launchpad-buildd

Merge ~jugmac00/launchpad-buildd:fetch-service-provision-build-environment into launchpad-buildd:master

Git
lp:~jugmac00/launchpad-buildd
fetch-service-provision-build-environment
Merge into master

Proposed by Jürgen Gmach on 2024-03-21

Status:	Merged
Approved by:	Jürgen Gmach on 2024-04-18
Approved revision:	a71e7756c421bcc208eccdcf96b660de8b3fdbf9
Merge reported by:	Jürgen Gmach
Merged at revision:	a71e7756c421bcc208eccdcf96b660de8b3fdbf9
Proposed branch:	~jugmac00/launchpad-buildd:fetch-service-provision-build-environment
Merge into:	launchpad-buildd:master
Diff against target:	116 lines (+82/-1) 2 files modified lpbuildd/target/build_snap.py (+23/-1) lpbuildd/target/tests/test_build_snap.py (+59/-0)
Related bugs:	Link a bug report

Reviewer	Review Type	Date Requested	Status
Ines Almeida		2024-03-21	Approve on 2024-04-18
Review via email: mp+462893@code.launchpad.net

Commit message

Install ca certificate for the fetch service

This is necessary so the fetch service can man in the middle all
requests when builds are fetching dependencies.

Revision history for this message

Ines Almeida (ines-almeida) wrote on 2024-04-18:

Looks good!

review: Approve

Revision history for this message

Jürgen Gmach (jugmac00) wrote on 2024-04-18:

Thanks for the review and let the nits coming! :-)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk

Subscribers

People subscribed via source and target branches

to all changes:

Canonical Launchpad Engineering

Jürgen Gmach

 diff --git a/lpbuildd/target/build_snap.py b/lpbuildd/target/build_snap.py
 index f613e99..f29e3d5 100644
 --- a/lpbuildd/target/build_snap.py
 +++ b/lpbuildd/target/build_snap.py
@@ -110,10 +110,26 @@ class BuildSnap(
+         )
          parser.add_argument(
              "--fetch-service-mitm-certificate",
--            help=("content of the ca certificate"),
++            type=str,
++            help="content of the ca certificate",
+         )
          parser.add_argument("name", help="name of snap to build")
++    def install_mitm_certificate(self):
++        """Install ca certificate for the fetch service
++
++        This is necessary so the fetch service can man-in-the-middle all
++        requests when fetching dependencies.
++        """
++        with self.backend.open(
++            "/usr/local/share/ca-certificates/local-ca.crt", mode="w"
++        ) as local_ca_cert:
++            local_ca_cert.write(self.args.fetch_service_mitm_certificate)
++        self.backend.run(["update-ca-certificates"])
++        # XXX jugmac00 2024-04-17: We might need to restart snapd
++        # so the new certificate will be used
++        # snapd folks are unsure, so we need to try ourselves
++
      def install_svn_servers(self):
          proxy = urlparse(self.args.proxy_url)
          svn_servers = dedent(
@@ -182,7 +198,13 @@ class BuildSnap(
+                 ]
+             )
          if self.args.proxy_url:
++            # XXX jugmac00 2024-04-17: this is configuring an SVN server;
++            # it is currently unclear whether this is still necessary for
++            # building snaps
++            # jugmac00 reached out both to William and Claudio to figure out
              self.install_svn_servers()
++        if self.args.use_fetch_service:
++            self.install_mitm_certificate()
      def repo(self):
          """Collect git or bzr branch."""
 diff --git a/lpbuildd/target/tests/test_build_snap.py b/lpbuildd/target/tests/test_build_snap.py
 index 8719e57..4788029 100644
 --- a/lpbuildd/target/tests/test_build_snap.py
 +++ b/lpbuildd/target/tests/test_build_snap.py
@@ -194,6 +194,65 @@ class TestBuildSnap(TestCase):
              build_snap.backend.backend_fs["/root/.subversion/servers"],
+         )
++    def test_install_certificate(self):
++        args = [
++            "buildsnap",
++            "--backend=fake",
++            "--series=xenial",
++            "--arch=amd64",
++            "1",
++            "--git-repository",
++            "lp:foo",
++            "--proxy-url",
++            "http://proxy.example:3128/",
++            "test-snap",
++            "--use_fetch_service",
++            "--fetch-service-mitm-certificate",
++            "content_of_cert",
++        ]
++        build_snap = parse_args(args=args).operation
++        build_snap.bin = "/builderbin"
++        self.useFixture(FakeFilesystem()).add("/builderbin")
++        os.mkdir("/builderbin")
++        with open("/builderbin/lpbuildd-git-proxy", "w") as proxy_script:
++            proxy_script.write("proxy script\n")
++            os.fchmod(proxy_script.fileno(), 0o755)
++        build_snap.install()
++        self.assertThat(
++            build_snap.backend.run.calls,
++            MatchesListwise(
++                [
++                    RanAptGet(
++                        "install", "python3", "socat", "git", "snapcraft"
++                    ),
++                    RanCommand(["mkdir", "-p", "/root/.subversion"]),
++                    RanCommand(["update-ca-certificates"]),
++                ]
++            ),
++        )
++        self.assertEqual(
++            (b"proxy script\n", stat.S_IFREG | 0o755),
++            build_snap.backend.backend_fs["/usr/local/bin/lpbuildd-git-proxy"],
++        )
++        self.assertEqual(
++            (
++                b"[global]\n"
++                b"http-proxy-host = proxy.example\n"
++                b"http-proxy-port = 3128\n",
++                stat.S_IFREG | 0o644,
++            ),
++            build_snap.backend.backend_fs["/root/.subversion/servers"],
++        )
++        self.assertEqual(
++            (
++                b"content_of_cert",
++                stat.S_IFREG | 0o644,
++            ),
++            build_snap.backend.backend_fs[
++                "/usr/local/share/ca-certificates/local-ca.crt"
++            ],
++        )
++
      def test_install_channels(self):
          args = [
              "buildsnap",

launchpad-buildd

Merge ~jugmac00/launchpad-buildd:fetch-service-provision-build-environment into launchpad-buildd:master

Commit message

Description of the change

Preview Diff

Subscribers