Maximilian Bosch
dd2ce84fe5
In NixOS, the user generation script was changed to set the permissions `0700` to a home-directory that's specified in the `users.users`-submodule with `createHome` being set to `true`[1].

However, the home-directory of `hydra` is also the base directory of other services using other users (e.g. `hydra-queue-runner`). With permissions being `0700`, processes with such a user cannot traverse into `/var/lib/hydra` and thus not into subdirectories.

I guess that this issue was kind of hidden because `hydra-init.service` ensures proper permissions[2]. However, if `hydra-init.service` is not restarted on a system-activation, the permissions of `/var/lib/hydra` will be set back to `0700` by the activation script that runs on each activation.

This has led to errors like this in `hydra-queue-runner` on my Hydra:

```
Sep 20 09:11:30 hydra hydra-queue-runner[306]: error (ignored): error: cannot unlink '/var/lib/hydra/build-logs/7h/dssz03gazrkqzfmlr5cprd0dvkg4db-squashfs.img.drv': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: error (ignored): error: cannot unlink '/var/lib/hydra/build-logs/b9/350vd8jpv1f86i312c9pkdcd2z56aw-squashfs.img.drv': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: error (ignored): error: cannot unlink '/var/lib/hydra/build-logs/kz/vlq4v9a1rylcp4fsqqav3lcjgskky4-squashfs.img.drv': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: error (ignored): error: cannot unlink '/var/lib/hydra/build-logs/xd/hkjnbbr9jp7364pkn8zpk9v8xapj2c-nix-2.4pre20210917_37cc50f.drv': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: error (ignored): error: cannot unlink '/var/lib/hydra/build-logs/zn/9df7225fl8p7iavqqfvlyay4rf0msw-nix-2.4pre20210917_37cc50f.drv': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: possibly transient failure building ‘/nix/store/7hdssz03gazrkqzfmlr5cprd0dvkg4db-squashfs.img.drv’ on ‘roflmayr’: error: creating directory '/var/lib/hydra/build-logs': Permission denied
Sep 20 09:11:30 hydra hydra-queue-runner[306]: will retry ‘/nix/store/7hdssz03gazrkqzfmlr5cprd0dvkg4db-squashfs.img.drv’ after 543s
```

Because of that, I decided to remove the `createHome = true;` setting and instead used `systemd-tmpfiles`[3] which can not only ensure that certain directories exist, but also proper permissions.

With this change, we can also get rid of the manual setup in `hydra-init.service` since `systemd-tmpfiles` will be executed by `switch-to-configuration` before *any* systemd service gets started. On startup, `systemd-tmpfiles-setup.service` is invoked within `sysinit.target` being reached, so when `hydra-init.service` gets called in `multi-user.target`, the structure already exists.

[1]
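The traversal failure described in the commit message above, as an added example (not part of the commit or of Hydra's code): a Python check that walks the directories leading to a path and reports the first one a given uid and group set cannot search. The function names, the temporary layout standing in for `/var/lib/hydra/build-logs`, the simulated uid/gid values and the `0750` mode are assumptions made for illustration; only classic mode bits are modelled, not ACLs, capabilities or root.

```python
import os
import stat
import tempfile


def first_blocked_dir(path, uid, gids, root=os.sep):
    """Return the first directory between `root` and `path` that the identity
    (uid, gids) cannot search (missing x bit), or None if all are traversable.
    The kernel picks exactly one permission class: owner, else group, else other."""
    path, root = os.path.abspath(path), os.path.abspath(root)
    current = root
    for part in os.path.relpath(path, root).split(os.sep):
        st = os.stat(current)
        if st.st_uid == uid:
            bit = stat.S_IXUSR
        elif st.st_gid in gids:
            bit = stat.S_IXGRP
        else:
            bit = stat.S_IXOTH
        if not st.st_mode & bit:
            return current  # every path below this directory is unreachable
        current = os.path.join(current, part)
    return None


def demo():
    """Constructed layout: <tmp>/hydra plays the role of /var/lib/hydra."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "hydra")
        logs = os.path.join(home, "build-logs")
        os.makedirs(logs)
        os.chmod(logs, 0o770)  # the subdirectory itself is group-writable
        st = os.stat(home)
        # Simulated service user: different uid, member of the owning group
        # (assumption mirroring hydra-queue-runner sharing the hydra group).
        runner_uid, runner_gids = st.st_uid + 1, {st.st_gid}
        reachable = {}
        for mode in (0o700, 0o750):  # 0750 is an assumed "proper" mode
            os.chmod(home, mode)
            blocked = first_blocked_dir(logs, runner_uid, runner_gids, root=home)
            reachable[oct(mode)] = blocked is None
        return reachable


if __name__ == "__main__":
    print(demo())
```

Permissive modes on `build-logs` do not help while the parent lacks the search bit for the service user's class, which is why the errors name subdirectories even though the restrictive mode is on `/var/lib/hydra`.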
Hydra
Hydra is a Continuous Integration service for Nix based projects.
Installation And Setup
Note: The instructions provided below are intended to enable new users to get a simple, local installation up and running. They are by no means sufficient for running a production server, let alone a public instance.
Enabling The Service
Running Hydra is currently only supported on NixOS. The hydra module allows for an easy setup. The following configuration can be used for a simple setup that performs all builds on localhost (Please refer to the Options page for all available options):
{
  services.hydra = {
    enable = true;
    hydraURL = "http://localhost:3000";
    notificationSender = "hydra@localhost";
    buildMachinesFiles = [];
    useSubstitutes = true;
  };
}
Creating An Admin User
Once the Hydra service has been configured as above and activated, you should already be able to access the web interface at the specified URL. However, some actions require an admin user, which has to be created first:
$ su - hydra
$ hydra-create-user <USER> --full-name '<NAME>' \
--email-address '<EMAIL>' --password <PASSWORD> --role admin
Afterwards you should be able to log in by clicking on "Sign In" on the top right of the web interface, using the credentials specified by hydra-create-user. Once you are logged in you can click "Admin -> Create Project" to configure your first project.
Creating A Simple Project And Jobset
In order to evaluate and build anything you need to create projects that contain jobsets. Hydra supports imperative and declarative projects and many different configurations. The steps below will guide you through creating a minimal imperative project configuration.
Creating A Project
Log in as administrator, click "Admin" and select "Create project". Fill the form as follows:
- Identifier: hello
- Display name: hello
- Description: hello project
Click "Create project".
Creating A Jobset
After creating a project you are forwarded to the project page. Click "Actions" and choose "Create jobset". Fill the form with the following values:
- Identifier: hello
- Nix expression: examples/hello.nix in hydra
- Check interval: 60
- Scheduling shares: 1
We have to add two inputs for this jobset. One for nixpkgs and one for hydra (which we are referencing in the Nix expression above):
- Input name: nixpkgs
- Type: Git checkout
- Value: https://github.com/nixos/nixpkgs-channels nixos-20.03

- Input name: hydra
- Type: Git checkout
- Value: https://github.com/nixos/hydra
Make sure State at the top of the page is set to "Enabled" and click on "Create jobset". This concludes the creation of a jobset that evaluates ./examples/hello.nix once a minute. Clicking "Evaluations" should list the first evaluation of the newly created jobset after a brief delay.
Building And Developing
Building Hydra
You can build Hydra via nix-build using the provided default.nix:
$ nix-build
Development Environment
You can use the provided shell.nix to get a working development environment:
$ nix-shell
$ ./bootstrap
$ configurePhase # NOTE: not ./configure
$ make
Executing Hydra During Development
When working on new features or bug fixes you need to be able to run Hydra from your working copy. This can be done using foreman:
$ nix-shell
$ # hack hack
$ make
$ foreman start
Have a look at the Procfile if you want to see how the processes are being started. In order to avoid conflicts with services that might be running on your host, hydra and postgresql are started on custom ports:
- hydra-server: 63333 with the username "alice" and the password "foobar"
- postgresql: 64444
Note that this is only ever meant as an ad-hoc way of executing Hydra during development. Please make use of the NixOS module for actually running Hydra in production.
Checking your patches
After making your changes, verify the test suite passes and perlcritic is still happy.
Start by following the steps in Development Environment.
Then, you can run the tests and the perlcritic linter together with:
$ nix-shell
$ make check
You can run a single test with:
$ nix-shell
$ yath test ./t/foo/bar.t
And you can run just perlcritic with:
$ nix-shell
$ make perlcritic
JSON API
You can also interface with Hydra through a JSON API. The API is defined in hydra-api.yaml and you can test and explore it via the swagger editor.
Additional Resources
- Hydra User's Guide
- Hydra on the NixOS Wiki
- hydra-cli
- Peter Simons - Hydra: Setting up your own build farm (NixOS)
License
Hydra is licensed under GPL-3.0
Icons provided free by EmojiOne.