[buildkite] Implement secrets encryption and sandboxing #41256

Merged (1 commit) on Jun 18, 2021

staticfloat
Sponsor Member

This adds a proof-of-concept demonstration of two new buildkite plugins:

  • cryptic adds secrets management to privileged pipelines. These
    pipelines cannot be freely modified; their integrity is verified against
    a signature maintained by committers with a secret key. This allows
    certain portions of the CI configuration (which are privileged and can
    decrypt encrypted files/environment variables) to remain public, but
    read-only to the general populace.

  • sandbox adds a generic sandboxing mechanism that allows CI steps to
    be run within user-provided rootfs images. We're using these here to
    provide compiler toolchains for the llvm-passes CI steps, and the plan
    is to eventually provide all compiler toolchains through such rootfs
    images.
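
As an added illustration of the signature gate described above (not code from this PR or from the `cryptic` plugin): a pipeline file unlocks a secret only while it still matches a detached signature made with the committers' private key. The two-key-pair layout, the file names and the function names are assumptions, and `openssl` must be installed.

```bash
#!/usr/bin/env bash
# Added sketch, not cryptic's code. The key layout, file names and function
# names are assumptions made for illustration.

# Committer side: sign the pipeline file with the committers' private key.
sign_pipeline() {  # <committer_private.pem> <pipeline.yml>
    openssl dgst -sha256 -sign "$1" -out "$2.signature" "$2"
}

# Agent side: succeeds only if the pipeline still matches its detached signature.
verify_pipeline() {  # <committer_public.pem> <pipeline.yml>
    [ -f "$2.signature" ] || return 1
    openssl dgst -sha256 -verify "$1" -signature "$2.signature" "$2" >/dev/null 2>&1
}

# Agent side: print the decrypted secret, but only for a pipeline that verifies.
unlock_secret() {  # <committer_public.pem> <agent_private.pem> <pipeline.yml> <secret.enc>
    if ! verify_pipeline "$1" "$3"; then
        echo "refusing to decrypt: $3 does not match its signature" >&2
        return 1
    fi
    openssl pkeyutl -decrypt -inkey "$2" -in "$4" -pkeyopt rsa_padding_mode:oaep
}

# Constructed scenario in directory $1: two throwaway key pairs, a signed
# pipeline, and a secret encrypted to the agent's public key.
make_fixture() {
    local d=$1 k
    for k in committer agent; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/$k.pem" 2>/dev/null
        openssl pkey -in "$d/$k.pem" -pubout -out "$d/$k.pub"
    done
    printf 'steps:\n  - command: make test\n' > "$d/pipeline.yml"
    sign_pipeline "$d/committer.pem" "$d/pipeline.yml"
    printf 'constructed-token' |
        openssl pkeyutl -encrypt -pubin -inkey "$d/agent.pub" -pkeyopt rsa_padding_mode:oaep -out "$d/secret.enc"
}

# Unlock with the signed pipeline, then again after an unsigned edit.
demo() {
    local d ok; d=$(mktemp -d)
    make_fixture "$d"
    set -- "$d/committer.pub" "$d/agent.pem" "$d/pipeline.yml" "$d/secret.enc"
    ok=$(unlock_secret "$@")
    echo '  - command: echo changed' >> "$d/pipeline.yml"   # edit made after signing
    if unlock_secret "$@" >/dev/null 2>&1
    then echo "$ok / UNLOCKED"; else echo "$ok / refused"; fi
    rm -rf "$d"
}
demo
```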

@staticfloat staticfloat requested a review from a team as a code owner June 17, 2021 21:25
@DilumAluthge DilumAluthge removed the request for review from a team June 17, 2021 21:30
@staticfloat
Sponsor Member Author

🎉

@staticfloat
Sponsor Member Author

@maleadt you're probably interested in this as well.

The workers are running via the configurations curated here: https://github.com/JuliaCI/sandboxed-buildkite-agent/blob/main/linux-sandbox.jl/build_systemd_config.jl

I intend to add windows/macos/freebsd setups there as well in the future (these workers will only be for base CI, I don't intend to run CI for the ecosystem on these). I am using the sandbox as the isolation mechanism for these workers as well because it's nestable. This allows us to run sandboxes inside of sandboxes, which is how we're able to do this rootfs nonsense for the LLVM pipelines.

Eventually, our buildbot configuration is just going to be a rootfs image that gets downloaded onto a machine and unpacked as an artifact. And yes, this is basically just us reinventing Docker, but since they can't nest, it's just impossible to use it securely without opening the host up for trivial exploitation.

Also, this showcases some simple secrets management with cryptic. I'll expand the example here after this gets merged and I expand Dilum's codecov work.

@DilumAluthge DilumAluthge added the ci Continuous integration label Jun 18, 2021
@DilumAluthge
Member

I disabled Buildkite commit statuses since they were failing on some PRs (e.g. #41264).

So we should remember to re-enable Buildkite commit statuses right before we merge this PR.

@staticfloat staticfloat merged commit 61ae86d into master Jun 18, 2021
@staticfloat staticfloat deleted the sf/buildkite_sandboxing branch June 18, 2021 05:33
@staticfloat
Sponsor Member Author

I have re-enabled buildkite commit statuses.

@DilumAluthge
Member

Does this need to be backported to 1.6 and 1.7? Otherwise, Buildkite statuses will always be failing on the release-1.6 and release-1.7 branches.

@staticfloat
Sponsor Member Author

staticfloat commented Jun 18, 2021 via email

@DilumAluthge DilumAluthge added backport 1.6 Change should be backported to release-1.6 backport 1.7 labels Jun 18, 2021
KristofferC pushed a commit that referenced this pull request Jun 26, 2021
(cherry picked from commit 61ae86d)
KristofferC pushed a commit that referenced this pull request Jun 29, 2021
(cherry picked from commit 61ae86d)
@KristofferC KristofferC mentioned this pull request Jun 29, 2021
45 tasks
johanmon pushed a commit to johanmon/julia that referenced this pull request Jul 5, 2021
@KristofferC KristofferC removed backport 1.7 backport 1.6 Change should be backported to release-1.6 labels Jul 7, 2021
staticfloat added a commit that referenced this pull request Dec 23, 2022
(cherry picked from commit 61ae86d)