CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos
0 likes1,045 views
In this presentation Carlos Sanchez will share his experience running Jenkins at scale, using Docker and Apache Mesos to create one of the biggest (if not the biggest) Jenkins clusters to date. By taking advantage of Apache Mesos, the Jenkins platform is dynamically scaled to run jobs across hundreds of Jenkins masters, on Docker containers distributed across the Mesos cluster. Jenkins slaves are dynamically created based on load, using the Jenkins Mesos and Docker plugins, running in containers distributed across multiple hosts, and isolating job execution. This presentation will allow a better understanding of Apache Mesos and the challenges of running Docker containerized and distributed applications, particularly JVM ones, by sharing a real world use case, including good and bad decisions and how they affected the development.
![TERRAFORM
resource "aws_instance" "worker" {
count = 1
instance_type = "m3.large"
ami = "ami-xxxxxx"
key_name = "tiger-csanchez"
security_groups = ["sg-61bc8c18"]
subnet_id = "subnet-xxxxxx"
associate_public_ip_address = true
tags {
Name = "tiger-csanchez-worker-1"
"cloudbees:pse:cluster" = "tiger-csanchez"
"cloudbees:pse:type" = "worker"
}
root_block_device {
volume_size = 50
}
}](https://image.slidesharecdn.com/ciandcdatscalescalingjenkinswithdockerandapachemesos-161121115402/85/CI-and-CD-at-Scale-Scaling-Jenkins-with-Docker-and-Apache-Mesos-25-320.jpg)
![SIDEKICK CONTAINER CASTLE
Running in Marathon in each host
"constraints": [
[
"hostname",
"UNIQUE"
]
]](https://image.slidesharecdn.com/ciandcdatscalescalingjenkinswithdockerandapachemesos-161121115402/85/CI-and-CD-at-Scale-Scaling-Jenkins-with-Docker-and-Apache-Mesos-33-320.jpg)
![CAVEATS
Only a limited number of EBS volumes can be mounted
Docs say /dev/sd[f-p], but /dev/sd[q-z] seem to
work too
Sometimes the device gets corrupt and no more EBS
volumes can be mounted there
NFS users must be centralized and match in cluster and NFS
server](https://image.slidesharecdn.com/ciandcdatscalescalingjenkinswithdockerandapachemesos-161121115402/85/CI-and-CD-at-Scale-Scaling-Jenkins-with-Docker-and-Apache-Mesos-39-320.jpg)
![AWS
Running with a patched Terraform to overcome timeouts
and AWS eventual consistency
<?xml version="1.0" encoding="UTF-8"?>
<DescribeVpcsResponse xmlns="http://ec2.amazonaws.com/doc/2015-10-01/"
<requestId>8f855bob-3421-4cff-8c36-4b517eb0456c</requestld>
<vpcSet>
<item>
<vpcId>vpc-30136159</vpcId>
<state>available</state>
<cidrBlock>10.16.0.0/16</cidrBlock>
...
</DescribeVpcsResponse>
2016/05/18 12:55:57 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeVpcAttri
--[ RESPONSE] ------------------------------------
HTTP/1.1 400 Bad Request
<Response><Errors><Error><Code>InvalidVpcID.NotFound</Code><Message>
The vpc ID 'vpc-30136159‘ does not
exist</Message></Error></Errors>](https://image.slidesharecdn.com/ciandcdatscalescalingjenkinswithdockerandapachemesos-161121115402/85/CI-and-CD-at-Scale-Scaling-Jenkins-with-Docker-and-Apache-Mesos-60-320.jpg)
Ad
More Related Content
What's hot (20)
Viewers also liked (20)
Ad
Similar to CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos (20)
Ad
More from Carlos Sanchez (16)
Recently uploaded (20)
![Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version](https://cdn.slidesharecdn.com/ss_thumbnails/fashionevolution2-250322112409-f76abaa7-250428124909-b51264ff-250504160528-fc2bb1c5-thumbnail.jpg?width=560&fit=bounds)
CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos
- 1. CI AND CD AT SCALE SCALING JENKINS WITH DOCKER AND APACHE MESOS Carlos Sanchez @csanchez csanchez.org Watch online at carlossg.github.io/presentations
- 2. ABOUT ME Senior So ware Engineer @ CloudBees Contributor to the Jenkins Mesos plugin and the Java Marathon client Author of Jenkins Kubernetes plugin Long time OSS contributor at Apache, Eclipse, Puppet,…
- 3. OUR USE CASE Scaling Jenkins Your mileage may vary
- 4. SCALING JENKINS Two options: More build agents per master More masters
- 5. SCALING JENKINS: MORE BUILD AGENTS Pros Multiple plugins to add more agents, even dynamically Cons The master is still a SPOF Handling multiple configurations, plugin versions,... There is a limit on how many build agents can be attached
- 6. SCALING JENKINS: MORE MASTERS Pros Different sub-organizations can self service and operate independently Cons Single Sign-On Centralized configuration and operation
- 7. CLOUDBEES JENKINS ENTERPRISE EDITION CloudBees Jenkins Operations Center
- 8. CLOUDBEES JENKINS PLATFORM - PRIVATE SAAS EDITION The best of both worlds CloudBees Jenkins Operations Center with multiple masters Dynamic build agent creation in each master ElasticSearch for Jenkins metrics and Logstash
- 9. BUT IT IS NOT TRIVIAL
- 10. A 2000 JENKINS MASTERS CLUSTER
- 15. A 2000 JENKINS MASTERS CLUSTER 3 Mesos masters (m3.xlarge: 4 vCPU, 15GB, 2x40 SSD) 317 Mesos slaves (c3.2xlarge, m3.xlarge, m4.4xlarge) 7 Mesos slaves dedicated to ElasticSearch: (c3.8xlarge: 32 vCPU, 60GB) 12.5 TB - 3748 CPU Running 2000 masters and ~8000 concurrent jobs
- 17. Isolated Jenkins masters Isolated build agents and jobs Memory and CPU limits
- 18. How would you design your infrastructure if you couldn't login? Ever. Kelsey Hightower
- 19. EMBRACE FAILURE!
- 20. CLUSTER SCHEDULING Running in public cloud, private cloud, VMs or bare metal Starting with AWS and OpenStack HA and fault tolerant With Docker support of course
- 21. APACHE MESOS A distributed systems kernel
- 22. ALTERNATIVES Docker Swarm / Kubernetes
- 23. MESOSPHERE MARATHON For long running Jenkins masters <1.4 does not scale with the number of apps App definitions hit the ZooKeeper node limit
- 24. TERRAFORM
- 25. TERRAFORM resource "aws_instance" "worker" { count = 1 instance_type = "m3.large" ami = "ami-xxxxxx" key_name = "tiger-csanchez" security_groups = ["sg-61bc8c18"] subnet_id = "subnet-xxxxxx" associate_public_ip_address = true tags { Name = "tiger-csanchez-worker-1" "cloudbees:pse:cluster" = "tiger-csanchez" "cloudbees:pse:type" = "worker" } root_block_device { volume_size = 50 } }
- 26. TERRAFORM State is managed Runs are idempotent terraform apply Sometimes it is too automatic Changing image id will restart all instances Had to fix a number of bugs, ie. retry AWS calls
- 28. Preinstall packages: Mesos, Marathon, Docker Cached docker images Other drivers: XFS, NFS,... Enhanced networking driver (AWS)
- 29. MESOS FRAMEWORK Started with Jenkins Mesos plugin Means one framework per Jenkins master, does not scale If master is restarted all jobs running get killed
- 30. OUR NEW MESOS FRAMEWORK Using Netflix Fenzo Runs under Marathon, exposes REST API that Jenkins masters call Reduce number of frameworks Faster to spawn new build agents because framework is not started Pipeline durable builds, can survive a restart of the master Dedicated workers for builds Affinity
- 31. STORAGE Handling distributed storage Servers can start in any host of the cluster And they can move when they are restarted Jenkins masters need persistent storage, agents (typically) don't Supporting EBS (AWS) and external NFS
- 32. SIDEKICK CONTAINER A privileged container that manages mounting for other containers Can execute commands in the host and other containers
- 33. SIDEKICK CONTAINER CASTLE Running in Marathon in each host "constraints": [ [ "hostname", "UNIQUE" ] ]
- 34. A lot of magic happening with nsenter both in host and other containers
- 35. Jenkins master container requests data on startup using entrypoint REST call to Castle Castle checks authentication Creates necessary storage in the backend EBS volumes from snapshots Directories in NFS backend
- 36. Mounts storage in requesting container EBS is mounted to host, then bind mounted into container NFS is mounted directly in container Listens to Docker event stream for killed containers
- 37. CASTLE: BACKUPS AND CLEANUP Periodically takes snapshots from EBS volumes in AWS Cleanups happening at different stages and periodically EMBRACE FAILURE!
- 38. PERMISSIONS Containers should not run as root Container user id != host user id i.e. jenkins user in container is always 1000 but matches ubuntu user in host
- 39. CAVEATS Only a limited number of EBS volumes can be mounted Docs say /dev/sd[f-p], but /dev/sd[q-z] seem to work too Sometimes the device gets corrupt and no more EBS volumes can be mounted there NFS users must be centralized and match in cluster and NFS server
- 40. MEMORY Scheduler needs to account for container memory requirements and host available memory Prevent containers for using more memory than allowed Memory constrains translate to Docker --memory
- 41. WHAT DO YOU THINK HAPPENS WHEN? Your container goes over memory quota?
- 43. WHAT ABOUT THE JVM?
- 44. WHAT ABOUT THE CHILD PROCESSES?
- 45. CPU Scheduler needs to account for container CPU requirements and host available CPUs WHAT DO YOU THINK HAPPENS WHEN? Your container tries to access more than one CPU Your container goes over CPU limits
- 46. Totally different from memory CPU translates into Docker --cpu-shares
- 48. ZOMBIE REAPING PROBLEM Zombie processes are processes that have terminated but have not (yet) been waited for by their parent processes. The init process -- PID 1 -- task is to "adopt" orphaned child processes source
- 49. THIS IS A PROBLEM IN DOCKER Jenkins build agent run multiple processes But Jenkins masters too, and they are long running
- 50. TINI Systemd or SysV init is too heavyweight for containers All Tini does is spawn a single child (Tini is meant to be run in a container), and wait for it to exit all the while reaping zombies and performing signal forwarding. PROCESS REAPING Docker 1.9 gave us trouble at scale, rolled back to 1.8 Lots of defunct processes
- 51. NETWORKING Jenkins masters open several ports HTTP JNLP Build agent SSH server (Jenkins CLI type operations)
- 52. NETWORKING: HTTP We use a simple nginx reverse proxy for Mesos Marathon ElasticSearch CJOC Jenkins masters Gets destination host and port from Marathon
- 53. NETWORKING: HTTP Doing both domain based routing master1.pse.example.com path based routing pse.example.com/master1 because not everybody can touch the DNS or get a wildcard SSL certificate
- 54. NETWORKING: JNLP Build agents started dynamically in Mesos cluster can connect to masters internally Build agents manually started outside cluster get host and port destination from HTTP, then connect directly
- 55. NETWORKING: SSH SSH Gateway Service Tunnel SSH requests to the correct host Simple configuration needed in client Host=*.ci.cloudbees.com ProxyCommand=ssh -q -p 22 ssh.ci.cloudbees.com tunnel %h allows to run ssh master1.ci.cloudbees.com
- 56. SCALING New and interesting problems Hitler uses Docker
- 58. TERRAFORM AWS Instances Keypairs Security Groups S3 buckets ELB VPCs
- 59. AWS Resource limits: VPCs, S3 snapshots, some instance sizes Rate limits: affect the whole account Retrying is your friend, but with exponential backoff
- 60. AWS Running with a patched Terraform to overcome timeouts and AWS eventual consistency <?xml version="1.0" encoding="UTF-8"?> <DescribeVpcsResponse xmlns="http://ec2.amazonaws.com/doc/2015-10-01/" <requestId>8f855bob-3421-4cff-8c36-4b517eb0456c</requestld> <vpcSet> <item> <vpcId>vpc-30136159</vpcId> <state>available</state> <cidrBlock>10.16.0.0/16</cidrBlock> ... </DescribeVpcsResponse> 2016/05/18 12:55:57 [DEBUG] [aws-sdk-go] DEBUG: Response ec2/DescribeVpcAttri --[ RESPONSE] ------------------------------------ HTTP/1.1 400 Bad Request <Response><Errors><Error><Code>InvalidVpcID.NotFound</Code><Message> The vpc ID 'vpc-30136159‘ does not exist</Message></Error></Errors>
- 61. TERRAFORM OPENSTACK Instances Keypairs Security Groups Load Balancer Networks
- 62. OPENSTACK Custom flavors Custom images Different CLI commands There are not two OpenStack installations that are the same