|
1 | 1 | #!/usr/bin/env bash |
2 | 2 |
|
3 | | -set -euo pipefail |
| 3 | +set -Eeuo pipefail |
4 | 4 |
|
5 | | -enviroment() { |
6 | | - echo "~~~ :earth_asia: Setting up environment variables" |
7 | | - # shellcheck source=/dev/null |
8 | | - source ~/cfn-env |
9 | | - |
10 | | - # a clean docker config for each job, for improved isolation |
11 | | - BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY=$(mktemp -d) |
12 | | - export BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY |
13 | | - export DOCKER_CONFIG="$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY" |
| 5 | +handle_err() { |
| 6 | + echo "^^^ +++" |
| 7 | + echo ":alert: Elastic CI Stack environment hook failed" >&2 |
| 8 | + exit 53 |
| 9 | +} |
14 | 10 |
|
15 | | - if [ "${BUILDKITE_DOCKER_EXPERIMENTAL:-false}" = "true" ]; then |
16 | | - if [ ! -f "${DOCKER_CONFIG}/config.json" ]; then |
17 | | - echo "{}" > "${DOCKER_CONFIG}/config.json" |
18 | | - fi |
| 11 | +trap handle_err ERR |
19 | 12 |
|
20 | | - #shellcheck disable=SC2094 # Redirections to the same command are processed in order |
21 | | - cat <<< "$(jq '.experimental="enabled"' "${DOCKER_CONFIG}/config.json")" > "${DOCKER_CONFIG}/config.json" |
22 | | - fi |
| 13 | +echo "~~~ :earth_asia: Setting up environment variables" |
| 14 | +# shellcheck source=/dev/null |
| 15 | +source ~/cfn-env |
23 | 16 |
|
24 | | - echo "~~~ :llama: Setting up elastic stack environment ($BUILDKITE_STACK_VERSION)" |
| 17 | +# a clean docker config for each job, for improved isolation |
| 18 | +BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY=$(mktemp -d) |
| 19 | +export BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY |
| 20 | +export DOCKER_CONFIG="$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY" |
25 | 21 |
|
26 | | - echo "Checking docker" |
27 | | - if ! docker ps; then |
28 | | - echo "^^^ +++" |
29 | | - echo ":alert: Docker isn't running!" |
30 | | - set -x |
31 | | - pgrep -lf docker || tail -n 50 /var/log/docker |
32 | | - exit 1 |
| 22 | +if [ "${BUILDKITE_DOCKER_EXPERIMENTAL:-false}" = "true" ]; then |
| 23 | + if [ ! -f "${DOCKER_CONFIG}/config.json" ]; then |
| 24 | + echo "{}" > "${DOCKER_CONFIG}/config.json" |
33 | 25 | fi |
34 | 26 |
|
35 | | - echo "Checking disk space" |
36 | | - if ! /usr/local/bin/bk-check-disk-space.sh; then |
| 27 | + #shellcheck disable=SC2094 # Redirections to the same command are processed in order |
| 28 | + cat <<< "$(jq '.experimental="enabled"' "${DOCKER_CONFIG}/config.json")" > "${DOCKER_CONFIG}/config.json" |
| 29 | +fi |
37 | 30 |
|
38 | | - echo "Cleaning up docker resources older than ${DOCKER_PRUNE_UNTIL:-4h}" |
39 | | - docker image prune --all --force --filter "until=${DOCKER_PRUNE_UNTIL:-4h}" |
| 31 | +echo "~~~ :llama: Setting up elastic stack environment ($BUILDKITE_STACK_VERSION)" |
40 | 32 |
|
41 | | - echo "Checking disk space again" |
42 | | - if ! /usr/local/bin/bk-check-disk-space.sh; then |
43 | | - echo "Disk health checks failed" >&2 |
44 | | - exit 1 |
45 | | - fi |
46 | | - fi |
47 | | - |
48 | | - echo "Configuring built-in plugins" |
49 | | - |
50 | | - [[ ! ${SECRETS_PLUGIN_ENABLED:-true} =~ (on|1|true) ]] && PLUGINS_ENABLED=${PLUGINS_ENABLED/secrets/} |
51 | | - [[ ! ${DOCKER_LOGIN_PLUGIN_ENABLED:-true} =~ (on|1|true) ]] && PLUGINS_ENABLED=${PLUGINS_ENABLED/docker-login/} |
52 | | - [[ ! ${ECR_PLUGIN_ENABLED:-true} =~ (on|1|true) ]] && PLUGINS_ENABLED=${PLUGINS_ENABLED/ecr/} |
53 | | - |
54 | | - SECRETS_PLUGIN_ENABLED=0 |
55 | | - DOCKER_LOGIN_PLUGIN_ENABLED=0 |
56 | | - ECR_PLUGIN_ENABLED=0 |
57 | | - |
58 | | - for plugin in $PLUGINS_ENABLED; do |
59 | | - case "$plugin" in |
60 | | - secrets) |
61 | | - export SECRETS_PLUGIN_ENABLED=1 |
62 | | - echo "Secrets plugin enabled" |
63 | | - ;; |
64 | | - docker-login) |
65 | | - export DOCKER_LOGIN_PLUGIN_ENABLED=1 |
66 | | - echo "Docker-login plugin enabled" |
67 | | - ;; |
68 | | - ecr) |
69 | | - export ECR_PLUGIN_ENABLED=1 |
70 | | - echo "ECR plugin enabled" |
71 | | - ;; |
72 | | - esac |
73 | | - done |
74 | | - |
75 | | - if [[ -n "${BUILDKITE_SECRETS_BUCKET:-}" && "${SECRETS_PLUGIN_ENABLED:-}" == "1" ]]; then |
76 | | - export BUILDKITE_PLUGIN_S3_SECRETS_BUCKET="$BUILDKITE_SECRETS_BUCKET" |
77 | | - export BUILDKITE_PLUGIN_S3_SECRETS_REGION="$BUILDKITE_SECRETS_BUCKET_REGION" |
78 | | - |
79 | | - # shellcheck source=/dev/null |
80 | | - source /usr/local/buildkite-aws-stack/plugins/secrets/hooks/environment |
| 33 | +echo "Checking docker" |
| 34 | +if ! docker ps; then |
| 35 | + echo "^^^ +++" |
| 36 | + echo ":alert: Docker isn't running!" |
| 37 | + set -x |
| 38 | + pgrep -lf docker || tail -n 50 /var/log/docker |
| 39 | + exit 1 |
| 40 | +fi |
| 41 | + |
| 42 | +echo "Checking disk space" |
| 43 | +if ! /usr/local/bin/bk-check-disk-space.sh; then |
| 44 | + echo "Cleaning up docker resources older than ${DOCKER_PRUNE_UNTIL:-4h}" |
| 45 | + docker image prune --all --force --filter "until=${DOCKER_PRUNE_UNTIL:-4h}" |
| 46 | + |
| 47 | + echo "Checking disk space again" |
| 48 | + if ! /usr/local/bin/bk-check-disk-space.sh; then |
| 49 | + echo "Disk health checks failed" >&2 |
| 50 | + exit 1 |
81 | 51 | fi |
| 52 | +fi |
| 53 | + |
| 54 | +echo "Configuring built-in plugins" |
| 55 | + |
| 56 | +[[ ! ${SECRETS_PLUGIN_ENABLED:-true} =~ (on|1|true) ]] && PLUGINS_ENABLED=${PLUGINS_ENABLED/secrets/} |
| 57 | +[[ ! ${DOCKER_LOGIN_PLUGIN_ENABLED:-true} =~ (on|1|true) ]] && PLUGINS_ENABLED=${PLUGINS_ENABLED/docker-login/} |
| 58 | +[[ ! ${ECR_PLUGIN_ENABLED:-true} =~ (on|1|true) ]] && PLUGINS_ENABLED=${PLUGINS_ENABLED/ecr/} |
| 59 | + |
| 60 | +SECRETS_PLUGIN_ENABLED=0 |
| 61 | +DOCKER_LOGIN_PLUGIN_ENABLED=0 |
| 62 | +ECR_PLUGIN_ENABLED=0 |
| 63 | + |
| 64 | +for plugin in $PLUGINS_ENABLED; do |
| 65 | + case "$plugin" in |
| 66 | + secrets) |
| 67 | + export SECRETS_PLUGIN_ENABLED=1 |
| 68 | + echo "Secrets plugin enabled" |
| 69 | + ;; |
| 70 | + docker-login) |
| 71 | + export DOCKER_LOGIN_PLUGIN_ENABLED=1 |
| 72 | + echo "Docker-login plugin enabled" |
| 73 | + ;; |
| 74 | + ecr) |
| 75 | + export ECR_PLUGIN_ENABLED=1 |
| 76 | + echo "ECR plugin enabled" |
| 77 | + ;; |
| 78 | + esac |
| 79 | +done |
| 80 | + |
| 81 | +if [[ -n "${BUILDKITE_SECRETS_BUCKET:-}" && "${SECRETS_PLUGIN_ENABLED:-}" == "1" ]]; then |
| 82 | + export BUILDKITE_PLUGIN_S3_SECRETS_BUCKET="$BUILDKITE_SECRETS_BUCKET" |
| 83 | + export BUILDKITE_PLUGIN_S3_SECRETS_REGION="$BUILDKITE_SECRETS_BUCKET_REGION" |
82 | 84 |
|
83 | | - if [[ "${BUILDKITE_ECR_POLICY:-}" != "none" && "${ECR_PLUGIN_ENABLED:-}" == "1" ]]; then |
84 | | - export BUILDKITE_PLUGIN_ECR_LOGIN=1 |
85 | | - export BUILDKITE_PLUGIN_ECR_RETRIES=3 |
| 85 | + # shellcheck source=/dev/null |
| 86 | + source /usr/local/buildkite-aws-stack/plugins/secrets/hooks/environment |
| 87 | +fi |
86 | 88 |
|
87 | | - # map AWS_ECR_LOGIN_REGISTRY_IDS into the plugin list format |
88 | | - if [[ -n "${AWS_ECR_LOGIN_REGISTRY_IDS:-}" ]]; then |
89 | | - export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS_0="${AWS_ECR_LOGIN_REGISTRY_IDS}" |
90 | | - fi |
| 89 | +if [[ "${BUILDKITE_ECR_POLICY:-}" != "none" && "${ECR_PLUGIN_ENABLED:-}" == "1" ]]; then |
| 90 | + export BUILDKITE_PLUGIN_ECR_LOGIN=1 |
| 91 | + export BUILDKITE_PLUGIN_ECR_RETRIES=3 |
91 | 92 |
|
92 | | - # shellcheck source=/dev/null |
93 | | - source /usr/local/buildkite-aws-stack/plugins/ecr/hooks/environment |
| 93 | + # map AWS_ECR_LOGIN_REGISTRY_IDS into the plugin list format |
| 94 | + if [[ -n "${AWS_ECR_LOGIN_REGISTRY_IDS:-}" ]]; then |
| 95 | + export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS_0="${AWS_ECR_LOGIN_REGISTRY_IDS}" |
94 | 96 | fi |
95 | 97 |
|
96 | | - if [[ "${DOCKER_USERNS_REMAP:-false}" == "false" ]]; then |
97 | | - # We need to scope the next bit to only the currently running agent dir and |
98 | | - # pipeline, but we also need to control security and make sure arbitrary folders |
99 | | - # can't be chmoded. |
100 | | - # |
101 | | - # The agent builds path isn't exposed nicely by itself. The agent name also |
102 | | - # doesn't quite map to its builds path. We do have a complete checkout path, |
103 | | - # but we need to chop it up, safely. The path looks like: |
104 | | - # |
105 | | - # BUILDKITE_BUILD_CHECKOUT_PATH="/var/lib/buildkite-agent/builds/my-agent-1/my-org/my-pipeline" |
106 | | - # |
107 | | - # We know the beginning of this path, it's in BUILDKITE_BUILD_PATH: |
108 | | - # |
109 | | - # BUILDKITE_BUILD_PATH="/var/lib/buildkite-agent/builds" |
110 | | - |
111 | | - # So we can calculate the suffix as a substring: |
112 | | - AGENT_ORG_PIPELINE_DIR="${BUILDKITE_BUILD_CHECKOUT_PATH#"${BUILDKITE_BUILD_PATH}/"}" |
113 | | - # => "my-agent-1/my-org/my-pipeline" |
114 | | - |
115 | | - # Then we can grab just the first path component, the agent name, by removing |
116 | | - # the longest suffix starting with a slash: |
117 | | - AGENT_DIR="${AGENT_ORG_PIPELINE_DIR%%/*}" |
118 | | - # => "my-agent-1" |
119 | | - |
120 | | - # Then we can figure out the org/pipeline path component |
121 | | - ORG_PIPELINE_DIR="${AGENT_ORG_PIPELINE_DIR#"${AGENT_DIR}/"}" |
122 | | - # => "my-org/my-pipeline" |
123 | | - |
124 | | - # Then we grab just the first path component, the org, by removing the longest |
125 | | - # suffix starting with a slash: |
126 | | - ORG_DIR="${ORG_PIPELINE_DIR%%/*}" |
127 | | - # => "my-org" |
128 | | - |
129 | | - # Then we can figure out the pipeline path component using the org dir |
130 | | - PIPELINE_DIR="${ORG_PIPELINE_DIR#"${ORG_DIR}/"}" |
131 | | - # => "my-pipeline" |
132 | | - |
133 | | - # Now we can pass this to the sudo script which will validate it before safely chmodding: |
134 | | - echo "~~~ Fixing permissions for '${AGENT_DIR}/${ORG_DIR}/${PIPELINE_DIR}'..." |
135 | | - sudo /usr/bin/fix-buildkite-agent-builds-permissions "${AGENT_DIR}" "${ORG_DIR}" "${PIPELINE_DIR}" |
136 | | - echo |
137 | | - fi |
138 | | -} |
139 | | - |
140 | | -enviroment || { |
141 | | - echo "^^^ +++" |
142 | | - echo ":alert: Running elastic stack environment hook failed" >&2 |
143 | | - exit 2 |
144 | | -} |
| 98 | + # shellcheck source=/dev/null |
| 99 | + source /usr/local/buildkite-aws-stack/plugins/ecr/hooks/environment |
| 100 | +fi |
| 101 | + |
| 102 | +if [[ "${DOCKER_USERNS_REMAP:-false}" == "false" ]]; then |
| 103 | + # We need to scope the next bit to only the currently running agent dir and |
| 104 | + # pipeline, but we also need to control security and make sure arbitrary folders |
| 105 | + # can't be chmoded. |
| 106 | + # |
| 107 | + # The agent builds path isn't exposed nicely by itself. The agent name also |
| 108 | + # doesn't quite map to its builds path. We do have a complete checkout path, |
| 109 | + # but we need to chop it up, safely. The path looks like: |
| 110 | + # |
| 111 | + # BUILDKITE_BUILD_CHECKOUT_PATH="/var/lib/buildkite-agent/builds/my-agent-1/my-org/my-pipeline" |
| 112 | + # |
| 113 | + # We know the beginning of this path, it's in BUILDKITE_BUILD_PATH: |
| 114 | + # |
| 115 | + # BUILDKITE_BUILD_PATH="/var/lib/buildkite-agent/builds" |
| 116 | + |
| 117 | + # So we can calculate the suffix as a substring: |
| 118 | + AGENT_ORG_PIPELINE_DIR="${BUILDKITE_BUILD_CHECKOUT_PATH#"${BUILDKITE_BUILD_PATH}/"}" |
| 119 | + # => "my-agent-1/my-org/my-pipeline" |
| 120 | + |
| 121 | + # Then we can grab just the first path component, the agent name, by removing |
| 122 | + # the longest suffix starting with a slash: |
| 123 | + AGENT_DIR="${AGENT_ORG_PIPELINE_DIR%%/*}" |
| 124 | + # => "my-agent-1" |
| 125 | + |
| 126 | + # Then we can figure out the org/pipeline path component |
| 127 | + ORG_PIPELINE_DIR="${AGENT_ORG_PIPELINE_DIR#"${AGENT_DIR}/"}" |
| 128 | + # => "my-org/my-pipeline" |
| 129 | + |
| 130 | + # Then we grab just the first path component, the org, by removing the longest |
| 131 | + # suffix starting with a slash: |
| 132 | + ORG_DIR="${ORG_PIPELINE_DIR%%/*}" |
| 133 | + # => "my-org" |
| 134 | + |
| 135 | + # Then we can figure out the pipeline path component using the org dir |
| 136 | + PIPELINE_DIR="${ORG_PIPELINE_DIR#"${ORG_DIR}/"}" |
| 137 | + # => "my-pipeline" |
| 138 | + |
| 139 | + # Now we can pass this to the sudo script which will validate it before safely chmodding: |
| 140 | + echo "~~~ Fixing permissions for '${AGENT_DIR}/${ORG_DIR}/${PIPELINE_DIR}'..." |
| 141 | + sudo /usr/bin/fix-buildkite-agent-builds-permissions "${AGENT_DIR}" "${ORG_DIR}" "${PIPELINE_DIR}" |
| 142 | + echo |
| 143 | +fi |
0 commit comments