linaro-license-protection

Merge lp:~danilo/linaro-license-protection/bug-919165 into lp:~linaro-automation/linaro-license-protection/trunk

  1. bug-919165
  2. Merge into trunk
Proposed by Данило Шеган
Status: Merged
Merged at revision: 45
Proposed branch: lp:~danilo/linaro-license-protection/bug-919165
Merge into: lp:~linaro-automation/linaro-license-protection/trunk
Diff against target: 88 lines (+84/-0)
1 file modified
README (+84/-0)
To merge this branch: bzr merge lp:~danilo/linaro-license-protection/bug-919165
Reviewer Review Type Date Requested Status
Paul Sokolovsky Approve
Review via email: mp+90283@code.launchpad.net

Description of the change

This documents the set-up of the entire click-through system, with the focus
on android-build file sync system (which is the most complicated bit).

It should help us in understanding where things need to change when something
fails.

It's missing a lot, but should be a start. I'll also add the wiki page
pointing at this README file.

To post a comment you must log in.
Revision history for this message
Paul Sokolovsky (pfalcon) wrote :

line 10: "This code provides such license protection."

Probably worth to reword this to mention that this is only the core code, and it depends on integration with license-protection bits in other codebases.

line 18: "It makes have use of mod_rewrite" - typo

line 20: "Currently, all directories/files containing either 'origen' or 'snowball' in the name"

I would be more specific and say "in the URL" - and I assume that's the case, i.e. any file below dir with "origen" would be protected.

line 61: "into appropriate build directories."

As we changed it to operate on a single build dir at time, probably worth to use singular there.

One thing not mentioned is that android-build.linaro.org has exception in Apache rules to be able to: 1) mirror binary blobs for use in the build process; 2) to query file lists and lava integration data for the frontend display. (Assuming it's ok to mention that in public README, but other relevant details are mentioned already).

Otherwise, looks good from the side I'm familiar with it, and pretty comprehensive.

Revision history for this message
Paul Sokolovsky (pfalcon) wrote :

Ok, let me add explicit vote for this.

review: Needs Fixing
Revision history for this message
Данило Шеган (danilo) wrote :

Very useful input Paul, thanks. I believe I fixed all the issues you mentioned, perhaps in a slightly different way in a few cases.

lp:~danilo/linaro-license-protection/bug-919165 updated
42. By Данило Шеган

Implement suggestions from Paul.

Revision history for this message
Paul Sokolovsky (pfalcon) wrote :

Looks good, thanks!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
=== added file 'README'
--- README 1970-01-01 00:00:00 +0000
+++ README 2012-02-24 10:36:18 +0000
@@ -0,0 +1,84 @@
1Linaro downloads license protection
2===================================
3
4Linaro builds sometimes contain "binary blobs"—pieces of binary-only code which enable extra features like accelerated graphics or multimedia. These pieces are distributed under a separate license, and downloading images or collections containing them requires some sort of license protection.
5
6This code provides such license protection on the hosting web server: other parts of infrastructure need to properly integrate with it (see eg. android-build.linaro.org section). At the moment, it's implemented as a click-through license acceptance on the Apache side.
7
8To ensure and prove this keeps working, we are also using automated tests with this code.
9
10
11Setup
12-----
13
14This tree is the base for snapshots.linaro.org and releases.linaro.org www roots as served by Apache. It makes heavy use of mod_rewrite from within the .htaccess file.
15
16Currently, all directories/files containing either 'origen' or 'snowball' in the URL path are protected with appropriate license (Samsung or ST-E) click-through.
17
18
19Technical details
20-----------------
21
22releases.linaro.org
23...................
24
25Root directory for releases.linaro.org includes .htaccess and licenses/*.
26It has mod_rewrite enabled.
27
28It allows a few hard-coded hosts to bypass the click-through protection, by their IPs:
29 * android-build.linaro.org (50.17.250.69)
30 * validation.linaro.org (213.123.120.124)
31
32Currently hosted on mombin.canonical.com.
33
34
35snapshots.linaro.org
36....................
37
38Same basic set-up as releases.linaro.org.
39
40Further, to allow android-build.linaro.org to push to snapshots.linaro.org
41www area directly, we set-up two different users on the system with SSH keys:
42
43 * android-build-linaro:
44
45 chrooted to /srv3/snapshots.linaro.org/www/android/ and allows sftp
46 access to push files over; home directory
47
48 * android-build-linaro-trigger:
49
50 limited to executing only a single command through
51 /etc/ssh/user-authorized-keys/android-build-linaro-trigger
52
53 command="/home/android-build-linaro-trigger/scripts/trigger-android-build-linaro.sh ${SSH_ORIGINAL_COMMAND#* }"
54
55 (this passes the arguments received from the remote end as well)
56
57 This script does a sudo to 'android-build-linaro' and then runs
58
59 /home/android-build-linaro/scripts/jenkins-post-sftp.sh
60
61 script which moves files from /android/.tmp/ into appropriate
62 build directory. It expects "build_name/build_number" as command
63 line parameters.
64
65android-build.linaro.org
66........................
67
68Runs Jenkins and uses SFTP plugin to access the above two users. Private keys live in
69
70 /home/ubuntu/snapshots-sync/snapshots-sync — android-build-linaro
71 /home/ubuntu/snapshots-sync/snapshots-filemove — android-build-linaro-trigger
72
73To ensure serialization of steps, and allow LAVA submission, these happen as
74build steps, and not as publishing steps.
75
76
77Tests
78-----
79
80Testing infrastructure is based on 'testrepository' and requires at least
81Python and Apache2:
82
83 $ testr init
84 $ testr run

Subscribers

People subscribed via source and target branches