Posted to commits@buildstream.apache.org by no...@apache.org on 2020/12/29 12:49:49 UTC

[buildstream] 03/04: Add support for https channel to remote execution and actions servers

This is an automated email from the ASF dual-hosted git repository.

not-in-ldap pushed a commit to branch valentindavid/remote_execution_configuration_command_line
in repository https://gitbox.apache.org/repos/asf/buildstream.git

commit 51c9bb1ea0b921dd7461635ad2a4da8102d0384f
Author: Valentin David <va...@codethink.co.uk>
AuthorDate: Thu Dec 20 13:00:57 2018 +0100

    Add support for https channel to remote execution and actions servers
    
    Fixes #780.
---
 buildstream/sandbox/_sandboxremote.py | 34 +++++++++++++++++++++++++++++-----
 doc/source/format_project.rst         |  3 ---
 2 files changed, 29 insertions(+), 8 deletions(-)

diff --git a/buildstream/sandbox/_sandboxremote.py b/buildstream/sandbox/_sandboxremote.py
index 4b157b5..28b785f 100644
--- a/buildstream/sandbox/_sandboxremote.py
+++ b/buildstream/sandbox/_sandboxremote.py
@@ -68,10 +68,32 @@ class SandboxRemote(Sandbox):
         self.storage_url = config.storage_service['url']
         self.exec_url = config.exec_service['url']
 
+        exec_certs = {}
+        for key in ['client-cert', 'client-key', 'server-cert']:
+            if key in config.exec_service:
+                with open(resolve_path(config.exec_service[key]), 'rb') as f:
+                    exec_certs[key] = f.read()
+
+        self.exec_credentials = grpc.ssl_channel_credentials(
+            root_certificates=exec_certs.get('server-cert'),
+            private_key=exec_certs.get('client-key'),
+            certificate_chain=exec_certs.get('client-cert'))
+
+        action_certs = {}
+        for key in ['client-cert', 'client-key', 'server-cert']:
+            if key in config.action_service:
+                with open(resolve_path(config.exec_service[key]), 'rb') as f:
+                    action_certs[key] = f.read()
+
         if config.action_service:
             self.action_url = config.action_service['url']
+            self.action_credentials = grpc.ssl_channel_credentials(
+                root_certificates=action_certs.get('server-cert'),
+                private_key=action_certs.get('client-key'),
+                certificate_chain=action_certs.get('client-cert'))
         else:
             self.action_url = None
+            self.action_credentials = None
 
         self.server_instance = config.exec_service.get('instance', None)
         self.storage_instance = config.storage_service.get('instance', None)
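Review bot: The second certificate loop reads its files from the wrong service: under `if key in config.action_service:` the path is taken from `config.exec_service[key]`. The action-cache channel would therefore present the execution service's client key and trust its server certificate, or fail with a KeyError when a key is set only for the action cache. The line should be `with open(resolve_path(config.action_service[key]), 'rb') as f:`. The loop also runs before the `if config.action_service:` check, so it would be safer inside that branch in case the attribute can be None. The constructor starts and ends outside the hunk.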
@@ -117,7 +139,7 @@ class SandboxRemote(Sandbox):
         remote_exec_storage_config = require_node(remote_config, 'storage-service')
         remote_exec_action_config = remote_config.get('action-cache-service', {})
 
-        _yaml.node_validate(remote_exec_service_config, ['url', 'instance'])
+        _yaml.node_validate(remote_exec_service_config, ['url', 'instance'] + tls_keys)
         _yaml.node_validate(remote_exec_storage_config, ['url', 'instance'] + tls_keys)
         if remote_exec_action_config:
             _yaml.node_validate(remote_exec_action_config, ['url'])
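Review bot: `_yaml.node_validate(remote_exec_action_config, ['url'])` still accepts only `url`, so an `action-cache-service` block carrying `client-cert`, `client-key` or `server-cert` would presumably be rejected here. The action-cache credentials built in the constructor could then never include a client identity or a pinned server certificate. If TLS options are meant to work for the action cache, this should be `_yaml.node_validate(remote_exec_action_config, ['url'] + tls_keys)`. `tls_keys` is defined outside the hunk, so that it holds those three names is inferred.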
@@ -304,6 +326,8 @@ class SandboxRemote(Sandbox):
                                "for example: http://buildservice:50051.")
         if url.scheme == 'http':
             channel = grpc.insecure_channel('{}:{}'.format(url.hostname, url.port))
+        elif url.scheme == 'https':
+            channel = grpc.secure_channel('{}:{}'.format(url.hostname, url.port), self.exec_credentials)
         else:
             raise SandboxError("Remote execution currently only supports the 'http' protocol "
                                "and '{}' was supplied.".format(url.scheme))
@@ -361,11 +385,11 @@ class SandboxRemote(Sandbox):
         if not url.port:
             raise SandboxError("You must supply a protocol and port number in the action-cache-service url, "
                                "for example: http://buildservice:50051.")
-        if not url.scheme == "http":
-            raise SandboxError("Currently only support http for the action cache"
-                               "and {} was supplied".format(url.scheme))
+        if url.scheme == 'http':
+            channel = grpc.insecure_channel('{}:{}'.format(url.hostname, url.port))
+        elif url.scheme == 'https':
+            channel = grpc.secure_channel('{}:{}'.format(url.hostname, url.port), self.action_credentials)
 
-        channel = grpc.insecure_channel('{}:{}'.format(url.hostname, url.port))
         request = remote_execution_pb2.GetActionResultRequest(action_digest=action_digest)
         stub = remote_execution_pb2_grpc.ActionCacheStub(channel)
         try:
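Review bot: With the `if not url.scheme == "http"` guard removed, a scheme other than `http` or `https` leaves `channel` unassigned, so `ActionCacheStub(channel)` fails with an UnboundLocalError instead of a SandboxError. Add a final branch after the `elif`: `else:` followed by `raise SandboxError("The action cache only supports the 'http' and 'https' protocols and '{}' was supplied.".format(url.scheme))`. The matching message in the execution-service hunk above still says only 'http' is supported and should be reworded the same way, so that users are not steered towards the plaintext channel. The function continues past `try:` outside the hunk.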
diff --git a/doc/source/format_project.rst b/doc/source/format_project.rst
index 08e8a08..c3555e0 100644
--- a/doc/source/format_project.rst
+++ b/doc/source/format_project.rst
@@ -244,9 +244,6 @@ using the `remote-execution` option:
     action-cache-service:
       url: http://bar.action.com:50052
 
-The execution-service part of remote execution does not support encrypted
-connections yet, so the protocol must always be http.
-
 storage-service specifies a remote CAS store and the parameters are the
 same as those used to specify an :ref:`artifact server <artifacts>`.