linaro-license-protection

Merge lp:~danilo/linaro-license-protection/bug-919165 into lp:~linaro-automation/linaro-license-protection/trunk

  1. bug-919165
  2. Merge into trunk
Proposed by Данило Шеган
Status: Merged
Merged at revision: 45
Proposed branch: lp:~danilo/linaro-license-protection/bug-919165
Merge into: lp:~linaro-automation/linaro-license-protection/trunk
Diff against target: 88 lines (+84/-0)
1 file modified
README (+84/-0)
To merge this branch: bzr merge lp:~danilo/linaro-license-protection/bug-919165
Reviewer Review Type Date Requested Status
Paul Sokolovsky Approve
Review via email: mp+90283@code.launchpad.net

Description of the change

This documents the set-up of the entire click-through system, with the focus
on android-build file sync system (which is the most complicated bit).

It should help us in understanding where things need to change when something
fails.

It's missing a lot, but should be a start. I'll also add the wiki page
pointing at this README file.

To post a comment you must log in.
Revision history for this message
Paul Sokolovsky (pfalcon) wrote :

line 10: "This code provides such license protection."

Probably worth to reword this to mention that this is only the core code, and it depends on integration with license-protection bits in other codebases.

line 18: "It makes have use of mod_rewrite" - typo

line 20: "Currently, all directories/files containing either 'origen' or 'snowball' in the name"

I would be more specific and say "in the URL" - and I assume that's the case, i.e. any file below dir with "origen" would be protected.

line 61: "into appropriate build directories."

As we changed it to operate on a single build dir at time, probably worth to use singular there.

One thing not mentioned is that android-build.linaro.org has exception in Apache rules to be able to: 1) mirror binary blobs for use in the build process; 2) to query file lists and lava integration data for the frontend display. (Assuming it's ok to mention that in public README, but other relevant details are mentioned already).

Otherwise, looks good from the side I'm familiar with it, and pretty comprehensive.

Revision history for this message
Paul Sokolovsky (pfalcon) wrote :

Ok, let me add explicit vote for this.

review: Needs Fixing
Revision history for this message
Данило Шеган (danilo) wrote :

Very useful input Paul, thanks. I believe I fixed all the issues you mentioned, perhaps in a slightly different way in a few cases.

lp:~danilo/linaro-license-protection/bug-919165 updated
42. By Данило Шеган

Implement suggestions from Paul.

Revision history for this message
Paul Sokolovsky (pfalcon) wrote :

Looks good, thanks!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== added file 'README'
2--- README 1970-01-01 00:00:00 +0000
3+++ README 2012-02-24 10:36:18 +0000
4@@ -0,0 +1,84 @@
5+Linaro downloads license protection
6+===================================
7+
8+Linaro builds sometimes contain "binary blobs"—pieces of binary-only code which enable extra features like accelerated graphics or multimedia. These pieces are distributed under a separate license, and downloading images or collections containing them requires some sort of license protection.
9+
10+This code provides such license protection on the hosting web server: other parts of infrastructure need to properly integrate with it (see eg. android-build.linaro.org section). At the moment, it's implemented as a click-through license acceptance on the Apache side.
11+
12+To ensure and prove this keeps working, we are also using automated tests with this code.
13+
14+
15+Setup
16+-----
17+
18+This tree is the base for snapshots.linaro.org and releases.linaro.org www roots as served by Apache. It makes heavy use of mod_rewrite from within the .htaccess file.
19+
20+Currently, all directories/files containing either 'origen' or 'snowball' in the URL path are protected with appropriate license (Samsung or ST-E) click-through.
21+
22+
23+Technical details
24+-----------------
25+
26+releases.linaro.org
27+...................
28+
29+Root directory for releases.linaro.org includes .htaccess and licenses/*.
30+It has mod_rewrite enabled.
31+
32+It allows a few hard-coded hosts to bypass the click-through protection, by their IPs:
33+ * android-build.linaro.org (50.17.250.69)
34+ * validation.linaro.org (213.123.120.124)
35+
36+Currently hosted on mombin.canonical.com.
37+
38+
39+snapshots.linaro.org
40+....................
41+
42+Same basic set-up as releases.linaro.org.
43+
44+Further, to allow android-build.linaro.org to push to snapshots.linaro.org
45+www area directly, we set-up two different users on the system with SSH keys:
46+
47+ * android-build-linaro:
48+
49+ chrooted to /srv3/snapshots.linaro.org/www/android/ and allows sftp
50+ access to push files over; home directory
51+
52+ * android-build-linaro-trigger:
53+
54+ limited to executing only a single command through
55+ /etc/ssh/user-authorized-keys/android-build-linaro-trigger
56+
57+ command="/home/android-build-linaro-trigger/scripts/trigger-android-build-linaro.sh ${SSH_ORIGINAL_COMMAND#* }"
58+
59+ (this passes the arguments received from the remote end as well)
60+
61+ This script does a sudo to 'android-build-linaro' and then runs
62+
63+ /home/android-build-linaro/scripts/jenkins-post-sftp.sh
64+
65+ script which moves files from /android/.tmp/ into appropriate
66+ build directory. It expects "build_name/build_number" as command
67+ line parameters.
68+
69+android-build.linaro.org
70+........................
71+
72+Runs Jenkins and uses SFTP plugin to access the above two users. Private keys live in
73+
74+ /home/ubuntu/snapshots-sync/snapshots-sync — android-build-linaro
75+ /home/ubuntu/snapshots-sync/snapshots-filemove — android-build-linaro-trigger
76+
77+To ensure serialization of steps, and allow LAVA submission, these happen as
78+build steps, and not as publishing steps.
79+
80+
81+Tests
82+-----
83+
84+Testing infrastructure is based on 'testrepository' and requires at least
85+Python and Apache2:
86+
87+ $ testr init
88+ $ testr run

Subscribers

People subscribed via source and target branches