Closed
Bug 1415899
Opened 7 years ago
Closed 7 years ago
Add fx-test-jenkins-s3-publisher S3 profile to qa-master.fxtest.jenkins.stage.mozaws.net
Categories
(Cloud Services :: FXTest-infra, enhancement)
Tracking
(Not tracked)
VERIFIED
FIXED
People
(Reporter: davehunt, Assigned: ckolos)
In order to publish to S3 from the new Jenkins host at qa-master.fxtest.jenkins.stage.mozaws.net the following profiles need to be created:

net-mozaws-stage-fx-test-activedata
net-mozaws-stage-fx-test-treeherder

These are configured in Manage Jenkins > Configure System under the Amazon S3 profiles section. The Use IAM Role checkbox should be enabled, and the permissions on the buckets may need to be modified to allow this host to write to them.

See bug 1352229 comment 3 for details on how the credentials were configured.
Reporter
Comment 1 • 7 years ago
Sorry, a correction. I believe we only need a single profile named fx-test-jenkins-s3-publisher.
Summary: Add S3 profiles to qa-master.fxtest.jenkins.stage.mozaws.net → Add fx-test-jenkins-s3-publisher S3 profile to qa-master.fxtest.jenkins.stage.mozaws.net
Comment 2 • 7 years ago
Which instances need roles? Just the master or master and workers?
Reporter
Comment 3 • 7 years ago
Anywhere that jobs would execute may need to publish to the S3 profile.
Component: Operations → FXTest-infra
QA Contact: rpappalardo
Updated • 7 years ago
Assignee: oremj → ckolos
Assignee
Comment 4 • 7 years ago
I think we'd prefer to use different Access Keys for each profile. If we created IAM accounts in the form of qa-<host>-s3-publisher, would that cause problems for the job configs?
Flags: needinfo?(dave.hunt)
Reporter
Comment 5 • 7 years ago
We currently rely on a default profile of 'fx-test-jenkins-s3-publisher' in the shared library: https://github.com/mozilla/fxtest-jenkins-pipeline/blob/c1e22572071172418cf5bff389ba3ffea0cd8119/vars/publishToS3.groovy#L27

My understanding was that the profile name was only used by Jenkins to establish the credentials and other settings for publishing via S3. We've been using "IAM Role" for authentication, which I believed to mean that the Jenkins instance would have its own role. As far as I can tell from looking through the plugin's source code, the profile name is not used when authenticating with S3. If this is the case, we should be able to have the same profile name on multiple Jenkins instances, but for those instances to have distinct IAM roles/accounts as you're suggesting in comment 4.

I apologise if I've misunderstood, and would appreciate if you could help me to have a better understanding of how the profile names are bound to IAM accounts.
Flags: needinfo?(dave.hunt) → needinfo?(ckolos)
Assignee
Comment 6 • 7 years ago
As shown here: https://screenshots.firefox.com/qgn4H6g0SL82LIIl/fx-test-jenkins.stage.mozaws.net

The s3 publisher uses a specific access key/private key pair to publish to s3. Access keys are associated with IAM (think user) accounts. Each IAM account has a limit of 2 keys active at any one time. Unless we will never have more than one job publishing to an S3 bucket, we will not be able to provide enough keys to cover all the job+profile+bucket combinations. For this reason, we would like to create a separate IAM account for each publishing profile. Ideally, this IAM account would differ in name between stage/prod, but this doesn't have to be the case; we can use each of the two keys in a different env as needed (one in stage, the other in prod).

Does that help?
Flags: needinfo?(ckolos) → needinfo?(dave.hunt)
Reporter
Comment 7 • 7 years ago
As mentioned on IRC we currently have most jobs publishing to two buckets:

Logs are published to 'net-mozaws-stage-fx-test-activedata' for consumption by ActiveData
Artifacts are published to 'net-mozaws-stage-fx-test-treeherder' for display in Treeherder

These are currently hard-coded in the shared library via the submitToActiveData and submitToTreeherder steps, and both also use the hard-coded profile name of 'fx-test-jenkins-s3-publisher'. We could make these steps accept additional arguments for profile and bucket, however in order to use the same pipelines against Jenkins instances with different profile and buckets associated we'd either need to be able to construct the names from existing environment variables, or we'd need to store these values outside of the pipelines and shared library.

If we're going to create multiple buckets for ActiveData, then we'd also need to ask Kyle to set up data ingestion from each new bucket. I'm not sure how much work is involved in this.

I think what would help at this point is a list of the profile and bucket names that you're proposing. From that we can see how much work would be involved in modifying our pipelines and associated services to the new model.

In case it makes any difference, there are currently no plans to publish to any additional buckets, and the only things we currently publish are test logs and reports, which do not contain sensitive information.
Flags: needinfo?(dave.hunt) → needinfo?(ckolos)
Blocks: 1418491
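An added example, not part of the bug thread or of Mozilla's configuration: building a write-only identity policy for a per-host publisher account named in the qa-<host>-s3-publisher form from comment 4, and checking any candidate policy for statements broader than writing to the two buckets named in comment 7. The `s3:PutObject`-only action set and all function names are assumptions.

```python
# Bucket names are the two named in this bug; everything else is assumed.
BUCKETS = [
    "net-mozaws-stage-fx-test-activedata",
    "net-mozaws-stage-fx-test-treeherder",
]
WRITE_ACTIONS = {"s3:PutObject"}  # assumption: publishing only needs object writes

def iam_user_name(host):
    """Per-host account name in the qa-<host>-s3-publisher form from comment 4."""
    return f"qa-{host}-s3-publisher"

def build_publisher_policy(buckets=BUCKETS):
    """Identity policy allowing object writes to the listed buckets only."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "PublishTestResults",
            "Effect": "Allow",
            "Action": sorted(WRITE_ACTIONS),
            "Resource": [f"arn:aws:s3:::{b}/*" for b in buckets],
        }],
    }

def _as_list(value):
    # IAM allows a single string or object where a list is also valid.
    return value if isinstance(value, list) else [value]

def audit_policy(policy, buckets=BUCKETS):
    """Return findings for Allow statements broader than write-to-these-buckets."""
    allowed = {f"arn:aws:s3:::{b}/*" for b in buckets}
    needed = {a.lower() for a in WRITE_ACTIONS}  # action names are case-insensitive
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource in an Allow statement")
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() not in needed:
                findings.append(f"{sid}: action {action} is not needed for publishing")
        for res in _as_list(stmt.get("Resource", [])):
            if res not in allowed:
                findings.append(f"{sid}: resource {res} is outside the publish buckets")
    return findings
```
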
Reporter
Comment 8 • 7 years ago
ActiveData and Treeherder are now working for qa-master.fxtest.jenkins.stage.mozaws.net, which is what this bug was concerning. I have noticed that publishing to S3 from qa-preprod-master.fxtest.jenkins.stage.mozaws.net is failing, but I will file a separate bug for this.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: needinfo?(ckolos)
Resolution: --- → FIXED
Verified FIXED; looked through the build logs, and using https://qa-master.fxtest.jenkins.stage.mozaws.net/job/fxapom.stage/43/console as an example, this is verified.
Status: RESOLVED → VERIFIED