From e2254c78130883caae6e56f4374a9da9bdb76129 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Thu, 2 May 2019 09:31:54 -0500
Subject: [PATCH] ci: Use lockable resource to enforce serial runs

It is important that only one configuration management job run at a
time. Currently, this is enforced by having only one agent with the
*ansible* label, and that agent has only one executor. This is not an
ideal solution, because it requires maintaining a separate machine for
this purpose.

The *Lockable Resources Plugin* provides an alternate solution to this
problem. Using this plugin, jobs can acquire an exclusive lock on a
"resource" that prevents other jobs that require the same resource from
running. Any job that starts while the lock is held will wait until it
is released before executing. This will enforce the same serial
execution policy, but does not require a separate, dedicated machine.
Jobs will be able to run on any executor with the appropriate label.

Using this option, it is now possible to run configuration management
jobs on the normal agents, defining the execution environment in a
Docker image, so the *cm0.pyrocufflink.blue* agent can be
decommissioned.
---
 ci/Dockerfile              | 15 +++++++++++++++
 ci/default-realm.krb5.conf |  2 ++
 ci/radius.jenkinsfile      | 18 +++++++++++++++++-
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 ci/Dockerfile
 create mode 100644 ci/default-realm.krb5.conf

diff --git a/ci/Dockerfile b/ci/Dockerfile
new file mode 100644
index 0000000..b3c35c1
--- /dev/null
+++ b/ci/Dockerfile
@@ -0,0 +1,15 @@
+FROM fedora:29
+
+RUN useradd -l -u 3000018 jenkins
+
+RUN dnf install -y \
+	ansible \
+	krb5-workstation \
+	openssh-clients \
+	python3-dns \
+	python3-netaddr \
+	--
+
+COPY default-realm.krb5.conf /etc/krb5.conf.d/default-realm.conf
+
+ENV LANG=en_US.UTF-8
diff --git a/ci/default-realm.krb5.conf b/ci/default-realm.krb5.conf
new file mode 100644
index 0000000..90f0fff
--- /dev/null
+++ b/ci/default-realm.krb5.conf
@@ -0,0 +1,2 @@
+[libdefaults]
+default_realm = PYROCUFFLINK.BLUE
diff --git a/ci/radius.jenkinsfile b/ci/radius.jenkinsfile
index aa3b752..5689c2a 100644
--- a/ci/radius.jenkinsfile
+++ b/ci/radius.jenkinsfile
@@ -2,13 +2,29 @@
 
 pipeline {
     agent {
-        label 'ansible'
+        dockerfile {
+            dir 'ci'
+            args '''\
+            -v /etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts:ro
+            '''
+        }
     }
 
+    options {
+        lock 'cfgpol'
+        timeout(time: 1, unit: 'HOURS')
+    }
+
+
     triggers {
         cron 'H H * * *'
     }
 
+
+    environment {
+        KRB5CCNAME = "${WORKSPACE}/.krb5cc"
+    }
+
     stages {
         stage('kinit') {
             steps {