Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ci: azure ssh runner for named feature: tee_quote #580

Closed
wants to merge 6 commits into from
Closed

ci: azure ssh runner for named feature: tee_quote #580

wants to merge 6 commits into from

Conversation

maceip
Copy link
Collaborator

@maceip maceip commented Sep 11, 2024

No description provided.

@maceip maceip marked this pull request as ready for review September 12, 2024 07:11
yuroitaki
yuroitaki requested changes Sep 13, 2024
View reviewed changes
Copy link
Member

@yuroitaki yuroitaki left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice stuff! Can we combine this with #492 instead, i.e. in the same github workflow file?

Cause since this build workflow is temporary (until devops set up azure), we can have it parked under there (.github/workflows/gramine-report.yml), where a push/pull request to the 'attest' branch will trigger

(1) this build to run notary-server in azure
(2) calculating gramine measurement and store it in GH artefact

what do you think?

heeckhau
heeckhau requested changes Sep 13, 2024
View reviewed changes
Copy link
Member

@heeckhau heeckhau left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The base branch is wrong. Shouldn't this be based on #588

And shouldn't attestation be renamed in tee_quote?

.github/workflows/attestation-build.yml Outdated
username: ${{ secrets.USERNAME }}
key: ${{ secrets.KEY }}
port: ${{ secrets.PORT }}
command_timeout: 120m
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How long do you expect this to take?

.github/workflows/attestation-build.yml Outdated Show resolved Hide resolved
.github/workflows/attestation-build.yml Outdated
git checkout ${{ github.sha }}
cd crates/notary/server
timeout 120 sh -c 'until nc -z $0 $1; do sleep 1; done' localhost 7047 &
/home/ubuntu/.cargo/bin/cargo run --bin notary-server --features attestation
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • cargo is not on the $PATH?
  • shouldn't this run in --release ?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

better to be explicit -- since gh runners / action scripts are opaque, & this is a tmp setup, once we are properly linked to azure we will either use the rust container or build it every time and set PATH

@maceip maceip changed the base branch from main to dev September 14, 2024 06:25
@maceip
Copy link
Collaborator Author

maceip commented Sep 14, 2024

Nice stuff! Can we combine this with #492 instead, i.e. in the same github workflow file?

Cause since this build workflow is temporary (until devops set up azure), we can have it parked under there (.github/workflows/gramine-report.yml), where a push/pull request to the 'attest' branch will trigger

(1) this build to run notary-server in azure (2) calculating gramine measurement and store it in GH artefact

what do you think?

since this is using ssh auth id prefer to keep this seperate and simple => once we get the blessed azure auth i will rm this

@maceip maceip changed the title azure ci for tee builds ci: azure ssh runner for named feature: tee_quote Sep 14, 2024
@yuroitaki
Copy link
Member

Cause since this build workflow is temporary (until devops set up azure), we can have it parked under there (.github/workflows/gramine-report.yml), where a push/pull request to the 'attest' branch will trigger

Alright cool, but we will need #492 to complete the GH artefact task right?

yuroitaki
yuroitaki reviewed Sep 16, 2024
View reviewed changes
.github/workflows/azure-ssh-attestation-build.yml Outdated
cd crates/notary/server
: # if nc cant dial 7047 within 120m: ❌; else ✅
timeout 120 sh -c 'until nc -z $0 $1; do sleep 1; done' localhost 7047 &
/home/ubuntu/.cargo/bin/cargo run --bin notary-server --features tee_quote
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

few questions:

  1. Don't we need to kill the previous notary service that is running in the vm?
  2. Since we don't have ACME yet, how is this notary server handling TLS?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is just a build script -- not to run it in prod, and is designed to support multiple concurrent builds
the tls issue will be addressed in the other pr and will be passed in as the config file so this build script should be oblivious

@maceip
Copy link
Collaborator Author

maceip commented Sep 21, 2024

addressed the comments in the pr but merged the ci script into #588 to get that branch e2e working

@maceip maceip closed this Sep 21, 2024
@maceip maceip deleted the maceip-patch-1 branch September 28, 2024 22:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuroitaki yuroitaki yuroitaki requested changes

@heeckhau heeckhau heeckhau requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@maceip @yuroitaki @heeckhau