gitlab CI - stage beta, testers needed


Post by PrzemoF »

WARNING - ALL INFO HERE IS JUST A TEST AND A PREPARATION FOR POTENTIAL MIGRATION FROM GITHUB TO GITLAB
IT HAS NO OFFICIAL APPROVAL FROM THE CORE DEVELOPERS!

The code: https://gitlab.com/PrzemoF/FreeCAD/-/tree/gitlab-v3/ci
Merged into master: https://gitlab.com/freecad/FreeCAD/-/tree/master/ci

Remote builds managed by gitlab.com. Should replace travis-ci for pull requests.

The system is being tested. If you want to help - let me know.

An example of build and test: https://gitlab.com/PrzemoF/FreeCAD/-/pi ... /345028404

WHAT WORKS:
1. Remote control and build with docker images on external hardware
2. Local debugging of the builds/tests with "docker run -it freecadci/runner /bin/bash"
3. FreeCAD testing
4. ccache - on my laptop average build & test + downloads/uploads takes 7-8 minutes
5. Semi automated migration of open pull requests from github - tested on 100+ pull requests

WHAT DOESN'T WORK:
1. Please let me know if you find something :D

WHAT NEEDS DISCUSSION:
1. To my understanding of the system, using non-trusted builders is safe as long as we do build & test only. That opens an opportunity to ask FreeCAD users to donate time on their machines. The details need to be tested. Obviously if we go into Continuous Deployment the builds have to be from a trusted builder. With non-trusted builds there is a slim possibility of injecting code, but the produced binaries are only available as job artifacts, so the chances of using FreeCAD as an attack vector are close to zero.

TODO:
0. Explore: https://gitlab.com/inkscape/inkscape/bl ... lab-ci.yml <- Inkscape has windows and macos builds!
They use appveyor, I'm no specialist - help required to get windows/macos builds
1. ccache shared storage (low priority)
https://stackoverflow.com/questions/457 ... cker-cloud
More options:
https://cinaq.com/blog/2020/05/10/speed ... ubernetes/
Example:
https://gould.cx/ted/blog/2017/06/10/cc ... Gitlab-CI/
2. How to mark PR to skip the CI? E.g. for typos in documentation
3. Ask gitlab for free licence for an open source project
4. Transferring open PRs from github to gitlab, the dirty way. Beware of server request limits! The code is proof of concept, but works.

Code:

#!/bin/bash
# Uncomment this section to get PRs from github. Use your user name.
#curl -u PrzemoF "https://api.github.com/repos/FreeCAD/FreeCAD/pulls?state=open&page=1&per_page=100" > page_1
#cat page_1 |  grep '"html_url": "https://github.com/FreeCAD/FreeCAD/pull/' > page_1_filtered
#curl -u PrzemoF "https://api.github.com/repos/FreeCAD/FreeCAD/pulls?state=open&page=2&per_page=100" > page_2
#cat page_2 |  grep '"html_url": "https://github.com/FreeCAD/FreeCAD/pull/' > page_2_filtered
#touch prs
#cat page_1_filtered >> prs
#cat page_2_filtered >> prs

# !!!!!!!! Edit produced prs file to convert links to PR numbers only, one number per line. Save as pr_numbers

# This section pulls from github, creates a local branch and pushes to gitlab.
# In case the pull request doesn't rebase on top of gitlab-v3, the branch gets renamed for future investigation.
# The pr_numbers file should contain pull request numbers, one per line.

while IFS= read -r pr_number; do
	# Show which pull request is being processed
	printf '%s\n' "$pr_number"

	git fetch origin pull/"$pr_number"/head:gh-pr-"$pr_number"
	git checkout gh-pr-"$pr_number"

	# Edit "master" to match the latest branch with gitlab-CI code
	if ! git rebase master ; then
		git rebase --abort
		git branch -m "gh-pr-$pr_number-rebase-aborted"
		git checkout master
	else
		# Edit to match your repo, I call gitlab gl. Use --force if doing refresh of existing branches.
		git push gl
	fi

done < pr_numbers

#DANGER ZONE - mass remove all branches with gh-pr
#git branch | grep 'gh-pr-' | xargs git branch -D

5. Explore Docker Open source Community to get automated image builds based on the Dockerfile stored in FreeCAD repo
https://docs.docker.com/docker-hub/builds/
6. [optimisation] when test is executed it uses only 1 core (FreeCAD dictates it). Can another build be triggered at the same time?

Some links:

What is Dockerfile, docker image and docker container:
https://blog.iron.io/what-is-a-docker-image/

gitlab CI explained:
https://www.lambdatest.com/blog/automat ... -selenium/

What is docker volume:
https://docs.docker.com/storage/volumes/

Compiling FreeCAD on Docker
https://wiki.freecadweb.org/Compile_on_Docker

docker image for gitlab remote CI:
https://hub.docker.com/repository/docke ... dci/runner

The docker container can be built with:

Code:

docker build -t yourusername/repository-name .

executed in directory with Dockerfile

Registering a runner:
https://docs.gitlab.com/runner/register/

Run your CI/CD jobs in Docker containers
https://docs.gitlab.com/ee/ci/docker/us ... containers

Best practices for building docker images with GitLab CI
https://blog.callr.tech/building-docker ... practices/

Info about making docker image as workaround for missing apt-add-repository:
https://stackoverflow.com/questions/473 ... egrationci

How to make docker image:
https://cylab.be/blog/8/using-custom-do ... ith-gitlab

Best practices for docker images:
https://blog.callr.tech/building-docker ... practices/

(FEDORA) Selinux can cause access problems manifesting with "ERROR: Job failed (system failure): Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock:". The workaround:
https://github.com/dpw/selinux-dockersock

The same error might be caused by this:
https://stackoverflow.com/questions/526 ... -run-docke

Running docker build/run might not work without sudo or adding user to "docker" group:
https://www.tutorialspoint.com/running- ... -root-user

Checking logs on runner on local machine:

Code:

docker logs gitlab-runner

To run docker without sudo the user has to be in group docker. Add with:

Code:

sudo usermod -aG docker my-user-name

Check with "groups". Logging out/rebooting or using "newgrp" is required for the system to see the user in the "docker" group.

Debugging:
- downloading job artifacts allows local testing of the build
- run interactive session in docker container to debug problems:

Code:

docker run -it freecadci/runner /bin/bash
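
The hand-editing step in the migration script under TODO item 4 (turning the grepped html_url lines into pr_numbers) can be automated and checked. This is an added example, not part of the original post; the function names, the 7-digit cap and the sample lines are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): build pr_numbers from the grep
# output of the migration script and reject anything that is not a plain number
# before it is interpolated into git refspecs and branch names.

# Constructed sample of page_N_filtered lines (duplicate and malformed on purpose).
SAMPLE_LINES='    "html_url": "https://github.com/FreeCAD/FreeCAD/pull/4899",
    "html_url": "https://github.com/FreeCAD/FreeCAD/pull/4712",
    "html_url": "https://github.com/FreeCAD/FreeCAD/pull/4899",
    "html_url": "https://github.com/FreeCAD/FreeCAD/pull/12/files",'

# stdin: filtered html_url lines; stdout: unique PR numbers, sorted numerically.
# Lines that are not exactly a FreeCAD pull request URL are dropped.
extract_pr_numbers() {
	sed -nE 's#^[[:space:]]*"html_url": "https://github\.com/FreeCAD/FreeCAD/pull/([0-9]+)",?[[:space:]]*$#\1#p' |
		sort -nu
}

# Succeeds only for a decimal number without a leading zero, at most 7 digits
# (the digit cap is an assumption of this example).
is_valid_pr_number() {
	case "$1" in
		''|*[!0-9]*|0*) return 1 ;;
	esac
	[ "${#1}" -le 7 ]
}

# stdin: a (possibly hand-edited) pr_numbers file; stdout: valid entries only.
# Rejected lines are reported on stderr so they can be reviewed.
filter_pr_numbers() {
	while IFS= read -r n || [ -n "$n" ]; do
		if is_valid_pr_number "$n"; then
			printf '%s\n' "$n"
		else
			printf 'skipping invalid entry: %s\n' "$n" >&2
		fi
	done
}

# Demo on the constructed sample; prints 4712 and 4899, one per line.
printf '%s\n' "$SAMPLE_LINES" | extract_pr_numbers | filter_pr_numbers
```

Running `filter_pr_numbers < pr_numbers > pr_numbers.checked` and feeding the checked file to the `while` loop keeps stray whitespace, option-like strings and partial URLs out of the `git fetch` and `git branch -m` arguments.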

Re: gitlab - gathering info

Post by Pauvres_honteux »

Just wanted to express my gratitude for the effort you put into this issue. I may even go as far as proclaiming I'm expressing the whole community's awe in the face of your current work!

A big thank you!!!

Re: gitlab - gathering info

Post by PrzemoF »

Thanks, but I don't think I deserve those words yet ... But thanks for additional motivation! :D

Re: gitlab - gathering info

Post by PrzemoF »

Current state: I can run remote a runner in a docker container that builds jobs from gitlab. I need to polish the configuration as the docker image of gitlab-runner doesn't have all dependencies required by FreeCAD.

Re: gitlab - gathering info

Post by abdullah »

PrzemoF wrote: Mon Jul 05, 2021 7:44 pm Current state: I can run remote a runner in a docker container that builds jobs from gitlab. I need to polish the configuration as the docker image of gitlab-runner doesn't have all dependencies required by FreeCAD.
Not a bad start...:)

Re: gitlab - gathering info

Post by PrzemoF »

Thanks! I need to learn docker, but I think I have the basics by now. The current game plan is to build gitlab runner docker image with all the bells and whistles required to build FreeCAD, but without triggering the build. Then gitlab could control container based on that image remotely to perform the build. If that works the last piece of the puzzle would be to pass the build status back to gitlab.

Then I'll try to prepare fool-proof manual (at least for fedora/ubuntu) how to deploy it. The owner/administrator of the official gitlab FreeCAD repo will be required to allow deployment on any machine by providing authentication token. I'm not sure if the token is security sensitive if we do not deploy binaries - I'd appreciate any input from people familiar with gitlab CI, if we have any.

Re: gitlab - gathering info

Post by bernd »

PrzemoF wrote: Tue Jul 06, 2021 4:28 pm The owner/administrator of the official gitlab FreeCAD repo will be required to allow deployment on any machine by providing authentication token
AFAIK it is Yorik

Re: gitlab - gathering info

Post by PrzemoF »

Yes, it's his repo on the gitlab. But I'm not ready yet....

Re: gitlab - gathering info

Post by abdullah »

It appears that I will have time available for FreeCAD in two weeks time. Then, I can help you out with this, if needed. Sorry I could not jump into the bandwagon yet.

Re: gitlab - gathering info

Post by PrzemoF »

Definitely help is needed. I have quite a few moving parts (selinux, access, fedora vs ubuntu, construction of the gitlab CI config, what should be in gitlab CI and what should be in docker, etc). I struggle with some errors, so now I'm trying to dumb down the whole setup just to get a mock build (no real build, just info "we're building") and I'm still experiencing problems. I have basic understanding how docker works and I'll be happy to share it.

I think it's becoming an urgent issue if we're out of luck with gitlab CI.

Edit: I need to figure out why the docker image is being used for build, by gitlab (I see it in local logs on my laptop), but the build dependencies are not present. I settled for installing them in gitlab-ci.yml, but that's not the best solution. Using "image" key in gitlab-ci.yml is probably the missing part, but when I do it there is an error about missing sh. Possibly the image is not constructed in the right way. The image is here: https://hub.docker.com/repository/docker/przemof/gl-v1