pyca / infra Goto Github PK

https://hub.docker.com/u/pyca

This profile does not have any public repositories

Perhaps this is related to the recent docker hub plan pricing changes?

We have a variety of sensitive credentials we should find a shared, secure storage for. This is lower priority than getting the new CI system fully functional, but once that's done we can talk about approaches.

Windows Server 2016 supports containers. Investigate whether we can build a container with all the Python/Visual Studio versions and replace our server 2012 VMs.

We need systemd unit files to launch caddy & jenkins.

After cryptography 39 is released.

https://hub.docker.com/r/pyca now houses our docker builds. I originally set it up as a single repo cryptography-runner with tags like jessie and jessie-libressl-2.4.5, but it seemed like docker wanted us to use separate repos with mostly just latest tags. Accordingly, I switched it to separate repos, but it's not clear to me this has gained us much. Should we keep down this path or switch back? We need to be able to build every image on push to master and then ideally be able to trigger a jenkins job to pull down the new images/clean out the old ones when they're all done building. The former is possible with either approach and I'm not sure if the latter is possible either way.

One small disadvantage of the separate repo approach is that we have to create the repo on the docker hub side whenever we create a new one (with a single repo we'd just need to add a new config entry to the existing repo).

• cffi
• brotlipy
• argon2cffi
• pyyaml

They're coming soon!

Next step after #44

• cryptography (pyca/cryptography#4868)
• bcrypt
  • tests (pyca/bcrypt#174)
  • wheel builder (pyca/bcrypt#177)
  • tasks.py release automation (pyca/bcrypt#178)
• pynacl
  • tests (pyca/pynacl#535)
  • wheel builder (pyca/pynacl#540)
  • tasks.py release automation (pyca/pynacl#539)
• argon2cffi wheel builder (#225)
• brotlipy wheel builder (#228)
• cffi wheel builder (#224)
• pyyaml wheel builder (#219)
• shut down jenkins
  • stop docker container
  • remove systemd script
  • remove from caddy configuration (#233)
  • remove DNS records
  • remove jenkins docker images
• remove jenkins ansible scripts (#234)
• remove references to jenkins in the readme (#234)

Related to the same server that we run jenkins on:

• Migrate cryptography.io reverse proxy
• Migrate pyopenssl.org reverse proxy

So I was recovering support for manylinux1 for another project and I wanted to keep the build-arg so I attempted to pass it to install_libffi.sh. To my surprise, it kept being equal to an empty string. After some digging, I realized that ARG is declared before FROM and so it is out of scope for the build (it's vaguely documented in the docs but isn't always obvious). So I fixed this by re-declaring it after that line. So at this point, I had the following in the Dockerfile:

ARG RELEASE
FROM quay.io/pypa/${RELEASE}
ARG RELEASE
...
RUN sh install_libffi.sh "${RELEASE}"
ADD install_openssl.sh /root/install_openssl.sh
ADD openssl-version.sh /root/openssl-version.sh
RUN sh install_openssl.sh
...

What could possibly go wrong? Well, that RUN sh install_openssl.sh kept failing with something like this:

--> 45c19e24b84
STEP 12: RUN sh install_openssl.sh manylinux1
+ OPENSSL_URL=https://www.openssl.org/source/
+ source /root/openssl-version.sh
++ export OPENSSL_VERSION=openssl-1.1.1h
++ OPENSSL_VERSION=openssl-1.1.1h
++ export OPENSSL_SHA256=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d
755a06595d9
++ OPENSSL_SHA256=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a065
95d9
++ export 'OPENSSL_BUILD_FLAGS_WINDOWS=no-ssl3 no-ssl3-method no-zlib no-share
d no-comp no-dynamic-engine'
++ OPENSSL_BUILD_FLAGS_WINDOWS='no-ssl3 no-ssl3-method no-zlib no-shared no-co
mp no-dynamic-engine'
++ export 'OPENSSL_BUILD_FLAGS=no-ssl3 no-ssl3-method no-zlib no-shared no-com
p no-dynamic-engine enable-ec_nistp_64_gcc_128'
++ OPENSSL_BUILD_FLAGS='no-ssl3 no-ssl3-method no-zlib no-shared no-comp no-dy
namic-engine enable-ec_nistp_64_gcc_128'
+ curl -#O https://www.openssl.org/source//openssl-1.1.1h.tar.gz
####################################################################### 100.0%
+ check_sha256sum openssl-1.1.1h.tar.gz 5c9ca8774bd7b03e5784f26ae9e9e6d749c9da
2438545077e6b3d755a06595d9
+ local fname=openssl-1.1.1h.tar.gz
+ local sha256=5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d
9
+ echo '5c9ca8774bd7b03e5784f26ae9e9e6d749c9da2438545077e6b3d755a06595d9  open
ssl-1.1.1h.tar.gz'
+ sha256sum -c openssl-1.1.1h.tar.gz.sha256
openssl-1.1.1h.tar.gz: OK
+ rm openssl-1.1.1h.tar.gz.sha256
+ tar zxf openssl-1.1.1h.tar.gz
+ PATH=/opt/perl/bin:/opt/rh/devtoolset-2/root/usr/bin:/usr/local/sbin:/usr/lo
cal/bin:/usr/sbin:/usr/bin:/sbin:/bin
+ pushd openssl-1.1.1h
~/openssl-1.1.1h ~
+ ./config no-ssl3 no-ssl3-method no-zlib no-shared no-comp no-dynamic-engine 
enable-ec_nistp_64_gcc_128 --prefix=/opt/pyca/cryptography/openssl --openssldi
r=/opt/pyca/cryptography/openssl
Operating system: x86_64-whatever-Linux
This system (Linux) is not supported. See file INSTALL for details.
Error: error building at STEP "RUN sh install_openssl.sh manylinux1": error while running runtime: exit status 1

WAAAAAAAT?
I had no idea why this was happening so I tried different things like downgrading openssl and comparing to old-and-working dockerfiles.
After a while, it struck me: it seems like some build script internals of OpenSSL itself relied on the ${RELEASE} env vars somewhere internally, and re-exposing it with the second ARG made it available and set to some unsupported value during build-time. And that is why it kept failing. 🤯

So I just wanted to document that there's a mysterious connection between ${RELEASE} and install_openssl.sh (the make invocation inside really) that can be implicitly triggered by adding that second ARG instruction.
I've patched it for myself by unsetting RELEASE at the beginning of the script:

diff --git a/cryptography-manylinux/install_openssl.sh b/cryptography-manylinux/install_openssl.sh
index d3f7789..d0618b3 100755
--- a/cryptography-manylinux/install_openssl.sh
+++ b/cryptography-manylinux/install_openssl.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 set -xe
 
+unset RELEASE
+
 OPENSSL_URL="https://www.openssl.org/source/"
 source /root/openssl-version.sh

I figured that you may want to use that build-arg as a conditional in the future and wanted to prevent others from stepping on the same rake. That said, you may want to consider either renaming this var to be something more unique (maybe PYCA_-prefixed) or injecting those unset instructions into the scripts urging people not to remove them.

You may also choose not to care about this corner case which is fine. FWIW my job here is done, the main motivation was to document this.

This is not an immediate priority but added for tracking: https://jenkins.io/doc/book/pipeline/shared-libraries/

This should allow us to reuse the builder hash -> jobs code.

They shouldn't do this.

No longer supported pypa/manylinux#1437 and we removed it in pyca/cryptography for 40.0.

However, we need to keep the image around until we are ready for 40.

We need to:

• Investigate de-duplicating URL/hash for linux/macos/windows openssl builds
• normalize our build options across all three configs

How can we get this under config management in some fashion? @alex you found something that jenkins supports that might help with this right?

• http://www.pyopenssl.org is not redirecting to https
• set hsts

xenial and latest (which is 17.04 as of a few days ago) would both probably be appropriate. This is a separate task because it's lower priority than getting the other stuff working.

As discussed in IRC, we're going to use a single node docker swarm to run containers that need access to secrets. Things to do:

• Ansible should create a swarm docker swarm init
• Put the hubot GitHub token into the swarm
• Convert systemd things to docker swarm services?

refs #42

Supposedly this can be done with --sessionTimeout=<minutes> when starting jenkins. Maybe we can do this with JENKINS_OPTS? (https://github.com/jenkinsci/docker/blob/master/jenkins.sh)

Whenever we add a new docker container to the pyca/infra jenkins job we need to create a corresponding repo on docker hub. We should document that requirement.

I've been playing with the latest manylinux-related standards and verified that it's fairly easy to create images for manylinux_2_24 and include ppc64le+s390x (these are the only archs PyPA has base images for).

Here's what I've got: https://github.com/orgs/ansible/packages?ecosystem=container&q=pylibssh-

I needed a few minor adjustments to get this working (like using apt for 2_24 b/c it's Debian 9 based). If you're interested, I could contribute the patches back to this repo. Let me know :)

A subset of jobs are created manually and pointed at pipeline scripts in our git repo. Document their (limited) config.

This is a tracking issue for switching the PR builder job over:

• Build docker containers
  • CentOS 7
  • Debian Jessie
  • Debian Stretch
  • Debian Sid
  • Debian Wheezy (we test this in current jenkins, OpenSSL 1.0.1t + Python 2.7.3)
  • LibreSSL (2.4.5, 2.5.3)
• Configure other build machines to talk to new Jenkins
  • macOS
  • FreeBSD
  • Windows
  • Windows64
• Build a functional pipeline script in a test job
  • windows
  • windows64
  • linux
  • macOS
  • FreeBSD
  • linux/LibreSSL
  • codecov upload
• Submit the Jenkinsfile as a PR
• Set up the organizational plugin

Other outstanding questions:

• How do we automate building these containers so that they're up-to-date? (Especially in the case of containers like stretch)
• Add ANSI color support on *nix?

Hi folks,

I occasionally look into PyCA projects and want to borrow some bits related to testing and packaging as they often contain great reusable ideas.

Would you mind putting a LICENSE file into this repo so that I (and others) would know the implications of copying things from here?

Thanks in advance!

PR up at pyca/bcrypt#108

Ideally there'd be some sort of auto-magic webhook thingy here.

Use setcap cap_net_bind_service=+ep ./caddy to allow listening on ports<1024

Ideally this would be automated, but let's document the steps first.

registry.access.redhat.com/ubi9/ubi gives us a RHEL9.x base image if we want to build one. If we do that, do we drop FIPS testing on CentOS 9 stream?

Credentials are dependent on #30 but write a bit about temporarily enabling ssh, shutting down VMs, running commands from https://esxi-patches.v-front.de/ESXi-6.5.0.html, rebooting, and booting the VMs back up.

Should also try to capture how to create new VMs I guess.

Hi folks,
JFYI GH improved the privilege model of the GHCR+GITHUB_TOKEN secret combo two days ago: https://github.blog/changelog/2021-03-24-packages-container-registry-now-supports-github_token/.

I've verified that it actually works in my repo:

• ansible/pylibssh@c116938
• https://github.com/ansible/pylibssh/commit/c1169384ee78a9d34e4e012ad32b6238fb8cbace/checks

How to migrate?

1. Go to each image page Package settings -> Action access tab. For example, https://github.com/orgs/pyca/packages/container/cryptography-manylinux2010/settings/actions_access

2. Click Add repository -> type in infra, select it.

3. Replace s/GHCR_TOKEN/GITHUB_TOKEN/g in https://github.com/pyca/infra/blob/main/.github/workflows/build-docker-images.yml (this is not the first step to ensure you grant the access first).

   3a. I noticed there's secrets.GHCR_TOKEN_USER but it seems unnecessary, GH docs suggest the event actor so I just have ${{ github.actor }} in my workflows, you probably should use this too.

4. Remove GHCR_TOKEN from https://github.com/pyca/infra/settings/secrets/actions.

5. Delete this token however it's called from your personal user (or bot?) account at https://github.com/settings/tokens

Not needed once 41 is released (our 40 CI still builds against it)

• argon2_cffi wheel builder
• bcrypt wheel buidler
• cffi wheel builder
• cryptography
  • docs-linkcheck
  • tests (including docs and linkcheck, which can now just be stages in a normal jenkinsfile I think)
  • random order
  • setup.py test
  • wheel builder
  • smoke tests
    • twisted
    • paramiko
    • pyopenssl
• update brew openssl
• openssl release
• openssl release 1.1
• pynacl
  • tests
  • wheel builder

The requirement for this is what RTD needs to over HSTS preloading for custom domains.

• cryptography 39 released
• removed from pynacl wheel builder
• removed from bcrypt wheel builder
• delete manylinux2010 image from pyca/infra

sh install_openssl.sh ${ARCH} is not actually passing ARCH as we expect.

See the output in https://ci.cryptography.io/blue/organizations/jenkins/pyca%2Finfra/detail/PR-120/1/pipeline/50

This should be x86_64 but it's configuring for 686 because it's not seeing an arg provided to the script. It appears that the OpenSSL config script might be "smart" enough to ignore what we tell it and compile for 64-bit anyway (since the 64-bit manylinux1 wheels definitely work), but we should still fix this as it's basically only working due to luck.

CentOS 6 is EOL since November 30th, 2020. The main repositories appear to be offline:

Error: Cannot find a valid baseurl for repo: base
YumRepo Error: All mirror URLs are not using ftp, http[s] or file.
 Eg. Invalid release/repo/arch combination/
removing mirrorlist with no valid mirrors: /var/cache/yum/x86_64/6/base/mirrorlist.txt

Is fixed upstream in pypa/manylinux#838, so should just be a cache of rebuilding the pyca image with the updated base pypa one.

Upstream bug: pypa/manylinux#836