Remove any secrets from phone-builder

RESOLVED FIXED

People

(Reporter: gerard-majax, Assigned: gerard-majax)

Tracking

unspecified
ARM
Gonk (Firefox OS)

Firefox Tracking Flags

(firefox50 fixed)

Details

Attachments

(3 attachments)

(Assignee)

Description

2 years ago
Let's get rid of any secret in phone-builder. This should allow us to have device images available on try and will make them closer to the rest. This includes:
 - moving blob backups from s3 storage to tooltool (we know this works since the ndk in bug 1282093 is internal-stored)
 - removing balrog secrets (we don't need them anymore)
 - removing symbols upload (same)

Anything else?
Flags: needinfo?(wcosta)
(In reply to Alexandre LISSY :gerard-majax from comment #0)
> Let's get rid of any secret in phone-builder. This should allow us to have
> device images available on try and will make them closer to the rest. This
> includes:
>  - moving blob backups from s3 storage to tooltool (we know this works since
> the ndk in bug 1282093 is internal-stored)
>  - removing balrog secrets (we don't need them anymore)
>  - removing symbols upload (same)
> 
> Anything else?

Looking at how phone-builder is built, I remembered docker-worker provides a bridge for Balrog, so we need to make sure the tasks in try don't have scopes to access Balrog. Since this is not CD specific, I believe this is already implemented somehow. :garndt may have a precise answer for this.

We also need to remove the testing/docker/phone-builder/build.sh file, as well as changing build scripts accordingly. After we are done, I think we can build phone-builder automatically through image builder task.
Flags: needinfo?(wcosta) → needinfo?(garndt)

Comment 2

2 years ago
It appears the scope "docker-worker:feature:balrogVPNProxy" is only added to those having the moz-tree:scm_level_3 role, so try should be safe as long as someone doesn't add that scope.
Flags: needinfo?(garndt)
(Assignee)

Comment 3

2 years ago
(In reply to Greg Arndt [:garndt] from comment #2)
> It appears the scope "docker-worker:feature:balrogVPNProxy" is only added to
> those having the moz-tree:scm_level_3 role, so try should be safe as long as
> someone doesn't add that scope.

I have patches that add "balrogVPNProxy" in the "payload/feature" section, not a scope. Is it safe? As far as I can tell I was instructed to add this for tooltool.

Example: https://reviewboard.mozilla.org/r/61074/diff/1#6
Flags: needinfo?(garndt)
(Assignee)

Updated

2 years ago
Blocks: 1274295

Comment 4

2 years ago
> I have patches that add "balrogVPNProxy" in the "payload/feature" section,
> not a scope. Is it safe? As far as I can tell I was instructed to add this
> for tooltool.
> 
> Example: https://reviewboard.mozilla.org/r/61074/diff/1#6

Hrm, I tried going to that review link and got "You don't have access to this review request."

You can add the payload.feature, and then the worker will not run the task because the task is missing that scope.  If you add that scope, then you're going to get an error submitting your push to try because tasks with that scope cannot be submitted.
Flags: needinfo?(garndt)
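
The rule described in comments 2 and 4, written as a lint over task definitions. This is an added example, not code from this bug or from docker-worker; the task dict shape, the function names and the `is_try` flag are assumptions, and the sample tasks are constructed.

```python
# Added example: lint task definitions against the scope rule from comments 2 and 4.
# Assumption: a task is a dict with "scopes" (list) and "payload" -> "features" (dict).
SCOPE_PREFIX = "docker-worker:feature:"
# The only feature this bug names as scope-gated; extend for other gated features.
GATED_FEATURES = {"balrogVPNProxy"}


def has_scope(scopes, required):
    """Scope match: exact, or a granted scope ending in '*' used as a prefix."""
    for granted in scopes:
        if granted == required:
            return True
        if granted.endswith("*") and required.startswith(granted[:-1]):
            return True
    return False


def lint_task(task, is_try):
    """Return a list of (severity, message) findings for one task."""
    findings = []
    scopes = task.get("scopes", [])
    features = task.get("payload", {}).get("features", {})
    for name in sorted(GATED_FEATURES):
        required = SCOPE_PREFIX + name
        enabled = bool(features.get(name))
        scoped = has_scope(scopes, required)
        if enabled and not scoped:
            findings.append(("error", f"{name} enabled without {required}: worker will not run the task"))
        if scoped and is_try:
            findings.append(("error", f"{required} present on a try task: push will be rejected"))
        if scoped and not enabled:
            findings.append(("warn", f"{required} granted but {name} not enabled: drop the unused scope"))
    return findings


# Constructed sample tasks (not taken from the patches in this bug).
FEATURE_ONLY = {"scopes": [], "payload": {"features": {"balrogVPNProxy": True}}}
LEVEL3_TASK = {"scopes": [SCOPE_PREFIX + "balrogVPNProxy"],
               "payload": {"features": {"balrogVPNProxy": True}}}
WILDCARD_ON_TRY = {"scopes": ["docker-worker:feature:*"],
                   "payload": {"features": {"balrogVPNProxy": True}}}
CLEAN_TRY_TASK = {"scopes": [], "payload": {"features": {}}}

if __name__ == "__main__":
    for label, task, is_try in [("feature-only", FEATURE_ONLY, True),
                                ("level-3", LEVEL3_TASK, False),
                                ("wildcard-on-try", WILDCARD_ON_TRY, True)]:
        print(label, lint_task(task, is_try))
```

The wildcard case is included because a broad `docker-worker:feature:*` grant satisfies the same check as the exact scope and is easy to miss in review.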
(Assignee)

Comment 5

2 years ago
Created attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review commit: https://reviewboard.mozilla.org/r/61074/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/61074/
Attachment #8766086 - Flags: review?(wcosta)
(Assignee)

Updated

2 years ago
Attachment #8766086 - Flags: review?(wcosta)
(Assignee)

Comment 6

2 years ago
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61074/diff/1-2/
Attachment #8766086 - Flags: review?(wcosta)
(Assignee)

Updated

2 years ago
Attachment #8766086 - Flags: review?(wcosta)
(Assignee)

Comment 7

2 years ago
Created attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

Review commit: https://reviewboard.mozilla.org/r/61126/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/61126/
Attachment #8766089 - Flags: review?(wcosta)
(Assignee)

Updated

2 years ago
Attachment #8766089 - Flags: review?(wcosta)
(Assignee)

Comment 8

2 years ago
Comment on attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61126/diff/1-2/
Attachment #8766089 - Flags: review?(wcosta)
Attachment #8766086 - Flags: review?(wcosta)
(Assignee)

Comment 9

2 years ago
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61074/diff/2-3/
(Assignee)

Comment 10

2 years ago
Blobs extraction for Nexus 5 L should be automagic and does not need any tooltool upload.
(Assignee)

Comment 11

2 years ago
Comment on attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61126/diff/2-3/
(Assignee)

Comment 12

2 years ago
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61074/diff/3-4/
(Assignee)

Comment 13

2 years ago
Comment on attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61126/diff/3-4/
(Assignee)

Comment 14

2 years ago
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61074/diff/4-5/
Comment on attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

https://reviewboard.mozilla.org/r/61126/#review58266

lgtm. There are some parts in the patch which I am not entirely intimate with, but nothing weird seems to be changed. I also made a comment to remove the validate_task.py script, as it makes no sense anymore.

::: taskcluster/ci/legacy/tasks/builds/b2g_nexus_5l_eng.yml
(Diff revision 4)
> -      DEBUG: 0
> -    command:
> -      - >
> -        checkout-gecko workspace &&
> -        cd ./workspace/gecko/taskcluster/scripts/phone-builder &&
> -        buildbot_step 'Build' ./build-phone.sh $HOME/workspace
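
Review bot: the last three removed lines drop the only visible call to `checkout-gecko` and `./build-phone.sh`, and nothing in this hunk replaces them. Either keep a `command:` entry in b2g_nexus_5l_eng.yml or add a comment naming the inherited task definition that now supplies it, so a reader of this file can tell what the task runs.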

How is this executed now?

::: testing/docker/phone-builder/Dockerfile:16
(Diff revision 4)
>  RUN           yum install -y bc lzop java-1.7.0-openjdk
>  RUN           pip install awscli
>  RUN           npm install -g bower gulp apm grunt-cli
>  
>  # Set a default command useful for debugging
>  ENTRYPOINT ["validate_task.py"]
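
Review bot: `RUN pip install awscli` stays as context in this hunk although the bug's goal is to move blob backups off s3 storage. If nothing in the image still calls the AWS CLI, drop that line so the image carries no tooling that expects credentials. The `pip install` and `npm install -g` lines also fetch unpinned versions; pinning them would make image rebuilds reproducible.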

The validate_task.py script is not needed anymore, you can kill it.
Attachment #8766089 - Flags: review?(wcosta) → review+
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

https://reviewboard.mozilla.org/r/61074/#review58270
Attachment #8766086 - Flags: review?(wcosta) → review+
(Assignee)

Comment 17

2 years ago
Comment on attachment 8766089 [details]
Bug 1282226 - Kill secrets from phone-builder image and fix aries/hammerhead

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61126/diff/4-5/
(Assignee)

Comment 18

2 years ago
Comment on attachment 8766086 [details]
Bug 1282226 - Add aries and nexus 5 to try

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/61074/diff/5-6/

Comment 20

2 years ago
Pushed by alissy@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/0759ae91bf94
Kill secrets from phone-builder image and fix aries/hammerhead r=wcosta
https://hg.mozilla.org/integration/autoland/rev/bb6bea23a056
Add aries and nexus 5 to try r=wcosta
(Assignee)

Comment 21

2 years ago
Created attachment 8766729 [details] [diff] [review]
Add aries and nexus 5 to try

Patch for landing on top of inbound
Attachment #8766729 - Flags: review+

Comment 22

2 years ago
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/574892899511
Add aries and nexus 5 to try on a CLOSED TREE r=wcosta

Comment 23

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/0759ae91bf94
https://hg.mozilla.org/mozilla-central/rev/bb6bea23a056
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox50: --- → fixed
Resolution: --- → FIXED
backed out bb6bea23a056 from m-c to resolve a merge conflict problem on m-c
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

Comment 25

2 years ago
Backout by cbook@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/4a860475d96a
Backed out changeset bb6bea23a056 for blocking merge from m-i to m-c
(Assignee)

Updated

2 years ago
Status: REOPENED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
(Assignee)

Updated

2 years ago
Blocks: 1283452