mozilla · lissyx · Jan 31, 2025 · Dec 30, 2024 · Jan 2, 2025 · Jan 2, 2025
diff --git a/docs/DistributedConfiguration.md b/docs/DistributedConfiguration.md
@@ -0,0 +1,146 @@
+# Available Distributed Configuration Options
+
+
+Please read the [distributed quickstart](DistributedQuickstart.md) guide first.
+[The distributed sccache](Distributed.md) guide contains more details on authentication options.
+For FreeBSD systems, please consult [the distributed FreeBSD](DistributedFreeBSD.md) guide.
+
+Use the `--config` argument to pass the path to its configuration file to `sccache-dist`.
+
+
+## scheduler.toml
+
+```toml
+# The socket address the scheduler will listen on. It's strongly recommended
+# to listen on localhost and put a HTTPS server in front of it.
+public_addr = "127.0.0.1:10600"
+
+[client_auth]
+type = "token"
+token = "my client token"
+
+[server_auth]
+type = "jwt_hs256"
+secret_key = "my secret key"
+```
+
+
+### [client_auth]
+
+The `[client_auth]` section can be one of (sorted by authentication method):
+```toml
+# OAuth2
+[client_auth]
+type = "mozilla"
+
+client_auth = { type = "proxy_token", url = "...", cache_secs = 60 }
+
+# JWT
+[client_auth]
+type = "jwt_validate"
+audience = "audience"
+issuer = "issuer"
+jwks_url = "..."
+
+# Token
+[client_auth]
+type = "token"
+token = "preshared token"
+
+# None
+[client_auth]
+type = "DANGEROUSLY_INSECURE"
+```
+
+
+### [server_auth]
+
+The `[server_auth]` section can be can be one of:
+```toml
+[server_auth]
+type = "jwt_hs256"
+secret_key = "my secret key"
+
+[server_auth]
+type = "token"
+token = "preshared token"
+
+[server_auth]
+type = "DANGEROUSLY_INSECURE"
+```
+
+## server.toml
+
+
+```toml
+# This is where client toolchains will be stored.
+cache_dir = "/tmp/toolchains"
+# The maximum size of the toolchain cache, in bytes.
+# If unspecified the default is 10GB.
+#toolchain_cache_size = 10737418240
+# A public IP address and port that clients will use to connect to this builder.
+public_addr = "192.168.1.1:10501"
+# The socket address the builder will listen on. Falls back to public_addr.
+#bind_address = "0.0.0.0:10501"
+# The URL used to connect to the scheduler (should use https, given an ideal
+# setup of a HTTPS server in front of the scheduler)
+scheduler_url = "https://192.168.1.1"
+
+[builder]
+type = "overlay"
+# The directory under which a sandboxed filesystem will be created for builds.
+build_dir = "/tmp/build"
+# The path to the bubblewrap version 0.3.0+ `bwrap` binary.
+bwrap_path = "/usr/bin/bwrap"
+
+[scheduler_auth]
+type = "jwt_token"
+# This will be generated by the `generate-jwt-hs256-server-token` command or
+# provided by an administrator of the sccache cluster.
+token = "my server's token"
+```
+
+
+### [builder]
+
+The `[builder]` section can be can be one of:
+```toml
+[builder]
+type = "docker"
+
+[builder]
+type = "overlay"
+# The directory under which a sandboxed filesystem will be created for builds.
+build_dir = "/tmp/build"
+# The path to the bubblewrap version 0.3.0+ `bwrap` binary.
+bwrap_path = "/usr/bin/bwrap"
+
+[builder]
+type = "pot"
+# Pot filesystem root
+#pot_fs_root = "/opt/pot"
+# Reference pot cloned when creating containers
+#clone_from = "sccache-template"
+# Command to invoke when calling pot
+#pot_cmd = "pot"
+# Arguments passed to `pot clone` command
+#pot_clone_args = ["-i", "lo0|127.0.0.2"]
+
+```
+
+
+### [scheduler_auth]
+
+The `[scheduler_auth]` section can be can be one of:
+```toml
+[scheduler_auth]
+type = "jwt_token"
+token = "my server's token"
+
+[scheduler_auth]
+type = "token"
+token = "preshared token"
+
+[scheduler_auth]
+type = "DANGEROUSLY_INSECURE"
+```
diff --git a/src/bin/sccache-dist/main.rs b/src/bin/sccache-dist/main.rs
@@ -225,6 +225,7 @@ fn run(command: Command) -> Result<i32> {
             builder,
             cache_dir,
             public_addr,
+            bind_address,
             scheduler_url,
             scheduler_auth,
             toolchain_cache_size,
@@ -289,6 +290,7 @@ fn run(command: Command) -> Result<i32> {
                 .context("Failed to create sccache server instance")?;
             let http_server = dist::http::Server::new(
                 public_addr,
+                bind_address,
                 scheduler_url.to_url(),
                 scheduler_auth,
                 server,

diff --git a/src/config.rs b/src/config.rs
@@ -1165,7 +1165,7 @@ pub mod server {
             .collect()
     }
 
-    #[derive(Debug, Serialize, Deserialize)]
+    #[derive(Debug, Serialize, Deserialize, PartialEq)]
     #[serde(tag = "type")]
     #[serde(deny_unknown_fields)]
     pub enum BuilderType {
@@ -1189,7 +1189,7 @@ pub mod server {
         },
     }
 
-    #[derive(Debug, Serialize, Deserialize)]
+    #[derive(Debug, Serialize, Deserialize, PartialEq)]
     #[serde(tag = "type")]
     #[serde(deny_unknown_fields)]
     pub enum SchedulerAuth {
@@ -1201,12 +1201,13 @@ pub mod server {
         Token { token: String },
     }
 
-    #[derive(Debug, Serialize, Deserialize)]
+    #[derive(Debug, Serialize, Deserialize, PartialEq)]
     #[serde(deny_unknown_fields)]
     pub struct Config {
         pub builder: BuilderType,
         pub cache_dir: PathBuf,
         pub public_addr: SocketAddr,
+        pub bind_address: Option<SocketAddr>,
         pub scheduler_url: HTTPUrl,
         pub scheduler_auth: SchedulerAuth,
         #[serde(default = "default_toolchain_cache_size")]
@@ -1594,3 +1595,65 @@ no_credentials = true
         }
     )
 }
+
+#[test]
+#[cfg(feature = "dist-server")]
+fn server_toml_parse() {
+    use server::BuilderType;
+    use server::SchedulerAuth;
+    const CONFIG_STR: &str = r#"
+    # This is where client toolchains will be stored.
+    cache_dir = "/tmp/toolchains"
+    # The maximum size of the toolchain cache, in bytes.
+    # If unspecified the default is 10GB.
+    toolchain_cache_size = 10737418240
+    # A public IP address and port that clients will use to connect to this builder.
+    public_addr = "192.168.1.1:10501"
+    # The socket address the builder will listen on.
+    bind_address = "0.0.0.0:10501"
+    # The URL used to connect to the scheduler (should use https, given an ideal
+    # setup of a HTTPS server in front of the scheduler)
+    scheduler_url = "https://192.168.1.1"
+
+    [builder]
+    type = "overlay"
+    # The directory under which a sandboxed filesystem will be created for builds.
+    build_dir = "/tmp/build"
+    # The path to the bubblewrap version 0.3.0+ `bwrap` binary.
+    bwrap_path = "/usr/bin/bwrap"
+
+    [scheduler_auth]
+    type = "jwt_token"
+    # This will be generated by the `generate-jwt-hs256-server-token` command or
+    # provided by an administrator of the sccache cluster.
+    token = "my server's token"
+    "#;
+
+    let server_config: server::Config = toml::from_str(CONFIG_STR).expect("Is valid toml.");
+    assert_eq!(
+        server_config,
+        server::Config {
+            builder: BuilderType::Overlay {
+                build_dir: PathBuf::from("/tmp/build"),
+                bwrap_path: PathBuf::from("/usr/bin/bwrap"),
+            },
+            cache_dir: PathBuf::from("/tmp/toolchains"),
+            public_addr: "192.168.1.1:10501"
+                .parse()
+                .expect("Public address must be valid socket address"),
+            bind_address: Some(
+                "0.0.0.0:10501"
+                    .parse()
+                    .expect("Bind address must be valid socket address")
+            ),
+
+            scheduler_url: parse_http_url("https://192.168.1.1")
+                .map(|url| { HTTPUrl::from_url(url) })
+                .expect("Scheduler url must be valid url str"),
+            scheduler_auth: SchedulerAuth::JwtToken {
+                token: "my server's token".to_owned()
+            },
+            toolchain_cache_size: 10737418240,
+        }
+    )
+}
diff --git a/src/dist/http.rs b/src/dist/http.rs
@@ -870,7 +870,7 @@ mod server {
     }
 
     pub struct Server<S> {
-        public_addr: SocketAddr,
+        bind_address: SocketAddr,
         scheduler_url: reqwest::Url,
         scheduler_auth: String,
         // HTTPS pieces all the builders will use for connection encryption
@@ -887,6 +887,7 @@ mod server {
     impl<S: dist::ServerIncoming + 'static> Server<S> {
         pub fn new(
             public_addr: SocketAddr,
+            bind_address: Option<SocketAddr>,
             scheduler_url: reqwest::Url,
             scheduler_auth: String,
             handler: S,
@@ -899,7 +900,7 @@ mod server {
             let server_nonce = ServerNonce::new();
 
             Ok(Self {
-                public_addr,
+                bind_address: bind_address.unwrap_or(public_addr),
                 scheduler_url,
                 scheduler_auth,
                 cert_digest,
@@ -913,7 +914,7 @@ mod server {
 
         pub fn start(self) -> Result<Infallible> {
             let Self {
-                public_addr,
+                bind_address,
                 scheduler_url,
                 scheduler_auth,
                 cert_digest,
@@ -963,10 +964,10 @@ mod server {
                 }
             });
 
-            info!("Server listening for clients on {}", public_addr);
+            info!("Server listening for clients on {}", bind_address);
             let request_count = atomic::AtomicUsize::new(0);
 
-            let server = rouille::Server::new_ssl(public_addr, move |request| {
+            let server = rouille::Server::new_ssl(bind_address, move |request| {
                 let req_id = request_count.fetch_add(1, atomic::Ordering::SeqCst);
                 trace!("Req {} ({}): {:?}", req_id, request.remote_addr(), request);
                 let response = (|| router!(request,

diff --git a/tests/harness/mod.rs b/tests/harness/mod.rs
@@ -195,6 +195,7 @@ fn sccache_server_cfg(
         },
         cache_dir: Path::new(CONFIGS_CONTAINER_PATH).join(relpath),
         public_addr: SocketAddr::new(server_ip, SERVER_PORT),
+        bind_address: Some(SocketAddr::from(([0, 0, 0, 0], SERVER_PORT))),
         scheduler_url,
         scheduler_auth: sccache::config::server::SchedulerAuth::Token {
             token: DIST_SERVER_TOKEN.to_owned(),
@@ -409,9 +410,14 @@ impl DistSystem {
             listener.local_addr().unwrap()
         };
         let token = create_server_token(ServerId::new(server_addr), DIST_SERVER_TOKEN);
-        let server =
-            dist::http::Server::new(server_addr, self.scheduler_url().to_url(), token, handler)
-                .unwrap();
+        let server = dist::http::Server::new(
+            server_addr,
+            Some(SocketAddr::from(([0, 0, 0, 0], server_addr.port()))),
+            self.scheduler_url().to_url(),
+            token,
+            handler,
+        )
+        .unwrap();
         let pid = match unsafe { nix::unistd::fork() }.unwrap() {
             ForkResult::Parent { child } => {
                 self.server_pids.push(child);