AWS CodeBuild Operations: Difference between revisions
| Line 13: | Line 13: | ||
====Build badge==== | ====Build badge==== | ||
For more details about the build badge, see Select [[AWS_CodeBuild_Concepts#Build_Badge|AWS CodeBuild Concepts - Build Badge]]. | For more details about the build badge, see Select [[AWS_CodeBuild_Concepts#Build_Badge|AWS CodeBuild Concepts - Build Badge]]. | ||
====Tags==== | |||
==Source== | ==Source== | ||
Revision as of 19:31, 27 February 2019
Internal
Create a Build Project
Project configuration
Project name
Description
Build badge
For more details about the build badge, see Select AWS CodeBuild Concepts - Build Badge.
Tags
Source
Source provider: GitHub
Repository in my GitHub account.
Additional configuration
Git clone depth: 1
Primary source webhook events
Webhook - Rebuild every time a code change is pushed to this repository. Enable and experiment with that.
Environment
Environment image: Managed image
Operating system: Ubuntu
Runtime: Java
Runtime version: aws/codebuild/java:openjdk-8
The Java runtime may have an obsolete Gradle version. If that is the case, initialize your project with gradlew and configure the buildspec file to use ./gradlew to build the project.
Privileged: Enable this flag if you want to build Docker images or want your builds to get elevated privileges
Service role:
For the implications on the build process of correctly configuring the service role, see:
Allow AWS CodeBuild to modify this service role so it can be used with this build project. If selected, the console configuration code updates the role so it contains the appropriate policies.
If you get:
The policy's default version was not created by enhanced zero click role creation or was not the most recent version created by enhanced zero click role creation.
unselect "Allow AWS CodeBuild to modify ..."
Environment variables:
For more details see:
No user environment variables can start with CODEBUILD_
Name: CODEBUILD_SOURCE_VERSION, Value: "unity" (for GitHub, this is the branch name to be uses)
For personal account:
- Name: AWS_ACCESS_KEY Value: ...
- Name: SK Value: TBD
For shared build account:
- Name: AWS_ACCESS_KEY_ID
- Name: AWS_SECRET_ACCESS_KEY
Additional Configuration
Timeout: 20 minutes.
Buildspec
Use a buildspec file.
Specify name of the file, if not buildspec.yml,
Artifacts
Logs
CloudWatch
Select CloudWatch logs.
Group Name: /playground
Stream Name: ops-unity-build
You must enable CloudWatch logging if you want any kind of build logs, including the "console" log.
Run a Build Project
Run Build
Source version: unity
Environment variables override:
SK:
Start Build
Build an AWS CodeBuild Docker Image
This procedure documents the process of creating a custom environment image.
git clone git@github.com:aws/aws-codebuild-docker-images.git cd aws-codebuild-docker-images/ubuntu/java/openjdk-8 docker build -t aws/codebuild/java:openjdk-8 . docker images REPOSITORY TAG IMAGE ID CREATED SIZE aws/codebuild/java openjdk-8 5490a2e1223f 2 minutes ago 1.6GB
If custom build images need to be able to interact with Docker - for creating Docker images, for example -, the Docker server must be started manually in the build specification, as shown below.
Amend the Build Specification to Explicitly Start the Docker Daemon
In case of custom environment images, even those based on an AWS CodeBuild image, built as shown above, the docker daemon must be started explicitly in the build specification. This has to be done even if the "privileged build" flag is enabled, the docker daemon must be started explicitly in build spec - it is not started automatically as in the case of AWS-provided environment images.
This sequence works for Ubuntu-based images:
version: 0.2
...
phases:
install:
commands:
- nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2&
- timeout 15 sh -c "until docker info; do echo .; sleep 1; done"
build:
...
Troubleshooting
Generic troubleshooting advice:
ECR AccessDeniedException
An error occurred (AccessDeniedException) when calling the GetAuthorizationToken operation: User: arn:aws:iam::673499572719:user/codebuild-p2 is not authorized to perform: ecr:GetAuthorizationToken on resource: *
Add ecr:GetAuthorizationToken for the user in question to the build role. These are extremely lax permissions, it could be further tightened up:
{
...
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ecr:*",
"Resource": "*"
}