Move archives.jenkins.io service away from Oracle

[dduportal]

Service(s)

Archives

Summary

We want to stop using Oracle Cloud as they are no more sponsoring the Jenkins infrastructure.

The main consequence is the VM archives.jenkins.io which should move away from Oracle Cloud.

There are 3 immediate destinations:

• Azure:
  • 👎 adds costs for the VM or the pod
  • 👍 data is already present on the mirrorbits-binary bucket
  • 👎 adds outbound bandwidth costs
• DigitalOcean
  • 👎 adds costs for the VM or the pod
  • 👎 need to sync the 500 Gb+ data
  • 👍 outbound bandwidth is free until 500 Gb threshold is reached

- OSUOSL (not enough disk)

We also can think about using Cloudlfare is the near future (no bandwidth cost and cheap storage pricing)

Reproduction steps

No response

[dduportal]

It's Digital Ocean time!

[dduportal]

• Create a fresh new VM in DO for archives.jenkins.io (estimated cost: $88 / month on DigitalOcean)

  • 2 vCPUs (not only 1) because we will increase usage by adding it as fallback for mirrorbits (despite the current Oracle VM at 2 vCPUs with 5-7 % usage on past 3 months)
  • 4 Gb (no instance at 2 vCPUs on DigitalOcean has less + no need for more than 2 Gb as only 700 Mo are used in current Oracle VM)
  • 700 Gb disk (Current usage is 505 Gb on a 1 Tb volume on oracle)
    • Start as low as possible as disk storage is not cheap ($1 per 10 Gb)
    • But keep under the 80% disk usage limit (~ 73% with this one)
    • Storage is never garbage collected: we can grow the disk if needed (https://docs.digitalocean.com/products/volumes/how-to/increase-size/) or better: switch to a D3 space(requires more work)
  • Need a public IP
  • Proposed name: do.archives.jenkins.io for the VM + add a DNS A record to this VM's Public IP
  • Add admin SSH key to sops for Jenkins infra team
  • Add firewall rules: HTTP/HTTPS from everywhere but incoming SSH only from admin IPs and/or trusted.ci (reason why we can't use doks-public)

• Add the VM under Puppet management

  • Create new node in the node list and apply disk formatting
  • Setup roles but copy Letsencrypt certificates (HTTP-01 won't work otherwise)
  • Apply to VM once created

• Initial data migration with rsync from current Oracle VM to DigitalOcean

  • Run rsync a 2nd time an measure time

• Next steps:

  • Check the current update system for archive.jenkins.io (update_center2) as there might be .ssh/known_hosts to update after migration
  • announce operation
  • Migrate DNS (CNAME)
  • Run rsync one last time
  • Then run update_center2 and check it works with rsync
  • Plan for Oracle VM decomissioning after all of that

[dduportal]

Update:

• VM created after an hotfix: DigitalOcean requires volume names to be lowercase alphanum 😅
• For the record, the default user of DO droplets is root (associated with the provided SSH key)
• Currently upgrading packages + reboot through SSH as root
• I don't see any request in the puppet master: gotta check the cloud init process

[dduportal]

Update:

• Fixed the puppet agent access to puppet master:
  • Fixup to ensure cloud-init works on the newly created VM works: hotfix(archives.jenkins.io) user_data is not base64 encoded digitalocean#159
  • Fixup to allow outbound requests: feat(archives.jenkins.io) allow outbound connection to our puppet master digitalocean#160 (firewall on DO droplet works well 🥳 )
  • Result 👍 puppet master sees the request for do.archives.jenkins.io
• Created DNS records in DO (waiting for delegation): feat: manage DigitalOcean service DNS records digitalocean#161
• Result 👍 puppet master sees the (fixed) request for archives.do.jenkins.io

$ dig AAAA @ns2.digitalocean.com archives.do.jenkins.io   
# ...
;; ANSWER SECTION:
archives.do.jenkins.io. 1800    IN      AAAA    2a03:b0c0:3:d0::9bc:d001
# ...
$ dig A @ns3.digitalocean.com archives.do.jenkins.io   
# ...
;; ANSWER SECTION:
archives.do.jenkins.io. 1800    IN      A       46.101.121.132
# ...
$ dig A @ns1.digitalocean.com repo.do.jenkins.io    
# ...
;; ANSWER SECTION:
repo.do.jenkins.io.     1800    IN      A       157.245.23.55
# ...

[dduportal]

Update: data migration from Oracle is ready to roll:

• Opened firewall and grew disk: feat(archives.jenkins.io) prepare data migration from Oracle digitalocean#162
• Automatic volume grow is confirmed: only have to reboot the VM to apply it to disk \o/
• Oracle VM archives.jenkins.io is configured to reach the new VM and test of rsync was started (rsync and screen)

Next step: Puppet before the real migration

[dduportal]

Update:

• The mounted volume required a 2nd step after the VM reboot: resise2fs /dev/sda with the volume unmounted
  • Checked by mounting it to /srv and checking the new size with df -h /srv.
  • Had to run a e2fsck -f /dev/sda before
  • No data loss \o/ (checked the amount of used blocks to be really paranoid)
• Started the rsync from old to new VM has I had 2-3 hours before playing with puppet
• Copied the /etc/letsencrypt from current VM to ease the bootstrap process. ⚠️ Gotta update it once online to avoid the same problem as SSL certificate for ci.jenkins.io expires in 23 days #3740 (comment) in 3 months...
• feat: initial support of the archives.do.jenkins.io VM jenkins-infra#3084 => Adding under puppet management
• Started the puppet initial provisionning
  • Stopped the puppet agent with systemctl stop puppet
  • Signed the certificater on the puppet master
  • Started the puppet agent
  • Checking logs with journalctl

[dduportal]

Update:

• Puppet agent worked properly

• Rebooted the VM:

  • Volume is mounted properly
  • Puppet agent ran at startup with success
  • Re-ran the agent a 3rd time and no change + no error

• Continuing the rsync migration. Status:

  $ echo && df -h /srv
  Tue Sep 26 12:56:45 PM UTC 2023
  
  Filesystem      Size  Used Avail Use% Mounted on
  /dev/sda        744G  179G  528G  26% /srv

• Webservice is up and running with HTTPS (but HTTPS is only for archives.jenkins.io and archives.jenkins-ci.org for now):

$ curl --verbose --header 'Host: archives.jenkins.io' --insecure https://archives.do.jenkins.io/TIME
*   Trying 46.101.121.132:443...
* Connected to archives.do.jenkins.io (46.101.121.132) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=archives.jenkins-ci.org
*  start date: Aug  3 05:06:52 2023 GMT
*  expire date: Nov  1 05:06:51 2023 GMT
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: archives.jenkins.io]
* h2 [:path: /TIME]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x14380bc00)
> GET /TIME HTTP/2
> Host: archives.jenkins.io
> User-Agent: curl/8.1.2
> Accept: */*
> 
< HTTP/2 200 
< last-modified: Tue, 26 Sep 2023 12:29:56 GMT
< etag: "b-606423b821678"
< accept-ranges: bytes
< content-length: 11
< date: Tue, 26 Sep 2023 12:57:36 GMT
< server: Apache
< 
1695731396
* Connection #0 to host archives.do.jenkins.io left intact
* ```

[dduportal]

Update:

• rsync finished.
• Ran a 2nd rsync
• Migrated the (non IaC managed) records archives.jenkins.io and archives.jenkins-ci.org with a 1 min TTL.
  • TODO: remove the former phoenix.archives record in jenkins.io
  • TODO: manage current CNAME records in terraform
• Stopped the apache2 server on Oracle VM
• WiP: I forgot to allow pkg and trusted IPs for rsync.
  • feat(archives.jenkins.io) allow more IPs for SSH digitalocean#163
  • checks in progress

[dduportal]

Update:

• There is a mirrorsync step executed on the archives.jenkins.io machine (remotely by a cron on the pkg.jenkins.io VM). This script is defined here: https://github.com/jenkins-infra/jenkins-infra/blob/production/dist/profile/templates/archives/mirrorsync.erb and requires outbound rsync protocol to the NYC OSUOSL server

  • Added the outbound rsync protocol rule in feat(archives) allow outbound rsync to OSUOSL and updates.j -  digitalocean#164
  • But outbound requests are done with IPv6 in the new VM: tried to add the IPv6 of OSUSOL (jenkins-infra/digitalocean@07e5395)
  • Not working, so for the time being, opened to all IPvs for outbound rsync (low risk as no sensitive data on this machine) in jenkins-infra/digitalocean@1d75c76

• Ran the script from pkg which succeeded (remote execution of the mirrorsync command on archives.jenkins.io as the user mirrorsync)

  • Had to create the public key for the mirrorsync user on the new VM which is unexpected
    • TODO: reproduce with puppet's vagrant and fix.
  • Had to update the ssh/known_hosts on pkg of course (user mirrorbrain)

[dduportal]

Update: the old Oracle VM has been shut down but it is still here. We'll remove it friday (time to check if we miss something).

[dduportal]

Update:

• VM was stopped in oracle Cloud console (the sudo halt -n command did not make Oracle API aware of the shutdown 🤦 )
• feat(archives.jenkins.io) import existing CNAME records for archives jenkins.io and archives.jenkins-ci.org azure#488 to import the (manually managed) CNAME records into IaC.
• Removed the phoenix.archives.jenkins.io and phoenix.archives-jenkins-ci.org DNS A records manually in Azure console (both pointed to the IPv4 of the former Oracle VM, e.g. 129.146.98.132)

[dduportal]

Update:

• Removed the VM, storage, tenant and network from Oracle cloud with @MarkEWaite
• Removed last remnants of the former public IP.

We can close this issue 🥳

[dduportal]

Reopening as 2 missing documents/cleanups:

• Leftovers in jenkins-infra/jenkins-infra
• Runbook to update

[dduportal]

• Runbook updated in https://github.com/jenkins-infra/runbooks/commit/862200dd8a026cf7dfd5573cb04ef0f0179fba2d
• Cleanup: cleanup: remove leftovers of the Oracle VM for archives.jenkins.io jenkins-infra#3094