The targets-worker is responsible for generating and signing Targets metadata (including for hashed bins).
The Timestamp worker performs the following tasks:
To operate effectively, this worker requires:

- the rugged system user
- TUF repository directory: /var/rugged/tuf_repo
- Inbound targets directory: /var/rugged/incoming_targets
- Targets signing key: /var/rugged/signing_keys/targets/targets
- Verification keys directory: /var/rugged/verification_keys/
- Configuration file: /etc/rugged/config.yaml
- Docker image: registry.gitlab.com/rugged/rugged/targets-worker
Typically we provide access to keys and the TUF repository by mounting them as network volumes (e.g. NFS) into the worker environment. This maintains isolation between the environments while allowing them to share access to the common files required to operate the TUF repository. It also enables us to mount the volumes read-only in cases where the workers have no reason to write files.
All worker environments will need a PID directory provisioned and a worker script deployed. See build/ansible/roles/rugged.workers/default/main.yml for the definition of these directories, and see build/ansible/roles/rugged.workers/tasks/worker.yml for details on configuring ownership and permissions on the PID directory, and placing the worker.py script in the rugged bin directory.
See build/ansible/roles/rugged.workers/tasks/targets-worker.yml for details on provisioning the TUF repo directory, signing key directory, the Targets signing key specifically, the verification keys directory, and the inbound targets directory.
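The following pre-flight check is an added example and is not part of the Rugged project or its Ansible roles. It verifies, from the worker host's point of view, that the paths listed above are present before the targets-worker is started, and that the Targets signing key is not group- or world-readable. It assumes the TUF repository directory must be writable (the worker writes signed Targets metadata into it) and that every other mount may be read-only; the optional root prefix argument is a convenience for checking a staged copy of the layout rather than the live host.

```shell
#!/bin/sh
# Added example (not Rugged project code): pre-flight check for the
# targets-worker's required files and directories.
#
# Usage: rugged_targets_preflight [ROOT]
#   ROOT is an optional prefix (assumption: used to check a staged layout);
#   omit it to check the real host paths under / .
# Returns 0 when every check passes, 1 otherwise; problems go to stderr.

rugged_targets_preflight() {
  root="${1:-}"
  rc=0

  # Directories the worker reads from (all may be mounted read-only).
  for d in "$root/var/rugged/incoming_targets" \
           "$root/var/rugged/signing_keys/targets" \
           "$root/var/rugged/verification_keys"; do
    if [ ! -d "$d" ]; then
      echo "MISSING directory: $d" >&2
      rc=1
    fi
  done

  # The TUF repository must exist and be writable, since the worker writes
  # signed Targets metadata into it (assumption based on the description).
  repo="$root/var/rugged/tuf_repo"
  if [ ! -d "$repo" ]; then
    echo "MISSING directory: $repo" >&2
    rc=1
  elif [ ! -w "$repo" ]; then
    echo "NOT WRITABLE: $repo (the targets-worker writes Targets metadata here)" >&2
    rc=1
  fi

  # Regular files the worker needs.
  key="$root/var/rugged/signing_keys/targets/targets"
  for f in "$key" "$root/etc/rugged/config.yaml"; do
    if [ ! -f "$f" ]; then
      echo "MISSING file: $f" >&2
      rc=1
    fi
  done

  # The Targets signing key must only be accessible to its owner:
  # accept mode 400 or 600, reject anything group- or world-accessible.
  if [ -f "$key" ]; then
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
      400|600) ;;
      *)
        echo "UNSAFE permissions on signing key: $key is mode $mode (expected 400 or 600)" >&2
        rc=1
        ;;
    esac
  fi

  return "$rc"
}
```

Run the check in the worker's own environment (the same user and mounts the worker will use) so that the writability and permission results reflect what the worker will actually see, not what the provisioning host sees.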