Closed Bug 1805737 Opened 2 years ago Closed 2 years ago

GCP sccache for comm repositories not configured

Categories

(Release Engineering :: Firefox-CI Administration, defect)

Product:
Release Engineering
Component:
Firefox-CI Administration
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: rjl, Assigned: cvalaas)

References

Details

Attachments

(1 file)

Bug 1805737 - Add GCP sccache grants for comm (Thunderbird) builds. r=#releng-reviewers
48 bytes, text/x-phabricator-request
Details | Review

Sccache isn't working for Thunderbird builds since the migration to GCP. It looks like new buckets/service accounts need to be set up and then grants added. Something like comm-sccache-l1-us-central1@sccache-3.iam.gserviceaccount.com (etc) perhaps?

Research info:

Firefox builds have in their environment:
SCCACHE_GCS_CREDENTIALS_URL=http://taskcluster/auth/v1/gcp/credentials/sccache-3/sccache-l1-us-central1@sccache-3.iam.gserviceaccount.com

where "sccache-3" appears to be the singular "GCP project" and "sccache-l1-us-central1" is the bucket name, which I think maps to a service account within the sccache-3 project.

To get access to those credentials, comm projects need scopes like:

  • auth:gcp:access-token:sccache-3/sccache-l{1,2,3}*
    (via assume:project:taskcluster:{trust_domain}:level-{level}-sccache-buckets)

Which raises a question:
For the AWS S3 sccache buckets, comm builds were kept separate.
comm-central-level-${MOZ_SCM_LEVEL}-sccache-${region}
vs
taskcluster-level-${MOZ_SCM_LEVEL}-sccache-${region}

I believe the reason for the separation is just to avoid cross-contamination between Firefox and Thunderbird builds.

The way I am looking at this, buckets/service accounts need to be set up for comm repos. Rather than being named "sccache-l{1,2,3}-*",
perhaps "comm-sccache-l{1,2,3}-*"

Then mozconfig.cache in m-c will need adjusting, which I can do once this work is done.

Hey glob, is this something your team could help with?

Flags: needinfo?(glob)

Mike - any ideas who owns the sccache setup?

Flags: needinfo?(glob) → needinfo?(mh+mozilla)

Unfortunately, no.

Flags: needinfo?(mh+mozilla)

Jason - is this something you're familiar with?

Flags: needinfo?(jthomas)

Hello!
It appears no one "owns" this sccache-3 project, so I'll see if I can create the buckets/service accounts needed...

Okay, I've added comm-sccache-l{1,2,3}-* buckets and similarly named service accounts with matching permissions.

Assignee: nobody → cvalaas
Flags: needinfo?(jthomas)

I think I got the grants correct based on what I came up with above.

Pushed by gbustamante@mozilla.com: https://hg.mozilla.org/ci/ci-configuration/rev/28083e648dfd Add GCP sccache grants for comm (Thunderbird) builds. r=releng-reviewers,gabriel
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: