
Should I use a build user or jenkins user for building projects? i.e. who should own the build artifacts in Jenkins?

What is standard for building large projects in Jenkins (e.g. 80Gig of dependent jobs building libs and binaries from one repo)?
If you split this large build into jobs that build libs and others that build downstream apps, should you use the jenkins user to build the project, or set up a separate build user to build the project?

What if you farm out to a remote agent using SSH?
jenkins user is not allowed to remote by default into another host because of this /bin/false here:

    $ grep jenkins /etc/passwd
    jenkins:x:996:992:Jenkins Automation Server:/var/lib/jenkins:/bin/false

So does this mean all farm jobs run as a build user, or should you change this setting to /bin/sh to complete the ssh session as the jenkins user? Or only set up JNLP agents?

If you build the libs on the jenkins master should the .o and binaries be owned as jenkins or not?
If you build on a dedicated jenkins master, should the executors be agents set up to use the build user rather than the jenkins user?

If using an NFS type mount for sharing build artifacts, how does that look?
Related to the 2 previous questions - all local jobs would have build ownership under jenkins user. So does that mean you use a build user and use remote node to localhost as the build user just to make the artifacts all have the same user for all local and remote agents to use?

These may sound like stupid questions, but I can't find any guidelines on who should be the build owner or what is best practice in making a very large single git repo project build in a sane way (repo owners do not want to split the code up into different repos because of static linking).

In our experience (very large monorepo, 250+ slaves):

  1. We united several jobs into one big job, with parallel stages where applicable, so independent things can be built at the same time on different slaves (to cut time). Thus, it is easier to follow what failed and why, and you have all the artifacts in one place, and there's one Jenkinsfile to follow.

  2. All our slaves are set up as JNLP, and when they reboot they start jenkins-agent. There's no jenkins user on our slaves.

  3. As you are supposed to pick all the artifacts and archive them in the end, preferably cleaning the slave into zero state, it does not matter who owns that, and you can always change it with chown.

  4. NFS would not be a great idea for this in our place, as it would be severely constrained by network and disk usage. We use Docker registry for docker images, but Artifactory might work if you're not using Docker. MinIO would be another option.
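
A sketch of the single-job layout the answer describes, as an added example that is not the answerer's Jenkinsfile: library stages run in parallel on separate agents, the link stage archives the outputs, and every workspace is wiped afterwards so file ownership on the agent never matters. The agent label `linux-build`, the `make` targets and the directory names are hypothetical.

```groovy
// Added example. Label, make targets and paths are hypothetical.
pipeline {
    agent none                          // nothing builds on the controller itself
    options { skipDefaultCheckout() }   // each stage checks out explicitly
    stages {
        stage('Build libs') {
            parallel {
                stage('libcore') {
                    agent { label 'linux-build' }
                    steps {
                        checkout scm
                        sh 'make -C libs/core'
                        // stash suits modest outputs; very large ones belong in
                        // an artifact store (Artifactory, MinIO, a registry)
                        stash name: 'libcore', includes: 'libs/core/out/**'
                    }
                    // return the agent to a zero state whatever the result
                    post { cleanup { deleteDir() } }
                }
                stage('libnet') {
                    agent { label 'linux-build' }
                    steps {
                        checkout scm
                        sh 'make -C libs/net'
                        stash name: 'libnet', includes: 'libs/net/out/**'
                    }
                    post { cleanup { deleteDir() } }
                }
            }
        }
        stage('Link apps') {
            agent { label 'linux-build' }
            steps {
                checkout scm
                unstash 'libcore'
                unstash 'libnet'
                sh 'make -C apps'
                // archived copies live with the build record on the controller,
                // independent of which account ran the agent process
                archiveArtifacts artifacts: 'apps/out/**', fingerprint: true
            }
            post { cleanup { deleteDir() } }
        }
    }
}
```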
