
How do you configure an Almanac based Drydock resource
Closed, ResolvedPublic

Asked by tycho.tatitscheff on Oct 15 2015, 8:31 AM.

Details

WARNING: Drydock and Almanac are both prototypes, so don't expect upstream support! It will take you down the road to hell, burn your server and kill a lot of (so many) kittens. More seriously, this question and the answers will probably have no more meaning in a month.

After reading the previous sentence, it can be cool to know how to use the new-flavoured Drydock, for different reasons:

  • you were using it before Almanac (like Haskell) and thus can't upgrade since rPc44f9d80def9fe1932c2be4fa4b65aca166ae7ea
  • you are a masochist and want to try bleeding-edge features
  • you are Chuck Norris and thus you are sure that if upstream can do it, you shall too.

So what are the steps to successfully deploy an Almanac-flavoured resource? How do you test it?

PS: While I will answer it with what I've found, feel free to comment or add alternative stuff.

Answers

tycho.tatitscheff
Updated 1,569 Days Ago

Own answer, with what I've discovered by trying and looking at the code: don't take it as gospel!! Edit: you should really not trust this without verifying: there was a security concern before epriestley's answer.

There are basically three parts:

  1. configure an almanac service
  2. configure a drydock blueprint
  3. add the key in the device

Thus you must have both the Drydock and Almanac prototypes installed.

First Part : Almanac

Create a network
Home > Almanac > Networks > Create Network
(That means: first navigate to the Almanac app, then click on the Networks tab, then click on Create Network.)
Give it a name: something like Private network or 10.0.0.1/24

Create a device
Home > Almanac > Devices > Create Device
Give it a name: something like high-secure-build or 10.0.1.23
On the device page, add an interface: choose your SSH port (since Drydock will use SSH), which is normally 22 if you haven't changed anything, one IP and the network you created earlier.
On the device page, generate a keypair (if so, be sure to save the private part) or upload an existing public key.
In a console (on the Phabricator host), trust this key with [redacted command] where xx is the key id. Do not do this! It would allow full access to your Phabricator (thanks to @epriestley's answer).

Create a service
Home > Almanac > Networks > Create Service
Select Drydock: Resource Pool and give it a name like highly-secure-builder.
On the service page, add a binding: Phabricator will typeahead the device you created earlier.
(Unnecessary step, but I think it is more secure) Check that everything is correct and then lock the service in a console (on the Phabricator host) with /path/to/phab/bin/almanac lock yyyyyy where yyyyyy is your service name (highly-secure-builder).

Second Part : Drydock

Create a blueprint
Home > Drydock > Blueprint > New blueprint
Select Almanac Host.
Give it a name (like builder-worker-contract), select the Almanac service (highly-secure-builder) and create a credential (with the private key from the device step and the user you want Drydock to connect as: root, or something else if you are conscientious).
You can lock the key content too if you want.

Last Part : adding the key and testing

Go to your build host and add the key to {the home directory of the user you chose}/.ssh/authorized_keys2

You can test from your Phabricator host whether it is working with:

  • bin/drydock lease --type host, which should output something like Activated lease "31"
  • bin/drydock command --lease xx ls / where xx is what the previous command returned (31 in our case); it should return the result of ls / on the build host.

What remains now to make CI work is managing to get working copies working. This will be covered elsewhere.
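The last part of the answer above (put the public key on the build host, then smoke-test the lease from the Phabricator host) as an added, scripted example. This is not code from the answer or from Phabricator itself: the function names, the placeholder public key and the `PHAB_ROOT` path are my own assumptions. It installs the Almanac-generated public key for a dedicated non-root user with SSH key options that forbid forwarding, checks the permissions sshd's StrictModes requires, and parses the lease id out of the `Activated lease "31"` line so the `bin/drydock command` step can be chained. The key is deliberately never passed to `bin/almanac trust-key`, which is the step epriestley warns against below.

```shell
#!/bin/sh
# Added example, not from the original answer or from Phabricator.
set -e

# Constructed placeholder public key (not real key material). In practice this
# is the public half of the keypair generated on the Almanac device page.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialForIllustrationOnly00 drydock@phabricator'

# authorized_keys options for a key that only needs to run build commands.
KEY_OPTIONS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

# install_drydock_key HOME_DIR PUBKEY
#   Appends PUBKEY, prefixed with KEY_OPTIONS, to HOME_DIR/.ssh/authorized_keys
#   and sets the permissions sshd expects. Idempotent: a key that is already
#   present is not appended twice.
install_drydock_key() {
  home_dir=$1
  pubkey=$2
  keyfile="$home_dir/.ssh/authorized_keys"
  mkdir -p "$home_dir/.ssh"
  chmod 700 "$home_dir/.ssh"
  if [ -f "$keyfile" ] && grep -qF -- "$pubkey" "$keyfile"; then
    return 0
  fi
  printf '%s %s\n' "$KEY_OPTIONS" "$pubkey" >> "$keyfile"
  chmod 600 "$keyfile"
}

# check_drydock_key HOME_DIR PUBKEY
#   Returns 0 when the key is present with the restrictive options and both
#   the file and the .ssh directory have the modes StrictModes requires.
check_drydock_key() {
  home_dir=$1
  pubkey=$2
  keyfile="$home_dir/.ssh/authorized_keys"
  [ -f "$keyfile" ] || return 1
  grep -qF -- "$KEY_OPTIONS $pubkey" "$keyfile" || return 1
  [ -n "$(find "$keyfile" -perm 600)" ] || return 1
  [ -n "$(find "$home_dir/.ssh" -prune -perm 700)" ] || return 1
}

# parse_lease_id OUTPUT
#   Extracts the numeric id from the 'Activated lease "31"' line printed by
#   bin/drydock lease --type host. Prints nothing if no lease was activated.
parse_lease_id() {
  printf '%s\n' "$1" | sed -n 's/.*Activated lease "\([0-9][0-9]*\)".*/\1/p' | head -n 1
}

# drydock_smoke_test PHAB_ROOT
#   Runs the two test commands from the answer against a live install:
#   lease a host, then run `ls /` on it through the lease. Needs Phabricator.
drydock_smoke_test() {
  phab_root=$1
  out=$("$phab_root/bin/drydock" lease --type host)
  lease_id=$(parse_lease_id "$out")
  if [ -z "$lease_id" ]; then
    echo "no activated lease in drydock output: $out" >&2
    return 1
  fi
  "$phab_root/bin/drydock" command --lease "$lease_id" ls /
}

# Example usage on the build host (assumed paths):
#   install_drydock_key /home/drydock "$(cat device-public-key.pub)"
#   check_drydock_key /home/drydock "$(cat device-public-key.pub)" && echo ok
# Then on the Phabricator host:
#   drydock_smoke_test /path/to/phab
```

`install_drydock_key` writes to `authorized_keys` rather than the `authorized_keys2` name used in the answer; OpenSSH reads both by default, but `authorized_keys2` is a legacy name. Choosing a dedicated user for the credential, as the answer suggests, keeps a compromised build from inheriting root on the build host as well.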

epriestley
Updated 2,056 Days Ago

Generating a keypair and trusting the key gives any unit tests you run complete root access to Phabricator. You ABSOLUTELY SHOULD NOT do this. The warning from almanac trust-key is serious about what it says.
