On Fri 13 Sep 2013 09:24:24 PM CEST, Ewoud Kohl van Wijngaarden wrote: > On Fri, Sep 13, 2013 at 11:00:27AM +0200, David Caro wrote: >> On Wed 11 Sep 2013 04:09:17 PM CEST, Ewoud Kohl van Wijngaarden wrote: >>> For https://fedorahosted.org/ovirt/ticket/71 I submitted >>> http://gerrit.ovirt.org/19141 to use r10k for module deployment. >>> >>> I do have some concerns for further deployment. Until now I've assumed >>> that we want jenkins to build on new git versions (possibly via the >>> jenkins patch merged trigger) and then push that to foreman.ovirt.org. >>> However, that means we give jenkins implicit root on all of our infra >>> which is a bad thing. >>> >>> Some solutions I can think of: >>> >>> 1. Set up a cronjob on foreman to poll git >>> 1.1. Run make as the current patch >>> 1.2. Change the patch and switch to dynamic environment support[1] >>> 2. Set up an infra jenkins to automate this >> >> We can also restrict the ssh commands that the user can run, and >> restrict it to the script that updates the manifests. That will avoid >> having to give root access to the puppetmaster, that said, the >> manifests that will be applied have implicit root access everywhere >> too, but if we want automatic deployments that's what you get (only >> maintainers should have merge access, meaning that anything that goes >> through has been reviewed, so what we are really doing is reducing the >> manual steps to one, when the reviewer merges the patch). > > I like this solution. It would remove the polling from foreman and give > us logging in jenkins. I'd prefer if foreman retrieves the sources > straight from gerrit so jenkins is more like a glorified cron. I think > that's less insecure ;)
Agree, so what we need then is: * Create update scripts * Set up restricted shell account to only run that script * Create jenkins job We can also set up a puppet-lint job for the patches, just to avoid merging bad code without knowing. > >>> >>> I'm leaning to 1.2, but maybe I'm missing some other solutions. >>> >>> [1]: https://github.com/adrienthebo/r10k#dynamic-environment-support -- David Caro Red Hat Czech s.r.o. Continuous Integration Engineer - EMEA ENG Virtualization R&D Tel.: +420 532 294 605 Email: [email protected] Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic RHT Global #: 82-62605 _______________________________________________ Infra mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/infra
