HBASE-23339 Release scripts should use forwarded gpg-agent

[busbey]

This gets through full builds now both on a local mac with docker desktop and on a remote GCE debian box.

• put together a docker container that can use host gpg-agent forwarded over ssh.
• use gpg-agent forwarding container on OS X and directly forward the agent on Linux
• clean up the release container on exit
• use docker mounts instead of the deprecated volume syntax
• use image names within our project namespace
• update README for gce builds to include forwarding gpg-agent to VM such that it can be forwarded to docker on the VM.

[saintstack]

Man. The amount of pain involved getting to here I can only imagine. Masochist!

[saintstack]

Move to a trap/signal handler? Follow-on.

[saintstack]

All these clean ups should be in a cleanup handler... Not your issue.

[saintstack]

Hows this relate to the below nice cleanup function?

[busbey]

so the clean up function should take care of them, but something can go wrong such that they don't get handled.

since docker will fail loudly if the passed container id file path exists, this ensures we have a smooth path back to running again even if something goes wrong.

also the latest version of the WIP has an option to purposefully leave those files in place at the end of execution in case someone needs to debug what the containers are doing.

[busbey]

sorry for the lag here. missed that I had comments.

[busbey]

shellcheck and whitespace complaints should be easy enough to clean up. will get to it after I get PRs up for all the commits on the branch that are not this particular jira.

[busbey]

I think this is ready now.

[mattf-apache]

If you've set up your gpg agent and unlocked your private key for it then you do not need to give the passphrase during the build. the README goes over increasing the timeout to a day instead of 2 hours.

Nice, I missed that on my earlier read-thru. Thanks.

yes your gpg agent has to be running on your local machine before hand. ...
I could add an example of forcing a clean start of the gpg-agent, e.g. gpgconf --kill all && gpg-connect-agent /bye
The test signature at container launch should ensure the key is unlocked prior to us building artifacts.

I recommend adding that example in the README. I think most people do not have gpg-agent running by default, may not know how to launch it (I was vague on it), and while it is true that the test signature at container launch will catch a missing agent timely, it won't tell the user how to fix the problem. -- So, maybe also have that test sig command catch failure and give an instructive error message. Please?

[ndimiduk]

I was able to use this patch over the weekend to build an rc as dry run. all the gpg passthrough worked well for me.

[ndimiduk]

@busbey @mattf-apache I'm trying to use this to create an RC for real, using -r .git. Does this mean anything to you?

$ cat ~/build-rc0/output/tag.log
...
21:57:58 [INFO] ------------------------------------------------------------------------
21:57:58 [INFO] BUILD SUCCESS
21:57:58 [INFO] ------------------------------------------------------------------------
21:57:58 [INFO] Total time:  5.609 s
21:57:58 [INFO] Finished at: 2020-06-15T21:57:58Z
21:57:58 [INFO] ------------------------------------------------------------------------
ESC[0m
+ git commit -a -m 'Preparing development version 2.3.1-SNAPSHOT'
error: object directory /home/vagrant/repos/hbase/.git/objects does not exist; check .git/objects/info/alternates.
error: object directory /home/vagrant/repos/hbase/.git/objects does not exist; check .git/objects/info/alternates.

[ndimiduk]

Using it without -r doesn't work either.

Cloning into 'hbase'...
fatal: unable to access 'https://ndimiduk:[email protected]/repos/asf/hbase.git/': Port number ended with 'h'

[mattf-apache]

@ndimiduk @busbey , both the creation of the -r option and the use of shared objects while cloning local repo, were part of commit a9fefd7f533c of PR #1725 (HBASE-24297 release scripts should be able to use an existing project clone). I didn't test with it, sorry.

Parenthetically, I am confused by the -r .git idiom. If I understand the GIT_REPO usage properly, it needs to point at an actual repository, while .git is the usual name of the git account metadata directory. Why would I point -r at it? The processing code doesn't shed any light for me.

[mattf-apache]

Similarly, regarding the failure without -r, I don't have insights. The code in release-utils.sh:git_clone_overwrite() is supposed to url-encode the ASF_PASSWORD, and it was inherited from prior code that worked in-situ before PR #1725 . See https://github.pie.apple.com/IPR/apache-hbase/blob/8ff8e70edfbb50967cf123e6afdd9cc5dcfa4878/dev-support/create-release/release-build.sh#L116-L119

[ndimiduk]

Similarly, regarding the failure without -r, I don't have insights. The code in release-utils.sh:git_clone_overwrite() is supposed to url-encode the ASF_PASSWORD, and it was inherited from prior code that worked in-situ before PR #1725 . See https://github.pie.apple.com/IPR/apache-hbase/blob/8ff8e70edfbb50967cf123e6afdd9cc5dcfa4878/dev-support/create-release/release-build.sh#L116-L119

I tracked this down to a character that the library helpfully does not encode by default. See PR#1907.

[mattf-apache]

Righto. Nice catch.

[busbey]

error: object directory /home/vagrant/repos/hbase/.git/objects does not exist; check .git/objects/info/alternates.

the object directory messages are a side effect of using the shared objects. It shouldn't be listed as an error since git then immediately checks the alternates we provide and finds what it needs.

Parenthetically, I am confused by the -r .git idiom. If I understand the GIT_REPO usage properly, it needs to point at an actual repository, while .git is the usual name of the git account metadata directory. Why would I point -r at it? The processing code doesn't shed any light for me.

the .git metadata directory is itself a repository, albeit one only on the local system. using it for a release candidate means the tag generated will be in that local repository. If the RM wants the tag published somewhere else then they need to push it to the other remote.

[mattf-apache]

Thanks for the explanation.

[ndimiduk]

the object directory messages are a side effect of using the shared objects. It shouldn't be listed as an error since git then immediately checks the alternates we provide and finds what it needs.

I think the build failed for me due to this error. Will try it again for RC1.

[busbey]

force push was just me rebasing to the current HEAD with the changes as they were. the next commit is a minor issue I found while doing non-docker builds.

[busbey]

yes your gpg agent has to be running on your local machine before hand. ...
I could add an example of forcing a clean start of the gpg-agent, e.g. gpgconf --kill all && gpg-connect-agent /bye
The test signature at container launch should ensure the key is unlocked prior to us building artifacts.

I recommend adding that example in the README. I think most people do not have gpg-agent running by default, may not know how to launch it (I was vague on it), and while it is true that the test signature at container launch will catch a missing agent timely, it won't tell the user how to fix the problem. -- So, maybe also have that test sig command catch failure and give an instructive error message. Please?

@mattf-apache latest commit adds in an example in the README and some error handling to point to it.

[busbey]

these two additional commits are both minor tweaks. @ndimiduk and @mattf-apache please shout if you'd like to give further feedback. barring that I'll go ahead with merging after the qabot comes back and I get time to squash+merge.

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	0m 37s	Docker mode activated.
-0 ⚠️	yetus	0m 3s	Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck
		_ Prechecks _
		_ master Compile Tests _
+0 🆗	mvndep	0m 8s	Maven dependency ordering for branch
		_ Patch Compile Tests _
+0 🆗	mvndep	0m 8s	Maven dependency ordering for patch
		_ Other Tests _
		1m 46s

Subsystem	Report/Notes
Docker	Client=19.03.12 Server=19.03.12 base: https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-1620/10/artifact/yetus-jdk11-hadoop3-check/output/Dockerfile
GITHUB PR	#1620
Optional Tests
uname	Linux 74f5e59a6074 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / b556343
Max. process+thread count	45 (vs. ulimit of 12500)
modules	C: U:
Console output	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-1620/10/console
versions	git=2.17.1 maven=(cecedd343002696d0abb50b32b541b8a6ba2883f)
Powered by	Apache Yetus 0.11.1 https://yetus.apache.org

This message was automatically generated.

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	0m 32s	Docker mode activated.
		_ Prechecks _
+1 💚	dupname	0m 0s	No case conflicting files found.
+0 🆗	shelldocs	0m 0s	Shelldocs was not available.
+1 💚	@author	0m 0s	The patch does not contain any @author tags.
		_ master Compile Tests _
+0 🆗	mvndep	0m 22s	Maven dependency ordering for branch
		_ Patch Compile Tests _
+0 🆗	mvndep	0m 8s	Maven dependency ordering for patch
+1 💚	hadolint	0m 3s	There were no new hadolint issues.
+1 💚	shellcheck	0m 3s	There were no new shellcheck issues.
+1 💚	whitespace	0m 0s	The patch has no whitespace issues.
		_ Other Tests _
+0 🆗	asflicense	0m 0s	ASF License check generated no output?
		2m 13s

Subsystem	Report/Notes
Docker	Client=19.03.12 Server=19.03.12 base: https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-1620/10/artifact/yetus-general-check/output/Dockerfile
GITHUB PR	#1620
Optional Tests	dupname asflicense shellcheck shelldocs hadolint
uname	Linux 612a9920d620 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / b556343
Max. process+thread count	50 (vs. ulimit of 12500)
modules	C: U:
Console output	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-1620/10/console
versions	git=2.17.1 maven=(cecedd343002696d0abb50b32b541b8a6ba2883f) shellcheck=0.4.6 hadolint=1.17.5-0-g443423c
Powered by	Apache Yetus 0.11.1 https://yetus.apache.org

This message was automatically generated.

[Apache-HBase]

🎊 +1 overall

Vote	Subsystem	Runtime	Comment
+0 🆗	reexec	2m 16s	Docker mode activated.
-0 ⚠️	yetus	0m 3s	Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck
		_ Prechecks _
		_ master Compile Tests _
+0 🆗	mvndep	0m 8s	Maven dependency ordering for branch
		_ Patch Compile Tests _
+0 🆗	mvndep	0m 8s	Maven dependency ordering for patch
		_ Other Tests _
		3m 25s

Subsystem	Report/Notes
Docker	Client=19.03.12 Server=19.03.12 base: https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-1620/10/artifact/yetus-jdk8-hadoop3-check/output/Dockerfile
GITHUB PR	#1620
Optional Tests
uname	Linux 24983de37e6a 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / b556343
Max. process+thread count	48 (vs. ulimit of 12500)
modules	C: U:
Console output	https://builds.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-1620/10/console
versions	git=2.17.1 maven=(cecedd343002696d0abb50b32b541b8a6ba2883f)
Powered by	Apache Yetus 0.11.1 https://yetus.apache.org

This message was automatically generated.