[Notes] [Git][BuildGrid/buildgrid][mablanch/63-tls-encryption] 6 commits

Martin Blanchard pushed to branch mablanch/63-tls-encryption at BuildGrid / buildgrid

Commits:

943ef5e2

by Jim MacArthur at 2018-08-24T16:28:23Z

buildbox.py: Unpack a digest from lease.payload

8d65751d

by Jim MacArthur at 2018-08-24T16:29:08Z

buildbox.py: Convert to new --input-digest and --output-digest arguments.

b8ea3fed

by Jim MacArthur at 2018-08-24T16:29:24Z

buildbox.py: Convert to use utils.py's functions instead of local ones

686ed8ee
by Martin Blanchard at 2018-08-28T08:12:24Z
```
Add server-side gRPC TLS encryption support
```
d8f052a7
by Martin Blanchard at 2018-08-28T08:12:24Z
```
Add client-side gRPC TLS encryption support
```

761479f0

by Martin Blanchard at 2018-08-28T08:12:24Z

gitlab-ci.yml: Force insecure connections for dummy tests

Changes:

.gitlab-ci.yml

@@ -28,10 +28,10 @@ before_script:
  .run-dummy-job-template: &dummy-job
    stage: test
    script:
 -    - ${BGD} server start &
 +    - ${BGD} server start --allow-insecure &
      - sleep 1 # Allow server to boot
 -    - ${BGD} bot --host=0.0.0.0 dummy &
 -    - ${BGD} execute --host=0.0.0.0 request-dummy --wait-for-completion
 +    - ${BGD} bot dummy &
 +    - ${BGD} execute request-dummy --wait-for-completion
  tests-debian-stretch:
    <<: *linux-tests

buildgrid/_app/bots/buildbox.py

@@ -21,16 +21,16 @@ import grpc
  from google.protobuf import any_pb2
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2
 -from buildgrid._protos.google.bytestream import bytestream_pb2, bytestream_pb2_grpc
 -from buildgrid.utils import read_file
 +from buildgrid._protos.google.bytestream import bytestream_pb2_grpc
 +from buildgrid.utils import read_file, parse_to_pb2_from_fetch
  def work_buildbox(context, lease):
      logger = context.logger
 -    action_any = lease.payload
 -    action = remote_execution_pb2.Action()
 -    action_any.Unpack(action)
 +    action_digest_any = lease.payload
 +    action_digest = remote_execution_pb2.Digest()
 +    action_digest_any.Unpack(action_digest)
      cert_server = read_file(context.server_cert)
      cert_client = read_file(context.client_cert)
@@ -45,38 +45,57 @@ def work_buildbox(context, lease):
      stub = bytestream_pb2_grpc.ByteStreamStub(channel)
 -    remote_command = _buildstream_fetch_command(context.local_cas, stub, action.command_digest)
 +    action = remote_execution_pb2.Action()
 +    parse_to_pb2_from_fetch(action, stub, action_digest)
++
 +    casdir = context.local_cas
 +    remote_command = remote_execution_pb2.Command()
 +    parse_to_pb2_from_fetch(remote_command, stub, action.command_digest)
++
      environment = dict((x.name, x.value) for x in remote_command.environment_variables)
      logger.debug("command hash: {}".format(action.command_digest.hash))
      logger.debug("vdir hash: {}".format(action.input_root_digest.hash))
      logger.debug("\n{}".format(' '.join(remote_command.arguments)))
 -    command = ['buildbox',
 -               '--remote={}'.format('https://{}:{}'.format(context.remote, context.port)),
 -               '--server-cert={}'.format(context.server_cert),
 -               '--client-key={}'.format(context.client_key),
 -               '--client-cert={}'.format(context.client_cert),
 -               '--local={}'.format(context.local_cas),
 -               '--chdir={}'.format(environment['PWD']),
 -               context.fuse_dir]
+-
 -    command.extend(remote_command.arguments)
+-
 -    logger.debug(' '.join(command))
 -    logger.debug("Input root digest:\n{}".format(action.input_root_digest))
 -    logger.info("Launching process")
+-
 -    proc = subprocess.Popen(command,
 -                            stdin=subprocess.PIPE,
 -                            stdout=subprocess.PIPE)
 -    std_send = action.input_root_digest.SerializeToString()
 -    std_out, _ = proc.communicate(std_send)
+-
 -    output_root_digest = remote_execution_pb2.Digest()
 -    output_root_digest.ParseFromString(std_out)
 -    logger.debug("Output root digest: {}".format(output_root_digest))
+-
 -    output_file = remote_execution_pb2.OutputDirectory(tree_digest=output_root_digest)
 +    # Input hash must be written to disk for buildbox.
 +    os.makedirs(os.path.join(casdir, 'tmp'), exist_ok=True)
 +    with tempfile.NamedTemporaryFile(dir=os.path.join(casdir, 'tmp')) as input_digest_file:
 +        with open(input_digest_file.name, 'wb') as f:
 +            f.write(action.input_root_digest.SerializeToString())
 +            f.flush()
++
 +        with tempfile.NamedTemporaryFile(dir=os.path.join(casdir, 'tmp')) as output_digest_file:
 +            command = ['buildbox',
 +                       '--remote={}'.format('https://{}:{}'.format(context.remote, context.port)),
 +                       '--server-cert={}'.format(context.server_cert),
 +                       '--client-key={}'.format(context.client_key),
 +                       '--client-cert={}'.format(context.client_cert),
 +                       '--input-digest={}'.format(input_digest_file.name),
 +                       '--output-digest={}'.format(output_digest_file.name),
 +                       '--local={}'.format(casdir)]
 +            if 'PWD' in environment and environment['PWD']:
 +                command.append('--chdir={}'.format(environment['PWD']))
++
 +            command.append(context.fuse_dir)
 +            command.extend(remote_command.arguments)
++
 +            logger.debug(' '.join(command))
 +            logger.debug("Input root digest:\n{}".format(action.input_root_digest))
 +            logger.info("Launching process")
++
 +            proc = subprocess.Popen(command,
 +                                    stdin=subprocess.PIPE,
 +                                    stdout=subprocess.PIPE)
 +            proc.communicate()
++
 +            output_root_digest = remote_execution_pb2.Digest()
 +            with open(output_digest_file.name, 'rb') as f:
 +                output_root_digest.ParseFromString(f.read())
 +            logger.debug("Output root digest: {}".format(output_root_digest))
++
 +            if len(output_root_digest.hash) < 64:
 +                logger.warning("Buildbox command failed - no output root digest present.")
 +            output_file = remote_execution_pb2.OutputDirectory(tree_digest=output_root_digest)
      action_result = remote_execution_pb2.ActionResult()
      action_result.output_directories.extend([output_file])
@@ -87,33 +106,3 @@ def work_buildbox(context, lease):
      lease.result.CopyFrom(action_result_any)
      return lease
+-
+-
 -def _buildstream_fetch_blob(remote, digest, out):
 -    resource_name = os.path.join(digest.hash, str(digest.size_bytes))
 -    request = bytestream_pb2.ReadRequest()
 -    request.resource_name = resource_name
 -    request.read_offset = 0
 -    for response in remote.Read(request):
 -        out.write(response.data)
+-
 -    out.flush()
 -    assert digest.size_bytes == os.fstat(out.fileno()).st_size
+-
+-
 -def _buildstream_fetch_command(casdir, remote, digest):
 -    with tempfile.NamedTemporaryFile(dir=os.path.join(casdir, 'tmp')) as out:
 -        _buildstream_fetch_blob(remote, digest, out)
 -        remote_command = remote_execution_pb2.Command()
 -        with open(out.name, 'rb') as f:
 -            remote_command.ParseFromString(f.read())
 -        return remote_command
+-
+-
 -def _buildstream_fetch_action(casdir, remote, digest):
 -    with tempfile.NamedTemporaryFile(dir=os.path.join(casdir, 'tmp')) as out:
 -        _buildstream_fetch_blob(remote, digest, out)
 -        remote_action = remote_execution_pb2.Action()
 -        with open(out.name, 'rb') as f:
 -            remote_action.ParseFromString(f.read())
 -        return remote_action

buildgrid/_app/cli.py

@@ -25,6 +25,9 @@ import os
  import logging
  import click
 +import grpc
++
 +from buildgrid.utils import read_file
  from . import _logging
@@ -35,7 +38,114 @@ class Context:
      def __init__(self):
          self.verbose = False
 -        self.home = os.getcwd()
++
 +        self.user_home = os.getcwd()
++
 +        self.user_cache_home = os.environ.get('XDG_CACHE_HOME')
 +        if not self.user_cache_home:
 +            self.user_cache_home = os.path.expanduser('~/.cache')
 +        self.cache_home = os.path.join(self.user_cache_home, 'buildgrid')
++
 +        self.user_config_home = os.environ.get('XDG_CONFIG_HOME')
 +        if not self.user_config_home:
 +            self.user_config_home = os.path.expanduser('~/.config')
 +        self.config_home = os.path.join(self.user_config_home, 'buildgrid')
++
 +        self.user_data_home = os.environ.get('XDG_DATA_HOME')
 +        if not self.user_data_home:
 +            self.user_data_home = os.path.expanduser('~/.local/share')
 +        self.data_home = os.path.join(self.user_data_home, 'buildgrid')
++
 +    def load_client_credentials(self, client_key=None, client_cert=None,
 +                                server_cert=None, use_default_client_keys=False):
 +        """Looks-up and loads TLS client gRPC credentials.
++
 +        Args:
 +            client_key(str): root certificate file path.
 +            client_cert(str): private key file path.
 +            server_cert(str): certificate chain file path.
 +            use_default_client_keys(bool, optional): whether or not to try
 +                loading client keys from default location. Defaults to False.
++
 +        Returns:
 +            :obj:`ChannelCredentials`: The credentials for use for a
 +            TLS-encrypted gRPC client channel.
 +        """
 +        if not client_key or not os.path.exists(client_key):
 +            if use_default_client_keys:
 +                client_key = os.path.join(self.config_home, 'client.key')
 +            else:
 +                client_key = None
++
 +        if not client_cert or not os.path.exists(client_cert):
 +            if use_default_client_keys:
 +                client_cert = os.path.join(self.config_home, 'client.crt')
 +            else:
 +                client_cert = None
++
 +        if not server_cert or not os.path.exists(server_cert):
 +            server_cert = os.path.join(self.config_home, 'server.crt')
 +            if not os.path.exists(server_cert):
 +                return None
++
 +        server_cert_pem = read_file(server_cert)
 +        if client_key and os.path.exists(client_key):
 +            client_key_pem = read_file(client_key)
 +        else:
 +            client_key_pem = None
 +        if client_key_pem and client_cert and os.path.exists(client_cert):
 +            client_cert_pem = read_file(client_cert)
 +        else:
 +            client_cert_pem = None
++
 +        return grpc.ssl_channel_credentials(root_certificates=server_cert_pem,
 +                                            private_key=client_key_pem,
 +                                            certificate_chain=client_cert_pem)
++
 +    def load_server_credentials(self, server_key=None, server_cert=None,
 +                                client_certs=None, use_default_client_certs=False):
 +        """Looks-up and loads TLS server gRPC credentials.
++
 +        Every private and public keys are expected to be PEM-encoded.
++
 +        Args:
 +            server_key(str): private server key file path.
 +            server_cert(str): public server certificate file path.
 +            client_certs(str): public client certificates file path.
 +            use_default_client_certs(bool, optional): whether or not to try
 +                loading public client certificates from default location.
 +                Defaults to False.
++
 +        Returns:
 +            :obj:`ServerCredentials`: The credentials for use for a
 +            TLS-encrypted gRPC server channel.
 +        """
 +        if not server_key or not os.path.exists(server_key):
 +            server_key = os.path.join(self.config_home, 'server.key')
 +            if not os.path.exists(server_key):
 +                return None
++
 +        if not server_cert or not os.path.exists(server_cert):
 +            server_cert = os.path.join(self.config_home, 'server.crt')
 +            if not os.path.exists(server_cert):
 +                return None
++
 +        if not client_certs or not os.path.exists(client_certs):
 +            if use_default_client_certs:
 +                client_certs = os.path.join(self.config_home, 'client.crt')
 +            else:
 +                client_certs = None
++
 +        server_key_pem = read_file(server_key)
 +        server_cert_pem = read_file(server_cert)
 +        if client_certs and os.path.exists(client_certs):
 +            client_certs_pem = read_file(client_certs)
 +        else:
 +            client_certs_pem = None
++
 +        return grpc.ssl_server_credentials([(server_key_pem, server_cert_pem)],
 +                                           root_certificates=client_certs_pem,
 +                                           require_client_auth=bool(client_certs))
  pass_context = click.make_pass_decorator(Context, ensure=True)

buildgrid/_app/commands/cmd_bot.py

@@ -21,8 +21,9 @@ Create a bot interface and request work
  """
  import logging
+-
  from pathlib import Path, PurePath
 +import sys
 +from urllib.parse import urlparse
  import click
  import grpc
@@ -35,22 +36,39 @@ from ..cli import pass_context
  @click.group(name='bot', short_help="Create and register bot clients.")
 +@click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
 +              help="Remote execution server's URL (port defaults to 50051 if not specified).")
 +@click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private client key for TLS (PEM-encoded)")
 +@click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public client certificate for TLS (PEM-encoded)")
 +@click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public server certificate for TLS (PEM-encoded)")
  @click.option('--parent', type=click.STRING, default='main', show_default=True,
                help="Targeted farm resource.")
 -@click.option('--port', type=click.INT, default='50051', show_default=True,
 -              help="Remote server's port number.")
 -@click.option('--host', type=click.STRING, default='localhost', show_default=True,
 -              help="Renote server's hostname.")
  @pass_context
 -def cli(context, host, port, parent):
 -    channel = grpc.insecure_channel('{}:{}'.format(host, port))
 -    interface = bot_interface.BotInterface(channel)
 +def cli(context, remote, parent, client_key, client_cert, server_cert):
 +    url = urlparse(remote)
 -    context.logger = logging.getLogger(__name__)
 -    context.logger.info("Starting on port {}".format(port))
 -    context.channel = channel
 +    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
      context.parent = parent
 +    if url.scheme == 'http':
 +        context.channel = grpc.insecure_channel(context.remote)
 +    else:
 +        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 +        if not credentials:
 +            click.echo("ERROR: no TLS keys were specified and no defaults could be found.\n" +
 +                       "Use --allow-insecure in order to deactivate TLS encryption.\n", err=True)
 +            sys.exit(-1)
++
 +        context.channel = grpc.secure_channel(context.remote, credentials)
++
 +    context.logger = logging.getLogger(__name__)
 +    context.logger.debug("Starting for remote {}".format(context.remote))
++
 +    interface = bot_interface.BotInterface(context.channel)
++
      worker = Worker()
      worker.add_device(Device())

buildgrid/_app/commands/cmd_cas.py

@@ -21,6 +21,9 @@ Request work to be executed and monitor status of jobs.
  """
  import logging
 +import sys
 +from urllib.parse import urlparse
++
  import click
  import grpc
@@ -31,20 +34,36 @@ from ..cli import pass_context
  @click.group(name='cas', short_help="Interact with the CAS server.")
 +@click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
 +              help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private client key for TLS (PEM-encoded)")
 +@click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public client certificate for TLS (PEM-encoded)")
 +@click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public server certificate for TLS (PEM-encoded)")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
 -@click.option('--port', type=click.INT, default='50051', show_default=True,
 -              help="Remote server's port number.")
 -@click.option('--host', type=click.STRING, default='localhost', show_default=True,
 -              help="Remote server's hostname.")
  @pass_context
 -def cli(context, instance_name, host, port):
 -    context.logger = logging.getLogger(__name__)
 -    context.logger.info("Starting on port {}".format(port))
 +def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 +    url = urlparse(remote)
 +    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
      context.instance_name = instance_name
 -    context.channel = grpc.insecure_channel('{}:{}'.format(host, port))
 -    context.port = port
++
 +    if url.scheme == 'http':
 +        context.channel = grpc.insecure_channel(context.remote)
 +    else:
 +        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 +        if not credentials:
 +            click.echo("ERROR: no TLS keys were specified and no defaults could be found.\n" +
 +                       "Use --allow-insecure in order to deactivate TLS encryption.\n", err=True)
 +            sys.exit(-1)
++
 +        context.channel = grpc.secure_channel(context.remote, credentials)
++
 +    context.logger = logging.getLogger(__name__)
 +    context.logger.debug("Starting for remote {}".format(context.remote))
  @cli.command('upload-files', short_help="Upload files to the CAS server.")

buildgrid/_app/commands/cmd_execute.py

@@ -22,8 +22,11 @@ Request work to be executed and monitor status of jobs.
  import errno
  import logging
 -import stat
  import os
 +import stat
 +import sys
 +from urllib.parse import urlparse
++
  import click
  import grpc
@@ -36,20 +39,36 @@ from ..cli import pass_context
  @click.group(name='execute', short_help="Execute simple operations.")
 -@click.option('--instance-name', type=click.STRING, default='main',
 -              show_default=True, help="Targeted farm instance name.")
 -@click.option('--port', type=click.INT, default='50051', show_default=True,
 -              help="Remote server's port number.")
 -@click.option('--host', type=click.STRING, default='localhost', show_default=True,
 -              help="Remote server's hostname.")
 +@click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
 +              help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private client key for TLS (PEM-encoded)")
 +@click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public client certificate for TLS (PEM-encoded)")
 +@click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public server certificate for TLS (PEM-encoded)")
 +@click.option('--instance-name', type=click.STRING, default='main', show_default=True,
 +              help="Targeted farm instance name.")
  @pass_context
 -def cli(context, instance_name, host, port):
 -    context.logger = logging.getLogger(__name__)
 -    context.logger.info("Starting on port {}".format(port))
 +def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 +    url = urlparse(remote)
 +    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
      context.instance_name = instance_name
 -    context.channel = grpc.insecure_channel('{}:{}'.format(host, port))
 -    context.port = port
++
 +    if url.scheme == 'http':
 +        context.channel = grpc.insecure_channel(context.remote)
 +    else:
 +        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 +        if not credentials:
 +            click.echo("ERROR: no TLS keys were specified and no defaults could be found.\n" +
 +                       "Use --allow-insecure in order to deactivate TLS encryption.\n", err=True)
 +            sys.exit(-1)
++
 +        context.channel = grpc.secure_channel(context.remote, credentials)
++
 +    context.logger = logging.getLogger(__name__)
 +    context.logger.debug("Starting for remote {}".format(context.remote))
  @cli.command('request-dummy', short_help="Send a dummy action.")

buildgrid/_app/commands/cmd_server.py

@@ -22,6 +22,7 @@ Create a BuildGrid server.
  import asyncio
  import logging
 +import sys
  import click
@@ -41,18 +42,25 @@ _SIZE_PREFIXES = {'k': 2 ** 10, 'm': 2 ** 20, 'g': 2 ** 30, 't': 2 ** 40}
  @pass_context
  def cli(context):
      context.logger = logging.getLogger(__name__)
 -    context.logger.info("BuildGrid server booting up")
  @cli.command('start', short_help="Setup a new server instance.")
  @click.argument('instances', nargs=-1, type=click.STRING)
  @click.option('--port', type=click.INT, default='50051', show_default=True,
                help="The port number to be listened.")
 -@click.option('--max-cached-actions', type=click.INT, default=50, show_default=True,
 -              help="Maximum number of actions to keep in the ActionCache.")
 +@click.option('--server-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private server key for TLS (PEM-encoded)")
 +@click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public server certificate for TLS (PEM-encoded)")
 +@click.option('--client-certs', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public client certificates for TLS (PEM-encoded)")
 +@click.option('--allow-insecure', type=click.BOOL, is_flag=True,
 +              help="Whether or not to allow unencrypted connections.")
  @click.option('--allow-update-action-result/--forbid-update-action-result',
                'allow_uar', default=True, show_default=True,
                help="Whether or not to allow clients to manually edit the action cache.")
 +@click.option('--max-cached-actions', type=click.INT, default=50, show_default=True,
 +              help="Maximum number of actions to keep in the ActionCache.")
  @click.option('--cas', type=click.Choice(('lru', 's3', 'disk', 'with-cache')),
                help="The CAS storage type to use.")
  @click.option('--cas-cache', type=click.Choice(('lru', 's3', 'disk')),
@@ -68,9 +76,21 @@ def cli(context):
  @click.option('--cas-disk-directory', type=click.Path(file_okay=False, dir_okay=True, writable=True),
                help="For --cas=disk, the folder to store CAS blobs in.")
  @pass_context
 -def start(context, instances, port, max_cached_actions, allow_uar, cas, **cas_args):
 -    """ Starts a BuildGrid server.
 -    """
 +def start(context, port, allow_insecure, server_key, server_cert, client_certs,
 +          instances, max_cached_actions, allow_uar, cas, **cas_args):
 +    """Setups a new server instance."""
 +    credentials = None
 +    if not allow_insecure:
 +        credentials = context.load_server_credentials(server_key, server_cert, client_certs)
 +    if not credentials and not allow_insecure:
 +        click.echo("ERROR: no TLS keys were specified and no defaults could be found.\n" +
 +                   "Use --allow-insecure in order to deactivate TLS encryption.\n", err=True)
 +        sys.exit(-1)
++
 +    context.credentials = credentials
 +    context.port = port
++
 +    context.logger.info("BuildGrid server booting up")
      context.logger.info("Starting on port {}".format(port))
      cas_storage = _make_cas_storage(context, cas, cas_args)
@@ -85,8 +105,9 @@ def start(context, instances, port, max_cached_actions, allow_uar, cas, **cas_ar
      if instances is None:
          instances = ['main']
 -    server = buildgrid_server.BuildGridServer(port,
 -                                              instances,
 +    server = buildgrid_server.BuildGridServer(port=context.port,
 +                                              credentials=context.credentials,
 +                                              instances=instances,
                                                cas_storage=cas_storage,
                                                action_cache=action_cache)
      loop = asyncio.get_event_loop()

buildgrid/server/buildgrid_server.py

@@ -40,11 +40,16 @@ from .worker.bots_service import BotsService
  class BuildGridServer:
 -    def __init__(self, port='50051', instances=None, max_workers=10, action_cache=None, cas_storage=None):
 -        port = '[::]:{0}'.format(port)
 +    def __init__(self, port=50051, credentials=None, instances=None,
 +                 max_workers=10, action_cache=None, cas_storage=None):
 +        address = '[::]:{0}'.format(port)
          self._server = grpc.server(futures.ThreadPoolExecutor(max_workers))
 -        self._server.add_insecure_port(port)
++
 +        if credentials is not None:
 +            self._server.add_secure_port(address, credentials)
 +        else:
 +            self._server.add_insecure_port(address)
          if cas_storage is not None:
              cas_service = ContentAddressableStorageService(cas_storage)

docs/source/using_dummy_build.rst

@@ -8,7 +8,7 @@ In one terminal, start a server:
  .. code-block:: sh
 -   bgd server start
 +   bgd server start --allow-insecure
  In another terminal, send a request for work:

docs/source/using_simple_build.rst

@@ -27,7 +27,7 @@ Now start a BuildGrid server, passing it a directory it can write a CAS to:
  .. code-block:: sh
 -   bgd server start --cas disk --cas-cache disk --cas-disk-directory /path/to/empty/directory
 +   bgd server start --allow-insecure --cas disk --cas-cache disk --cas-disk-directory /path/to/empty/directory
  Start the following bot session:

[Notes] [Git][BuildGrid/buildgrid][mablanch/63-tls-encryption] 6 commits: buildbox.py: Unpack a digest from lease.payload

Martin Blanchard pushed to branch mablanch/63-tls-encryption at BuildGrid / buildgrid

Commits:

10 changed files:

Changes: