2.4. Secret Management
Caution
Buildbot no longer supports Python 2.7 on the Buildbot master.
2.4.1. Requirements
Buildbot steps may need secrets to do their work: to run commands or to open authenticated network connections. A secret may be an SSH key, a password, or the content of a file such as a wgetrc or a public SSH key. To preserve confidentiality, secret values must never be printed or logged, neither in the Twisted log nor in step logs. Secrets must also not be stored in the Buildbot configuration (master.cfg), since that file is usually committed to a source control system such as git.
2.4.2. How to use Buildbot Secret Management
2.4.2.1. Secrets and providers
Buildbot implements several providers for secret retrieval:
- File system based: secrets are written to files. This is a simple solution, for example when the files are managed by a configuration management system such as Ansible Vault.
- Third-party backend based: secrets are stored by dedicated software. These solutions are usually more secure.
Secret providers are configured, if needed, in the master configuration. Multiple providers can be configured at once. The secret manager is a Buildbot service: when a secret is requested, it asks each registered provider in configuration order and returns the first value found, so the order of the providers list matters when two providers know the same secret name.
2.4.2.2. How to use secrets in Buildbot
Secrets are used in Buildbot via the IRenderable mechanism. Two IRenderable implementations carry secrets: Interpolate, for mixing a secret with other interpolations (properties, source stamp attributes) in the same argument, and Secret, for passing a secret value directly as an argument.
The following example shows a basic usage of secrets in Buildbot.
```python
from buildbot.plugins import secrets, steps, util

# First we declare that the secrets are stored in a directory of the filesystem;
# each file contains one secret identified by the filename
c['secretsProviders'] = [secrets.SecretInAFile(dirname="/path/toSecretsFiles")]

# then in a buildfactory:

# use a secret on a shell command via Interpolate
f1.addStep(steps.ShellCommand(
    util.Interpolate("wget -u user -p '%(secret:userpassword)s' '%(prop:urltofetch)s'")))
# .. or non shell form:
f1.addStep(steps.ShellCommand(["wget", "-u", "user", "-p", util.Secret("userpassword"),
                               util.Interpolate("%(prop:urltofetch)s")]))
```
Secrets are rendered in the build just as properties are; their values then end up, for example, in the command line that is executed. Be aware that anything else that records that command (shell history, a wrapper script, the access log of the server being contacted) captures the secret in clear.
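The following Python sketch is an added example, not Buildbot's own code: it mirrors the behaviour described above in a self-contained form. Providers are asked in configuration order and the first hit wins, a directory-backed provider serves one secret per file named after the secret with the trailing newline stripped (the contract of SecretInAFile), and `%(secret:name)s` / `%(prop:name)s` placeholders are rendered the way Interpolate resolves them. The `SecretInDict`, `SecretInDirectory`, `SecretManager` and `interpolate` names are assumptions for this demo; the permission check that refuses group- or world-readable secret files is an added safeguard, not something the page attributes to Buildbot.

```python
import os
import re
import stat
import tempfile


class SecretInDict:
    """In-memory provider, assumed for the demo (not a Buildbot class)."""

    def __init__(self, values):
        self._values = dict(values)

    def get(self, name):
        return self._values.get(name)


class SecretInDirectory:
    """One secret per file named after the secret, the SecretInAFile contract.
    Refuses files readable by group or others: a secrets directory should
    only ever be readable by the user running the master."""

    def __init__(self, dirname, strip=True):
        self.dirname = dirname
        self.strip = strip

    def get(self, name):
        # The identifier must be a bare file name; no traversal out of dirname.
        if not name or os.sep in name or name in (".", ".."):
            return None
        path = os.path.join(self.dirname, name)
        if not os.path.isfile(path):
            return None
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{path} is accessible to group/others (mode {oct(mode)})")
        with open(path, encoding="utf-8") as f:
            data = f.read()
        return data.rstrip("\n") if self.strip else data


class SecretManager:
    """Asks each provider in configuration order; the first value wins."""

    def __init__(self, providers):
        self.providers = list(providers)

    def get(self, name):
        for provider in self.providers:
            value = provider.get(name)
            if value is not None:
                return value
        return None


_PLACEHOLDER = re.compile(r"%\((secret|prop):([^)]+)\)s")


def interpolate(template, manager, props):
    """Render %(secret:x)s through the manager and %(prop:y)s from props.
    A secret no provider knows is an error, never an empty string."""

    def substitute(match):
        kind, key = match.group(1), match.group(2)
        if kind == "prop":
            return str(props[key])
        value = manager.get(key)
        if value is None:
            raise KeyError(f"no provider supplies secret {key!r}")
        return value

    return _PLACEHOLDER.sub(substitute, template)


def demo():
    """Constructed scenario: a 0600 file 'userpassword' with a trailing
    newline, and an in-memory provider listed ahead of the directory."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "userpassword")
        with open(path, "w", encoding="utf-8") as f:
            f.write("pa$$w0rd\n")
        os.chmod(path, 0o600)
        chained = SecretManager([SecretInDict({"userpassword": "from-dict"}),
                                 SecretInDirectory(d)])
        command = interpolate(
            "wget -u user -p '%(secret:userpassword)s' '%(prop:urltofetch)s'",
            chained, {"urltofetch": "https://example.invalid/file"})
        file_only = SecretManager([SecretInDirectory(d)]).get("userpassword")
        return command, file_only


def refuses_world_readable():
    """True when a 0644 secret file is rejected instead of being served."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")
        with open(path, "w", encoding="utf-8") as f:
            f.write("abc")
        os.chmod(path, 0o644)
        try:
            SecretInDirectory(d).get("token")
        except PermissionError:
            return True
        return False
```

Because the in-memory provider is listed first, `demo()` renders the command with `from-dict`, while a manager holding only the directory provider returns `pa$$w0rd` with the newline stripped. The same ordering rule applies to a real `c['secretsProviders']` list.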
As argument to services
You can also use secrets to configure services. Not all service arguments accept secrets; see the documentation of each service for details.
```python
# First we declare that the secrets are stored in a directory of the filesystem;
# each file contains one secret identified by the filename
c['secretsProviders'] = [secrets.SecretInAFile(dirname="/path/toSecretsFiles")]

# then for a reporter:
c['services'] = [GitHubStatusPush(token=util.Secret("githubToken"))]
```
2.4.2.3. Secrets storages
SecretInAFile
```python
c['secretsProviders'] = [secrets.SecretInAFile(dirname="/path/toSecretsFiles")]
```
In the given directory, every file contains one secret identified by the filename. E.g. a file named user containing the text pa$$w0rd defines the secret user with the value pa$$w0rd. The directory is read by the master, so restrict its permissions to the user running the master.
Arguments:
- dirname (required): absolute path to the directory containing the secret files.
- strip (optional): if True (the default), trailing newlines are removed from the file contents.
HashiCorpVaultKvSecretProvider
```python
c['secretsProviders'] = [
    secrets.HashiCorpVaultKvSecretProvider(
        authenticator=secrets.VaultAuthenticatorApprole(roleId="<role-guid>",
                                                        secretId="<secret-guid>"),
        vault_server="http://localhost:8200",
        secrets_mount="kv")
]
```
HashiCorpVaultKvSecretProvider uses the HashiCorp Vault KV secrets engine as a secret provider. Other secrets engines are not supported by this provider. For more information about Vault, visit https://www.vaultproject.io/
In order to use this provider, the optional dependency hvac must be installed (pip install hvac).
It supports several authentication methods and can re-authenticate when the authentication token expires (not possible with VaultAuthenticatorToken).
Parameters accepted by HashiCorpVaultKvSecretProvider:
- authenticator: required; specifies the Vault authentication method. Possible authenticators are:
  - VaultAuthenticatorToken(token): the simplest method, directly providing an authentication token. It cannot re-authenticate; when the token expires, the provider simply stops working.
  - VaultAuthenticatorApprole(roleId, secretId): AppRole authentication using a roleId and a secretId. This is the usual method for automation tools fetching secrets from Vault. Note that the roleId and secretId are themselves credentials and fall under the rule above about not committing secrets with master.cfg.
- vault_server: required; URL of the Vault server. Use an https:// URL for any server that is not on the local host, since the token and every fetched secret travel over this connection.
- secrets_mount: mount point of the KV secrets engine in Vault; default "secret".
- api_version: version of the Vault KV secrets engine. Supported versions are 1 and 2; default 2.
- path_delimiter: character separating the secret path from the key name in secret identifiers; default "|".
- path_escape: escape character allowing a literal path_delimiter in the path or the key name; default "\".
Secret identifiers passed to, e.g., Interpolate or Secret have the form "path/to/secret|key": the path of the secret within the KV engine, the delimiter, and the name of the key inside that secret. If the path or the key name itself contains the delimiter character, escape it with "\" or choose a different delimiter with the path_delimiter parameter when initializing the provider.
Example use:
```python
passwd = util.Secret('path/to/secret|password')
```
HashiCorpVaultSecretProvider
Note
Use of HashiCorpVaultSecretProvider is deprecated in favor of the newer HashiCorpVaultKvSecretProvider.
SecretInPass
```python
c['secretsProviders'] = [secrets.SecretInPass(
    gpgPassphrase="passphrase",
    dirname="/path/to/password/store"
)]
```
Passwords can be stored in a Unix password store, encrypted with GPG keys. Buildbot queries secrets through the pass binary found in the PATH of the master process (like every secret provider, this one runs on the master). While pass allows multi-line entries, the secret must be on the first line of each entry. The only caveat is that all passwords Buildbot needs to access must be encrypted with the same GPG key. For more information about pass, visit https://www.passwordstore.org/
Arguments:
- gpgPassphrase (optional): passphrase of the GPG decryption key, if any. This passphrase is itself a secret; keep it out of a committed master.cfg.
- dirname (optional): absolute path to the password store directory; defaults to ~/.password-store.
2.4.2.4. How to populate secrets in a build
To make secrets available as files during a build, two steps are used: one creates the files on the worker, the other deletes them. The files are automatically deleted at the end of the build.
```python
f = BuildFactory()
with f.withSecrets(secrets_list):
    f.addStep(step_definition)
```
or
```python
f = BuildFactory()
f.addSteps([list_of_step_definitions], withSecrets=secrets_list)
```
In both cases secrets_list is a list of (secret path, secret value) tuples:
```python
secrets_list = [('/first/path', Interpolate('write something and %(secret:somethingmore)s')),
                ('/second/path', Interpolate('%(secret:othersecret)s'))]
```
The Interpolate class renders the value during build execution, so the secret is only resolved from the providers when the build actually runs.
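The contract of withSecrets, as an added example that is not Buildbot's code: the secret files exist only for the duration of the wrapped steps and are removed afterwards, even when a step fails. This stand-alone Python version uses a context manager and an in-process stand-in for the worker filesystem (a temporary directory); `secret_files`, `run_build` and the step callables are assumptions for the demo, and the values are already rendered strings rather than Interpolate objects. The 0600 mode and O_EXCL creation are choices made here, not something the page attributes to Buildbot.

```python
import contextlib
import os
import stat
import tempfile


@contextlib.contextmanager
def secret_files(secrets_list):
    """secrets_list: iterable of (path, already rendered value) pairs.
    Each file is created with mode 0600 and removed when the block exits,
    whether the wrapped steps succeeded or raised."""
    written = []
    try:
        for path, value in secrets_list:
            os.makedirs(os.path.dirname(path), exist_ok=True)
            # O_EXCL: fail rather than write into a file someone pre-created
            # at this path; the 0600 mode applies from creation, so there is
            # no window in which the content is readable by others.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "w", encoding="utf-8") as f:
                f.write(value)
            written.append(path)
        yield written
    finally:
        for path in written:
            try:
                os.remove(path)
            except FileNotFoundError:
                pass


def run_build(steps, secrets_list):
    """Run step callables while the secret files exist.  Returns the modes
    the files had, the error of the first failing step (if any), and the
    secret files still present afterwards (expected: none)."""
    with tempfile.TemporaryDirectory() as workdir:
        paths = [(os.path.join(workdir, name), value) for name, value in secrets_list]
        modes, failed = {}, None
        try:
            with secret_files(paths) as written:
                modes = {p: stat.S_IMODE(os.stat(p).st_mode) for p in written}
                for step in steps:
                    step(written)
        except RuntimeError as exc:
            failed = str(exc)
        leftovers = [p for p, _ in paths if os.path.exists(p)]
        return {"modes": sorted(modes.values()), "failed": failed, "leftovers": leftovers}


def demo():
    """Constructed build: one step reads the first secret file, the next
    step fails; the files must still be gone afterwards."""

    def read_step(written):
        with open(written[0], encoding="utf-8") as f:
            assert f.read() == "write something and s3cr3t"

    def failing_step(written):
        raise RuntimeError("compile step failed")

    return run_build([read_step, failing_step],
                     [("first/path", "write something and s3cr3t"),
                      ("second/path", "0th3r")])
```

The point of the `finally` clause is the same as Buildbot's automatic deletion: a failing step must not leave rendered secrets behind on the worker for the next build, or the next user of that machine, to find.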
2.4.2.5. How to configure a Vault instance
Vault is a very generic system and can be complex to install for the first time. Here is a short tutorial to set up a minimal Vault instance for use with Buildbot.
Use Docker to install Vault
A Docker image is available to help users install Vault. Without any arguments, the command launches a Vault developer instance that is easy to use for testing: it is already initialized and unsealed, and it keeps its data in memory, so it must not be used in production. To launch a production Vault server, refer to the Vault Docker documentation.
In a shell:
```shell
docker run vault
```
Starting the vault instance
Once the container is running, open a shell in it:
```shell
docker exec -i -t docker_vault_container_name /bin/sh
```
Then export the VAULT_ADDR environment variable (scheme included) so that the vault CLI can reach the server:
```shell
export VAULT_ADDR='http://vault.server.address:8200'
```
Writing secrets
By default the Vault dev instance started by the official Docker image mounts a KV secrets engine at 'secret'. With KV v2, the data of a secret is read and written through the 'secret/data/...' API path, and Buildbot relies on KV v2 engines exposing their data under this 'data' sub path. The top-level mount path can be changed through the provider's secrets_mount argument; it defaults to 'secret'. To add a new secret:
```shell
vault kv put secret/new_secret_key value=new_secret_value
```
Passing the value on the command line leaves it in the shell history; for real secrets, read it from a file instead with value=@filename.
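To connect the secret written above with the identifiers HashiCorpVaultKvSecretProvider expects, here is an added, offline example (not Buildbot's or hvac's code) that resolves a Buildbot-style identifier the way the provider's parameters describe: split on path_delimiter (default "|") while honouring path_escape (default "\"), build the KV v1 or v2 read path under secrets_mount, and pull the key out of the engine's JSON response. `FAKE_VAULT` is a constructed stand-in for the Vault HTTP API; the response shapes follow the KV engines (v2 nests the payload under data.data, v1 under data). That an identifier without a delimiter names the key "value" is an assumption chosen to match the value=... written in the tutorial.

```python
import json


def split_identifier(identifier, path_delimiter="|", path_escape="\\"):
    """Return (path, key).  An unescaped delimiter separates path from key;
    an escaped delimiter (or escaped escape character) is kept literally.
    With no delimiter the whole identifier is the path and the key is
    'value' (assumption for this example)."""
    parts, current, i = [], [], 0
    while i < len(identifier):
        ch = identifier[i]
        if ch == path_escape and i + 1 < len(identifier):
            current.append(identifier[i + 1])   # take next char literally
            i += 2
            continue
        if ch == path_delimiter:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    if len(parts) == 1:
        return parts[0], "value"
    if len(parts) == 2:
        return parts[0], parts[1]
    raise ValueError(f"identifier {identifier!r} has more than one unescaped {path_delimiter!r}")


def kv_read_path(path, secrets_mount="secret", api_version=2):
    """KV v2 reads go through <mount>/data/<path>; KV v1 through <mount>/<path>."""
    if api_version == 2:
        return f"{secrets_mount}/data/{path}"
    if api_version == 1:
        return f"{secrets_mount}/{path}"
    raise ValueError("api_version must be 1 or 2")


# Constructed stand-in for the Vault HTTP API: read path -> JSON body Vault
# would return.  The first entry is the secret written in the tutorial.
FAKE_VAULT = {
    "secret/data/new_secret_key": json.dumps(
        {"data": {"data": {"value": "new_secret_value"}, "metadata": {"version": 1}}}),
    "kv/db|prod": json.dumps({"data": {"password": "s3cr3t"}}),   # KV v1 mount 'kv'
}


def extract_value(body, key, api_version=2):
    """Pick one key out of a KV response; None when the key is absent."""
    doc = json.loads(body)
    data = doc["data"]["data"] if api_version == 2 else doc["data"]
    return data.get(key)


def get_secret(identifier, secrets_mount="secret", api_version=2, **split_kw):
    """What a provider's get() would do for one identifier."""
    path, key = split_identifier(identifier, **split_kw)
    body = FAKE_VAULT.get(kv_read_path(path, secrets_mount, api_version))
    if body is None:
        return None   # unknown secret: let the secret manager try the next provider
    return extract_value(body, key, api_version)
```

With the defaults, `util.Secret('new_secret_key')` would thus read `secret/data/new_secret_key` and return the `value` key; a KV v1 mount named `kv` whose path contains the delimiter is addressed as `db\|prod|password`.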