Mac Plugin

A good utility to build yours IOS apps, this plugin create MacOs agents for yours builds.

It can stock your Keychains file on Jenkins and send it to the MacOs Nodes.

Features
Requirements
- Jenkins
- MacOs
Plugin configuration
Logs configuration
Execution
Troubleshooting
Team
Contact

Features

Allow to configure a Mac as Jenkins agent
Run multiples builds on a single Mac
Isolates each construction from each other
Run builds on a cloud of Macs
Configure environment variables
Stock keychain file as credentials on Jenkins
Inject keychain on Node filesystem
Prepare build environment
Clean all files created after each build

This plugin has been tested against macOS 10.14 Mojave and macOS 10.15 Catalina , although theoretically it should work with older version as long as it supports sysadminctl command.

Requirements

Jenkins

'TCP port for inbound agents' must be enabled in Global Security settings.

If not, WebSocket must be supported by Jenkins and activated in the agents (see Web Socket)

MacOS

Restart MacOs after configuration change

Enable SSH for all users

Go to System Preferences -> Sharing, and enable Remote Login for All users :

SSH configuration

In /etc/ssh/sshd_config file, uncomment and update values of parameters MaxAuthTries, MaxSessions, ClientAliveInterval and ClientAliveCountMax to your need.

example of configuration for 10 Jenkins and 1 Mac with 10 users allowed :

MaxAuthTries 10
MaxSessions 100
ClientAliveInterval 30
ClientAliveCountMax 150

For more informations about sshd_config consult the Official Documentation

Configure a Jenkins User

Create an user on the Mac with administrator privileges. It will be your connection user for Mac Plugin Global configuration.

Add sudo NOPASSWD to this user in /etc/sudoers : see how to configure sudo without password

To maximize security, you can configure it only for "chmod" and "sysadminctl" command used by the plugin :

[USERNAME] ALL = NOPASSWD: /usr/sbin/sysadminctl -addUser mac-?????????? -password ??????????, /usr/sbin/sysadminctl -deleteUser mac-??????????, /bin/chmod -R 700 /Users/mac-??????????/

Update for v1.4.0+ :

Since 1.4.0 it is possible to use "dscl" instead of "sysadminctl". To use the full functionnalities of the plugin, here is the new NOPASSWD configuration for the user :

[USERNAME] ALL = NOPASSWD: /usr/sbin/sysadminctl -addUser mac-?????????? -password ??????????, /usr/sbin/sysadminctl -deleteUser mac-??????????, /bin/chmod -R 700 /Users/mac-??????????/, /usr/sbin/chown mac-??????????\:staff /Users/mac-??????????, /bin/mkdir /Users/mac-??????????, /usr/bin/dscl . -create /Users/mac-??????????, /usr/bin/dscl . -create /Users/mac-?????????? UserShell /bin/zsh, /usr/bin/dscl . -create /Users/mac-?????????? UniqueID ???, /usr/bin/dscl . -create /Users/mac-?????????? PrimaryGroupID 20, /bin/cp -R /System/Library/User\ Template/Non_localized /Users/mac-??????????, /bin/cp -R /System/Library/User\ Template/English.lproj /Users/mac-??????????, /usr/bin/dscl . -create /Users/mac-?????????? NFSHomeDirectory /Users/mac-??????????, /usr/sbin/chown -R mac-??????????\:staff /Users/mac-??????????, /usr/bin/dscl . -passwd /Users/mac-?????????? ??????????, /usr/bin/pkill -u mac-??????????, /usr/bin/dscl . -delete /Users/mac-??????????, /bin/rm -rf /Users/mac-??????????

Plugin configuration

Global Configuration

In jenkins global configuration, add a new Mac Cloud :

Configure fields of Mac Cloud :

Select JNLP for the connector and refer your Jenkins URL. This URL must be accessible by outside, localhost is not working.

Add a new Mac Host and fill the properties in the fields :

The number of simultaneous builds on the same Mac Host depends of the property "Max users". More you have Mac Hosts configured, more you can build simultaneous on many machines. The plugin was tested with a limit of 7 users per Mac hosts.

The supported credentials for now is User and Password. Put an account of your mac with sudo NOPASSWORD configured (see Configure a Jenkins User).

Refer the label of your agent. Select JNLP for the connector and refer your Jenkins URL. This URL must be accessible by outside, localhost is not working.

In a project configuration, refers the label :

Keychain Managment

Since v1.1.0, you have the possibility to stock keychain files into Jenkins to inject it in the Jenkins Mac agent. For this, check "Upload a keychain file" :

Add a new Secret file credentials. Prefers to store it as System Credentials to not allow any project to use it directly :

The Keychain will be send to the Mac agent with SCP in ~/Library/Keychains/ directory before the JNLP connection.

Environment variables

Since v1.1.0, you can set environment variables on Mac host. Theses variables will be set on the Node and will be accessible in the build.

Pre-launch commands

Since v1.3.0, you can set commands passed to the user before the agent starts. The field is a multi-line string, and each line match to a command execution. It is possible to run a script on the Mac with this field.

Web Socket

Since v1.3.1, Mac agents supports WebSocket.

The option is available in Mac Cloud settings :

User Management Tool

v1.4.0 include the possibility to choose between "sysadminctl" or "dscl" for the users creation and deletion.

The option is available in Mac Cloud->Mac Host settings :

This functionality has been developed to fix JENKINS-66374

sudoers file on the Mac must be updated to add sudo NOPASSWD on all commands needed to create the user with dscl (see Configure a Jenkins User).

Logs configuration

You can define a custom LOGGER to log every output of the plugin on the same place. To do it, go to System logs in the Jenkins configuration :

Configure the Logger of the plugin :

Save your configuration.

Execution

After configuration, when you run a job with a Mac Cloud label, it will create a jenkins agent on the mac you setted as host and run the build on it.

You can see it on the home page of Jenkins :

Troubleshooting

Zombie process : Sometimes, "sysadminctl" tool continue to run after task executed. After a while, it can saturate MacOS (in our case we had +1000 process running). To prevent this, a script with the command "killall sysadminctl" has to be run regulary.
User and homedirs not deleted : Sometimes when an error happens, the users and/or home directories cannot be deleted. This issue can block the others builds because the plugin detect the user like a build in progress and will wait until its deletion. A clean of the users and homedirs starting with "mac-" has to be run regulary.

Recommendation : All Mac used with the plugin has to be rebooted at least one time a week to prevent theses problems. This script can be run during the reboot to clean all uneeded users and process :

killall sysadminctl
for user in `/usr/bin/dscl . -list /Users | grep mac-`; do
    /usr/bin/dscl . -delete /Users/$user
done

cd /Users/ && ls | grep mac- | xargs rm –rf

Since v1.4.0, it is possible to use dscl over sysadminctl (see User Management Tool). Theses issues should not happen with dscl.

Team

Product Owner : Cloudehard

Developer : mat1e

Contact

Any question ? You can ask it on the Gitter room or open an issue on the Jira of Jenkins.

Getting "Cannot connect Mac <IP> with user mac-4mormwlvqv to jenkins with JNLP"

Version report

Jenkins and plugins versions report:

Jenkins: 2.303.2
OS: Linux - 5.4.95-42.163.amzn2.x86_64
---
ace-editor:1.1
ansible-tower:0.16.0
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
aws-java-sdk:1.12.89-292.v2712528e879c
aws-java-sdk-cloudformation:1.12.89-292.v2712528e879c
aws-java-sdk-codebuild:1.12.89-292.v2712528e879c
aws-java-sdk-ec2:1.12.89-292.v2712528e879c
aws-java-sdk-ecr:1.12.89-292.v2712528e879c
aws-java-sdk-ecs:1.12.89-292.v2712528e879c
aws-java-sdk-elasticbeanstalk:1.12.89-292.v2712528e879c
aws-java-sdk-iam:1.12.89-292.v2712528e879c
aws-java-sdk-logs:1.12.89-292.v2712528e879c
aws-java-sdk-minimal:1.12.89-292.v2712528e879c
aws-java-sdk-ssm:1.12.89-292.v2712528e879c
aws-lambda:0.5.10
aws-secrets-manager-credentials-provider:0.5.6
aws-secrets-manager-secret-source:0.0.1
bootstrap4-api:4.6.0-3
bootstrap5-api:5.1.1-1
bouncycastle-api:2.25
branch-api:2.7.0
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-disk-usage-simple:0.10
cloudbees-folder:6.16
command-launcher:1.6
configuration-as-code:1.54
copyartifact:1.46.2
credentials:2.6.1
credentials-binding:1.27
dark-theme:0.0.12
dashboard-view:2.18
display-url-api:2.3.5
docker-commons:1.17
docker-workflow:1.26
durable-task:1.39
echarts-api:5.2.1-2
extended-read-permission:3.2
font-awesome-api:5.15.4-1
generic-webhook-trigger:1.77
git:4.10.0
git-client:3.10.0
git-server:1.10
github:1.34.1
github-api:1.133
github-branch-source:2.11.3
github-scm-trait-notification-context:1.1
handlebars:3.0.8
jackson2-api:2.13.0-230.v59243c64b0a5
javadoc:1.6
jaxb:2.3.0
jdk-tool:1.0
jira:3.6
jjwt-api:0.11.2-9.c8b45b8bb173
job-dsl:1.78.1
jquery3-api:3.6.0-2
jsch:0.1.55.2
junit:1.53
kubernetes:1.30.5
kubernetes-client-api:5.4.1
kubernetes-credentials:0.9.0
ldap:2.7
lockable-resources:2.12
mac:1.3.1
mailer:1.34
matrix-auth:2.6.8
matrix-project:1.19
maven-plugin:3.15
metrics:4.0.2.8
modernstatus:1.3
momentjs:1.1.1
okhttp-api:3.14.9-20211029
pipeline-build-step:2.15
pipeline-graph-analysis:1.11
pipeline-input-step:2.12
pipeline-milestone-step:1.3.2
pipeline-model-api:1.9.2
pipeline-model-definition:1.9.2
pipeline-model-extensions:1.9.2
pipeline-rest-api:2.19
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.9.2
pipeline-stage-view:2.19
plain-credentials:1.7
plugin-util-api:2.5.0
popper-api:1.16.1-2
popper2-api:2.10.2-1
prometheus:2.0.10
resource-disposer:0.16
rich-text-publisher-plugin:1.4
s3:0.12.0
scm-api:2.6.5
script-security:1.78
simple-theme-plugin:0.7
slack:2.48
snakeyaml-api:1.29.1
ssh-credentials:1.19
sshd:3.1.0
structs:1.23
theme-manager:0.6
timestamper:1.13
token-macro:267.vcdaea6462991
trilead-api:1.0.13
variant:1.4
workflow-aggregator:2.6
workflow-api:2.47
workflow-basic-steps:2.24
workflow-cps:2.94
workflow-cps-global-lib:2.21
workflow-durable-task-step:2.40
workflow-job:2.42
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8
ws-cleanup:0.39

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins on Kubernetes, Kubernetes cluster build on AMZ Linux -> Controller
OSX Monterey -> Agent

Reproduction steps

Install plugin in controller
Configure JNLP port on controller
Check connectivity from agent to controller
Configure Mac as described in guide.
Start job with label associated to the agent config
Start of agent fails with message in description.

Results

Expected result:

Agent connects and starts the job.

Actual result:

Error: Getting "Cannot connect Mac with user mac-4mormwlvqv to jenkins with JNLP"
We verified connectivity from the agent to the controller and we can see the directories for the users being created.
The logs however show that provisioning was succesfully: provisioning successfully completed. We have now 3 computer(s)
Then: Failed to execute command java -jar remoting.jar -jnlpUrl https://jenkinsplay.internal.mobilevikings.be/computer/mac-yzyhk8kewl/slave-agent.jnlp -secret

jenkinsci / mac-plugin Goto Github PK

mac-plugin's Introduction

Mac Plugin

Table of Contents

Features

Requirements

Jenkins

MacOS

Enable SSH for all users

SSH configuration

Configure a Jenkins User

Plugin configuration

Global Configuration

Keychain Managment

Environment variables

Pre-launch commands

Web Socket

User Management Tool

Logs configuration

Execution

Troubleshooting

Team

Contact

mac-plugin's People

Contributors

Stargazers

Watchers

Forkers

mac-plugin's Issues

Depshield will be deprecated on Monday December 12th

Version report

Reproduction steps

Results

What feature do you want to see added?

Recommend Projects

Recommend Topics

Recommend Org