Closed Bug 1455290 Opened 2 years ago Closed 2 years ago

Please create a dedicated docker-worker AMI for Firefox Focus

Categories

(Taskcluster :: Operations and Service Requests, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jlorenzo, Unassigned)

Details

Next week, the Firefox Focus team will have a work week in order to automate the publication of Focus and Klar onto Google Play Store. We plan to re-use the existing signing and pushing infrastructure, which relies on Chain of Trust.

At the moment, their docker-worker tasks are using github-worker. Releng would prefer if we gave them a dedicated set of docker-workers that we can whitelist in [1]. Reusing the level-3 Firefox workers doesn't sound like a good idea, from a security perspective. However, :aki suggested using a different worker type, but with the Firefox keys, if that's less onerous. In fact, :wcosta told me yesterday on IRC, this requires a new GPG key requires a new AMI.

What do you think Wander? 

[1] https://github.com/mozilla-releng/cot-gpg-keys
Flags: needinfo?(wcosta)
(In reply to Johan Lorenzo [:jlorenzo] from comment #0)
> Next week, the Firefox Focus team will have a work week in order to automate
> the publication of Focus and Klar onto Google Play Store. We plan to re-use
> the existing signing and pushing infrastructure, which relies on Chain of
> Trust.
> 
> At the moment, their docker-worker tasks are using github-worker. Releng
> would prefer if we gave them a dedicated set of docker-workers that we can
> whitelist in [1]. Reusing the level-3 Firefox workers doesn't sound like a
> good idea, from a security perspective. However, :aki suggested using a
> different worker type, but with the Firefox keys, if that's less onerous. In
> fact, :wcosta told me yesterday on IRC, this requires a new GPG key requires
> a new AMI.
> 
> What do you think Wander? 
> 
> [1] https://github.com/mozilla-releng/cot-gpg-keys

Creating a new worker type is very straightforward, I can do that. Just give me the requirements for it (or the worker type I should copy from) and I will create it.
Flags: needinfo?(wcosta)
From IRC logs in #taskcluster:

> 13:48:23 UTC <jlorenzo> wcosta: thank you for your answer in bug 1455290. What kind of requirements are you looking for? I'm not sure what are the params a docker-worker instance needs
> 13:49:46 UTC <wcosta> jlorenzo: I think basically the instance types, EBS volume size, etc... If it works in a known worker type, just refer to it "it should behave exactly like worker type XXXX"
> 13:50:43 UTC <jlorenzo> wcosta: okay! it currently works in github-worker. So whatever this machine has is good enough, for now 

Example of usage: https://tools.taskcluster.net/groups/CeZBAqIIQe-npVbvQku0kw/tasks/CeZBAqIIQe-npVbvQku0kw/details
Blocks: 1409091
I created the gecko-focus worker-type.
The gecko-focus worker-type works! We used it in [1]. I successfully verified the signature of [2]. It matched this trusted GPG key [3].

Thank you very much for the help, Wander! 

[1] https://tools.taskcluster.net/groups/T_fqxxv9QMuC0KjRqxAXPw/tasks/T_fqxxv9QMuC0KjRqxAXPw/runs/0/artifacts
[2] https://taskcluster-artifacts.net/T_fqxxv9QMuC0KjRqxAXPw/0/public/chainOfTrust.json.asc
[3] https://github.com/mozilla-releng/cot-gpg-keys/blob/509e5c9cfcede3a8d2f1cd36e08a8eab6231847b/docker-worker/2017-09-19-permanent/docker-worker.pub
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Blocks: 1512631
Component: Service Request → Operations and Service Requests