Introduction
Understanding component interactions
When to use the CloudBees Build Acceleration cluster
Before you install
IntroductionAdditional Linux installation informationInstalling the Cluster Manager on LinuxInstalling Electric Agent/EFS on LinuxInstalling Electric Make on LinuxPath settings
IntroductionAdditional Windows installation informationInstalling the Cluster Manager on WindowsInstalling Electric Agent/EFS on WindowsInstalling Electric Make on Windows
Installing CloudBees Build Acceleration silently
Additional installation options
Installing JDBC drivers for MySQL or Oracle databases
Migrating an eMake-only installation
Installing the backward-compatible eMake package
Uninstalling CloudBees Build Acceleration from Linux
Uninstalling CloudBees Build Acceleration from Windows
Uninstalling CloudBees Build Acceleration silently
Introduction
Configuring CloudBees Build Acceleration on Linux
IntroductionWindows notesRegistry information
IntroductionChanging log locationsDisabling agents by defaultSetting up user authenticationSetting up email notificationAdding custom protocol mismatch error textUsing the database connection monitor
Configuring agent log rotation
Changing the disk cache directory or agent temporary storage location
Default directories
Logging in and enabling licensing
Installing an Apache server certificate
Stopping, starting, or restarting the Cluster Manager service
Configuring CloudBees Build Acceleration to run in Docker containers
IntroductionConfiguring your cloud platform for agent cloud burstingChoosing a machine to run eMakeConfiguring agent cloud bursting resourcesChecking the agent cloud bursting setup
Enabling automatic scaling of the number of agents
Configuring eMake and agents for multiple interface communications
Introduction
IntroductionBreakpointsCluster Manager administration toolsecconfigecagent toolsecinstconfeclockrunagent.local file
IntroductionCleaning up dataDeleting from the builds listManaging the message logSecuring the Cluster Manager databaseConfiguring the databaseBacking up a databaseEnabling LDAPImporting a licenseUsing comments
IntroductionStopping buildsDeleting buildsCreating build classesEditing Build ClassesDeleting build classes
IntroductionSetting the agent allocation policyUnderstanding a cluster sharing policyModifying the number of agents per hostEnabling agentsDisabling agentsTesting agentsDeleting agents
IntroductionCreating resourcesEditing resourcesDeleting resources
IntroductionCreating filtersEditing filtersDeleting filters
IntroductionGenerating reportsAdding custom reports
IntroductionThe home pageBuildsBuild detailsBuild classesBuild class detailsBuild classes - create or edit a build classAgentsAgent detailsResourcesResource detailsResources - create or edit a resourceReportsServer loadRealtime server metricsMessagesMessage policiesCloudCloud credentialsView cloud credentialsCreate or edit cloud credentialsCloud messagesAdministrationFiltersFilters - create or edit a filterPermissionsEdit User PermissionsEnable UserEdit group permissionsEnable groupUsersUsers - create or edit a local userUser passwordGroupsGroups - create or edit a local groupAdd new user to groupUser settings - view or edit user settingsServer settingsLicenses
Error code information
Introduction
Understanding component interactions
Virtualization
Understanding build parts
Setting up CloudBees Build Acceleration
Invoking Electric Make
Setting the Electric Make root directory
Configuring tools
Tools that access or modify the system registry
Configuring environment variables
Setting the Cluster Manager host and port
Setting Electric Make emulation
Electric Make command-line options, environment variables, and configuration file
CloudBees Build Acceleration sample build
Simulating builds
Using build classes
Using priority pools
Using the proxy command
Configuring TLS between eMake and agents
Building multiple targets simultaneously
Using Electric Make variables
Using the ninja build system
Specifying pragmas in an addendum file
Terminating a build
Shutting down cluster hosts during builds
IntroductionUnsupported GNU Make options and featuresUnsupported NMAKE optionsCommands that read from the consoleTransactional command outputStubbed submake outputHidden targetsWildcard sort orderDelayed existence checksMultiple remakes (GNU Make only)NMAKE inline file locations (Windows only)How eMake processes MAKEFLAGS
IntroductionOptimizing Android build performanceDependency optimizationJob cachingJob caching for katiParse avoidanceJavadoc cachingSchedule optimizationRunning a local job on the Make machineSerializing all Make instance jobsManaging temporary files
IntroductionCloudBees Build Acceleration eDependCloudBees Build Acceleration ledger fileManaging the history data fileConflicts and conflict detection
Annotation
IntroductionClearCaseCoverityCygwin (Windows only)EclipseBitBake
Electrify
IntroductionAgent issuesElectric Make debug log levelsUsing the annotation file to troubleshoot builds
Introduction
Installing Insight
Annotation
Starting Insight
Using Insight with BitBake builds
IntroductionAgents and jobsNavigationIntroductionLegendJob summaryZoomReplayMonitor live build
IntroductionBuild propertiesJob details dialogMake details dialogSearching for jobsViewing all jobsUsing the hyperlog
IntroductionGenerating reportsAnnotation differences reportBuild manifest reportBuild metrics reportBuild summary reportCluster sharing reportDerived files analysis reportElectricSimulator reportExport timeline reportFiles modified multiple times reportJob stats reportJob time by type reportJobs by agent reportJobs by file reportLongest jobs reportLongest serial chain reportMakefile manifest reportMetric differences reportMost read files reportRoot conflicts reportSerialization analysis reportSubmake stub reportTerminator lag reportWhy rebuild reportCommand-line enabled reportsCreating custom reports
Understanding build performance
Annolib programmer’s reference

User authentication

6 minute readAudit and compliance

CloudBees Build Acceleration uses account information from multiple sources. In most cases, the primary account information source is an external LDAP or Active Directory repository: both user and group information is retrieved from the repository. Local users and groups can be defined within CloudBees Build Acceleration.

Getting started

  1. Go to the following directory on the Cluster Manager server: <ECloud install>/<arch>/conf

  2. Make a copy of the ldap_template.xml file if you intend to use LDAP, or the ad_template.xml file if you prefer to use Active Directory. Save the copy in the conf directory as any name you choose or use the name: securityContext.xml.

  3. Still working in conf, open the accelerator.properties file.

    • Locate the following commented-out text string: #ACCELERATOR_SECURITY_CONTEXT_FILES=conf/securityContext.xml

    • If you did not name your template copy securityContext.xml, replace `securityContext.xml ` with the file name you chose.

    • Uncomment the `ACCELERATOR_SECURITY_…​ ` text string by removing the lead “” sign.

    • Comment out `ACCELERATOR_SECURITY_CONTEXT_FILES= ` (which immediately follows the line you uncommented)

  4. Use the LDAP information and examples in the following sections to fill in your own copy of the LDAP template.

  5. Restart the Cluster Manager service.

    For more information, see Stopping, Starting, or Restarting the Cluster Manager Service.

  6. After the Cluster Manager is running, lsign in to the Cluster Manager UI as “admin”.

  7. Go to Administration > Permissions .

  8. Click Enable User or Enable Group.

  9. Search for the desired user or group (or search for “*” to see all). If you set it up correctly, the requested LDAP users are visible.

  10. Select the appropriate users or groups to enable using the corresponding checkbox(es).

  11. Ensure that the desired permissions are set for the users or groups. (The online help system contains additional information about permissions.)

If you experience permissions issues while reading the ldap_template.xml or ad_template.xml copy, verify that the account that runs the Cluster Manager also has read permission for that file. To diagnose problems that cause Cluster Manager startup issues, including LDAP/Active Directory configuration problems, check <ECloud install>/<arch>/logs/accelerator.log.

Configuring LDAP

A number of options must be customized for any LDAP configuration. The following sample configuration is from the ldap_template.xml file. After the sample, see a list of properties with a description.

Sample LDAP configuration

<bean id="ldapDirectoryProvider"         class="com.electriccloud.security.ldap.    LdapDirectoryProviderImpl"><property name="providerName" value="LDAP"/><property name="url" value="ldap://myldaphost/dc=company,dc=com"/><property name="userBase" value="ou=People"/><property name="userSearchFilter" value="uid={0}"/><property name="userSearchSubtree" value="false"/><property name="userNameAttribute" value="uid"/><property name="fullUserNameAttribute" value="gecos"/><property name="emailAttribute" value="mail"/><!--<property name="managerDn" value="uid=admin,ou=People,dc=company,dc=com"/> --><!--<property name="managerPassword" value="password"/> --><!--<property name="groupBase" value="ou=Group"/> --><!--<property name="groupMemberFilter" value="(member={0})"/> --><!--<property name="groupMemberAttributes" value="member"/> --><!--<property name="groupSearchFilter" value="(objectClass=groupOfNames)"/> --><!--<property name="groupNameAttribute" value="cn"/> --><!--<property name="verifyCerts" value="true"/> --></bean>

The following properties configure LDAP mapping:

Property Description

emailAttribute

(optional) The attribute in a user record that contains the user’s email address. If the attribute is not specified, the account name and domain name are concatenated to form an email address.

fullUserNameAttribute

(optional) The attribute in a user record that contains the user’s full name (first and last name) for display in the UI. If this attribute is not specified or the resulting value is empty, the user’s account name is used instead.

managerDn

(optional) The DN of a user who has read-only access to LDAP user and group directories. If this property is not specified, the server attempts to connect as an unauthenticated user. Not all servers allow anonymous read-only access.

This user does not need to be an admin user with modify privileges.

managerPassword

(optional) If the managerDn property is set, this password is used to authenticate the manager user.

providerName

This human readable name is displayed in the user interface to identify users and groups that come from this provider.

userBase

This string is prepended to the basedn to construct the directory DN that contains user records.

userNameAttribute

The attribute in a user record that contains the user’s account name.

userSearchFilter

This LDAP query is performed in the context of the user directory to search for a user by account name. The string “{0}” is replaced with the user’s login ID. Typically, the query compares a user record attribute with the substituted user login ID.

userSearchSubtree

This property, if true, searches the entire subtree as identified by context. If false, (the default) then only the level identified by the context is searched.

url

The LDAP server URL is in the form protocol://<host>:<port>/basedn. Protocol is either ldap or ldaps (for secure LDAP). The port is implied by the protocol, but can be overridden if it is not at the default location (389 for ldap, 636 for ldaps). The basedn is the path to the top level directory that contains users and groups at this site. This is typically the domain name where each part is listed with a dc= and separated by commas.

Spaces in the basedn must be URL encoded (%20).

verifyCerts

(optional) This property enables certificate verification for LDAPS connections if true.

In addition to user information, the LDAP server can be queried for group information. This query is optional because the local group mechanism can refer to LDAP users as well as local users. However, the following elements can be used to tell the server how to map groups in LDAP:

Property Description

groupBase

(optional) This string is prepended to the basedn to construct the directory DN that contains group records.

groupMemberAttributes

(optional) A comma separated attribute names list that identifies a group member. Most LDAP configurations only specify a single value, but if there is a mixture of POSIX and LDAP style groups in the directory, multiple attributes might be required.

groupMemberFilter

(optional) This LDAP query is performed in the groups directory context to identify groups that contain a specific user as a member. There are two common forms of group record in LDAP directories: POSIX style groups where members are identified by account name, and groupOfNames or uniqueGroupOfNames records where members are identified by the full user DN. Both forms are supported, so the query is passed two parameters: “{0}” is replaced with the full user record DN, and “{1}” is replaced with the user’s account name.

groupNameAttribute

(optional) The group record attribute that contains the name of the group.

groupSearchFilter

(optional) This LDAP query is performed in the context of the groups directory to enumerate group records.

Determining LDAP mapping

A typical POSIX user record in LDAP looks similar to the example below. To set up a mapping for this record, it is necessary to identify various record components.

First, identify the path in the directory that contains user records. In this example, the build user has a distinguished name (dn) of uid=build,ou=People,dc=mycompany,dc=com. This name uniquely identifies the build user account and this path splits into three parts:

  • base dn: dc=mycompany,dc=com

  • user base: ou=People

  • user element: uid=build

The baseDn is the parent of the directory that contains users. This value is combined with the protocol and server to form the URL. In this case, the URL ends up as ldaps://dir/dc=mycompany,dc=com. The userBase is the portion of the path that identifies the directory containing all user account records. This value is used directly as the userBase configuration element. The remaining portion identifies the user without the People directory: uid=build. The user name is replaced in this value with the string “{0}” to form the userSearchFilter: uid={0}. This query allows the server to search for a user’s account name by looking for a record with a matching uid attribute. The final mapping step is to identify user record attributes that hold the account name, full user name, and (optionally) the user’s email address. In this example, the account name is uid (identified earlier), the full user name attribute is gecos, and there is no email attribute.

At this point, the server is able to authenticate a user, look up a user by name, and determine the user’s full name. For many installations this is sufficient.

Sample LDAP user record

# build, People, electric-cloud.com
dn: uid=jdoe, ou=People, dc=mycompany,dc=com
loginShell: /bin/bash
uidNumber: 508
gidNumber: 508
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
uid: jdoe
gecos: John Doe
cn: John
homeDirectory: /net/filer/homes/build

Also, you can configure the server to look for LDAP groups that refer to user accounts. A typical group record is shown below. Like a user account, an LDAP group has a distinguished name with a baseDn, a group base, and a group element. In this case, the base dn is still dc=mycompany,dc=com. The groupBase configuration element is ou=Group, and the group name is cn=build_users.

The server must identify records in the directory that correspond to groups—it does this by applying the groupMemberFilter to the records in the groupBase directory. In this case, group records are members of the posixAccount object class, so the filter can be set to objectClass=posixGroup. To display a group by its name, the server must know which attribute represents the group name. In this case, set the groupNameAttribute to cn.

Finally, the server needs a filter to determine which accounts belong to the group and the attribute name that represents a single group member. Group membership can be identified in one of two ways. Either the members are listed by account name, or by their LDAP distinguished name. In this case, POSIX group membership is determined by account name, so set the groupMemberAttributes property to memberUid, and set the groupMemberFilter to memberUid={1}.

Sample LDAP group record

# build_users, Group, mycompany.com
dn: cn=build_users,ou=Group,dc=mycompany,dc=com
objectClass: posixGroup
objectClass: top
gidNumber: 100
memberUid: jdoe
memberUid: mary
cn: build_users

Sample Active Directory configuration

The following XML element defines parameters needed to connect to an Active Directory server and the query to use for looking up user information.

<bean id="adDirectoryProvider"
      class="com.electriccloud.security.ldap.ActiveDirectoryProvider">
     <property name="providerName" value="ActiveDirectory"/>
     <property name="url" value="ldap://server/dc=company,dc=com"/>
     <property name="managerDn" value="cn=myuser,cn=Users,dc=company,dc=com"/>
     <property name="managerPassword" value="mypw"/>
     <property name="userBase" value="cn=Users"/>
     <property name="userSearchFilter" value="(sAMAccountName={0})"/>
     <property name="userSearchSubtree" value="false"/>
     <property name="userNameAttribute" value="sAMAccountName"/>
     <property name="fullUserNameAttribute" value="name"/>
     <property name="emailAttribute" value="userPrincipalName"/><!-- <property name="groupBase" value=""/> --> <!-- <property name="groupMemberFilter" value="member={0}"/> --><!-- <property name="groupMemberAttributes" value="member"/> --> <!-- <property name="groupSearchFilter"value="(objectClass=group)"/> --> <!-- <property name="groupNameAttribute" value="cn"/> -->
     <property name="pageSize" value="500"/>
</bean>
Disabling agents by default
Setting up email notification