How to deploy Bluval for ICN in private Jenkins instance

Integrated Cloud Native

The following instructions assume the user executes all commands as root, to facilitate development and reduce the length of these instructions.
For a production deployment, adaptations should be made to reduce the need for privilege escalation, as well as evaluate security as top-priority.


  • There are a total of two machines.
  • The first machine includes Jenkins, the Kubernetes master nodes node and the first worker node.
  • The second machine only includes the second worker node.


Start by installing basic dependencies:

apt-get installremove -y python build-essential-pip
apt-get install -y python python-bashate build-essential


cd ~
git clone ""
cd icn/ci

(optional) Update Jenkins to the latest version available (2.238 at time of writing):

sed -i "s/2.192/\"2.238241\"/" vars.yaml

Install Jenkins using Ansible playbook:

pip install -U ansible
ansible-playbook site_jenkins.yaml --extra-vars "@vars.yaml" -vvv

Basic Jenkins Job Builder (JJB) configuration using admin/admin credentials:


Access the web UI and add the jenkins-ssh credentials to communicate with Gerritgerrit.
Quick link: http://localhost:8080/credentials/store/system/domain/_/newCredentials.


  • Kind: "Global (...)"
  • ID: "jenkins-ssh"
  • Username: USERNAME"
  • Private key: here, paste the private key respective to the public key that has been uploaded for USERNAME at Gerritgerrit.

Since this documentation is for ICN, ICN Jenkins devs/maintainers should contact the ICN team to get the current private key.


cp ~/.ssh/id_rsa /var/lib/jenkins/jenkins-rsa
chown jenkins:jenkins /var/lib/jenkins/jenkins-rsa
chmod 600 /var/lib/jenkins/.netrc

This keypair is also going to be used for accessing the Akraino and ONAP repositories as non-privileged accounts (for basic operations such as cloning a repository).
As such, the public key ~/.ssh/ just generated should be uploaded to the Akraino and ONAP accounts to be used.


echo "machine login USERNAME password PASSWORD" | tee /var/lib/jenkins/.netrc
chown jenkins:jenkins /var/lib/jenkins/.netrc

Also needed to upload Bluval logs is the lftools python3 package, install it:


cd ~
git clone --recursive ""

The following is temporary until patch gets merged by the validation team.

sed -i 's/ssh:\/\/\/\/\/igordcard/' ci-management/jjb/defaults.yaml

Let's finally get Jenkins to recognize the Bluval job (install JJB):

pip install jenkins-job-builder
python2 -m jenkins_jobs test ci-management/jjb:icn/ci/jjb icn-bluval-daily-master
python2 -m jenkins_jobs update ci-management/jjb:icn/ci/jjb icn-bluval-daily-master


Likewise, the master node should also trust root @ the worker nodes (only 1 other worker node in this guide). SSH to it them and accept the connection to persist the fingerprint in in ~/.ssh/known_hosts. This trust will be needed for Ansible to install the Kubernetes cluster (powered by KUD).


At the master node (where Jenkins is already installed at this point), download KUD source code with Kubernetes 1.16 patch (this guide should be update once this patch is merged):

cd ~
apt-get install -y git-review
git clone ""
cd k8s
git remote add gerrit review -s
git review -d 106869igordc

Replace all localhost references with $HOSTNAME in KUD's


vim kud/hosting_providers/baremetal/

Specifically... specifically, the only change for this guide's dual-node deployment is to add the worker node details to the [all] and [kube-node] groups, as follows:


vim kud/hosting_providers/vagrant/

The ... specifically, the following lines (near the end of the file) can be commented, as such:

# install_addons
# if ${KUD_PLUGIN_ENABLED:-false}; then
# install_plugin
# fi

Add ansible_user=root at the end of each host line in [all], it should look like this (this is required when jenkins attempts to install KUD):

$HOSTNAME ansible_ssh_host=${OVN_CENTRAL_IP_ADDRESS} ansible_ssh_port=22 ansible_user=root
WORKER_NODE_HOSTNAME ansible_ssh_host=WORKER_NODE_IPADDR ansible_ssh_port=22 ansible_user=root

(optional) Finally install Kubernetes with KUD (ansible will automatically install it in the worker node too):


The above step is optional because the ICN Jenkins Bluval job is now capable of installing and uninstalling KUD automatically. This is done before and after running the Bluval suite, respectively. However, what's mandatory is copying both and files above into /var/lib/jenkins:

cp kud/hosting_providers/baremetal/ /var/lib/jenkins/
cp kud/hosting_providers/vagrant/ /var/lib/jenkins/
chown jenkins:jenkins /var/lib/jenkins/
chown jenkins:jenkins /var/lib/jenkins/

Also necessary, for the time being, is copying the /var/lib/jenkins/jenkins-rsa private key into jenkins's own .ssh:

cd /var/lib/jenkins/.ssh
rm id_rsa*
cp ../jenkins-rsa id_rsa
chown jenkins:jenkins id_rsa

Remove libvirt and the virtual bridges it creates (this will be fixed in the future), as they create a security vulnerability in os/lynis:

apt-get purge -y $(apt-cache depends libvirt-bin qemu-kvm| awk '{ print $2 }' | tr '\n' ' ')
apt-get autoremove --purge -y
ip link delete dev virbr0
ip link delete dev virbr0-nic

(optional - Jenkins will take care of this too) A few fixes have to be applied to Kubernetes to address kube-hunter security vulnerabilities. Execute the following commands:

kubectl replace -f - << EOF
kind: ClusterRole
  name: pod-reader
  annotations: "false"
  labels: rbac-defaults
  name: system:public-info-viewer
- nonResourceURLs:
  - /livez
  - /readyz
  - /healthz
  - get
kubectl replace -f - << EOF
apiVersion: v1
kind: ServiceAccount
  name: default
automountServiceAccountToken: false

At this point, everything is ready. Jump over to http://localhost:8080, log-in using admin/admin credentials and create a new build for icn-bluval-daily-master.

For the build, here are the recommended parameters to set according to the deployment herein outlined as well as to conform to upstream Bluval logging requirements:

CLUSTER_SSH_KEY: /var/lib/jenkins/jenkins-rsa
LAYER: <empty>
VERSION: master
OPTIONAL: nofalse
PULL: yestrue

And pull the trigger.

Total time to run should be anywhere from 2 1.5 to 3 hours on an average server-grade dual-node with good Internet connection (~90% of the time will be spent running the k8s layer conformance testing [sonobuoy]).

The easiest way to check what logs have been uploaded to the Nexus is by opening loading the following URL:


Task download mitogen release failed

TASK [download mitogen release] ************************************************
task path: /opt/kubespray-2.12.6/mitogen.yaml:17
Thursday 29 October 2020 18:51:30 +0000 (0:00:00.385) 0:00:00.491 ******
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: TypeError: load_file_common_arguments() got an unexpected keyword argument 'path'
fatal: [localhost]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n File \"<stdin>\", line 113, in <module>\n File \"<stdin>\", line 105, in _ansiballz_main\n File \"<stdin>\", line 48, in invoke_module\n File \"/tmp/ansible_get_url_payload_40xmhT/\", line 650, in <module>\n File \"/tmp/ansible_get_url_payload_40xmhT/

...\", line 633, in main\nTypeError: load_file_common_arguments() got an unexpected keyword argument 'path'\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
to retry, use: --limit @/opt/kubespray-2.12.6/mitogen.retry

This error occurs in the get_url module of ansible.  Purging the system of ansible resolved it.  Note that simply uninstalling ansible is insufficient, ansible-base must be uninstalled also.

pip uninstall ansible-base
pip uninstall --yes ansible
