[Notes] [Git][BuildGrid/buildgrid][mablanch/61-bazel-support] 11 commits

Martin Blanchard pushed to branch mablanch/61-bazel-support at BuildGrid / buildgrid

Commits:

1a9ed906

by Martin Blanchard at 2018-08-29T11:21:43Z

Add server-side gRPC TLS encryption support

https://gitlab.com/BuildGrid/buildgrid/issues/63

cff9354d

by Martin Blanchard at 2018-08-29T11:21:45Z

Add client-side gRPC TLS encryption support

https://gitlab.com/BuildGrid/buildgrid/issues/63

50d2f283

by Martin Blanchard at 2018-08-29T12:27:05Z

docs: Add a new section for configuration

https://gitlab.com/BuildGrid/buildgrid/issues/63

9a44c825

by Martin Blanchard at 2018-08-29T12:27:07Z

gitlab-ci.yml: Force insecure connections for dummy tests

94c7a77e

by Martin Blanchard at 2018-08-29T13:53:50Z

cmd_bot.py: Allow separate CAS server for any bot

Factorize the separate CAS handling code, originally buildbox specific.

https://gitlab.com/BuildGrid/buildgrid/issues/68

1078a53a

by Martin Blanchard at 2018-08-30T12:09:11Z

utils.py: Support symlinks and folders in fetcher helper

8036db36
by Martin Blanchard at 2018-08-30T12:09:11Z
```
utils.py: New gRPC OutputFile maker helper
```

0e902477

by Martin Blanchard at 2018-08-30T12:11:02Z

temp_directory.py: Better action execution support

89a66aea
by Martin Blanchard at 2018-08-30T12:11:02Z
```
utils.py: New gRPC OutputDirectory maker helper
```

0dd5a638

by Martin Blanchard at 2018-08-30T12:11:49Z

temp_directory.py: Add output directory upload support

9b769264

by Martin Blanchard at 2018-08-30T12:11:49Z

execution_service.py: Handle client not supporting multi-instances

16 changed files:

.gitlab-ci.yml
buildgrid/_app/bots/buildbox.py
buildgrid/_app/bots/temp_directory.py
buildgrid/_app/cli.py
buildgrid/_app/commands/cmd_bot.py
buildgrid/_app/commands/cmd_cas.py
buildgrid/_app/commands/cmd_execute.py
buildgrid/_app/commands/cmd_server.py
buildgrid/server/buildgrid_server.py
buildgrid/server/execution/execution_service.py
buildgrid/utils.py
+ docs/source/configuration.rst
docs/source/index.rst
docs/source/using_dummy_build.rst
docs/source/using_simple_build.rst
setup.py

Changes:

.gitlab-ci.yml

@@ -28,10 +28,10 @@ before_script:
  .run-dummy-job-template: &dummy-job
    stage: test
    script:
 -    - ${BGD} server start &
 +    - ${BGD} server start --allow-insecure &
      - sleep 1 # Allow server to boot
 -    - ${BGD} bot --host=0.0.0.0 dummy &
 -    - ${BGD} execute --host=0.0.0.0 request-dummy --wait-for-completion
 +    - ${BGD} bot dummy &
 +    - ${BGD} execute request-dummy --wait-for-completion
  tests-debian-stretch:
    <<: *linux-tests

buildgrid/_app/bots/buildbox.py

@@ -16,13 +16,12 @@
  import os
  import subprocess
  import tempfile
 -import grpc
  from google.protobuf import any_pb2
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2
  from buildgrid._protos.google.bytestream import bytestream_pb2_grpc
 -from buildgrid.utils import read_file, parse_to_pb2_from_fetch
 +from buildgrid.utils import parse_to_pb2_from_fetch
  def work_buildbox(context, lease):
@@ -32,18 +31,7 @@ def work_buildbox(context, lease):
      action_digest = remote_execution_pb2.Digest()
      action_digest_any.Unpack(action_digest)
 -    cert_server = read_file(context.server_cert)
 -    cert_client = read_file(context.client_cert)
 -    key_client = read_file(context.client_key)
+-
 -    # create server credentials
 -    credentials = grpc.ssl_channel_credentials(root_certificates=cert_server,
 -                                               private_key=key_client,
 -                                               certificate_chain=cert_client)
+-
 -    channel = grpc.secure_channel('{}:{}'.format(context.remote, context.port), credentials)
+-
 -    stub = bytestream_pb2_grpc.ByteStreamStub(channel)
 +    stub = bytestream_pb2_grpc.ByteStreamStub(context.cas_channel)
      action = remote_execution_pb2.Action()
      parse_to_pb2_from_fetch(action, stub, action_digest)
@@ -66,13 +54,18 @@ def work_buildbox(context, lease):
          with tempfile.NamedTemporaryFile(dir=os.path.join(casdir, 'tmp')) as output_digest_file:
              command = ['buildbox',
 -                       '--remote={}'.format('https://{}:{}'.format(context.remote, context.port)),
 -                       '--server-cert={}'.format(context.server_cert),
 -                       '--client-key={}'.format(context.client_key),
 -                       '--client-cert={}'.format(context.client_cert),
 +                       '--remote={}'.format(context.remote_cas_url),
                         '--input-digest={}'.format(input_digest_file.name),
                         '--output-digest={}'.format(output_digest_file.name),
                         '--local={}'.format(casdir)]
++
 +            if context.cas_client_key:
 +                command.append('--client-key={}'.format(context.cas_client_key))
 +            if context.cas_client_cert:
 +                command.append('--client-cert={}'.format(context.cas_client_cert))
 +            if context.cas_server_cert:
 +                command.append('--server-cert={}'.format(context.cas_server_cert))
++
              if 'PWD' in environment and environment['PWD']:
                  command.append('--chdir={}'.format(environment['PWD']))

buildgrid/_app/bots/temp_directory.py

@@ -19,70 +19,96 @@ import tempfile
  from google.protobuf import any_pb2
 -from buildgrid.utils import read_file, create_digest, write_fetch_directory, parse_to_pb2_from_fetch
 +from buildgrid.utils import write_fetch_directory, parse_to_pb2_from_fetch
 +from buildgrid.utils import output_file_maker, output_directory_maker
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2, remote_execution_pb2_grpc
  from buildgrid._protos.google.bytestream import bytestream_pb2_grpc
  def work_temp_directory(context, lease):
 -    """ Bot downloads directories and files into a temp directory,
 -    then uploads results back to CAS
 +    """Executes a lease for a build action, using host tools.
      """
 -    parent = context.parent
 -    stub_bytestream = bytestream_pb2_grpc.ByteStreamStub(context.channel)
 +    instance_name = context.parent
 +    stub_bytestream = bytestream_pb2_grpc.ByteStreamStub(context.cas_channel)
      action_digest = remote_execution_pb2.Digest()
      lease.payload.Unpack(action_digest)
 -    action = remote_execution_pb2.Action()
 +    action = parse_to_pb2_from_fetch(remote_execution_pb2.Action(),
 +                                     stub_bytestream, action_digest, instance_name)
 -    action = parse_to_pb2_from_fetch(action, stub_bytestream, action_digest, parent)
 +    with tempfile.TemporaryDirectory() as temp_directory:
 +        command = parse_to_pb2_from_fetch(remote_execution_pb2.Command(),
 +                                          stub_bytestream, action.command_digest, instance_name)
 -    with tempfile.TemporaryDirectory() as temp_dir:
 +        write_fetch_directory(temp_directory, stub_bytestream,
 +                              action.input_root_digest, instance_name)
 -        command = remote_execution_pb2.Command()
 -        command = parse_to_pb2_from_fetch(command, stub_bytestream, action.command_digest, parent)
+-
 -        arguments = "cd {} &&".format(temp_dir)
 +        execution_envionment = os.environ.copy()
 +        for variable in command.environment_variables:
 +            if variable.name not in ['PATH', 'PWD']:
 +                execution_envionment[variable.name] = variable.value
 +        command_arguments = list()
          for argument in command.arguments:
 -            arguments += " {}".format(argument)
+-
 -        context.logger.info(arguments)
+-
 -        write_fetch_directory(temp_dir, stub_bytestream, action.input_root_digest, parent)
+-
 -        proc = subprocess.Popen(arguments,
 -                                shell=True,
 -                                stdin=subprocess.PIPE,
 -                                stdout=subprocess.PIPE)
+-
 -        # TODO: Should return the std_out to the user
 -        proc.communicate()
+-
 -        result = remote_execution_pb2.ActionResult()
 -        requests = []
 -        for output_file in command.output_files:
 -            path = os.path.join(temp_dir, output_file)
 -            chunk = read_file(path)
+-
 -            digest = create_digest(chunk)
+-
 -            result.output_files.extend([remote_execution_pb2.OutputFile(path=output_file,
 -                                                                        digest=digest)])
+-
 -            requests.append(remote_execution_pb2.BatchUpdateBlobsRequest.Request(
 -                digest=digest, data=chunk))
+-
 -        request = remote_execution_pb2.BatchUpdateBlobsRequest(instance_name=parent,
 -                                                               requests=requests)
+-
 -        stub_cas = remote_execution_pb2_grpc.ContentAddressableStorageStub(context.channel)
 -        stub_cas.BatchUpdateBlobs(request)
 +            command_arguments.append(argument.strip())
++
 +        working_directory = None
 +        if command.working_directory:
 +            working_directory = os.path.join(temp_directory,
 +                                             command.working_directory)
 +            os.makedirs(working_directory, exist_ok=True)
 +        else:
 +            working_directory = temp_directory
++
 +        # Ensure that output files structure exists:
 +        for output_path in command.output_files:
 +            directory_path = os.path.join(working_directory,
 +                                          os.path.dirname(output_path))
 +            os.makedirs(directory_path, exist_ok=True)
++
 +        process = subprocess.Popen(command_arguments,
 +                                   cwd=working_directory,
 +                                   universal_newlines=True,
 +                                   env=execution_envionment,
 +                                   stdin=subprocess.PIPE,
 +                                   stdout=subprocess.PIPE)
 +        # TODO: Should return the stdout and stderr to the user.
 +        process.communicate()
++
 +        update_requests = remote_execution_pb2.BatchUpdateBlobsRequest(instance_name=instance_name)
 +        action_result = remote_execution_pb2.ActionResult()
++
 +        for output_path in command.output_files:
 +            file_path = os.path.join(working_directory, output_path)
 +            # Missing outputs should simply be omitted in ActionResult:
 +            if not os.path.isfile(file_path):
 +                continue
++
 +            # OutputFile.path should be relative to the working direcory:
 +            output_file, update_request = output_file_maker(file_path, working_directory)
++
 +            action_result.output_files.extend([output_file])
 +            update_requests.requests.extend([update_request])
++
 +        for output_path in command.output_directories:
 +            directory_path = os.path.join(working_directory, output_path)
 +            # Missing outputs should simply be omitted in ActionResult:
 +            if not os.path.isdir(directory_path):
 +                continue
++
 +            # OutputDirectory.path should be relative to the working direcory:
 +            output_directory, update_request = output_directory_maker(directory_path, working_directory)
++
 +            action_result.output_directories.extend([output_directory])
 +            update_requests.requests.extend(update_request)
++
 +        stub_cas = remote_execution_pb2_grpc.ContentAddressableStorageStub(context.cas_channel)
 +        stub_cas.BatchUpdateBlobs(update_requests)
          result_any = any_pb2.Any()
 -        result_any.Pack(result)
 +        result_any.Pack(action_result)
          lease.result.CopyFrom(result_any)

buildgrid/_app/cli.py

@@ -25,6 +25,10 @@ import os
  import logging
  import click
 +import grpc
 +from xdg import XDG_CACHE_HOME, XDG_CONFIG_HOME, XDG_DATA_HOME
++
 +from buildgrid.utils import read_file
  from . import _logging
@@ -35,7 +39,118 @@ class Context:
      def __init__(self):
          self.verbose = False
 -        self.home = os.getcwd()
++
 +        self.user_home = os.getcwd()
++
 +        self.cache_home = os.path.join(XDG_CACHE_HOME, 'buildgrid')
 +        self.config_home = os.path.join(XDG_CONFIG_HOME, 'buildgrid')
 +        self.data_home = os.path.join(XDG_DATA_HOME, 'buildgrid')
++
 +    def load_client_credentials(self, client_key=None, client_cert=None,
 +                                server_cert=None, use_default_client_keys=False):
 +        """Looks-up and loads TLS client gRPC credentials.
++
 +        Args:
 +            client_key(str): root certificate file path.
 +            client_cert(str): private key file path.
 +            server_cert(str): certificate chain file path.
 +            use_default_client_keys(bool, optional): whether or not to try
 +                loading client keys from default location. Defaults to False.
++
 +        Returns:
 +            :obj:`ChannelCredentials`: The credentials for use for a
 +            TLS-encrypted gRPC client channel.
 +        """
 +        if not client_key or not os.path.exists(client_key):
 +            if use_default_client_keys:
 +                client_key = os.path.join(self.config_home, 'client.key')
 +            else:
 +                client_key = None
++
 +        if not client_cert or not os.path.exists(client_cert):
 +            if use_default_client_keys:
 +                client_cert = os.path.join(self.config_home, 'client.crt')
 +            else:
 +                client_cert = None
++
 +        if not server_cert or not os.path.exists(server_cert):
 +            server_cert = os.path.join(self.config_home, 'server.crt')
 +            if not os.path.exists(server_cert):
 +                return None
++
 +        server_cert_pem = read_file(server_cert)
 +        if client_key and os.path.exists(client_key):
 +            client_key_pem = read_file(client_key)
 +        else:
 +            client_key_pem = None
 +            client_key = None
 +        if client_key_pem and client_cert and os.path.exists(client_cert):
 +            client_cert_pem = read_file(client_cert)
 +        else:
 +            client_cert_pem = None
 +            client_cert = None
++
 +        credentials = grpc.ssl_channel_credentials(root_certificates=server_cert_pem,
 +                                                   private_key=client_key_pem,
 +                                                   certificate_chain=client_cert_pem)
++
 +        credentials.client_key = client_key
 +        credentials.client_cert = client_cert
 +        credentials.server_cert = server_cert
++
 +        return credentials
++
 +    def load_server_credentials(self, server_key=None, server_cert=None,
 +                                client_certs=None, use_default_client_certs=False):
 +        """Looks-up and loads TLS server gRPC credentials.
++
 +        Every private and public keys are expected to be PEM-encoded.
++
 +        Args:
 +            server_key(str): private server key file path.
 +            server_cert(str): public server certificate file path.
 +            client_certs(str): public client certificates file path.
 +            use_default_client_certs(bool, optional): whether or not to try
 +                loading public client certificates from default location.
 +                Defaults to False.
++
 +        Returns:
 +            :obj:`ServerCredentials`: The credentials for use for a
 +            TLS-encrypted gRPC server channel.
 +        """
 +        if not server_key or not os.path.exists(server_key):
 +            server_key = os.path.join(self.config_home, 'server.key')
 +            if not os.path.exists(server_key):
 +                return None
++
 +        if not server_cert or not os.path.exists(server_cert):
 +            server_cert = os.path.join(self.config_home, 'server.crt')
 +            if not os.path.exists(server_cert):
 +                return None
++
 +        if not client_certs or not os.path.exists(client_certs):
 +            if use_default_client_certs:
 +                client_certs = os.path.join(self.config_home, 'client.crt')
 +            else:
 +                client_certs = None
++
 +        server_key_pem = read_file(server_key)
 +        server_cert_pem = read_file(server_cert)
 +        if client_certs and os.path.exists(client_certs):
 +            client_certs_pem = read_file(client_certs)
 +        else:
 +            client_certs_pem = None
 +            client_certs = None
++
 +        credentials = grpc.ssl_server_credentials([(server_key_pem, server_cert_pem)],
 +                                                  root_certificates=client_certs_pem,
 +                                                  require_client_auth=bool(client_certs))
++
 +        credentials.server_key = server_key
 +        credentials.server_cert = server_cert
 +        credentials.client_certs = client_certs
++
 +        return credentials
  pass_context = click.make_pass_decorator(Context, ensure=True)

buildgrid/_app/commands/cmd_bot.py

@@ -21,8 +21,9 @@ Create a bot interface and request work
  """
  import logging
+-
  from pathlib import Path, PurePath
 +import sys
 +from urllib.parse import urlparse
  import click
  import grpc
@@ -35,22 +36,92 @@ from ..cli import pass_context
  @click.group(name='bot', short_help="Create and register bot clients.")
 +@click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
 +              help="Remote execution server's URL (port defaults to 50051 if not specified).")
 +@click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private client key for TLS (PEM-encoded)")
 +@click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public client certificate for TLS (PEM-encoded)")
 +@click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public server certificate for TLS (PEM-encoded)")
 +@click.option('--remote-cas', type=click.STRING, default=None, show_default=True,
 +              help="Remote CAS server's URL (port defaults to 11001 if not specified).")
 +@click.option('--cas-client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private CAS client key for TLS (PEM-encoded)")
 +@click.option('--cas-client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public CAS client certificate for TLS (PEM-encoded)")
 +@click.option('--cas-server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public CAS server certificate for TLS (PEM-encoded)")
  @click.option('--parent', type=click.STRING, default='main', show_default=True,
                help="Targeted farm resource.")
 -@click.option('--port', type=click.INT, default='50051', show_default=True,
 -              help="Remote server's port number.")
 -@click.option('--host', type=click.STRING, default='localhost', show_default=True,
 -              help="Renote server's hostname.")
  @pass_context
 -def cli(context, host, port, parent):
 -    channel = grpc.insecure_channel('{}:{}'.format(host, port))
 -    interface = bot_interface.BotInterface(channel)
 +def cli(context, parent, remote, client_key, client_cert, server_cert,
 +        remote_cas, cas_client_key, cas_client_cert, cas_server_cert):
 +    # Setup the remote execution server channel:
 +    url = urlparse(remote)
 -    context.logger = logging.getLogger(__name__)
 -    context.logger.info("Starting on port {}".format(port))
 -    context.channel = channel
 +    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 +    context.remote_url = remote
      context.parent = parent
 +    if url.scheme == 'http':
 +        context.channel = grpc.insecure_channel(context.remote)
++
 +        context.client_key = None
 +        context.client_cert = None
 +        context.server_cert = None
 +    else:
 +        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 +        if not credentials:
 +            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 +            sys.exit(-1)
++
 +        context.channel = grpc.secure_channel(context.remote, credentials)
++
 +        context.client_key = credentials.client_key
 +        context.client_cert = credentials.client_cert
 +        context.server_cert = credentials.server_cert
++
 +    # Setup the remote CAS server channel, if separated:
 +    if remote_cas is not None and remote_cas != remote:
 +        cas_url = urlparse(remote_cas)
++
 +        context.remote_cas = '{}:{}'.format(cas_url.hostname, cas_url.port or 11001)
 +        context.remote_cas_url = remote_cas
++
 +        if cas_url.scheme == 'http':
 +            context.cas_channel = grpc.insecure_channel(context.remote_cas)
++
 +            context.cas_client_key = None
 +            context.cas_client_cert = None
 +            context.cas_server_cert = None
 +        else:
 +            cas_credentials = context.load_client_credentials(cas_client_key, cas_client_cert, cas_server_cert)
 +            if not cas_credentials:
 +                click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 +                sys.exit(-1)
++
 +            context.cas_channel = grpc.secure_channel(context.remote_cas, cas_credentials)
++
 +            context.cas_client_key = cas_credentials.client_key
 +            context.cas_client_cert = cas_credentials.client_cert
 +            context.cas_server_cert = cas_credentials.server_cert
++
 +    else:
 +        context.remote_cas = context.remote
 +        context.remote_cas_url = remote
++
 +        context.cas_channel = context.channel
++
 +        context.cas_client_key = context.client_key
 +        context.cas_client_cert = context.client_cert
 +        context.cas_server_cert = context.server_cert
++
 +    context.logger = logging.getLogger(__name__)
 +    context.logger.debug("Starting for remote {}".format(context.remote))
++
 +    interface = bot_interface.BotInterface(context.channel)
++
      worker = Worker()
      worker.add_device(Device())
@@ -94,35 +165,17 @@ def run_temp_directory(context):
                help="Main mount-point location.")
  @click.option('--local-cas', type=click.Path(readable=False), default=str(PurePath(Path.home(), 'cas')),
                help="Local CAS cache directory.")
 -@click.option('--client-cert', type=click.Path(readable=False), default=str(PurePath(Path.home(), 'client.crt')),
 -              help="Public client certificate for TLS (PEM-encoded).")
 -@click.option('--client-key', type=click.Path(readable=False), default=str(PurePath(Path.home(), 'client.key')),
 -              help="Private client key for TLS (PEM-encoded).")
 -@click.option('--server-cert', type=click.Path(readable=False), default=str(PurePath(Path.home(), 'server.crt')),
 -              help="Public server certificate for TLS (PEM-encoded).")
 -@click.option('--port', type=click.INT, default=11001, show_default=True,
 -              help="Remote CAS server port.")
 -@click.option('--remote', type=click.STRING, default='localhost', show_default=True,
 -              help="Remote CAS server hostname.")
  @pass_context
 -def run_buildbox(context, remote, port, server_cert, client_key, client_cert, local_cas, fuse_dir):
 +def run_buildbox(context, local_cas, fuse_dir):
      """
      Uses BuildBox to run commands.
      """
+-
 -    context.logger.info("Creating a bot session")
+-
 -    context.remote = remote
 -    context.port = port
 -    context.server_cert = server_cert
 -    context.client_key = client_key
 -    context.client_cert = client_cert
      context.local_cas = local_cas
      context.fuse_dir = fuse_dir
      try:
          b = bot.Bot(context.bot_session)
 -        b.session(work=buildbox.work_buildbox,
 -                  context=context)
 +        b.session(buildbox.work_buildbox,
 +                  context)
      except KeyboardInterrupt:
          pass

buildgrid/_app/commands/cmd_cas.py

@@ -21,6 +21,9 @@ Request work to be executed and monitor status of jobs.
  """
  import logging
 +import sys
 +from urllib.parse import urlparse
++
  import click
  import grpc
@@ -31,20 +34,36 @@ from ..cli import pass_context
  @click.group(name='cas', short_help="Interact with the CAS server.")
 +@click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
 +              help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private client key for TLS (PEM-encoded)")
 +@click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public client certificate for TLS (PEM-encoded)")
 +@click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public server certificate for TLS (PEM-encoded)")
  @click.option('--instance-name', type=click.STRING, default='main', show_default=True,
                help="Targeted farm instance name.")
 -@click.option('--port', type=click.INT, default='50051', show_default=True,
 -              help="Remote server's port number.")
 -@click.option('--host', type=click.STRING, default='localhost', show_default=True,
 -              help="Remote server's hostname.")
  @pass_context
 -def cli(context, instance_name, host, port):
 -    context.logger = logging.getLogger(__name__)
 -    context.logger.info("Starting on port {}".format(port))
 +def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 +    url = urlparse(remote)
 +    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
      context.instance_name = instance_name
 -    context.channel = grpc.insecure_channel('{}:{}'.format(host, port))
 -    context.port = port
++
 +    if url.scheme == 'http':
 +        context.channel = grpc.insecure_channel(context.remote)
 +    else:
 +        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 +        if not credentials:
 +            click.echo("ERROR: no TLS keys were specified and no defaults could be found.\n" +
 +                       "Use --allow-insecure in order to deactivate TLS encryption.\n", err=True)
 +            sys.exit(-1)
++
 +        context.channel = grpc.secure_channel(context.remote, credentials)
++
 +    context.logger = logging.getLogger(__name__)
 +    context.logger.debug("Starting for remote {}".format(context.remote))
  @cli.command('upload-files', short_help="Upload files to the CAS server.")

buildgrid/_app/commands/cmd_execute.py

@@ -22,8 +22,11 @@ Request work to be executed and monitor status of jobs.
  import errno
  import logging
 -import stat
  import os
 +import stat
 +import sys
 +from urllib.parse import urlparse
++
  import click
  import grpc
@@ -36,20 +39,36 @@ from ..cli import pass_context
  @click.group(name='execute', short_help="Execute simple operations.")
 -@click.option('--instance-name', type=click.STRING, default='main',
 -              show_default=True, help="Targeted farm instance name.")
 -@click.option('--port', type=click.INT, default='50051', show_default=True,
 -              help="Remote server's port number.")
 -@click.option('--host', type=click.STRING, default='localhost', show_default=True,
 -              help="Remote server's hostname.")
 +@click.option('--remote', type=click.STRING, default='http://localhost:50051', show_default=True,
 +              help="Remote execution server's URL (port defaults to 50051 if no specified).")
 +@click.option('--client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private client key for TLS (PEM-encoded)")
 +@click.option('--client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public client certificate for TLS (PEM-encoded)")
 +@click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public server certificate for TLS (PEM-encoded)")
 +@click.option('--instance-name', type=click.STRING, default='main', show_default=True,
 +              help="Targeted farm instance name.")
  @pass_context
 -def cli(context, instance_name, host, port):
 -    context.logger = logging.getLogger(__name__)
 -    context.logger.info("Starting on port {}".format(port))
 +def cli(context, remote, instance_name, client_key, client_cert, server_cert):
 +    url = urlparse(remote)
 +    context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
      context.instance_name = instance_name
 -    context.channel = grpc.insecure_channel('{}:{}'.format(host, port))
 -    context.port = port
++
 +    if url.scheme == 'http':
 +        context.channel = grpc.insecure_channel(context.remote)
 +    else:
 +        credentials = context.load_client_credentials(client_key, client_cert, server_cert)
 +        if not credentials:
 +            click.echo("ERROR: no TLS keys were specified and no defaults could be found.\n" +
 +                       "Use --allow-insecure in order to deactivate TLS encryption.\n", err=True)
 +            sys.exit(-1)
++
 +        context.channel = grpc.secure_channel(context.remote, credentials)
++
 +    context.logger = logging.getLogger(__name__)
 +    context.logger.debug("Starting for remote {}".format(context.remote))
  @cli.command('request-dummy', short_help="Send a dummy action.")

buildgrid/_app/commands/cmd_server.py

@@ -22,6 +22,7 @@ Create a BuildGrid server.
  import asyncio
  import logging
 +import sys
  import click
@@ -41,18 +42,25 @@ _SIZE_PREFIXES = {'k': 2 ** 10, 'm': 2 ** 20, 'g': 2 ** 30, 't': 2 ** 40}
  @pass_context
  def cli(context):
      context.logger = logging.getLogger(__name__)
 -    context.logger.info("BuildGrid server booting up")
  @cli.command('start', short_help="Setup a new server instance.")
  @click.argument('instances', nargs=-1, type=click.STRING)
  @click.option('--port', type=click.INT, default='50051', show_default=True,
                help="The port number to be listened.")
 -@click.option('--max-cached-actions', type=click.INT, default=50, show_default=True,
 -              help="Maximum number of actions to keep in the ActionCache.")
 +@click.option('--server-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private server key for TLS (PEM-encoded)")
 +@click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public server certificate for TLS (PEM-encoded)")
 +@click.option('--client-certs', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public client certificates for TLS (PEM-encoded, one single file)")
 +@click.option('--allow-insecure', type=click.BOOL, is_flag=True,
 +              help="Whether or not to allow unencrypted connections.")
  @click.option('--allow-update-action-result/--forbid-update-action-result',
                'allow_uar', default=True, show_default=True,
                help="Whether or not to allow clients to manually edit the action cache.")
 +@click.option('--max-cached-actions', type=click.INT, default=50, show_default=True,
 +              help="Maximum number of actions to keep in the ActionCache.")
  @click.option('--cas', type=click.Choice(('lru', 's3', 'disk', 'with-cache')),
                help="The CAS storage type to use.")
  @click.option('--cas-cache', type=click.Choice(('lru', 's3', 'disk')),
@@ -68,9 +76,21 @@ def cli(context):
  @click.option('--cas-disk-directory', type=click.Path(file_okay=False, dir_okay=True, writable=True),
                help="For --cas=disk, the folder to store CAS blobs in.")
  @pass_context
 -def start(context, instances, port, max_cached_actions, allow_uar, cas, **cas_args):
 -    """ Starts a BuildGrid server.
 -    """
 +def start(context, port, allow_insecure, server_key, server_cert, client_certs,
 +          instances, max_cached_actions, allow_uar, cas, **cas_args):
 +    """Setups a new server instance."""
 +    credentials = None
 +    if not allow_insecure:
 +        credentials = context.load_server_credentials(server_key, server_cert, client_certs)
 +    if not credentials and not allow_insecure:
 +        click.echo("ERROR: no TLS keys were specified and no defaults could be found.\n" +
 +                   "Use --allow-insecure in order to deactivate TLS encryption.\n", err=True)
 +        sys.exit(-1)
++
 +    context.credentials = credentials
 +    context.port = port
++
 +    context.logger.info("BuildGrid server booting up")
      context.logger.info("Starting on port {}".format(port))
      cas_storage = _make_cas_storage(context, cas, cas_args)
@@ -85,8 +105,9 @@ def start(context, instances, port, max_cached_actions, allow_uar, cas, **cas_ar
      if instances is None:
          instances = ['main']
 -    server = buildgrid_server.BuildGridServer(port,
 -                                              instances,
 +    server = buildgrid_server.BuildGridServer(port=context.port,
 +                                              credentials=context.credentials,
 +                                              instances=instances,
                                                cas_storage=cas_storage,
                                                action_cache=action_cache)
      loop = asyncio.get_event_loop()

buildgrid/server/buildgrid_server.py

@@ -40,11 +40,16 @@ from .worker.bots_service import BotsService
  class BuildGridServer:
 -    def __init__(self, port='50051', instances=None, max_workers=10, action_cache=None, cas_storage=None):
 -        port = '[::]:{0}'.format(port)
 +    def __init__(self, port=50051, credentials=None, instances=None,
 +                 max_workers=10, action_cache=None, cas_storage=None):
 +        address = '[::]:{0}'.format(port)
          self._server = grpc.server(futures.ThreadPoolExecutor(max_workers))
 -        self._server.add_insecure_port(port)
++
 +        if credentials is not None:
 +            self._server.add_secure_port(address, credentials)
 +        else:
 +            self._server.add_insecure_port(address)
          if cas_storage is not None:
              cas_service = ContentAddressableStorageService(cas_storage)

buildgrid/server/execution/execution_service.py

@@ -86,6 +86,11 @@ class ExecutionService(remote_execution_pb2_grpc.ExecutionServicer):
              yield operations_pb2.Operation()
      def _get_instance(self, name):
 +        # If client does not support multiple instances, it may omit the
 +        # instance name request parameter, so better map our default:
 +        if not name and len(self._instances) == 1:
 +            name = 'main'
++
          try:
              return self._instances[name]

buildgrid/utils.py

@@ -13,6 +13,7 @@
  # limitations under the License.
 +from operator import attrgetter
  import os
  from buildgrid.settings import HASH
@@ -31,30 +32,59 @@ def gen_fetch_blob(stub, digest, instance_name=""):
          yield response.data
 -def write_fetch_directory(directory, stub, digest, instance_name=""):
 -    """ Given a directory digest, fetches files and writes them to a directory
 +def write_fetch_directory(root_directory, stub, digest, instance_name=None):
 +    """Locally replicates a directory from CAS.
++
 +    Args:
 +        root_directory (str): local directory to populate.
 +        stub (): gRPC stub for CAS communication.
 +        digest (Digest): digest for the directory to fetch from CAS.
 +        instance_name (str, optional): farm instance name to query data from.
      """
 -    # TODO: Extend to symlinks and inner directories
 -    # pathlib.Path('/my/directory').mkdir(parents=True, exist_ok=True)
 +    if not os.path.isabs(root_directory):
 +        root_directory = os.path.abspath(root_directory)
 +    if not os.path.exists(root_directory):
 +        os.makedirs(root_directory, exist_ok=True)
 -    directory_pb2 = remote_execution_pb2.Directory()
 -    directory_pb2 = parse_to_pb2_from_fetch(directory_pb2, stub, digest, instance_name)
 +    directory = parse_to_pb2_from_fetch(remote_execution_pb2.Directory(),
 +                                        stub, digest, instance_name)
++
 +    for directory_node in directory.directories:
 +        child_path = os.path.join(root_directory, directory_node.name)
++
 +        write_fetch_directory(child_path, stub, directory_node.digest, instance_name)
++
 +    for file_node in directory.files:
 +        child_path = os.path.join(root_directory, file_node.name)
++
 +        with open(child_path, 'wb') as child_file:
 +            write_fetch_blob(child_file, stub, file_node.digest, instance_name)
++
 +    for symlink_node in directory.symlinks:
 +        child_path = os.path.join(root_directory, symlink_node.name)
++
 +        if os.path.isabs(symlink_node.target):
 +            continue  # No out of temp-directory links for now.
 +        target_path = os.path.join(root_directory, symlink_node.target)
++
 +        os.symlink(child_path, target_path)
 -    for file_node in directory_pb2.files:
 -        path = os.path.join(directory, file_node.name)
 -        with open(path, 'wb') as f:
 -            write_fetch_blob(f, stub, file_node.digest, instance_name)
 +def write_fetch_blob(target_file, stub, digest, instance_name=None):
 +    """Extracts a blob from CAS into a local file.
 -def write_fetch_blob(out, stub, digest, instance_name=""):
 -    """ Given an output buffer, fetches blob and writes to buffer
 +    Args:
 +        target_file (str): local file to write.
 +        stub (): gRPC stub for CAS communication.
 +        digest (Digest): digest for the blob to fetch from CAS.
 +        instance_name (str, optional): farm instance name to query data from.
      """
      for stream in gen_fetch_blob(stub, digest, instance_name):
 -        out.write(stream)
 +        target_file.write(stream)
 +    target_file.flush()
 -    out.flush()
 -    assert digest.size_bytes == os.fstat(out.fileno()).st_size
 +    assert digest.size_bytes == os.fstat(target_file.fileno()).st_size
  def parse_to_pb2_from_fetch(pb2, stub, digest, instance_name=""):
@@ -70,7 +100,15 @@ def parse_to_pb2_from_fetch(pb2, stub, digest, instance_name=""):
  def create_digest(bytes_to_digest):
 -    """ Creates a hash based on the hex digest and returns the digest
 +    """Computes the :obj:`Digest` of a piece of data.
++
 +    The :obj:`Digest` of a data is a function of its hash **and** size.
++
 +    Args:
 +        bytes_to_digest (bytes): byte data to digest.
++
 +    Returns:
 +        :obj:`Digest`: The gRPC :obj:`Digest` for the given byte data.
      """
      return remote_execution_pb2.Digest(hash=HASH(bytes_to_digest).hexdigest(),
                                         size_bytes=len(bytes_to_digest))
@@ -107,6 +145,199 @@ def file_maker(file_path, file_digest):
                                           is_executable=os.access(file_path, os.X_OK))
 -def read_file(read):
 -    with open(read, 'rb') as f:
 -        return f.read()
 +def directory_maker(directory_path):
 +    """Creates a :obj:`Directory` from a local directory.
++
 +    Args:
 +        directory_path (str): absolute or relative path to a local directory.
++
 +    Returns:
 +        :obj:`Directory`, list of :obj:`Directory`, list of
 +        :obj:`BatchUpdateBlobsRequest`: Tuple of a new gRPC :obj:`Directory` for
 +        the directory pointed by `directory_path`, a list of new gRPC
 +        :obj:`Directory` for every children of that directory and the
 +        corresponding list of :obj:`BatchUpdateBlobsRequest` for CAS upload.
++
 +        The :obj:`Directory` children list may come in any order.
++
 +        The :obj:`BatchUpdateBlobsRequest` list may come in any order. However,
 +        its last element is guaranteed to be the root :obj:`Direcotry`'s
 +        request.
 +    """
 +    if not os.path.isabs(directory_path):
 +        directory_path = os.path.abspath(directory_path)
++
 +    child_directories = list()
 +    update_requests = list()
++
 +    files, directories, symlinks = list(), list(), list()
 +    for directory_entry in os.scandir(directory_path):
 +        # Create a FileNode and corresponding BatchUpdateBlobsRequest:
 +        if directory_entry.is_file(follow_symlinks=False):
 +            node_blob = read_file(directory_entry.path)
 +            node_digest = create_digest(node_blob)
++
 +            node = remote_execution_pb2.FileNode()
 +            node.name = directory_entry.name
 +            node.digest = node_digest
 +            node.is_executable = os.access(directory_entry.path, os.X_OK)
++
 +            node_request = remote_execution_pb2.BatchUpdateBlobsRequest.Request(digest=node_digest)
 +            node_request.data = node_blob
++
 +            update_requests.append(node_request)
 +            files.append(node)
++
 +        # Create a DirectoryNode and corresponding BatchUpdateBlobsRequest:
 +        elif directory_entry.is_dir(follow_symlinks=False):
 +            node_directory, node_children, node_requests = directory_maker(directory_entry.path)
++
 +            node = remote_execution_pb2.DirectoryNode()
 +            node.name = directory_entry.name
 +            node.digest = node_requests[-1].digest
++
 +            child_directories.extend(node_children)
 +            child_directories.append(node_directory)
 +            update_requests.extend(node_requests)
 +            directories.append(node)
++
 +        # Create a SymlinkNode if necessary;
 +        elif os.path.islink(directory_entry.path):
 +            node_target = os.readlink(directory_entry.path)
++
 +            node = remote_execution_pb2.SymlinkNode()
 +            node.name = directory_entry.name
 +            node.target = node_target
++
 +            symlinks.append(node)
++
 +    directory = remote_execution_pb2.Directory()
 +    directory.files.extend(files.sort(key=attrgetter('name')))
 +    directory.directories.extend(directories.sort(key=attrgetter('name')))
 +    directory.symlinks.extend(symlinks.sort(key=attrgetter('name')))
++
 +    directory_blob = directory.SerializeToString()
 +    directory_digest = create_digest(directory_blob)
++
 +    update_request = remote_execution_pb2.BatchUpdateBlobsRequest.Request(digest=directory_digest)
 +    update_request.data = directory_blob
++
 +    update_requests.append(update_request)
++
 +    return directory, child_directories, update_requests
++
++
 +def read_file(file_path):
 +    """Loads raw file content in memory.
++
 +    Returns:
 +        bytes: Raw file's content until EOF.
++
 +    Raises:
 +        OSError: If `file_path` does not exist or is not readable.
 +    """
 +    with open(file_path, 'rb') as byte_file:
 +        return byte_file.read()
++
++
 +def output_file_maker(file_path, input_path):
 +    """Creates an :obj:`OutputFile` from a local file.
++
 +    `file_path` **must** point inside or be relative to `input_path`.
++
 +    Args:
 +        file_path (str): absolute or relative path to a local file.
 +        input_path (str): absolute or relative path to the input root directory.
++
 +    Returns:
 +        :obj:`OutputFile`, :obj:`BatchUpdateBlobsRequest`: Tuple of a new gRPC
 +        :obj:`OutputFile` object for the file pointed by `file_path` and the
 +        corresponding :obj:`BatchUpdateBlobsRequest` for CAS upload.
 +    """
 +    if not os.path.isabs(file_path):
 +        file_path = os.path.abspath(file_path)
 +    if not os.path.isabs(input_path):
 +        input_path = os.path.abspath(input_path)
++
 +    file_blob = read_file(file_path)
 +    file_digest = create_digest(file_blob)
++
 +    output_file = remote_execution_pb2.OutputFile(digest=file_digest)
 +    output_file.path = os.path.relpath(file_path, start=input_path)
 +    output_file.is_executable = os.access(file_path, os.X_OK)
++
 +    update_request = remote_execution_pb2.BatchUpdateBlobsRequest.Request(digest=file_digest)
 +    update_request.data = file_blob
++
 +    return output_file, update_request
++
++
 +def output_directory_maker(directory_path, working_path):
 +    """Creates an :obj:`OutputDirectory` from a local directory.
++
 +    `directory_path` **must** point inside or be relative to `input_path`.
++
 +    Args:
 +        directory_path (str): absolute or relative path to a local directory.
 +        working_path (str): absolute or relative path to the working directory.
++
 +    Returns:
 +        :obj:`OutputDirectory`, :obj:`BatchUpdateBlobsRequest`: Tuple of a new
 +        gRPC :obj:`OutputDirectory` for the directory pointed by
 +        `directory_path` and the corresponding list of
 +        :obj:`BatchUpdateBlobsRequest` for CAS upload.
 +    """
 +    if not os.path.isabs(directory_path):
 +        directory_path = os.path.abspath(directory_path)
 +    if not os.path.isabs(working_path):
 +        working_path = os.path.abspath(working_path)
++
 +    _, update_requests = tree_maker(directory_path)
++
 +    output_directory = remote_execution_pb2.OutputDirectory()
 +    output_directory.tree_digest = update_requests[-1].digest
 +    output_directory.path = os.path.relpath(directory_path, start=working_path)
++
 +    output_directory_blob = output_directory.SerializeToString()
 +    output_directory_digest = create_digest(output_directory_blob)
++
 +    update_request = remote_execution_pb2.BatchUpdateBlobsRequest.Request(digest=output_directory_digest)
 +    update_request.data = output_directory_blob
++
 +    update_requests.append(update_request)
++
 +    return output_directory, update_requests
++
++
 +def tree_maker(directory_path):
 +    """Creates a :obj:`Tree` from a local directory.
++
 +    Args:
 +        directory_path (str): absolute or relative path to a local directory.
++
 +    Returns:
 +        :obj:`Tree`, :obj:`BatchUpdateBlobsRequest`: Tuple of a new
 +        gRPC :obj:`Tree` for the directory pointed by `directory_path` and the
 +        corresponding list of :obj:`BatchUpdateBlobsRequest` for CAS upload.
++
 +        The :obj:`BatchUpdateBlobsRequest` list may come in any order. However,
 +        its last element is guaranteed to be the :obj:`Tree`'s request.
 +    """
 +    if not os.path.isabs(directory_path):
 +        directory_path = os.path.abspath(directory_path)
++
 +    directory, child_directories, update_requests = directory_maker(directory_path)
++
 +    tree = remote_execution_pb2.Tree()
 +    tree.children.expend([child_directories])
 +    tree.root = directory
++
 +    tree_blob = tree.SerializeToString()
 +    tree_digest = create_digest(tree_blob)
++
 +    update_request = remote_execution_pb2.BatchUpdateBlobsRequest.Request(digest=tree_digest)
 +    update_request.data = tree_blob
++
 +    update_requests.append(update_request)
++
 +    return tree, update_requests

docs/source/configuration.rst

++
 +.. _configuration:
++
 +Configuration
 +=============
++
 +The details of how to tune BuildGrid's configuration.
++
++
 +.. _configuration-location:
++
 +Configuration location
 +----------------------
++
 +Unless a configuration file is explicitly specified on the command line when
 +invoking `bgd`, BuildGrid will always attempt to load configuration resources
 +from ``$XDG_CONFIG_HOME/buildgrid``. On most Linux based systems, the location
 +will be ``~/.config/buildgrid``.
++
 +This location is refered as ``$CONFIG_HOME`` is the rest of the document.
++
++
 +.. _tls-encryption:
++
 +TLS encryption
 +--------------
++
 +Every BuildGrid gRPC communication channel can be encrypted using SSL/TLS. By
 +default, the BuildGrid server will try to setup secure gRPC endpoints and return
 +in error if that fails. You must specify ``--allow-insecure`` explicitly if you
 +want it to use non-encrypted connections.
++
 +The TLS protocol handshake relies on an asymmetric cryptography system that
 +requires the server and the client to own a public/private key pair. BuildGrid
 +will try to load keys from these locations by default:
++
 +- Server private key: ``$CONFIG_HOME/server.key``
 +- Server public key/certificate: ``$CONFIG_HOME/server.crt``
 +- Client private key: ``$CONFIG_HOME/client.key``
 +- Client public key/certificate: ``$CONFIG_HOME/client.crt``
++
++
 +Server key pair
 +~~~~~~~~~~~~~~~
++
 +The TLS protocol requires a key pair to be used by the server. The following
 +example generates a self-signed key ``server.key``, which requires clients to
 +have a copy of the server certificate ``server.crt``. You can of course use a
 +key pair obtained from a trusted certificate authority instead.
++
 +.. code-block:: sh
++
 +   openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -batch -subj "/CN=localhost" -out server.crt -keyout server.key
++
++
 +Client key pair
 +~~~~~~~~~~~~~~~
++
 +If the server requires authentication in order to be granted special permissions
 +like uploading to CAS, a client side key pair is required. The following example
 +generates a self-signed key ``client.key``, which requires the server to have a
 +copy of the client certificate ``client.crt``.
++
 +.. code-block:: sh
++
 +   openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -batch -subj "/CN=client" -out client.crt -keyout client.key

docs/source/index.rst

@@ -15,6 +15,7 @@ Remote execution service implementing Google's REAPI and RWAPI.
     about.rst
     installation.rst
 +   configuration.rst
     using.rst
     reference.rst
     contributing.rst

docs/source/using_dummy_build.rst

@@ -8,7 +8,7 @@ In one terminal, start a server:
  .. code-block:: sh
 -   bgd server start
 +   bgd server start --allow-insecure
  In another terminal, send a request for work:

docs/source/using_simple_build.rst

@@ -27,7 +27,7 @@ Now start a BuildGrid server, passing it a directory it can write a CAS to:
  .. code-block:: sh
 -   bgd server start --cas disk --cas-cache disk --cas-disk-directory /path/to/empty/directory
 +   bgd server start --allow-insecure --cas disk --cas-cache disk --cas-disk-directory /path/to/empty/directory
  Start the following bot session:

setup.py

@@ -116,6 +116,7 @@ setup(
          'Click',
          'boto3 < 1.8.0',
          'botocore < 1.11.0',
 +        'xdg',
      ],
      entry_points={
          'console_scripts': [

[Notes] [Git][BuildGrid/buildgrid][mablanch/61-bazel-support] 11 commits: Add server-side gRPC TLS encryption support

Martin Blanchard pushed to branch mablanch/61-bazel-support at BuildGrid / buildgrid

Commits:

16 changed files:

Changes: