[Notes] [Git][BuildGrid/buildgrid][mablanch/68-bots-multi-endpoints] cmd

Martin Blanchard pushed to branch mablanch/68-bots-multi-endpoints at BuildGrid / buildgrid

Commits:

94c7a77e

by Martin Blanchard at 2018-08-29T13:53:50Z

cmd_bot.py: Allow separate CAS server for any bot

Factorize the separate CAS handling code, originally buildbox specific.

https://gitlab.com/BuildGrid/buildgrid/issues/68

4 changed files:

buildgrid/_app/bots/buildbox.py
buildgrid/_app/bots/temp_directory.py
buildgrid/_app/cli.py
buildgrid/_app/commands/cmd_bot.py

Changes:

buildgrid/_app/bots/buildbox.py

@@ -16,13 +16,12 @@
  import os
  import subprocess
  import tempfile
 -import grpc
  from google.protobuf import any_pb2
  from buildgrid._protos.build.bazel.remote.execution.v2 import remote_execution_pb2
  from buildgrid._protos.google.bytestream import bytestream_pb2_grpc
 -from buildgrid.utils import read_file, parse_to_pb2_from_fetch
 +from buildgrid.utils import parse_to_pb2_from_fetch
  def work_buildbox(context, lease):
@@ -32,18 +31,7 @@ def work_buildbox(context, lease):
      action_digest = remote_execution_pb2.Digest()
      action_digest_any.Unpack(action_digest)
 -    cert_server = read_file(context.server_cert)
 -    cert_client = read_file(context.client_cert)
 -    key_client = read_file(context.client_key)
+-
 -    # create server credentials
 -    credentials = grpc.ssl_channel_credentials(root_certificates=cert_server,
 -                                               private_key=key_client,
 -                                               certificate_chain=cert_client)
+-
 -    channel = grpc.secure_channel('{}:{}'.format(context.remote, context.port), credentials)
+-
 -    stub = bytestream_pb2_grpc.ByteStreamStub(channel)
 +    stub = bytestream_pb2_grpc.ByteStreamStub(context.cas_channel)
      action = remote_execution_pb2.Action()
      parse_to_pb2_from_fetch(action, stub, action_digest)
@@ -66,13 +54,18 @@ def work_buildbox(context, lease):
          with tempfile.NamedTemporaryFile(dir=os.path.join(casdir, 'tmp')) as output_digest_file:
              command = ['buildbox',
 -                       '--remote={}'.format('https://{}:{}'.format(context.remote, context.port)),
 -                       '--server-cert={}'.format(context.server_cert),
 -                       '--client-key={}'.format(context.client_key),
 -                       '--client-cert={}'.format(context.client_cert),
 +                       '--remote={}'.format(context.remote_cas_url),
                         '--input-digest={}'.format(input_digest_file.name),
                         '--output-digest={}'.format(output_digest_file.name),
                         '--local={}'.format(casdir)]
++
 +            if context.cas_client_key:
 +                command.append('--client-key={}'.format(context.cas_client_key))
 +            if context.cas_client_cert:
 +                command.append('--client-cert={}'.format(context.cas_client_cert))
 +            if context.cas_server_cert:
 +                command.append('--server-cert={}'.format(context.cas_server_cert))
++
              if 'PWD' in environment and environment['PWD']:
                  command.append('--chdir={}'.format(environment['PWD']))

buildgrid/_app/bots/temp_directory.py

@@ -30,7 +30,7 @@ def work_temp_directory(context, lease):
      """
      parent = context.parent
 -    stub_bytestream = bytestream_pb2_grpc.ByteStreamStub(context.channel)
 +    stub_bytestream = bytestream_pb2_grpc.ByteStreamStub(context.cas_channel)
      action_digest = remote_execution_pb2.Digest()
      lease.payload.Unpack(action_digest)
@@ -78,7 +78,7 @@ def work_temp_directory(context, lease):
          request = remote_execution_pb2.BatchUpdateBlobsRequest(instance_name=parent,
                                                                 requests=requests)
 -        stub_cas = remote_execution_pb2_grpc.ContentAddressableStorageStub(context.channel)
 +        stub_cas = remote_execution_pb2_grpc.ContentAddressableStorageStub(context.cas_channel)
          stub_cas.BatchUpdateBlobs(request)
          result_any = any_pb2.Any()

buildgrid/_app/cli.py

@@ -83,14 +83,22 @@ class Context:
              client_key_pem = read_file(client_key)
          else:
              client_key_pem = None
 +            client_key = None
          if client_key_pem and client_cert and os.path.exists(client_cert):
              client_cert_pem = read_file(client_cert)
          else:
              client_cert_pem = None
 +            client_cert = None
 -        return grpc.ssl_channel_credentials(root_certificates=server_cert_pem,
 -                                            private_key=client_key_pem,
 -                                            certificate_chain=client_cert_pem)
 +        credentials = grpc.ssl_channel_credentials(root_certificates=server_cert_pem,
 +                                                   private_key=client_key_pem,
 +                                                   certificate_chain=client_cert_pem)
++
 +        credentials.client_key = client_key
 +        credentials.client_cert = client_cert
 +        credentials.server_cert = server_cert
++
 +        return credentials
      def load_server_credentials(self, server_key=None, server_cert=None,
                                  client_certs=None, use_default_client_certs=False):
@@ -132,10 +140,17 @@ class Context:
              client_certs_pem = read_file(client_certs)
          else:
              client_certs_pem = None
 +            client_certs = None
++
 +        credentials = grpc.ssl_server_credentials([(server_key_pem, server_cert_pem)],
 +                                                  root_certificates=client_certs_pem,
 +                                                  require_client_auth=bool(client_certs))
++
 +        credentials.server_key = server_key
 +        credentials.server_cert = server_cert
 +        credentials.client_certs = client_certs
 -        return grpc.ssl_server_credentials([(server_key_pem, server_cert_pem)],
 -                                           root_certificates=client_certs_pem,
 -                                           require_client_auth=bool(client_certs))
 +        return credentials
  pass_context = click.make_pass_decorator(Context, ensure=True)

buildgrid/_app/commands/cmd_bot.py

@@ -44,26 +44,79 @@ from ..cli import pass_context
                help="Public client certificate for TLS (PEM-encoded)")
  @click.option('--server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
                help="Public server certificate for TLS (PEM-encoded)")
 +@click.option('--remote-cas', type=click.STRING, default=None, show_default=True,
 +              help="Remote CAS server's URL (port defaults to 11001 if not specified).")
 +@click.option('--cas-client-key', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Private CAS client key for TLS (PEM-encoded)")
 +@click.option('--cas-client-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public CAS client certificate for TLS (PEM-encoded)")
 +@click.option('--cas-server-cert', type=click.Path(exists=True, dir_okay=False), default=None,
 +              help="Public CAS server certificate for TLS (PEM-encoded)")
  @click.option('--parent', type=click.STRING, default='main', show_default=True,
                help="Targeted farm resource.")
  @pass_context
 -def cli(context, remote, parent, client_key, client_cert, server_cert):
 +def cli(context, parent, remote, client_key, client_cert, server_cert,
 +        remote_cas, cas_client_key, cas_client_cert, cas_server_cert):
 +    # Setup the remote execution server channel:
      url = urlparse(remote)
      context.remote = '{}:{}'.format(url.hostname, url.port or 50051)
 +    context.remote_url = remote
      context.parent = parent
      if url.scheme == 'http':
          context.channel = grpc.insecure_channel(context.remote)
++
 +        context.client_key = None
 +        context.client_cert = None
 +        context.server_cert = None
      else:
          credentials = context.load_client_credentials(client_key, client_cert, server_cert)
          if not credentials:
 -            click.echo("ERROR: no TLS keys were specified and no defaults could be found.\n" +
 -                       "Use --allow-insecure in order to deactivate TLS encryption.\n", err=True)
 +            click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
              sys.exit(-1)
          context.channel = grpc.secure_channel(context.remote, credentials)
 +        context.client_key = credentials.client_key
 +        context.client_cert = credentials.client_cert
 +        context.server_cert = credentials.server_cert
++
 +    # Setup the remote CAS server channel, if separated:
 +    if remote_cas is not None and remote_cas != remote:
 +        cas_url = urlparse(remote_cas)
++
 +        context.remote_cas = '{}:{}'.format(cas_url.hostname, cas_url.port or 11001)
 +        context.remote_cas_url = remote_cas
++
 +        if cas_url.scheme == 'http':
 +            context.cas_channel = grpc.insecure_channel(context.remote_cas)
++
 +            context.cas_client_key = None
 +            context.cas_client_cert = None
 +            context.cas_server_cert = None
 +        else:
 +            cas_credentials = context.load_client_credentials(cas_client_key, cas_client_cert, cas_server_cert)
 +            if not cas_credentials:
 +                click.echo("ERROR: no TLS keys were specified and no defaults could be found.", err=True)
 +                sys.exit(-1)
++
 +            context.cas_channel = grpc.secure_channel(context.remote_cas, cas_credentials)
++
 +            context.cas_client_key = cas_credentials.client_key
 +            context.cas_client_cert = cas_credentials.client_cert
 +            context.cas_server_cert = cas_credentials.server_cert
++
 +    else:
 +        context.remote_cas = context.remote
 +        context.remote_cas_url = remote
++
 +        context.cas_channel = context.channel
++
 +        context.cas_client_key = context.client_key
 +        context.cas_client_cert = context.client_cert
 +        context.cas_server_cert = context.server_cert
++
      context.logger = logging.getLogger(__name__)
      context.logger.debug("Starting for remote {}".format(context.remote))
@@ -112,35 +165,17 @@ def run_temp_directory(context):
                help="Main mount-point location.")
  @click.option('--local-cas', type=click.Path(readable=False), default=str(PurePath(Path.home(), 'cas')),
                help="Local CAS cache directory.")
 -@click.option('--client-cert', type=click.Path(readable=False), default=str(PurePath(Path.home(), 'client.crt')),
 -              help="Public client certificate for TLS (PEM-encoded).")
 -@click.option('--client-key', type=click.Path(readable=False), default=str(PurePath(Path.home(), 'client.key')),
 -              help="Private client key for TLS (PEM-encoded).")
 -@click.option('--server-cert', type=click.Path(readable=False), default=str(PurePath(Path.home(), 'server.crt')),
 -              help="Public server certificate for TLS (PEM-encoded).")
 -@click.option('--port', type=click.INT, default=11001, show_default=True,
 -              help="Remote CAS server port.")
 -@click.option('--remote', type=click.STRING, default='localhost', show_default=True,
 -              help="Remote CAS server hostname.")
  @pass_context
 -def run_buildbox(context, remote, port, server_cert, client_key, client_cert, local_cas, fuse_dir):
 +def run_buildbox(context, local_cas, fuse_dir):
      """
      Uses BuildBox to run commands.
      """
+-
 -    context.logger.info("Creating a bot session")
+-
 -    context.remote = remote
 -    context.port = port
 -    context.server_cert = server_cert
 -    context.client_key = client_key
 -    context.client_cert = client_cert
      context.local_cas = local_cas
      context.fuse_dir = fuse_dir
      try:
          b = bot.Bot(context.bot_session)
 -        b.session(work=buildbox.work_buildbox,
 -                  context=context)
 +        b.session(buildbox.work_buildbox,
 +                  context)
      except KeyboardInterrupt:
          pass

[Notes] [Git][BuildGrid/buildgrid][mablanch/68-bots-multi-endpoints] cmd_bot.py: Allow separate CAS server for any bot

Martin Blanchard pushed to branch mablanch/68-bots-multi-endpoints at BuildGrid / buildgrid

Commits:

4 changed files:

Changes: