Bug 1562686 - use AWS_IAM_CREDENTIALS_URL for all S3 sccache invocations r=chmanchester
authorDustin J. Mitchell <dustin@mozilla.com>
Fri, 23 Aug 2019 12:39:25 +0000
changeset 553333 f266a7b397c1195d05fc1802e3be1c2eef71c427
parent 553332 fa5c785f900509b3508afb45b8d5bb747a01f6e5
child 553334 a04fc912928e3aa520cf1b406f84ef73563df31f
push id2165
push userffxbld-merge
push dateMon, 14 Oct 2019 16:30:58 +0000
treeherdermozilla-release@0eae18af659f [default view] [failures only]
reviewerschmanchester
bugs1562686
milestone70.0a1
Bug 1562686 - use AWS_IAM_CREDENTIALS_URL for all S3 sccache invocations r=chmanchester Differential Revision: https://phabricator.services.mozilla.com/D41454
build/mozconfig.cache
taskcluster/scripts/builder/build-linux.sh
taskcluster/taskgraph/transforms/task.py
--- a/build/mozconfig.cache
+++ b/build/mozconfig.cache
@@ -52,13 +52,15 @@ if test -z "$bucket" -a -z "$SCCACHE_DIS
     fi
 fi
 
 if test -n "$bucket"; then
     if [ -n "${SCCACHE_GCS_KEY_PATH}" ]; then
         mk_add_options "export SCCACHE_GCS_BUCKET=$bucket"
     else
         mk_add_options "export SCCACHE_BUCKET=$bucket"
+        # instruct sccache to fetch the credentials from the Auth service's awsS3Credentials endpoint, via the Taskcluster proxy.
+        mk_add_options "export AWS_IAM_CREDENTIALS_URL=http://taskcluster/auth/v1/aws/s3/read-write/${bucket}/?format=iam-role-compat"
     fi
     export CCACHE="$MOZ_FETCHES_DIR/sccache/sccache"
     export SCCACHE_VERBOSE_STATS=1
     mk_add_options MOZBUILD_MANAGE_SCCACHE_DAEMON=${MOZ_FETCHES_DIR}/sccache/sccache
 fi
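Review bot: The new `AWS_IAM_CREDENTIALS_URL` export only works when the task runs with the Taskcluster proxy and holds a scope covering read-write S3 credentials for `$bucket`, and the added comment does not state that requirement. The URL is plain HTTP to the unqualified host `taskcluster`, so if this branch is ever reached where the proxy is absent (how `$bucket` gets set is above the hunk), sccache would request credentials from whatever host answers to that name. I would extend the comment to `# requires the taskclusterProxy feature and the level's sccache-buckets role on the task; only meaningful inside a Taskcluster task`, and consider skipping the export outside automation.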
--- a/taskcluster/scripts/builder/build-linux.sh
+++ b/taskcluster/scripts/builder/build-linux.sh
@@ -41,21 +41,16 @@ export TINDERBOX_OUTPUT=1
 
 # use "simple" package names so that they can be hard-coded in the task's
 # extras.locations
 export MOZ_SIMPLE_PACKAGE_NAME=target
 
 # Ensure that in tree libraries can be found
 export LIBRARY_PATH=$LIBRARY_PATH:$WORKSPACE/src/obj-firefox:$WORKSPACE/src/gcc/lib64
 
-if [[ -n ${USE_SCCACHE} ]]; then
-    # Point sccache at the Taskcluster proxy for AWS credentials.
-    export AWS_IAM_CREDENTIALS_URL="http://taskcluster/auth/v1/aws/s3/read-write/taskcluster-level-${MOZ_SCM_LEVEL}-sccache-${TASKCLUSTER_WORKER_GROUP}/?format=iam-role-compat"
-fi
-
 # test required parameters are supplied
 if [[ -z ${MOZHARNESS_SCRIPT} ]]; then fail "MOZHARNESS_SCRIPT is not set"; fi
 if [[ -z "${MOZHARNESS_CONFIG}" && -z "${EXTRA_MOZHARNESS_CONFIG}" ]]; then fail "MOZHARNESS_CONFIG or EXTRA_MOZHARNESS_CONFIG is not set"; fi
 
 # run XVfb in the background, if necessary
 if $NEED_XVFB; then
     . /builds/worker/scripts/xvfb.sh
 
--- a/taskcluster/taskgraph/transforms/task.py
+++ b/taskcluster/taskgraph/transforms/task.py
@@ -764,16 +764,17 @@ def build_docker_worker_payload(config, 
     Required('chain-of-trust'): bool,
     Optional('taskcluster-proxy'): bool,
 
     # Wether any artifacts are assigned to this worker
     Optional('skip-artifacts'): bool,
 })
 def build_generic_worker_payload(config, task, task_def):
     worker = task['worker']
+    features = {}
 
     task_def['payload'] = {
         'command': worker['command'],
         'maxRunTime': worker['max-run-time'],
     }
 
     if worker['os'] == 'windows':
         task_def['payload']['onExitStatus'] = {
@@ -783,16 +784,22 @@ def build_generic_worker_payload(config,
                 1073807364,  # process force-killed due to system shutdown
                 3221225786,  # sigint (any interrupt)
             ]
         }
 
     env = worker.get('env', {})
 
     if task.get('needs-sccache'):
+        features['taskclusterProxy'] = True
+        task_def['scopes'].append(
+            'assume:project:taskcluster:{trust_domain}:level-{level}-sccache-buckets'.format(
+                trust_domain=config.graph_config['trust-domain'],
+                level=config.params['level'])
+        )
         env['USE_SCCACHE'] = '1'
         # Disable sccache idle shutdown.
         env['SCCACHE_IDLE_TIMEOUT'] = '0'
     else:
         env['SCCACHE_DISABLE'] = '1'
 
     if env:
         task_def['payload']['env'] = env
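Review bot: In the `needs-sccache` branch the `assume:...sccache-buckets` role is appended and the proxy is enabled for every generic-worker task that sets the flag, whichever cache backend the build ends up using; the mozconfig.cache change in this commit sets `AWS_IAM_CREDENTIALS_URL` only on the non-GCS path. With the proxy feature on, any process in the task can make requests that carry the task's scopes, so the role should stay limited to that level's sccache buckets, which is worth recording in a comment such as `# sccache fetches S3 credentials via the proxy; this role must grant nothing beyond the level's sccache buckets`. The append also does not check whether the scope is already present, so guarding it with `if scope not in task_def['scopes']:` would avoid a duplicate entry should a kind list it explicitly. The body of build_generic_worker_payload starts and continues outside this hunk.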
@@ -838,18 +845,16 @@ def build_generic_worker_payload(config,
     if worker.get('os-groups'):
         task_def['payload']['osGroups'] = worker['os-groups']
         task_def['scopes'].extend(
             ['generic-worker:os-group:{}/{}'.format(
                 task['worker-type'],
                 group
             ) for group in worker['os-groups']])
 
-    features = {}
-
     if worker.get('chain-of-trust'):
         features['chainOfTrust'] = True
 
     if worker.get('taskcluster-proxy'):
         features['taskclusterProxy'] = True
 
     if worker.get('run-as-administrator', False):
         features['runAsAdministrator'] = True