Backed out 4 changesets (bug 1394883) for Windows signing chain-of-trust failures

CLOSED TREE

Backed out changeset e3f42eca51c1 (bug 1394883)
Backed out changeset 081f830cf285 (bug 1394883)
Backed out changeset 9426705a05af (bug 1394883)
Backed out changeset 3a579a5054ef (bug 1394883)

MozReview-Commit-ID: 2viO8A8arHd

.taskcluster.yml

@@ -72,11 +72,11 @@ tasks:
         GECKO_HEAD_REF: '${push.revision}'
         GECKO_HEAD_REV: '${push.revision}'
         GECKO_COMMIT_MSG: '${push.comment}'
-        HG_STORE_PATH: /builds/worker/checkouts/hg-store
-        TASKCLUSTER_CACHES: /builds/worker/checkouts
+        HG_STORE_PATH: /home/worker/checkouts/hg-store
+        TASKCLUSTER_CACHES: /home/worker/checkouts
 
       cache:
-        level-${repository.level}-checkouts-sparse-v1: /builds/worker/checkouts
+        level-${repository.level}-checkouts-sparse-v1: /home/worker/checkouts
 
       features:
         taskclusterProxy: true
@@ -86,15 +86,15 @@ tasks:
       # exist in tree so we must hard code the hash
       # XXX Changing this will break Chain of Trust without an associated puppet and
       # scriptworker patch!
-      image: 'taskcluster/decision:2.0.0@sha256:4039fd878e5700b326d4a636e28c595c053fbcb53909c1db84ad1f513cf644ef'
+      image: 'taskcluster/decision:0.1.10@sha256:c5451ee6c655b3d97d4baa3b0e29a5115f23e0991d4f7f36d2a8f793076d6854'
 
       maxRunTime: 1800
 
       # TODO use mozilla-unified for the base repository once the tc-vcs
       # tar.gz archives are created or tc-vcs isn't being used.
       command:
-        - /builds/worker/bin/run-task
-        - '--vcs-checkout=/builds/worker/checkouts/gecko'
+        - /home/worker/bin/run-task
+        - '--vcs-checkout=/home/worker/checkouts/gecko'
         - '--sparse-profile=build/sparse-profiles/taskgraph'
         - '--'
         - bash
@@ -105,8 +105,8 @@ tasks:
           # still uses tc-vcs, which does not support mozilla-unified
           # https://bugzilla.mozilla.org/show_bug.cgi?id=1383973
           in: >
-            cd /builds/worker/checkouts/gecko &&
-            ln -s /builds/worker/artifacts artifacts &&
+            cd /home/worker/checkouts/gecko &&
+            ln -s /home/worker/artifacts artifacts &&
             ./mach --log-no-times taskgraph decision
             --pushlog-id='${push.pushlog_id}'
             --pushdate='${push.pushdate}'
@@ -123,7 +123,7 @@ tasks:
       artifacts:
         'public':
           type: 'directory'
-          path: '/builds/worker/artifacts'
+          path: '/home/worker/artifacts'
           expires: {$fromNow: '1 year'}
 
     extra:

taskcluster/ci/upload-generated-sources/kind.yml

@@ -29,7 +29,7 @@ job-template:
   run:
     using: run-task
     command: >
-            cd /builds/worker/checkouts/gecko &&
+            cd /home/worker/checkouts/gecko &&
             ./mach python build/upload_generated_sources.py ${ARTIFACT_URL}
   scopes:
       - secrets:get:project/releng/gecko/build/level-{level}/gecko-generated-sources-upload

taskcluster/docker/README.md

@@ -95,14 +95,11 @@ version of the image has been built the `HASH` file should be updated with the
 hash of the image.
 
 The `HASH` file is the image hash as computed by docker, this is always on the
-format `sha256:<digest>`. Note that Docker produces a numbre of hashes in this
-format; the hash used in this context is the one returned from `docker push`.
-
-In production images will be referenced by image hash.  This mitigates attacks
-against the registry as well as simplifying validate of correctness. The
-`VERSION` file only serves to provide convenient names, such that old versions
-are easy to discover in the registry (and ensuring old versions aren't deleted
-by garbage-collection).
+format `sha256:<digest>`. In production images will be referenced by image hash.
+This mitigates attacks against the registry as well as simplifying validate of
+correctness. The `VERSION` file only serves to provide convenient names, such
+that old versions are easy to discover in the registry (and ensuring old
+versions aren't deleted by garbage-collection).
 
 This way, older tasks which were designed to run on an older version of the image
 can still be executed in taskcluster, while new tasks can use the new version.

taskcluster/docker/decision/Dockerfile

@@ -2,9 +2,8 @@ FROM          ubuntu:16.04
 MAINTAINER    Greg Arndt <garndt@mozilla.com>
 
 # Add worker user
-RUN mkdir /builds
-RUN useradd -d /builds/worker -s /bin/bash -m worker
-RUN mkdir /builds/worker/artifacts && chown worker:worker /builds/worker/artifacts
+RUN useradd -d /home/worker -s /bin/bash -m worker
+RUN mkdir /home/worker/artifacts && chown worker:worker /home/worker/artifacts
 
 # %include python/mozbuild/mozbuild/action/tooltool.py
 ADD topsrcdir/python/mozbuild/mozbuild/action/tooltool.py /tmp/tooltool.py
@@ -19,11 +18,11 @@ ADD system-setup.sh /tmp/system-setup.sh
 RUN bash /tmp/system-setup.sh
 
 # %include taskcluster/docker/recipes/run-task
-ADD topsrcdir/taskcluster/docker/recipes/run-task /builds/worker/bin/run-task
+ADD topsrcdir/taskcluster/docker/recipes/run-task /home/worker/bin/run-task
 
-ENV PATH /builds/worker/bin:$PATH
+ENV PATH /home/worker/bin:$PATH
 ENV SHELL /bin/bash
-ENV HOME /builds/worker
+ENV HOME /home/worker
 
 # Set a default command useful for debugging
 CMD ["/bin/bash", "--login"]

taskcluster/docker/decision/HASH

@@ -1 +1 @@
-sha256:4039fd878e5700b326d4a636e28c595c053fbcb53909c1db84ad1f513cf644ef
+sha256:c5451ee6c655b3d97d4baa3b0e29a5115f23e0991d4f7f36d2a8f793076d6854

taskcluster/docker/decision/VERSION

@@ -1 +1 @@
-2.0.0
+0.1.10

taskcluster/docker/image_builder/Dockerfile

@@ -22,12 +22,12 @@ ADD setup.sh            /setup/setup.sh
 RUN bash /setup/setup.sh
 
 # Setup a workspace that won't use AUFS.
-VOLUME /builds/worker/checkouts
-VOLUME /builds/worker/workspace
+VOLUME /home/worker/checkouts
+VOLUME /home/worker/workspace
 
 # Set variable normally configured at login, by the shells parent process, these
 # are taken from GNU su manual
-ENV           HOME          /builds/worker
+ENV           HOME          /home/worker
 ENV           SHELL         /bin/bash
 ENV           USER          worker
 ENV           LOGNAME       worker
@@ -35,8 +35,8 @@ ENV           HOSTNAME      taskcluster-worker
 ENV           LC_ALL        C
 
 # Create worker user
-RUN useradd -d /builds/worker -s /bin/bash -m worker
+RUN useradd -d /home/worker -s /bin/bash -m worker
 
 # Set some sane defaults
-WORKDIR /builds/worker/
+WORKDIR /home/worker/
 CMD     build-image.sh

taskcluster/docker/image_builder/HASH

@@ -1 +1 @@
-sha256:24ce54a1602453bc93515aecd9d4ad25a22115fbc4b209ddb5541377e9a37315
+sha256:ceaaf92511cfbff711598005585127953873332c62f245dcf1892510c4eb371f

taskcluster/docker/image_builder/VERSION

@@ -1 +1 @@
-2.0.0
+1.3.0

taskcluster/docker/image_builder/build-image.sh

@@ -18,21 +18,21 @@ test -n "$PROJECT"    || raise_error "PROJECT must be provided."
 test -n "$HASH"       || raise_error "Context HASH must be provided."
 test -n "$IMAGE_NAME" || raise_error "IMAGE_NAME must be provided."
 
+# Create artifact folder
+mkdir -p /home/worker/workspace/artifacts
+
 # Construct a CONTEXT_FILE
-CONTEXT_FILE=/builds/worker/workspace/context.tar
+CONTEXT_FILE=/home/worker/workspace/context.tar
 
 # Run ./mach taskcluster-build-image with --context-only to build context
 run-task \
-  --vcs-checkout "/builds/worker/checkouts/gecko" \
+  --vcs-checkout "/home/worker/checkouts/gecko" \
   -- \
-  /builds/worker/checkouts/gecko/mach taskcluster-build-image \
+  /home/worker/checkouts/gecko/mach taskcluster-build-image \
   --context-only "$CONTEXT_FILE" \
   "$IMAGE_NAME"
 test -f "$CONTEXT_FILE" || raise_error "Context file wasn't created"
 
-# Create artifact folder (note that this must occur after run-task)
-mkdir -p /builds/worker/workspace/artifacts
-
 # Post context tar-ball to docker daemon
 # This interacts directly with the docker remote API, see:
 # https://docs.docker.com/engine/reference/api/docker_remote_api_v1.18/
@@ -63,5 +63,5 @@ fi
 # The script will retry up to 10 times.
 /usr/local/bin/download-and-compress \
     http+unix://%2Fvar%2Frun%2Fdocker.sock/images/${IMAGE_NAME}:${HASH}/get \
-    /builds/worker/workspace/image.tar.zst.tmp \
-    /builds/worker/workspace/artifacts/image.tar.zst
+    /home/worker/workspace/image.tar.zst.tmp \
+    /home/worker/workspace/artifacts/image.tar.zst

taskcluster/docker/image_builder/setup.sh

@@ -29,7 +29,7 @@ chmod +x /usr/local/bin/run-task
 chmod +x /usr/local/bin/download-and-compress
 
 # Create workspace
-mkdir -p /builds/worker/workspace
+mkdir -p /home/worker/workspace
 
 # Install python-zstandard.
 cd /setup

taskcluster/docs/docker-images.rst

@@ -8,8 +8,6 @@ TaskCluster Docker images are defined in the source directory under
 ``taskcluster/docker``. Each directory therein contains the name of an
 image used as part of the task graph.
 
-More information is available in the ``README.md`` file in that directory.
-
 Adding Extra Files to Images
 ============================
 
@@ -41,4 +39,4 @@ preserved. However, the file owner/group is changed to ``root`` and the
 Here is an example Dockerfile snippet::
 
    # %include mach
-   ADD topsrcdir/mach /builds/worker/mach
+   ADD topsrcdir/mach /home/worker/mach

taskcluster/taskgraph/action.yml

@@ -38,7 +38,7 @@ payload:
 
   # Note: This task is built server side without the context or tooling that
   # exist in tree so we must hard code the version
-  image: 'taskcluster/decision:2.0.0@sha256:4039fd878e5700b326d4a636e28c595c053fbcb53909c1db84ad1f513cf644ef'
+  image: 'taskcluster/decision:0.1.7'
 
   # Virtually no network or other potentially risky operations happen as part
   # of the task timeout aside from the initial clone. We intentionally have

taskcluster/taskgraph/transforms/docker_image.py

@@ -100,20 +100,20 @@ def fill_template(config, tasks):
                 'caches': [{
                     'type': 'persistent',
                     'name': 'level-{}-imagebuilder-v1'.format(config.params['level']),
-                    'mount-point': '/builds/worker/checkouts',
+                    'mount-point': '/home/worker/checkouts',
                 }],
                 'volumes': [
-                    # Keep in sync with Dockerfile and TASKCLUSTER_VOLUMES
-                    '/builds/worker/checkouts',
-                    '/builds/worker/workspace',
+                    # Keep in sync with Dockerfile.
+                    '/home/worker/checkouts',
+                    '/home/worker/workspace',
                 ],
                 'artifacts': [{
                     'type': 'file',
-                    'path': '/builds/worker/workspace/artifacts/image.tar.zst',
+                    'path': '/home/worker/workspace/artifacts/image.tar.zst',
                     'name': 'public/image.tar.zst',
                 }],
                 'env': {
-                    'HG_STORE_PATH': '/builds/worker/checkouts/hg-store',
+                    'HG_STORE_PATH': '/home/worker/checkouts/hg-store',
                     'HASH': context_hash,
                     'PROJECT': config.params['project'],
                     'IMAGE_NAME': image_name,
@@ -121,7 +121,6 @@ def fill_template(config, tasks):
                     'GECKO_BASE_REPOSITORY': config.params['base_repository'],
                     'GECKO_HEAD_REPOSITORY': config.params['head_repository'],
                     'GECKO_HEAD_REV': config.params['head_rev'],
-                    'TASKCLUSTER_VOLUMES': '/builds/worker/checkouts;/builds/worker/workspace',
                 },
                 'chain-of-trust': True,
                 'docker-in-docker': True,