1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
|
#!/usr/bin/env python3
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, # You can obtain one at http://mozilla.org/MPL/2.0/.
from __future__ import absolute_import, print_function
import sys
sys.path.append("/builds/worker/checkouts/gecko/third_party/python")
sys.path.append(".")
import os
import stat
import base64
import signal
import requests
import subprocess
import taskcluster
# Bump this number when you need to cause a commit for the job to re-run: 17
OPERATING_MODE = (
"prod"
if os.environ.get("GECKO_HEAD_REPOSITORY", "")
== "https://hg.mozilla.org/mozilla-central"
else "dev"
)
GECKO_DEV_PATH = "/builds/worker/checkouts/gecko"
DEV_PHAB_URL = "https://phabricator-dev.allizom.org/"
PROD_PHAB_URL = "https://phabricator.services.mozilla.com/"
phabricator_url = DEV_PHAB_URL if OPERATING_MODE == "dev" else PROD_PHAB_URL
def log(*args):
print(*args)
def get_secret(name):
secret = None
if "TASK_ID" in os.environ:
secrets_url = (
"http://taskcluster/secrets/v1/secret/project/updatebot/"
+ ("3" if OPERATING_MODE == "prod" else "2")
+ "/"
+ name
)
res = requests.get(secrets_url)
res.raise_for_status()
secret = res.json()
else:
secrets = taskcluster.Secrets(taskcluster.optionsFromEnvironment())
secret = secrets.get("project/updatebot/" + OPERATING_MODE + "/" + name)
secret = secret["secret"] if "secret" in secret else None
secret = secret["value"] if "value" in secret else None
return secret
# Get TC Secrets =======================================
log("Operating mode is ", OPERATING_MODE)
log("Getting secrets...")
bugzilla_api_key = get_secret("bugzilla-api-key")
phabricator_token = get_secret("phabricator-token")
try_sshkey = get_secret("try-sshkey")
database_config = get_secret("database-password")
sentry_url = get_secret("sentry-url")
sql_proxy_config = get_secret("sql-proxy-config")
os.chdir("/builds/worker/updatebot")
# Update Updatebot =======================================
if OPERATING_MODE == "dev":
"""
If we are in development mode, we will update from github.
(This command will probably only work if we checkout a branch FWIW.)
This allows us to iterate faster by committing to github and
re-running the cron job on Taskcluster, without rebuilding the
Docker image.
However, this mechanism is bypassing the security feature we
have in-tree, where upstream out-of-tree code is fixed at a known
revision and cannot be changed without a commit to m-c.
Therefore, we only do this in dev mode when running on try.
"""
log("Performing git repo update...")
r = subprocess.run(["git", "symbolic-ref", "-q", "HEAD"])
if r.returncode == 0:
# This indicates we are on a branch, and not a specific revision
subprocess.check_call(["git", "pull", "origin"])
# Set Up SSH & Phabricator ==============================
log("Setting up ssh and phab keys...")
with open("id_rsa", "w") as sshkey:
sshkey.write(try_sshkey)
os.chmod("id_rsa", stat.S_IRUSR | stat.S_IWUSR)
arcrc = open("/builds/worker/.arcrc", "w")
towrite = """
{
"hosts": {
"PHAB_URL_HERE": {
"token": "TOKENHERE"
}
}
}
""".replace(
"TOKENHERE", phabricator_token
).replace(
"PHAB_URL_HERE", phabricator_url + "api/"
)
arcrc.write(towrite)
arcrc.close()
os.chmod("/builds/worker/.arcrc", stat.S_IRUSR | stat.S_IWUSR)
# Set up the Cloud SQL Proxy =============================
log("Setting up cloud_sql_proxy...")
os.chdir("/builds/worker/")
with open("sql-proxy-key", "w") as proxy_key_file:
proxy_key_file.write(
base64.b64decode(sql_proxy_config["key-value"]).decode("utf-8")
)
instance_name = sql_proxy_config["instance-name"]
sql_proxy_command = (
"./go/bin/cloud_sql_proxy -instances="
+ instance_name
+ "=tcp:3306 -credential_file=sql-proxy-key"
)
sql_proxy = subprocess.Popen(
sql_proxy_command,
stdout=subprocess.PIPE,
stderr=subprocess.PIPE,
shell=True,
start_new_session=True,
)
try:
(stdout, stderr) = sql_proxy.communicate(input=None, timeout=2)
log("sql proxy stdout:", stdout.decode("utf-8"))
log("sql proxy stderr:", stderr.decode("utf-8"))
except subprocess.TimeoutExpired:
log("no sqlproxy output in 2 seconds, this means it probably didn't error.")
database_config["host"] = "127.0.0.1"
# Vendor =================================================
log("Getting Updatebot ready...")
os.chdir("/builds/worker/updatebot")
localconfig = {
"General": {
"env": OPERATING_MODE,
"gecko-path": GECKO_DEV_PATH,
},
"Logging": {
"local": True,
"sentry": True,
"sentry_config": {"url": sentry_url, "debug": False},
},
"Database": database_config,
"Bugzilla": {
"apikey": bugzilla_api_key,
},
"Taskcluster": {
"url_treeherder": "https://treeherder.mozilla.org/",
"url_taskcluster": "http://taskcluster/",
},
}
log("Writing local config file")
config = open("localconfig.py", "w")
config.write("localconfig = " + str(localconfig))
config.close()
if OPERATING_MODE == "dev":
log("Rewriting $gecko/.arcconfig because we're pointing at phab dev")
subprocess.check_call(
[
"sed",
"-i",
"s#" + PROD_PHAB_URL + "#" + DEV_PHAB_URL + "#",
os.path.join(GECKO_DEV_PATH, ".arcconfig"),
]
)
log("Running updatebot")
subprocess.check_call(["poetry", "run", "./automation.py"])
# Clean up ===============================================
log("Killing cloud_sql_proxy")
os.killpg(sql_proxy.pid, signal.SIGTERM)
|
