Moving buildbot master to sourceware

Mark Wielaard mark@klomp.org
Mon Apr 4 20:09:05 GMT 2022 

Hi Frank,

On Mon, Apr 04, 2022 at 11:24:39AM -0400, Frank Ch. Eigler wrote:
> On Mon, Apr 04, 2022 at 12:02:06PM +0200, Mark Wielaard via Overseers wrote:
> > For several years now I have been running the buildbot master for
> > various sourceware projects (bzip2, debugedit, dwz, elfutils,
> > libabigail, valgrind and gccrs - that last one not actually on
> > sourceware yet, but we'll get there eventually) on
> > https://builder.wildebeest.org/buildbot/
> > 
> > I would like to move this officially to sourceware now [...]
> 
> Why not.
> 
> > The bike shed items for installing this on sourceware are:
> > [...]
> 
> All those look fine to me.

Great thanks. This is mainly the setup as it is on my centos7 server,
so it should translate fairly smoothly to the sourceware rhel8
setup. I'll make sure to document and automate it all so it is easy to
replicate and update.

> > Once setup the real work is on the projects using the buildbot to
> > define and coordinating with the volunteers running the buildbot
> > workers [...]
> 
> If people are happy with a pooled trust model where all project
> worker/buildbot operators trust all buildbot-master admins, sure.

The buildbot worker operators really have to even trust all project
committers, in theory any of them could commit any code that is then
executed on the workers. So if we trust project committers I think we
can also trust the buildbot-master admins.

If projects have their own dedicated workers then we could setup a
multi-master model so only builds of certain projects are executed on
specific workers. But I think as long as we share the same workers
between the projects it makes sense to have a group of shared
buildbot-master admins. So they can coordinate to not overload the
workers.

> Perhaps one can encourage further donation of buildbots by publishing
> instructions about how to set them up in a secure way, meaning for
> example that the bots can't access/hurt the donor's network.

Good idea. I don't have any special recommendations for network
isolation but can certainly document the VM/user/container setups to
run the buildbot-worker in isolated environments.

Cheers,

Mark

More information about the Overseers mailing list