Bug #11801

Use shared-secrets.d instead of TailsToaster_config/common.d

Added by anonym 2016-09-16 06:41:33 . Updated 2017-07-31 10:52:15 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Continuous Integration
Target version:
Tails_3.1
Start date:
2016-09-16
Due date:
% Done:

100%

Feature Branch:
Type of work:
Sysadmin
Blueprint:

Starter:
Affected tool:
Deliverable for:

Description

We use shared-secrets.d when developing tests, so our isotesters should use it as well so developers can push updates required for new tests that will go live on the isotesters as well.

This would also have the advantage of making tails::jenkins::slave::iso_tester work a bit more out-of-the-box on other systems than lizard: currently, systems managed by that class get configuration (e.g. ssh.yml) that can’t possibly work outside of lizard.

Subtasks

Related issues

Has duplicate Tails - Bug #12559: The shared secrets repo is no up-to-date on Jenkins Duplicate 2017-05-18

History

#1 Updated by intrigeri 2016-09-16 06:46:39

  • Category changed from Infrastructure to Continuous Integration
  • Type of work changed from Code to Sysadmin

#2 Updated by bertagaz 2016-11-08 20:23:59

  • Target version changed from Tails_2.7 to Tails_2.9.1

#3 Updated by anonym 2016-12-14 20:11:27

  • Target version changed from Tails_2.9.1 to Tails 2.10

#4 Updated by intrigeri 2016-12-18 09:57:23

  • Target version changed from Tails 2.10 to Tails_2.11

#5 Updated by intrigeri 2017-01-03 10:35:42

  • Description updated
  • Assignee changed from bertagaz to intrigeri

Added one use case I care about, and thus taking over since I’d rather not wait.

#6 Updated by intrigeri 2017-03-08 09:00:43

  • Target version changed from Tails_2.11 to Tails_2.12

#7 Updated by intrigeri 2017-04-03 07:52:06

  • Status changed from Confirmed to In Progress
  • % Done changed from 0 to 10

TailsToaster_config/common.d contains:

  • icedove: duplicated info so we can use the copy that’s in shared-secrets
  • sftp and ssh: same as what’s in shared-secrets, modulo the hostname; we can probably use what’s in shared-secrets but it will probably require:
    • fixing the host resolution of lizard.t.b.o on our VMs (it currently points to 127.0.1.1, which is wrong)
    • some firewall tweaks
  • Tor: shared-secrets has no config for Tor bridges, so developers currently need to fill it themselves; moving the config currently used on isotesters to shared-secrets would simplify things for developers, and would make our test suite results easier to compare.

And shared-secrets contains no additonal config.

Next steps:

  1. Give our isotesters (lizard + sib) read-only access to the shared-secrets repo
  2. Ensure isotesters can connect to lizard.t.b.o:$PORT over SSH, i.e. implement the tweaks mentioned above for sftp and ssh
  3. Copy the Tor config to shared-secrets and ensure this doesn’t break current developers’ setup (tell them how to adjust their local config if needed).
  4. In tails::jenkins::slave::iso_tester, replace the bits about TailsToaster_config/common.d with a clone of the shared-secrets repo.
  5. And finally, think about the use case of contributors deploying tails::jenkins::slave::iso_tester without having access to tails_secrets_jenkins nor to shared-secrets. This is off-topic here, but working on this class is a good time to file tickets about what else needs to be done about it.

#8 Updated by intrigeri 2017-04-17 08:29:14

  • Target version changed from Tails_2.12 to Tails_3.1

#9 Updated by intrigeri 2017-05-18 10:27:18

  • has duplicate Bug #12559: The shared secrets repo is no up-to-date on Jenkins added

#10 Updated by intrigeri 2017-07-23 16:42:41

  • % Done changed from 10 to 20

intrigeri wrote:
> Next steps:
>
> # Give our isotesters (lizard + sib) read-only access to the shared-secrets repo

Done for lizard isotesters, will do for sib once I get access to it again.

> # Ensure isotesters can connect to lizard.t.b.o:$PORT over SSH, i.e. implement the tweaks mentioned above for sftp and ssh

Fixed the host resolution and tweaked the firewall so this now works.

Remains to do:

  1. Copy the Tor config to shared-secrets and ensure this doesn’t break current developers’ setup (tell them how to adjust their local config if needed).
  2. In tails::jenkins::slave::iso_tester, replace the bits about TailsToaster_config/common.d with a clone of the shared-secrets repo.
  3. And finally, think about the use case of contributors deploying tails::jenkins::slave::iso_tester without having access to tails_secrets_jenkins nor to shared-secrets. This is off-topic here, but working on this class is a good time to file tickets about what else needs to be done about it.

#11 Updated by intrigeri 2017-07-23 16:47:51

intrigeri wrote:
> # Copy the Tor config to shared-secrets and ensure this doesn’t break current developers’ setup (tell them how to adjust their local config if needed).

Err, we don’t use this anymore (Chutney!) so we can simply remove these bits.

#12 Updated by intrigeri 2017-07-23 17:45:24

intrigeri wrote:
> # In tails::jenkins::slave::iso_tester, replace the bits about TailsToaster_config/common.d with a clone of the shared-secrets repo.

Done. I haven’t access to my dev platform at the moment so I pushed this straight to production, sorry. First job that uses the new config: https://jenkins.tails.boum.org/job/manual_test_Tails_ISO_devel/61/

#13 Updated by intrigeri 2017-07-23 17:46:25

  • % Done changed from 20 to 50
  • QA Check set to Ready for QA

#14 Updated by intrigeri 2017-07-23 20:30:27

  • QA Check changed from Ready for QA to Dev Needed

One test suite scenario is broken apparently (https://jenkins.tails.boum.org/job/manual_test_Tails_ISO_devel/61/artifact/build-artifacts/02%3A15%3A10_SSH_is_using_the_default_SocksPort.png). I think that it’s only the case when run on lizard, and could be trivially solved by connecting to another server than lizard (rather one we maintain ourselves, stable and well-connected to lizard, e.g. labs.r.n).

#15 Updated by intrigeri 2017-07-24 05:36:28

intrigeri wrote:
> One test suite scenario is broken apparently (https://jenkins.tails.boum.org/job/manual_test_Tails_ISO_devel/61/artifact/build-artifacts/02%3A15%3A10_SSH_is_using_the_default_SocksPort.png). I think that it’s only the case when run on lizard, and could be trivially solved by connecting to another server than lizard (rather one we maintain ourselves, stable and well-connected to lizard, e.g. labs.r.n).

I’ve adjusted our firewall instead. This scenario should be repaired now, let’s see how https://jenkins.tails.boum.org/job/manual_test_Tails_ISO_stable/14/ goes.

#16 Updated by intrigeri 2017-07-24 18:55:42

  • Assignee changed from intrigeri to bertagaz
  • QA Check changed from Dev Needed to Ready for QA

Everything seems back into good shape. Please review. This work can be found in our Puppet manifests repo (July 23-24) and the submodules it references + one additional cleanup in the test suite shared secrets repo.

#17 Updated by bertagaz 2017-07-31 10:52:15

  • Status changed from In Progress to Resolved
  • Assignee deleted (bertagaz)
  • % Done changed from 50 to 100
  • QA Check changed from Ready for QA to Pass

intrigeri wrote:
> Everything seems back into good shape. Please review. This work can be found in our Puppet manifests repo (July 23-24) and the submodules it references + one additional cleanup in the test suite shared secrets repo.

Indeed! Thanks for the hands on this.