Linaro License Protection configuration
=======================================

This branch contains current production configuration for

 * releases.linaro.org (hosted on mombin.canonical.com)
 * snapshots.linaro.org (mombin)
 * staging.releases.linaro.org (kahaku.canonical.com)
 * staging.snapshots.linaro.org (kahaku.canonical.com)


Dependencies
------------

libapache2-mod-xsendfile >= 0.10
libapache2-mod-python
python-django >= 1.3.1
python-django-openid-auth
python-apache-openid

python-apache-openid is needed until we migrate existing apache
openid-protected directories to the new setup.


Pushing framework on snapshots.linaro.org
-----------------------------------------

Pushing/uploading side is currently implemented as a multi-system setup:

 * configuration on jenkins
 * configuration of users on server

Configuration of jenkins
........................

 * We are using Publish-over-SSH plugin for jenkins

 * We perform two build steps (build steps rather than publish steps, so
   that LAVA can rely on known URLs):

   * publish artifacts over SSH (ends up on a private location on the server)

   * call out a trigger script over SSH (to move files securely to a public
     location)

 * We use strictly "push from master" in advanced settings of publish-over-ssh
   plugin, and keep private keys for both actions above on the master:

    /home/ubuntu/snapshots-sync2/linaro-android-build-publish —
      linaro-android-build-publish
    /home/ubuntu/snapshots-sync2/linaro-android-build-publish-trigger —
      linaro-android-build-publish-trigger

Configuration of users on the receiving server (snapshots.l.o)
..............................................................

For the two actions above, we have two separate users for each host
accessing the system (two for android-build.linaro.org and another two
for ci.linaro.org at this time).

One of the users is a sftp/push user, and another is the trigger user that
shuffles the files around.

Current users and their configurations:

 * linaro-android-build-publish
   /etc/ssh/user-authorized-keys/linaro-android-build-publish

     command="/usr/lib/sftp-server",no-pty,no-port-forwarding,\
     no-X11-forwarding,no-agent-forwarding,from="50.17.250.69" \
     <PUBLIC-SSH-KEY-DATA>

   (chrooted to /srv/snapshots.linaro.org/uploads/)

 * linaro-android-build-publish-trigger:

   /etc/ssh/user-authorized-keys/linaro-android-build-publish-trigger

     command="/home/linaro-android-build-publish-trigger/scripts\
              /trigger-linaro-android-build-publish.sh \
              ${SSH_ORIGINAL_COMMAND#* }",\
     no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,\
     from="50.17.250.69" <PUBLIC-SSH-KEY-DATA>

   (wrapped here for readability; in the file the whole entry, options and
   key data, is one line, as authorized_keys has no line continuation)

   sshd runs this forced command whatever the client asked for; the
   ${SSH_ORIGINAL_COMMAND#* } expansion drops the first word of the
   client's request and hands the remaining words to the script as
   arguments.  The script passes them on to publish_to_snapshots, which
   moves files from /uploads/ into the appropriate public directory:

     #!/bin/sh
     # Refuse to run as anyone but the trigger user.
     if [ "$(id -un)" != "linaro-android-build-publish-trigger" ]; then
       echo "This script is designed to be run as linaro-android-build-publish-trigger user"
       exit 1
     fi
     # Hand the arguments through to the publishing script, running it as
     # the sftp/push user linaro-android-build-publish.
     sudo -u linaro-android-build-publish \
       /home/linaro-android-build-publish/linaro-license-protection/scripts/publish_to_snapshots.py "$@"

 * linaro-ci-publish

   Exactly the same as linaro-android-build-publish, except for the IP
   (allowing ci.linaro.org from 50.17.200.206) and SSH key data.

 * linaro-ci-publish-trigger

   Like linaro-android-build-publish-trigger, with different IP
   and SSH key data.  Script lives in

     /home/linaro-ci-publish-trigger/scripts/trigger-linaro-ci-publish.sh

   and is of similar structure to the one for the user
   linaro-android-build-publish-trigger.
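
One defender-side check for the pattern above, added here as an example and not part of the linaro-license-protection project: a parser for authorized_keys option fields (following sshd's quoting rules, so a command= value may contain spaces and commas) and an audit that flags any key lacking the forced command, the no-* options, or a from= clause pinned to the expected build hosts.  The sample entries, the key data and the path /home/t/trigger.sh are constructed placeholders.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+|sk-[\w@.-]+)$")
REQUIRED_FLAGS = {"no-pty", "no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}


def parse_entry(line):
    """Return (flags, key=value options, key material). The option field ends at the
    first space outside double quotes; quoted values may hold commas, spaces and
    backslash-escaped quotes and are returned without their quotes."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line) and (quoted or line[i] != " "):
        c = line[i]
        if c == "\\" and quoted and i + 1 < len(line):  # escaped character inside quotes
            cur.append(line[i + 1]); i += 2; continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    opts.append("".join(cur))
    if len(opts) == 1 and KEY_TYPE.match(opts[0]):  # line starts with the key type: no options
        return set(), {}, line.strip()
    flags, keyvals = set(), {}
    for opt in opts:
        name, sep, val = opt.partition("=")
        if sep:
            keyvals[name.lower()] = val
        else:
            flags.add(name.lower())
    return flags, keyvals, line[i:].strip()


def audit_entry(line, allowed_from):
    """List how one entry falls short of the forced-command pattern (empty list = OK)."""
    flags, kv, _ = parse_entry(line)
    findings = ["missing " + f for f in sorted(REQUIRED_FLAGS - flags)]
    if "command" not in kv:
        findings.insert(0, "no forced command: key gets an unrestricted shell")
    if "from" not in kv:
        findings.append("no from= restriction: key usable from any address")
    elif not set(kv["from"].split(",")) <= set(allowed_from):
        findings.append("from=%s is not in the allow-list" % kv["from"])
    return findings


# Constructed sample entries with placeholder key data (not real keys).
PUBLISH_ENTRY = ('command="/usr/lib/sftp-server",no-pty,no-port-forwarding,no-X11-forwarding,'
                 'no-agent-forwarding,from="50.17.250.69" ssh-rsa AAAAB3PLACEHOLDER== publish')
TRIGGER_ENTRY = ('command="/home/t/trigger.sh ${SSH_ORIGINAL_COMMAND#* }",no-pty,no-port-forwarding,'
                 'no-X11-forwarding,no-agent-forwarding,from="50.17.200.206" ssh-rsa AAAAB3PLACEHOLDER== trigger')
BARE_ENTRY = "ssh-rsa AAAAB3PLACEHOLDER== someone@laptop"
```

Run audit_entry over each line of the user-authorized-keys files with the allow-list from config.py; a non-empty result for any upload or trigger key is the thing to investigate.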

android-build.linaro.org
........................

Runs Jenkins and uses SFTP plugin to access the above two users.  Private
keys live in

  /home/ubuntu/snapshots-sync2/linaro-android-build-publish —
    linaro-android-build-publish
  /home/ubuntu/snapshots-sync2/linaro-android-build-publish-trigger —
    linaro-android-build-publish-trigger

To ensure serialization of steps, and allow LAVA submission, these happen as
build steps, and not as publishing steps.

Deployment steps
----------------

This documents our current deployment while at the same time representing
an example production deployment.

1. Install the dependencies
   (see the "Dependencies" section)

2. Get the code

     mkdir -p /srv/shared-branches
     cd /srv/shared-branches
     bzr branch lp:linaro-license-protection

   (we are actually using http URLs since lp: defaults to bzr+ssh which
   doesn't work on system accounts)

3. Get the configuration

   Configuration files for deploying to snapshots.linaro.org,
   releases.linaro.org, staging.snapshots.linaro.org
   and staging.releases.linaro.org all live in

     lp:linaro-license-protection/configs

   We need to branch that into /srv/shared-branches as well:

     cd /srv/shared-branches
     bzr branch lp:linaro-license-protection/configs linaro-license-protection-configs

4. Checkout branches for the services you want to use:

     (cd /srv/staging.snapshots.linaro.org &&
      bzr checkout /srv/shared-branches/linaro-license-protection-configs configs &&
      bzr checkout /srv/shared-branches/linaro-license-protection)

   Replace "/srv/staging.snapshots.linaro.org" with one of
     /srv/staging.releases.linaro.org
     /srv/snapshots.linaro.org
     /srv/releases.linaro.org

   depending on the service you are deploying.

   If you use these paths, none of the config files will need updating.

5. Configure apache2

   Make sure mod-xsendfile and mod-python are enabled.
   Copy the appropriate
     /srv/staging.snapshots.linaro.org/configs/apache/staging.snapshots.linaro.org
   files to /etc/apache2/sites-available

   Copy the apache/security/ directory to /etc/apache2/security (it contains
   the OpenID group mappings, etc).

   Add the appropriate NameVirtualHost directive to

     /etc/apache2/sites-enabled/000-default

   Run "a2ensite staging.snapshots.linaro.org".

   You also need to set up an SSL certificate for *snapshots.linaro.org.

6. Create databases and set up static files

   Make sure appropriate configs/django directory is in the PYTHONPATH
   and set DJANGO_SETTINGS_MODULE and then run django-admin:

     export PYTHONPATH=/srv/staging.snapshots.linaro.org:/srv/staging.snapshots.linaro.org/linaro-license-protection:/srv/staging.snapshots.linaro.org/configs/django
     export DJANGO_SETTINGS_MODULE=settings_staging_snapshots
     mkdir -p /srv/staging.snapshots.linaro.org/db
     django-admin syncdb --noinput
     django-admin collectstatic --noinput

7. Set up a cron job to keep code updating automatically

   You may want to keep the code up to date automatically (mostly for
   staging instances).

   There is

     scripts/update-deployment.py

   from lp:linaro-license-protection which can be run from a cronjob to keep
   the above deployment always up to date.

8. Ensure license_protected_downloads/config.py contains relevant white-listed
   IP addresses:

     For releases.linaro.org:
      * android-build.linaro.org (50.17.250.69)
      * validation.linaro.org (213.123.120.124)