author | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-03-13 15:14:37 +0000 |
---|---|---|
committer | Sam Thursfield <sam.thursfield@codethink.co.uk> | 2015-03-13 15:14:37 +0000 |
commit | bc18c61ee3c026a6fe80ed3d9a1ea852d9ed9506 (patch) | |
tree | 97be2eb1368e04326af210e3048581431624796a | |
parent | 50f602fe6b12943a3847fb1925b1e5cb554bed97 (diff) | |
parent | 77901928199ff71a65e8bec83830051d52a4a5c4 (diff) | |
download | infrastructure-bc18c61ee3c026a6fe80ed3d9a1ea852d9ed9506.tar.gz |
Merge branch 'sam/gerrit-production'
-rw-r--r-- | README.mdwn | 129 | ||||
-rw-r--r-- | baserock_gerrit/All-Projects/groups | 16 | ||||
-rw-r--r-- | baserock_gerrit/All-Projects/project.config | 105 | ||||
-rw-r--r-- | baserock_gerrit/gerrit-access-config.yml | 151 | ||||
-rw-r--r-- | baserock_gerrit/gerrit-system-x86_64.morph | 39 | ||||
-rw-r--r-- | baserock_gerrit/gerrit-tools.morph | 10 | ||||
-rw-r--r-- | baserock_gerrit/gerrit.config | 6 | ||||
-rw-r--r-- | baserock_gerrit/instance-config.yml | 18 | ||||
-rw-r--r-- | baserock_gerrit/instance-mirroring-config.yml | 49 | ||||
-rw-r--r-- | baserock_gerrit/lorry-controller.conf | 29 | ||||
-rw-r--r-- | baserock_gerrit/lorry-controller/minion.conf | 6 | ||||
-rw-r--r-- | baserock_gerrit/lorry-controller/webapp.conf | 13 | ||||
-rw-r--r-- | baserock_gerrit/lorry.conf | 8 | ||||
-rw-r--r-- | baserock_gerrit/replication.config | 27 |
14 files changed, 582 insertions, 24 deletions
diff --git a/README.mdwn b/README.mdwn index c4a23628..f678e8de 100644 --- a/README.mdwn +++ b/README.mdwn @@ -197,6 +197,12 @@ https://docs.djangoproject.com/en/1.7/howto/deployment/checklist/ To deploy to production: + nova volume-create \ + --display-name gerrit-volume \ + --display-description 'Gerrit volume' \ + --volume-type Ceph \ + 100 + morph build baserock_gerrit/gerrit-system-x86_64.morph morph deploy baserock_gerrit/baserock_gerrit.morph 
@@ -205,26 +211,32 @@ To deploy to production: --flavor 'dc1.2x4.40' \ --image baserock_gerrit \ --nic net-id=d079fa3e-2558-4bcb-ad5a-279040c202b5,v4-fixed-ip=192.168.222.69 \ + --security-groups default,gerrit,git-server,web-server --user-data baserock-ops-team.cloud-config - nova volume-create \ - --display-name gerrit-volume \ - --display-description 'Gerrit volume' \ - --volume-type Ceph \ - 100 nova volume-attach gerrit.baserock.org <volume-id> /dev/vdb - # Download the JRE -- this implies that you accept the 'Oracle Binary Code - # License Agreement for Java SE'. Visit Make sure you use the latest - # version of Java, don't copy-paste this commandline directly ;) - # - # See: http://www.oracle.com/technetwork/java/javase/downloads/index.html +Accept the license and download the latest Java Runtime Environment from +http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html + +Accept the license and download the latest Java Cryptography Extensions from +http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html + +Save these two files in the baserock_gerrit/ folder. The instance-config.yml +Ansible playbook will upload them to the new system. + + # Don't copy-paste this! Use the Oracle website instead! 
wget --no-cookies --no-check-certificate \ - --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \ - "http://download.oracle.com/otn-pub/java/jdk/8u31-b13/server-jre-8u31-linux-x64.tar.gz" + --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \ + "http://download.oracle.com/otn-pub/java/jdk/8u40-b25/server-jre-8u40-linux-x64.tar.gz" + wget --no-cookies --no-check-certificate \ + --header "Cookie: gpw_e24=http%3A%2F%2Fwww.oracle.com%2F; oraclelicense=accept-securebackup-cookie" \ + "http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip" ansible-playbook -i hosts baserock_gerrit/instance-config.yml +#### Access control + Now, log into the new Gerrit instance with your OpenID. Make sure you're the first one to have registered, and you will automatically have been added to the Administrators group. 
@@ -232,8 +244,101 @@ Administrators group. You can add more users into the Administrators group later on using the [gerrit set-members] command, or the web interface. +Go to the settings page, 'HTTP Password' and generate a HTTP password for +yourself. You'll need it in the next step. The password can take a long time to +appear for some reason, or it might not work at all. Click off the page and +come back to it and it might suddenly have appeared. I've not investigated why +this happens. + +Generate the SSH keys you need, if you don't have them. + + mkdir -p keys + ssh-keygen -t rsa -b 4096 -C 'lorry@gerrit.baserock.org' -N '' -f keys/lorry-gerrit.key + +Now set up the Gerrit access configuration. You'll need to have cloned +<https://github.com/ssssam/ansible-gerrit> alongside infrastructure.git, and ran +`make` in that directory. You'll also need 'pygerrit' installed somewhere +Python can find it. + + export GERRIT_URL=http://gerrit.baserock.org + export GERRIT_ADMIN_USERNAME=your username + export GERRIT_ADMIN_PASSWORD=your generated HTTP password + + ANSIBLE_LIBRARY=../ansible-gerrit \ + ansible-playbook baserock_gerrit/gerrit-access-config.yml + +As well as creating all the groups and initial users in the new Gerrit +instance, Ansible should update the file baserock_gerrit/All-Projects/groups, +which will be needed in the next step. + + git clone ssh://$GERRIT_ADMIN_USERNAME@gerrit.baserock.org:29418/All-Projects.git /tmp/All-Projects + cp -a baserock_gerrit/All-Projects/* /tmp/All-Projects + cd /tmp/All-Projects + git checkout -b config + git commit -a -m "Set up initial access controls." + git push origin config:refs/meta/config + cd - + [gerrit set-members]: https://gerrit-documentation.storage.googleapis.com/Documentation/2.9.4/cmd-set-members.html +#### Mirroring + +Run: + + ansible-playbook -i hosts baserock_gerrit/instance-mirroring-config.yml + +Now clone the lorry-controller configuration repository, commit the +configuration file to it, and push. 
+ + git clone ssh://$GERRIT_ADMIN_USERNAME@gerrit.baserock.org:29418/local-config/lorries.git /tmp/lorries + cp baserock_gerrit/lorry-controller.conf /tmp/lorries + cd /tmp/lorries + git checkout -b master + git add . + git commit -m "Add initial Lorry Controller mirroring configuration" + git push origin master + cd - + +Now SSH in as 'root' to gerrit.baserock.org, tunnelling the lorry-controller +webapp's port to your local machine: + + ssh -L 12765:localhost:12765 root@gerrit.baserock.org + +Visit <http://localhost/1.0/status-html>. You should see the lorry-controller +status page. Click 'Re-read configuration', if there are any errors in the +configuration it'll tell you. If not, it should start mirroring stuff from +your Trove. + +Create a Gitano account on the Trove you want to push changes to for the Gerrit +user. The `instance-config.yml` Ansible playbook will have generated an SSH +key. Do this on the Gerrit instance. + + ssh git@git.baserock.org user add gerrit "gerrit.baserock.org" gerrit@baserock.org + ssh git@git.baserock.org as gerrit sshkey add main < ~gerrit/.ssh/id_rsa.pub + +Add the user to the necessary -writers groups, so they can push updates to the +repos. The 'replication.config' file controls what the gerrit-replication plugin +tries to push. By default force-push is disabled and only 'master' and tags are +pushed. + + ssh git@git.baserock.org group adduser baserock-writers gerrit + +Add the host key of the remote trove. + + sudo -u gerrit sh -c 'ssh-keyscan git.baserock.org >> ~gerrit/.ssh/known_hosts' + +Check the account is working. + + sudo -u gerrit ssh git@git.baserock.org whoami + +Now enable the gerrit-replication plugin, check that it's now in the list of +plugins, and manually start a replication cycle. You should see log output from +the final SSH command showing any errors. 
+ + ssh $GERRIT_ADMIN_USERNAME@gerrit.baserock.org -p 29418 gerrit plugin enable replication + ssh $GERRIT_ADMIN_USERNAME@gerrit.baserock.org -p 29418 gerrit plugin ls + ssh $GERRIT_ADMIN_USERNAME@gerrit.baserock.org -p 29418 replication start --all --wait + ### Storyboard We use a slightly adapted version of diff --git a/baserock_gerrit/All-Projects/groups b/baserock_gerrit/All-Projects/groups new file mode 100644 index 00000000..da2baa74 --- /dev/null +++ b/baserock_gerrit/All-Projects/groups @@ -0,0 +1,16 @@ +# UUID Group Name +# +global:Anonymous-Users Anonymous Users +global:Project-Owners Project Owners +global:Registered-Users Registered Users + +# This file is filled in with the other group IDs by the +# gerrit-access-config.yml Ansible playbook. +b660c33b68509db9dbd9578ae00035da90c0d5eb Administrators +8e467a11f116bb716a65ac85e28bf09ebfeb0d63 Non-Interactive Users +898d9c4232b8fcac6a3b128f7264c5d4c8b1eead Developers +b8fc45c681b94669fe3fa965c48d5221a515a3a6 Mergers +8c788c828285c3dd0a8c1cc152de6735085def9f Mirroring Tools +a7a9cc6639bd943e47da0d20b39267a08b43cd91 Release Team +d643abb0ad6e9d5ac33093af5cd3a3d4e484d95d Reviewers +cea6c19a08e11b74e63a567e050bec2c6eeb14dc Testers diff --git a/baserock_gerrit/All-Projects/project.config b/baserock_gerrit/All-Projects/project.config new file mode 100644 index 00000000..0b16b280 --- /dev/null +++ b/baserock_gerrit/All-Projects/project.config 
@@ -0,0 +1,105 @@
+# Top-level access controls for projects on Baserock Gerrit.
+
+# These can be overridden by a project's own project.config file. They are also
+# overridden by the config of a project's parent repo, if it is set to something
+# other than the default parent project 'All-Projects'.
+
+# Useful references:
+#
+# https://gerrit-documentation.storage.googleapis.com/Documentation/2.11/access-control.html
+# https://git.openstack.org/cgit/openstack-infra/system-config/tree/doc/source/gerrit.rst
+
+[project]
+ description = Access inherited by all other projects.
+
+[receive]
+ requireContributorAgreement = false
+ requireSignedOffBy = false
+ requireChangeId = true
+
+[submit]
+ mergeContent = true
+
+[capability]
+ administrateServer = group Administrators
+ priority = batch group Non-Interactive Users
+ streamEvents = group Non-Interactive Users
+
+ createProject = group Mirroring Tools
+
+# Everyone can read everything.
+[access "refs/*"]
+ read = group Administrators
+ read = group Anonymous Users
+
+
+# Developers can propose changes. All 'Registered Users' are 'Developers'.
+[access "refs/for/refs/*"]
+ push = group Developers
+ pushMerge = group Developers
+
+
+[access "refs/heads/*"]
+ forgeAuthor = group Developers
+ rebase = group Developers
+ label-Code-Review = -2..+2 group Mergers
+ submit = group Mergers
+ label-Code-Review = -1..+1 group Reviewers
+# label-Verified = -1..+1 group Testers
+
+ create = group Administrators
+ forgeCommitter = group Administrators
+ push = group Administrators
+ create = group Project Owners
+ forgeCommitter = group Project Owners
+ push = group Project Owners
+
+ create = group Mirroring Tools
+ forgeAuthor = group Mirroring Tools
+ forgeCommitter = group Mirroring Tools
+ push = +force group Mirroring Tools
+
+[access "refs/tags/*"]
+ pushTag = group Release Team
+ pushSignedTag = group Release Team
+
+ pushTag = group Administrators
+ pushSignedTag = group Administrators
+ pushTag = group Project Owners
+ pushSignedTag = group Project Owners
+
+ create = group Mirroring Tools
+ forgeAuthor = group Mirroring Tools
+ forgeCommitter = group Mirroring Tools
+ push = +force group Mirroring Tools
+ pushTag = +force group Mirroring Tools
+ pushSignedTag = +force group Mirroring Tools
+
+
+# Changing project configuration is allowed for Administrators only. (In theory
+# anyone who owns a project can change its permissions, but right now all
+# projects should be owned by the Administrators group).
+[access "refs/meta/config"]
+ exclusiveGroupPermissions = read
+
+ read = group Administrators
+ push = group Administrators
+ read = group Project Owners
+ push = group Project Owners
+
+[label "Code-Review"]
+ function = MaxWithBlock
+ copyMinScore = true
+ value = -2 Do not merge
+ value = -1 This patch needs further work before it can be merged
+ value = 0 No score
+ value = +1 Looks good to me, but someone else must approve
+ value = +2 Looks good to me, approved
+
+# Disabled for now, because there is no automated test tool hooked up to our
+# Gerrit yet.
+#[label "Verified"]
+# function = MaxWithBlock
+# value = -1 Failed
+# value = 0 No score
+# value = +1 Verified
diff --git a/baserock_gerrit/gerrit-access-config.yml b/baserock_gerrit/gerrit-access-config.yml
new file mode 100644
index 00000000..d17df33e
--- /dev/null
+++ b/baserock_gerrit/gerrit-access-config.yml
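Review bot: The `push = +force group Mirroring Tools` grants under `[access "refs/heads/*"]` and `[access "refs/tags/*"]` live in All-Projects, so the mirroring account can rewrite any branch or tag in every project that inherits from it, not only the mirrored ones. Combined with `forgeCommitter`, whoever holds the `lorry` key can replace history anywhere on the server. If the mirrored repositories can share a parent project, consider moving the `+force` lines there. Otherwise a comment such as `# +force: upstream branches may be rewound; note this applies to every project` would at least record the intent.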
@@ -0,0 +1,151 @@
+# Baserock Gerrit access controls, and predefined users, groups and projects.
+#
+# This Ansible playbook requires the ansible-gerrit modules:
+#
+# https://www.github.com/ssssam/ansible-gerrit
+#
+# These modules depend on pygerrit:
+#
+# https://www.github.com/sonyxperiadev/pygerrit/
+
+# -
+- hosts: localhost
+ tasks:
+ # System groups:
+ # - Anonymous Users
+ # - Change Owner
+ # - Project Owners
+ # - Registered Users
+
+ # Prefined groups:
+ # - Administrators
+ # - Non-Interactive Users
+
+ - gerrit_group:
+ name: Administrators
+ register: administrators_group
+
+ - gerrit_group:
+ name: Non-Interactive Users
+ register: non_interactive_users_group
+
+ # The 'owner' of a group defines who can modify that group. Users
+ # who are in the 'owner' group for a group 'Groupies' can add and remove
+ # people (and other groups) from 'Groupies' and can change the name,
+ # description and owner of 'Groupies.' Since we don't want the
+ # names, descriptions or owners of these predefined groups being
+ # changed, they are all left owned by the Administrators group.
+
+ - gerrit_group:
+ name: Developers
+ description: Registered users who choose to submit changes for consideration.
+ owner: Administrators
+ included_groups:
+ - Registered Users
+ register: developers_group
+
+ # Right now all Mergers are in the Release Team by default.
+ - gerrit_group:
+ name: Release Team
+ description: Developers who can tag releases
+ owner: Administrators
+ included_groups:
+ - Mergers
+ register: release_team_group
+
+ - gerrit_group:
+ name: Mergers
+ description: Developers who can trigger the actual merging of a change.
+ owner: Administrators
+ register: mergers_group
+
+ - gerrit_group:
+ name: Mirroring Tools
+ description: Programs that pull changes from external repositories into Gerrit's Git server
+ owner: Administrators
+ register: mirroring_tools_group
+
+ - gerrit_group:
+ name: Reviewers
+ description: Registered users who choose to give +1 / -1 reviews to proposed changes.
+ owner: Administrators
+ included_groups:
+ - Registered Users
+ register: reviewers_group
+
+ - gerrit_group:
+ name: Testers
+ description: Testers that can give +1 / -1 Verified to proposed changes.
+ owner: Administrators
+ register: testers_group
+
+ # Non-interactive accounts.
+
+ - gerrit_account:
+ username: firehose
+ fullname: Firehose integration bot
+ email: firehose@baserock.org
+ groups:
+ - Non-Interactive Users
+ - Developers
+ #ssh_key: xx
+
+ - gerrit_account:
+ username: lorry
+ fullname: Lorry mirroring service
+ email: lorry@baserock.org
+ groups:
+ - Mirroring Tools
+ - Non-Interactive Users
+ # FIXME: ansible-gerrit module should be able to handle a filename
+ # here, instead of needing this hack to read the contents.
+ ssh_key: "{{ lookup('file', '../keys/lorry-gerrit.key.pub') }}"
+
+ - gerrit_account:
+ username: mason
+ fullname: Mason automated tester
+ email: mason@baserock.org
+ groups:
+ - Non-Interactive Users
+ - Testers
+ #ssh_key: xx
+
+ # It'd make more sense to do this in the mirroring-config.yml file, but
+ # then the admin would need to supply their Gerrit credentials to that
+ # playbook too (which is more tricky, because it doesn't run on
+ # 'localhost').
+ - name: repo to hold Lorry Controller mirroring configuration
+ gerrit_project:
+ name: local-config/lorries
+ description: Configuration for Lorry for mirroring from Trove
+
+ - name: create 'groups' mapping required by Gerrit
+ lineinfile:
+ create: yes
+ dest: All-Projects/groups
+ line: "{{ item.group_info.id }}\t{{ item.group_info.name }}"
+ with_items:
+ - "{{ administrators_group }}"
+ - "{{ non_interactive_users_group }}"
+ - "{{ developers_group }}"
+ - "{{ mergers_group }}"
+ - "{{ mirroring_tools_group }}"
+ - "{{ release_team_group }}"
+ - "{{ reviewers_group }}"
+ - "{{ testers_group }}"
+
+# it'd be nice if this module existed... but it doesn't right now. You'll have
+# to commit the files manually.
+#
+# - name: push access configuration for all repos
+# git_commit_in_branch:
+# repo: ssh://{{ env.GERRIT_ADMIN_USERNAME }}@{{ env.GERRIT_URL}}:29418/All-Projects
+# ref: refs/meta/config
+# source: All-Projects
+# committer_name: Baserock Gerrit configuration scripts
+# committer_email: admin@baserock.org
+# commit_message: >
+# Update global configuration.
+#
+# This commit was made by an Ansible playbook living in
+# git://git.baserock.org/baserock/baserock/infrastructure.
diff --git a/baserock_gerrit/gerrit-system-x86_64.morph b/baserock_gerrit/gerrit-system-x86_64.morph
index 176c8430..0fd2c910 100644
--- a/baserock_gerrit/gerrit-system-x86_64.morph
+++ b/baserock_gerrit/gerrit-system-x86_64.morph
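Review bot: The `lineinfile` task that writes `All-Projects/groups` has only `line:`, so it matches on the complete UUID-plus-name text rather than on the group name. The `groups` file added in this same commit already carries eight UUIDs; if the playbook runs against an instance that assigns different IDs, the new lines would be appended next to the old ones and each group name would then appear twice with different UUIDs. Adding `regexp: "\t{{ item.group_info.name }}$"` should make the task replace the existing entry instead. It is worth confirming how Gerrit resolves a duplicated name before this file is pushed to `refs/meta/config`, since the mapping decides which group each permission binds to.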
@@ -8,31 +8,56 @@ description: | are downloaded from the web and installed on first-boot by the configuration management scripts. - So this system is really just a Baserock base system plus Ansible. + So this system is really just a Baserock base system plus + Ansible and some extras. arch: x86_64 strata: - name: build-essential morph: strata/build-essential.morph - name: core morph: strata/core.morph -- name: foundation - morph: strata/foundation.morph -- name: lvm - morph: strata/lvm.morph +- name: python-core + morph: strata/python-core.morph - name: bsp-x86_64-generic morph: strata/bsp-x86_64-generic.morph +- name: foundation + morph: strata/foundation.morph - name: cloudinit-support morph: strata/cloudinit-support.morph + +- name: lvm + morph: strata/lvm.morph + +- name: python-common + morph: strata/python-common.morph - name: ansible morph: strata/ansible.morph + +# lighttpd is needed for Lorry Controller. Gerrit uses its own web server. +# +# pcre-utils is a dependency of lighttpd. +# python-cliapp and python-wsgi are needed for lorry-controller. +- name: pcre-utils + morph: strata/pcre-utils.morph +- name: lighttpd-server + morph: strata/lighttpd-server.morph +- name: python-cliapp + morph: strata/python-cliapp.morph +- name: python-wsgi + morph: strata/python-wsgi.morph - name: lorry morph: strata/lorry.morph - name: lorry-controller morph: strata/lorry-controller.morph -# FIXME: 'tools' is needed purely because mkfs.ext4 resides there. -# Which doesn't make much sense really. + +- name: gerrit-tools + morph: baserock_gerrit/gerrit-tools.morph + +# FIXME: 'tools' is needed mainly because rsync lives there and we need +# rsync for upgrades using system-version-manager. - name: tools morph: strata/tools.morph + configuration-extensions: - set-hostname - add-config-files diff --git a/baserock_gerrit/gerrit-tools.morph b/baserock_gerrit/gerrit-tools.morph new file mode 100644 index 00000000..69aa493b --- /dev/null +++ b/baserock_gerrit/gerrit-tools.morph 
@@ -0,0 +1,10 @@ +name: gerrit-tools +kind: stratum +description: Tools for use with Gerrit +build-depends: +- morph: strata/python-common.morph +chunks: +- name: pygerrit + repo: github:sonyxperiadev/pygerrit + ref: daad8e23d9bbcd8a2bc565497be50a3cc29dae6b + unpetrify-ref: master diff --git a/baserock_gerrit/gerrit.config b/baserock_gerrit/gerrit.config index c2257eaa..249fde8e 100644 --- a/baserock_gerrit/gerrit.config +++ b/baserock_gerrit/gerrit.config @@ -21,3 +21,9 @@ directory = cache [user] email = "gerrit@baserock.org" + +# It seems like a bad idea to enable remote administration of plugins, but +# there is absolutely no information available on how to do 'local' +# administration of Gerrit plugins, so we can't really avoid it. +[plugins] + allowRemoteAdmin = true diff --git a/baserock_gerrit/instance-config.yml b/baserock_gerrit/instance-config.yml index 77de7722..f9317278 100644 --- a/baserock_gerrit/instance-config.yml +++ b/baserock_gerrit/instance-config.yml @@ -12,10 +12,10 @@ GERRIT_VERSION: 2.9.4 # Download from http://www.oracle.com/technetwork/java/javase/downloads/server-jre8-downloads-2133154.html - JRE_FILE: server-jre-8u31-linux-x64.tar.gz + JRE_FILE: server-jre-8u40-linux-x64.tar.gz # This path should correspond to where the JRE ends up if you extract the # downloaded tarball in /opt. - JRE_DIR: /opt/jdk1.8.0_31 + JRE_DIR: /opt/jdk1.8.0_40 # Download from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html JCE_FILE: jce_policy-8.zip 
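Review bot: `allowRemoteAdmin = true` in the new `[plugins]` section stays enabled permanently, although the README steps in this commit use it only once, for `gerrit plugin enable replication`. The instance-config.yml change in this commit already extracts `replication.jar` into `/srv/gerrit/plugins`, and as far as I know Gerrit loads jars found in that directory at startup, so the setting may not be needed at all; that is worth testing on a scratch instance. If it has to stay, the comment could record the exposure, e.g. `# Anyone with administrateServer can then install or enable plugins over SSH.`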
@@ -24,12 +24,15 @@ vars_files: - ../database/baserock_gerrit.database_password.yml tasks: - - name: add gerrit user - user: name=gerrit shell=/bin/false + user: + name: gerrit + shell: /bin/false + generate_ssh_key: yes + ssh_key_comment: gerrit@baserock.org - name: unpack the Java Runtime Environment - unarchive: src=/root/{{ JRE_FILE }} dest=/opt owner=root group=root creates={{ JRE_DIR }} + unarchive: src={{ JRE_FILE }} dest=/opt owner=root group=root creates={{ JRE_DIR }} # The Java Cryptography Extensions are needed in order to enable all SSH # ciphers, due to US export restrictions. @@ -58,6 +61,11 @@ - name: initialise Gerrit application directory command: "{{ run_gerrit }} init -d /srv/gerrit creates=/srv/gerrit/etc/gerrit.config" + - name: extract gerrit-replication plugin + shell: unzip /opt/gerrit/gerrit-{{ GERRIT_VERSION}}.war WEB-INF/plugins/replication.jar -p > /srv/gerrit/plugins/replication.jar + args: + creates: /srv/gerrit/plugins/replication.jar + - name: download extra Java libraries get_url: url: "{{ item }}" diff --git a/baserock_gerrit/instance-mirroring-config.yml b/baserock_gerrit/instance-mirroring-config.yml new file mode 100644 index 00000000..6864f7c7 --- /dev/null +++ b/baserock_gerrit/instance-mirroring-config.yml 
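Review bot: The `unarchive` task now uploads `{{ JRE_FILE }}` from the operator's checkout and unpacks it as root into /opt with no integrity check, while the README in this commit shows that file being fetched with `wget --no-check-certificate` over plain http. A digest check before the unpack would close that gap, for instance a preceding task `local_action: command sha256sum -c <checksum-file-placeholder>` with the expected digest taken from Oracle's download page and committed beside the playbook. The same reasoning applies to `JCE_FILE`, whose task lies outside this hunk.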
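Review bot: In the `extract gerrit-replication plugin` task the shell redirect creates `/srv/gerrit/plugins/replication.jar` before `unzip` has produced any output, so a failed extraction leaves an empty or truncated jar and `creates:` then skips the task on every later run. Letting unzip write the file itself avoids the stale artefact: `command: unzip -j /opt/gerrit/gerrit-{{ GERRIT_VERSION }}.war WEB-INF/plugins/replication.jar -d /srv/gerrit/plugins`, keeping the existing `creates:` argument. The task list continues outside this hunk, so ownership of the extracted file is not visible here and may also need setting.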
@@ -0,0 +1,49 @@
+- hosts: gerrit.baserock.org
+ gather_facts: no
+ sudo: yes
+ tasks:
+ - name: Lorry user
+ user: name=lorry comment="Lorry mirroring service"
+
+ # Ansible can generate a new SSH key for Lorry when we add the user,
+ # but it seems tricky to then extract this and add it to the 'lorry' Gerrit
+ # user.
+ - name: SSH private key for Lorry user
+ copy: src=../keys/lorry-gerrit.key dest=~/.ssh/id_rsa mode=600
+ sudo_user: lorry
+
+ - name: SSH public key for Lorry user
+ copy: src=../keys/lorry-gerrit.key.pub dest=~/.ssh/id_rsa.pub mode=644
+ sudo_user: lorry
+
+ - name: directory in /etc for Lorry Controller system configuration
+ file: dest=/etc/lorry-controller state=directory
+
+ - name: Lorry tool configuration
+ copy: src=lorry.conf dest=/etc/lorry.conf
+
+ - name: Lorry Controller system configuration
+ copy:
+ src=lorry-controller/{{ item }}
+ dest=/etc/lorry-controller/{{ item }}
+ with_items:
+ - minion.conf
+ - webapp.conf
+
+ - name: enable and restart core lorry controller services.
+ service: name={{ item }} enabled=yes state=started
+ with_items:
+ - lighttpd-lorry-controller-webapp.service
+ - lorry-controller-minion@1.service
+
+ - name: enable lorry-controller scheduled activity timers
+ service: name={{ item }} enabled=yes
+ with_items:
+ - lorry-controller-ls-troves.timer
+ - lorry-controller-readconf.timer
+ - lorry-controller-remove-ghost-jobs.timer
+ - lorry-controller-remove-old-jobs.timer
+ - lorry-controller-status.timer
+
+ - name: gerrit-replication configuration
+ copy: src=replication.config dest=/srv/gerrit/etc
diff --git a/baserock_gerrit/lorry-controller.conf b/baserock_gerrit/lorry-controller.conf
new file mode 100644
index 00000000..88965f0f
--- /dev/null
+++ b/baserock_gerrit/lorry-controller.conf
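Review bot: Nothing in this play creates `~lorry/.ssh` before the two key copies, and the `Lorry user` task does not set `generate_ssh_key`, so the directory that ends up holding the passphrase-less private key either does not exist yet or gets whatever mode the copy module defaults to. An explicit task ahead of the copies, `file: dest=~/.ssh state=directory mode=700` with `sudo_user: lorry`, would pin that. Separately, the task named 'enable and restart core lorry controller services' uses `state=started`, so an updated minion.conf or webapp.conf is not picked up when the playbook is re-run; `state=restarted` or a handler would match the task name.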
@@ -0,0 +1,29 @@
+[
+ {
+ "type": "trove",
+
+ "trovehost": "git.baserock.org",
+ "protocol": "http",
+
+ "prefixmap": {
+ "baserock": "baserock",
+ "delta": "delta"
+ },
+
+ "ignore": [
+ "baserock/baserock/documentation",
+ "baserock/baserock/jenkins-config",
+ "baserock/baserock/lorries",
+ "baserock/baserock/morph-cache-server",
+ "baserock/baserock/morphs",
+ "baserock/baserock/remo",
+ "baserock/local-config/*",
+ "baserock/site/*",
+ "baserock/tests/*",
+ "delta/*"
+ ],
+
+ "ls-interval": "4H",
+ "interval": "2M"
+ }
+]
diff --git a/baserock_gerrit/lorry-controller/minion.conf b/baserock_gerrit/lorry-controller/minion.conf
new file mode 100644
index 00000000..99abdba8
--- /dev/null
+++ b/baserock_gerrit/lorry-controller/minion.conf
@@ -0,0 +1,6 @@
+[config]
+log = syslog
+log-level = debug
+webapp-host = localhost
+webapp-port = 12765
+webapp-timeout = 3600
diff --git a/baserock_gerrit/lorry-controller/webapp.conf b/baserock_gerrit/lorry-controller/webapp.conf
new file mode 100644
index 00000000..dde0d0f6
--- /dev/null
+++ b/baserock_gerrit/lorry-controller/webapp.conf
@@ -0,0 +1,13 @@
+[config]
+log = /home/lorry/webapp.log
+log-max = 100M
+log-keep = 0
+log-level = debug
+statedb = /home/lorry/webapp.db
+configuration-directory = /home/lorry/confgit
+status-html = /home/lorry/lc-status.html
+wsgi = yes
+debug-port = 12765
+templates = /usr/share/lorry-controller/templates
+confgit-url = http://localhost:8080/local-config/lorries
+git-server-type = gerrit
diff --git a/baserock_gerrit/lorry.conf b/baserock_gerrit/lorry.conf
new file mode 100644
index 00000000..03c1177b
--- /dev/null
+++ b/baserock_gerrit/lorry.conf
@@ -0,0 +1,8 @@
+[config]
+mirror-base-url-push = ssh://lorry@localhost:29418/
+bundle = never
+tarball = never
+working-area = /home/lorry/working-area
+verbose = yes
+log = /dev/stdout
+log-level = debug
diff --git a/baserock_gerrit/replication.config b/baserock_gerrit/replication.config
new file mode 100644
index 00000000..fab59c14
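Review bot: `"protocol": "http"` in lorry-controller.conf makes Lorry fetch every mirrored repository from git.baserock.org in cleartext, and project.config in this commit lets the mirroring account force-push the result onto any branch or tag. The content that lands in Gerrit is therefore only as trustworthy as the network path between the two hosts. If the Trove serves Git over TLS, `"protocol": "https"` would be the safer value, and it is a one-line change.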
--- /dev/null
+++ b/baserock_gerrit/replication.config
@@ -0,0 +1,27 @@
+# Configuration for gerrit-replication plugin.
+#
+# This handles pushing changes from gerrit.baserock.org to git.baserock.org.
+
+[remote "trove"]
+ url = ssh://git@git.baserock.org/${name}.git
+
+ # Disable force-pushing and only sync 'master' and tags.
+ #
+ # This will probably prove annoying and we'll need to mirror more branches in
+ # future. But right now there are hundreds of personal branches and I want to
+ # avoid potential push errors for branches we don't care about.
+ push = refs/heads/master:refs/heads/master
+ push = refs/tags/*:refs/tags/*
+
+ createMissingRepositories = false
+ replicatePermissions = false
+
+ # What to sync: this is a regexp that must match the whole project name.
+ projects = ^baserock/.*$
+
+ # If true, gerrit-replication will remove remote branches that are absent in
+ # the trove. This is a bit dangerous, but necessary if we are to make gerrit
+ # the 'master'. Note that if you set 'authGroup', branches that are not
+ # visible to the configured authorisation group will also be removed. So do
+ # not set 'authGroup' to anything.
+ mirror = false |
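Review bot: The comment above `mirror = false` says the plugin would remove remote branches 'that are absent in the trove', but the remote in this file is the trove itself; going by the rest of the sentence, the branches deleted would be the ones absent from Gerrit. Since this comment is what the next operator reads before flipping a destructive switch, it should name the direction correctly: `# If true, gerrit-replication will remove branches on the trove that are absent in Gerrit.`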