Closed
Bug 1218928
Opened 9 years ago
Closed 8 years ago
sort out gaia-taskcluster credentials
Categories
(Taskcluster :: Services, defect)
Taskcluster
Services
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dustin, Assigned: dustin)
References
Details
Attachments
(4 files)
As we found out in bug 1218523, gaia-taskcluster is using the confusingly-named `taskcluster-github` clientId. That has `*`, but it looks like it only needs the gaia tree's scopes. So this is similar to bug 1216306
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → dustin
Assignee | ||
Comment 1•9 years ago
|
||
So looking at the source for gaia-taskcluster, this seems to be a version of mozilla-taskcluster that listens for GH pushes and pull requests instead of hg pushes. Note that it does not use assumeScopes to limit its scopes when creating a new task graph. It also loads its configuration from a file in S3 (!?) at s3://github-treeherder/production-v2.0.0.json, which can probably have scopes replaced by roles.
Assignee | ||
Comment 2•9 years ago
|
||
Here's the config file, stripped of secrets and keys. Joyfully, every tree has "*". I kid you not.
Assignee | ||
Comment 3•9 years ago
|
||
Dave, I see a bunch of bugzilla github repositories in here. Are you using TC to build/test those, or wast that just an experiement. If so, can you point me to the task descriptions so that I can limit the available scopes appropriately?
Flags: needinfo?(dkl)
Assignee | ||
Comment 4•9 years ago
|
||
Here are the scopes defined in the taskGraph.json in each of the repos: github.com/bugzilla/bugzilla github.com/dklawren/bugzilla github.com/lightsofapollo/gaia docker-worker:cache:gaia-misc-caches github.com/mozilla-b2g/gaia docker-worker:cache:gaia-tc-vcs docker-worker:cache:gaia-linux-cache docker-worker:cache:gaia-misc-caches docker-worker:image:quay.io/mozilla/raptor-tester:latest queue:define-task:aws-provisioner/gaia queue:create-task:aws-provisioner/gaia github.com/mozilla-b2g/gaia-email-libs-and-more github.com/mozilla/webtools-bmo-bugzilla I think we should drop the lightsofapollo/gaia repo. The gaia repo has a nice list of scopes, so that's cool. But the others are literally running with task.scopes = ["*"] which doesn't give much information about what they actually need. Selena, do you have an idea who I should talk to about gaia-email-libs-and-more? https://github.com/mozilla-b2g/gaia-email-libs-and-more/commits/master/taskgraph.json says James :/
Flags: needinfo?(sdeckelmann)
Comment 5•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #3) > Dave, I see a bunch of bugzilla github repositories in here. Are you using > TC to build/test those, or wast that just an experiement. If so, can you > point me to the task descriptions so that I can limit the available scopes > appropriately? We are still using them. We should have mozilla/webtools-bmo-bugzilla and bugzilla/bugzilla (all branches for both). When changes are committed to git.mozilla.org, they are mirrored to github and TaskCluster fires off new test runs. dkl
Flags: needinfo?(dkl)
Assignee | ||
Comment 6•9 years ago
|
||
Thanks Dave. Andrew, it looks like you've made most of the commits to gaia-email-libs-and-more. Do you know if the builds for that repo require any special TaskCluster scopes? Doing anything fancy in there? If not, my plan is to give each of these repos (except gaia) an empty list of scopes. For simple stuff, that's probably exactly right, but if you're using private docker images, direct audio/video device access, taskdroid/bitbar, or other restricted features, it will probably fail. If fail it does, let me know how and I'll add the necessary scopes. The idea is to limit things down from "god-like" to "just what is needed", not to actually prevent your tasks from running!
Flags: needinfo?(sdeckelmann) → needinfo?(bugmail)
Assignee | ||
Comment 7•9 years ago
|
||
Specifically, I'm going to define roles assume:repo:github.com/<org>/<repo>:branch:<branch> assume:repo:github.com/<org>/<repo>:pull-request to allow us to later make distinct scopes available to branches and random pull requests. I'll update the configuration file to contain those roles as appropriate for each repository, dropping the personal repos (dklwaren and lingsofapollo). I'll then configure gaia-taskcluster with assume:repo:github.com/* scheduler:create-task-graph which should be sufficient without being excessive.
Comment 8•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #6) > Andrew, it looks like you've made most of the commits to > gaia-email-libs-and-more. Do you know if the builds for that repo require > any special TaskCluster scopes? Doing anything fancy in there? We don't need any special TaskCluster scopes. The taskcluster stuff in there was :lightsofapollo helping me try and get my feet wet with taskcluster, but we never really caught taskcluster fever after the treeherder configuration bug went into limbo (bug 1089892). Feel free to strip scopes or disable taskcluster stuff for gaia-email-libs-and-more if that's appropriate. We're a month or two away from really ramping up our testing infra again; right now everything's busted.
Flags: needinfo?(bugmail)
Assignee | ||
Comment 9•9 years ago
|
||
Morgan, does this align pretty well with how tc-github will use roles? I'd like to be able to use the same roles for either application (TBH, it'd be great to see gaia-taskcluster eventually disabled in favor of tc-github).
Assignee | ||
Comment 10•9 years ago
|
||
And worth noting, github refuses to create repos with `/` or `:` in the repo name, so the suffixing in comment 7 is safe.
Assignee | ||
Comment 11•9 years ago
|
||
New config (again without secrets).
Assignee | ||
Comment 12•9 years ago
|
||
Well, queue:define-task:aws-provisioner/gaia queue:create-task:aws-provisioner/gaia were wrong - it's aws-provisioner-v1/gaia-decision now. That swallowed creation of a few decision tasks.
Assignee | ||
Comment 13•9 years ago
|
||
Also needed queue:route:gaia-taskcluster queue:route:tc-treeherder.gaia.*
Comment 14•9 years ago
|
||
Hrm, Will we need the treeherder scopes for any of the other repos? I think things like bmo-master report to treeherder
Assignee | ||
Comment 15•9 years ago
|
||
OK, I just added index:*, queue:*, scheduler:*, and docker-worker:* to the gaia role. There's layers of bugs and misconfigurations here :(
Assignee | ||
Comment 16•9 years ago
|
||
https://github.com/taskcluster/gaia-taskcluster/pull/2 will fix the weird treeherder scopes
Comment 17•9 years ago
|
||
Assignee | ||
Comment 18•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #16) > https://github.com/taskcluster/gaia-taskcluster/pull/2 will fix the weird > treeherder scopes This is landed and was used to run tests for attachment 8680762 [details] [review].
Assignee | ||
Comment 19•9 years ago
|
||
I did some analysis over in bug 1219864 to get the complete set of scopes and roles required for a gaia push. I added those to the roles (warts and all) and removed index:*, queue:*, scheduler:*, and docker-worker:*.
Assignee | ||
Updated•9 years ago
|
Attachment #8680762 -
Flags: review?(garndt)
Comment 20•9 years ago
|
||
Comment on attachment 8680762 [details] [review] [gaia] djmitche:remove-invalid-scopes > mozilla-b2g:master Comment left in the PR.
Attachment #8680762 -
Flags: review?(garndt) → review+
Assignee | ||
Comment 21•9 years ago
|
||
I removed the * from the gaia-taskcluster clientId role, and {"type":"create task graph error","queueName":"gaiathpv6","message":"Authorization Failed","body":{"message":"Authorization Failed","error":{"info":"None of the scope-sets was satisfied","scopesets":[["scheduler:route:gaia-taskcluster"]],"scopes":["assume:client-id:kd-b_FdrSJ-4Gr3FF4IOpA","scheduler:create-task-graph","assume:repo:github.com/*","queue:route:gaia-taskcluster","tc-treeherder.bugzilla-master.*","queue:route:tc-treeherder.bugzilla-master.*","queue:route:tc-treeherder.bugzilla-5_0.*","queue:route:tc-treeherder.bugzilla-4_4.*","queue:route:tc-treeherder.bugzilla-4_2.*","queue:route:tc-treeherder.bugzilla.*","queue:create-task:aws-provisioner-v1/b2gtest","queue:define-task:aws-provisioner-v1/b2gtest","tc-treeherder.bmo-master.*","queue:route:tc-treeherder.bmo-master.*","docker-worker:cache:gaia-tc-vcs","docker-worker:cache:gaia-linux-cache","docker-worker:cache:gaia-misc-caches","docker-worker:image:quay.io/mozilla/raptor-tester:latest","queue:create-task:aws-provisioner-v1/gaia-decision","queue:create-task:aws-provisioner/gaia","queue:define-task:aws-provisioner/gaia","queue:route:tc-treeherder.gaia.*","queue:create-task:aws-provisioner-v1/gaia","docker-worker:image:taskcluster/gaia-taskenv*","docker-worker:image:quay.io/mozilla/gaia-taskenv:*","index:insert-task:gaia.npm_cache.*","queue:create-artifact:public/node_modules.tar.gz"]}}} which, yeah, something is looking for `scheduler:route:gaia-taskcluster`, which isn't even a thing.
Assignee | ||
Comment 22•9 years ago
|
||
Ah, it IS a thing, and the graph-level route `gaia-taskcluster` is set on every task-graph it generates, so I'll add it to the gaia-taskcluster clientId's role.
Comment 23•9 years ago
|
||
Commit (master): https://github.com/mozilla-b2g/gaia/commit/db409c9d8c3094c3329fed2131df3c65d67842e3 Fixed.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Comment hidden (Intermittent Failures Robot) |
Assignee | ||
Comment 25•9 years ago
|
||
Sorry, didn't want to close this just yet. Once those changes are reliably deployed, I need to remove some scopes. :aus, do you have an idea how long I'd need to wait? After I remove the scopes, basically any commit prior to what you've landed won't build in TC anymore. That said, the scopes aren't hurting anything (referring to non-existent resources) so it's OK to wait quite a while.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Updated•9 years ago
|
Flags: needinfo?(aus)
Comment 26•9 years ago
|
||
I think you could remove them today. This change is now in use by most repos that run the gaia tests.
Flags: needinfo?(aus)
Comment hidden (Intermittent Failures Robot) |
Assignee | ||
Comment 28•9 years ago
|
||
--- repo:github.com/mozilla/webtools-bmo-bugzilla:*.old +++ repo:github.com/mozilla/webtools-bmo-bugzilla:*.new @@ -1,4 +1,3 @@ queue:define-task:aws-provisioner-v1/b2gtest queue:route:gaia-taskcluster queue:route:tc-treeherder.bmo-master.* -tc-treeherder.bmo-master.* --- repo:github.com/mozilla-b2g/gaia:*.old +++ repo:github.com/mozilla-b2g/gaia:*.new @@ -1,15 +1,10 @@ docker-worker:cache:gaia-linux-cache docker-worker:cache:gaia-misc-caches docker-worker:cache:gaia-tc-vcs -docker-worker:image:quay.io/mozilla/gaia-taskenv:* -docker-worker:image:quay.io/mozilla/raptor-tester:latest -docker-worker:image:taskcluster/gaia-taskenv* index:insert-task:gaia.npm_cache.* queue:create-artifact:public/node_modules.tar.gz queue:create-task:aws-provisioner-v1/gaia queue:create-task:aws-provisioner-v1/gaia-decision -queue:create-task:aws-provisioner/gaia -queue:define-task:aws-provisioner/gaia queue:route:gaia-taskcluster queue:route:tc-treeherder.gaia-master.* queue:route:tc-treeherder.gaia.*
Assignee | ||
Updated•9 years ago
|
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Comment 29•9 years ago
|
||
Assignee | ||
Comment 30•9 years ago
|
||
^^ the PR is because there was one lingering docker-worker:image scope that was hard-coded into a task description. I've re-added the scope: --- repo:github.com/mozilla-b2g/gaia:*.old +++ repo:github.com/mozilla-b2g/gaia:*.new @@ -1,6 +1,7 @@ docker-worker:cache:gaia-linux-cache docker-worker:cache:gaia-misc-caches docker-worker:cache:gaia-tc-vcs +docker-worker:image:quay.io/mozilla/gaia-taskenv:* index:insert-task:gaia.npm_cache.* queue:create-artifact:public/node_modules.tar.gz queue:create-task:aws-provisioner-v1/gaia and we can remove that in a month or so when everyone's base trees have been updated.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Updated•9 years ago
|
Attachment #8682201 -
Flags: review?(jopsen)
Comment 31•9 years ago
|
||
Comment on attachment 8682201 [details] [review] [gaia] djmitche:bug1218928-eslint > mozilla-b2g:master Land if test pass.. looks good to me. Let's remove the scope from the repo:... role in about 30 days, then we don't have to annoy people by sending out an email saying we're removing this useless scope :)
Attachment #8682201 -
Flags: review?(jopsen) → review+
Comment 33•9 years ago
|
||
Deployed to heroku just now. No decision tasks are getting scheduled, I've rolled out in case this is the reason, and will continue to investigate by tailing logs etc.
Assignee | ||
Comment 34•9 years ago
|
||
Pete says he just deployed the patch from comment 16 (from 7 days ago) but I'm reasonably certain I deployed that when it got review, since I later removed the "tc-treeherder.*" scope which it required. gaia-taskcluster is not starting in heroku right now, though.
Assignee | ||
Comment 35•9 years ago
|
||
To confirm, pete re-deployed the same rev I did a week ago: pmoore@mozilla.com: Deployed 8e0db1a about an hour ago v107 Compare diff pmoore@mozilla.com: Build succeeded about an hour ago View build log dustin@mozilla.com: Deployed 8e0db1a 7 days ago v106 ---- https://gaia-taskcluster.herokuapp.com/ loads (it returns a 404, but it loads), so I think that the logging regarding heroku/web.* exiting is probably normal -- occurring when heroku shuts down the old version of the app after starting the new. ---- So, nothing to do here but wait to remove the roles jonas mentioned in comment 31.
Comment 36•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #35) > To confirm, pete re-deployed the same rev I did a week ago: > > > pmoore@mozilla.com: Deployed 8e0db1a > > about an hour ago v107 Compare diff > > pmoore@mozilla.com: Build succeeded > > about an hour ago View build log > > dustin@mozilla.com: Deployed 8e0db1a > > 7 days ago v106 > > ---- > > https://gaia-taskcluster.herokuapp.com/ loads (it returns a 404, but it > loads), so I think that the logging regarding heroku/web.* exiting is > probably normal -- occurring when heroku shuts down the old version of the > app after starting the new. > > ---- > > So, nothing to do here but wait to remove the roles jonas mentioned in > comment 31. Strange, at the time I checked currently deployed version with `git ls-remote git@heroku.com:gaia-taskcluster.git master` and it told me it was on: 205b4a4bbee8b82945a3d27088f8f2dbe38f3f71 refs/heads/master so then I did a push, to bring it up to 8e0db1a302bdd44222618f1678be20a8a4c56ad5. I think if I'd pushed and it was already on 8e0db1a then the push would have been a noop and there wouldn't have been a new deployment? Anyway, one of those mysteries probably not worth investing time in solving... I have no explanation! I can only say what I saw in my console. :)
Comment 37•9 years ago
|
||
Is this bug good for closing now?
Assignee | ||
Comment 38•9 years ago
|
||
> So, nothing to do here but wait to remove the roles jonas mentioned in comment 31.
Assignee | ||
Comment 39•9 years ago
|
||
I just adjusted the dev clientId ('client-id:sldk46fxR2CdSbiw2OR-4Q') to match the production ('client-id:kd-b_FdrSJ-4Gr3FF4IOpA').
Assignee | ||
Comment 40•9 years ago
|
||
Scope deleted.
Status: REOPENED → RESOLVED
Closed: 9 years ago → 9 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 41•9 years ago
|
||
That didn't work, so I re-added docker-worker:image:quay.io/mozilla/gaia-taskenv:* https://github.com/mozilla-b2g/gaia/pull/32953 never landed
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 42•9 years ago
|
||
mhenretty is merging that for me, so we wait another 30 days :)
Comment 43•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #41) > https://github.com/mozilla-b2g/gaia/pull/32953 never landed landed in master: https://github.com/mozilla-b2g/gaia/commit/0ab1e2003f1be2fc10d7019a886811589b161fa3
Assignee | ||
Comment 44•8 years ago
|
||
OK, let's try it again!
Assignee | ||
Comment 45•8 years ago
|
||
No pings over broken decision tasks, yay!
Status: REOPENED → RESOLVED
Closed: 9 years ago → 8 years ago
Resolution: --- → FIXED
Updated•5 years ago
|
Component: Authentication → Services
You need to log in
before you can comment on or make changes to this bug.
Description
•