Closed Bug 1282226 Opened 3 years ago Closed 3 years ago

Remove any secrets from phone-builder

Categories

(Firefox OS Graveyard :: GonkIntegration, defect)

ARM
Gonk (Firefox OS)

Tracking

(firefox50 fixed)

RESOLVED FIXED

People

(Reporter: gerard-majax, Assigned: gerard-majax)

Attachments

(3 files)

Let's get rid of any secret in phone-builder. This should allow us to have device images available on try and will make them closer to the rest. This includes:
 - moving blob backups from s3 storage to tooltool (we know this works since the ndk in bug 1282093 is internal-stored)
 - removing balrog secrets (we don't need them anymore)
 - removing symbols upload (same)

Anything else?
Flags: needinfo?(wcosta)
(In reply to Alexandre LISSY :gerard-majax from comment #0)
> Let's get rid of any secret in phone-builder. This should allow us to have
> device images available on try and will make them closer to the rest. This
> includes:
>  - moving blob backups from s3 storage to tooltool (we know this works since
> the ndk in bug 1282093 is internal-stored)
>  - removing balrog secrets (we don't need them anymore)
>  - removing symbols upload (same)
> 
> Anything else?

Looking at how phone-builder is built, I remembered docker-worker provides a bridge for Balrog, so we need to make sure the tasks in try don't have scopes to access Balrog. Since this is not CD specific, I believe this is already implemented somehow. :garndt may have a precise answer for this.

We also need to remove the testing/docker/phone-builder/build.sh file, as well as changing build scripts accordingly. After we are done, I think we can build phone-builder automatically through image builder task.
Flags: needinfo?(wcosta) → needinfo?(garndt)
It appears the scope "docker-worker:feature:balrogVPNProxy" is only added to those having the moz-tree:scm_level_3 role, so try should be safe as long as someone doesn't add that scope.
Flags: needinfo?(garndt)
(In reply to Greg Arndt [:garndt] from comment #2)
> It appears the scope "docker-worker:feature:balrogVPNProxy" is only added to
> those having the moz-tree:scm_level_3 role, so try should be safe as long as
> someone doesn't add that scope.

I have patches that add "balrogVPNProxy" in the "payload/feature" section, not a scope. Is it safe? As far as I can tell I was instructed to add this for tooltool.

Example: https://reviewboard.mozilla.org/r/61074/diff/1#6
Flags: needinfo?(garndt)
Blocks: 1274295
> I have patches that add "balrogVPNProxy" in the "payload/feature" section,
> not a scope. Is it safe? As far as I can tell I was instructed to add this
> for tooltool.
> 
> Example: https://reviewboard.mozilla.org/r/61074/diff/1#6

Hrm, I tried going to that review link and got "You don't have access to this review request."

You can add the payload.feature, and then the worker will not run the task because the task is missing that scope. If you add that scope, then you're going to get an error submitting your push to try because tasks with that scope cannot be submitted.
Flags: needinfo?(garndt)
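
Added example (not part of the bug thread and not Mozilla's code): a small lint for the rule described in the reply above, where a task that enables the feature without the scope is refused by the worker and a task carrying the scope cannot be submitted to try. It assumes features are a name-to-boolean map under `payload.features`; the `unused-scope` verdict and the sample tasks are constructed for this example.

```python
# Added example, not Mozilla's code: lint one task definition against the
# feature/scope rule described in the thread.

# Scope-gated feature named in the thread, with the scope quoted there.
GATED = {"balrogVPNProxy": "docker-worker:feature:balrogVPNProxy"}


def satisfies(granted, required):
    """Taskcluster scope match: exact, or a trailing '*' as a prefix wildcard."""
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return granted == required


def lint_task(task, project):
    """Return (feature, verdict) pairs for the problems found in one task."""
    scopes = task.get("scopes", [])
    # Assumption: features are a name -> bool map under payload.features.
    features = task.get("payload", {}).get("features", {})
    findings = []
    for feature, scope in sorted(GATED.items()):
        enabled = bool(features.get(feature))
        granted = any(satisfies(s, scope) for s in scopes)
        if granted and project == "try":
            # Thread: tasks carrying this scope cannot be submitted to try.
            findings.append((feature, "scope-on-try"))
        elif enabled and not granted:
            # Thread: the worker will not run a task that asks for the
            # feature without holding the matching scope.
            findings.append((feature, "feature-without-scope"))
        elif granted and not enabled:
            # Least privilege (added check): scope held but never used.
            findings.append((feature, "unused-scope"))
    return findings


# Constructed sample tasks (not taken from the real patches).
FEATURE_ONLY = {"scopes": [], "payload": {"features": {"balrogVPNProxy": True}}}
WILDCARD = {"scopes": ["docker-worker:feature:*"], "payload": {"features": {}}}
CLEAN = {"scopes": ["queue:route:index.*"], "payload": {"features": {}}}

if __name__ == "__main__":
    for name, task in [("feature-only", FEATURE_ONLY),
                       ("wildcard", WILDCARD), ("clean", CLEAN)]:
        print(name, lint_task(task, "try"))
```

The wildcard case matters in review: a broad grant such as `docker-worker:feature:*` covers the Balrog scope even though the string `balrogVPNProxy` never appears in the task.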
Attachment #8766086 - Flags: review?(wcosta)
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61074/diff/1-2/
Attachment #8766086 - Flags: review?(wcosta)
Attachment #8766089 - Flags: review?(wcosta)
Comment on attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61126/diff/1-2/
Attachment #8766089 - Flags: review?(wcosta)
Attachment #8766086 - Flags: review?(wcosta)
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61074/diff/2-3/
Blob extraction for Nexus 5 L should be automagic and does not need any tooltool upload.
Comment on attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61126/diff/2-3/
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61074/diff/3-4/
Comment on attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61126/diff/3-4/
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61074/diff/4-5/
Comment on attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

https://reviewboard.mozilla.org/r/61126/#review58266

lgtm. There are some parts in the patch with which I am not entirely intimate, but nothing weird seems to be changed. I also made a comment to remove the validate_task.py script, as it makes no sense anymore.

::: taskcluster/ci/legacy/tasks/builds/b2g_nexus_5l_eng.yml
(Diff revision 4)
> -      DEBUG: 0
> -    command:
> -      - >
> -        checkout-gecko workspace &&
> -        cd ./workspace/gecko/taskcluster/scripts/phone-builder &&
> -        buildbot_step 'Build' ./build-phone.sh $HOME/workspace
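
Review bot: the `command:` block deleted here is the place where the visible lines of b2g_nexus_5l_eng.yml invoke `build-phone.sh`, so after this change the file no longer shows how the build is started. If the command now comes from a shared task definition, a short comment here naming that file would make the inheritance traceable; the same deletion drops `DEBUG: 0`, so check that whatever value the task inherits is the intended one.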

How is this executed now?

::: testing/docker/phone-builder/Dockerfile:16
(Diff revision 4)
>  RUN           yum install -y bc lzop java-1.7.0-openjdk
>  RUN           pip install awscli
>  RUN           npm install -g bower gulp apm grunt-cli
>  
>  # Set a default command useful for debugging
>  ENTRYPOINT ["validate_task.py"]
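
Review bot: `RUN pip install awscli` is still present in the Dockerfile context although the bug moves blob backups from S3 to tooltool; if nothing in the image talks to S3 any more, drop the package so the secret-free image carries no unused AWS client. The `pip install` and `npm install -g` lines are also unpinned, so pinning versions would let the image rebuild reproducibly, and `ENTRYPOINT ["validate_task.py"]` should be removed together with the script.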

The validate_task.py script is not needed anymore, you can kill it.
Attachment #8766089 - Flags: review?(wcosta) → review+
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

https://reviewboard.mozilla.org/r/61074/#review58270
Attachment #8766086 - Flags: review?(wcosta) → review+
Comment on attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61126/diff/4-5/
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61074/diff/5-6/
Pushed by alissy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0759ae91bf94
Kill secrets from phone-builder image and fix aries/hammerhead r=wcosta
https://hg.mozilla.org/integration/autoland/rev/bb6bea23a056
Add aries and nexus 5 to try r=wcosta
Patch for landing on top of inbound
Attachment #8766729 - Flags: review+
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/574892899511
Add aries and nexus 5 to try on a CLOSED TREE r=wcosta
backed out bb6bea23a056 from m-c to resolve a merge conflict problem on m-c
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Backout by cbook@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/4a860475d96a
Backed out changeset bb6bea23a056 for blocking merge from m-i to m-c
Status: REOPENED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Blocks: 1283452