View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0005075||Taler||deployment and operations||public||2017-06-10 10:50||2017-12-08 12:31|
|Reporter||Marcello Stanisci||Assigned To||Marcello Stanisci|
|Priority||normal||Severity||minor||Reproducibility||have not tried|
|Product Version||git (master)|
|Summary||0005075: Buildbot various issues|
|Description||From Florian's e-mail:
* We openly expose the buildbot master port to the world! So anybody on
the internet can connect to our BB master and pretend to be a worker.
* That's especially bad since we just use passwords for worker
authentication and have them in the deployment.git. BB supports other
authentication mechanisms such as ssh keys, which we should use!
* The build steps are not named nicely, but build_1, build_2, build_3
etc., which leads to a not-so-nice web interface and failure notifications.
* Git should not be polled, but we should use hooks to notify BB of new
* Change sources don't provide projects, which means that currently
whenever ANY repo has a change, anything will be rebuilt! I.e. pushing
to the wallet would rebuild the exchange documentation.
* Eventually we want authentication for the web interface for the parts
that influence the BB's execution. Right now, everybody on the internet
can force rebuilds! Web authentication sucks unfortunately (and Mozilla
Persona got abandoned), the "state of the art" here is OpenID Connect,
which requires you to register with each provider individually or run
your own provider, neither of which is great. However until we have
more "project-internal" services that require authentication, we
probably shouldn't worry about this too much yet.
|Tags||No tags attached.|
From a first googling session, it looks like SSH is only available for this so-called "try scheduler", and not for worker authentication.
("try scheduler" is something that lets developers test their changes *before* committing, and its client side runs on the developer's machine, IIUIC)
Please provide links if you find something about worker authentication via SSH.
Looks like I was mistaken, for normal workers there is only password authentication. I've seen some projects simply store the passwords for workers in a file not committed to git but accessible on the file system by all worker user accounts.
It's not urgent to implement this though. I'd suggest that for now we simply bind the buildbot port to localhost. This is described here: http://docs.buildbot.net/latest/manual/cfg-global.html#setting-the-pb-port-for-workers
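An added example, not part of the original thread or of the project's deployment code: a small audit of the `protocols` setting from a Buildbot `master.cfg`, which reports whether the PB worker port is reachable from all interfaces or bound to loopback as suggested in the note above. The port number 9989 and the two sample configurations are constructed for illustration; the function names are hypothetical.

```python
import ipaddress
import re

def pb_listen_interface(port_spec):
    """Return the address a PB port setting binds to ('' = all interfaces)."""
    if isinstance(port_spec, int) or str(port_spec).isdigit():
        return ""  # bare port number: the master listens on every interface
    # Endpoint strings are colon-separated; a literal colon is written "\:".
    parts = re.split(r"(?<!\\):", str(port_spec))
    if parts[0] not in ("tcp", "tcp6"):
        raise ValueError("unsupported endpoint type: %r" % parts[0])
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if sep and key == "interface":
            return value.replace("\\:", ":")
    return ""  # no interface= argument: all interfaces

def is_loopback_only(port_spec):
    """True only when the setting names an explicit loopback address."""
    iface = pb_listen_interface(port_spec)
    if not iface:
        return False
    try:
        return ipaddress.ip_address(iface).is_loopback
    except ValueError:
        return False  # not an IP literal: cannot be verified, so flag it

def audit_protocols(protocols):
    """Return one finding per worker protocol that is not loopback-bound."""
    findings = []
    for name, opts in protocols.items():
        spec = opts.get("port")
        if spec is not None and not is_loopback_only(spec):
            findings.append("%s: port %r is reachable beyond localhost" % (name, spec))
    return findings

# Constructed sample values for c['protocols'] in master.cfg.
EXPOSED = {"pb": {"port": 9989}}                            # weak: all interfaces
LOCAL = {"pb": {"port": "tcp:9989:interface=127.0.0.1"}}    # bound to loopback

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED), ("local", LOCAL)):
        print(label, audit_protocols(cfg) or "ok")
```

With the port bound to loopback, workers on other hosts can only reach the master through a tunnel or a local forwarder.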
||what you suggest in 12331 is implemented in d37685124d0..|
||build steps have specific names at 290337abb8..|
||Among the other things, docs builder needs to be triggered upon each commit on documentation.|
||adding hooks @ 7bb658..|
||Closing and reporting the last bullet point as a separate issue.|
|2017-06-10 10:50||Marcello Stanisci||New Issue|
|2017-07-11 09:06||Marcello Stanisci||Note Added: 0012325|
|2017-07-11 09:08||Marcello Stanisci||Note Edited: 0012325|
|2017-07-12 18:45||Florian Dold||Note Added: 0012331|
|2017-10-18 14:01||Marcello Stanisci||Note Added: 0012493|
|2017-10-18 14:16||Marcello Stanisci||Note Added: 0012494|
|2017-10-18 22:44||Marcello Stanisci||Note Added: 0012497|
|2017-10-23 10:22||Christian Grothoff||Assigned To||=> Marcello Stanisci|
|2017-10-23 10:22||Christian Grothoff||Status||new => assigned|
|2017-10-23 10:38||Christian Grothoff||Product Version||=> git (master)|
|2017-10-23 10:38||Christian Grothoff||Target Version||=> 0.5|
|2017-10-23 17:15||Marcello Stanisci||Note Added: 0012513|
|2017-12-08 12:30||Marcello Stanisci||Note Added: 0012637|
|2017-12-08 12:31||Marcello Stanisci||Status||assigned => closed|
|2017-12-08 12:31||Marcello Stanisci||Resolution||open => fixed|