Closed Bug 1408458 Opened 7 years ago Closed 2 years ago

Package Visual Studio in a taskcluster toolchain job

Categories

(Firefox Build System :: Task Configuration, task)

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1289641

People

(Reporter: rillian, Unassigned)

Now that we can generate internal-only toolchain artifacts on taskcluster, hook up the build/windows_toolchain.py script to a new taskcluster/ci/toolchain job. This will let us replace manual upload and update of the tooltool manifests with toolchain keys on the various build jobs.
From :ted on irc, this is blocked on figuring out a way to run the vs installer without admin privileges.
http://logs.glob.uno/?c=mozilla%23build&s=12+Oct+2017&e=12+Oct+2017#c61419
http://logs.glob.uno/?c=mozilla%23taskcluster&s=13+Oct+2017&e=13+Oct+2017#c226179
Blocks: 1270667
Alternatively, we could create a special worker type which allows admin escalation. The concern here is security. We can address code injection by retiring the special worker's host vm after the task completes. This is expensive, but less expensive than it used to be with AWS per-second billing, and the fact that we don't update toolchains very often. Even with that, it's possible admin access could make readable private data from the taskcluster layer, which was then exported as an artifact. Another isolation layer may be needed to address this. The installer is a gui (an electron app) so it's unlikely to run under docker. Maybe some scheme with the taskcluster worker remote-controlling a separate child vm could work. We could also reverse-engineer the installer, but that will probably be brittle.
Jonas, is this a task we can run in packet.net using QEMU engine, with the goal of migrating to EC2 engine when EC2 engine is implemented?
Flags: needinfo?(jopsen)
TIL that Microsoft started publishing NuGet packages of their toolchain: https://blogs.msdn.microsoft.com/vcblog/2016/04/26/stay-up-to-date-with-the-visual-c-tools-on-nuget/ In a note there they say: "Update 3 Mar ’17: A number of people have asked if a ZIP of our toolset is available. You might not realize it, but the NuGet format is just a ZIP file with an extra metadata file. If you download the current NuGet package and rename the file from .nuget to .zip you can open it in Windows Explorer. You’ll find our toolset under “lib\native”." We'll need to try this out to find out if it has everything we need for builds (SDKs, etc), but if so this will make the problem much more tractable and we don't have to worry about running the installer.
I ran into that after gps mentioned that Microsoft now publishes *daily* toolchain packages: https://blogs.msdn.microsoft.com/vcblog/2016/02/16/try-out-the-latest-c-compiler-toolset-without-waiting-for-the-next-update-of-visual-studio/ ...so if we got this working we could even set up a build job against their latest toolchain, which would be neat.
More follow-up from IRC. NuGet packages are .zip files with an included manifest. The package feed is an Atom document at https://vcppdogfooding.azurewebsites.net/nuget/Packages with the package at the src url of the <content> element. Size and checksum are included in the dataservices namespace entries under the same <entry>. You have to use GET, the server returns 404 for HEAD requests. The toolchain packages don't include the SDK, but this has an ISO download we could unpack. https://developer.microsoft.com/en-us/windows/downloads/windows-10-sdk
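The feed lookup described in the comment above, as an added example that is not part of the original bug or Mozilla's code: it reads the `<content>` `src` URL plus the size and checksum from an `<entry>`, then checks downloaded bytes against them. The `PackageSize`, `PackageHash` and `PackageHashAlgorithm` element names follow the NuGet v2 feed layout and are an assumption here (the comment does not name them); the sample feed, URL and package name are constructed.

```python
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Namespaces of a NuGet v2 (OData) Atom feed; element names below are assumed.
NS = {
    "a": "http://www.w3.org/2005/Atom",
    "d": "http://schemas.microsoft.com/ado/2007/08/dataservices",
    "m": "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata",
}
ALLOWED = {"SHA512": hashlib.sha512, "SHA256": hashlib.sha256}

def parse_entries(feed_xml):
    """Return src URL, expected size and hash for each usable <entry>."""
    found = []
    for entry in ET.fromstring(feed_xml).findall("a:entry", NS):
        content = entry.find("a:content", NS)
        props = entry.find("m:properties", NS)
        if content is None or props is None or not content.get("src"):
            continue
        fields = [props.findtext("d:" + n, namespaces=NS)
                  for n in ("PackageSize", "PackageHashAlgorithm", "PackageHash")]
        if None in fields:
            continue  # no size or checksum published: nothing to verify against
        found.append({"src": content.get("src"), "size": int(fields[0]),
                      "algorithm": fields[1].upper(), "hash": fields[2]})
    return found

def verify_package(data, meta):
    """True only if the bytes fetched with GET match the size and digest."""
    make = ALLOWED.get(meta["algorithm"])
    if make is None or len(data) != meta["size"]:
        return False
    expected = base64.b64decode(meta["hash"])
    return hmac.compare_digest(make(data).digest(), expected)

def sample_feed(payload, url="https://feed.example/pkg/example-toolchain.0.0.0"):
    """Constructed one-entry feed for offline testing (not real feed data)."""
    digest = base64.b64encode(hashlib.sha512(payload).digest()).decode()
    return (
        '<feed xmlns="{a}" xmlns:d="{d}" xmlns:m="{m}"><entry>'
        '<content type="application/zip" src="{url}"/><m:properties>'
        '<d:PackageHash>{h}</d:PackageHash>'
        '<d:PackageHashAlgorithm>SHA512</d:PackageHashAlgorithm>'
        '<d:PackageSize m:type="Edm.Int64">{n}</d:PackageSize>'
        '</m:properties></entry></feed>'
    ).format(url=url, h=digest, n=len(payload), **NS)
```

Because the checksum travels in the same feed as the package, this check catches truncated or corrupted downloads; pinning the expected digest in-tree, as the tooltool manifests do, is what guards against an upstream package that has changed.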
> Jonas, is this a task we can run in packet.net using QEMU engine, with the goal of migrating to EC2 engine when EC2 engine is implemented?
Yes, in theory, but I haven't got this landed yet, and then there is still some work to land windows images.
Flags: needinfo?(jopsen)
If we still need admin to do this, we can set up a dedicated worker type for this, if you like. Let me know if this is needed. Thanks!
Component: General → Task Configuration
Product: Taskcluster → Firefox Build System
(In reply to Ralph Giles (:rillian) | needinfo me from comment #1)
> From :ted on irc, this is blocked on figuring out a way to run the vs
> installer without admin privileges.
Those log links were broken:
https://mozilla.logbot.info/build/20171012#c61419
https://mozilla.logbot.info/taskcluster/20171013#c226179
Severity: normal → S3

Is this a duplicate of bug 1289641?

Flags: needinfo?(mh+mozilla)
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1289641
Flags: needinfo?(mh+mozilla)
Resolution: --- → DUPLICATE