Jacamar CI v0.9.0

  • Release: v0.9.0

  • Date: 10/22/2021

Note

There are several key changes to highlight in this release; depending on your deployment, you may be affected:

  • All RPM files will install binaries and any future files exclusively to the /opt/jacamar folder as opposed to multiple locations.

  • Support for the variable_data_dir option has been deprecated in favor of improvements made to standard data_dir behaviors and the optional RunAs validation script override.

  • The downscope = "sudo" option is fully supported and associated documentation has been added (Thanks @joe-snyder).

Further details along with the remainder of the improvements can be found below.

Admin Changes

  • Incorporated better RPM procedures into updated spec file (!256)

    • To better align with best practices we’ve focused the installation of all Jacamar CI elements into the /opt/jacamar directory. Any future additions will correctly remain within this structure.

    • $ rpm -qlp jacamar-ci-0.9.0.el7.x86_64.rpm
      /opt/jacamar
      /opt/jacamar/bin
      /opt/jacamar/bin/jacamar
      /opt/jacamar/bin/jacamar-auth
      
  • Expand trusted variables ($HOME and $USER) in data_dir (!272)

    • Select variables can be referenced by the data_dir; these are resolved through information obtained during user-lookup.

    • [general]
      data_dir = "/gpfs/ci/$USER"
      
  • Removed support for variable_data_dir configuration (!268)

    • Ideally this does not inconvenience any deployments. We believe that the changes to data_dir, coupled with the potential use of the RunAs validation script, offer a stronger solution.

  • Properly handle resolution of symlinks in data_dir - @tgmachina (!269)

    • All symlinks are resolved during the user-scoped directory creation process, ensuring enforcement of permissions.

  • Bot accounts blocked from runner by default with error message (!266)

    • The default behavior can be overridden via configuration if use of GitLab bot accounts is desired and does not conflict with local user authorization processes.

    • [auth]
      allow_bot_accounts = true
      
  • Support added for tls-ca-file configuration for GitLab HTTP requests (!265)

    • Any configured file will be used in constructing HTTP requests to the associated GitLab instance. The format and behavior mirror those of the GitLab configuration.

    • [general]
      tls-ca-file = "/some/file.crt"
      
  • Added JWT_ISS (issuer) to RunAs validation environment (!276)

  • Batch submission can be affected by env_keys config (!278)

    • [batch]
      env_keys = ["JOB_CONFIG=/example/test.file"]
      
    • Equivalent of export JOB_CONFIG=/example/test.file && qsub ...

  • Unrecognized configuration keys logged as warnings (!267)

    • If an unrecognized key is detected in the configuration file, this will be logged; however, jobs will still be allowed to run.

User Changes

  • Correct directory permission provided in related error message - @tgmachina (!274)

    • Error encountered during job: invalid permissions for directory /ecp/<USER>
          (currently drwxr-xr-x, need to be 700), this must be manually addressed
      Error encountered during job: Error executing prepare_exec: exit status 2
      
  • Expand trusted variables ($HOME and $USER) in CUSTOM_CI_BUILDS_DIR (!271)

    • If enabled by the administrator, select variables will be resolved; any other variables or non-absolute paths will still result in errors.

    • variables:
          # Use double $$ to avoid GitLab server resolving variable.
          CUSTOM_CI_BUILDS_DIR: $$HOME/.ci
      
  • Invalid pipeline source error conveyed in job output (!245)
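
The trusted-variable rule described in the data_dir and CUSTOM_CI_BUILDS_DIR items above, sketched in Go as an added example (not Jacamar CI's own code): only $HOME and $USER are resolved, using values from the user lookup, and any other variable or a non-absolute result is an error. The account type, the expandTrusted function and the error names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// account holds values from the local user lookup (assumed type, not a
// Jacamar CI structure); nothing here is read from the job environment.
type account struct{ User, Home string }

var (
	errUntrusted = errors.New("untrusted variable in path")
	errRelative  = errors.New("path is not absolute")
)

// expandTrusted resolves only $HOME and $USER from the lookup result and
// rejects any other variable reference or a non-absolute result.
func expandTrusted(raw string, a account) (string, error) {
	var rejected string
	out := os.Expand(raw, func(name string) string {
		switch name {
		case "HOME":
			return a.Home
		case "USER":
			return a.User
		}
		rejected = name // remember a reference outside the allow-list
		return ""
	})
	if rejected != "" {
		return "", fmt.Errorf("%w: $%s", errUntrusted, rejected)
	}
	if !filepath.IsAbs(out) {
		return "", fmt.Errorf("%w: %q", errRelative, out)
	}
	return filepath.Clean(out), nil
}

func main() {
	a := account{User: "alice", Home: "/home/alice"} // constructed sample
	for _, p := range []string{"/gpfs/ci/$USER", "$HOME/.ci", "$TMPDIR/ci", ".ci"} {
		dir, err := expandTrusted(p, a)
		fmt.Printf("%-16q -> %q, err=%v\n", p, dir, err)
	}
}
```

Resolving from the lookup result rather than the process environment means a job cannot steer the path by exporting its own HOME or USER.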

Bug & Development Fixes

  • Upgraded to Go version 1.17.2 (!273)

  • Added tool versioning via ASDF (!259)

  • Sudo args handled as slice for use by execve(2) (!249)

  • Removed all CI Token Broker support (!242)

  • Introduced ff_custom_data_dir configuration (!271)

    • This feature flag signals that the entirety of the data_dir should observe a user configured CUSTOM_CI_BUILDS_DIR variable as opposed to just the builds_dir. Behaviors associated with the flag are subject to change based upon testing/feedback.

    • [general]
      ff_custom_data_dir = true
      
  • Reviewed and updated multiple third-party dependencies (!246)

  • Improved flexibility of validation rules package while still enforcing security requirements (!263)

  • Added OpenSUSE test package during CI (!275)

  • Correctly allow 500 permissions with capabilities (!280)

  • Added Podman support for local container testing (!255, !254)

    • Container commands initiated through the Makefile (e.g., make test-container) will default to Podman if it is installed. Otherwise, or when the CONTAINER=docker variable is set, Docker will still be used.

  • JobID logged as integer value (!237)

  • Corrected handling of jacamar_path config with binary paths (!257)

    • [auth]
      jacamar_path = "/example/jacamar-test-binary"