Closed Bug 1622435 Opened 5 years ago Closed 4 years ago

Support worker re-registration

Categories

(Taskcluster :: Services, enhancement)

Tracking

(Not tracked)

RESOLVED MOVED

People

(Reporter: dustin, Unassigned)

This will involve workers calling reregisterWorker within the configured reregistrationTimeout.

The tricky bit is figuring out how to authenticate that call. We'll do some talking about that before diving in.

I set a meeting for Monday to discuss this.

...and another on Thursday :)

My understanding of this is that the rough agreement in https://docs.google.com/document/d/1brc2qbBVkKyIglyLhg2UoSESd3WCqIA3P1NUMpSkbEs/edit still stands:

Bootstrap:

  • Authentication process doesn’t change (we have ideas for changes but they are out of scope) and is considered trusted
    • Result is TC credentials plus some secret information for reregistration
    • TC credentials & reregistration token have a TTL

Worker-runner guards this secret information closely: it is not shared with the worker, and is only written to disk in a secure fashion

Reregistration:

  • Authentication:
    • API auth: Taskcluster credentials must have proper scopes, etc.
    • Worker record must still exist on worker-manager & not be expired
    • Worker proves it has the secret from the bootstrap process without disclosing it
  • Result is new TC credentials and exchange of new secret information, with invalidation of the old secret information

Notes on the agreement:

  • The RFC#157 worker key is shared with the worker, violating the “guards .. closely” above, so let’s not use it for this purpose
  • The method of worker proving it has the secret is undetermined as yet
  • Issues with this:
    • Secret information is stored on disk alongside other worker secrets (for workers that must restart)
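
One possible shape for the reregistration exchange described in the comment above, as an added example; it is not code from the bug's participants or from Taskcluster. The bug leaves the proof method undetermined, so this assumes an HMAC-SHA256 challenge-response, and `WorkerManager`, `challenge`, `reregister` and `prove` are hypothetical names. API scope checks are left out, and the new secret is assumed to come back over the same TLS-protected channel used at bootstrap.

```python
import hashlib
import hmac
import secrets
import time


class WorkerManager:
    """Hypothetical server side; not Taskcluster's worker-manager API."""

    def __init__(self):
        self.workers = {}  # worker_id -> {"secret": bytes, "expires": float}
        self.nonces = {}   # worker_id -> outstanding one-time challenge

    def bootstrap(self, worker_id, ttl):
        # Trusted bootstrap: issue a reregistration secret with a TTL.
        secret = secrets.token_bytes(32)
        self.workers[worker_id] = {"secret": secret, "expires": time.time() + ttl}
        return secret

    def challenge(self, worker_id):
        # Fresh random nonce so a captured proof cannot be replayed later.
        self.nonces[worker_id] = secrets.token_bytes(16)
        return self.nonces[worker_id]

    def reregister(self, worker_id, proof, ttl):
        record = self.workers.get(worker_id)
        nonce = self.nonces.pop(worker_id, None)  # each challenge is single-use
        if record is None or nonce is None or record["expires"] < time.time():
            return None  # no worker record, no open challenge, or record expired
        expected = prove(record["secret"], worker_id, nonce)
        if not hmac.compare_digest(expected, proof):
            return None
        # Rotation: overwriting the record invalidates the old secret.
        return self.bootstrap(worker_id, ttl)


def prove(secret, worker_id, nonce):
    # Worker-runner side: an HMAC over the challenge shows possession of the
    # secret without sending the secret itself.
    msg = worker_id.encode() + b"\x00" + nonce
    return hmac.new(secret, msg, hashlib.sha256).digest()
```
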

This has been added to the Worker Lifecycle Management project.

This will require a DB schema change, which means we need to do bug 1630023 first.

Depends on: 1630023
Assignee: dustin → nobody
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → MOVED