The snapshot-worker is responsible for generating and signing Snapshot metadata.
The Snapshot worker performs the following tasks:
To operate effectively, this worker requires:

- A rugged system user
- The TUF repository directory: /var/rugged/tuf_repo
- The Snapshot signing key: /var/rugged/signing_keys/snapshot/snapshot
- The verification keys directory: /var/rugged/verification_keys/
- The configuration file: /etc/rugged/config.yaml
- Docker image: registry.gitlab.com/rugged/rugged/snapshot-worker
Typically we provide access to keys and the TUF repository by mounting them as network volumes (e.g., NFS) into the worker environment. This maintains isolation between the environments while still allowing them to share the common files required to operate the TUF repository. It also lets us mount a volume read-only wherever a worker has no reason to write to it, so that a compromised worker cannot modify or delete the keys it only needs to read.
All worker environments will need a PID directory provisioned and a worker script deployed. See build/ansible/roles/rugged.workers/default/main.yml for the definition of these directories, and see build/ansible/roles/rugged.workers/tasks/worker.yml for details on configuring ownership and permissions on the PID directory, and placing the worker.py script in the rugged bin directory.
See: build/ansible/roles/rugged.workers/tasks/snapshot-worker.yml for details on provisioning the TUF repo directory, signing key directory, the Snapshot signing key specifically, as well as the verification keys directory.
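The following Ansible play is an added illustration of the provisioning described above (the NFS volume mounts, the rugged user, the PID directory and the worker script). It is not the project's own rugged.workers role; the NFS server name, the export paths, the PID and bin directory locations, the playbook-relative source files, and the assumption that the snapshot-worker needs to write to the TUF repository (while only reading its keys) are all assumptions made for the example.

```yaml
# Added example: provision a snapshot-worker host.
# Not the project's rugged.workers role. Server name, export paths and
# the PID/bin directory locations below are assumptions.
- name: Provision a snapshot-worker host
  hosts: snapshot_workers
  become: true
  vars:
    nfs_server: nfs.internal.example        # assumed NFS server
    rugged_pid_dir: /var/run/rugged          # assumed PID directory
    rugged_bin_dir: /usr/local/rugged/bin    # assumed "rugged bin directory"
  tasks:
    - name: Ensure the rugged system user exists
      ansible.builtin.user:
        name: rugged
        system: true
        shell: /usr/sbin/nologin
        create_home: false

    - name: Create the mount points and the PID directory, owned by rugged
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: rugged
        group: rugged
        mode: "0750"
      loop:
        - /var/rugged/tuf_repo
        - /var/rugged/signing_keys/snapshot
        - /var/rugged/verification_keys
        - "{{ rugged_pid_dir }}"

    # Assumption: the worker publishes signed Snapshot metadata into the
    # repository, so this is the one volume mounted read-write.
    - name: Mount the TUF repository read-write
      ansible.posix.mount:
        path: /var/rugged/tuf_repo
        src: "{{ nfs_server }}:/exports/rugged/tuf_repo"   # assumed export
        fstype: nfs
        opts: rw,nosuid,nodev,noexec,hard
        state: mounted

    # Keys are only read here, so they are mounted read-only: a compromised
    # worker cannot overwrite or delete them through this mount.
    - name: Mount the Snapshot signing key and the verification keys read-only
      ansible.posix.mount:
        path: "{{ item.path }}"
        src: "{{ nfs_server }}:{{ item.export }}"          # assumed exports
        fstype: nfs
        opts: ro,nosuid,nodev,noexec,hard
        state: mounted
      loop:
        - path: /var/rugged/signing_keys/snapshot
          export: /exports/rugged/signing_keys/snapshot
        - path: /var/rugged/verification_keys
          export: /exports/rugged/verification_keys

    # root owns the script; rugged can execute it but not modify it.
    - name: Place the worker script in the rugged bin directory
      ansible.builtin.copy:
        src: files/worker.py           # assumed path in the playbook tree
        dest: "{{ rugged_bin_dir }}/worker.py"
        owner: root
        group: rugged
        mode: "0750"

    - name: Deploy the worker configuration
      ansible.builtin.copy:
        src: files/config.yaml         # assumed path in the playbook tree
        dest: /etc/rugged/config.yaml
        owner: root
        group: rugged
        mode: "0640"
```

After the play runs, confirm the intended protection with `findmnt -o TARGET,OPTIONS /var/rugged/verification_keys` and the same for the signing key directory: the OPTIONS column should include `ro`. Two caveats apply when sharing these volumes over NFS: file ownership is matched by numeric uid, so the rugged user needs the same uid on the NFS server and on every worker host, and a read-only mount on the client is only a client-side restriction, so the server-side export should also be marked read-only for hosts that have no reason to write.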