Bug 1562686 - use AWS_IAM_CREDENTIALS_URL for all S3 sccache invocations r=chmanchester a=tomprince
authorDustin J. Mitchell <dustin@mozilla.com>
Fri, 23 Aug 2019 12:39:25 +0000
changeset 451323 eefee71b9b1fc1e1cd0b7a60e9ecd38e8ff3accc
parent 451322 d1c68819022897ffd63021adda183e1a1271c17c
child 451324 fb01125329bf28e56389894039be17cd5ab6f622
push id502
push usermozilla@hocat.ca
push dateWed, 18 Sep 2019 18:05:10 +0000
treeherdermozilla-esr60@fb01125329bf [default view] [failures only]
reviewerschmanchester, tomprince
bugs1562686
milestone60.9.1
Bug 1562686 - use AWS_IAM_CREDENTIALS_URL for all S3 sccache invocations r=chmanchester a=tomprince Differential Revision: https://phabricator.services.mozilla.com/D41454
build/mozconfig.cache
taskcluster/scripts/builder/build-linux.sh
taskcluster/taskgraph/transforms/task.py
--- a/build/mozconfig.cache
+++ b/build/mozconfig.cache
@@ -62,16 +62,18 @@ if test -z "$platform"; then
         platform=windows
         suffix=.exe
         ;;
     esac
 fi
 
 if test -n "$bucket"; then
     mk_add_options "export SCCACHE_BUCKET=$bucket"
+    # instruct sccache to fetch the credentials from the Auth service's awsS3Credentials endpoint, via the Taskcluster proxy.
+    mk_add_options "export AWS_IAM_CREDENTIALS_URL=http://taskcluster/auth/v1/aws/s3/read-write/${bucket}/?format=iam-role-compat"
     case "$master" in
     *us[ew][12].mozilla.com*|*euc1.mozilla.com*)
         mk_add_options "export SCCACHE_NAMESERVER=169.254.169.253"
         ;;
     esac
     export CCACHE="$topsrcdir/sccache2/sccache${suffix}"
     export SCCACHE_VERBOSE_STATS=1
     mk_add_options MOZBUILD_MANAGE_SCCACHE_DAEMON=${topsrcdir}/sccache2/sccache
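Review bot: The added `AWS_IAM_CREDENTIALS_URL` export hard-codes the proxy host as `http://taskcluster`, while task.py in this same commit sets `TASKCLUSTER_PROXY_URL` and notes that the worker will soon provide it directly. If the worker ever supplies a different proxy address, sccache would lose its credential source with nothing in this file pointing at the cause. Assuming the variable is visible when the mozconfig is evaluated, the line could read `mk_add_options "export AWS_IAM_CREDENTIALS_URL=${TASKCLUSTER_PROXY_URL:-http://taskcluster}/auth/v1/aws/s3/read-write/${bucket}/?format=iam-role-compat"`. The comment above it should also say that the endpoint returns read-write credentials, so any build step that can reach the proxy can write to the shared cache bucket. The enclosing `if test -n "$bucket"` block continues past the end of the hunk.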
--- a/taskcluster/scripts/builder/build-linux.sh
+++ b/taskcluster/scripts/builder/build-linux.sh
@@ -41,21 +41,16 @@ export TINDERBOX_OUTPUT=1
 
 # use "simple" package names so that they can be hard-coded in the task's
 # extras.locations
 export MOZ_SIMPLE_PACKAGE_NAME=target
 
 # Ensure that in tree libraries can be found
 export LIBRARY_PATH=$LIBRARY_PATH:$WORKSPACE/src/obj-firefox:$WORKSPACE/src/gcc/lib64
 
-if [[ -n ${USE_SCCACHE} ]]; then
-    # Point sccache at the Taskcluster proxy for AWS credentials.
-    export AWS_IAM_CREDENTIALS_URL="http://taskcluster/auth/v1/aws/s3/read-write/taskcluster-level-${MOZ_SCM_LEVEL}-sccache-${TASKCLUSTER_WORKER_GROUP}/?format=iam-role-compat"
-fi
-
 # test required parameters are supplied
 if [[ -z ${MOZHARNESS_SCRIPT} ]]; then fail "MOZHARNESS_SCRIPT is not set"; fi
 if [[ -z "${MOZHARNESS_CONFIG}" && -z "${EXTRA_MOZHARNESS_CONFIG}" ]]; then fail "MOZHARNESS_CONFIG or EXTRA_MOZHARNESS_CONFIG is not set"; fi
 
 # run XVfb in the background, if necessary
 if $NEED_XVFB; then
     . /builds/worker/scripts/xvfb.sh
 
--- a/taskcluster/taskgraph/transforms/task.py
+++ b/taskcluster/taskgraph/transforms/task.py
@@ -749,30 +749,37 @@ def build_docker_worker_payload(config, 
     Required('chain-of-trust'): bool,
     Optional('taskcluster-proxy'): bool,
 
     # Wether any artifacts are assigned to this worker
     Optional('skip-artifacts'): bool,
 })
 def build_generic_worker_payload(config, task, task_def):
     worker = task['worker']
+    features = {}
 
     task_def['payload'] = {
         'command': worker['command'],
         'maxRunTime': worker['max-run-time'],
     }
 
     env = worker.get('env', {})
 
     # propagate our TASKCLUSTER_ROOT_URL to the task; note that this will soon
     # be provided directly by the worker, making this redundant:
     # https://bugzilla.mozilla.org/show_bug.cgi?id=1460015
     env['TASKCLUSTER_ROOT_URL'] = get_root_url()
 
     if task.get('needs-sccache'):
+        features['taskclusterProxy'] = True
+        task_def['scopes'].append(
+            'assume:project:taskcluster:{trust_domain}:level-{level}-sccache-buckets'.format(
+                trust_domain=config.graph_config['trust-domain'],
+                level=config.params['level'])
+        )
         env['USE_SCCACHE'] = '1'
         # Disable sccache idle shutdown.
         env['SCCACHE_IDLE_TIMEOUT'] = '0'
     else:
         env['SCCACHE_DISABLE'] = '1'
 
     if env:
         task_def['payload']['env'] = env
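Review bot: The `needs-sccache` branch now turns on `taskclusterProxy` and appends an `assume:` role scope without a comment explaining the privilege being added, and unlike the `worker.get('taskcluster-proxy')` branch later in the function it does not export `TASKCLUSTER_PROXY_URL`. Enabling the proxy lets every process in the task make requests with the task's scopes, so a comment such as `# sccache fetches S3 credentials through the proxy; this role presumably covers read-write on this level's sccache buckets` would let a reviewer judge the grant. `task_def['scopes'].append(...)` also relies on the list having been created before this function runs, which is not visible here; `task_def.setdefault('scopes', []).append(...)` would make that explicit. The body of `build_generic_worker_payload` continues past the end of the hunk.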
@@ -809,18 +816,16 @@ def build_generic_worker_payload(config,
                         'queue:get-artifact:{}'.format(mount['content']['artifact']))
 
     if mounts:
         task_def['payload']['mounts'] = mounts
 
     if worker.get('os-groups', []):
         task_def['payload']['osGroups'] = worker['os-groups']
 
-    features = {}
-
     if worker.get('chain-of-trust'):
         features['chainOfTrust'] = True
 
     if worker.get('taskcluster-proxy'):
         features['taskclusterProxy'] = True
         # this will soon be provided directly by the worker:
         # https://bugzilla.mozilla.org/show_bug.cgi?id=1460015
         worker['env']['TASKCLUSTER_PROXY_URL'] = 'http://taskcluster'