Using an actual persistent volume for the workspace ultimately doesn't
work with multibranch pipelines. When a branch/PR goes away and the
corresponding Jenkins job is deleted, the workspace cannot be cleaned up
because it is not mounted anywhere. As such, we will just use a dynamic
PVC to ensure that the workspace is always cleaned up and nothing gets
left behind. This of course obviates the need for the `Clean`
parameter.
Although `dhcpcd` includes a hook for configuring the NTP daemon from
DHCP options, it is not installed by default. To enable it, one must
pass `-with-hook=ntp.conf` to the `configure` script before compiling
and installing the package. Buildroot does not pass this flag by
default, but it does allow us to add it to the list of flags to pass in
our external configuration.
AlertManager is a stateful service, and as such needs a writable
location for its data. Using the `StateDirectory` service unit
directive, we can configure systemd to create this directory
automatically, if it does not already exist when the service starts.
In order for the service to be able to write to the state directory, it
must have a stable UID. This means it cannot use the `DynamicUser`
service unit directive.
By default, Buildroot creates `/etc/resolv.conf` as a symlink to
`/tmp/resolv.conf`. This allows it to be modified at runtime, even if
`/` is on a read-only filesystem (assuming `/tmp` is not).
Unfortunately, this causes problems for systemd units with
`PrivateTmp=yes`, because they are not able to read the `resolv.conf`
file.
A more appropriate location for the writable `resolv.conf` is `/run`.
This filesystem is not affected by the `PrivateTmp` setting, and is
always available to units.
Setting `IPAddressAllow` and `IPAddressDeny` instructs systemd to
construct BPF firewall rules to restrict traffic. Since `vmagent` is
responsible for scraping metrics from hosts on the network, it does not
make any sense to restrict it to localhost-only communication.
None of the Victoria Metrics services should run as a dynamic user.
Indeed, enabling the setting appears to have no effect when `User` is
defined and refers to a user that already exists. To reduce confusion,
we should omit these directives from the unit files.
*blackbox_exporter* is a generic exporter for Prometheus that can be
used to provide metrics about HTTP, etc. services. I use it to monitor
the availability and responsiveness of websites I host.
This package provides *rngd*, a service to continually credit the kernel
entropy pool with random data gathered by various sources, such as
hardware devices.
When I originally added the *victoriametrics* user to the `users` file,
I did not realize that it was possible for a package to define a user.
It makes much more sense to define it there.
There's no reason for these to be separate packages. They come from the
same source tree, so having a single package makes more sense. I only
separated them originally because I wasn't sure exactly how to express
the proper options in the kconfig language.
I think it makes the most sense to install the systemd unit files for
services along with their binaries. This is how most software provided
by Linux distribution package manager works. Providing the systemd unit
with the package eliminates the need for variability, since the paths to
the executable and other files are well defined.
In order to ensure that network interfaces are active, but not
necessarily fully configured, before *network.target* is reached, the
*dhcpcd.service* unit now waits until at least one interface has
processed the `CARRIER` event before being marked as active. This is
accomplished using the *sd_notify* infrastructure, via the
`systemd-notify` command, executed in a client configuration hook
script.
Now that *dhcpcd.service* and *dhcpcd-wait-online.service* correctly
activate *network.target* and *network-online.target*, respectively, the
hack to fix the *collectd* *wait_prometheus* plugin binding to the TCP
socket is no longer needed.
The *dhcpcd.service* systemd unit file that ships with Buildroot is
broken. It orders the unit after *network.target*, which makes no
sense. It also configures the process to fork, but incorrectly
configures the PID file. Finally, by relying on the fork to indicate
that the network is "online," it does not distinguish between "an
interface is up" and "the network is reachable." As most daemons only
need the former, they only rely on *network.target*, and thus can fail
to start correctly.
To correct this brokenness, we provide our own unit file for
*dhcpcd.service*, based on the one included in the Fedora *dhcpcd* RPM
package. For "online" signalling, we provide a pair of shell scripts:
one reads from a named pipe waiting for a message and the other sends a
message to the pipe when configuration is complete.
The *vmutils* package can be built from source easily, as its just a
collection of Go applications. Grafana and Alertmanager are quite a bit
more complicated because of their respective browser applications. In
the interest of getting this project actually going, we'll just install
the official binary releases of these (for now?).
Ansible's `user` module *requires* that the `usermod` command be
present, even if it would not actually create or modify the specified
user. It does not actually execute it unless it needs to, so we can
stub it out. Making it a symlink to `false` ensures that it will never
do anything, and will fail if its actually run.
Victoria Metrics is not available by default with Buildroot, but adding
a package description for it is very straightforward. The flags and
tags are specified within Victoria Metrics's own Makefile.
The *systemd* package provides the `systemd-hwdb` command, which is used
during the build to generate `/usr/lib/udev/hwdb.bin` in the target
filesystem.
Raspberry Pi firmware files are now included in the root of the
distribution archive, insteaad of in an `rpi-firmware` subdirectory.
This will make it easier to extract them to the FAT32 partition on the
SD card, along with the kernel and initramfs images files.
