write script to send fedmsg when we want a release artifact signed #198
Comments
|
Note that fedmsg is being replaced with fedora-messaging. |
Indeed that is defnitely the plan. The problem I have when describing fedora messaging messages is that there isn't a succinct way to do it like there was with fedmsg. I've just still been calling them fedmsgs because people know what you mean when you say it. |
|
After some recent discussions there are actually a few different messages we probably want to send. Here is a proposal for now:
Any other ones I'm missing? |
Maybe let's split this out into two, e.g. Actually, we could also fold the |
yeah maybe we should just do that for all of these and re-use the state change messages. Actually I just looked a bit closer and the pungi messages have a status change and a phase change. I guess a new proposal would be:
|
|
So Anyway, SGTM! |
Yeah when it starts and when it finishes (or fails). I'll take this to fedora infra and see if they have any input. |
|
|
I have a suggestion: I think we should make more explicit the difference between informational messages ("if anyone cares, our build has reached state $x") from messages requesting direct action from releng ("please do $x for me; I'll be waiting"). For informational events we can start with:
And we can add more messages in the future about intermediate states if useful. For requests, there are three main ones:
Strawman for informational events: Strawman for OSTree commit signing request: Strawman for build artifact signing request: Strawman for OSTree commit import requests: And we'll need matching messages from Fedora infra to signal to us when the request was fulfilled, maybe just reflecting back the same message but on topic Does that look sane? |
|
For LGTM otherwise. |
Actually, I think it might be cleaner to just go the other and give the explicit list of artifacts we want signatures for. The advantage is that code on the infra side doesn't need to learn how to read I amended my proposal above! |
|
I'm not sure you actually need to use the message headers, I think those values would be more suited for the message body. Consumers of fedora-messaging messages don't usually look at message headers, unless they're doing something advanced or meta (like comparing messages, generating notifications, etc). |
My understanding was that header fields can be selected on, so that consumers can be more specific in the event they're interested in. Is that correct? For example, when waiting for (My experience with the message bus mostly comes from fedmsg + https://github.com/jenkinsci/jms-messaging-plugin, but the internal broker that proxied fedmsgs had some magic which pulled out fields from the body and put them into headers so Jenkins jobs could trigger on them more accurately.)
Gotcha. Don't want to go against the convention if that's what most fedora-messaging msgs do. |
|
Agree with what @abompard said, consumers generally uses content from msg section. So, all needed information which consumers may need should be in message section. Few additional comment on proposal at #198 (comment) :
|
I can change this, I just want more confirmation about the implications of doing this as mentioned in #198 (comment).
Sure, done!
OSTree commits need to be signed during the build, not at the end only, because they need to be included into the image artifacts (see discussions in #200). So we need to explicitly wait for the request to be fulfilled before we can go ahead with the rest of the build. |
+1
sgtm |
The broker we use has that feature but we generally don't make use of it in our wrapper library, because it would make the binding phase much more complex. So I would recommend using the topic as the main filter and filtering further in the code itself. |
|
OK, updated to just fold headers into the message body! |
|
Thanks! |
|
This is now blocked on https://pagure.io/fedora-infrastructure/issue/7940#comment-584414. |
If we end up using this for both the annex repo and the prod repo we should maybe add a field that specifies which repo we want to import into. |
So if we use the annex for storing all the OSTree streams, then at release time, should we instead have a different message for " |
Yeah. Except I think we can just use the same message and just make the code:
WDYT? |
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
|
OK, I added the following field to the Does that work? I opted for symbolic "compose" and "prod" names rather than hurling internal Fedora infra URLs at itself. (Of course, this is all still conditional on whether we can use the compose repo for this, right? Or did you get an answer about this?) |
yep. can we also add the commit hash ?
I think that sounds good. I believe we can use the compose repo, but I'll get confirmation. |
I talked with @mohanboddu in IRC and he confirmed this should be OK: |
|
in places where we have checksums let's qualify it by including the checksum algorithm: becomes WDYT? |
Yeah, that makes sense. We'll have to update RoboSignatory too. |
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
Add a new `cosa sign` top-level command for general signing operations. For now, it only supports one subcommand, `robosignatory`, which does signing by RoboSignatory via fedora-messaging (see [1][2] for details). Essentially with this, the pipeline flow will be: ``` $ cosa build ostree $ cosa sign robosignatory --ostree ... $ cosa buildextend-* $ cosa buildupload $ cosa sign robosignatory --images ... ``` [1] coreos/fedora-coreos-tracker#198 [2] coreos/fedora-coreos-tracker#200
|
Fixed by coreos/coreos-assembler#763. |
As part of the Fedora Signing Discussion it was identified that we need to send a message when we want to get our artifacts signed in preparation for a release. The payload of the message needs to include the artifacts as well as the checksums (so the signer can check before creating signature). We believe the
meta.jsonshould suffice as the payload.This script would need to be executed somewhere in our release process, or perhaps any time a release candidate becomes available so that all signatures are in place well in time before we do a release.
The text was updated successfully, but these errors were encountered: