-
Notifications
You must be signed in to change notification settings - Fork 273
/
environment
executable file
·131 lines (107 loc) · 4.51 KB
/
environment
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
#!/bin/bash
set -eu -o pipefail
echo "~~~ :earth_asia: Setting up environment variables"
# shellcheck source=/dev/null
source ~/cfn-env
# a clean docker config for each job, for improved isolation
BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY=$(mktemp -d)
export BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY
export DOCKER_CONFIG="$BUILDKITE_DOCKER_CONFIG_TEMP_DIRECTORY"
if [ "${BUILDKITE_DOCKER_EXPERIMENTAL:-false}" = "true" ]
then
#shellcheck disable=SC2094 # Redirections to the same command are processed in order
cat <<< "$(jq '.experimental="enabled"' "${DOCKER_CONFIG}/config.json")" > "${DOCKER_CONFIG}/config.json"
fi
echo "~~~ :llama: Setting up elastic stack environment ($BUILDKITE_STACK_VERSION)"
echo "Checking docker"
if ! docker ps ; then
echo "^^^ +++"
echo ":alert: Docker isn't running!"
set -x
pgrep -lf docker || tail -n 50 /var/log/docker
exit 1
fi
echo "Checking disk space"
if ! /usr/local/bin/bk-check-disk-space.sh ; then
echo "Cleaning up docker resources older than ${DOCKER_PRUNE_UNTIL:-4h}"
docker image prune --all --force --filter "until=${DOCKER_PRUNE_UNTIL:-4h}"
echo "Checking disk space again"
if ! /usr/local/bin/bk-check-disk-space.sh ; then
echo "Disk health checks failed" >&2
exit 1
fi
fi
echo "Configuring built-in plugins"
[[ ! ${SECRETS_PLUGIN_ENABLED:-true} =~ (on|1|true) ]] && PLUGINS_ENABLED=${PLUGINS_ENABLED/secrets/}
[[ ! ${DOCKER_LOGIN_PLUGIN_ENABLED:-true} =~ (on|1|true) ]] && PLUGINS_ENABLED=${PLUGINS_ENABLED/docker-login/}
[[ ! ${ECR_PLUGIN_ENABLED:-true} =~ (on|1|true) ]] && PLUGINS_ENABLED=${PLUGINS_ENABLED/ecr/}
SECRETS_PLUGIN_ENABLED=0
DOCKER_LOGIN_PLUGIN_ENABLED=0
ECR_PLUGIN_ENABLED=0
for plugin in $PLUGINS_ENABLED ; do
case "$plugin" in
secrets)
export SECRETS_PLUGIN_ENABLED=1
echo "Secrets plugin enabled"
;;
docker-login)
export DOCKER_LOGIN_PLUGIN_ENABLED=1
echo "Docker-login plugin enabled"
;;
ecr)
export ECR_PLUGIN_ENABLED=1
echo "ECR plugin enabled"
;;
esac
done
if [[ -n "${BUILDKITE_SECRETS_BUCKET:-}" && "${SECRETS_PLUGIN_ENABLED:-}" == "1" ]] ; then
export BUILDKITE_PLUGIN_S3_SECRETS_BUCKET="$BUILDKITE_SECRETS_BUCKET"
# shellcheck source=/dev/null
source /usr/local/buildkite-aws-stack/plugins/secrets/hooks/environment
fi
if [[ "${BUILDKITE_ECR_POLICY:-}" != "none" && "${ECR_PLUGIN_ENABLED:-}" == "1" ]] ; then
export BUILDKITE_PLUGIN_ECR_LOGIN=1
export BUILDKITE_PLUGIN_ECR_RETRIES=3
# map AWS_ECR_LOGIN_REGISTRY_IDS into the plugin list format
if [[ -n "${AWS_ECR_LOGIN_REGISTRY_IDS:-}" ]] ; then
export BUILDKITE_PLUGIN_ECR_ACCOUNT_IDS_0="${AWS_ECR_LOGIN_REGISTRY_IDS}"
fi
# shellcheck source=/dev/null
source /usr/local/buildkite-aws-stack/plugins/ecr/hooks/environment
fi
if [[ "${DOCKER_USERNS_REMAP:-false}" == "false" ]] ; then
# We need to scope the next bit to only the currently running agent dir and
# pipeline, but we also need to control security and make sure arbitrary folders
# can't be chmoded.
#
# The agent builds path isn't exposed nicely by itself. The agent name also
# doesn't quite map to its builds path. We do have a complete checkout path,
# but we need to chop it up, safely. The path looks like:
#
# BUILDKITE_BUILD_CHECKOUT_PATH="/var/lib/buildkite-agent/builds/my-agent-1/my-org/my-pipeline"
#
# We know the beginning of this path, it's in BUILDKITE_BUILD_PATH:
#
# BUILDKITE_BUILD_PATH="/var/lib/buildkite-agent/builds"
# So we can calculate the suffix as a substring:
AGENT_ORG_PIPELINE_DIR="${BUILDKITE_BUILD_CHECKOUT_PATH#"${BUILDKITE_BUILD_PATH}/"}"
# => "my-agent-1/my-org/my-pipeline"
# Then we can grab just the first path component, the agent name, by removing
# the longest suffix starting with a slash:
AGENT_DIR="${AGENT_ORG_PIPELINE_DIR%%/*}"
# => "my-agent-1"
# Then we can figure out the org/pipeline path component
ORG_PIPELINE_DIR="${AGENT_ORG_PIPELINE_DIR#"${AGENT_DIR}/"}"
# => "my-org/my-pipeline"
# Then we grab just the first path component, the org, by removing the longest
# suffix starting with a slash:
ORG_DIR="${ORG_PIPELINE_DIR%%/*}"
# => "my-org"
# Then we can figure out the pipeline path component using the org dir
PIPELINE_DIR="${ORG_PIPELINE_DIR#"${ORG_DIR}/"}"
# => "my-pipeline"
# Now we can pass this to the sudo script which will validate it before safely chmodding:
echo "--- Fixing permissions for '${AGENT_DIR}/${ORG_DIR}/${PIPELINE_DIR}'..."
sudo /usr/bin/fix-buildkite-agent-builds-permissions "${AGENT_DIR}" "${ORG_DIR}" "${PIPELINE_DIR}"
echo
fi