.org/r/831534

Change 831534 merged by Jbond:

[operations/puppet@production] systemd: allow changing override filename

https://gerrit.wikimedia.org/r/831534

Change 808900 merged by Jbond:

[operations/puppet@production] jenkins: use upstream systemd definition

https://gerrit.wikimedia.org/r/808900

I ran puppet on all the Jenkins. On releases1002 I went to do the Jenkins upgrade (T317418) and the systemd override does apply our magic ExecStart and our custom parameters. It looks like it is a success.

I will upgrade Jenkins on contint2001 this afternoon, which will give a second confirmation that we have successfully migrated to the upstream systemd unit.

I have compared the output of systemctl show jenkins before vs after; it looks good!
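
One way to repeat the before/after `systemctl show jenkins` comparison from the last comment without the noise of runtime fields, as an added example that is not part of the original task or Wikimedia's tooling. The watched property list, the `override.conf` file name and both sample dumps are constructed assumptions.

```shell
#!/bin/sh
# Added example: compare two saved `systemctl show jenkins` dumps.
# Launch-defining properties only; runtime state (MainPID, timestamps) is skipped.
WATCH='FragmentPath DropInPaths Type NotifyAccess Restart User Group UMask LimitNOFILE WorkingDirectory SyslogIdentifier ExecStart'

# compare_units BEFORE AFTER: print watched properties that differ.
# Returns 1 if any differ, 0 if the dumps agree.
compare_units() {
    awk -v watch="$WATCH" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        {
            eq = index($0, "=")                 # split on the first "=" only
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            if (!(key in keep)) next
            val = substr($0, eq + 1)
            # ExecStart embeds start_time and pid, which change on every restart
            if (key == "ExecStart") sub(/ ; ignore_errors=.*/, "", val)
            if (FNR == NR) before[key] = val; else after[key] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                k = w[i]
                if (before[k] == after[k]) continue
                printf "%s\n  before: %s\n  after:  %s\n", k, before[k], after[k]
                rc = 1
            }
            exit rc + 0
        }' "$1" "$2"
}

# write_samples DIR: constructed dumps modelled on the diff above, not captured output.
write_samples() {
    cat > "$1/before.txt" <<'EOF'
FragmentPath=/lib/systemd/system/jenkins.service
Type=simple
Restart=no
UMask=0002
MainPID=1412
ExecStart={ path=/usr/lib/jvm/java-11-openjdk-amd64/bin/java ; argv[]=/usr/lib/jvm/java-11-openjdk-amd64/bin/java -jar /usr/share/java/jenkins.war --httpPort=8080 ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=1412 ; code=(null) ; status=0/0 }
EOF
    cat > "$1/after.txt" <<'EOF'
FragmentPath=/lib/systemd/system/jenkins.service
DropInPaths=/etc/systemd/system/jenkins.service.d/override.conf
Type=notify
Restart=on-failure
UMask=0002
MainPID=2207
ExecStart={ path=/usr/lib/jvm/java-11-openjdk-amd64/bin/java ; argv[]=/usr/lib/jvm/java-11-openjdk-amd64/bin/java -jar /usr/share/java/jenkins.war --httpPort=8080 ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=2207 ; code=(null) ; status=0/0 }
EOF
}
```

On a real host, save `systemctl show jenkins` to a file before and after the Puppet run and pass both files to `compare_units`; a non-zero return means at least one watched property changed.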