  1. Nuxeo ECM Build/Test Environment
  2. NXBT-3751

The Platform CI Nexus is very slow to start


    Details

    • Type: Task
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None

      Description

      Currently, when the nexus pod in the platform namespace starts, it can take up to 1 hour to be ready.

      After investigation, it seems that the lifecycle/postStart command is responsible for this long boot.
      This command was introduced by the Jenkins X team; it calls the script /opt/sonatype/nexus/postStart.sh:

      #!/bin/bash
      set -eu
      HOST="localhost:8081"
      
      until curl --output /dev/null --silent --head --fail http://${HOST}/; do
        printf '.'
        sleep 5
      done
      
      if [ "$NEXUS_DATA_CHOWN" == "true" ]; then
          chgrp -R 0 /nexus-data
          chmod -R g+rw /nexus-data
          find /nexus-data -type d -exec chmod g+x {} +
      fi
      
      NEXUS_BASE_DIR="/opt/sonatype/nexus"
      NEXUS_MAVEN_REPO_DIR="${NEXUS_BASE_DIR}/maven-proxy-repositories"
      NEXUS_NPMJS_REPO_DIR="${NEXUS_BASE_DIR}/npmjs-proxy-repositories"
      NEXUS_MAVEN_GROUP_DIR="${NEXUS_BASE_DIR}/maven-group-repositories"
      USERNAME="admin"
      PASSWORD="admin123"
      PASSWORD_FROM_FILE="$(cat "${NEXUS_BASE_DIR}"/config/password || true)"
      
      function die() {
          echo "ERROR: $*" 1>&2
          exit 1
      }
      
      # Call the Nexus API for the specified repository
      function runCurlFromJsonFile() {
          local jsonFile
          local service
          local body
          local method
          jsonFile="${1}"
          service="${2}"
          method="${3}"
          body="$(cat "${jsonFile}")"
      
          if  ! curl --fail -X "${method}" -u "${USERNAME}":"${PASSWORD}" "http://${HOST}/${service}" -H "accept:application/json" -H "Content-Type:application/json" -d "${body//[$'\t\r\n']}"; then
              echo "Error calling Nexus API for http://${HOST}/${service} to add repository from ${jsonFile}"
          fi
      }
      
      function setPasswordFromFile() {
          if [ -n "${PASSWORD_FROM_FILE}" ]; then
              echo "Updating PASSWORD variable from password file."
              PASSWORD="${PASSWORD_FROM_FILE}"
          else
              echo "Not updating PASSWORD var. Password file either non-existent or not readable."
          fi
      }
      
      if curl --fail --silent -u "${USERNAME}":"${PASSWORD}" http://"${HOST}"/service/metrics/ping; then
          echo "Login to nexus succeeded. Default password worked. Updating password if available..."
          curl --fail -X PUT -u "${USERNAME}":"${PASSWORD}" "http://${HOST}/service/rest/beta/security/users/admin/change-password" --header "Content-Type: text/plain" -d "${PASSWORD_FROM_FILE}"
          setPasswordFromFile
      elif [ -n "${PASSWORD_FROM_FILE}" ]; then
          setPasswordFromFile
          echo "Default password failed. Checking password file..."
          if curl --fail --silent -u "${USERNAME}":"${PASSWORD}" http://"${HOST}"/service/metrics/ping; then
              echo "Login to nexus succeeded. Password from secret file worked."
          else
              die "Login to nexus failed. Tried both the default password and the provided password secret file."
          fi
      else
          die "Login to nexus failed. Tried the default password only since no password secret file was provided."
      fi
      
      # For each maven repository proxy json file, create the repo proxy via the Nexus API.
      echo "Creating maven proxy repositories from json"
      mapfile -t REPOS < <(find "${NEXUS_MAVEN_REPO_DIR}" -maxdepth 1 -type f -name "*json*")
      for repo in "${REPOS[@]}"; do
          runCurlFromJsonFile "${repo}" "service/rest/beta/repositories/maven/proxy" POST
      done
      
      # For each npmjs proxy repository json file, create the repo proxy via the Nexus API.
      echo "Creating npmjs proxy repositories from json"
      mapfile -t REPOS < <(find "${NEXUS_NPMJS_REPO_DIR}" -maxdepth 1 -type f -name "*json*")
      for repo in "${REPOS[@]}"; do
          runCurlFromJsonFile "${repo}" "service/rest/beta/repositories/npm/proxy" POST
      done
      
      # For each maven group repository json file, create the repo via the Nexus API.
      echo "Creating maven group repositories from json"
      mapfile -t REPOS < <(find "${NEXUS_MAVEN_GROUP_DIR}" -maxdepth 1 -type f -name "*json*")
      for repo in "${REPOS[@]}"; do
          runCurlFromJsonFile "${repo}" "service/rest/beta/repositories/maven/group" POST
      done
      
      # It is not possible at this time to disable anonymous access at the server level via API.
      # By disabling the anonymous user account, it has the same result.
      if [ -z "${ENABLE_ANONYMOUS_ACCESS}" ] || [ "${ENABLE_ANONYMOUS_ACCESS}" = "false" ]; then
          echo "Disabling the anonymous account"
          runCurlFromJsonFile "${NEXUS_BASE_DIR}"/disable-anonymous-access.json "service/rest/beta/security/users/anonymous" PUT
      fi
      

      The slow part is probably the chgrp/chmod commands on the /nexus-data directory. This directory is big in our setup, which is consistent with it being the culprit.

      It is worth checking whether the container needs this step, so that we can remove it.

      The next parts of the script are responsible for:

      • updating the default Nexus password on its very first execution
      • updating/creating some Nexus repositories located under /opt/sonatype/nexus/*-repositories

      The part about repositories is not used in our context, but we could leverage it in a new installation.

      The part about the password has changed a bit in later Nexus versions: it seems Nexus now generates an admin password on the first execution and puts it under /nexus-data/admin.password (see https://github.com/sonatype/nxrm3-helm-repository/blob/main/nexus-repository-manager/values.yaml#L33)
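
Added example, not part of the original issue or of the Jenkins X script: if the NEXUS_DATA_CHOWN step has to stay, it can be limited to entries whose group or group bits differ from what postStart.sh enforces, so an already compliant tree costs one read-only walk instead of a recursive chgrp/chmod. The function names and the directory and group arguments are assumptions; postStart.sh hardcodes /nexus-data and group 0.

```bash
#!/bin/bash
# Added example. Function names, DIR and GID arguments are hypothetical;
# the original script always acts on /nexus-data with group 0.

# Print the first entry that lacks the expected group, g+rw, or (for
# directories) g+x. Prints nothing when the whole tree already complies.
first_noncompliant() {
    local dir="$1" gid="$2"
    find "$dir" ! -type l \( ! -group "$gid" -o ! -perm -060 \
        -o \( -type d ! -perm -010 \) \) -print -quit
}

# Run chgrp/chmod only on the entries that differ, instead of on every
# file as "chgrp -R" / "chmod -R" do. Symlinks are left alone.
fix_noncompliant() {
    local dir="$1" gid="$2"
    find "$dir" ! -type l ! -group "$gid" -exec chgrp "$gid" {} +
    find "$dir" ! -type l ! -perm -060 -exec chmod g+rw {} +
    find "$dir" -type d ! -perm -010 -exec chmod g+x {} +
}

# Same opt-in flag as postStart.sh, but tolerant of the flag being unset
# under "set -u", and a no-op when nothing has drifted.
ensure_group_access() {
    local dir="$1" gid="$2"
    [ "${NEXUS_DATA_CHOWN:-false}" = "true" ] || return 0
    if [ -z "$(first_noncompliant "$dir" "$gid")" ]; then
        echo "group access on $dir already correct, skipping"
        return 0
    fi
    fix_noncompliant "$dir" "$gid"
}
```

In the pod this would be called as `ensure_group_access /nexus-data 0`; the walk itself still stats every entry, so on slow volumes it reduces the cost rather than removing it.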
