On Mon, Sep 16, 2013 at 11:05:34AM +0200, David Caro wrote:
> On Fri 13 Sep 2013 09:24:24 PM CEST, Ewoud Kohl van Wijngaarden wrote:
> > On Fri, Sep 13, 2013 at 11:00:27AM +0200, David Caro wrote:
> >> On Wed 11 Sep 2013 04:09:17 PM CEST, Ewoud Kohl van Wijngaarden wrote:
> >>> For https://fedorahosted.org/ovirt/ticket/71 I submitted
> >>> http://gerrit.ovirt.org/19141 to use r10k for module deployment.
> >>>
> >>> I do have some concerns for further deployment. Until now I've assumed
> >>> that we want jenkins to build on new git versions (possibly via the
> >>> jenkins patch merged trigger) and then push that to foreman.ovirt.org.
> >>> However, that means we give jenkins implicit root on all of our infra
> >>> which is a bad thing.
> >>>
> >>> Some solutions I can think of:
> >>>
> >>> 1. Set up a cronjob on foreman to poll git
> >>> 1.1. Run make as the current patch
> >>> 1.2. Change the patch and switch to dynamic environment support[1]
> >>> 2. Set up an infra jenkins to automate this
> >>
> >> We can also restrict the ssh commands that the user can run, and
> >> restrict it to the script that updates the manifests. That will avoid
> >> having to give root access to the puppetmaster, that said, the
> >> manifests that will be applied have implicit root access everywhere
> >> too, but if we want automatic deployments that's what you get (only
> >> maintainers should have merge access, meaning that anything that goes
> >> through has been reviewed, so what we are really doing is reducing the
> >> manual steps to one, when the reviewer merges the patch).
> >
> > I like this solution. It would remove the polling from foreman and give
> > us logging in jenkins. I'd prefer if foreman retrieves the sources
> > straight from gerrit so jenkins is more like a glorified cron. I think
> > that's less insecure ;)
>
> Agree, so what we need then is:
> * Create update scripts
> * Set up restricted shell account to only run that script
> * Create jenkins job

So I was looking into installing r10k. First of all, I don't like
installing through gem. So my next try was using fpm to package it, but
it needs rubygem(systemu) >= 2.5.2 and 1.2.0 is in epel.

Some options:
* Create a newer rubygem(systemu) and hope nothing needs < 2.5.2.
* Install through gem and hope nothing breaks
* Set up a user with minimal privileges, install it to its homedir.

I'm toward the last option, but would love to hear a better alternative.
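
Added example, not part of the original message or of the oVirt infra code: one way the "restricted shell account to only run that script" item from the thread could look with an OpenSSH forced command. The account name puppet-deploy, the script path, the optional environment-name argument and the r10k invocation are assumptions.

```shell
#!/bin/sh
# Forced-command wrapper (added example; names below are assumptions).
# Installed as /usr/local/bin/update-manifests on the puppetmaster and pinned
# to the Jenkins key in ~puppet-deploy/.ssh/authorized_keys (a single line):
#
#   command="/usr/local/bin/update-manifests",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding <jenkins-public-key>
#
# sshd runs this script whatever the client asked for; the client's request
# only arrives as data in SSH_ORIGINAL_COMMAND.
LC_ALL=C; export LC_ALL   # make the a-z range below mean ASCII only

# Print the environment to deploy ("" = all) or return 1 to refuse.
validated_env() {
    case $1 in
        '')            : ;;          # no request text: deploy everything
        *[!a-z0-9_]*)  return 1 ;;   # spaces, ';', '/', '$', newlines, ...
        *)             printf '%s' "$1" ;;
    esac
}

main() {
    if ! env_name=$(validated_env "${SSH_ORIGINAL_COMMAND:-}"); then
        # Do not copy the rejected request into the log: it is client-controlled.
        logger -t update-manifests "refused request from ${SSH_CLIENT:-unknown}"
        echo "refused" >&2
        exit 1
    fi
    logger -t update-manifests "deploying '${env_name:-all}' for ${SSH_CLIENT:-unknown}"
    # The puppetmaster pulls from gerrit itself (r10k's configured remote);
    # nothing sent by Jenkins reaches the command line except a validated name.
    exec r10k deploy environment ${env_name:+"$env_name"} --puppetfile
}

# Act only when invoked under the installed name, so the file can be sourced.
if [ "${0##*/}" = update-manifests ]; then
    main
fi
```

With this in place the Jenkins job only needs to open an ssh connection to the account; a compromised Jenkins can trigger a deploy of what is already merged in gerrit, but cannot choose the command that runs on the puppetmaster.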
