Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SLSA support #3058

Merged
merged 18 commits into from
Mar 4, 2024
Merged

SLSA support #3058

merged 18 commits into from
Mar 4, 2024

Conversation

gyr
Copy link
Member

@gyr gyr commented Feb 17, 2024

Due to SLSA constrains pkglistgen.py cannot run on botmaster using gocd, as it must run on a separate and isolated server the following changes were added:

  • create scripts that run pkgelistgen.py emulating the gocd pipelines (RelPkg and Update.000product)
  • create systemd services to execute the scripts for multiple SLSA project
  • add log support
  • create a rpm package that will be used to deploy it on SLSA server

@gyr
Add slsa-build-service
15aa15e
@gyr
Add log support to slsa-build-service
5ba60b7
@gyr
Add relpkg support
b9d7669 
- Add script to run relpkg
- Add systemd service and timer
- Change SLSA user
- Only run pkglistgen when build finishes
@gyr
Add SLSA osrc config
ed01209
@gyr
Change SLSA systemd services
da48b4f 
- Add oscrc file for SLSA
- Change user to osrt-slsa
@gyr
Change how verify-build-and-generatelists checks when run pkglistgen
fb30cf8
@gyr
Add osrt-slsa dir
0254711
@gyr
Add systemd target for SLSA
6196069
@gyr
Add working dir for SLSA services
65b8d1b
@gyr
Fix SLSA systemd target
b1c4be0
@gyr
Refactor SLSA services to avoid parallel execution
3784a45 
- Refactor log
- Unify log for pkglistgen
- Replace external while true loop with a systemd timer for pkglistgen
- Add process check on verify-build-and-generatelists and
  generate-release-packages to avoid start pkglistgen when there is an
  instance that is already running it
- SLSA services must not share the same workdir
@gyr
Change sleep location and improve log messages
19fd421
@gyr
Change pkglistgen timer and relpkggen service
28aec91 
- Decrease the interval time to trigger pkglistgen
- Add debug flag for relpkgen
@gyr
Changes to avoid parallel execution issue on SLSA services
9e328db 
- Create custom-cache-tag for pkglistgen to enable separate cache dir
  name in case of parallel running
- Add custom-cache-tag to SLSA services
- Check for systemd service instead of process to ensure that SLSA
  services will not run in parallel
- Change pkglisgen timer to avoid overlap with relpkggen timer
@gyr
Add a timeout for verify-repo-built-successful.py
b0c4abf
@gyr
Packaging release and pkglistgen services (slsa-build-service)
33d5646
@gyr
Create SLSA user (osrt-slsa) on specfile like others osrt-* users
d380b44 
and remove logrotate file
@codecov-commenter
Copy link

codecov-commenter commented Feb 17, 2024
edited
Loading

Codecov Report

Attention: 5 lines in your changes are missing coverage. Please review.

Comparison is base (54075b0) 28.31% compared to head (d380b44) 25.37%.

Files Patch % Lines
pkglistgen/tool.py 0.00% 4 Missing ⚠️
pkglistgen/cli.py 0.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3058      +/-   ##
==========================================
- Coverage   28.31%   25.37%   -2.95%     
==========================================
  Files          86       86              
  Lines       14799    14803       +4     
==========================================
- Hits         4191     3756     -435     
- Misses      10608    11047     +439

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@nilxam
Copy link
Contributor

nilxam commented Feb 21, 2024

the test is failed.

@gyr gyr marked this pull request as draft February 21, 2024 15:29
@gyr
Skip SLSA scripts in smoke-test.
3a3c97e 
SLSA scripts don't have a help flag due to they are intended
to be executed by sytemd services only.
@gyr gyr marked this pull request as ready for review February 22, 2024 10:35
@gyr
Copy link
Member Author

gyr commented Feb 22, 2024

the test is failed.

Fixed, excluded the 2 SLSA scripts from the test as they don't have help flag because they are intended to be executed only by systemd services.

nilxam
nilxam approved these changes Feb 27, 2024
View reviewed changes
Copy link
Contributor

@nilxam nilxam left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm fine with the change. But we might need to wait #3062 I assuming that, otherwise the packaging test can not be succesful if I understand that right...

gleidi-suse
gleidi-suse approved these changes Mar 4, 2024
View reviewed changes
Copy link
Contributor

@gleidi-suse gleidi-suse left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@gyr
Copy link
Member Author

gyr commented Mar 4, 2024

I'm fine with the change. But we might need to wait #3062 I assuming that, otherwise the packaging test can not be succesful if I understand that right...

All checks passed now, package built even with #3062 not being merged.

@gleidi-suse gleidi-suse merged commit fd5b7a6 into openSUSE:master Mar 4, 2024
11 checks passed
@DimStar77
Copy link
Contributor

somebody forgot about RPM 4.19:

can't install openSUSE-release-tools-slsa-build-service-20240315.b086253-1.1.noarch:
nothing provides group(osrt-slsa) needed by openSUSE-release-tools-slsa-build-service-20240315.b086253.noarch
nothing provides user(osrt-slsa) needed by openSUSE-release-tools-slsa-build-service-20240315.b086253.noarch

either the user is generated properly using sysusers.d or it is at least advertised in the pkg meta
https://en.opensuse.org/openSUSE:Packaging_guidelines#Users_and_Groups

@gyr gyr mentioned this pull request Apr 18, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nilxam nilxam nilxam approved these changes

@gleidi-suse gleidi-suse gleidi-suse approved these changes

@Vogtinator Vogtinator Awaiting requested review from Vogtinator

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@gyr @codecov-commenter @nilxam @DimStar77 @gleidi-suse