Closed
Bug 1508383
Opened 6 years ago
Closed 5 years ago
[docker-worker] Add support for rootUrls with taskcluster-proxy
Categories
(Taskcluster :: Workers, enhancement)
Taskcluster
Workers
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dustin, Assigned: dustin)
References
Details
Take a root URL as configuration, required Pass root URL to taskcluster-proxy pass TASKCLUSTER_PROXY_URL and TASKCLUSTER_ROOT_URL to tasks
Assignee | ||
Comment 1•6 years ago
|
||
> Take a root URL as configuration, required - bug 1469617 > Pass root URL to taskcluster-proxy > pass TASKCLUSTER_PROXY_URL and TASKCLUSTER_ROOT_URL to tasks - https://github.com/taskcluster/docker-worker/pull/418 (Note that this can't land until bug 1460015 does..)
Assignee | ||
Updated•5 years ago
|
Blocks: redeploy-firefox-ci
Assignee | ||
Comment 2•5 years ago
|
||
I know at least one user of Taskcluster is creating artifacts on the current task directly from within the task, via tc-proxy. The problem is, this functionality depends on a bug in an old version of tc-proxy, and docker-worker was never upgraded to use newer versions. Docker-worker invokes tc-proxy as --client-id=.. --access-token=.. --certificate=.. <scope1> <scope2> .. where the <scope1> .. come from task.scopes. Here's the bug: in taskcluster-proxy-4.0.1, if `--task-id` is not given, then the additional scopes are ignored and the proxy uses the full credentials of the task claim, which include queue:create-artifact:<taskId>/<runId>. This bug was fixed in 4.1.0 (https://github.com/taskcluster/taskcluster-proxy/pull/31) but that was never deployed. So tasks have been running with additional scopes available via the proxy, specifically allowing those tasks to upload artifacts. And at least some tasks have taken advantage of that functionality. To make matters worse, the current queue API requires the following for createArtifact: any of queue:create-artifact:<taskId>/<runId> or all of queue:create-artifact:<name> and assume:worker-id:<workerGroup>/<workerId> and neither the <taskId> nor <workerGroup> are known at task creation time, so those cannot be hard-coded into the task definition. In other words, if we "fix" this bug, then it's impossible to upload artifacts during task execution -- and that's a feature we do not want to remove. I am going to apply the following solution: workers will supply the task's scopes to the proxy, as well as queue:create-artifact:<taskId>/<runId>. I'll do the same in generic-worker.
Assignee | ||
Comment 3•5 years ago
|
||
https://github.com/taskcluster/docker-worker/pull/421 is somewhat related here, too..
Comment 4•5 years ago
|
||
Commits pushed to master at https://github.com/taskcluster/docker-worker https://github.com/taskcluster/docker-worker/commit/5fc3ef962587c6e1ed69b163f9c9e5027f5b89a7 Bug 1508383 - set TASKCLUSTER_{ROOT,PROXY}_URL for tasks https://github.com/taskcluster/docker-worker/commit/0f8016f9f41ab5837f9e7923b4948b1d44dc5746 Bug 1508383 - pass --root-url to taskcluster-proxy https://github.com/taskcluster/docker-worker/commit/e27ee553976bfd0c3be567516267cd2f4671d758 Bug 1508383 - allow proxy to create artifacts, too https://github.com/taskcluster/docker-worker/commit/415273af4820e926cc861cb115d8e88d13291f30 Bug 1508383 - update docs https://github.com/taskcluster/docker-worker/commit/9dbb6d7377b033ecf2179ce3dac9ea3350c11498 Merge pull request #418 from djmitche/bug1508383 Bug 1508383 - pass TASKCLUSTER_{ROOT,PROXY}_URL to tasks
Assignee | ||
Comment 5•5 years ago
|
||
Wander, did this end up getting deployed? If not, what do you think is the best approach to getting it deployed?
Flags: needinfo?(wcosta)
Assignee | ||
Comment 7•5 years ago
|
||
my hero!
Assignee | ||
Comment 8•5 years ago
|
||
Deployed today! Thanks Wander!
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Updated•5 years ago
|
Component: Docker-Worker → Workers
You need to log in
before you can comment on or make changes to this bug.
Description
•