Closed
Bug 1455290
Opened 7 years ago
Closed 7 years ago
Please create a dedicated docker-worker AMI for Firefox Focus
Categories
(Taskcluster :: Operations and Service Requests, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jlorenzo, Unassigned)
Next week, the Firefox Focus team will have a work week in order to automate the publication of Focus and Klar onto Google Play Store. We plan to re-use the existing signing and pushing infrastructure, which relies on Chain of Trust.
At the moment, their docker-worker tasks are using github-worker. Releng would prefer if we gave them a dedicated set of docker-workers that we can whitelist in [1]. Reusing the level-3 Firefox workers doesn't sound like a good idea, from a security perspective. However, :aki suggested to use a different worker type, but with the Firefox keys, if that's less onerous. In fact, :wcosta told me yesterday on IRC, this requires a new GPG key requires a new AMI.
What do you think, Wander?
[1] https://github.com/mozilla-releng/cot-gpg-keys
Flags: needinfo?(wcosta)
Comment 1•7 years ago
(In reply to Johan Lorenzo [:jlorenzo] from comment #0)
> Next week, the Firefox Focus team will have a work week in order to automate
> the publication of Focus and Klar onto Google Play Store. We plan to re-use
> the existing signing and pushing infrastructure, which relies on Chain of
> Trust.
>
> At the moment, their docker-worker tasks are using github-worker. Releng
> would prefer if we gave them a dedicated set of docker-workers that we can
> whitelist in [1]. Reusing the level-3 Firefox workers doesn't sound like a
> good idea, from a security perspective. However, :aki suggested to use a
> different worker type, but with the Firefox keys, if that's less onerous. In
> fact, :wcosta told me yesterday on IRC, this requires a new GPG key requires
> a new AMI.
>
> What do you think, Wander?
>
> [1] https://github.com/mozilla-releng/cot-gpg-keys
Creating a new worker type is very straightforward; I can do that. Just give me the requirements for it (or the worker type I should copy from) and I will create it.
Flags: needinfo?(wcosta)
Reporter
Comment 2•7 years ago
From IRC logs in #taskcluster:
> 13:48:23 UTC <jlorenzo> wcosta: thank you for your answer in bug 1455290. What kind of requirements are you looking for? I'm not sure what params a docker-worker instance needs
> 13:49:46 UTC <wcosta> jlorenzo: I think basically the instance types, EBS volume size, etc... If it works in a known worker type, just refer to it "it should behave exactly like worker type XXXX"
> 13:50:43 UTC <jlorenzo> wcosta: okay! it currently works in github-worker. So whatever this machine has is good enough, for now
Example of usage: https://tools.taskcluster.net/groups/CeZBAqIIQe-npVbvQku0kw/tasks/CeZBAqIIQe-npVbvQku0kw/details
Comment 3•7 years ago
I created the gecko-focus worker-type.
Reporter
Comment 4•7 years ago
The gecko-focus worker-type works! We used it in [1]. I successfully verified the signature of [2]. It matched this trusted GPG key [3].
Thank you very much for the help, Wander!
[1] https://tools.taskcluster.net/groups/T_fqxxv9QMuC0KjRqxAXPw/tasks/T_fqxxv9QMuC0KjRqxAXPw/runs/0/artifacts
[2] https://taskcluster-artifacts.net/T_fqxxv9QMuC0KjRqxAXPw/0/public/chainOfTrust.json.asc
[3] https://github.com/mozilla-releng/cot-gpg-keys/blob/509e5c9cfcede3a8d2f1cd36e08a8eab6231847b/docker-worker/2017-09-19-permanent/docker-worker.pub
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Assignee
Updated•6 years ago
Component: Service Request → Operations and Service Requests