ci: Use ci-fairy minio login via token file

For every CI job, put JWT content into a file and unset CI_JOB_JWT
environment var
=======

* virgl jobs:
	- Share the JWT token file with the crosvm instance
	- Keep using `export -p` due to high complexity in the scripts
	  of these jobs. At least, the CI_JOB_JWT will not be leaked,
	  since it is being unset at the `before_script` phase of each
	  Mesa CI job.

* iris jobs: Update lava_job_submitter to take token file as argument
	- generate-env with CI_JOB_JWT_TOKEN_FILE
	- create token file during baremetal init stage

* baremetal jobs: Copy token file to bare-metal NFS

Signed-off-by: Guilherme Gallo <guilherme.gallo@collabora.com>
Reviewed-by: Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
Part-of: <https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/14004>
This commit is contained in:
Guilherme Gallo 2021-12-02 10:13:10 -03:00 committed by Marge Bot
parent cdf8a14bff
commit dabc068e6c
11 changed files with 80 additions and 30 deletions


@ -16,6 +16,22 @@ variables:
# running on a particular CI farm (ie. for outages, etc): # running on a particular CI farm (ie. for outages, etc):
FD_FARM: "online" FD_FARM: "online"
default:
before_script:
- echo -e "\e[0Ksection_start:$(date +%s):unset_env_vars_section[collapsed=true]\r\e[0KUnsetting vulnerable environment variables"
- export CI_JOB_JWT_FILE="${CI_JOB_JWT_FILE:-$(mktemp)}"
- echo -n "${CI_JOB_JWT}" > "${CI_JOB_JWT_FILE}"
- unset CI_JOB_JWT
- echo -e "\e[0Ksection_end:$(date +%s):unset_env_vars_section\r\e[0K"
after_script:
- >
set +x
test -e "${CI_JOB_JWT_FILE}" &&
export CI_JOB_JWT="$(<${CI_JOB_JWT_FILE})" &&
rm "${CI_JOB_JWT_FILE}"
include: include:
- project: 'freedesktop/ci-templates' - project: 'freedesktop/ci-templates'
ref: 34f4ade99434043f88e164933f570301fd18b125 ref: 34f4ade99434043f88e164933f570301fd18b125
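Review bot: In the `after_script` folded scalar (`- >`), `set +x` and `test -e "${CI_JOB_JWT_FILE}" &&` fold onto one line unless a blank line separates them; as rendered here there is none, and `set +x test -e "${CI_JOB_JWT_FILE}"` then only reassigns the positional parameters, so the existence check never runs and `$(<${CI_JOB_JWT_FILE})` errors when the file is missing. If the blank line was merely lost in rendering this is moot; otherwise use a literal block `- |` or separate list items such as `- set +x` and `- test -e "${CI_JOB_JWT_FILE}" && export CI_JOB_JWT="$(<${CI_JOB_JWT_FILE})" && rm "${CI_JOB_JWT_FILE}"`. Only this `default:` `after_script` removes the token file, so any job that overrides `after_script` leaves the JWT on the runner's filesystem until the environment is torn down, and `mktemp` silently falls back to the runner's default temp directory; a comment above `after_script:` stating that contract would help, e.g. `# Jobs that override after_script must also remove ${CI_JOB_JWT_FILE}`.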


@ -8,15 +8,20 @@ mkdir -p $rootfs_dst/results
cp $BM/bm-init.sh $rootfs_dst/init cp $BM/bm-init.sh $rootfs_dst/init
cp $CI_COMMON/init*.sh $rootfs_dst/ cp $CI_COMMON/init*.sh $rootfs_dst/
# Make JWT token available as file in the bare-metal storage to enable access
# to MinIO
cp "${CI_JOB_JWT_FILE}" "${rootfs_dst}${CI_JOB_JWT_FILE}"
cp $CI_COMMON/capture-devcoredump.sh $rootfs_dst/ cp $CI_COMMON/capture-devcoredump.sh $rootfs_dst/
set +x set +x
# Pass through relevant env vars from the gitlab job to the baremetal init script # Pass through relevant env vars from the gitlab job to the baremetal init script
"$CI_COMMON"/generate-env.sh > $rootfs_dst/set-job-env-vars.sh "$CI_COMMON"/generate-env.sh > $rootfs_dst/set-job-env-vars.sh
chmod +x $rootfs_dst/set-job-env-vars.sh chmod +x $rootfs_dst/set-job-env-vars.sh
echo "Variables passed through:" echo "Variables passed through:"
cat $rootfs_dst/set-job-env-vars.sh cat $rootfs_dst/set-job-env-vars.sh
echo "export CI_JOB_JWT=${CI_JOB_JWT@Q}" >> $rootfs_dst/set-job-env-vars.sh
set -x set -x
# Add the Mesa drivers we built, and make a consistent symlink to them. # Add the Mesa drivers we built, and make a consistent symlink to them.
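Review bot: `cp "${CI_JOB_JWT_FILE}" "${rootfs_dst}${CI_JOB_JWT_FILE}"` does not preserve the file mode, so the 0600 file that `mktemp` created in the job becomes umask-default (typically world-readable) inside the rootfs that the commit message says is served to the bare-metal board over NFS. Prefer `install -D -m 0600 "${CI_JOB_JWT_FILE}" "${rootfs_dst}${CI_JOB_JWT_FILE}"`, which keeps the restrictive mode and also creates the parent directory (`${rootfs_dst}/tmp` for a default `mktemp` path), which the plain `cp` assumes already exists. The comment above it could say why a file is used at all, e.g. `# The JWT is passed as a file rather than an env var so it never appears in exported environments or traced commands`. The enclosing script starts and ends outside the hunk.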


@ -7,6 +7,7 @@ for var in \
CI_COMMIT_BRANCH \ CI_COMMIT_BRANCH \
CI_COMMIT_TITLE \ CI_COMMIT_TITLE \
CI_JOB_ID \ CI_JOB_ID \
CI_JOB_JWT_FILE \
CI_JOB_URL \ CI_JOB_URL \
CI_MERGE_REQUEST_SOURCE_BRANCH_NAME \ CI_MERGE_REQUEST_SOURCE_BRANCH_NAME \
CI_MERGE_REQUEST_TITLE \ CI_MERGE_REQUEST_TITLE \
@ -20,6 +21,9 @@ for var in \
CI_PROJECT_ROOT_NAMESPACE \ CI_PROJECT_ROOT_NAMESPACE \
CI_RUNNER_DESCRIPTION \ CI_RUNNER_DESCRIPTION \
CI_SERVER_URL \ CI_SERVER_URL \
CROSVM_GALLIUM_DRIVER \
CROSVM_GPU_ARGS \
CROSVM_TEST_SCRIPT \
DEQP_CASELIST_FILTER \ DEQP_CASELIST_FILTER \
DEQP_CASELIST_INV_FILTER \ DEQP_CASELIST_INV_FILTER \
DEQP_CONFIG \ DEQP_CONFIG \
@ -29,6 +33,7 @@ for var in \
DEQP_RESULTS_DIR \ DEQP_RESULTS_DIR \
DEQP_RUNNER_OPTIONS \ DEQP_RUNNER_OPTIONS \
DEQP_SUITE \ DEQP_SUITE \
DEQP_TEMP_DIR \
DEQP_VARIANT \ DEQP_VARIANT \
DEQP_VER \ DEQP_VER \
DEQP_WIDTH \ DEQP_WIDTH \
@ -40,6 +45,7 @@ for var in \
FDO_UPSTREAM_REPO \ FDO_UPSTREAM_REPO \
FD_MESA_DEBUG \ FD_MESA_DEBUG \
FLAKES_CHANNEL \ FLAKES_CHANNEL \
GALLIUM_DRIVER \
GPU_VERSION \ GPU_VERSION \
GTEST \ GTEST \
GTEST_FAILS \ GTEST_FAILS \
@ -55,10 +61,11 @@ for var in \
JOB_ARTIFACTS_BASE \ JOB_ARTIFACTS_BASE \
JOB_RESULTS_PATH \ JOB_RESULTS_PATH \
JOB_ROOTFS_OVERLAY_PATH \ JOB_ROOTFS_OVERLAY_PATH \
LD_LIBRARY_PATH \
MESA_BUILD_PATH \ MESA_BUILD_PATH \
MESA_GL_VERSION_OVERRIDE \
MESA_GLSL_VERSION_OVERRIDE \
MESA_GLES_VERSION_OVERRIDE \ MESA_GLES_VERSION_OVERRIDE \
MESA_GLSL_VERSION_OVERRIDE \
MESA_GL_VERSION_OVERRIDE \
MESA_VK_IGNORE_CONFORMANCE_WARNING \ MESA_VK_IGNORE_CONFORMANCE_WARNING \
MINIO_HOST \ MINIO_HOST \
NIR_VALIDATE \ NIR_VALIDATE \
@ -71,11 +78,11 @@ for var in \
PIGLIT_PLATFORM \ PIGLIT_PLATFORM \
PIGLIT_PROFILES \ PIGLIT_PROFILES \
PIGLIT_REPLAY_ARTIFACTS_BASE_URL \ PIGLIT_REPLAY_ARTIFACTS_BASE_URL \
PIGLIT_REPLAY_SUBCOMMAND \
PIGLIT_REPLAY_DESCRIPTION_FILE \ PIGLIT_REPLAY_DESCRIPTION_FILE \
PIGLIT_REPLAY_DEVICE_NAME \ PIGLIT_REPLAY_DEVICE_NAME \
PIGLIT_REPLAY_EXTRA_ARGS \ PIGLIT_REPLAY_EXTRA_ARGS \
PIGLIT_REPLAY_REFERENCE_IMAGES_BASE \ PIGLIT_REPLAY_REFERENCE_IMAGES_BASE \
PIGLIT_REPLAY_SUBCOMMAND \
PIGLIT_REPLAY_UPLOAD_TO_MINIO \ PIGLIT_REPLAY_UPLOAD_TO_MINIO \
PIGLIT_RESULTS \ PIGLIT_RESULTS \
PIGLIT_TESTS \ PIGLIT_TESTS \
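Review bot: Besides `CI_JOB_JWT_FILE`, this list gains `CROSVM_GALLIUM_DRIVER`, `CROSVM_GPU_ARGS`, `CROSVM_TEST_SCRIPT`, `DEQP_TEMP_DIR`, `GALLIUM_DRIVER` and `LD_LIBRARY_PATH`, none of which the commit message mentions; forwarding the job's `LD_LIBRARY_PATH` to the DUT init script in particular looks unrelated and presumably does not match the target rootfs layout, so it deserves a sentence in the commit message or its own commit. Exporting `CI_JOB_JWT_FILE` here is fine since only the path, not the token, enters the generated env script, and a comment next to it would make that intent visible to the next person editing the list, e.g. `# path only; the JWT itself is never placed in the environment`. The `for var in \` list starts and ends outside the hunks.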


@ -71,7 +71,7 @@ fi
MINIO=$(cat /proc/cmdline | tr ' ' '\n' | grep minio_results | cut -d '=' -f 2 || true) MINIO=$(cat /proc/cmdline | tr ' ' '\n' | grep minio_results | cut -d '=' -f 2 || true)
if [ -n "$MINIO" ]; then if [ -n "$MINIO" ]; then
tar -czf results.tar.gz results/; tar -czf results.tar.gz results/;
ci-fairy minio login "$CI_JOB_JWT"; ci-fairy minio login --token-file "${CI_JOB_JWT_FILE}";
ci-fairy minio cp results.tar.gz minio://"$MINIO"/results.tar.gz; ci-fairy minio cp results.tar.gz minio://"$MINIO"/results.tar.gz;
fi fi
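Review bot: `ci-fairy minio login --token-file "${CI_JOB_JWT_FILE}"` runs with no check that the variable is set or that the file is readable on the DUT, so a job whose rootfs lacks the copied token fails inside `ci-fairy` with a less obvious error than the old `"$CI_JOB_JWT"` form gave; a guard before the login such as `[ -r "${CI_JOB_JWT_FILE}" ] || echo "CI_JOB_JWT_FILE missing or unreadable, MinIO upload will fail"` makes the failure self-explaining. The same unguarded login appears in the hunks at `@ -205,7`, `@ -22,7`, `@ -201,7` and `@ -52,6`; those presumably run on the runner where `default.before_script` has just created the file, so the risk there is only jobs that override `before_script`.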


@ -205,7 +205,7 @@ popd
. .gitlab-ci/container/container_post_build.sh . .gitlab-ci/container/container_post_build.sh
############### Upload the files! ############### Upload the files!
ci-fairy minio login $CI_JOB_JWT ci-fairy minio login --token-file "${CI_JOB_JWT_FILE}"
FILES_TO_UPLOAD="lava-rootfs.tgz \ FILES_TO_UPLOAD="lava-rootfs.tgz \
$KERNEL_IMAGE_NAME" $KERNEL_IMAGE_NAME"


@ -1,6 +1,6 @@
#!/bin/sh #!/bin/sh
set -e set -ex
# This script can be called concurrently, pass arguments and env in a per-instance tmp dir # This script can be called concurrently, pass arguments and env in a per-instance tmp dir
export DEQP_TEMP_DIR=`mktemp -d /tmp.XXXXXXXXXX` export DEQP_TEMP_DIR=`mktemp -d /tmp.XXXXXXXXXX`
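Review bot: `set -e` → `set -ex` turns on command tracing for the whole crosvm script, and the commit message says the virgl jobs still rely on `export -p` to hand the environment to the guest, so every command's expanded arguments now land in the job log. Nothing in this hunk expands the token itself (`CI_JOB_JWT` is unset by `before_script` and the file is read by `ci-fairy`), but please confirm that the rest of the script, which lies outside the hunk, never expands the contents of `${CI_JOB_JWT_FILE}` on a traced command line, or bracket such commands with `set +x` / `set -x` as the other hunks do. Unrelated and pre-existing: `mktemp -d /tmp.XXXXXXXXXX` creates the directory at the filesystem root rather than under `/tmp`.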


@ -22,7 +22,7 @@ cp artifacts/ci-common/init-*.sh results/job-rootfs-overlay/
artifacts/ci-common/generate-env.sh > results/job-rootfs-overlay/set-job-env-vars.sh artifacts/ci-common/generate-env.sh > results/job-rootfs-overlay/set-job-env-vars.sh
tar zcf job-rootfs-overlay.tar.gz -C results/job-rootfs-overlay/ . tar zcf job-rootfs-overlay.tar.gz -C results/job-rootfs-overlay/ .
ci-fairy minio login "${CI_JOB_JWT}" ci-fairy minio login --token-file "${CI_JOB_JWT_FILE}"
ci-fairy minio cp job-rootfs-overlay.tar.gz "minio://${JOB_ROOTFS_OVERLAY_PATH}" ci-fairy minio cp job-rootfs-overlay.tar.gz "minio://${JOB_ROOTFS_OVERLAY_PATH}"
touch results/lava.log touch results/lava.log
@ -39,7 +39,7 @@ artifacts/lava/lava_job_submitter.py \
--ci-project-dir ${CI_PROJECT_DIR} \ --ci-project-dir ${CI_PROJECT_DIR} \
--device-type ${DEVICE_TYPE} \ --device-type ${DEVICE_TYPE} \
--dtb ${DTB} \ --dtb ${DTB} \
--jwt "${CI_JOB_JWT}" \ --jwt-file "${CI_JOB_JWT_FILE}" \
--kernel-image-name ${KERNEL_IMAGE_NAME} \ --kernel-image-name ${KERNEL_IMAGE_NAME} \
--kernel-image-type "${KERNEL_IMAGE_TYPE}" \ --kernel-image-type "${KERNEL_IMAGE_TYPE}" \
--boot-method ${BOOT_METHOD} \ --boot-method ${BOOT_METHOD} \


@ -25,16 +25,16 @@
"""Send a job to LAVA, track it and collect log back""" """Send a job to LAVA, track it and collect log back"""
import argparse import argparse
import lavacli import pathlib
import os
import sys import sys
import time import time
import traceback import traceback
import urllib.parse import urllib.parse
import xmlrpc import xmlrpc
import yaml
from datetime import datetime, timedelta from datetime import datetime, timedelta
import lavacli
import yaml
from lavacli.utils import loader from lavacli.utils import loader
# Timeout in minutes to decide if the device from the dispatched LAVA job has # Timeout in minutes to decide if the device from the dispatched LAVA job has
@ -59,6 +59,18 @@ def fatal_err(msg):
print_log(msg) print_log(msg)
sys.exit(1) sys.exit(1)
def hide_sensitive_data(yaml_data, hide_tag="HIDEME"):
out_data = ""
for line in yaml_data.splitlines(True):
if hide_tag in line:
continue
out_data += line
return out_data
def generate_lava_yaml(args): def generate_lava_yaml(args):
# General metadata and permissions, plus also inexplicably kernel arguments # General metadata and permissions, plus also inexplicably kernel arguments
values = { values = {
@ -140,15 +152,22 @@ def generate_lava_yaml(args):
# - fetch and unpack per-job environment from lava-submit.sh # - fetch and unpack per-job environment from lava-submit.sh
# - exec .gitlab-ci/common/init-stage2.sh # - exec .gitlab-ci/common/init-stage2.sh
init_lines = [] init_lines = []
with open(args.first_stage_init, 'r') as init_sh: with open(args.first_stage_init, 'r') as init_sh:
init_lines += [ x.rstrip() for x in init_sh if not x.startswith('#') and x.rstrip() ] init_lines += [ x.rstrip() for x in init_sh if not x.startswith('#') and x.rstrip() ]
with open(args.jwt_file) as jwt_file:
init_lines += [
"set +x",
f'echo -n "{jwt_file.read()}" > "{args.jwt_file}" # HIDEME',
"set -x",
]
init_lines += [ init_lines += [
'mkdir -p {}'.format(args.ci_project_dir), 'mkdir -p {}'.format(args.ci_project_dir),
'wget -S --progress=dot:giga -O- {} | tar -xz -C {}'.format(args.mesa_build_url, args.ci_project_dir), 'wget -S --progress=dot:giga -O- {} | tar -xz -C {}'.format(args.mesa_build_url, args.ci_project_dir),
'wget -S --progress=dot:giga -O- {} | tar -xz -C /'.format(args.job_rootfs_overlay_url), 'wget -S --progress=dot:giga -O- {} | tar -xz -C /'.format(args.job_rootfs_overlay_url),
'set +x', f'echo "export CI_JOB_JWT_FILE={args.jwt_file}" >> /set-job-env-vars.sh',
'export CI_JOB_JWT="{}"'.format(args.jwt),
'set -x',
'exec /init-stage2.sh', 'exec /init-stage2.sh',
] ]
test['definitions'][0]['repository']['run']['steps'] = init_lines test['definitions'][0]['repository']['run']['steps'] = init_lines
@ -285,9 +304,7 @@ def main(args):
yaml_file = generate_lava_yaml(args) yaml_file = generate_lava_yaml(args)
if args.dump_yaml: if args.dump_yaml:
censored_args = args print(hide_sensitive_data(generate_lava_yaml(args)))
censored_args.jwt = "jwt-hidden"
print(generate_lava_yaml(censored_args))
if args.validate_only: if args.validate_only:
ret = validate_job(proxy, yaml_file) ret = validate_job(proxy, yaml_file)
@ -318,13 +335,7 @@ def main(args):
if get_job_results(proxy, job_id, "0_mesa", "mesa") == True: if get_job_results(proxy, job_id, "0_mesa", "mesa") == True:
break break
def create_parser():
if __name__ == '__main__':
# given that we proxy from DUT -> LAVA dispatcher -> LAVA primary -> us ->
# GitLab runner -> GitLab primary -> user, safe to say we don't need any
# more buffering
sys.stdout.reconfigure(line_buffering=True)
sys.stderr.reconfigure(line_buffering=True)
parser = argparse.ArgumentParser("LAVA job submitter") parser = argparse.ArgumentParser("LAVA job submitter")
parser.add_argument("--pipeline-info") parser.add_argument("--pipeline-info")
@ -341,11 +352,22 @@ if __name__ == '__main__':
parser.add_argument("--kernel-image-type", nargs='?', default="") parser.add_argument("--kernel-image-type", nargs='?', default="")
parser.add_argument("--boot-method") parser.add_argument("--boot-method")
parser.add_argument("--lava-tags", nargs='?', default="") parser.add_argument("--lava-tags", nargs='?', default="")
parser.add_argument("--jwt") parser.add_argument("--jwt-file", type=pathlib.Path)
parser.add_argument("--validate-only", action='store_true') parser.add_argument("--validate-only", action='store_true')
parser.add_argument("--dump-yaml", action='store_true') parser.add_argument("--dump-yaml", action='store_true')
parser.add_argument("--visibility-group") parser.add_argument("--visibility-group")
return parser
if __name__ == "__main__":
# given that we proxy from DUT -> LAVA dispatcher -> LAVA primary -> us ->
# GitLab runner -> GitLab primary -> user, safe to say we don't need any
# more buffering
sys.stdout.reconfigure(line_buffering=True)
sys.stderr.reconfigure(line_buffering=True)
parser = create_parser()
parser.set_defaults(func=main) parser.set_defaults(func=main)
args = parser.parse_args() args = parser.parse_args()
args.func(args) args.func(args)
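Review bot: In `main`, the `--dump-yaml` path calls `generate_lava_yaml(args)` a second time although `yaml_file` on the line above already holds the result; use `print(hide_sensitive_data(yaml_file))` so the JWT file is read once and the dumped text is exactly what gets submitted. `hide_sensitive_data` drops only lines containing the tag, so it censors the token only if the emitter writes the `echo -n "<jwt>" > … # HIDEME` step as a single line; if the YAML dump wraps long scalars (the dump options are not visible here), the fragments without `HIDEME` would still be printed, which is worth a test or an explicit width when dumping. `hide_sensitive_data` also needs a docstring, e.g. `"""Return yaml_data with every line containing hide_tag removed; censors the JWT step before --dump-yaml prints the job."""`. Finally, `--jwt-file` has no `required=True`, so omitting it surfaces as a `TypeError` from `open(None)` inside `generate_lava_yaml` rather than an argparse usage error; the `main` hunk begins outside the section.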


@ -201,7 +201,7 @@ FAILURE_MESSAGE=$(printf "%s" "Unexpected change in results:")
if [ "x$PIGLIT_PROFILES" = "xreplay" ] \ if [ "x$PIGLIT_PROFILES" = "xreplay" ] \
&& [ ${PIGLIT_REPLAY_UPLOAD_TO_MINIO:-0} -eq 1 ]; then && [ ${PIGLIT_REPLAY_UPLOAD_TO_MINIO:-0} -eq 1 ]; then
ci-fairy minio login $MINIO_ARGS $CI_JOB_JWT ci-fairy minio login $MINIO_ARGS --token-file "${CI_JOB_JWT_FILE}"
fi fi
eval $RUN_CMD eval $RUN_CMD


@ -52,6 +52,6 @@ if [ -n "$MINIO_ARTIFACT_NAME" ]; then
# Pass needed files to the test stage # Pass needed files to the test stage
MINIO_ARTIFACT_NAME="$MINIO_ARTIFACT_NAME.tar.gz" MINIO_ARTIFACT_NAME="$MINIO_ARTIFACT_NAME.tar.gz"
gzip -c artifacts/install.tar > ${MINIO_ARTIFACT_NAME} gzip -c artifacts/install.tar > ${MINIO_ARTIFACT_NAME}
ci-fairy minio login $CI_JOB_JWT ci-fairy minio login --token-file "${CI_JOB_JWT_FILE}"
ci-fairy minio cp ${MINIO_ARTIFACT_NAME} minio://${PIPELINE_ARTIFACTS_BASE}/${MINIO_ARTIFACT_NAME} ci-fairy minio cp ${MINIO_ARTIFACT_NAME} minio://${PIPELINE_ARTIFACTS_BASE}/${MINIO_ARTIFACT_NAME}
fi fi


@ -265,7 +265,7 @@ a630-traces-restricted:
- .freedreno-rules-restricted - .freedreno-rules-restricted
variables: variables:
PIGLIT_REPLAY_DESCRIPTION_FILE: "/install/restricted-traces-freedreno.yml" PIGLIT_REPLAY_DESCRIPTION_FILE: "/install/restricted-traces-freedreno.yml"
PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_host=minio-packet.freedesktop.org --minio_bucket=mesa-tracie-private --role-session-name=${CI_PROJECT_PATH}:${CI_JOB_ID} --jwt=${CI_JOB_JWT} PIGLIT_REPLAY_EXTRA_ARGS: --keep-image --db-path ${CI_PROJECT_DIR}/replayer-db/ --minio_host=minio-packet.freedesktop.org --minio_bucket=mesa-tracie-private --role-session-name=${CI_PROJECT_PATH}:${CI_JOB_ID} --jwt-file=${CI_JOB_JWT_FILE}
allow_failure: true allow_failure: true
a630-traces-performance: a630-traces-performance:
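Review bot: `--jwt-file=${CI_JOB_JWT_FILE}` in `PIGLIT_REPLAY_EXTRA_ARGS` references a variable that only exists once `default.before_script` has run, unlike the GitLab-provided `CI_JOB_JWT` it replaces; it works only if the reference survives unexpanded until the shell on the test host evaluates it and `CI_JOB_JWT_FILE` has been passed through to that host (the generate-env hunk adds it), which deserves a comment on the line, e.g. `# expanded by the shell on the DUT, not by GitLab`. Since references in `variables:` may also be expanded by GitLab or the runner before the script runs, please confirm an undefined reference is left intact rather than replaced with an empty string, otherwise the replayer is invoked with `--jwt-file=` and the upload fails late.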