Ori.livneh has submitted this change and it was merged.
Change subject: Git::Clone: support shared repositories
......................................................................
Git::Clone: support shared repositories
Git supports sharing repositories by users of the same group. It works well
enough if you set up the repository's directory with all the right permission
bits and and clone the repository with the right command-line incantations. But
if you don't, it becomes nightmarishly hard to make an existing repository
shared.
Part of the verbosity of this particular patch is that I wanted to ensure each
exec had an onlyif / unless check so that it doesn't pollute the log when it's
not actually doing anything.
Also got rid of now-dead 'notify-submodule-exec'.
Change-Id: I4c282b0ad14b3493026dead4e3b15f2749d5d22e
---
M modules/git/manifests/clone.pp
1 file changed, 67 insertions(+), 12 deletions(-)
Approvals:
BryanDavis: Looks good to me, but someone else must approve
Ori.livneh: Looks good to me, approved
jenkins-bot: Verified
diff --git a/modules/git/manifests/clone.pp b/modules/git/manifests/clone.pp
index df5127a..b25bf75 100644
--- a/modules/git/manifests/clone.pp
+++ b/modules/git/manifests/clone.pp
@@ -20,7 +20,7 @@
# by this user.
# $+group+:: Group owner of $directory, default: 'root'
# $+recurse_submodules:: If true, git
-# $+mode+:: Permission mode of $directory, default: 0755
+# $+mode+:: Permission mode of $directory, default: 2755 if shared, 0755
otherwise
# $+ssh+:: SSH command/wrapper to use when checking out, default: ''
# $+timeout+:: Time out in seconds for the exec command, default: 300
#
@@ -48,16 +48,28 @@
$ensure='present',
$owner='root',
$group='root',
+ $shared=false,
$timeout='300',
$depth='full',
$recurse_submodules=false,
- $mode=0755) {
+ $mode=undef) {
$gerrit_url_format = 'https://gerrit.wikimedia.org/r/p/%s.git'
$remote = $origin ? {
undef => sprintf($gerrit_url_format, $title),
default => $origin,
+ }
+
+ if $mode == undef {
+ $file_mode = $shared ? {
+ true => '2755',
+ default => '0755',
+ }
+ } elsif $shared and $mode !~ /^277\d/ {
+ fail('Shared repositories must leave "mode" unspecified or set to
277?, specified as octal.')
+ } else {
+ $file_mode = $mode
}
case $ensure {
@@ -78,53 +90,97 @@
}
# if branch was specified
if $branch {
- $brancharg = "-b $branch "
+ $brancharg = "-b ${branch} "
}
# else don't checkout a non-default branch
else {
$brancharg = ''
}
if $ssh {
- $env = "GIT_SSH=$ssh"
+ $env = "GIT_SSH=${ssh}"
}
$deptharg = $depth ? {
'full' => '',
- default => " --depth=$depth"
+ default => " --depth=${depth}"
+ }
+
+ if $shared {
+ $umask = '002'
+ $shared_arg = '-c core.sharedRepository=umask'
+ } else {
+ $umask = undef
+ $shared_arg = ''
}
# set PATH for following execs
Exec { path => '/usr/bin:/bin' }
# clone the repository
exec { "git_clone_${title}":
- command => "git clone
${recurse_submodules_arg}${brancharg}${remote}${deptharg} $directory",
+ command => "git ${shared_arg} clone
${recurse_submodules_arg}${brancharg}${remote}${deptharg} ${directory}",
+ umask => $umask,
logoutput => on_failure,
cwd => '/tmp',
environment => $env,
- creates => "$directory/.git/config",
+ creates => "${directory}/.git/config",
user => $owner,
group => $group,
timeout => $timeout,
require => Package['git-core'],
- notify => $notify_submodule_exec,
}
if (!defined(File[$directory])) {
file { $directory:
ensure => 'directory',
- mode => $mode,
+ mode => $file_mode,
owner => $owner,
group => $group,
require => Exec["git_clone_${title}"],
}
}
+ if ( $shared ) {
+ # Changing an existing git repository to be shared by a group
is ugly,
+ # but here's how you do it without causing log churn.
+ exec { "git_clone_${title}_configure_shared_repository":
+ command => 'git config --local core.sharedRepository
false',
+ unless => 'test $(git config --local
core.sharedRepository) = false',
+ umask => $umask,
+ cwd => $directory,
+ require => Exec["git_clone_${title}"],
+ notify => Exec["git_clone_${title}_set_group_owner"],
+ }
+
+ exec { "git_clone_${title}_set_group_owner":
+ command => "chgrp -R '${group}' '${directory}'",
+ onlyif => "find '${directory}' ! -group '${group}'",
+ cwd => $directory,
+ require =>
Exec["git_clone_${title}_configure_shared_repository"],
+ notify => Exec["git_clone_${title}_group_writable"],
+ }
+
+ exec { "git_clone_${title}_group_writable":
+ command => "find '${directory}' ! -perm -g=wX,o= -exec
chmod g+wX,o= '{}' ';'",
+ onlyif => "find '${directory}' ! -perm -g=wX,o=",
+ cwd => $directory,
+ require => Exec["git_clone_${title}_set_group_owner"],
+ notify => Exec["git_clone_${title}_sgid_bit"],
+ }
+
+ exec { "git_clone_${title}_sgid_bit":
+ command => "find '${directory}' -mindepth 1 -type d -and !
-perm -g+s -exec chmod g+s '{}' ';'",
+ onlyif => "find '${directory}' -mindepth 1 -type d -and !
-perm -g+s",
+ cwd => $directory,
+ require => Exec["git_clone_${title}_group_writable"],
+ }
+ }
# pull if $ensure == latest and if there are changes to merge in.
if $ensure == 'latest' {
exec { "git_pull_${title}":
cwd => $directory,
- command => "git pull
${recurse_submodules_arg}--quiet${deptharg}",
+ command => "git ${shared_arg} pull
${recurse_submodules_arg}--quiet${deptharg}",
+ umask => $umask,
logoutput => on_failure,
# git diff --quiet will exit 1 (return false)
# if there are differences
@@ -132,14 +188,13 @@
user => $owner,
group => $group,
require => Exec["git_clone_${title}"],
- notify => $notify_submodule_exec,
}
# If we want submodules up to date, then we need
# to run git submodule update --init after
# git pull is run.
if $recurse_submodules {
exec { "git_submodule_update_${title}":
- command => 'git submodule update --init',
+ command => "git ${shared_arg} submodule update
--init",
cwd => $directory,
environment => $env,
refreshonly => true,
--
To view, visit https://gerrit.wikimedia.org/r/118745
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I4c282b0ad14b3493026dead4e3b15f2749d5d22e
Gerrit-PatchSet: 7
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Ori.livneh <[email protected]>
Gerrit-Reviewer: BryanDavis <[email protected]>
Gerrit-Reviewer: Hashar <[email protected]>
Gerrit-Reviewer: Ori.livneh <[email protected]>
Gerrit-Reviewer: Ottomata <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
