This patch addresses:
* LDAP not requiring username or password (anonymous bind)
  This is required to support configurations where LDAP is on a secure network,
  and anonymous bind is enabled.
* LDAP using a self signed SSL cert (verify ssl on or off)
  This is required to support configurations where LDAP requires SSL, but ssl is
  using an internal or self signed certificate, and therefore fails cert checks.
  This also covers testing conditions where a consumer might use OS with LDAP+ssl
  unsigned.
* LDAP using a nonstandard cn naming convention (i.e. email address).
  This is required to deal with an edge case where 'cn' in ldap might be something
  other than a bare username. Gerrit pulls the ssh username from that value and
  will not accept a non-alphanumeric address. By setting 'accountSshUserName' in
  puppet, that is settable.
* LDAP prepopulating account Full name.
  Gerrit has a configuration option to pull Full Name from LDAP; this change exposes
  that option.
Change-Id: Ibd41d59ff98e406b42e1e14cc17e23b3d6211d58
Scoping rules mean that we need to be explicit here or else puppet finds
the wrong thing. Also, puppet needs a trailing slash.
Change-Id: Ifc2f03dbf1dd746515e00ded5d76fe7393ce6c7e
This time, make the default value false instead of empty string.
This reverts commit 99d3283dc246da4b4d2d26ecfb193b308881f05d
Change-Id: I88108ff75f1c2bd3aa78856c186312340258ec3c
Make it possible to configure with LDAP or OPENID_SSO.
Also, it's possible to not want to need CLAs.
Change-Id: Ie6660c819f4078dd4dd5be052e74aaa98c54cab4
We have a cgit server now, which means we should replace
all references to github with references to git.openstack.org.
Change-Id: I68ad1ce514fb4326c7d9940b5a84999af5b58562
Will take effect when Zuul is running this change:
I74702fd7d37358e6f4caa7e7ac0a3ede73184077
This change also adds that feature to the Zuul config and enables
it for OpenStack. It also adds the ability to specify HTML in a
commentlink (and uses it).
Change-Id: Idb4ad8e6079165d681271987a92cab5d8b7c81be
Modify gerrit's git replication configuration so that it
pulls in from a list of replication targets defined in
puppet rather than individually added stanzas.
Pull the replicate_github variable from files, since it
is no longer required.
The replicate_local variable remains because it's used
in the apache configuration and for setup of the local
replication space for git.
Also add the cgit server to the list of servers.
Change-Id: I68de89bb216565f1754eb9b192bd437adcbf768b
Actually, it's support for parameterized listen_address, but the
real thing you want it for is setting the port.
Change-Id: If75fedce32f35a8f72c92fc709d5c9e8b2d35235
Reviewed-on: https://review.openstack.org/33925
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
And slow down bing (msnbot).
Change-Id: Id8361047abc2cfb52260b3d0ef01275ec3a923f5
Reviewed-on: https://review.openstack.org/32435
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Elizabeth Krumbach Joseph <lyz@princessleia.com>
Reviewed-by: Anita Kuno <anita.kuno@enovance.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
* modules/gerrit/templates/gerrit.vhost.erb: If the contactstore
feature is enabled, don't shadow the URL to the fakestore CGI with
the Gerrit loopback proxy.
Change-Id: Ic6d01d671b762370b91f732c1a980051cdb5f6c2
Reviewed-on: https://review.openstack.org/20053
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
This is useful for testing Gerrit's contactstore features if you
don't have a real contact store server set up already.
* modules/gerrit/files/fakestore.cgi: An extremely trivial shell
script which returns the content Gerrit expects from a successful
submission to a contactstore server. Note this does not check the
application security key or store any of the post variables--it is
simply a black hole for contact updates.
* modules/gerrit/manifests/init.pp: If the contactstore feature is
enabled in Gerrit, install the fakestore.cgi script so it can be
available for testing.
* modules/gerrit/templates/gerrit.vhost.erb: If the contactstore
feature is enabled, ScriptAlias the /fakestore URL to the
fakestore.cgi script.
Change-Id: Ifa0f80bab9e8b8e207f0ffd83f01c8a3d904618e
Reviewed-on: https://review.openstack.org/19939
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
Change-Id: I409bd50ae374e0288531f07cfeea34856c5f8067
Reviewed-on: https://review.openstack.org/17319
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: James E. Blair <corvus@inaugust.com>
This replaces the previous Echosign+Launchpad+Wiki+approver-based
asynchronous contributor license agreement signing process with a
fully-automated one contained entirely within Gerrit itself.
Note that the CLA features in Gerrit's WebUI depend on a modified
gerrit.war with an earlier patch reverted:
https://review.openstack.org/12716
* manifests/site.pp(review-dev.openstack.org): Fill contactstore_appsec
and contactstore_pubkey private material from hiera, for use by Gerrit's
contact store feature. Similar entries should be added for
review.openstack.org before going into production.
* modules/gerrit/manifests/init.pp(gerrit): Add contactstore,
contactstore_appsec and contactstore_url variables needed by the
gerrit.config.erb template, and contactstore_pubkey needed by the
contact_information.pub.erb template. Add a conditional block so that if
contactstore is enabled it installs the libbcpg-java package which
Bouncy Castle needs for OpenPGP operations, links the bcpg.jar into
Gerrit's lib directory, and builds contact_information.pub from the
contact_information.pub.erb template.
* modules/gerrit/templates/contact_information.pub.erb: New template
which is effectively an empty file waiting to be filled with the
contents of the contactstore_pubkey variable. The
gerrit_contact_information.pub file built from it gets used to encrypt
contact information filed by users in such a way that it can only be
decrypted by the private key held by the Foundation.
* modules/gerrit/templates/gerrit.config.erb(contactstore): New section,
implemented conditionally for safety. Once enabled, if the
contactstore_appsec and contactstore_url are unset then Gerrit will
refuse to start. If the system referred to by contactstore_url is
unresponsive or contactstore_appsec does not contain the shared secret
it's expecting, contributors will be unable to file initial or updated
contact information through Gerrit's WebUI.
* modules/openstack_project/files/gerrit/cla.html: A stripped-down HTML
copy of http://wiki.openstack.org/CLA retaining all the original
wording. This will probably need updating by OpenStack Foundation staff.
* modules/openstack_project/manifests/gerrit.pp
(openstack_project::gerrit): Add contactstore, contactstore_appsec,
contactstore_pubkey and contactstore_url variables to pass back into the
gerrit module. Also define the cla_description, cla_file, cla_id and
cla_name variables which get used in the gerrit_set_agreements.sh.erb
template. Add an entry to install the cla.html file.
* modules/openstack_project/manifests/review_dev.pp
(openstack_project::review_dev): Add the contactstore_appsec and
contactstore_pubkey variables so they can be filled in by hiera.
Override the war to pull in the g69c8fa6 test build which has the
aforementioned CLA bits restored. Turn on contactstore and set
contactstore_url to point to an existing test CGI on the Internet until
the Foundation has theirs ready. Pass contactstore_appsec and
contactstore_pubkey through up into gerrit.pp. Add an entry for the
set_agreements.sh script built from the gerrit_set_agreements.sh.erb
template and then execute it to add the new CLA to Gerrit's DB and mark
the old one expired. Similar changes should be made in review.pp before
going into production.
* modules/openstack_project/templates/gerrit_set_agreements.sh.erb: New
template used to build a set_agreements.sh script which checks Gerrit's
database and, if necessary, expires the old Echosign CLA and adds the
new local CLA. These conditions are checked and associated operations
performed independently, so subsequent runs become a no-op.
Post-migration, this can probably be neutered further and kept around
for pushing future CLA modifications into the database when needed.
Change-Id: Ib7136fef23dbd5602955649b33a57bc8d7106026
Reviewed-on: https://review.openstack.org/13058
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
Change-Id: Iff55f35c0d9888f1029115c17d4644a68d4e8b4c
Reviewed-on: https://review.openstack.org/10727
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
If replicate_local is set, this will ensure that /var/lib/git is created,
and that projects listed in the projects.config have repos there.
Additionally, it creates a new config file, projects.config which is a
yaml file listing all of the projects and various operational semantics about
them, such as whether or not they should have pull requests closed and whether
or not they track any remotes. This replaces remotes.config and github.config.
Moving forward, there is no reason to not have this script be able to
do github api calls to create the github repo if it's not there, set the
github project description, gerrit api calls to create the project in gerrit,
and initial project permissions templates.
Change-Id: I1ad803b0aa5f7386206d0c3f4cd858017242fe64
Variable interpolation needs <%= not just <%. :)
Also, while I was in there, I replaced default with "oneiric",
because I don't actually know that the value is a good default value,
and I removed a couple of comments about moving to MySQL and Apache
modules from upstream.
Change-Id: Iec5b10cee2cbd0e0a2573fefa707d34d2a363cb4
TODO: Add another script that sets the project description. Add the project
description to the config hash.
Change-Id: If4584b2a1e55e6eb912e1f557e31de216d49a516
Assumes that every project in gerrit has a corresponding repo in
/var/lib/git that can be replicated to. That's probably a one-time offline
creation, followed by an additional step in the adding a project docs.
Change-Id: If9b987717550d5b251366c1408d949c55e64828a
Set the timeout to 5000 minutes, which, due to a bug in gerrit
really means 5 minutes, which is the documented default value.
Change-Id: I85127cc44ed6f182a0e06083641d2d872f11d8b3
Increase the heap size and dramatically increase the ssh threads.
Add some more recommended parameters (see site manifest for details).
Parameterize tunables in gerrit config file.
Change-Id: Ia6446b29426f56a77425eed93a7f0e448c3cd7b1
To be landed after the gerrit change in https://review.openstack.org/6749/ had been applied. Lightens the red used for the outdated highlight.
Change-Id: I33a89873968c0c8e6cb8dfa30892d50337b9a124
Upgrade gerrit to 2.3.0.
Add management of the apache virtualhost.
Remove gerrit body styling (including the javascript hack) in favor
of using the gerrit theme config options for body styling. Keep header
and top menu changes. This should make it easier to keep up with new
gerrit versions without chasing weird GWT changes.
Add management of the gerrit init script.
Add management of MySQL.
Add installation and upgrading of Gerrit.
Change-Id: Idf9e551552d335a2ae82cd27a63edcf6daf94115
Moving the cron-executed gerrit scripts into the puppet module. This is for two reasons:
1. Easier/faster to deploy/maintain than having a cron job for a separate git repo
2. We can add customisations required for review-dev and stackforge
Change-Id: Iaf44e1d57d6ee6ea282575b1b48261f4ccbbaf3f
Connection pool must be explicitly enabled.
See lines 160 - 175 of file
gerrit:gerrit-server/src/main/java/com/google/gerrit/server/schema/DataSourceProvider.java
Change-Id: I0f2d712cfa622d318e81a327ce18283aa086f894
Based on the advice in this thread:
http://groups.google.com/group/repo-discuss/browse_thread/thread/b91491c185295a71
Size the sshd threads (which are also used to handle https git requests)
better. Based on current trends, we peak at about 50% cpu usage
and 25% memory usage. Double the number of threads here to try to
allow us to get closer to 100% cpu.
(Corresponding increase in db connections.)
Change-Id: Icde18233de01466b241ab28d38d2e98735108193
In order to clone 8 keystone repos simultaneously via https in dev,
the following were needed:
httpd.acceptorThreads>=4
sshd.threads>=8
And database.poolLimit is supposed to be higher than http+ssh threads.
Change-Id: I8d011af41e32f7865424d54d5a78a10a3689e708
Also move the launchpad sync cron into puppet.
Create config file for github pull close script.
This change depends on https://review.openstack.org/#change,224
Change-Id: I1b7ad599a6c7542614780ea0ce46a42a8995d15b
Reviewed-on: https://review.openstack.org/225
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins