Closed Bug 1302375 Opened 8 years ago Closed 8 years ago

Update HG to 3.9.1 on Windows Builders

Categories

(Infrastructure & Operations :: RelOps: General, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: aselagea, Assigned: markco)

References

Details

Attachments

(3 files)

      No description provided.
I was wondering if there's anyone who could help with the Mercurial upgrade on Windows (both builders and testers). Noticed that :markco worked on this for the last upgrade, so maybe he could provide some directions :-)
Flags: needinfo?(mcornmesser)
See Also: → 1302376
I got this. 
Is there specific time frame in which we need the upgrade?
Assignee: relops → mcornmesser
Flags: needinfo?(mcornmesser)
(In reply to Mark Cornmesser [:markco] from comment #2)
> I got this. 
> Is there specific time frame in which we need the upgrade?

The SSL certificate change for hg.mozilla.org is scheduled for 2016-09-21T1700+0000. I don't think we can make the upgrade until that, so I've asked gps for some suggestions on how to deal with this when that time comes (see https://bugzilla.mozilla.org/show_bug.cgi?id=1298976#c3).
(In reply to Alin Selagea [:aselagea][:buildduty] from comment #3)
> (In reply to Mark Cornmesser [:markco] from comment #2)
> > I got this. 
> > Is there specific time frame in which we need the upgrade?
> 
> The SSL certificate change for hg.mozilla.org is scheduled for
> 2016-09-21T1700+0000. I don't think we can make the upgrade until that, so
> I've asked gps for some suggestions on how to deal with this when that time
> comes (see https://bugzilla.mozilla.org/show_bug.cgi?id=1298976#c3).

With a newer hg you can switch earlier, as long as you follow the advice in:

https://bugzilla.mozilla.org/show_bug.cgi?id=1147548#c12

Otherwise, if the hg upgrade isn't ready by then, we'll need to update the cert pins no earlier than that moment
The cert expires on the 28th. We were going to try switching it on the 21st, but it's unlikely that gives us enough time to do an hg upgrade on windows testers. Instead, we're going to switch the cert on the 26th. If hg is not upgraded by that time, we will need to take a downtime to upgrade the hg configuration to change the hash for the pinned certs.
Updated win 7 AMI with hg 3.9.1 .

Q: could you review and merge, please?
Attachment #8793353 - Flags: review?(q)
Attachment #8793353 - Flags: review?(q) → review+
Because 2008 is blocked by the above mentioned bug all hg servers pinning have been removed form the mercurial.ini with a patch on bug 1302376.
Depends on: 1304791
Attached patch Bug1302375.patchSplinter Review
Attachment #8796611 - Flags: review?(aselagea)
Comment on attachment 8796611 [details] [diff] [review]
Bug1302375.patch

-[hostfingerprints]
-ftp-ssl.mozilla.org = 9d:8e:3e:7c:4a:33:6f:53:c6:64:a8:48:d3:ea:72:05:f0:73:a4:90
-<% else -%>
 [hostsecurity]
 hg.mozilla.org:fingerprints = sha256:8E:AD:F7:6A:EB:44:06:15:ED:F3:E4:69:A6:64:60:37:2D:FF:98:88:37:BF:D7:B8:40:84:01:48:9C:26:CE:D9, sha256:81:3D:75:69:E3:76:F8:5B:31:1E:92:C9:CF:56:23:F6:4B:C2:82:77:E3:63:FB:7F:28:65:D0:9A:88:FB:BE:B7
 ftp-ssl.mozilla.org:fingerprints = 9d:8e:3e:7c:4a:33:6f:53:c6:64:a8:48:d3:ea:72:05:f0:73:a4:90
-<% end -%>
-<% else -%>
-[hostsecurity]
-hg.mozilla.org:fingerprints = sha256:8E:AD:F7:6A:EB:44:06:15:ED:F3:E4:69:A6:64:60:37:2D:FF:98:88:37:BF:D7:B8:40:84:01:48:9C:26:CE:D9, sha256:81:3D:75:69:E3:76:F8:5B:31:1E:92:C9:CF:56:23:F6:4B:C2:82:77:E3:63:FB:7F:28:65:D0:9A:88:FB:BE:B7
 ftp-ssl.mozilla.org:fingerprints = 9d:8e:3e:7c:4a:33:6f:53:c6:64:a8:48:d3:ea:72:05:f0:73:a4:90
-<% end -%>
+
 [web]
 <% if scope.lookupvar('::operatingsystem') != 'windows' -%>
 cacerts = /builds/mercurial-certs/cacert.pem

There's a duplicate line for ftp-ssl.mozilla.org:fingerprints, so one of them will need to be removed.

r+ with that change.
Attachment #8796611 - Flags: review?(aselagea) → review+
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Mon Oct 03 11:01:40 -0700 2016 Puppet (err): Could not set 'file' on ensure: No such file or directory - C:/mozilla-build/hg/hgrc.d/cacert.pem20161003-1812-kyr292.lock at 27:/etc/puppet/production/modules/mercurial/manifests/cacert.pp

Mon Oct 03 11:01:40 -0700 2016 Puppet (err): Could not set 'file' on ensure: No such file or directory - C:/mozilla-build/hg/hgrc.d/cacert.pem20161003-1812-kyr292.lock at 27:/etc/puppet/production/modules/mercurial/manifests/cacert.pp

Wrapped exception:

No such file or directory - C:/mozilla-build/hg/hgrc.d/cacert.pem20161003-1812-kyr292.lock

Mon Oct 03 11:01:40 -0700 2016 /Stage[main]/Mercurial::Cacert/File[C:/mozilla-build/hg/hgrc.d/cacert.pem]/ensure (err): change from absent to file failed: Could not set 'file' on ensure: No such file or directory - C:/mozilla-build/hg/hgrc.d/cacert.pem20161003-1812-kyr292.lock at 27:/etc/puppet/production/modules/mercurial/manifests/cacert.pp
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Change the cacert.pem location to a directory that is consistent across HG version installs.
Attachment #8797239 - Flags: review?(arich)
Attachment #8797239 - Flags: review?(arich) → review+
Status: REOPENED → RESOLVED
Closed: 8 years ago8 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: