Closed Bug 1385094 Opened 3 years ago Closed 3 years ago

Allow support for taskgraph tasks to refer to indexed docker images, in addition to in-tree and docker-hub images.

Categories

(Firefox Build System :: Task Configuration, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
mozilla57

People

(Reporter: tomprince, Assigned: tomprince)

Attachments

(2 files)

No description provided.
As a minimal product, I intend to depend on the latest images generated from mozilla-central, rather than building them in-tree. Thunderbird doesn't currently have any dependencies over-and-above those needed for Firefox, so this avoids needing to figure out how to manage generating images to get a working taskcluster build going.

There is a potential race condition, if the docker image changes and then a comm-central build is triggered before the corresponding mozilla-central build of the docker image has completed, but Thunderbird has a low enough velocity that that is worth worrying about for an MVP.
Comment on attachment 8897975 [details]
Bug 1385094 - Don't include docker image in chain of trust for builds if not using an in-tree image;

https://reviewboard.mozilla.org/r/169284/#review174626

There are also chain-of-trust references in the l10n and repackage transforms. But I wonder if it would make more sense to add the docker-image task to the chain-of-trust inputs once when converting the 'in-tree' to an explicit task-reference, rather than having that code spread out handling that.

My inclination is to land this as-is for the moment, and file a bug to follow up on centralizing the cot handling of docker images.
Comment on attachment 8891063 [details]
Bug 1385094 - Allow support for taskgraph tasks to refer to indexed docker images, in addition to in-tree and docker-hub images.

https://reviewboard.mozilla.org/r/162242/#review174954
Attachment #8891063 - Flags: review?(dustin) → review+
Comment on attachment 8897975 [details]
Bug 1385094 - Don't include docker image in chain of trust for builds if not using an in-tree image;

https://reviewboard.mozilla.org/r/169284/#review174990
Attachment #8897975 - Flags: review?(dustin) → review+
Comment on attachment 8897975 [details]
Bug 1385094 - Don't include docker image in chain of trust for builds if not using an in-tree image;

https://reviewboard.mozilla.org/r/169284/#review174996

This makes sense.
I believe docker-worker builds that don't have allowlisted docker shas (currently decision, docker-image tasks), that don't have this `task.extra.chainOfTrust.inputs` specified, will fail chain of trust verification. This patch should allow for the task graph generation to proceed, however.
Attachment #8897975 - Flags: review?(aki) → review+
Keywords: checkin-needed
Comment on attachment 8897975 [details]
Bug 1385094 - Don't include docker image in chain of trust for builds if not using an in-tree image;

https://reviewboard.mozilla.org/r/169284/#review174996

Yeah. I'm planning on using this in comm-central, which is some ways away from caring about chain-of-trust.

My plan is to use indexed images from gecko builds for these, so it may be possible to chain trust that way. But I'm just going to kick this can down the road for the moment.
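
The rule discussed in the two comments above, as a simplified model added here; it is not code from this bug, from taskgraph, or from the chain-of-trust verifier. The `docker-image` input key and the payload shapes are assumptions, and the hashes, task ids and index namespace are constructed samples.

```python
# Added illustration; a simplified model, not scriptworker or taskgraph code.
# Constructed allowlist of pinned image hashes per task kind.
ALLOWLISTED_SHAS = {"decision": {"sha256:" + "a" * 64},
                    "docker-image": {"sha256:" + "b" * 64}}
IMAGE_TYPES = {"task-image": "in-tree", "indexed-image": "indexed"}


def image_source(task):
    """Classify payload.image as docker-hub, in-tree, indexed or unknown."""
    image = task["payload"]["image"]
    if isinstance(image, str):
        return "docker-hub"
    return IMAGE_TYPES.get(image.get("type"), "unknown")


def verify_docker_image(task, kind, image_sha=None):
    """Return a list of problems; empty means the image is accounted for."""
    image = task["payload"]["image"]
    inputs = task.get("extra", {}).get("chainOfTrust", {}).get("inputs", {})
    source = image_source(task)
    if source == "in-tree":
        # The image-building task must be declared as an input so the
        # verifier can trace it (assumed key name: "docker-image").
        if inputs.get("docker-image") != image.get("taskId"):
            return ["docker-image input missing or != payload.image.taskId"]
        return []
    if kind in ALLOWLISTED_SHAS:
        # No traceable builder: the worker-reported hash must be pinned.
        if image_sha in ALLOWLISTED_SHAS[kind]:
            return []
        return ["image sha not allowlisted for kind %r" % kind]
    return ["%s image on kind %r: no input and no allowlist" % (source, kind)]


# Constructed task definitions (task id and index namespace are made up).
IN_TREE = {
    "payload": {"image": {"type": "task-image", "taskId": "EXAMPLE-TASK-ID",
                          "path": "public/image.tar.zst"}},
    "extra": {"chainOfTrust": {"inputs": {"docker-image": "EXAMPLE-TASK-ID"}}},
}
INDEXED = {"payload": {"image": {
    "type": "indexed-image", "namespace": "example.index.namespace",
    "path": "public/image.tar.zst"}}}
DECISION = {"payload": {"image": "example/decision:latest"}}

if __name__ == "__main__":
    for task, kind in [(IN_TREE, "build"), (INDEXED, "build")]:
        print(image_source(task), kind, verify_docker_image(task, kind))
```

In this model a build that uses an indexed image generates a valid task definition but has nothing for the verifier to trace or pin, which is the gap both comments acknowledge.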
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/3a098a3e8e05
Allow support for taskgraph tasks to refer to indexed docker images, in addition to in-tree and docker-hub images. r=dustin
https://hg.mozilla.org/integration/autoland/rev/9eb2c6019ba0
Don't include docker image in chain of trust for builds if not using an in-tree image; r=aki,dustin
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/3a098a3e8e05
https://hg.mozilla.org/mozilla-central/rev/9eb2c6019ba0
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
Blocks: 1408574
Product: TaskCluster → Firefox Build System