Closed Bug 1590910 Opened 5 years ago Closed 5 years ago

Get working win2012r2 AMIs in community-tc

Categories

(Taskcluster :: Operations and Service Requests, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: dustin, Assigned: miles)

For a few projects' CI, we need a rough-and-ready AMI that runs in the community deployment. Nothing fancy, just win2012r2 in multi-user mode, with the aws-provider support baked in.

From discussion with pete, the quick way to do this is to do some minor hacking in the generic-worker repo to get the image-building support to write to the right AWS account and not try to update aws-provisioner. Miles offered to work on that.

Pete pointed out that there's already a GCP image that works:
https://github.com/taskcluster/mozilla-history/blob/master/WorkerPools/pmoore-test%E2%81%84win2012r2
but no AWS image. Let's still try baking one directly so that we know how to do it, and I will try using this GCP image for git-cinnabar.

shared with

gcloud projects add-iam-policy-binding "${GCP_PROJECT}" --member serviceAccount:taskcluster-worker-manager@taskcluster-temp-workers.iam.gserviceaccount.com --role roles/compute.imageUser

Note for the gcp project, if you want to create new images, you might want to change this (ideally make it configurable):

https://github.com/taskcluster/generic-worker/blob/43d378d34efb6c277927784b198a6b099624bc4a/worker_types/update_gcp.sh#L1

Looks like I hardcoded it, and never got round to making it configurable. Sorry!

I generated some win2012r2 generic-worker AMIs in the moz-fx-tc-community-workers account:

  • us-east-1: ami-04ff4e4c220abce54
  • us-west-1: ami-070ee00d395f493d3
  • us-west-2: ami-02161407768d981ea

I didn't do anything fancy to generate these, just ./worker_type.sh aws ci/win2012r2 update (without taskcluster creds so there wouldn't be an attempt to update aws-provisioner).

As of yet untested, but that's what we're here for!

Miles is going to work on testing that. In bug 1591243 I'll work on adding support for configuring g-w AWS instances in community-tc-config.

OK, this is up to the point of

2019/10/25 00:29:28 UTC Invalid config: Config setting "ed25519SigningKeyLocation" has not been defined

I'm not sure how to fix that without providing a signing key?

(In reply to Dustin J. Mitchell [:dustin] (he/him) from comment #6)

> OK, this is up to the point of
>
> 2019/10/25 00:29:28 UTC Invalid config: Config setting "ed25519SigningKeyLocation" has not been defined
>
> I'm not sure how to fix that without providing a signing key?

See the config from comment 7. For win2012r2 the key is generated here.

Note, we don't currently publish the ed25519 public key anywhere, but if we did, it would enable people to verify the authenticity of task artifacts. As far as I am aware, only gecko level 3 build tasks currently sign their artifacts, but the feature is available to all workers, so that any task can potentially sign its artifacts so that their authenticity can be verified downstream.
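
An added example (not part of the bug discussion and not generic-worker's own code) of the downstream check the last comment describes: a worker signs a manifest of artifact digests with its ed25519 key, and a consumer holding the published public key verifies the signature and then the artifact. The manifest layout, the artifact name and the all-zero seed are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Manifest maps artifact names to hex SHA-256 digests. This layout is an
// assumption for illustration, not generic-worker's actual signed format.
type Manifest map[string]string

func digest(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// SignManifest is the worker side: serialize the manifest and sign the bytes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	if raw, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyArtifact is the downstream side: check the signature over the exact
// manifest bytes before parsing them, then compare the artifact's digest.
func VerifyArtifact(pub ed25519.PublicKey, raw, sig []byte, name string, content []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, raw, sig) {
		return fmt.Errorf("manifest signature invalid")
	}
	var m Manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return err
	}
	if want, ok := m[name]; !ok {
		return fmt.Errorf("artifact %q not covered by signature", name)
	} else if digest(content) != want {
		return fmt.Errorf("artifact %q digest mismatch", name)
	}
	return nil
}

func main() {
	// Constructed key and artifact; a real worker loads its key from disk.
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	art := []byte("constructed build output")
	raw, sig, _ := SignManifest(priv, Manifest{"public/build.zip": digest(art)})
	pub := priv.Public().(ed25519.PublicKey)
	fmt.Println(VerifyArtifact(pub, raw, sig, "public/build.zip", art))
}
```

The check only means something if the public key reaches the consumer over a channel the worker cannot rewrite, which is why publishing it matters.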

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED