Page MenuHomePhabricator
Create Task
Maniphest T277109

Containers on releases hosts cannot update apt cache from non-WMF sources
Closed, ResolvedPublic
Actions

Description

Access to http://security.debian.org is currently restricted on releases* (and other) hosts. This isn't an issue for the host itself as it has an apt proxy configured.

However, containers that run there do not have proxies configured and as a result cannot update their apt caches from security.debian.org during builds.

Details

SubjectRepoBranchLines +/-
pipeline: Use build environment HTTP proxy for APT sourcesoperations/mediawiki-configmaster+1 -0
apt: Implement merging `apt.proxies` configblubbermaster+53 -0
apt: Support configuration of http/https proxiesblubbermaster+375 -34
Provide `setup.httpProxy` context variable if a proxy is configuredintegration/pipelinelibmaster+10 -0
Customize query in gerrit

Related Objects

Event Timeline

dduvall created this task.Mar 10 2021, 11:06 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 10 2021, 11:06 PM
dduvall added a comment.Mar 11 2021, 12:11 AM

Notes from #mw-on-k8s for one possible solution.

  1. add apt.proxy support to blubber
  2. add policy for our blubberoid instance to limit it to http://webproxy.eqiad.wmnet:8080
  3. have pipelinelib enforce default blubber config, in this case just the apt.proxy setting
dduvall added a project: Release-Engineering-Team-TODO (2021-01-01 to 2021-03-31 (Q3)).Mar 11 2021, 12:11 AM
dduvall added a subscriber: Legoktm.Mar 11 2021, 6:55 PM

Another option might just be to set an http_proxy environment variable in mediawiki-config's .pipeline/config.yaml. It seems apt-get will respect that for all of its http transfers. @Legoktm does that seem reasonable?

I could see this solution getting a bit cumbersome if we needed to build more projects on releases hosts, but as of now it's just the one, and my other proposal is a lot more work.

dduvall added a comment.Mar 11 2021, 6:57 PM
In T277109#6906099, @dduvall wrote:

Another option might just be to set an http_proxy environment variable in mediawiki-config's .pipeline/config.yaml. It seems apt-get will respect that for all of its http transfers.

Ok, I just realized that you can't currently set environment variables for the build, only at runtime. Maybe this isn't viable.

dduvall claimed this task.Mar 11 2021, 7:01 PM
dduvall triaged this task as Medium priority.
dduvall added a parent task: T274182: Multi-version MediaWiki image is built and published.
dduvall moved this task from Backlog to In Progress on the MW-on-K8s board.
dduvall moved this task from INBOX to New Work on the Release-Engineering-Team-TODO (2021-01-01 to 2021-03-31 (Q3)) board.
gerritbot added a comment.Mar 12 2021, 5:28 PM

Change 671199 had a related patch set uploaded (by Dduvall; owner: Dduvall):
[blubber@master] apt: Support configuration of http/https proxies

https://gerrit.wikimedia.org/r/671199

gerritbot added a project: Patch-For-Review.Mar 12 2021, 5:28 PM
gerritbot added a comment.Mar 12 2021, 6:30 PM

Change 671211 had a related patch set uploaded (by Dduvall; owner: Dduvall):
[integration/pipelinelib@master] Provide httpProxy context variables if a proxy is configured

https://gerrit.wikimedia.org/r/671211

dduvall removed a parent task: T274182: Multi-version MediaWiki image is built and published.Mar 15 2021, 7:14 PM
thcipriani edited projects, added Release-Engineering-Team (Pipeline); removed Release-Engineering-Team.Mar 16 2021, 4:15 PM
gerritbot added a comment.Mar 18 2021, 5:21 PM

Change 671211 merged by jenkins-bot:
[integration/pipelinelib@master] Provide setup.httpProxy context variable if a proxy is configured

https://gerrit.wikimedia.org/r/671211

gerritbot added a comment.Mar 18 2021, 5:24 PM

Change 671199 merged by jenkins-bot:
[blubber@master] apt: Support configuration of http/https proxies

https://gerrit.wikimedia.org/r/671199

Maintenance_bot removed a project: Patch-For-Review.Mar 18 2021, 6:12 PM
gerritbot added a comment.Mar 18 2021, 6:22 PM

Change 673332 had a related patch set uploaded (by Dduvall; owner: Dduvall):
[blubber@master] apt: Implement merging apt.proxies config

https://gerrit.wikimedia.org/r/673332

gerritbot added a project: Patch-For-Review.Mar 18 2021, 6:22 PM
dduvall mentioned this in rGBLBR7bb486915320: apt: Support configuration of http/https proxies.Mar 18 2021, 6:43 PM
gerritbot added a comment.Mar 18 2021, 10:15 PM

Change 673332 merged by jenkins-bot:
[blubber@master] apt: Implement merging apt.proxies config

https://gerrit.wikimedia.org/r/673332

Stashbot added a comment.Mar 18 2021, 10:29 PM

Mentioned in SAL (#wikimedia-releng) [2021-03-18T22:29:17Z] <marxarelli> deploying https://gerrit.wikimedia.org/r/c/blubber/+/673332 and https://gerrit.wikimedia.org/r/c/blubber/+/671199 to eqiad/codfw (T277109)

dduvall mentioned this in rGBLBR642f9d0a0113: apt: Implement merging `apt.proxies` config.Mar 18 2021, 10:54 PM
gerritbot added a comment.Mar 18 2021, 10:59 PM

Change 673375 had a related patch set uploaded (by Dduvall; owner: Dduvall):
[operations/mediawiki-config@master] pipeline: Use build environment HTTP proxy for APT sources

https://gerrit.wikimedia.org/r/673375

gerritbot added a comment.Mar 18 2021, 11:18 PM

Change 673375 merged by jenkins-bot:
[operations/mediawiki-config@master] pipeline: Use build environment HTTP proxy for APT sources

https://gerrit.wikimedia.org/r/673375

Stashbot added a comment.Mar 18 2021, 11:25 PM

Mentioned in SAL (#wikimedia-operations) [2021-03-18T23:25:39Z] <dduvall@deploy1002> Synchronized .pipeline: config: [[gerrit:673375|Use build environment HTTP proxy for APT sources (T277109)]] (duration: 01m 02s)

dduvall closed this task as Resolved.Mar 18 2021, 11:27 PM
Maintenance_bot removed a project: Patch-For-Review.Mar 19 2021, 12:10 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL