From ba8b37f3bcec6fcbffbc448f4e83ad85462f161c Mon Sep 17 00:00:00 2001 From: Simon Sapin Date: Thu, 11 Oct 2018 14:40:05 +0200 Subject: [PATCH 1/8] List packet.net servers through their API --- etc/taskcluster/packet.net/list_devices.py | 44 ++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100755 etc/taskcluster/packet.net/list_devices.py diff --git a/etc/taskcluster/packet.net/list_devices.py b/etc/taskcluster/packet.net/list_devices.py new file mode 100755 index 00000000000..533db67d63e --- /dev/null +++ b/etc/taskcluster/packet.net/list_devices.py @@ -0,0 +1,44 @@ +#!/usr/bin/python3 + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +import json +import os +import sys +import urllib.request + + +SERVO_PROJECT_ID = "e3d0d8be-9e4c-4d39-90af-38660eb70544" + + +def main(): + auth_token = os.environ.get("PACKET_AUTH_TOKEN") + if not auth_token: + sys.exit("$PACKET_AUTH_TOKEN is not set. See:\n" + "https://app.packet.net/projects/%s/settings/api-keys" % SERVO_PROJECT_ID) + response = api_request(auth_token, "/projects/%s/devices?per_page=1000" % SERVO_PROJECT_ID) + for device in response["devices"]: + print(device["id"]) + print(" Host:\t" + device["hostname"]) + print(" Plan:\t" + device["plan"]["name"]) + print(" OS:\t" + device["operating_system"]["name"]) + for address in device["ip_addresses"]: + if address["public"]: + print(" IPv%s:\t%s" % (address["address_family"], address["address"])) + assert response["meta"]["next"] is None + + +def api_request(auth_token, path, json_data=None, method=None): + request = urllib.request.Request("https://api.packet.net" + path, method=method) + request.add_header("X-Auth-Token", auth_token) + if json_data is not None: + request.add_header("Content-Type", "application/json") + request.data = json.dumps(json_data) + with urllib.request.urlopen(request) as response: + return json.load(response) + + +if __name__ == "__main__": + main(*sys.argv[1:]) From 6fa0c6bbf7f04e9217fb9d9cda3161987ae09070 Mon Sep 17 00:00:00 2001 From: Simon Sapin Date: Mon, 29 Oct 2018 23:59:51 +0100 Subject: [PATCH 2/8] Add Terraform config for docker-worker on Packet.net --- etc/taskcluster/packet.net/.gitignore | 2 + etc/taskcluster/packet.net/README.md | 45 +++++++++++++++++++ etc/taskcluster/packet.net/docker-worker.tf | 29 ++++++++++++ etc/taskcluster/packet.net/list_devices.py | 17 +++---- etc/taskcluster/packet.net/tc.py | 35 +++++++++++++++ .../packet.net/terraform_with_vars.py | 43 ++++++++++++++++++ 6 files changed, 163 insertions(+), 8 deletions(-) create mode 100644 etc/taskcluster/packet.net/.gitignore create mode 100644 etc/taskcluster/packet.net/README.md create mode 100644 etc/taskcluster/packet.net/docker-worker.tf create mode 100644 etc/taskcluster/packet.net/tc.py create mode 100755 etc/taskcluster/packet.net/terraform_with_vars.py diff --git a/etc/taskcluster/packet.net/.gitignore b/etc/taskcluster/packet.net/.gitignore new file mode 100644 index 00000000000..a82a34900dc --- /dev/null +++ b/etc/taskcluster/packet.net/.gitignore @@ -0,0 +1,2 @@ +.terraform* +terraform.tfstate* \ No newline at end of file diff --git a/etc/taskcluster/packet.net/README.md b/etc/taskcluster/packet.net/README.md new file mode 100644 index 00000000000..edbb5897833 --- /dev/null +++ b/etc/taskcluster/packet.net/README.md @@ -0,0 +1,45 @@ +# docker-worker on Packet.net + +This is the configuration for the `proj-servo/docker-worker-kvm` worker type. +It is similar to `aws-provisioner/docker-worker`, +except that it runs on a server from Packet.net. +This server is “real” non-virtualized hardware, +so that Intel VT-x instructions are available and we can run KVM. +KVM is required for the Android emulator’s CPU acceleration, +which in turn is required to run OpenGL ES 3 (not just 2) in the guest system. + +## Setup + +* [Install Terraform](https://www.terraform.io/downloads.html) +* [Install taskcluster-cli](https://github.com/taskcluster/taskcluster-cli/#installation) +* Run ``eval `taskcluster signin` `` (once per open terminal/shell) +* Run `./terraform_with_vars.py init` (once per checkout of the Servo repository) + +## List running servers + +* Run `./list_devices.py` + +## (Re)deploying a server + +* Run `./terraform_with_vars.py plan` +* If the plan looks good, run `./terraform_with_vars.py apply` +* Watch the new server being installed. Terraform should finish in 15~20 minutes. + +## Taskcluster secrets + +`terraform_with_vars.py` uses Taskcluster’s +[secrets service](https://tools.taskcluster.net/secrets/). +These secrets include an [authentication token]( +https://app.packet.net/projects/e3d0d8be-9e4c-4d39-90af-38660eb70544/settings/api-keys) +for Packet.net’s API. +You’ll need to authenticate with a Taskcluster client ID +that has scope `secrets:get:project/servo/*`. +This should be the case if you’re a Servo project administrator (the `project-admin:servo` role). + +## Worker’s client ID + +Workers are configured to authenticate with client ID +[project/servo/worker/docker-worker-kvm/1]( +https://tools.taskcluster.net/auth/clients/project%2Fservo%2Fworker%2Fdocker-worker-kvm%2F1). +This client has the scopes required to run docker-worker +as well as for tasks that we run on this worker type. \ No newline at end of file diff --git a/etc/taskcluster/packet.net/docker-worker.tf b/etc/taskcluster/packet.net/docker-worker.tf new file mode 100644 index 00000000000..f6ecc64783d --- /dev/null +++ b/etc/taskcluster/packet.net/docker-worker.tf @@ -0,0 +1,29 @@ +module "docker_worker_packet" { + source = "github.com/servo/taskcluster-infrastructure//modules/docker-worker?ref=424ea4ff13de34df70e5242706fe1e26864cc383" + + packet_project_id = "e3d0d8be-9e4c-4d39-90af-38660eb70544" + packet_instance_type = "t1.small.x86" + number_of_machines = "1" + concurrency = "1" + + provisioner_id = "proj-servo" + worker_type = "docker-worker-kvm" + worker_group_prefix = "servo-packet" + + taskcluster_client_id = "${var.taskcluster_client_id}" + taskcluster_access_token = "${var.taskcluster_access_token}" + ssl_certificate = "${var.ssl_certificate}" + cert_key = "${var.cert_key}" + ssh_pub_key = "${var.ssh_pub_key}" + ssh_priv_key = "${var.ssh_priv_key}" + private_key = " " + relengapi_token = " " + stateless_hostname = " " +} + +variable "taskcluster_client_id" {} +variable "taskcluster_access_token" {} +variable "ssl_certificate" {} +variable "cert_key" {} +variable "ssh_pub_key" {} +variable "ssh_priv_key" {} \ No newline at end of file diff --git a/etc/taskcluster/packet.net/list_devices.py b/etc/taskcluster/packet.net/list_devices.py index 533db67d63e..7562ab8a8bb 100755 --- a/etc/taskcluster/packet.net/list_devices.py +++ b/etc/taskcluster/packet.net/list_devices.py @@ -5,20 +5,21 @@ # file, You can obtain one at http://mozilla.org/MPL/2.0/. import json -import os import sys import urllib.request +import tc + SERVO_PROJECT_ID = "e3d0d8be-9e4c-4d39-90af-38660eb70544" +PACKET_AUTH_TOKEN = None def main(): - auth_token = os.environ.get("PACKET_AUTH_TOKEN") - if not auth_token: - sys.exit("$PACKET_AUTH_TOKEN is not set. See:\n" - "https://app.packet.net/projects/%s/settings/api-keys" % SERVO_PROJECT_ID) - response = api_request(auth_token, "/projects/%s/devices?per_page=1000" % SERVO_PROJECT_ID) + tc.check() + global PACKET_AUTH_TOKEN + PACKET_AUTH_TOKEN = tc.packet_auth_token() + response = api_request("/projects/%s/devices?per_page=1000" % SERVO_PROJECT_ID) for device in response["devices"]: print(device["id"]) print(" Host:\t" + device["hostname"]) @@ -30,9 +31,9 @@ def main(): assert response["meta"]["next"] is None -def api_request(auth_token, path, json_data=None, method=None): +def api_request(path, json_data=None, method=None): request = urllib.request.Request("https://api.packet.net" + path, method=method) - request.add_header("X-Auth-Token", auth_token) + request.add_header("X-Auth-Token", PACKET_AUTH_TOKEN) if json_data is not None: request.add_header("Content-Type", "application/json") request.data = json.dumps(json_data) diff --git a/etc/taskcluster/packet.net/tc.py b/etc/taskcluster/packet.net/tc.py new file mode 100644 index 00000000000..63b07186f97 --- /dev/null +++ b/etc/taskcluster/packet.net/tc.py @@ -0,0 +1,35 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +import os +import sys +import json +import subprocess + + +def check(): + try: + subprocess.check_output(["taskcluster", "version"]) + except FileNotFoundError: # noqa: F821 + sys.exit("taskcluster CLI tool not available. Install it from " + "https://github.com/taskcluster/taskcluster-cli#installation") + + if "TASKCLUSTER_CLIENT_ID" not in os.environ or "TASKCLUSTER_ACCESS_TOKEN" not in os.environ: + sys.exit("Taskcluster API credentials not available. Run this command and try again:\n\n" + "eval `taskcluster signin`\n") + + +def packet_auth_token(): + return secret("project/servo/packet.net-api-key")["key"] + + +def secret(name): + return api("secrets", "get", name)["secret"] + + +def api(*args): + args = ["taskcluster", "api"] + list(args) + output = subprocess.check_output(args) + if output: + return json.loads(output) diff --git a/etc/taskcluster/packet.net/terraform_with_vars.py b/etc/taskcluster/packet.net/terraform_with_vars.py new file mode 100755 index 00000000000..074f5c5aa00 --- /dev/null +++ b/etc/taskcluster/packet.net/terraform_with_vars.py @@ -0,0 +1,43 @@ +#!/usr/bin/python3 + +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +import os +import sys +import base64 +import subprocess + +import tc + + +def main(*args): + tc.check() + ssh_key = tc.secret("project/servo/ssh-keys/docker-worker-kvm") + tc_creds = tc.secret("project/servo/tc-client/worker/docker-worker-kvm/1") + win2016 = tc.api("awsProvisioner", "workerType", "servo-win2016") + files_by_desc = {f.get("description"): f for f in win2016["secrets"]["files"]} + + def decode(description): + f = files_by_desc[description] + assert f["encoding"] == "base64" + return base64.b64decode(f["content"]) + + terraform_vars = dict( + ssh_pub_key=ssh_key["public"], + ssh_priv_key=ssh_key["private"], + taskcluster_client_id=tc_creds["client_id"], + taskcluster_access_token=tc_creds["access_token"], + packet_api_key=tc.packet_auth_token(), + ssl_certificate=decode("SSL certificate for livelog"), + cert_key=decode("SSL key for livelog"), + ) + env = dict(os.environ) + env["PACKET_AUTH_TOKEN"] = terraform_vars["packet_api_key"] + env.update({"TF_VAR_" + k: v for k, v in terraform_vars.items()}) + sys.exit(subprocess.call(["terraform"] + list(args), env=env)) + + +if __name__ == "__main__": + main(*sys.argv[1:]) From 556435ae010b4a7583a9351ff2707f8de11362ce Mon Sep 17 00:00:00 2001 From: Simon Sapin Date: Tue, 9 Oct 2018 17:47:27 +0200 Subject: [PATCH 3/8] Taskcluster: add Android x86 build --- etc/taskcluster/decision_task.py | 35 ++++++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 8 deletions(-) diff --git a/etc/taskcluster/decision_task.py b/etc/taskcluster/decision_task.py index dcbb0aecda1..833ce60ae82 100644 --- a/etc/taskcluster/decision_task.py +++ b/etc/taskcluster/decision_task.py @@ -13,6 +13,7 @@ def main(task_for, mock=False): if CONFIG.git_ref in ["refs/heads/auto", "refs/heads/try", "refs/heads/try-taskcluster"]: linux_tidy_unit() android_arm32() + android_x86() windows_dev() if mock: windows_release() @@ -82,14 +83,8 @@ def with_rust_nightly(): def android_arm32(): return ( - linux_build_task("Android ARMv7: build") - # file: NDK parses $(file $SHELL) to tell x64 host from x86 - # wget: servo-media-gstreamer’s build script - .with_script(""" - apt-get install -y --no-install-recommends openjdk-8-jdk-headless file wget - ./mach bootstrap-android --accept-all-licences --build - ./mach build --android --release - """) + android_build_task("Android ARMv7: release build") + .with_script("./mach build --android --release") .with_artifacts( "/repo/target/armv7-linux-androideabi/release/servoapp.apk", "/repo/target/armv7-linux-androideabi/release/servoview.aar", @@ -98,6 +93,18 @@ def android_arm32(): ) +def android_x86(): + return ( + android_build_task("Android x86: release build") + .with_script("./mach build --target i686-linux-android --release") + .with_artifacts( + "/repo/target/i686-linux-android/release/servoapp.apk", + "/repo/target/i686-linux-android/release/servoview.aar", + ) + .find_or_create("build.android_x86_release." + CONFIG.git_sha) + ) + + def windows_dev(): return ( windows_build_task("Windows x64: dev build + unit tests") @@ -266,6 +273,18 @@ def linux_build_task(name): ) +def android_build_task(name): + return ( + linux_build_task(name) + # file: NDK parses $(file $SHELL) to tell x64 host from x86 + # wget: servo-media-gstreamer’s build script + .with_script(""" + apt-get install -y --no-install-recommends openjdk-8-jdk-headless file wget + ./mach bootstrap-android --accept-all-licences --build + """) + ) + + def windows_build_task(name): return ( windows_task(name) From f357c6fe933aa6791f0e22fea0c52758662be941 Mon Sep 17 00:00:00 2001 From: Simon Sapin Date: Wed, 10 Oct 2018 20:53:17 +0200 Subject: [PATCH 4/8] Taskcluster: test in Android emulator --- .taskcluster.yml | 2 ++ etc/taskcluster/decision_task.py | 27 ++++++++++++++++++- etc/taskcluster/decisionlib.py | 3 +++ .../docker/run-android-emulator.dockerfile | 11 ++++++++ 4 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 etc/taskcluster/docker/run-android-emulator.dockerfile diff --git a/.taskcluster.yml b/.taskcluster.yml index 2dbaed6cd2b..0dc9af93381 100644 --- a/.taskcluster.yml +++ b/.taskcluster.yml @@ -27,8 +27,10 @@ tasks: # Granted to role "repo:github.com/servo/servo:branch:*" - "queue:create-task:highest:aws-provisioner-v1/servo-*" + - "queue:create-task:highest:proj-servo/*" - "queue:route:index.project.servo.servo.*" - "docker-worker:cache:servo-*" + - "docker-worker:capability:privileged" payload: maxRunTime: {$eval: '20 * 60'} diff --git a/etc/taskcluster/decision_task.py b/etc/taskcluster/decision_task.py index 833ce60ae82..938c805ba26 100644 --- a/etc/taskcluster/decision_task.py +++ b/etc/taskcluster/decision_task.py @@ -94,7 +94,7 @@ def android_arm32(): def android_x86(): - return ( + build_task = ( android_build_task("Android x86: release build") .with_script("./mach build --target i686-linux-android --release") .with_artifacts( @@ -103,6 +103,30 @@ def android_x86(): ) .find_or_create("build.android_x86_release." + CONFIG.git_sha) ) + return ( + DockerWorkerTask("Android x86: tests in emulator") + .with_provisioner_id("proj-servo") + .with_worker_type("docker-worker-kvm") + .with_capabilities(privileged=True) + .with_scopes("project:servo:docker-worker-kvm:capability:privileged") + .with_dockerfile(dockerfile_path("run-android-emulator")) + .with_dependencies(build_task) + .with_env(BUILD_TASK_ID=build_task) + .with_repo() + .with_script(""" + mkdir -p target/i686-linux-android/release/ + ./etc/taskcluster/curl-artifact.sh ${BUILD_TASK_ID} servoapp.apk \ + -o target/i686-linux-android/release/servoapp.apk + + ./mach bootstrap-android --accept-all-licences --emulator-x86 + ./mach test-android-startup --release + ./mach test-wpt-android --release \ + /_mozilla/mozilla/DOMParser.html \ + /_mozilla/mozilla/webgl/context_creation_error.html + """) + .create() + ) + def windows_dev(): @@ -199,6 +223,7 @@ def linux_run_task(name, build_task, script): return ( linux_task(name) .with_dockerfile(dockerfile_path("run")) + .with_repo() .with_early_script(""" ./etc/taskcluster/curl-artifact.sh ${BUILD_TASK_ID} target.tar.gz | tar -xz """) diff --git a/etc/taskcluster/decisionlib.py b/etc/taskcluster/decisionlib.py index 34902dc9bfc..21ba9074cdd 100644 --- a/etc/taskcluster/decisionlib.py +++ b/etc/taskcluster/decisionlib.py @@ -512,6 +512,7 @@ class DockerWorkerTask(Task): self.env = {} self.caches = {} self.features = {} + self.capabilities = {} self.artifacts = [] with_docker_image = chaining(setattr, "docker_image") @@ -521,6 +522,7 @@ class DockerWorkerTask(Task): with_early_script = chaining(prepend_to_attr, "scripts") with_caches = chaining(update_attr, "caches") with_env = chaining(update_attr, "env") + with_capabilities = chaining(update_attr, "capabilities") def build_worker_payload(self): """ @@ -541,6 +543,7 @@ class DockerWorkerTask(Task): env=self.env, cache=self.caches, features=self.features, + capabilities=self.capabilities, artifacts={ "public/" + url_basename(path): { "type": "file", diff --git a/etc/taskcluster/docker/run-android-emulator.dockerfile b/etc/taskcluster/docker/run-android-emulator.dockerfile new file mode 100644 index 00000000000..92eb116ef6b --- /dev/null +++ b/etc/taskcluster/docker/run-android-emulator.dockerfile @@ -0,0 +1,11 @@ +% include base.dockerfile + +RUN \ + apt-get install -qy --no-install-recommends \ + # + # Multiple Android-related tools are in Java + openjdk-8-jdk-headless \ + # + # Emulator dependencies + libgl1 \ + libpulse0 From a5cce280f1e295805281c50029dd726f871ce0f4 Mon Sep 17 00:00:00 2001 From: Simon Sapin Date: Thu, 11 Oct 2018 17:28:00 +0200 Subject: [PATCH 5/8] =?UTF-8?q?Taskcluster:=20move=20curl=E2=80=99ing=20ar?= =?UTF-8?q?tifacts=20into=20decisionlib?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- etc/taskcluster/curl-artifact.sh | 23 ----------------------- etc/taskcluster/decision_task.py | 15 +++------------ etc/taskcluster/decisionlib.py | 23 +++++++++++++++++++++++ 3 files changed, 26 insertions(+), 35 deletions(-) delete mode 100755 etc/taskcluster/curl-artifact.sh diff --git a/etc/taskcluster/curl-artifact.sh b/etc/taskcluster/curl-artifact.sh deleted file mode 100755 index 3093eca4a87..00000000000 --- a/etc/taskcluster/curl-artifact.sh +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bash - -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -set -o errexit -set -o nounset -set -o pipefail - -task_id="${1}" -artifact="${2}" -shift 2 -queue="https://queue.taskcluster.net/v1" -url="${queue}/task/${task_id}/artifacts/public/${artifact}" -echo "Fetching ${url}" >&2 -curl \ - --retry 5 \ - --connect-timeout 10 \ - --location \ - --fail \ - "${url}" \ - "${@}" diff --git a/etc/taskcluster/decision_task.py b/etc/taskcluster/decision_task.py index 938c805ba26..58b1352f284 100644 --- a/etc/taskcluster/decision_task.py +++ b/etc/taskcluster/decision_task.py @@ -110,14 +110,9 @@ def android_x86(): .with_capabilities(privileged=True) .with_scopes("project:servo:docker-worker-kvm:capability:privileged") .with_dockerfile(dockerfile_path("run-android-emulator")) - .with_dependencies(build_task) - .with_env(BUILD_TASK_ID=build_task) .with_repo() + .with_curl_artifact_script(build_task, "servoapp.apk", "target/i686-linux-android/release") .with_script(""" - mkdir -p target/i686-linux-android/release/ - ./etc/taskcluster/curl-artifact.sh ${BUILD_TASK_ID} servoapp.apk \ - -o target/i686-linux-android/release/servoapp.apk - ./mach bootstrap-android --accept-all-licences --emulator-x86 ./mach test-android-startup --release ./mach test-wpt-android --release \ @@ -128,7 +123,6 @@ def android_x86(): ) - def windows_dev(): return ( windows_build_task("Windows x64: dev build + unit tests") @@ -224,11 +218,8 @@ def linux_run_task(name, build_task, script): linux_task(name) .with_dockerfile(dockerfile_path("run")) .with_repo() - .with_early_script(""" - ./etc/taskcluster/curl-artifact.sh ${BUILD_TASK_ID} target.tar.gz | tar -xz - """) - .with_env(BUILD_TASK_ID=build_task) - .with_dependencies(build_task) + .with_curl_artifact_script(build_task, "target.tar.gz") + .with_script("tar -xzf target.tar.gz") .with_script(script) .with_index_and_artifacts_expire_in(log_artifacts_expire_in) .with_artifacts(*[ diff --git a/etc/taskcluster/decisionlib.py b/etc/taskcluster/decisionlib.py index 21ba9074cdd..fb48ac3f018 100644 --- a/etc/taskcluster/decisionlib.py +++ b/etc/taskcluster/decisionlib.py @@ -514,6 +514,7 @@ class DockerWorkerTask(Task): self.features = {} self.capabilities = {} self.artifacts = [] + self.curl_scripts_count = 0 with_docker_image = chaining(setattr, "docker_image") with_max_run_time_minutes = chaining(setattr, "max_run_time_minutes") @@ -563,6 +564,28 @@ class DockerWorkerTask(Task): self.features.update({name: True for name in names}) return self + def with_curl_script(self, url, file_path): + self.curl_scripts_count += 1 + n = self.curl_scripts_count + return self \ + .with_env(**{ + "CURL_%s_URL" % n: url, + "CURL_%s_PATH" % n: file_path, + }) \ + .with_script(""" + mkdir -p $(dirname "$CURL_{n}_PATH") + curl --retry 5 --connect-timeout 10 -Lf "$CURL_{n}_URL" -o "$CURL_{n}_PATH" + """.format(n=n)) + + def with_curl_artifact_script(self, task_id, artifact_name, out_directory=""): + return self \ + .with_dependencies(task_id) \ + .with_curl_script( + "https://queue.taskcluster.net/v1/task/%s/artifacts/public/%s" + % (task_id, artifact_name), + os.path.join(out_directory, url_basename(artifact_name)), + ) + def with_repo(self): """ Make a shallow clone the git repository at the start of the task. From 46f9312d0cd7db4f7705e2552ed74186d7ee027e Mon Sep 17 00:00:00 2001 From: Simon Sapin Date: Tue, 30 Oct 2018 10:10:29 +0100 Subject: [PATCH 6/8] Taskcluster: use a dedicated role for scopes granted to decision tasks --- .taskcluster.yml | 8 +------- etc/taskcluster/README.md | 12 ++++++++++++ 2 files changed, 13 insertions(+), 7 deletions(-) diff --git a/.taskcluster.yml b/.taskcluster.yml index 0dc9af93381..7087419c473 100644 --- a/.taskcluster.yml +++ b/.taskcluster.yml @@ -23,14 +23,8 @@ tasks: owner: &task_owner ${event.pusher.name}@users.noreply.github.com source: &task_source ${event.compare} scopes: - - "queue:scheduler-id:taskcluster-github" - # Granted to role "repo:github.com/servo/servo:branch:*" - - "queue:create-task:highest:aws-provisioner-v1/servo-*" - - "queue:create-task:highest:proj-servo/*" - - "queue:route:index.project.servo.servo.*" - - "docker-worker:cache:servo-*" - - "docker-worker:capability:privileged" + - "assume:project:servo:decision-task/trusted" payload: maxRunTime: {$eval: '20 * 60'} diff --git a/etc/taskcluster/README.md b/etc/taskcluster/README.md index e89b10a4cd1..3c8bb4bfe81 100644 --- a/etc/taskcluster/README.md +++ b/etc/taskcluster/README.md @@ -149,12 +149,24 @@ Servo admins have scope `auth:update-role:repo:github.com/servo/*` which allows to edit that role in the web UI and grant more scopes to these tasks (if that person has the new scope themselves). +The [`project:servo:decision-task/base`][base] +and [`project:servo:decision-task/trusted`][trusted] roles +centralize the set of scopes granted to the decision task. +This avoids maintaining them seprately in the `repo:…` roles, +in the `hook-id:…` role, +and in the `taskcluster.yml` file. +Only the `base` role is granted to tasks executed when a pull request is opened. +These tasks are less trusted because they run before the code has been reviewed, +and anyone can open a PR. + [Scopes]: https://docs.taskcluster.net/docs/manual/design/apis/hawk/scopes [web UI]: https://tools.taskcluster.net/ [credentials]: https://tools.taskcluster.net/credentials [Roles]: https://docs.taskcluster.net/docs/manual/design/apis/hawk/roles [expand]: https://docs.taskcluster.net/docs/reference/platform/taskcluster-auth/docs/roles [branches]: https://tools.taskcluster.net/auth/roles/repo%3Agithub.com%2Fservo%2Fservo%3Abranch%3A* +[base]: https://tools.taskcluster.net/auth/roles/project%3Aservo%3Adecision-task%2Fbase +[trusted]: https://tools.taskcluster.net/auth/roles/project%3Aservo%3Adecision-task%2Ftrusted ## Daily tasks From d1a18dc05251827d75690053be1de4e6f124d8d8 Mon Sep 17 00:00:00 2001 From: Simon Sapin Date: Tue, 30 Oct 2018 13:30:21 +0100 Subject: [PATCH 7/8] Also show created/updated dates in Packet.net server list --- etc/taskcluster/packet.net/list_devices.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/etc/taskcluster/packet.net/list_devices.py b/etc/taskcluster/packet.net/list_devices.py index 7562ab8a8bb..3b9df48e532 100755 --- a/etc/taskcluster/packet.net/list_devices.py +++ b/etc/taskcluster/packet.net/list_devices.py @@ -22,12 +22,14 @@ def main(): response = api_request("/projects/%s/devices?per_page=1000" % SERVO_PROJECT_ID) for device in response["devices"]: print(device["id"]) - print(" Host:\t" + device["hostname"]) - print(" Plan:\t" + device["plan"]["name"]) - print(" OS:\t" + device["operating_system"]["name"]) + print(" Hostname:\t" + device["hostname"]) + print(" Plan:\t" + device["plan"]["name"]) + print(" OS: \t" + device["operating_system"]["name"]) for address in device["ip_addresses"]: if address["public"]: - print(" IPv%s:\t%s" % (address["address_family"], address["address"])) + print(" IPv%s:\t%s" % (address["address_family"], address["address"])) + print(" Created:\t" + device["created_at"].replace("T", " ")) + print(" Updated:\t" + device["updated_at"].replace("T", " ")) assert response["meta"]["next"] is None From b1da53e47fc6ff7f0519d99e3e7b06a34663072b Mon Sep 17 00:00:00 2001 From: Simon Sapin Date: Wed, 31 Oct 2018 23:55:21 +0100 Subject: [PATCH 8/8] Use `apt-get update` before `apt-get install` --- etc/taskcluster/decision_task.py | 1 + 1 file changed, 1 insertion(+) diff --git a/etc/taskcluster/decision_task.py b/etc/taskcluster/decision_task.py index 58b1352f284..b72eb64488b 100644 --- a/etc/taskcluster/decision_task.py +++ b/etc/taskcluster/decision_task.py @@ -295,6 +295,7 @@ def android_build_task(name): # file: NDK parses $(file $SHELL) to tell x64 host from x86 # wget: servo-media-gstreamer’s build script .with_script(""" + apt-get update -q apt-get install -y --no-install-recommends openjdk-8-jdk-headless file wget ./mach bootstrap-android --accept-all-licences --build """)