For sheriffs, release/relops, taskcluster, or related users, this page describes maintenance for scriptworkers.
Last modified 2019.03.09.
New docker shas
For chain of trust verification, we verify the docker shas that we run in docker-worker.
For some tasks, we build the docker images in docker-image tasks, and we can verify the image’s sha against the docker-image task’s output.
However, for decision and docker-image tasks, we download the docker image from docker hub. We allowlist the shas to make sure we are running valid images.
For now, we need to keep both locations updated. Puppet governs production instances, and the scriptworker repo is used for scriptworker development. A full allowlist is required for chain of trust verification.
Chain of Trust settings
As above, other chain of trust settings live in constants.py. However, if we only specified them in scriptworker.constants, we’d have to push a new scriptworker release every time we update them, so we can override them in puppet.
Ideally we keep the delta small, and remove the overrides in puppet when we release a new scriptworker version that updates these defaults. As currently written, each scriptworker instance type will need its scriptworker version bumped individually.
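The two sha checks from "New docker shas" and the override step from "Chain of Trust settings", as an added sketch that is not scriptworker's own code. The function names, the allowlist layout, the per-task-type replace semantics of an override, and the placeholder digests are all assumptions made for illustration.

```python
# Added illustration: names and data layout are hypothetical, not scriptworker's API.
import re

SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample defaults keyed by task type (placeholder digests).
DEFAULT_ALLOWLIST = {
    "decision": ("sha256:" + "a" * 64,),
    "docker-image": ("sha256:" + "b" * 64,),
}


class CoTError(Exception):
    """Raised when an image sha cannot be trusted."""


def effective_allowlist(defaults, overrides):
    """Assumed semantics: a deployment override replaces the default per task type."""
    merged = dict(defaults)
    merged.update(overrides)
    return merged


def verify_image_sha(task_type, image_sha, allowlist, built_image_sha=None):
    """Return which source vouched for image_sha, or raise CoTError.

    built_image_sha is the sha recorded in the output of the docker-image
    task that built the image, when there is one.
    """
    if not SHA256_RE.match(image_sha or ""):
        raise CoTError(f"malformed image sha: {image_sha!r}")
    if task_type in ("decision", "docker-image"):
        # Image was pulled from docker hub: only an allowlisted sha is acceptable.
        if image_sha not in allowlist.get(task_type, ()):
            raise CoTError(f"{task_type} image sha is not allowlisted")
        return "allowlist"
    # Simplification: every other task is expected to run a built image.
    if built_image_sha is None:
        raise CoTError(f"{task_type} has no docker-image output to check against")
    if image_sha != built_image_sha:
        raise CoTError(f"{task_type} image sha differs from docker-image output")
    return "docker-image-output"
```

Under these assumptions, an override that lists only the new sha drops the old one, which is why the full allowlist has to be present wherever verification runs.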