Comments (5)
I disable known hosts verification. The instances are fired up in EC2 in a private VPC and picked up only if they are part of the EC2 fleet, they run a custom cloud-init script (user-data) that installs the Jenkins public key.
You could also create a custom image in AWS and use that for launching which already has the Jenkins user and key installed.
from ec2-fleet-plugin.
Got it, thanks @bertjwregeer . I think I still prefer being able to verify, but I don't see how. It would be nice in that respect if ssh worked like full ssl, with an x509 cert signed by a common authority. Then I wouldn't need the actual host pubkey in known_hosts, just the cert of the signing authority. Oh well.
It actually has taken me a bit to "turn my head around" on this. Normally, when deploying scaling apps on aws, I use an autoscaling group, and have new "worker" nodes self-join a cluster. In the Jenkins case, I would use ASG (or possibly spot fleet) to spin up new workers and have them join Jenkins.
The challenges I found with that approach are:
1. It isn't sufficient to just "connect"; I need to "add" the new node using the Jenkins CLI or REST API as a "permanent" node, and then either retrieve the jnlp agent-specific secret and join, or use ssh (which creates the same issue with host key, although possibly more easily solvable if I am initiating from the host which already knows its host key). Solvable.
2. Deletion of hosts isn't automatic. If I have a node created by an ASG, it then might be terminated. Instead of Jenkins removing it (as happens, e.g. with Kubernetes and cloud-provider set to AWS), it lingers as an unreachable host. I could create a clean-up job, but that is just more custom work.
3. Deletion of hosts isn't "Jenkins-aware", i.e. it might delete a host that has a running job. Of course, the same thing can happen with spot fleet as well, so not as challenging.
The ec2-fleet plugin pretty much solves 2 & 3, and I can set the userdata or custom AMI (or use docker with custom OCI image) to resolve 1, as you mentioned.
Still and all, doing it from the Jenkins Server via a plugin, rather than from ASG, is a little different.
Any way to use jnlp instead of ssh for the spot fleet nodes?
@deitch SSH CAN work like that though. See https://jameshfisher.com/2018/03/16/how-to-create-an-ssh-certificate-authority.html for a guide on how to setup/configure that.
SSH CAN work like that though
Quite! (and I am facepalming myself for not thinking of it...; thanks @bertjwregeer :-) )
Does the ssh implementation on the server side in jenkins ssh-slave support it? Or is it just exec-ing out to the on-host ssh client anyways?
Mind, there is not-insignificant work to do to automate this process: agent starts up, generates a host key, that in turn needs to be signed, which means it needs some way to reach a CA and be trusted that it is valid, and around again...
Last time I did this was (as mentioned above) for k8s workers. They have a "pre-kube" startup phase that uses a secret key injected via userdata to reach a CA and request signing. Not perfect, but it works.
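The SSH certificate-authority approach suggested above, and the signing step the last comment says has to be automated on agent start-up, as an added example that is not part of the thread or of the ec2-fleet plugin. It uses only OpenSSH's ssh-keygen: a host CA is created once, each new agent's freshly generated host key is signed with a bounded validity and a hostname principal, and the Jenkins controller's known_hosts trusts the CA with a single `@cert-authority` line instead of pinning one key per instance. The working directory, the principal `ip-10-0-1-23.ec2.internal`, the `*.ec2.internal` pattern and the `/etc/ssh` paths are assumptions; the part the thread calls the hard bit, a signing service that holds the CA private key and decides which agents may be signed, is not provided here.

```shell
#!/bin/sh
# Added example (not from the thread): SSH host CA + host certificate +
# CA-trusting known_hosts. Paths and names are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. One-time, on the signing service: create the CA keypair.
#    host_ca (private) never leaves the signer; host_ca.pub goes to Jenkins.
make_host_ca() {
  ssh-keygen -q -t ed25519 -N '' -C 'jenkins-host-ca' -f "$WORK/host_ca"
}

# 2. Per agent, at start-up: generate a host key and have the CA sign it.
#    -h   : host (not user) certificate
#    -n   : principals the cert is valid for (the hostname Jenkins connects to)
#    -V   : validity window, so a cert from a long-dead instance expires
#    Output: ssh_host_ed25519_key-cert.pub next to the key.
sign_host_key() {
  principal="$1"
  ssh-keygen -q -t ed25519 -N '' -f "$WORK/ssh_host_ed25519_key"
  ssh-keygen -q -s "$WORK/host_ca" -I "agent-$principal" -h \
    -n "$principal" -V '+52w' "$WORK/ssh_host_ed25519_key.pub"
}

# 3. On the Jenkins controller: one known_hosts line trusts every host the CA
#    signs for names matching the pattern. No per-instance key needed, and
#    StrictHostKeyChecking can stay on.
write_known_hosts() {
  pattern="$1"
  printf '@cert-authority %s %s\n' "$pattern" \
    "$(cut -d' ' -f1,2 "$WORK/host_ca.pub")" > "$WORK/known_hosts"
}

# 4. What the agent's sshd needs so it presents the certificate (assumed paths).
sshd_config_snippet() {
  printf 'HostKey /etc/ssh/ssh_host_ed25519_key\n'
  printf 'HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub\n'
}

# Check: does the certificate actually carry the principal we asked for?
# ssh-keygen -L prints each principal on its own indented line.
cert_has_principal() {
  ssh-keygen -L -f "$WORK/ssh_host_ed25519_key-cert.pub" \
    | grep -q "^[[:space:]]*$1[[:space:]]*\$"
}

# Stand-alone run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
  make_host_ca
  sign_host_key ip-10-0-1-23.ec2.internal
  write_known_hosts '*.ec2.internal'
  cert_has_principal ip-10-0-1-23.ec2.internal && echo "principal ok"
  echo "--- known_hosts ---"; cat "$WORK/known_hosts"
  echo "--- sshd_config ---"; sshd_config_snippet
fi
```

The controller then connects with `-o UserKnownHostsFile=<that file>` (or the line is appended to the Jenkins user's normal known_hosts) and accepts any agent whose certificate chains to the CA and names the hostname it dialled; a bare instance that only has an unsigned key is still rejected. Rotating the CA is a one-line change on the controller rather than a re-pin of every fleet member.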