Closed Bug 1285871 (kinto-dist-0.6.0-stage) Opened 5 years ago Closed 5 years ago

Please deploy kinto-dist 0.6.0 release to kinto-settings STAGE

Categories

(Cloud Services :: Operations: Deployment Requests - DEPRECATED, task)

VERIFIED FIXED

People

(Reporter: rhubscher, Assigned: dmaher)

The major interest in this feature is to prevent the CDN from reusing previous signatures (replay attacks).

See https://github.com/Kinto/kinto-signer/pull/92
@chartjes: The script to validate the new form of signature is here: https://github.com/Kinto/kinto-signer/blob/0.7.0/scripts/validate_signature.py
The package build failed because the "pyldap" module could not be compiled.  This appears to be a new element introduced in 0.6.0.


02:05:18 < phrawzty> natim: pyldap. is that a new dep for 0.6.0 ?
02:14:55 < natim> phrawzty: Oh that's because kinto-dist comes with kinto-ldap
02:15:18 < natim> phrawzty: we won't enable it right away
02:15:35 < natim> But we can add the dependencies to be able to install it
02:15:44 < natim> See https://github.com/Kinto/kinto-ldap#dependencies
02:16:15 < phrawzty> natim: To be clear, are you currently using the kinto-ldap
                     module ?
02:17:07 < natim> What do you mean by currently?
02:17:10 < natim> Currently we are not
02:17:20 < natim> But that's something we want to deploy yes


The installation instructions at the provided URL assume a Debian-based target.  Currently investigating CentOS options.
Dependencies were identified and appropriate modifications were made to the build script[0].

Kinto-dist 0.6.0 has been deployed to Stage for both Kinto and Kinto-Writer.


[0] https://github.com/mozilla-services/svcops/pull/1139
Great thanks Dan. I ran the validate_signature script and it seems to work:

On commit 34175ee37d2951579bd22e59e79b8c9ff5c644e2
~/mozilla/kinto-signer/scripts$ python validate_signature.py 
Signature OK

We need to wait for Mark's patch to land in mozilla-central before going with this change in production.
Flags: needinfo?(mgoodwin)
In the meantime, Chris, we can do some more QA if you'd like.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Ok, mgoodwin told me we just need Bug 1285871 to land (there is already an r+ on it)
Flags: needinfo?(mgoodwin)
We are talking about Bug 1280877.
Depends on: 1280877
=======================
POST-DEPLOYMENT TESTING
=======================

* verified that 'QA cert' in staging contained expected values by looking at https://kinto.stage.mozaws.net/v1/buckets/blocklists/collections/certificates/records
* updated 'QA cert' using https://addons.allizom.org/en-US/admin/models/blocklist/blocklistissuercert/ and changed the issuer and serial number
* requested that :phrawzty activate the xml2kinto job to move the blocklist details into Kinto
* verified that 'QA cert' in staging contained newly updated values by https://kinto.stage.mozaws.net/v1/buckets/staging/collections/certificates/records
* verified that 'QA cert' is also correctly updated at https://kinto.stage.mozaws.net/v1/buckets/blocklists/collections/certificates/records
* no indication that the updated certificates have not been correctly signed. No certificates with the status of waiting to be signed.
* validation script provided as part of Kinto/kinto-signer indicates all signatures are correct

QA approves the deployment to staging and gives permission for deployment to production of kinto-dist 0.6.0
Status: RESOLVED → VERIFIED