Closed
Bug 1231320
Opened 9 years ago
Closed 9 years ago
Taskcluster builds don't contain necessary API keys
Categories
(Taskcluster :: General, defect)
Taskcluster
General
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: glandium, Assigned: dustin)
References
Details
Attachments
(3 files, 1 obsolete file)
This appears when comparing buildbot builds and taskcluster builds on m-i. nsURLFormatter.js differs on the value it receives for MOZILLA_API_KEY and GOOGLE_API_KEY, where taskcluster builds get the default "no-<something>-api-key" instead of an actual key. IIRC try builds aren't supposed to get the API keys, but m-i builds are (and, obviously, nightlies and releases are too). There are more API keys, too, but I'm not sure which builds receive which. As a matter of fact, that m-i builds don't get them all seems like a (separate) bug to me.
Anyways, the way they are given to builds is through .key files in /builds on the buildbot slaves. The path for these files is hardcoded in the various mozconfigs, and essentially are:
ac_add_options --with-google-api-keyfile=/builds/gapi.data
ac_add_options --with-google-oauth-api-keyfile=/builds/google-oauth-api.key
ac_add_options --with-mozilla-api-keyfile=/builds/mozilla-desktop-geoloc-api.key
Reporter | ||
Comment 1•9 years ago
|
||
Note this only affects opt builds ; debug builds don't use those.
Assignee | ||
Comment 2•9 years ago
|
||
It would be great to add some checks for these missing keys that we enable in automation.
Assignee: nobody → dustin
Reporter | ||
Comment 3•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #2)
> It would be great to add some checks for these missing keys that we enable
> in automation.
Yeah, we should make configure hard fail when passed non-existing files for --with-*-api-keyfile. That would however turn TC builds perma-orange until this bug is fixed.
Assignee | ||
Comment 4•9 years ago
|
||
Yeah, I think we can fix this with the secrets API.
Assignee | ||
Comment 5•9 years ago
|
||
16:30:47 INFO - cat: /builds/mozilla-desktop-geoloc-api.key: No such file or directory
16:30:47 INFO - cat: /builds/gapi.data: No such file or directory
16:30:47 INFO - cat: /builds/google-oauth-api.key: No such file or directory
16:30:47 INFO - cat: /builds/google-oauth-api.key: No such file or directory
I think if we just make those fatal (along with the bing key) that will at least prevent this occurring mysteriously!
Assignee | ||
Comment 6•9 years ago
|
||
OK, I have a patch that fails out with
19:19:00 INFO - configure: error: --with-mozilla-api-keyfile file /builds/mozilla-desktop-geoloc-api.key not found
19:19:00 INFO - *** Fix above errors and then restart with\
19:19:00 INFO - "/usr/bin/gmake -f client.mk build"
now to fix it :)
Assignee | ||
Comment 8•9 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/28995/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/28995/
Attachment #8701603 -
Flags: review?(mh+mozilla)
Reporter | ||
Comment 9•9 years ago
|
||
Comment on attachment 8701603 [details]
MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
https://reviewboard.mozilla.org/r/28995/#review25875
Attachment #8701603 -
Flags: review?(mh+mozilla) → review+
Updated•9 years ago
|
Blocks: tc-linux-debug-tier1
Assignee | ||
Comment 10•9 years ago
|
||
Still waiting on being able to get secrets from a task (the rabbit city in comment 7). But thankfully not blocking making these builds tier-2.
Assignee | ||
Comment 11•9 years ago
|
||
I'd like to find a fairly generic way to accomplish the download of these secrets. I don't see a smooth way to make this easy for developers trying to run the tasks at home, since http://taskcluster/secrets won't be available. Ideally that could just be skipped for non-TC builds in the docker image, but then the patch above will cause those builds to fail. I suspect that for the moment I shouldn't worry about it, as we need to come up with a more general solution to supporting docker runs at home.
Assignee | ||
Comment 12•9 years ago
|
||
I'm going to operate on the assumption that devs generally won't have --with-mozilla-api-keyfile in their mozconfigs, so attachment 8701603 [details] won't be a major PITA. For the less common case of builds at home in the docker image, we'll be using nightly mozconfigs by default so the files will need to exist.
In that case, I think I can write a bit of scripty magic that tries to resolve `taskcluster` to determine whether it's running in a task container (Greg: or would it be better to look for TASK_ID?). If so, it will get the secrets and write out the files. If not, it will put up a nice error message instructing the user to put those secrets into env vars, which it will write out.
Because the secrets files are in /builds, they aren't in a docker-worker cache, and anyway often people running the docker images at home don't set up the same caches, so I think the env var input is the easiest.
Objections to this plan?
Flags: needinfo?(garndt)
Comment 13•9 years ago
|
||
We currently inject task_id and run_id so I think checking for the presence of those would be ok. I don't think our run locally scripts include those env variables and I doubt devs would inject them locally so it might be safe to assume that if those exist, it's running within taskcluster.
Flags: needinfo?(garndt)
Reporter | ||
Comment 14•9 years ago
|
||
Random thought: Why not setup a public equivalent of the service giving out secrets, that would give out valid but useless data?
Assignee | ||
Comment 15•9 years ago
|
||
I think that might cause more confusion than help.
Assignee | ||
Comment 16•9 years ago
|
||
Assignee | ||
Comment 17•9 years ago
|
||
I added `secrets:get:project/releng/gecko/build/api-keys` to the `moz-tree:level:1` role, but forgot to add it to the task definitions, so that try job will fail. But that's OK -- it will be good to test the failure modes.
Assignee | ||
Comment 18•9 years ago
|
||
Assignee | ||
Comment 19•9 years ago
|
||
Assignee | ||
Comment 20•9 years ago
|
||
Assignee | ||
Comment 21•9 years ago
|
||
Assignee | ||
Comment 22•9 years ago
|
||
Assignee | ||
Comment 23•9 years ago
|
||
Assignee | ||
Comment 24•9 years ago
|
||
Assignee | ||
Comment 25•9 years ago
|
||
Assignee | ||
Comment 26•9 years ago
|
||
Comment on attachment 8701603 [details]
MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/28995/diff/1-2/
Attachment #8701603 -
Attachment description: MozReview Request: Bug 1231320: fail configure when api keyfiles do not exist; r?glandium → MozReview Request: Bug 1231320: fail configure when api keyfiles do not exist; r=glandium
Assignee | ||
Comment 27•9 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/34791/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/34791/
Attachment #8718903 -
Flags: review?(mh+mozilla)
Assignee | ||
Comment 28•9 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/34793/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/34793/
Attachment #8718904 -
Flags: review?(armenzg)
Assignee | ||
Comment 29•9 years ago
|
||
The last try job was successful in downloading the API files, and beginning to build, but I've used fake keys. Hopefully it has the key - how can I verify that?
Remaining to do here:
* set this up so that it *doesn't* run on try pushes
* move the secret permission to moz-tree:level:2
* install actual secrets
Comment 30•9 years ago
|
||
Comment on attachment 8718904 [details]
MozReview Request: Bug 1231320: ensure exit status is correct when cleaning up; r?armenzg
https://reviewboard.mozilla.org/r/34793/#review31417
::: testing/taskcluster/scripts/builder/build-linux.sh:52
(Diff revision 1)
> + exit $rv
Good catch! I just dealt with something like this.
Attachment #8718904 -
Flags: review?(armenzg) → review+
Reporter | ||
Updated•9 years ago
|
Attachment #8718903 -
Flags: review?(mh+mozilla)
Reporter | ||
Comment 31•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
https://reviewboard.mozilla.org/r/34791/#review31577
I'm not the right person to review this, but I also don't know who is.
Assignee | ||
Updated•9 years ago
|
Attachment #8718903 -
Attachment description: MozReview Request: Bug 1231320: download API keys from secrets API or environment variables; r?glandium → MozReview Request: Bug 1231320: download API keys from secrets API or environment variables; r?pmoore
Attachment #8718903 -
Flags: review?(pmoore)
Assignee | ||
Comment 32•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/34791/diff/1-2/
Assignee | ||
Comment 33•9 years ago
|
||
Comment on attachment 8718904 [details]
MozReview Request: Bug 1231320: ensure exit status is correct when cleaning up; r?armenzg
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/34793/diff/1-2/
Comment 34•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
https://reviewboard.mozilla.org/r/34791/#review31715
This seems sane to me. I like it that the secrets don't get burned into the worker type, that the secrets are protected behind scopes, and that it can even survive running locally versus running in automation. So I say it is good to go.
Some thoughts:
1) Should we add support in docker engine of taskcluster-worker / docker-worker for declaring secret files as part of the payload body - i.e. `"secrets": {"secret":<secret_name>,"path":<file_system_path>,"encoding":"base64"/"plain", "compression":"none"/"zip"/"tar.gz"}`
2) Is checking for `TASK_ID` env var the preferred way of detecting if we are running inside TaskCluster? Should we introduce some absolutely-safe way (e.g. might involve worker update) to guarantee this (although `TASK_ID` seems like a reasonably safe bet)?
3) Should we add docs somewhere that explain what the environment variables are that are needed, and what devs should set them to, if they don't have access to the originals?
4) Should we also support downloading from TOOLTOOL, e.g. for devs running locally, outside of taskcluster?
We can spin off separate bugs about these things if you think any of them have merit - just wanted to capture them here.
Attachment #8718903 -
Flags: review?(pmoore) → review+
Comment 35•9 years ago
|
||
Spoke to :jonasfj and :garndt quickly about this - we like the idea of adding a plugin at some point for the new worker to support declarative downloading of secrets to files - we'll create a bug for that, and implement it at some point in the future when taskcluster-worker is up on its feet.
Assignee | ||
Comment 36•9 years ago
|
||
(In reply to Pete Moore [:pmoore][:pete] from comment #34)
> 1) Should we add support in docker engine of taskcluster-worker /
> docker-worker for declaring secret files as part of the payload body - i.e.
> `"secrets":
> {"secret":<secret_name>,"path":<file_system_path>,"encoding":"base64"/
> "plain", "compression":"none"/"zip"/"tar.gz"}`
Yep, I think this is already planned.
> 2) Is checking for `TASK_ID` env var the preferred way of detecting if we
> are running inside TaskCluster? Should we introduce some absolutely-safe way
> (e.g. might involve worker update) to guarantee this (although `TASK_ID`
> seems like a reasonably safe bet)?
Per Greg, this is probably the best technique
> 3) Should we add docs somewhere that explain what the environment variables
> are that are needed, and what devs should set them to, if they don't have
> access to the originals?
I think the error message is sufficient for that.
> 4) Should we also support downloading from TOOLTOOL, e.g. for devs running
> locally, outside of taskcluster?
No, absolutely not - secrets don't go on tooltool.
Assignee | ||
Comment 37•9 years ago
|
||
Reminding myself (since I had 'hg push' already typed out before I remembered, and now I'm going into another dark period of meetings):
Remaining to do here:
* set this up so that it *doesn't* run on try pushes
* move the secret permission to moz-tree:level:2
* install actual secrets
Assignee | ||
Comment 38•9 years ago
|
||
Hm, I'm not sure how to conditionalize this on try/non-try at the task level. I think we'll need two things: (1) don't download the secrets in try (because we won't have the scopes to do so) and (2) don't pass --with-google-api-keyfile et al. on try. I think the latter would involve a mozconfig change, which is tricky since try uses the same mozconfigs (nightly) as production.
Open to suggestions!
Assignee | ||
Comment 39•9 years ago
|
||
It looks like what we do in Buildbot is to include the options:
07:16:25 INFO - Adding configure options from /builds/slave/try-lx-00000000000000000000000/build/src/.mozconfig
07:16:25 INFO - --enable-update-channel=
07:16:25 INFO - --enable-update-packaging
07:16:25 INFO - --with-google-api-keyfile=/builds/gapi.data
07:16:25 INFO - --with-google-oauth-api-keyfile=/builds/google-oauth-api.key
07:16:25 INFO - --with-mozilla-api-keyfile=/builds/mozilla-desktop-geoloc-api.key
and, in my investigation, those contain production keys on try machines. So, that's a neat factoid for you.
Assignee | ||
Comment 40•9 years ago
|
||
Looking at https://github.com/mozilla/build-puppet/blob/master/modules/slave_secrets/manifests/init.pp that seems pretty intentional -- the secrets are installed regardless of the $slave_trustlevel.
So I'm going to replicate that functionality for now. If we want to try to do better someday, we can. /ni catlee for a measure of the urgency.
Flags: needinfo?(catlee)
Assignee | ||
Comment 41•9 years ago
|
||
Production secrets installed in the secrets API (woo, first real secret!)
Assignee | ||
Comment 42•9 years ago
|
||
Assignee | ||
Comment 43•9 years ago
|
||
That failed on *Buildbot* with
09:08:21 INFO - configure: error: --with-google-oauth-api-keyfile file /builds/google-oauth-api.key not found
not because it's not on the machine, but because it's cleverly not mounted into the mock environment. Yet I see it listed in mock_copyin_files for every linux builder in https://dxr.mozilla.org/build-central/source/buildbot-configs/mozilla/config.py
So I need a little help here -- how is this working on Buildbot, and given the desire to land "Bug 1231320: fail configure when api keyfiles do not exist; r=glandium", what's the best way to fix things in Buildbot?
Flags: needinfo?(bugspam.Callek)
Comment 44•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #43)
> That failed on *Buildbot* with
>
> 09:08:21 INFO - configure: error: --with-google-oauth-api-keyfile file
> /builds/google-oauth-api.key not found
>
> not because it's not on the machine, but because it's cleverly not mounted
> into the mock environment. Yet I see it listed in mock_copyin_files for
> every linux builder in
> https://dxr.mozilla.org/build-central/source/buildbot-configs/mozilla/config.
> py
>
> So I need a little help here -- how is this working on Buildbot, and given
> the desire to land "Bug 1231320: fail configure when api keyfiles do not
> exist; r=glandium", what's the best way to fix things in Buildbot?
This job uses mozharness for mock setup/teardown (the stuff you see in buildbot-configs is mainly for the buildbot builders, currently only used on beta/release)
https://dxr.mozilla.org/mozilla-central/source/testing/mozharness/configs/builds/releng_base_linux_64_builds.py#36 is what you're looking for here.
Which makes me think its not properly working in buildbot atm.
Flags: needinfo?(bugspam.Callek)
Assignee | ||
Comment 45•9 years ago
|
||
I'm not going to concern myself with Buildbot or Mock - that way lies madness, I think.
I think the key here is that the mozconfigs need to know whether the automation run is for try or not, and only include the `ac_add_options` commands in comment 0 when *not* running in try. :glandium, is that the right approach? If so, what is the most appropriate indication of a try run?
Flags: needinfo?(catlee) → needinfo?(mh+mozilla)
Assignee | ||
Comment 46•9 years ago
|
||
Ah, mike helped me out:
<mshal> dustin: we do that in mozconfig.cache by reading buildprops.json: https://dxr.mozilla.org/mozilla-central/source/build/mozconfig.cache?from=mozconfig.cache
Flags: needinfo?(mh+mozilla)
Assignee | ||
Comment 47•9 years ago
|
||
Assignee | ||
Comment 48•9 years ago
|
||
It looks like opt builds use all three keys, while debug builds only use google-oauth-api.key. None of these keys are available for level-1 repositories (well, at least mozharness doesn't mount them into the mock environment -- that could easily be changed in a try push, obviously). I can imagine we'll have further specializations of what secrets are available in what sorts of builds, with corresponding `ac_add_options` modifications, in the future.
There are three places that need to be configured:
* secrets / scopes
* the in-tree script to fetch from secrets
* mozconfigs
I want to separate those out a little: the first two are security-related, and should go together; that is, the Python script should flexibly dump the available secrets into the docker container without erroring out. The mozconfigs should correctly reflect exactly the cases where the API keys are to be used (they are incorrect right now).
Assignee | ||
Comment 49•9 years ago
|
||
So the new plan is:
* build-linux.sh will take input from environment variables to get secret values and stick them into files; e.g.,
GET_SECRET_GOOGLE_OAUTH_API_KEY="/builds/google-oauth-api.key project/releng/gecko/build/level-{{level}}/{{project}}/google-oauth-api-key"
with the secrets fetch skipped if GOOGLE_OAUTH_API_KEY is set, and an error if not running in a task. This places the task inputs squarely where they should be, in the task definition.
* I'll add MOZ_TREE and MOZ_TREE_LEVEL variables to taskcluster jobs and to Buildbot configs, then use those when MOZ_AUTOMATION is set to decide whether to add the appropriate --with-xxx-key options.
Assignee | ||
Comment 50•9 years ago
|
||
Slight correction: no change to BB (it's too hard), and I'll just set MOZ_TREE_LEVEL.
Assignee | ||
Comment 51•9 years ago
|
||
Assignee | ||
Comment 52•9 years ago
|
||
Assignee | ||
Comment 53•9 years ago
|
||
Chatting with mshal, I don't think that it's the right approach to be conditionalizing on the tree level in mozconfigs. Instead, I'm going to supply fake secrets ("no-foo-api-key") at level 1 and real secrets at levels 2 and 3. That will be way easier!
Assignee | ||
Comment 54•9 years ago
|
||
Assignee | ||
Comment 55•9 years ago
|
||
Comment on attachment 8701603 [details]
MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/28995/diff/2-3/
Assignee | ||
Comment 56•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/34791/diff/2-3/
Attachment #8718903 -
Attachment description: MozReview Request: Bug 1231320: download API keys from secrets API or environment variables; r?pmoore → MozReview Request: Bug 1231320: download API keys from secrets API or environment variables; r=pmoore
Assignee | ||
Updated•9 years ago
|
Attachment #8718904 -
Attachment is obsolete: true
Assignee | ||
Comment 57•9 years ago
|
||
https://reviewboard.mozilla.org/r/28993/#review35685
As-is, this patch only affects TaskCluster, so there's no risk to Buildbot.
Here's what it looks like in TC:
https://tools.taskcluster.net/task-inspector/#TGaohxNvSUeXdLz02qJBFw/
The secrets are set up with fake secrets for level 1, and real secrets for the remaining levels:
```
{
"google-api": "no-google-api-key",
"mozilla-api": "no-mozilla-api-key",
"bing-api": "no-bing-api-clientid no-bing-api-key",
"google-oauth": "no-google-oauth-api-clientid no-google-oauth-api-key",
"adjust-sdk": "no-adjust-sdk-app-token"
}
```
Assignee | ||
Updated•9 years ago
|
Attachment #8718903 -
Flags: review?(mshal)
Assignee | ||
Comment 58•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
I thought about this more overnight, and I want to make some changes. It turns out that we have multiple filenames for some of these secrets, selected by different mozconfigs. So:
* refactor to use individual secrets with a "secret" property, rather than one JSON blob
* name secrets after the /builds/<..> filename and install all of them (for now; we can limit that to particular tasks later)
Attachment #8718903 -
Flags: review?(mshal)
Attachment #8718903 -
Flags: review+
Assignee | ||
Comment 59•9 years ago
|
||
Assignee | ||
Comment 60•9 years ago
|
||
Assignee | ||
Comment 61•9 years ago
|
||
Assignee | ||
Comment 62•9 years ago
|
||
OK, new draft is ready, and run through Try already. I also logged in with a one-click loaner and verifies that the secrets files contain the string "no-secrets-for-try" since this is a try job. That's the value in the secrets API for "level-1", so I'm confident that on m-c it will get production secrets.
Assignee | ||
Comment 63•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/34791/diff/3-4/
Attachment #8718903 -
Attachment description: MozReview Request: Bug 1231320: download API keys from secrets API or environment variables; r=pmoore → MozReview Request: Bug 1231320: download API keys from secrets API or environment variables; r?mshal r?garndt
Attachment #8718903 -
Flags: review?(pmoore)
Attachment #8718903 -
Flags: review?(mshal)
Attachment #8718903 -
Flags: review?(garndt)
Comment 64•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
https://reviewboard.mozilla.org/r/34791/#review35889
::: testing/taskcluster/scripts/builder/build-linux.sh:82
(Diff revision 4)
> +python2.7 $GECKO_DIR/testing/taskcluster/scripts/builder/get-secrets.py $var
Is there any value to write errors from calling this prefixed with "[taskcluster:error]" or "[task:error]" so it appears in treeherder?
::: testing/taskcluster/scripts/builder/build-linux.sh:83
(Diff revision 4)
> +
Doesn't appear that $var is set to anything and get-secrets.py doesn't do anything with it.
::: testing/taskcluster/scripts/builder/get-secrets.py:33
(Diff revision 4)
> + for prop in properties:
I might be reading this wrong, but after the JSON response is parsed, we iterate over all the properties that were passed in...and the last property is what 'rv' is set to?
::: testing/taskcluster/scripts/builder/get-secrets.py:34
(Diff revision 4)
> + rv = rv[prop]
If the key doesn't exit, this will throw an exception right? Would we want to check if it exists and give a better error message than an exception being thrown?
::: testing/taskcluster/scripts/builder/get-secrets.py:54
(Diff revision 4)
> + "${} must have the format 'FILENAME SECRETNAME [PROEPRTY ..]'".format(var))
PROPERTY
Attachment #8718903 -
Flags: review?(garndt)
Assignee | ||
Comment 65•9 years ago
|
||
> I might be reading this wrong, but after the JSON response is parsed, we iterate over all the properties that were passed in...and the last property is what 'rv' is set to?
..
> If the key doesn't exit, this will throw an exception right? Would we want to check if it exists and give a better error message than an exception being thrown?
Yes, it's a really dumbed-down version of JSONPath, since the secrets API only stores JSON blobs. I could just as well make `content` the default, so that every secret fed to get-secrets.py has to have the form `{"content": ".."}`.
Assignee | ||
Comment 66•9 years ago
|
||
Assignee | ||
Comment 67•9 years ago
|
||
Assignee | ||
Comment 68•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/34791/diff/4-5/
Attachment #8718903 -
Flags: review?(garndt)
Comment 69•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
https://reviewboard.mozilla.org/r/34791/#review35907
Attachment #8718903 -
Flags: review?(garndt) → review+
Comment 70•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
https://reviewboard.mozilla.org/r/34791/#review35947
I didn't perform a detailed review of get-secrets.py, since it may change depending on the outcome of the issue.
::: testing/taskcluster/tasks/builds/firefox_base.yml:22
(Diff revision 5)
> + GET_SECRET_GOOGLE_API: "/builds/gapi.data project/releng/gecko/build/level-{{level}}/gapi.data"
The GET_SECRET variables and looping through the environment to find them seems like it would be better served as a data structure in a configuration file. We already have an almost identical list in mozharness configs for mock to copy files: https://dxr.mozilla.org/mozilla-central/rev/af7c0cb0798f5425d5d344cbaf0ac0ecb1a72a86/testing/mozharness/configs/builds/releng_base_linux_32_builds.py#40
Is it possible to enhance the mozharness configs to include the filename/secretname pairs as a list and add get-secrets.py as an action in there? Then we don't have to force structured data into the environment.
Attachment #8718903 -
Flags: review?(mshal)
Assignee | ||
Comment 71•9 years ago
|
||
Those particular mozharness configs run *outside* the mock environment in Buildbot, so in a separate run of mozharness from the in-mock run. So, I think that would be a difficult proposition. My plan was just to delete the support for mock in mozharness once we're not running this within Buildbot anymore, so the duplication will go away.
I've deliberately put this at the outermost layer of abstraction for a few reasons:
1. The secrets constitute an input to the build process, so it makes sense to have them exposed at that level
2. This is actually a replication of the slave_secrets functionality in PuppetAgain, rather than mozharness
3. Down the road, the worker may grow the ability to fetch secrets automatically based on the task definition, in which case these would move from environment variables to some other portion of the payload.
4. With this structure, someone trying to run the docker container locally can simply omit the `-e GET_SECRET_..=..` to avoid failing to fetch the secrets; if the data is in an in-tree file, no such modification is possible.
I could see putting the list of secrets and filenames in a JSON file in-tree, and referring to that in an environment variable, but that feels like an unnecessary extra level of indirection, and then we're inventing filenames for files that contain a lot of replicated information (secrets_with_adjust_beta_key_and_fennec_mozilla_key.json, secrets_with_adjust_key_and_desktop_mozilla_key.json, etc.) both of which probably contain the same google keys.
What do you think?
Comment 72•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
https://reviewboard.mozilla.org/r/34791/#review35945
This looks pretty good, as a solution until the worker handles this natively.
Attachment #8718903 -
Flags: review?(pmoore) → review+
Assignee | ||
Comment 73•9 years ago
|
||
Mike: your r? flag was removed, but I don't want to ship without your approval per comment 71.
Flags: needinfo?(mshal)
Comment 74•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #71)
> Those particular mozharness configs run *outside* the mock environment in
> Buildbot, so in a separate run of mozharness from the in-mock run. So, I
> think that would be a difficult proposition. My plan was just to delete the
> support for mock in mozharness once we're not running this within Buildbot
> anymore, so the duplication will go away.
What are the separate mozharness runs that you are referring to? As I understand it, there is only a single mozharness invocation at the end of build-linux.sh. Inside mozharness, there are actions that run both before and after mock are setup.
I'm glad to see the use of mock inside mozharness will eventually go away, but that doesn't address my concern that the data being placed inside environment variables, coupled with the loop over the environment, would be better served by a data structure defined in the python configuration files.
> I've deliberately put this at the outermost layer of abstraction for a few
> reasons:
>
> 1. The secrets constitute an input to the build process, so it makes sense
> to have them exposed at that level
There are many things that constitute inputs to the build process, and we define many of them in the mozharness configs. I think the secrets variables could be defined as a data structure in those configs, and then have a "get_secrets" action wherever it makes sense in fx_desktop_build.py (likely one of the first steps).
By making build-linux.sh do more things than just the bare minimum to get Taskcluster to run mozharness, we're effectively blurring the lines of responsibility between mozharness and the task definitions.
> 3. Down the road, the worker may grow the ability to fetch secrets
> automatically based on the task definition, in which case these would move
> from environment variables to some other portion of the payload.
Can you elaborate on what this would entail?
> 4. With this structure, someone trying to run the docker container locally
> can simply omit the `-e GET_SECRET_..=..` to avoid failing to fetch the
> secrets; if the data is in an in-tree file, no such modification is possible.
What exactly would they be omitting? I don't see a '-e GET_SECRET_..' in the patch under review. Would they just be commenting out these lines?
GET_SECRET_GOOGLE_API: "/builds/gapi.data project/releng/gecko/build/level-{{level}}/gapi.data"
If they need to modify something regardless, they could also simply add a --no-get-secrets flag to the mozharness invocation. Ideally of course a user could run the same thing locally as is running on try, without having to change anything - they would just have different (no-op) secrets. Is such a thing possible?
Flags: needinfo?(mshal)
Assignee | ||
Comment 75•9 years ago
|
||
Per our irc conversation earlier, I'm going to give it a shot. I'm not convinced this isn't a huge hairball, but probably trying is the best way to find out. The idea is to create a mozharness get-secrets action that only runs in taskcluster (not on devs' desktops, and not in buildbot, and easily disabled when running in docker containers outside of taskcluster). That will take from the mozharness config a list of secrets and their sources.
Assignee | ||
Comment 76•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
r- from mshal
Attachment #8718903 -
Flags: review-
Assignee | ||
Comment 77•9 years ago
|
||
Assignee | ||
Comment 78•9 years ago
|
||
Assignee | ||
Comment 79•9 years ago
|
||
Assignee | ||
Comment 80•9 years ago
|
||
Assignee | ||
Comment 81•9 years ago
|
||
Assignee | ||
Comment 82•9 years ago
|
||
Assignee | ||
Comment 83•9 years ago
|
||
Assignee | ||
Comment 84•9 years ago
|
||
Assignee | ||
Comment 85•9 years ago
|
||
Comment on attachment 8701603 [details]
MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/28995/diff/3-4/
Assignee | ||
Updated•9 years ago
|
Attachment #8718903 -
Attachment description: MozReview Request: Bug 1231320: download API keys from secrets API or environment variables; r?mshal r?garndt → MozReview Request: Bug 1231320: pull from secrets API in TaskCluster
Attachment #8718903 -
Flags: review- → review?(mshal)
Assignee | ||
Comment 86•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/34791/diff/5-6/
Assignee | ||
Updated•9 years ago
|
Attachment #8718903 -
Flags: review+
Assignee | ||
Comment 87•9 years ago
|
||
If run in a docker container outside of taskcluster, this will currently fail, and it's a little difficult to fix that -- you'd have to make an additional commit removing "--get-secrets" from build-linux.sh, and then update GECKO_HEAD_REV to point to that revision. Is that worth fixing?
I could make the secrets handling a little more complex, too, with additional parameters in the dictionary:
'min_level': 2, # the minimum SCM level at which this secret should be fetched (so, not for try)
'default': 'no-google-api-key', # default value to write when below min_level (otherwise nothing is written)
try jobs have no secrets, so it would be `'min_level': 2` all around, which means try jobs would run outside of taskcluster with no modification.
I'll leave this patch for your review for the moment, but I welcome your thoughts on those improvements.
Comment 88•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
https://reviewboard.mozilla.org/r/34791/#review36583
All nits and/or followups. Feel free to land and address any issues later if they're relevant.
::: testing/mozharness/mozharness/mozilla/building/buildbase.py:552
(Diff revision 6)
> )}],
> + [['--scm-level'], {
> + "action": "store",
> + "type": "int",
> + "dest": "scm_level",
> + "default": 1,
Similar question about default scm-level here.
::: testing/mozharness/mozharness/mozilla/secrets.py:36
(Diff revision 6)
> + secret should be written.
> + """
> + secret_files = self.config.get('secret_files', [])
> +
> + subst = {
> + 'scm-level': self.config.get('scm-level', 1),
As in the other two places, I'm wondering if this default should be 0.
::: testing/taskcluster/scripts/builder/build-linux.sh:23
(Diff revision 6)
> : NEED_XVFB ${NEED_XVFB:=false}
>
> : MH_CUSTOM_BUILD_VARIANT_CFG ${MH_CUSTOM_BUILD_VARIANT_CFG}
> : MH_BRANCH ${MH_BRANCH:=mozilla-central}
> : MH_BUILD_POOL ${MH_BUILD_POOL:=staging}
> +: MOZ_SCM_LEVEL ${MOZ_SCM_LEVEL:=1}
If a user runs this locally in docker, do they get the default level specified here? If so, maybe the default should be 0, since try, m-c, etc will override with the real levels, correct? Then get_secrets() could just skip getting secrets if level == 0.
::: testing/taskcluster/scripts/builder/build-linux.sh:128
(Diff revision 6)
> - --no-upload-files \
> - --no-sendchange \
> --log-level=debug \
> + --scm-level=$MOZ_SCM_LEVEL \
> --work-dir=$WORKSPACE/build \
> --no-action=generate-build-stats \
nit: I think this line is no longer necessary, similar to the other --no-* flags.
::: testing/taskcluster/tasks/builds/firefox_base.yml:18
(Diff revision 6)
> image:
> type: 'task-image'
> path: 'public/image.tar'
> taskId: '{{#task_id_for_image}}desktop-build{{/task_id_for_image}}'
> + features:
> + taskclusterProxy: true
What does taskclusterProxy do? I don't see anything else in the tree that matches it - was it intended to be part of another patch?
Attachment #8718903 -
Flags: review?(mshal) → review+
Comment 89•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #87)
> If run in a docker container outside of taskcluster, this will currently
> fail, and it's a little difficult to fix that -- you'd have to make an
> additional commit removing "--get-secrets" from build-linux.sh, and then
> update GECKO_HEAD_REV to point to that revision. Is that worth fixing?
Is this part still relevant if you go with the min_level / default key approach below?
> I could make the secrets handling a little more complex, too, with
> additional parameters in the dictionary:
>
> 'min_level': 2, # the minimum SCM level at which this secret should be
> fetched (so, not for try)
> 'default': 'no-google-api-key', # default value to write when below
> min_level (otherwise nothing is written)
>
> try jobs have no secrets, so it would be `'min_level': 2` all around, which
> means try jobs would run outside of taskcluster with no modification.
Ahh, I thought try still had some level of secrets, so you can ignore my comments about the default level being 0 in the review. I think the min_level + default parameters are a good solution, but it can be done in a followup.
Assignee | ||
Comment 90•9 years ago
|
||
The TaskCluster Proxy is what allows get_secrets to use 'http://taskcluster' without passing any credentials, and make TaskCluster API calls with the scopes defined by the task (which is why I also add the `secrets:get:..` scope; note that it's the {{level}} in that scope which prevents level-1 jobs from getting level-2 or level-3 secrets, based on the scopes afforded to level-1 trees by https://tools.taskcluster.net/auth/roles/#moz-tree:level:1)
The min_level/default thing would, I think, allow devs to run in a docker container outside of taskcluster. I don't totally understand all of the permutations that devs try, though, so I'm not sure.
There is no level 0, and at least in this case there's no reason to invent one. Anything in automation will at least be level 1.
You're right about --no-generate-build-stats (in fact, in bug 1251713 we want --generate-build-stats).
I'll fix the nits and add an additional commit with the min_level / default support.
Assignee | ||
Comment 91•9 years ago
|
||
Assignee | ||
Comment 92•9 years ago
|
||
Assignee | ||
Comment 93•9 years ago
|
||
Assignee | ||
Comment 94•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/34791/diff/6-7/
Attachment #8718903 -
Flags: review?(pmoore)
Attachment #8718903 -
Flags: review?(garndt)
Assignee | ||
Comment 95•9 years ago
|
||
Comment on attachment 8701603 [details]
MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/28995/diff/4-5/
Attachment #8701603 -
Attachment description: MozReview Request: Bug 1231320: fail configure when api keyfiles do not exist; r=glandium → MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r?mshal
Attachment #8701603 -
Flags: review?(mshal)
Comment 96•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
https://reviewboard.mozilla.org/r/34791/#review36713
::: testing/mozharness/mozharness/mozilla/secrets.py:50
(Diff revision 7)
> + # within a taskcluster task. Outside of that environment, do not
> + # use this action.
> + url = "http://taskcluster/secrets/v1/secret/" + secret_name
> + res = urllib2.urlopen(url)
> + if res.getcode() != 200:
> + self.fatal("Error fetching from secrets API:" + res.read())
I believe in previous revisions of this patch, [task:error] was added in places. Do we not want to do that now?
Attachment #8718903 -
Flags: review?(garndt) → review+
Assignee | ||
Comment 97•9 years ago
|
||
Mozharness's fatal() causes logging in a format that the log parser recognizes as an error, so that's not necessary.
Updated•9 years ago
|
Attachment #8701603 -
Flags: review?(mshal) → review+
Comment 98•9 years ago
|
||
Comment on attachment 8701603 [details]
MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
https://reviewboard.mozilla.org/r/28995/#review36715
::: testing/mozharness/mozharness/mozilla/secrets.py:25
(Diff revision 5)
> + self.info("fetching secret {} from API".format(secret_name))
> + # fetch from http://taskcluster, which points to the taskcluster proxy
> + # within a taskcluster task. Outside of that environment, do not
> + # use this action.
> + url = "http://taskcluster/secrets/v1/secret/" + secret_name
> + res = urllib2.urlopen(url)
We might want to add retries here.
Comment 99•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #97)
> Mozharness's fatal() causes logging in a format that the log parser
> recognizes as an error, so that's not necessary.
Perfect, I didn't realize that. Thanks!
Comment 100•9 years ago
|
||
(In reply to Michael Shal [:mshal] from comment #98)
> Comment on attachment 8701603 [details]
> MozReview Request: Bug 1231320: support min_scm_level and default secret
> specs; r?mshal
>
> https://reviewboard.mozilla.org/r/28995/#review36715
>
> ::: testing/mozharness/mozharness/mozilla/secrets.py:25
> (Diff revision 5)
> > + self.info("fetching secret {} from API".format(secret_name))
> > + # fetch from http://taskcluster, which points to the taskcluster proxy
> > + # within a taskcluster task. Outside of that environment, do not
> > + # use this action.
> > + url = "http://taskcluster/secrets/v1/secret/" + secret_name
> > + res = urllib2.urlopen(url)
>
> We might want to add retries here.
TaskCluster Proxy implements retries to the TaskCluster endpoint, so maybe we are already covered with retries. Hopefully we shouldn't drop connections to the proxy as it is running on the same host inside a linked docker container. The risk of doing retries here would be having retries of retries due to both layers performing them. That said, maybe we should disable retries in the proxy. I'm not sure what is sanest - as this risk of double layered retries is possible everywhere now where the proxy is used...
Comment 101•9 years ago
|
||
https://github.com/taskcluster/taskcluster-proxy/blob/873d87f0bd278491f62130d557f3e069ea410c13/routes.go#L161
=>
https://github.com/taskcluster/taskcluster-client-go/blob/0cf4483642bd52a3bfc256777382ad3caf3b5c31/tcclient/http.go#L104
=>
https://github.com/taskcluster/httpbackoff/blob/24a2b95d280db56cbba7f60b417eb9d253d575ef/httpbackoff.go#L123
=>
https://github.com/cenkalti/backoff/blob/f8f3c7cde2b91a107e75c7fc3c32d6ede7236c24/retry.go#L26
Assignee | ||
Comment 102•9 years ago
|
||
We should definitely keep the retries in taskcluster-proxy, as this kind of simple HTTP request in a shell/python script is common and should be very easy and reliable.
Comment 103•9 years ago
|
||
(In reply to Pete Moore [:pmoore][:pete] from comment #100)
> (In reply to Michael Shal [:mshal] from comment #98)
> > We might want to add retries here.
>
> TaskCluster Proxy implements retries to the TaskCluster endpoint, so maybe
> we are already covered with retries. Hopefully we shouldn't drop connections
> to the proxy as it is running on the same host inside a linked docker
> container. The risk of doing retries here would be having retries of retries
> due to both layers performing them. That said, maybe we should disable
> retries in the proxy. I'm not sure what is sanest - as this risk of double
> layered retries is possible everywhere now where the proxy is used...
Ahh, I wasn't aware of that. Carry on!
Updated•9 years ago
|
Attachment #8718903 -
Flags: review?(pmoore) → review+
Comment 104•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
https://reviewboard.mozilla.org/r/34791/#review36949
Otherwise looks good to me! Thanks!
::: testing/taskcluster/scripts/builder/build-linux.sh:118
(Diff revision 7)
> done
>
> -# Mozharness would ordinarily do the checkouts itself, but they are disabled
> -# here (--no-checkout-sources, --no-clone-tools) as the checkout is performed above.
> +# Mozharness would ordinarily do a whole mess of buildbot-specific steps, but those
> +# are overridden by this list of steps. The get-secrets step is unique to TC tasks
> +# and not run in Buildbot
> +steps="--get-secrets --build --check-test"
Should this be conditional on whether running in TaskCluster automation, or locally (e.g. via "Run Locally" commands)? For example, by checking for the presence of `TASK_ID` env variable?
It feels a bit dirty to use a check like looking for a `TASK_ID` environment variable, but other solutions also have major challenges. For example, another solution might be taskcluster credentials and proxy settings are stored in e.g. ~/.taskcluster/credentials file (0400 file permissions) and instead of hitting the proxy, the "Run Locally" would also download the secrets, assuming you have the required scopes, based on your taskcluster creds. In automation, the taskcluster config/credentials file could have auth disabled, and a proxy set to http://taskcluster. Lastly, the config file could be volume mounted, so in automation the config is different to when a user runs locally. But this.... is a lot of work. So maybe `TASK_ID` env variable check is a good enough hack...
Comment 105•9 years ago
|
||
Of course, in my "alternative" solution above, we'd use the taskcluster client from mozharness, rather than making http requests against the proxy. That way, with auth disabled and a proxy enabled, the client could decide whether to inject Authorization header and hit endpoint directly, or to rewrite url to proxy, and disable Authorization header generation....
But maybe checking `TASK_ID` env variable is enough.
Assignee | ||
Comment 106•9 years ago
|
||
We currently have a plethora of "run locally" options (mach on laptop, mozharness on laptop, docker on laptop, interactive) and each brings its own challenges. At some point we (TC) need to pick one of those as the supported option and really dig into supporting it. At that point, we can consider adding additional in-tree support, noting that any in-tree behavior that differs between "run locally" and automation will be suspected of causing intermittents.
Until then, I think this should be sufficient: running a try job locally works without any need for secrets, so there's no need to distinguish running within a task.
Assignee | ||
Comment 107•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/0e58a9d3ca620a443036403a04bfd1ee827174b5
Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
https://hg.mozilla.org/integration/mozilla-inbound/rev/a37a5bccf978ccdab6f31b28d4cb9c68eb711e9e
Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
Assignee | ||
Comment 108•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=a37a5bccf978&selectedJob=23927226
So it turns out, not every mozharness job we run takes the same set of mozharness actions -- several, in particular, do not support the `check-test` action.
I'm not sure how best to solve this. Should the list of actions be a parameter to the task, along with MOZHARNESS_CONFIG and MOZHARNESS_SCRIPT? Is there a way to just add one action to default_actions?
Flags: needinfo?(jlund)
Assignee | ||
Comment 109•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4dd55f40eb7abc1d5f799ae4d0585029f46bbc23
Backed out 2 changesets (bug 1231320)
Comment 110•9 years ago
|
||
(In reply to Dustin J. Mitchell [:dustin] from comment #108)
> https://treeherder.mozilla.org/#/jobs?repo=mozilla-
> inbound&revision=a37a5bccf978&selectedJob=23927226
>
> So it turns out, not every mozharness job we run takes the same set of
> mozharness actions -- several, in particular, do not support the
> `check-test` action.
>
> I'm not sure how best to solve this. Should the list of actions be a
> parameter to the task, along with MOZHARNESS_CONFIG and MOZHARNESS_SCRIPT?
I think consistency and explicitness would be best. i.e. passing each action via --action[1] for each action you want to run in the TC scheduling logic. Once we no longer run the build equivalent in buildbot however, you can just change the default_actions config item in the mh config itself and not pass anything via commmand line
this approach I feel is better than having a mix of --no-action[2]'s flags popping off actions from their respective build variant config's default_actions list.
> Is there a way to just add one action to default_actions?
yes you can pass --add-action[3] but iirc, that will just add the action to the end of default_actions list. And since actions are run in order, this may or may not be what you want.
[1] https://dxr.mozilla.org/mozilla-central/source/testing/mozharness/mozharness/base/config.py#528
[2] https://dxr.mozilla.org/mozilla-central/source/testing/mozharness/mozharness/base/config.py#534
[3] https://dxr.mozilla.org/mozilla-central/source/testing/mozharness/mozharness/base/config.py#531
Flags: needinfo?(jlund)
Assignee | ||
Comment 111•9 years ago
|
||
Assignee | ||
Comment 112•9 years ago
|
||
Comment on attachment 8718903 [details]
MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/34791/diff/7-8/
Attachment #8718903 -
Attachment description: MozReview Request: Bug 1231320: pull from secrets API in TaskCluster → MozReview Request: Bug 1231320: pull from secrets API in TaskCluster r=mshal r=pmoore r=garndt
Assignee | ||
Comment 113•9 years ago
|
||
Comment on attachment 8701603 [details]
MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/28995/diff/5-6/
Attachment #8701603 -
Attachment description: MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r?mshal → MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
Attachment #8701603 -
Flags: review?(pmoore)
Attachment #8701603 -
Flags: review?(garndt)
Assignee | ||
Comment 114•9 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/40625/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/40625/
Attachment #8731475 -
Flags: review?(jlund)
Comment 115•9 years ago
|
||
Comment on attachment 8701603 [details]
MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
https://reviewboard.mozilla.org/r/28995/#review37289
Nothing changed since the last review I made, but will r+ since mozreview thinks I need to review again.
Attachment #8701603 -
Flags: review?(garndt) → review+
Comment 116•9 years ago
|
||
Comment 117•9 years ago
|
||
Comment on attachment 8731475 [details]
MozReview Request: Bug 1231320: supply actions to mozharness from the task definition; r?jlund
https://reviewboard.mozilla.org/r/40625/#review37343
looks good. couple comments to discuss in line before stamping.
::: testing/taskcluster/scripts/builder/build-linux.sh:136
(Diff revision 1)
>
> python2.7 $WORKSPACE/build/src/testing/${MOZHARNESS_SCRIPT} ${config_cmds} \
> $debug_flag \
> $custom_build_variant_cfg_flag \
> --disable-mock \
> - $steps \
> + $actions \
iiuc, this won't quite work because you have things in this cmd line call like:
`--update --no-update`
which will likely break or cause spurious results.
but taking a step back, if every variant has been updated to explicitly dictate actions, then we can remove all the --no-action args here: https://dxr.mozilla.org/mozilla-central/source/testing/taskcluster/scripts/builder/build-linux.sh?from=build-linux.sh#128
as soon as you use >= 1 --action call, default_actions is completly ignored and --no-action calls are a no-op.
make sense?
::: testing/taskcluster/tasks/builds/android_api_15_b2gdroid.yml:39
(Diff revision 1)
> # TODO: make these additional configuration files go away
> MOZHARNESS_CONFIG: >
> builds/releng_base_android_64_builds.py
> disable_signing.py
> platform_supports_post_upload_to_latest.py
> + MOZHARNESS_ACTIONS: 'get-secrets build multi-l10n update'
I think you will need to add 'get-secrets' here: https://dxr.mozilla.org/mozilla-central/source/testing/mozharness/scripts/fx_desktop_build.py#30
also, where is `def get_secrets()` defined? I don't see it in https://dxr.mozilla.org/mozilla-central/source/testing/mozharness/mozharness/mozilla/building/buildbase.py
Attachment #8731475 -
Flags: review?(jlund)
Assignee | ||
Comment 118•9 years ago
|
||
https://reviewboard.mozilla.org/r/40625/#review37343
> iiuc, this won't quite work because you have things in this cmd line call like:
>
> `--update --no-update`
>
> which will likely break or cause spurious results.
>
> but taking a step back, if every variant has been updated to explicitly dictate actions, then we can remove all the --no-action args here: https://dxr.mozilla.org/mozilla-central/source/testing/taskcluster/scripts/builder/build-linux.sh?from=build-linux.sh#128
>
> as soon as you use >= 1 --action call, default_actions is completly ignored and --no-action calls are a no-op.
>
> make sense?
Where would `--no-update` come from, unless MOZHARNESS_ACTIONS had `no-update` (which it doesn't anywhere in this patch)? Are you suggesting that I ensure that somehow? Like, list all the acceptable mozharness actions in build-linux.sh, and fail with an error if MOZHARNESS_ACTIONS contains an unknown action?
> I think you will need to add 'get-secrets' here: https://dxr.mozilla.org/mozilla-central/source/testing/mozharness/scripts/fx_desktop_build.py#30
>
> also, where is `def get_secrets()` defined? I don't see it in https://dxr.mozilla.org/mozilla-central/source/testing/mozharness/mozharness/mozilla/building/buildbase.py
Hm, it seems to work without that, but yes, it should be in all_actions.
get_secrets is defined in the SecretsMixin.
Assignee | ||
Comment 119•9 years ago
|
||
https://reviewboard.mozilla.org/r/40625/#review37343
> Hm, it seems to work without that, but yes, it should be in all_actions.
>
> get_secrets is defined in the SecretsMixin.
Oh, sorry, get-secrets is already added there. It's not in dxr since this patch hasn't been landed and dxr shows the contents of mozilla-central. So, nothing to do here.
Comment 120•9 years ago
|
||
https://reviewboard.mozilla.org/r/40625/#review37343
> Oh, sorry, get-secrets is already added there. It's not in dxr since this patch hasn't been landed and dxr shows the contents of mozilla-central. So, nothing to do here.
where is 'there'? is this patch based a project gecko branch? I was just going by the patch and m-c tip because this mozreview patch wouldn't let me expand the context lines down to lines like this: http://hg.mozilla.org/mozilla-central/file/3e04659fdf6a/testing/taskcluster/scripts/builder/build-linux.sh#l132
Assignee | ||
Comment 121•9 years ago
|
||
The changes you were looking for are in a different, earlier diff in the same review request. Given that, r?
Comment 122•9 years ago
|
||
Comment on attachment 8731475 [details]
MozReview Request: Bug 1231320: supply actions to mozharness from the task definition; r?jlund
https://reviewboard.mozilla.org/r/40625/#review37429
given https://bugzilla.mozilla.org/show_bug.cgi?id=1231320#c121 r+ :shipit:
Attachment #8731475 -
Flags: review+
Comment 123•9 years ago
|
||
Comment 124•9 years ago
|
||
/me doesn't understand mozreview, I thought I'd r+'d twice already! Looks like for some reason comment 116 didn't trigger the r+ though ... :/
Anyway, r+ ! :)
Comment 125•9 years ago
|
||
Comment on attachment 8701603 [details]
MozReview Request: Bug 1231320: support min_scm_level and default secret specs; r=mshal r=garndt r=pmoore
https://reviewboard.mozilla.org/r/28995/#review37543
Thunderbirds are Go!
Attachment #8701603 -
Flags: review?(pmoore) → review+
Assignee | ||
Comment 126•9 years ago
|
||
Yeah, this bug has been a case study in mozreview failing, sorry about that and thanks for the r+
Comment 127•9 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/c6dfcdd2e01f
https://hg.mozilla.org/mozilla-central/rev/49ffdc680d6d
https://hg.mozilla.org/mozilla-central/rev/f62f79171edb
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•