Version 1.1.0 of jwt-authorizer includes token validation errors in the auth challenge which we need to debug GitLab-to-WMF-registry JWT auth failures (see T322453).
@Dzahn would you be able to build and import this version of the package for us? The main branch at https://gitlab.wikimedia.org/repos/releng/jwt-authorizer should be good to go and includes your prior fix to the control file. I hope the build goes smoother for you this time.
| Status | Subtype | Assigned | Task | ||
|---|---|---|---|---|---|
| Resolved | • dduvall | T322453 Buildkit erroring with "cannot reuse body, request must be retried" upon multi-platform push | |||
| Resolved | Dzahn | T322691 Build and import new release of jwt-authorizer (1.1.0) |
@Dzahn you described the initial build process of jwt-authorizer package in T309646. I created docs in wikitech for jwt-authorizer and a short summary of the build process. Can you check https://wikitech.wikimedia.org/wiki/Docker-registry/jwt-authorizer? I guess the DIST=bullseye-backports and --ignore=wrongdistribution is obsolete now?
Let me know if I should try the build or if we should pair to check the build and docs together :)
Mentioned in SAL (#wikimedia-operations) [2022-11-16T19:11:11Z] <jelto> Imported jwt-authorizer 1.1.0-1 to bullseye-wikimedia - T322691
I built and published the new version jwt-authorizer | 1.1.0-1 for bullseye. I followed the docs in https://wikitech.wikimedia.org/wiki/Docker-registry/jwt-authorizer.
@dduvall @Dzahn I still got issues with the go package similar to T309646#7974869:
make[1]: Entering directory '/build/jwt-authorizer-1.1.0'
dh_auto_build -O--buildsystem=golang -- -ldflags "-X main.Version=1.1.0"
cd obj-x86_64-linux-gnu && go install -trimpath -v -p 8 -ldflags "-X main.Version=1.1.0" gitlab.wikimedia.org/repos/releng/jwt-authorizer/cmd/jwt-authorizer
src/gitlab.wikimedia.org/repos/releng/jwt-authorizer/cmd/jwt-authorizer/main.go:7:2: cannot find package "io/fs" in any of:
/build/jwt-authorizer-1.1.0/obj-x86_64-linux-gnu/src/gitlab.wikimedia.org/repos/releng/jwt-authorizer/vendor/io/fs (vendor tree)
/usr/lib/go-1.15/src/io/fs (from $GOROOT)
/build/jwt-authorizer-1.1.0/obj-x86_64-linux-gnu/src/io/fs (from $GOPATH)
dh_auto_build: error: cd obj-x86_64-linux-gnu && go install -trimpath -v -p 8 -ldflags "-X main.Version=1.1.0" gitlab.wikimedia.org/repos/releng/jwt-authorizer/cmd/jwt-authorizer returned exit code 1
make[1]: *** [debian/rules:10: override_dh_auto_build] Error 25
make[1]: Leaving directory '/build/jwt-authorizer-1.1.0'
make: *** [debian/rules:7: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
I: copying local configuration
E: Failed autobuilding of packageSo we have to tweak the build a little bit more, but for now the new version should be available. I'm closing this task, as build and publish were successful using the bullseye backports version of golang.
$ apt-cache show jwt-authorizer Package: jwt-authorizer Version: 1.1.0-1 Architecture: amd64 Maintainer: Wikimedia Foundation Release Engineering <releng@wikimedia.org> [...]
Mentioned in SAL (#wikimedia-operations) [2022-11-30T22:13:40Z] <mutante> registry* - upgraded jwt-authorizer package on all 4 hosts to version 1.1.0-1 - T322691
@dduvall @Jelto So this was just missing the same import step of the same package but for buster instead of bullseye. I could just import straight from Jelto's homedir:
on apt1001:
$ sudo -i reprepro --ignore=wrongdistribution -C main include buster-wikimedia /home/jelto/jwt-authorizer_1.1.0-1_amd64.changesand now it's 1.1.0 instead of 1.0.0 for both:
[apt1001:/home/jelto] $ sudo -E reprepro ls jwt-authorizer jwt-authorizer | 1.1.0-1 | buster-wikimedia | amd64, source jwt-authorizer | 1.1.0-1 | bullseye-wikimedia | amd64, source
after this:
[registry2004:~] $ sudo apt-get update ... [registry2004:~] $ sudo apt install jwt-authorizer ...
then did the same on the other 4 registry hosts and now:
[cumin1001:~] $ sudo cumin 'registry*' 'dpkg -l | grep jwt-auth' 4 hosts will be targeted: registry[2003-2004].codfw.wmnet,registry[1003-1004].eqiad.wmnet Ok to proceed on 4 hosts? Enter the number of affected hosts to confirm or "q" to quit 4 ===== NODE GROUP ===== (4) registry[2003-2004].codfw.wmnet,registry[1003-1004].eqiad.wmnet ----- OUTPUT of 'dpkg -l | grep jwt-auth' ----- ii jwt-authorizer 1.1.0-1 amd64