Updates to Buildbarn as of November 2023
This is a continuation of the previous update article and is a high level summary of what has happened in Buildbarn from 2023-02-16 to 2023-11-14.
Added support for JWTs signed with RSA
Support for JWTs signed with RSA has been added. The following JWT signing algorithms are now supported:
- HS256
- HS384
- HS512
- RS256
- RS384
- RS512
- EdDSA
- ES256
- ES384
- ES512
Generalized tuneables for Linux BDI options
Linux 6.2 added a sysfs attribute for toggling BDI_CAP_STRICTLIMIT
on FUSE mounts.
If using the FUSE backed virtual file system on Linux 6.2
adding { "strict_limit": "0" }
to linux_backing_dev_info_tunables
will remove the BDI_CAP_STRICTLIMIT
flag from the FUSE mount.
This may improve fileystem performance especially when running build actions which uses mmap'ed files extensively.
Add support for injecting Xcode environment variables
Remote build with macOS may call into locally installed copies of Xcode. The path to the local copy of Xcode may vary and Bazel assumes that the remote execution service is capable of processing Xcode specific environment variables.
See the proto files for details.
Add a minimum timestamp to ActionResultExpiringBlobAccess
A misbehaving worker may polluted the action cache, after fixing the misbehaving worker we would rather not throw away the entire action cache.
A minimum timestamp in ActionResultExpiringBlobAccess allows us to mark a timestamp in the past before which the action should be considered invalid.
Add authentication to HTTP servers
Much like the gRPC servers are capable of authenticated configuration the http servers can now also require authentication.
This allows the bb_browser and bb_scheduler UI to authenticate access using OAuth2 without involving any other middleware.
This also allows us to add authorization configuration for administrative tasks such as draining workers or killing of jobs.
Authentication using a JSON Web Key Set
JSON Web Key Sets (JWKS) is a standard format which allows us to specify multiple different encryption keys that may have been used to sign our JWT authentication.
Buildbarn can load the JWKS specification, either inline or as a file, when specifying trusted encryption keys.
This allows us to have rotation with overlap of encryption keys.