summaryrefslogtreecommitdiff
path: root/doc/source/using_configuring_cache_server.rst
diff options
context:
space:
mode:
Diffstat (limited to 'doc/source/using_configuring_cache_server.rst')
-rw-r--r--doc/source/using_configuring_cache_server.rst257
1 files changed, 257 insertions, 0 deletions
diff --git a/doc/source/using_configuring_cache_server.rst b/doc/source/using_configuring_cache_server.rst
new file mode 100644
index 000000000..856046f35
--- /dev/null
+++ b/doc/source/using_configuring_cache_server.rst
@@ -0,0 +1,257 @@
+
+
+.. _cache_servers:
+
+Configuring Cache Servers
+=========================
+BuildStream caches the results of builds in a local artifact cache, and will
+avoid building an element if there is a suitable build already present in the
+local artifact cache. Similarly it will cache sources and avoid pulling them if
+present in the local cache. See :ref:`caches <caches>` for more details.
+
+In addition to the local caches, you can configure one or more remote caches and
+BuildStream will then try to pull a suitable object from one of the remotes,
+falling back to performing a local build or fetching a source if needed.
+
+Configuring BuildStream to use remote caches
+--------------------------------------------
+A project will often set up continuous build infrastructure that pushes
+cached objects to a shared cache, so developers working on the project can
+make use of these pre-made objects instead of having to each build the whole
+project locally. The project can declare this cache in its
+project configuration file for :ref:`artifacts <project_essentials_artifacts>`
+and :ref:`sources <project_source_cache>`.
+
+Users can declare additional remote caches in the :ref:`user configuration
+<config_artifacts>`. There are several use cases for this: your project may not
+define its own cache, it may be useful to have a local mirror of its cache, or
+you may have a reason to share artifacts privately.
+
+Remote caches are identified by their URL. There are currently two supported
+protocols:
+
+* ``http``: Pull and push access, without transport-layer security
+* ``https``: Pull and push access, with transport-layer security
+
+BuildStream allows you to configure as many caches as you like, and will query
+them in a specific order:
+
+1. Project-specific overrides in the user config
+2. Project configuration
+3. User configuration
+
+When an an object is created locally, BuildStream will try to push it to all the
+caches which have the ``push: true`` flag set. You can also manually push
+artifacts to a specific cache using the :ref:`bst artifact push command
+<invoking_artifact_push>`.
+
+Objects are identified using the element or sources :ref:`cache key <cachekeys>`
+so the objects provided by a cache should be interchangable with those provided
+by any other cache.
+
+
+Setting up a remote cache
+-------------------------
+The rest of this page outlines how to set up a shared cache.
+
+Setting up the user
+~~~~~~~~~~~~~~~~~~~
+A specific user is not needed, however, a dedicated user to own the cache is
+recommended.
+
+.. code:: bash
+
+ useradd artifacts
+
+The recommended approach is to run two instances on different ports.
+One instance has push disabled and doesn't require client authentication.
+The other instance has push enabled and requires client authentication.
+
+Alternatively, you can set up a reverse proxy and handle authentication
+and authorization there.
+
+
+Installing the server
+~~~~~~~~~~~~~~~~~~~~~
+You will also need to install BuildStream on the cache server in order
+to receive uploaded artifacts over ssh. Follow the instructions for installing
+BuildStream `here <https://buildstream.build/install.html>`_.
+
+When installing BuildStream on the cache server, it must be installed
+in a system wide location, with ``pip3 install .`` in the BuildStream
+checkout directory.
+
+Otherwise, some tinkering is required to ensure BuildStream is available
+in ``PATH`` when its companion ``bst-artifact-server`` program is run
+remotely.
+
+You can install only the artifact server companion program without
+requiring BuildStream's more exigent dependencies by setting the
+``BST_ARTIFACTS_ONLY`` environment variable at install time, like so:
+
+.. code::
+
+ BST_ARTIFACTS_ONLY=1 pip3 install .
+
+
+.. _artifact_command_reference:
+
+Command reference
+~~~~~~~~~~~~~~~~~
+
+.. click:: buildstream._cas.casserver:server_main
+ :prog: bst-artifact-server
+
+
+.. _server_authentication:
+
+Key pair for the server
+~~~~~~~~~~~~~~~~~~~~~~~
+
+For TLS you need a key pair for the server. The following example creates
+a self-signed key, which requires clients to have a copy of the server certificate
+(e.g., in the project directory).
+You can also use a key pair obtained from a trusted certificate authority instead.
+
+.. code:: bash
+
+ openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -batch -subj "/CN=artifacts.com" -out server.crt -keyout server.key
+
+.. note::
+
+ Note that in the ``-subj "/CN=<foo>"`` argument, ``/CN`` is the *certificate common name*,
+ and as such ``<foo>`` should be the public hostname of the server. IP addresses will
+ **not** provide you with working authentication.
+
+ In addition to this, ensure that the host server is recognised by the client.
+ You may need to add the line: ``<ip address>`` ``<hostname>`` to
+ your ``/etc/hosts`` file.
+
+Authenticating users
+~~~~~~~~~~~~~~~~~~~~
+In order to give permission to a given user to upload
+artifacts, create a TLS key pair on the client.
+
+.. code:: bash
+
+ openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes -batch -subj "/CN=client" -out client.crt -keyout client.key
+
+Copy the public client certificate ``client.crt`` to the server and then add it
+to the authorized keys, like so:
+
+.. code:: bash
+
+ cat client.crt >> /home/artifacts/authorized.crt
+
+
+Serve the cache over https
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Public instance without push:
+
+.. code:: bash
+
+ bst-artifact-server --port 11001 --server-key server.key --server-cert server.crt /home/artifacts/artifacts
+
+Instance with push and requiring client authentication:
+
+.. code:: bash
+
+ bst-artifact-server --port 11002 --server-key server.key --server-cert server.crt --client-certs authorized.crt --enable-push /home/artifacts/artifacts
+
+Managing the cache with systemd
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+We recommend running the cache as a systemd service, especially if it is running
+on a dedicated server, as this will allow systemd to manage the cache, in case
+the server encounters any issues.
+
+Below are two examples of how to run the cache server as a systemd service. The
+first, is for pull only and the other is configured for push & pull. Notice that
+the two configurations use different ports.
+
+``bst-artifact-serve.service``:
+
+.. code:: ini
+
+ #
+ # Pull
+ #
+ [Unit]
+ Description=Buildstream Artifact pull server
+ After=remote-fs.target network-online.target
+
+ [Service]
+ Environment="LC_ALL=C.UTF-8"
+ ExecStart=/usr/local/bin/bst-artifact-server --port 11001 --server-key {{certs_path}}/server.key --server-cert {{certs_path}}/server.crt {{artifacts_path}}
+ User=artifacts
+
+ [Install]
+ WantedBy=multi-user.target
+
+
+``bst-artifact-serve-receive.service``:
+
+.. code:: ini
+
+ #
+ # Pull/Push
+ #
+ [Unit]
+ Description=Buildstream Artifact pull/push server
+ After=remote-fs.target network-online.target
+
+ [Service]
+ Environment="LC_ALL=C.UTF-8"
+ ExecStart=/usr/local/bin/bst-artifact-server --port 11002 --server-key {{certs_path}}/server.key --server-cert {{certs_path}}/server.crt --client-certs {{certs_path}}/authorized.crt --enable-push {{artifacts_path}}
+ User=artifacts
+
+ [Install]
+ WantedBy=multi-user.target
+
+
+Here we define when systemd should start the service, which is after the networking
+stack has been started, we then define how to run the cache with the desired
+configuration, under the artifacts user. The {{ }} are there to denote where you
+should change these files to point to your desired locations.
+
+.. note::
+
+ You may need to run some of the following commands as the superuser.
+
+These files should be copied to ``/etc/systemd/system/``. We can then start these services
+with:
+
+.. code:: bash
+
+ systemctl enable bst-artifact-serve.service
+ systemctl enable bst-artifact-serve-receive.service
+
+Then, to start these services:
+
+.. code:: bash
+
+ systemctl start bst-artifact-serve.service
+ systemctl start bst-artifact-serve-receive.service
+
+We can then check if the services are successfully running with:
+
+.. code:: bash
+
+ journalctl -u bst-artifact-serve.service
+ journalctl -u bst-artifact-serve-receive.service
+
+For more information on systemd services see:
+`Creating Systemd Service Files <https://www.devdungeon.com/content/creating-systemd-service-files>`_.
+
+Declaring remote caches
+~~~~~~~~~~~~~~~~~~~~~~~
+Remote caches can be declared within either:
+
+1. The project configuration for :ref:`artifact <project_essentials_artifacts>`
+ and :ref:`sources <project_source_cache>`, or
+2. The user configuration for :ref:`artifacts <config_artifacts>` and
+ :ref:`sources <config_sources>`.
+
+Please follow the above links to see examples showing how we declare remote
+caches in both the project configuration and the user configuration, respectively.
View Lorry Controller Status