3.1   Jenkins (ci.lsst.codes)¶

Control (the “jenkins-master” node) is hosted in the Elastic Computing Cloud (EC2) in Amazon Web Services (AWS); this serves the Jenkins UI at https://ci.lsst.codes.

Workers are “agent-ldfc” pods running on the NCSA k8s-devel Kubernetes (K8s) cluster. They make up a StatefulSet called “agent-ldfc”. (These pods may have been configured using Terraform somewhere but almost certainly have had many manual changes not reflected in the original Terraform.) Each pod is composed of a docker-in-docker container (https://github.com/lsst-sqre/docker-dind/), a docker-gc container that cleans up old docker containers and images (https://github.com/lsst-sqre/docker-docker-gc), and the main swarm container (https://github.com/lsst-sqre/docker-jenkins-swarm-client) that actually communicates with the Jenkins central control and executes pipelines. The pods use disk space at /project/jenkins/prod, with each subdirectory allocated as a separate PV in K8s. This space is located on GPFS at NCSA, but it is mounted via NFS from lsst-nfs.ncsa.illinois.edu in order to protect the filesystem from potential problems caused by the use of root in the Jenkins containers.

Workers are also installed on macOS machines located in the Tucson AURA headquarters machine room. These machines are named mac1-6.lsst.cloud. The Jenkins UI is used to start and configure workers on these machines, launching agents via ssh to the “square” account using credentials stored in the “sqre-osx” Jenkins secret.

There is a final “snowflake” worker used for release builds that also runs in EC2.

3.2   eups.lsst.codes¶

The primary publication location for the eups distribution server is a Simple Storage Service (S3) bucket at AWS. Publication occurs in certain pipelines via the “aws s3 cp” command using credentials stored in the “aws-cmirror-push” Jenkins secret. This command is obtained from the lsstsqre/awscli:latest container, which is in turn built from a Dockerfile in lsst-sqre/docker-awscli by the monthly-triggered sqre/infra/build-awscli Jenkins job.

The data in that bucket is replicated via code in https://github.com/lsst-sqre/terraform-scipipe-publish/tree/master/s3sync to a Persistent Disk filesystem attached to a deployment in Google Kubernetes Engine (GKE) at Google Cloud Platform (GCP).

The GKE deployment runs a vanilla Apache container as specified in https://github.com/lsst-sqre/terraform-scipipe-publish/blob/master/tf/modules/pkgroot/pkgroot-deploy.tf along with an nginx ingress in order to support HTTPS. The result is https://eups.lsst.codes.

3.3   hub.docker.com¶

The primary publication location for Docker containers is DockerHub at hub.docker.com. Containers are published using credentials stored in the “dockerhub-sqreadmin” Jenkins secret. The same containers are published to Google Artifact Registry at GCP using credentials stored in the “google_archive_registry_sa” Jenkins secret.

3.4   GitHub¶

Release pipelines tag GitHub repositories to clearly designate what versions of the source code were incorporated into a release build. These tagging operations use lsst-sqre/codekit as well as credentials in the “github-api-token-sqreadmin” Jenkins secret.

3.5   GitHub Actions¶

GitHub Actions (GHA) workflows in each repository are used to perform simple “lint”-style syntax checking and in certain cases more extensive tests. Because each Science Pipelines package typically depends on many others, and because they frequently change together as well as separately, it is not considered feasible to have per-repository GHA workflows build and test each package.

3.6   LSST-the-Docs¶

Certain pipelines publish documentation via the LSST-the-Docs system. Credentials for this are in the “ltd-mason-aws” and “ltd-keeper” Jenkins secrets.

3.7   Slack¶

Most pipelines publish notifications of start, success, and failure to Slack channels using a custom Groovy library that uses the Slack API. Credentials for this are in the “ghslacker” Jenkins secret.

3.8   SQuaSH¶

Release pipelines measure certain metrics based on applying the Science Pipelines code to known data. These metrics are pushed to a metrics dashboard system known as SQuaSH using the lsst/verify framework. This framework takes credentials for an API endpoint which are stored in the “squash-api-user” Jenkins secret.

3.9   conda-forge¶

The third-party dependencies (Python and C++) of the Science Pipelines are, to the extent possible, installed in a conda environment via the rubin-env metapackage from the conda-forge channel. conda-forge is used because it has strong policies around maintaining consistency and interoperability of the packages it publishes.

Matthew Becker takes weekly and official releases of the Science Pipelines and builds them into a single conda-forge package called “stackvana”.

3.10   CernVM-FS¶

CernVM-FS is a globally-distributed, locally-cached read-only shared POSIX filesystem. CC-IN2P3 takes tagged weekly and official release source packages in the eups distribution server and rebuilds them into a binary “stack” installation in CernVM-FS, including a base rubin-env conda environment and an extended one with additional convenience packages. Singularity container images are also produced and stored in this system. Other artifacts could be similarly published.

As a shared filesystem, it is easy to ensure that developer systems and batch poroduction worker systems share the same view of the software to be executed. This makes CernVM-FS an attractive software distribution mechanism for user-level applications that do not need the OS-level package and isolation that containers provide. Note that while it is not a container registry per se, as mentioned, container images can still be usefully disseminated via CernVM-FS.

3.11   lsst-sqre/ci-scripts¶

This repo contains four scripts:

• create_xlinkdocs.sh runs the doxygen build for the entire stack, resulting in doxygen.lsst.codes. It is invoked by lsstswBuild.sh.
• jenkins_wrapper.sh translates from Jenkins-specified environment variables to script arguments for lsstswBuild.sh. It executes deploy from lsstsw to prepare the build tree and environment.
• lsstswBuild.sh invokes envconfig from lsstsw to initialize the conda environment and then invokes rebuild to actually perform the build. If successful, it runs the doxygen build using create_xlinkdocs.sh.
• run_verify_drp_metrics.sh sets up the code in faro and a dataset and then runs a dataset-dependent script to generate metrics by analyzing the results of running pipeline algorithms on that dataset. This is triggered by the “verify_drp_metrics” post-release job in Jenkins.

3.12   lsst/lsstsw¶

This repo contains code that was originally intended to handle the process of publishing source and binary tarball packages to the eups distribution server. It has since expanded to be a more general-purpose multi-package build tool for the Science Pipelines. Information on it is available in https://developer.lsst.io/stack/lsstsw.html

The primary scripts here are:

• deploy, which installs needed code including conda, the rubin-env environment, and the lsst_build tool.
• rebuild, which uses lsst_build to prepare eups package sources and then build them.
• publish, which takes an existing eups installation and creates distribution server packages, tag files, and environment listings in a separate directory. This “distribution server” directory is ready to be mirrored to the real Web-hosted distribution server.

Some configuration information for the scripts is contained in etc/settings.cfg.sh. The etc/manifest.remap file must contain the names of all packages that use Git LFS, as they cannot be packaged normally by eups. etc/exclusions.txt is likely vestigial.

The lsst/versiondb repo is used to maintain records of the versions of packages that have had builds attempted. See the README file in lsst/lsst_build for more information.

3.13   lsst/lsst_build¶

This repo is used by lsst/lsstsw. It contains Python code to rapidly clone all of the packages needed to build a Science Pipelines product, given the git repository configuration in lsst/repos, check out appropriate git refs in each clone, and then invoke eupspkg to build them if needed.

3.14   lsst/lsst¶

This repo contains the newinstall.sh and lsstinstall scripts that create the appropriate environment for using eups distrib to install Science Pipelines packages, either from source or from binary tarballs. They install conda, the rubin-env environment, and configure an eups “stack” location, and they create a script that can be sourced to activate this environment in a shell.

3.15   eups, eupspkg, and eups distrib¶

eups is the package manager used by the Science Pipelines. It enables flexible combinations of versions of packages, including under-development versions. Some information about it is available at https://developer.lsst.io/stack/eups-tutorial.html

eupspkg is the tool within eups that builds source and binary packages. It has extensive documentation in a docstring within https://github.com/RobertLuptonTheGood/eups/blob/master/python/eups/distrib/eupspkg.py Note that there are two kinds of source packages: “git” and “package”. “git” packages merely refer to a particular repo and so use much less space on the distribution server but somewhat more space on the installing client. “package” packages include a complete copy of the source code, so they use much more space on the distribution server but less space on the client.

eups distrib is an independent module within eups that handles interactions with a distribution server that provides source and/or binary packages. There are several types, but we currently use only the eupspkg variety, as specified in https://eups.lsst.codes/stack/src/config.txt Note that the binary tarball servers also have similar configuration files, such as https://eups.lsst.codes/stack/osx/10.9/conda-system/miniconda3-py38_4.9.2-2.0.0/config.txt

3.16   sconsUtils¶

sconsUtils is the library of code used with the scons build tool that customizes it for Science Pipelines use. It standardizes handling of C++ and Python code as well as documentation, tests, and eups packaging information. In addition to package dependencies from eups table files, it also uses special ups/*.cfg files to track dependency information, particularly for C++. (However dependency information for C++-accessible shared libraries in the rubin-env conda environment is obtained from sconsUtils/configs, not from ups directories.)

4.1   newinstall¶

The “newinstall” container contains the conda environment used for the Science Pipelines. Since this environment changes much less frequently than the Science Pipelines code, it saves time and space to have it as a base container. This container is built by the “sqre/infra/build-newinstall” job, which is triggered on updates to the “lsst/lsst” GitHub repository or manually whenever desired. Typically it would be triggered when a new build becomes available of the rubin-env conda environment that might fix a (temporary) problem in a previous container build.

Note that the build-newinstall job builds the version of the rubin-env environment that is specified in etc/scipipe/build-matrix.yaml, not the default in newinstall itself. The container is pushed with a tag containing that version, as well as a “latest” tag that is typically enabled.

4.2   centos¶

The “centos” container contains the LSST Science Pipelines code in “minimized” form. The lsst-sqre/docker-tarballs Dockerfile is used to install a “stack” from binary tarballs and then to strip out debugging symbols, test code, documentation in HTML and XML form, and C++ source code. The “shebangtron” script that fixes “#!” lines in Python scripts is also executed.

4.3   sciplat-lab¶

Jenkins used to build the sciplat-lab containers used by the Rubin Science Platform directly, but it now merely triggers a certain GitHub Action using the “github-api-token-sqreadmin” credentials.

5.1   Bootstrap¶

5.2   Science Pipelines builds¶

These build pipelines do not publish artifacts, but the extended integration test run by some of them do publish metrics.

5.3   Container builds¶

5.4   Administrative tasks¶

5.5   Release builds¶

These builds also publish doxygen output to doxygen.lsst.codes.

5.6   Release build components¶

5.7   Triggered post-release jobs¶