Akosiaris has submitted this change and it was merged. Change subject: contint: publish Zuul git over git protocol ......................................................................
contint: publish Zuul git over git protocol

This is similar as ed2fb38 https://gerrit.wikimedia.org/r/#/c/71968/ which published the Zuul repositories over HTTP using git-http-backend for bug 50695. It turns out the process hangs (bug 53683), so here we publish the Zuul repositories over the git protocol.

* git-daemon-sysvinit package provides all the glue around git daemon command.
* GIT_DAEMON_DIRECTORY and GIT_DAEMON_BASE_PATH are both pointing to Zuul git root path. Let us have URL without a /git/ prefix in the path.
* git-daemon port is firewalled to prevent access from outside.
* added git_daemon to iptables port and protocols tables.

bug: 50695
bug: 53683
Change-Id: I0c50e5dc2899c3f23a875309e1920ee4d51551cf
---
M manifests/iptables.pp
M manifests/role/zuul.pp
M modules/contint/manifests/firewall.pp
A modules/contint/manifests/zuul/git-daemon.pp
A modules/contint/templates/default.git-daemon.erb
5 files changed, 63 insertions(+), 0 deletions(-)

Approvals:
Akosiaris: Looks good to me, approved
jenkins-bot: Verified

diff --git a/manifests/iptables.pp b/manifests/iptables.pp
index 20136cc..a706f8b 100644
--- a/manifests/iptables.pp
+++ b/manifests/iptables.pp
@@ -4,6 +4,7 @@
 beam2 => "5672",
 beam3 => "56918",
 epmd => "4369",
+ git_daemon => "9418",
 glance_api => "9292",
 glance_registry => "9191",
 gmond_tcp => "8649",
@@ -54,6 +55,7 @@
 beam2 => "tcp",
 beam3 => "tcp",
 epmd => "tcp",
+ git_daemon => "tcp",
 glance_api => "tcp",
 glance_registry => "tcp",
 gmond_tcp => "tcp",
diff --git a/manifests/role/zuul.pp b/manifests/role/zuul.pp
index c96d7b8..d89168f 100644
--- a/manifests/role/zuul.pp
+++ b/manifests/role/zuul.pp
@@ -47,6 +47,10 @@ # # https://www.mediawiki.org/wiki/Continuous_integration/Zuul # +# The Zuul git repositories are published over the git:// protocol by using git +# daemon. That allows remote Jenkins slaves to fetch the references crafted by +# Zuul when a change is submitted. +# class role::zuul::production { system_role { 'role::zuul::production': description => 'Zuul on production' } @@ -75,4 +79,8 @@ statsd_host => '', } + class { 'contint::zuul::git-daemon': + zuul_git_dir => $role::zuul::configuration::zuul_git_dir, + } + } # /role::zuul::production diff --git a/modules/contint/manifests/firewall.pp b/modules/contint/manifests/firewall.pp index 5aabec4..8a3f595 100644 --- a/modules/contint/manifests/firewall.pp +++ b/modules/contint/manifests/firewall.pp @@ -9,6 +9,7 @@ iptables_purge_service{ 'deny_all_http-alt': service => 'http-alt' } iptables_purge_service{ 'deny_all_zuul-daemon': service => 'zuul_webservice' } + iptables_purge_service{ 'deny_all_git-daemon': service => 'git_daemon' } } class iptables-accepts { @@ -28,6 +29,8 @@ iptables_add_service{ 'deny_all_http-alt': service => 'http-alt', jump => 'DROP' } # Deny direct access to the Zuul daemon iptables_add_service{ 'deny_all_zuul-daemon': service => 'zuul_webservice', jump => 'DROP' } + # Deny git daemon listening on port 9418 + iptables_add_service{ 'deny_all_git-daemon': service => 'git_daemon', jump => 'DROP' } } class iptables { diff --git a/modules/contint/manifests/zuul/git-daemon.pp b/modules/contint/manifests/zuul/git-daemon.pp new file mode 100644 index 0000000..d67fbea --- /dev/null +++ b/modules/contint/manifests/zuul/git-daemon.pp 
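Review bot: Only a DROP rule for `git_daemon` is added to the drops class in firewall.pp, while the commit message and the new role::zuul::production comment say remote Jenkins slaves must fetch over git://; no accept rule for port 9418 appears anywhere in this change, so either `iptables-accepts` (whose body lies outside this hunk) already admits the slave hosts or their fetches will be dropped — worth confirming before relying on it. Because git daemon performs no authentication of its own, that accept list is the entire access-control boundary for the Zuul refs, so I'd say so where the rule is defined: `# Deny git daemon (port 9418) to everything not admitted in iptables-accepts; git:// has no auth of its own`. The enclosing iptables-drops class starts and ends outside the hunk.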
@@ -0,0 +1,33 @@
+# Class publishing the Zuul repositories with git-daemon
+class contint::zuul::git-daemon(
+ $zuul_git_dir = '/var/lib/zuul/git'
+) {
+
+ packages { 'git-daemon-sysvinit': ensure => present }
+
+ # Point both git daemon paths to the same dir, this way we do not have a
+ # /git/ prefix in the git:// URLs.
+ $git_daemon_directory = $zuul_git_dir
+ $git_daemon_base_path = $zuul_git_dir
+
+ # We dont want to honor `git send-pack` commands so make sure the receive-pack
+ # service is always disabled.
+ $git_daemon_options = '--export-all --forbid-override=receive-pack'
+
+ file { '/etc/default/git-daemon':
+ mode => '0444',
+ owner => 'root',
+ group => 'root',
+ content => template('contint/default.git-daemon.erb'),
+ require => Package['git-daemon-sysvinit'],
+ }
+
+ service { 'git-daemon':
+ ensure => running,
+ enable => true,
+ hasrestart => true,
+ subscribe => File['/etc/default/git-daemon'],
+ require => Package['git-daemon-sysvinit'],
+ }
+
+}
diff --git a/modules/contint/templates/default.git-daemon.erb b/modules/contint/templates/default.git-daemon.erb
new file mode 100644
index 0000000..de8f52d
--- /dev/null
+++ b/modules/contint/templates/default.git-daemon.erb
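Review bot: `--export-all` in `$git_daemon_options` exposes every repository below `$zuul_git_dir` to any client that can reach port 9418, and git daemon does no authentication, so the host iptables accept rules are the only access control on refs that Jenkins slaves then execute; adding `--listen=<internal address>` to the same option string would keep the daemon off public interfaces even if a firewall rule is later purged. The comment above the options also overstates what `--forbid-override=receive-pack` does: receive-pack is disabled by default, and the flag only stops a per-repository `daemon.receivepack` setting from re-enabling it, so I'd reword it to `# receive-pack is off by default; forbid per-repo daemon.receivepack from turning it back on.` Separately, `packages { 'git-daemon-sysvinit': ensure => present }` looks like a typo for `package` unless this repo provides a `packages` define — the two `require => Package['git-daemon-sysvinit']` references suggest the core `package` type was intended, and nothing in this change would catch the mismatch.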
@@ -0,0 +1,17 @@
+### THIS FILE IS MANAGED BY PUPPET
+
+# Defaults for git-daemon initscript
+# sourced by /etc/init.d/git-daemon
+# installed at /etc/default/git-daemon by the maintainer scripts
+
+#
+# This is a POSIX shell fragment
+#
+
+GIT_DAEMON_ENABLE=true
+GIT_DAEMON_USER=gitdaemon
+GIT_DAEMON_DIRECTORY=<%= git_daemon_directory %>
+GIT_DAEMON_BASE_PATH=<%= git_daemon_base_path %>
+
+# Additional options that are passed to the Daemon.
+GIT_DAEMON_OPTIONS="<%= git_daemon_options %>"
--
To view, visit https://gerrit.wikimedia.org/r/82625
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I0c50e5dc2899c3f23a875309e1920ee4d51551cf
Gerrit-PatchSet: 10
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Hashar <has...@free.fr>
Gerrit-Reviewer: Akosiaris <akosia...@wikimedia.org>
Gerrit-Reviewer: Hashar <has...@free.fr>
Gerrit-Reviewer: jenkins-bot

_______________________________________________
MediaWiki-commits mailing list
MediaWiki-commits@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
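Review bot: `GIT_DAEMON_DIRECTORY` and `GIT_DAEMON_BASE_PATH` are interpolated unquoted into a file that the template's own header says /etc/init.d/git-daemon sources as a POSIX shell fragment, so a `$zuul_git_dir` containing whitespace or shell metacharacters would break or alter the init script's argument handling. Quoting both, `GIT_DAEMON_DIRECTORY="<%= git_daemon_directory %>"` and `GIT_DAEMON_BASE_PATH="<%= git_daemon_base_path %>"`, matches the already-quoted `GIT_DAEMON_OPTIONS` line. The value comes from a Puppet class parameter rather than runtime input, so this is hardening against a future misconfiguration rather than a live exposure.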