Bug 1314517 - Refactor balrogworker deployment to be more like beetmover. r=jlund
MozReview-Commit-ID: 8HnR4KfsrAs
--- a/manifests/moco-config.pp
+++ b/manifests/moco-config.pp
@@ -415,35 +415,36 @@ class config inherits config::base {
$signing_scriptworker_artifact_expiration_hours = 336
$signing_scriptworker_artifact_upload_timeout = 600
$signing_scriptworker_verbose_logging = true
$signing_scriptworker_gpg_private_keys = hiera_hash('signing_scriptworker_gpg_private_keys')
$signing_scriptworker_gpg_public_keys = hiera_hash('signing_scriptworker_gpg_public_keys')
$signing_scriptworker_gpg_repo_url = "https://github.com/mozilla-releng/cot-gpg-keys.git"
# TC balrog scriptworkers
- $balrog_scriptworker_provisioner_id = "scriptworker-prov-v1"
- $balrog_scriptworker_worker_group = "balrogworker-v1"
- $balrog_scriptworker_worker_type = "balrogworker-v1"
- $balrog_scriptworker_taskcluster_client_id = secret("balrog_scriptworker_taskcluster_client_id")
- $balrog_scriptworker_taskcluster_access_token = secret("balrog_scriptworker_taskcluster_access_token")
$balrog_scriptworker_task_max_timeout = 1200
$balrog_scriptworker_artifact_expiration_hours = 336
$balrog_scriptworker_artifact_upload_timeout = 600
$balrog_scriptworker_verbose_logging = false
- $balrog_scriptworker_base = "/builds/balrog"
- $balrog_scriptworker_root = "/builds/balrog/scriptworker"
- $balrog_scriptworker_py27venv = "/builds/balrog/py27venv"
- $balrog_scriptworker_py35venv = "/builds/balrog/py35venv"
- $balrog_scriptworker_hg_tools_path = '/builds/balrog/balrogscript/tools'
+ $balrog_scriptworker_root = "/builds/balrogworker"
+ $balrog_scriptworker_git_balrogscript_repo = 'https://github.com/mozilla-releng/balrogscript.git'
$balrog_scriptworker_hg_tools_repo = 'https://hg.mozilla.org/build/tools'
$balrog_scriptworker_hg_tools_branch = 'default'
- $balrog_scriptworker_git_balrogscript_path = '/builds/balrog/balrogscript'
- $balrog_scriptworker_git_balrogscript_keys = '/builds/balrog/balrogscript/keys'
- $balrog_scriptworker_git_balrogscript_repo = 'https://github.com/mozilla-releng/funsize-balrogworker.git'
+ $balrog_scriptworker_env_config = {
+ "dev" => {
+ provisioner_id => "scriptworker-prov-v1",
+ worker_group => "balrogworker-v1",
+ worker_type => "balrogworker-v1",
+ taskcluster_client_id => secret("balrogworker_dev_taskcluster_client_id"),
+ taskcluster_access_token => secret("balrogworker_dev_taskcluster_access_token"),
+ balrog_username => "stage-ffxbld",
+ balrog_password => secret("stage-ffxbld_ldap_password"),
+ balrog_api_root => "https://balrog-admin.stage.mozaws.net/api",
+ }
+ }
# TC beetmover scriptworkers
$beetmover_scriptworker_task_max_timeout = 2400
$beetmover_scriptworker_artifact_expiration_hours = 336
$beetmover_scriptworker_artifact_upload_timeout = 600
$beetmover_scriptworker_verbose_logging = false
$beetmover_scriptworker_root = "/builds/beetmoverworker"
$beetmover_scriptworker_env_config = {
--- a/manifests/moco-nodes.pp
+++ b/manifests/moco-nodes.pp
@@ -1160,16 +1160,17 @@ node /signing-linux-.*\.srv\.releng\..*\
$aspects = [ 'maximum-security' ]
$timezone = "UTC"
include toplevel::server::signingscriptworker
}
# Balrog scriptworkers
node /balrogworker-.*\.srv\.releng\..*\.mozilla\.com/ {
$aspects = [ 'maximum-security' ]
+ $balrogworker_env = "dev"
$timezone = "UTC"
include toplevel::server::balrogscriptworker
}
# Beetmover scriptworkers
node /beetmoverworker-.*\.srv\.releng\..*\.mozilla\.com/ {
$aspects = [ 'maximum-security' ]
$beetmoverworker_env = "dev"
--- a/modules/balrog_scriptworker/manifests/init.pp
+++ b/modules/balrog_scriptworker/manifests/init.pp
@@ -8,27 +8,20 @@ class balrog_scriptworker {
include packages::mozilla::git
include packages::mozilla::py27_mercurial
include users::builder
include tweaks::swap_on_instance_storage
include packages::gcc
include packages::make
include packages::libffi
- file {
- ["${balrog_scriptworker::settings::base}",
- "${balrog_scriptworker::settings::root}"]:
- mode => 700,
- owner => "${users::builder::username}",
- group => "${users::builder::group}",
- ensure => 'directory';
- }
+ $env_config = $config::balrog_scriptworker_env_config[$balrogworker_env]
python35::virtualenv {
- "${balrog_scriptworker::settings::py35venv}":
+ "${balrog_scriptworker::settings::root}":
python3 => "${packages::mozilla::python35::python3}",
require => Class["packages::mozilla::python35"],
user => "${users::builder::username}",
group => "${users::builder::group}",
mode => 700,
packages => [
"aiohttp==0.22.5",
"arrow==0.8.0",
@@ -43,27 +36,27 @@ class balrog_scriptworker {
"pefile==2016.7.26",
"pexpect==4.2.1",
"ptyprocess==0.5.1",
"pycrypto==2.6.1",
"python-dateutil==2.5.3",
"python-gnupg==0.3.8",
"python-jose==1.2.0",
"requests==2.11.1",
- "scriptworker==0.6.0",
+ "scriptworker==0.7.2",
"signtool==2.0.3",
"six==1.10.0",
"slugid==1.0.7",
"taskcluster==0.3.4",
"virtualenv==15.0.3",
];
}
python::virtualenv {
- "${balrog_scriptworker::settings::py27venv}":
+ "${balrog_scriptworker::settings::root}/py27venv":
python => "${packages::mozilla::python27::python}",
require => Class["packages::mozilla::python27"],
user => "${users::builder::username}",
group => "${users::builder::group}",
packages => [
"balrogclient==0.0.1",
"boto==2.41.0",
"cryptography==1.2.3",
@@ -73,55 +66,59 @@ class balrog_scriptworker {
"mar==1.2",
"pyasn1==0.1.9",
"requests==2.8.1",
"six==1.10.0",
];
}
git::repo {
- "balrogscript-clone":
+ "balrogscript":
repo => "${balrog_scriptworker::settings::balrogscript_repo}",
- dst_dir => "${balrog_scriptworker::settings::balrogscript_path}",
+ dst_dir => "${balrog_scriptworker::settings::root}/balrogscript",
user => "${users::builder::username}",
require => [
Class["packages::mozilla::git"],
+ Python35::Virtualenv["${balrog_scriptworker::settings::root}"],
];
}
mercurial::repo {
- "tools-clone":
+ "tools":
hg_repo => "${balrog_scriptworker::settings::tools_repo}",
- dst_dir => "${balrog_scriptworker::settings::tools_path}",
+ dst_dir => "${balrog_scriptworker::settings::root}/balrogscript/tools",
user => "${users::builder::username}",
branch => "${balrog_scriptworker::settings::tools_branch}",
require => [
Class["packages::mozilla::py27_mercurial"],
+ Python35::Virtualenv["${balrog_scriptworker::settings::root}"],
+ Git::Repo["balrogscript"],
];
}
file {
"${balrog_scriptworker::settings::root}/config.json":
- require => Python35::Virtualenv["${balrog_scriptworker::settings::py35venv}"],
+ require => Python35::Virtualenv["${balrog_scriptworker::settings::root}"],
mode => 600,
owner => "${users::builder::username}",
group => "${users::builder::group}",
content => template("${module_name}/config.json.erb"),
show_diff => false;
+ # requirement as part of scriptworker pentest bug 1298199#c23
'/root/certs.sh':
ensure => absent;
- "${balrog_scriptworker::settings::balrogscript_keys}/dep.pubkey":
+ "${balrog_scriptworker::settings::root}/balrogscript/keys/dep.pubkey":
source => "puppet:///modules/balrog_scriptworker/dep.pubkey",
- require => Git::Repo["balrogscript-clone"],
+ require => Git::Repo["balrogscript"],
owner => "${users::builder::username}",
group => "${users::builder::group}";
- "${balrog_scriptworker::settings::balrogscript_keys}/nightly.pubkey":
+ "${balrog_scriptworker::settings::root}/balrogscript/keys/nightly.pubkey":
source => "puppet:///modules/balrog_scriptworker/nightly.pubkey",
- require => Git::Repo["balrogscript-clone"],
+ require => Git::Repo["balrogscript"],
owner => "${users::builder::username}",
group => "${users::builder::group}";
- "${balrog_scriptworker::settings::balrogscript_keys}/release.pubkey":
+ "${balrog_scriptworker::settings::root}/balrogscript/keys/release.pubkey":
source => "puppet:///modules/balrog_scriptworker/release.pubkey",
- require => Git::Repo["balrogscript-clone"],
+ require => Git::Repo["balrogscript"],
owner => "${users::builder::username}",
group => "${users::builder::group}";
}
}
--- a/modules/balrog_scriptworker/manifests/services.pp
+++ b/modules/balrog_scriptworker/manifests/services.pp
@@ -1,20 +1,20 @@
class balrog_scriptworker::services {
include ::config
include balrog_scriptworker::settings
include packages::mozilla::supervisor
supervisord::supervise {
"balrog_scriptworker":
- command => "${balrog_scriptworker::settings::py35venv}/bin/scriptworker ${balrog_scriptworker::settings::root}/config.json",
+ command => "${balrog_scriptworker::settings::root}/bin/scriptworker ${balrog_scriptworker::settings::root}/config.json",
user => $::config::builder_username,
require => [ File["${balrog_scriptworker::settings::root}/config.json"]],
extra_config => template("${module_name}/supervisor_config.erb");
}
exec {
- "restart-scriptworker":
+ "restart-balrogworker":
command => "/usr/bin/supervisorctl restart balrog_scriptworker",
refreshonly => true,
- subscribe => [Python35::Virtualenv["${balrog_scriptworker::settings::py35venv}"],
+ subscribe => [Python35::Virtualenv["${balrog_scriptworker::settings::root}"],
File["${balrog_scriptworker::settings::root}/config.json"]];
}
}
--- a/modules/balrog_scriptworker/manifests/settings.pp
+++ b/modules/balrog_scriptworker/manifests/settings.pp
@@ -1,14 +1,8 @@
class balrog_scriptworker::settings {
include ::config
- $base = $config::balrog_scriptworker_base
$root = $config::balrog_scriptworker_root
- $py27venv = $config::balrog_scriptworker_py27venv
- $py35venv = $config::balrog_scriptworker_py35venv
- $tools_path = $config::balrog_scriptworker_hg_tools_path
+ $balrogscript_repo = $config::balrog_scriptworker_git_balrogscript_repo
$tools_repo = $config::balrog_scriptworker_hg_tools_repo
$tools_branch = $config::balrog_scriptworker_hg_tools_branch
- $balrogscript_path = $config::balrog_scriptworker_git_balrogscript_path
- $balrogscript_keys = $config::balrog_scriptworker_git_balrogscript_keys
- $balrogscript_repo = $config::balrog_scriptworker_git_balrogscript_repo
}
--- a/modules/balrog_scriptworker/templates/config.json.erb
+++ b/modules/balrog_scriptworker/templates/config.json.erb
@@ -1,30 +1,34 @@
{
- "provisioner_id": "<%= scope.lookupvar("config::balrog_scriptworker_provisioner_id") %>",
- "worker_group": "<%= scope.lookupvar("config::balrog_scriptworker_worker_group") %>",
- "worker_type": "<%= scope.lookupvar("config::balrog_scriptworker_worker_type") %>",
+ "provisioner_id": "<%= @env_config["provisioner_id"] %>",
+ "worker_group": "<%= @env_config["worker_group"] %>",
+ "worker_type": "<%= @env_config["worker_type"] %>",
"worker_id": "<%= @hostname %>",
"work_dir": "<%= scope.lookupvar("config::balrog_scriptworker_root") %>/work",
"log_dir": "<%= scope.lookupvar("config::balrog_scriptworker_root") %>/logs",
"artifact_dir": "<%= scope.lookupvar("config::balrog_scriptworker_root") %>/artifacts",
"task_log_dir": "<%= scope.lookupvar("config::balrog_scriptworker_root") %>/artifacts/public/logs",
"valid_artifact_path_regexes": ["^/v1/task/(?P<taskId>[^/]+)(/runs/\\d+)?/artifacts/(?P<filepath>.*)$"],
"verify_chain_of_trust": false,
"sign_chain_of_trust": false,
"credentials": {
- "clientId": "<%= scope.function_secret(["balrog_scriptworker_taskcluster_client_id"]) %>",
- "accessToken": "<%= scope.function_secret(["balrog_scriptworker_taskcluster_access_token"]) %>"
+ "clientId": "<%= @env_config["taskcluster_client_id"] %>",
+ "accessToken": "<%= @env_config["taskcluster_access_token"] %>"
},
"artifact_expiration_hours": <%= scope.lookupvar("config::balrog_scriptworker_artifact_expiration_hours") %>,
"artifact_upload_timeout": <%= scope.lookupvar("config::balrog_scriptworker_artifact_upload_timeout") %>,
- "task_script": ["<%= scope.lookupvar("config::balrog_scriptworker_py27venv") %>/bin/python",
- "<%= scope.lookupvar("config::balrog_scriptworker_git_balrogscript_path") %>/bin/balrogworker.py",
+ "task_script": ["<%= scope.lookupvar("config::balrog_scriptworker_root") %>/py27venv/bin/python",
+ "<%= scope.lookupvar("config::balrog_scriptworker_root") %>/balrogscript/bin/balrogworker.py",
"--taskdef", "<%= scope.lookupvar("config::balrog_scriptworker_root") %>/work/task.json",
+ "--balrog-api-root", "<%= @env_config["balrog_api_root"] %>",
+ "--balrog-username", "<%= @env_config["balrog_username"] %>",
+ "--balrog-password", "<%= @env_config["balrog_password"] %>",
+ "--disable-s3",
"--verbose"],
"task_max_timeout": <%= scope.lookupvar("config::balrog_scriptworker_task_max_timeout") %>,
"verbose": <%= scope.lookupvar("config::balrog_scriptworker_verbose_logging") %>
}