Commit message [Author, Age, Files, Lines]
* WIP: Add an Ansible script that can deploy everything (sam/ansible-all-the-things) [Sam Thursfield, 2015-05-29, files: 1, lines: -0/+29]
|     Change-Id: Ic9e6bd0cb7d25676ecb4fd442f32445c2848801b
* Avoid using Packer for database deployment [Sam Thursfield, 2015-04-10, files: 4, lines: -133/+15]
|     Change-Id: I2907e3bc01fdcb7adbc0cccfa47bc662d96dd264
* Add general instructions for deploying infrastructure to OpenStack [Sam Thursfield, 2015-04-10, files: 1, lines: -3/+56]
|     Also, add some placeholders to README so we can make the instructions listed in the README easier to cut-n-paste, even when deploying to somewhere other than DataCentred.
|     Change-Id: I32ca1073b7a956a7b8a21ad67682c6292c9d91af
* Rename database -> baserock_database [Sam Thursfield, 2015-04-10, files: 7, lines: -0/+0]
|     For consistency with other systems, and so they stand out better against the upstream Baserock definitions files.
|     Change-Id: If6f9eb25dfb73d2c7b21ce7abcda16df39ab30a7
* Note in README that I no longer think Packer is the right tool for us [Sam Thursfield, 2015-04-10, files: 1, lines: -0/+17]
|     Change-Id: I9b61036d8ead0e5a27873781d14cbd3c1b48591f
* gerrit: Allow Lorry to force-push to branches other than 'master' [Sam Thursfield, 2015-04-01, files: 1, lines: -4/+7]
|     Commit c7edd49d23fa3f1179c611b52d946ff194039723 tried to express this using regular expressions but it actually blocked all force-pushes. I spent some time trying to figure out how to get java.util.regex to do the right thing but I think it's a lost cause. Instead, it now uses a BLOCK rule to remove the +force permission from refs/heads/master for Mirroring Tools.
|     Change-Id: Idb4802ed176184168b928f1e3b79061bd3f408f0
* gerrit: Don't let anyone force-push to 'master' [Sam Thursfield, 2015-03-31, files: 1, lines: -0/+6]
|     Previously, Mirroring Tools (Lorry) could force-push anywhere. This is so that personal branches are kept in sync between git.baserock.org and gerrit.baserock.org. Since users may force-push to their personal branches, it's necessary to allow force-pushes. But nobody should force 'master', and I have a feeling that this is causing an issue we are seeing where Gerrit says that it has merged something, but there is no sign of the merge in 'master'.
|     Change-Id: I80bc4eace46470ffa7f3da185fcc1c1f228cda71
* gerrit: Allow more people to push to refs/heads/* [Sam Thursfield, 2015-03-31, files: 1, lines: -0/+5]
|     The intention was always that Mergers would be able to push to anything in refs/heads/* (on the assumption that we can trust each other not to bypass the accepted review processes). Seems I never actually implemented that. Also, allow forgeAuthor so Mergers can push branches with commits made by other people (without this, Gerrit complains if the author of any of the commits doesn't match the email address of the person pushing).
|     Change-Id: Id60659b51f08bfcec9af2f8681a4faf958301bd0
* gerrit: Stop logging users out every day [Sam Thursfield, 2015-03-30, files: 1, lines: -0/+4]
|     Change-Id: I5d11a3d685d2f68f9487ce20729780ffd5396208
* Use HTTPS for all infrastructure. [Sam Thursfield, 2015-03-30, files: 10, lines: -14/+217]
|     This is implemented with the HAProxy frontend doing 'SSL termination'. So internal traffic between the frontend_haproxy instance and the various machines serving content is unencrypted HTTP as before, but all traffic that goes over the public internet is encrypted now. Note that storyboard.baserock.org is not behind HAProxy, and currently uses a different, self-signed certificate.
|     Change-Id: I9140def605fe26c9c613066fa6524e3cf817f97c
* Add a simple data backup mechanism [Sam Thursfield, 2015-03-30, files: 10, lines: -21/+407]
|     The technique used is: create a new SSH key for backup automation, and authorize it to log in as 'root' to instances. To reduce potential harm if the key somehow gets compromised, it is limited to logging in from a single IP, and it is limited to running the 'backup-snapshot' program on the instances. Inside each instance, the `backup-snapshot` script is used as a wrapper for the `rsync --server` process. This script pauses running services, takes a snapshot of the data volume, and then runs the RSync server.
|     Change-Id: I3c98ffe3dc2fa1373bd0df2388145636e491bf57
* Add mason-x86-64 and irclogs to haproxy.cfg [Pedro Alvarez, 2015-03-27, files: 1, lines: -0/+12]
|     Change-Id: I630b2e3edeedc7f52ae1b1b4e5bb12019b6ce541
* baserock_gerrit: Send emails via the baserock.org mail relay [Sam Thursfield, 2015-03-27, files: 1, lines: -1/+8]
|     Change-Id: I13a125a79ea0fc9036bf705631bfc8e488950a3d
* Merge "Add simple mail relay instance" [Pedro Alvarez, 2015-03-26, files: 4, lines: -0/+106]
|\
| * Add simple mail relay instance [Sam Thursfield, 2015-03-26, files: 4, lines: -0/+106]
| |     This is a Fedora Cloud 21 instance running exim4, for the moment.
| |     Change-Id: I6298a134bb474c65dd57a1bda87469dc3cd88441
* | baserock_gerrit: Rebase patches before merging them [Sam Thursfield, 2015-03-26, files: 1, lines: -0/+1]
|/
|     This avoids potentially having lots of merge commits. Previously, for each change that was not against the latest commit in 'master', there would be a merge commit created.
|     Change-Id: I858ffafd05731c50362596852927fd075330b97f
* Merge branch 'sam/gerrit-reusable' [Sam Thursfield, 2015-03-18, files: 19, lines: -207/+138]
|\
| * gerrit: Allow adding specific lorries for delta/ repos from the Trove [Sam Thursfield, 2015-03-18, files: 1, lines: -0/+9]
| |     This isn't used in baserock.org yet, but having the lorry-controller.conf entry there already saves me from having to describe how to add it.
| * gerrit: Restart mirroring services on config changes [Sam Thursfield, 2015-03-17, files: 1, lines: -1/+7]
| |
| * gerrit: Restart service once instance-config.yml has run [Sam Thursfield, 2015-03-17, files: 1, lines: -1/+1]
| |     In case there were any config changes. It'd be neater to set up a handler so that the service was only restarted when there actually were changes.
| * gerrit: Add helpful comments to various configuration files [Sam Thursfield, 2015-03-17, files: 6, lines: -2/+49]
| |     This hopefully makes the definitions for gerrit.baserock.org more easy for others to adapt.
| * Use unqualified hostnames for Ansible 'hosts' [Sam Thursfield, 2015-03-17, files: 4, lines: -15/+14]
| |     This makes the deployment scripts a bit more generic. Now, if I want to deploy 'gerrit.example.com', I don't need to fix all the places that say 'hosts: gerrit.baserock.org' to say 'hosts: gerrit.example.com' instead.
| * Make 'hosts' a symlink to baserock_hosts [Sam Thursfield, 2015-03-17, files: 2, lines: -40/+41]
| |     The idea is to make it easier for people to fork infrastructure.git and use it for their own infrastructure. They'll need to totally change 'hosts' to point to their own systems, and this would lead to merge conflicts every time they tried to pull in 'master' of infrastructure.git.
| * gerrit: Improvements to README [Sam Thursfield, 2015-03-17, files: 1, lines: -20/+25]
| |
| * gerrit: Move system and stratum .morph files into strata/ and systems/ [Sam Thursfield, 2015-03-17, files: 3, lines: -2/+2]
| |     This is so others can reuse them without having to reuse the other stuff in baserock_gerrit. Most likely people who are setting up a Gerrit with Baserock will make a copy of the baserock_gerrit/ folder, rather than reusing it directly. If they copied the .morph files then they'd miss out on improvements made to those files in subsequent commits to infrastructure.git. Such users will still miss out on improvements to the Ansible modules -- hopefully we can solve that in a nice way in future, too.
| * gerrit: Fix name of gerrit-system-x86_64 [Sam Thursfield, 2015-03-17, files: 1, lines: -1/+1]
| |
| * Remove Gerrit system [Sam Thursfield, 2015-03-17, files: 5, lines: -136/+0]
| |     A new version of a Baserock Gerrit system definition now lives in infrastructure.git.
| |     Change-Id: I6aeed4c5381edf5e7736f1816f9d58832c0ac781
| * gerrit: Import baserock/local-config/lorries [Sam Thursfield, 2015-03-17, files: 1, lines: -1/+1]
|/
* gerrit: Make OpenID single sign-in work properly [Sam Thursfield, 2015-03-17, files: 1, lines: -0/+5]
|     The 'Sign in' link now forwards straight to http://openid.baserock.org/.
* gerrit: Use OPENID_SSO auth type [Sam Thursfield, 2015-03-17, files: 1, lines: -1/+1]
|     We only allow OpenIDs from http://openid.baserock.org/, but previously Gerrit would offer to let users sign in with any OpenID or even a Google account.
|     With OPENID_SSO: There is no registration link, and the "Sign In" link sends the user directly to the provider’s SSO entry point
* Merge branch 'sam/gerrit-production' [Sam Thursfield, 2015-03-13, files: 14, lines: -24/+582]
|\
| * gerrit: Disable 'Verified' label for now [Sam Thursfield, 2015-03-13, files: 2, lines: -6/+16]
| |     Changes can't be merged that aren't +1 Verified. But we don't have Mason set up yet, so nothing can actually set things +1 Verified.
| * gerrit: Release Team should contain Mergers, not vice versa [Sam Thursfield, 2015-03-13, files: 1, lines: -2/+2]
| |
| * gerrit: Reduce lorry-controller interval to 2 minutes [Sam Thursfield, 2015-03-13, files: 1, lines: -1/+1]
| |
| * gerrit: Add mirroring configuration [Sam Thursfield, 2015-03-13, files: 11, lines: -17/+222]
| |     This pulls from git.baserock.org with lorry-controller, and pushes 'master' back to git.baserock.org using gerrit-replication.
| * gerrit: Improvements to deployment [Sam Thursfield, 2015-03-13, files: 2, lines: -21/+30]
| |     These came about after I redeployed gerrit.baserock.org from scratch (but using the same database).
| * gerrit: Create local-config/lorries project [Sam Thursfield, 2015-03-13, files: 1, lines: -1/+9]
| |     Done as part of the Gerrit access config because it's easier then.
| * gerrit: README updates [Sam Thursfield, 2015-03-13, files: 1, lines: -1/+6]
| |
| * gerrit: Update system morph [Sam Thursfield, 2015-03-13, files: 2, lines: -7/+42]
| |     pygerrit seems to want Paramiko, it says it doesn't need it any more though -- maybe requirements.txt needs updating.
| * gerrit: Add initial access control rules [Sam Thursfield, 2015-03-13, files: 4, lines: -0/+286]
|/
|     These are implemented mostly using an Ansible playbook built on these Ansible Gerrit modules I wrote: https://github.com/ssssam/ansible-gerrit
* Merge remote-tracking branch 'baserock/master' [Sam Thursfield, 2015-03-13, files: 172, lines: -630/+933]
|\
| |     Conflicts:
| |         scripts/licensecheck.sh
| |         strata/lorry-controller.morph
| |         strata/trove.morph
| * lorry-controller needs python-uwsgi [Sam Thursfield, 2015-03-13, files: 1, lines: -0/+1]
| |
| * Move 'bottle' and 'flup' into separate python-wsgi module [Sam Thursfield, 2015-03-13, files: 32, lines: -10/+76]
| |     The lorry-controller webapp uses these, as well as morph-cache-server. In order to use lorry-controller in systems that don't contain Morph, we need them to be in a separate stratum.
| |     Change-Id: Ie187c0b506d12ed5e5f8f8ce4a4b91834bf29fe5
| * Merge "Move cliapp into its own 'python-cliapp' stratum" [Sam Thursfield, 2015-03-13, files: 40, lines: -27/+98]
| |\
| | * Move cliapp into its own 'python-cliapp' stratum [Sam Thursfield, 2015-03-12, files: 40, lines: -27/+98]
| | |     This allows us to have a system with Lorry and Lorry Controller but without Morph.
| | |     Change-Id: I5164237601d0ff028834c674274f13b6e1f315c9
| * | Merge branch 'baserock/rdale/fhs-remove-ld-so-conf' [Richard Dale, 2015-03-12, files: 4, lines: -2/+17]
| |\ \
| | | |     Reviewed-By: javier.jardon@codethink.co.uk
| | | |     Reviewed-By: pedro.alvarez@codethink.co.uk
| | * | Create /etc/ld.so.conf in glibc chunks, as it is glibc specific [Richard Dale, 2015-03-12, files: 4, lines: -2/+17]
| |/ /
| * | Merge branch 'baserock/pedroalvarez/fix-non-gbo-repo' [Pedro Alvarez, 2015-03-11, files: 1, lines: -1/+1]
| |\ \
| | |/
| |/|
| | |     Reviewed-By: Adam Coldrick <adam.coldrick@codethink.co.uk>
| | |     Reviewed-By: Paul Sherwood <paul.sherwood@codethink.co.uk>
| | * Fix repo not pointing to git.baserock.org [Pedro Alvarez, 2015-03-11, files: 1, lines: -1/+1]
| |/
| * Update lorry-controller for branches: [Sam Thursfield, 2015-03-11, files: 1, lines: -1/+1]
| |     - sam/gerrit-support
| |     - sam/ignore-globs