Merge in docs from openstack-ci.
Change-Id: I49f71f8118e45f28d4b777ddc9588b8e30151d79
This commit is contained in:
parent
215f3afbe2
commit
90531483b0
216
doc/conf.py
Normal file
216
doc/conf.py
Normal file
@ -0,0 +1,216 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# OpenStack CI documentation build configuration file, created by
|
||||
# sphinx-quickstart on Mon Jul 18 13:42:23 2011.
|
||||
#
|
||||
# This file is execfile()d with the current directory set to its containing dir.
|
||||
#
|
||||
# Note that not all possible configuration values are present in this
|
||||
# autogenerated file.
|
||||
#
|
||||
# All configuration values have a default; values that are commented out
|
||||
# serve to show the default.
|
||||
|
||||
import sys, os, datetime
|
||||
|
||||
# If extensions (or modules to document with autodoc) are in another directory,
|
||||
# add these directories to sys.path here. If the directory is relative to the
|
||||
# documentation root, use os.path.abspath to make it absolute, like shown here.
|
||||
#sys.path.insert(0, os.path.abspath('.'))
|
||||
|
||||
# -- General configuration -----------------------------------------------------
|
||||
|
||||
# If your documentation needs a minimal Sphinx version, state it here.
|
||||
#needs_sphinx = '1.0'
|
||||
|
||||
# Add any Sphinx extension module names here, as strings. They can be extensions
|
||||
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
|
||||
extensions = []
|
||||
|
||||
# Add any paths that contain templates here, relative to this directory.
|
||||
templates_path = ['_templates']
|
||||
|
||||
# The suffix of source filenames.
|
||||
source_suffix = '.rst'
|
||||
|
||||
# The encoding of source files.
|
||||
#source_encoding = 'utf-8-sig'
|
||||
|
||||
# The master toctree document.
|
||||
master_doc = 'index'
|
||||
|
||||
# General information about the project.
|
||||
project = u'OpenStack CI'
|
||||
copyright = u'2011, Monty Taylor, James Blair and Andrew Hutchings'
|
||||
|
||||
# The version info for the project you're documenting, acts as replacement for
|
||||
# |version| and |release|, also used in various other places throughout the
|
||||
# built documents.
|
||||
#
|
||||
# The short X.Y version.
|
||||
version = "%d.%02d" % (datetime.datetime.now().year, datetime.datetime.now().month)
|
||||
# The full version, including alpha/beta/rc tags.
|
||||
release = "%d.%02d.%02d" % (datetime.datetime.now().year, datetime.datetime.now().month, datetime.datetime.now().day)
|
||||
|
||||
# The language for content autogenerated by Sphinx. Refer to documentation
|
||||
# for a list of supported languages.
|
||||
#language = None
|
||||
|
||||
# There are two options for replacing |today|: either, you set today to some
|
||||
# non-false value, then it is used:
|
||||
#today = ''
|
||||
# Else, today_fmt is used as the format for a strftime call.
|
||||
#today_fmt = '%B %d, %Y'
|
||||
|
||||
# List of patterns, relative to source directory, that match files and
|
||||
# directories to ignore when looking for source files.
|
||||
exclude_patterns = []
|
||||
|
||||
# The reST default role (used for this markup: `text`) to use for all documents.
|
||||
#default_role = None
|
||||
|
||||
# If true, '()' will be appended to :func: etc. cross-reference text.
|
||||
#add_function_parentheses = True
|
||||
|
||||
# If true, the current module name will be prepended to all description
|
||||
# unit titles (such as .. function::).
|
||||
#add_module_names = True
|
||||
|
||||
# If true, sectionauthor and moduleauthor directives will be shown in the
|
||||
# output. They are ignored by default.
|
||||
#show_authors = False
|
||||
|
||||
# The name of the Pygments (syntax highlighting) style to use.
|
||||
pygments_style = 'sphinx'
|
||||
|
||||
# A list of ignored prefixes for module index sorting.
|
||||
#modindex_common_prefix = []
|
||||
|
||||
|
||||
# -- Options for HTML output ---------------------------------------------------
|
||||
|
||||
# The theme to use for HTML and HTML Help pages. See the documentation for
|
||||
# a list of builtin themes.
|
||||
html_theme = 'default'
|
||||
|
||||
# Theme options are theme-specific and customize the look and feel of a theme
|
||||
# further. For a list of options available for each theme, see the
|
||||
# documentation.
|
||||
#html_theme_options = {}
|
||||
|
||||
# Add any paths that contain custom themes here, relative to this directory.
|
||||
#html_theme_path = []
|
||||
|
||||
# The name for this set of Sphinx documents. If None, it defaults to
|
||||
# "<project> v<release> documentation".
|
||||
#html_title = None
|
||||
|
||||
# A shorter title for the navigation bar. Default is the same as html_title.
|
||||
#html_short_title = None
|
||||
|
||||
# The name of an image file (relative to this directory) to place at the top
|
||||
# of the sidebar.
|
||||
#html_logo = None
|
||||
|
||||
# The name of an image file (within the static path) to use as favicon of the
|
||||
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
|
||||
# pixels large.
|
||||
#html_favicon = None
|
||||
|
||||
# Add any paths that contain custom static files (such as style sheets) here,
|
||||
# relative to this directory. They are copied after the builtin static files,
|
||||
# so a file named "default.css" will overwrite the builtin "default.css".
|
||||
html_static_path = ['_static']
|
||||
|
||||
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
|
||||
# using the given strftime format.
|
||||
#html_last_updated_fmt = '%b %d, %Y'
|
||||
|
||||
# If true, SmartyPants will be used to convert quotes and dashes to
|
||||
# typographically correct entities.
|
||||
#html_use_smartypants = True
|
||||
|
||||
# Custom sidebar templates, maps document names to template names.
|
||||
#html_sidebars = {}
|
||||
|
||||
# Additional templates that should be rendered to pages, maps page names to
|
||||
# template names.
|
||||
#html_additional_pages = {}
|
||||
|
||||
# If false, no module index is generated.
|
||||
#html_domain_indices = True
|
||||
|
||||
# If false, no index is generated.
|
||||
#html_use_index = True
|
||||
|
||||
# If true, the index is split into individual pages for each letter.
|
||||
#html_split_index = False
|
||||
|
||||
# If true, links to the reST sources are added to the pages.
|
||||
#html_show_sourcelink = True
|
||||
|
||||
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
|
||||
#html_show_sphinx = True
|
||||
|
||||
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
|
||||
#html_show_copyright = True
|
||||
|
||||
# If true, an OpenSearch description file will be output, and all pages will
|
||||
# contain a <link> tag referring to it. The value of this option must be the
|
||||
# base URL from which the finished HTML is served.
|
||||
#html_use_opensearch = ''
|
||||
|
||||
# This is the file name suffix for HTML files (e.g. ".xhtml").
|
||||
#html_file_suffix = None
|
||||
|
||||
# Output file base name for HTML help builder.
|
||||
htmlhelp_basename = 'OpenStackCIdoc'
|
||||
|
||||
|
||||
# -- Options for LaTeX output --------------------------------------------------
|
||||
|
||||
# The paper size ('letter' or 'a4').
|
||||
#latex_paper_size = 'letter'
|
||||
|
||||
# The font size ('10pt', '11pt' or '12pt').
|
||||
#latex_font_size = '10pt'
|
||||
|
||||
# Grouping the document tree into LaTeX files. List of tuples
|
||||
# (source start file, target name, title, author, documentclass [howto/manual]).
|
||||
latex_documents = [
|
||||
('index', 'OpenStackCI.tex', u'OpenStack CI Documentation',
|
||||
u'Monty Taylor and James Blair', 'manual'),
|
||||
]
|
||||
|
||||
# The name of an image file (relative to this directory) to place at the top of
|
||||
# the title page.
|
||||
#latex_logo = None
|
||||
|
||||
# For "manual" documents, if this is true, then toplevel headings are parts,
|
||||
# not chapters.
|
||||
#latex_use_parts = False
|
||||
|
||||
# If true, show page references after internal links.
|
||||
#latex_show_pagerefs = False
|
||||
|
||||
# If true, show URL addresses after external links.
|
||||
#latex_show_urls = False
|
||||
|
||||
# Additional stuff for the LaTeX preamble.
|
||||
#latex_preamble = ''
|
||||
|
||||
# Documents to append as an appendix to all manuals.
|
||||
#latex_appendices = []
|
||||
|
||||
# If false, no module index is generated.
|
||||
#latex_domain_indices = True
|
||||
|
||||
|
||||
# -- Options for manual page output --------------------------------------------
|
||||
|
||||
# One entry per manual page. List of tuples
|
||||
# (source start file, name, description, authors, manual section).
|
||||
man_pages = [
|
||||
('index', 'openstackci', u'OpenStack CI Documentation',
|
||||
[u'Monty Taylor, James Blair and Andrew Hutchings'], 1)
|
||||
]
|
979
doc/gerrit.rst
Normal file
979
doc/gerrit.rst
Normal file
@ -0,0 +1,979 @@
|
||||
:title: Gerrit Installation
|
||||
|
||||
Gerrit
|
||||
######
|
||||
|
||||
Objective
|
||||
*********
|
||||
|
||||
A workflow where developers submit changes to gerrit, changes are
|
||||
peer-reviewed and automatically tested by Jenkins before being
|
||||
committed to the main repo. The public repo is on github.
|
||||
|
||||
References
|
||||
**********
|
||||
|
||||
* http://gerrit.googlecode.com/svn/documentation/2.2.1/install.html
|
||||
* http://feeding.cloud.geek.nz/2011/04/code-reviews-with-gerrit-and-gitorious.html
|
||||
* http://feeding.cloud.geek.nz/2011/05/integrating-launchpad-and-gerrit-code.html
|
||||
* http://www.infoq.com/articles/Gerrit-jenkins-hudson
|
||||
* https://wiki.jenkins-ci.org/display/JENKINS/Gerrit+Trigger
|
||||
* https://wiki.mahara.org/index.php/Developer_Area/Developer_Tools
|
||||
|
||||
Known Issues
|
||||
************
|
||||
|
||||
* Don't use innodb until at least gerrit 2.2.2 because of:
|
||||
http://code.google.com/p/gerrit/issues/detail?id=518
|
||||
|
||||
Installation
|
||||
************
|
||||
|
||||
Host Installation
|
||||
=================
|
||||
|
||||
Prepare Host
|
||||
------------
|
||||
This sets the host up with the standard OpenStack system
|
||||
administration configuration. Skip this if you're not setting up a
|
||||
host for use by the OpenStack project.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sudo apt-get install puppet git openjdk-6-jre-headless mysql-server
|
||||
git clone git://github.com/openstack/openstack-ci-puppet.git
|
||||
cd openstack-ci-puppet/
|
||||
sudo puppet apply --modulepath=modules manifests/site.pp
|
||||
|
||||
Install MySQL
|
||||
-------------
|
||||
You should setup MySQL as follows, changing 'secret' to a suitable password:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
mysql -u root -p
|
||||
|
||||
.. code-block:: mysql
|
||||
|
||||
CREATE USER 'gerrit2'@'localhost' IDENTIFIED BY 'secret';
|
||||
CREATE DATABASE reviewdb;
|
||||
ALTER DATABASE reviewdb charset=latin1;
|
||||
GRANT ALL ON reviewdb.* TO 'gerrit2'@'localhost';
|
||||
FLUSH PRIVILEGES;
|
||||
|
||||
Then create the gerrit2 system user as follows:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sudo useradd -mr gerrit2
|
||||
sudo chsh gerrit2 -s /bin/bash
|
||||
sudo su - gerrit2
|
||||
|
||||
With Gerrit 2.2.2 onwards edit /etc/mysql/my.cnf with the following:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[mysqld]
|
||||
default-storage-engine=INNODB
|
||||
|
||||
Install Gerrit
|
||||
--------------
|
||||
|
||||
Note that Openstack's gerrit installation currently uses a custom .war of gerrit
|
||||
2.2.2. The following instruction is for the generic gerrit binaries:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
wget http://gerrit.googlecode.com/files/gerrit-2.2.1.war
|
||||
mv gerrit-2.2.1.war gerrit.war
|
||||
java -jar gerrit.war init -d review_site
|
||||
|
||||
The .war file will bring up an interactive tool to change the settings, these
|
||||
should be set as follows. Note that the password configured earlier for MySQL
|
||||
should be provided when prompted::
|
||||
|
||||
*** Gerrit Code Review 2.2.1
|
||||
***
|
||||
|
||||
Create '/home/gerrit2/review_site' [Y/n]?
|
||||
|
||||
*** Git Repositories
|
||||
***
|
||||
|
||||
Location of Git repositories [git]:
|
||||
|
||||
*** SQL Database
|
||||
***
|
||||
|
||||
Database server type [H2/?]: ?
|
||||
Supported options are:
|
||||
h2
|
||||
postgresql
|
||||
mysql
|
||||
jdbc
|
||||
Database server type [H2/?]: mysql
|
||||
|
||||
Gerrit Code Review is not shipped with MySQL Connector/J 5.1.10
|
||||
** This library is required for your configuration. **
|
||||
Download and install it now [Y/n]?
|
||||
Downloading http://repo2.maven.org/maven2/mysql/mysql-connector-java/5.1.10/mysql-connector-java-5.1.10.jar ... OK
|
||||
Checksum mysql-connector-java-5.1.10.jar OK
|
||||
Server hostname [localhost]:
|
||||
Server port [(MYSQL default)]:
|
||||
Database name [reviewdb]:
|
||||
Database username [gerrit2]:
|
||||
gerrit2's password :
|
||||
confirm password :
|
||||
|
||||
*** User Authentication
|
||||
***
|
||||
|
||||
Authentication method [OPENID/?]:
|
||||
|
||||
*** Email Delivery
|
||||
***
|
||||
|
||||
SMTP server hostname [localhost]:
|
||||
SMTP server port [(default)]:
|
||||
SMTP encryption [NONE/?]:
|
||||
SMTP username :
|
||||
|
||||
*** Container Process
|
||||
***
|
||||
|
||||
Run as [gerrit2]:
|
||||
Java runtime [/usr/lib/jvm/java-6-openjdk/jre]:
|
||||
Copy gerrit.war to /home/gerrit2/review_site/bin/gerrit.war [Y/n]?
|
||||
Copying gerrit.war to /home/gerrit2/review_site/bin/gerrit.war
|
||||
|
||||
*** SSH Daemon
|
||||
***
|
||||
|
||||
Listen on address [*]:
|
||||
Listen on port [29418]:
|
||||
|
||||
Gerrit Code Review is not shipped with Bouncy Castle Crypto v144
|
||||
If available, Gerrit can take advantage of features
|
||||
in the library, but will also function without it.
|
||||
Download and install it now [Y/n]?
|
||||
Downloading http://www.bouncycastle.org/download/bcprov-jdk16-144.jar ... OK
|
||||
Checksum bcprov-jdk16-144.jar OK
|
||||
Generating SSH host key ... rsa... dsa... done
|
||||
|
||||
*** HTTP Daemon
|
||||
***
|
||||
|
||||
Behind reverse proxy [y/N]? y
|
||||
Proxy uses SSL (https://) [y/N]? y
|
||||
Subdirectory on proxy server [/]:
|
||||
Listen on address [*]:
|
||||
Listen on port [8081]:
|
||||
Canonical URL [https://review.openstack.org/]:
|
||||
|
||||
Initialized /home/gerrit2/review_site
|
||||
Executing /home/gerrit2/review_site/bin/gerrit.sh start
|
||||
Starting Gerrit Code Review: OK
|
||||
Waiting for server to start ... OK
|
||||
Opening browser ...
|
||||
Please open a browser and go to https://review.openstack.org/#admin,projects
|
||||
|
||||
Configure Gerrit
|
||||
----------------
|
||||
|
||||
The file /home/gerrit2/review_site/etc/gerrit.config will be setup automatically
|
||||
by puppet.
|
||||
|
||||
Set Gerrit to start on boot:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
ln -snf /home/gerrit2/review_site/bin/gerrit.sh /etc/init.d/gerrit
|
||||
update-rc.d gerrit defaults 90 10
|
||||
|
||||
Then create the file ``/etc/default/gerritcodereview`` with the following
|
||||
contents:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
GERRIT_SITE=/home/gerrit2/review_site
|
||||
|
||||
Add "Approved" review type to gerrit:
|
||||
|
||||
.. code-block:: mysql
|
||||
|
||||
mysql -u root -p
|
||||
use reviewdb;
|
||||
insert into approval_categories values ('Approved', 'A', 2, 'MaxNoBlock', 'N', 'APRV');
|
||||
insert into approval_category_values values ('No score', 'APRV', 0);
|
||||
insert into approval_category_values values ('Approved', 'APRV', 1);
|
||||
update approval_category_values set name = "Looks good to me (core reviewer)" where name="Looks good to me, approved";
|
||||
|
||||
Expand "Verified" review type to -2/+2:
|
||||
|
||||
.. code-block:: mysql
|
||||
|
||||
mysql -u root -p
|
||||
use reviewdb;
|
||||
update approval_category_values set value=2
|
||||
where value=1 and category_id='VRIF';
|
||||
update approval_category_values set value=-2
|
||||
where value=-1 and category_id='VRIF';
|
||||
insert into approval_category_values values
|
||||
("Doesn't seem to work","VRIF",-1),
|
||||
("Works for me","VRIF","1");
|
||||
|
||||
Reword the default messages that use the word Submit, as they imply that
|
||||
we're not happy with people for submitting the patch in the first place:
|
||||
|
||||
.. code-block:: mysql
|
||||
|
||||
mysql -u root -p
|
||||
use reviewdb;
|
||||
update approval_category_values set name="Do not merge"
|
||||
where category_id='CRVW' and value=-2;
|
||||
update approval_category_values
|
||||
set name="I would prefer that you didn't merge this"
|
||||
where category_id='CRVW' and value=-1;
|
||||
|
||||
OpenStack currently uses a hybrid approach for CLA enforcement. We
|
||||
use Gerrit's built in CLA system to ensure that contributors have
|
||||
signed the CLA, but contributors don't actually use Gerrit to sign it.
|
||||
Instead, developers use an external service (Echosign) to agree to the
|
||||
CLA, and then request membership in a Launchpad group called
|
||||
"openstack-cla". The moderators of that group (core members of any
|
||||
OpenStack project) approve membership requests after verifying that
|
||||
new contributors have signed the CLA at Echosign. The openstack-cla
|
||||
group is kept synchronized with Gerrit. Gerrit is then configured
|
||||
with a "dummy" CLA (which users are not expected to see), and the
|
||||
administrator indicates to Gerrit that the entire openstack-cla group
|
||||
has agreed to the CLA. This lets Gerrit enforce that the CLA has been
|
||||
signed while the actual facility to sign it in Gerrit is disabled via
|
||||
a source patch.
|
||||
|
||||
This configuration is not recommended for new projects and is merely
|
||||
an artifact of legal requirements placed on the OpenStack project.
|
||||
Here are the SQL commands to set it up:
|
||||
|
||||
.. code-block:: mysql
|
||||
|
||||
insert into contributor_agreement_id values (NULL);
|
||||
insert into contributor_agreements values ('Y', 'N', 'N', 'CLA (Echosign)',
|
||||
'OpenStack CLA via Echosign', 'static/echosign-cla.html', 1);
|
||||
|
||||
insert into account_group_agreements values (
|
||||
now(), 'V', 1, now(), NULL,
|
||||
(select group_id from account_group_names where name='openstack-cla'),
|
||||
1);
|
||||
|
||||
|
||||
Install Apache
|
||||
--------------
|
||||
::
|
||||
|
||||
apt-get install apache2
|
||||
|
||||
Create: /etc/apache2/sites-available/gerrit:
|
||||
|
||||
.. code-block:: apacheconf
|
||||
|
||||
<VirtualHost *:80>
|
||||
ServerAdmin webmaster@localhost
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/gerrit-error.log
|
||||
|
||||
LogLevel warn
|
||||
|
||||
CustomLog ${APACHE_LOG_DIR}/gerrit-access.log combined
|
||||
|
||||
Redirect / https://review-dev.openstack.org/
|
||||
|
||||
</VirtualHost>
|
||||
|
||||
<IfModule mod_ssl.c>
|
||||
<VirtualHost _default_:443>
|
||||
ServerAdmin webmaster@localhost
|
||||
|
||||
ErrorLog ${APACHE_LOG_DIR}/gerrit-ssl-error.log
|
||||
|
||||
LogLevel warn
|
||||
|
||||
CustomLog ${APACHE_LOG_DIR}/gerrit-ssl-access.log combined
|
||||
|
||||
SSLEngine on
|
||||
|
||||
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
|
||||
#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
|
||||
|
||||
<FilesMatch "\.(cgi|shtml|phtml|php)$">
|
||||
SSLOptions +StdEnvVars
|
||||
</FilesMatch>
|
||||
<Directory /usr/lib/cgi-bin>
|
||||
SSLOptions +StdEnvVars
|
||||
</Directory>
|
||||
|
||||
BrowserMatch "MSIE [2-6]" \
|
||||
nokeepalive ssl-unclean-shutdown \
|
||||
downgrade-1.0 force-response-1.0
|
||||
# MSIE 7 and newer should be able to use keepalive
|
||||
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
|
||||
|
||||
RewriteEngine on
|
||||
RewriteCond %{HTTP_HOST} !review-dev.openstack.org
|
||||
RewriteRule ^.*$ https://review-dev.openstack.org/
|
||||
|
||||
ProxyPassReverse / http://localhost:8081/
|
||||
<Location />
|
||||
Order allow,deny
|
||||
Allow from all
|
||||
ProxyPass http://localhost:8081/ retry=0
|
||||
</Location>
|
||||
|
||||
|
||||
</VirtualHost>
|
||||
</IfModule>
|
||||
|
||||
Run the following commands:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
a2enmod ssl proxy proxy_http rewrite
|
||||
a2ensite gerrit
|
||||
a2dissite default
|
||||
|
||||
Install Exim
|
||||
------------
|
||||
::
|
||||
|
||||
apt-get install exim4
|
||||
dpkg-reconfigure exim4-config
|
||||
|
||||
Choose "internet site", otherwise select defaults
|
||||
|
||||
edit: /etc/default/exim4 ::
|
||||
|
||||
QUEUEINTERVAL='5m'
|
||||
|
||||
GitHub Setup
|
||||
============
|
||||
|
||||
Generate an SSH key for Gerrit for use on GitHub
|
||||
------------------------------------------------
|
||||
::
|
||||
|
||||
sudo su - gerrit2
|
||||
gerrit2@gerrit:~$ ssh-keygen
|
||||
Generating public/private rsa key pair.
|
||||
Enter file in which to save the key (/home/gerrit2/.ssh/id_rsa):
|
||||
Created directory '/home/gerrit2/.ssh'.
|
||||
Enter passphrase (empty for no passphrase):
|
||||
Enter same passphrase again:
|
||||
|
||||
GitHub Configuration
|
||||
--------------------
|
||||
|
||||
#. create openstack-gerrit user on github
|
||||
#. add gerrit2 ssh public key to openstack-gerrit user
|
||||
#. create gerrit team in openstack org on github with push/pull access
|
||||
#. add openstack-gerrit to gerrit team in openstack org
|
||||
#. add public master repo to gerrit team in openstack org
|
||||
#. save github host key in known_hosts
|
||||
|
||||
::
|
||||
|
||||
gerrit2@gerrit:~$ ssh git@github.com
|
||||
The authenticity of host 'github.com (207.97.227.239)' can't be established.
|
||||
RSA key fingerprint is 16:27:ac:a5:76:28:2d:36:63:1b:56:4d:eb:df:a6:48.
|
||||
Are you sure you want to continue connecting (yes/no)? yes
|
||||
Warning: Permanently added 'github.com,207.97.227.239' (RSA) to the list of known hosts.
|
||||
PTY allocation request failed on channel 0
|
||||
|
||||
You will also need to create the file ``github.secure.config`` in the gerrit2 user's home directory. The contents of this are as follows:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[github]
|
||||
username = guthub-user
|
||||
api_token = hexstring
|
||||
|
||||
The username should be the github username for gerrit to use when communicating
|
||||
with github. The api_token can be found in github's account setting for the
|
||||
account.
|
||||
|
||||
Gerrit Replication to GitHub
|
||||
----------------------------
|
||||
|
||||
The file ``review_site/etc/replication.config`` is needed with the following
|
||||
contents:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[remote "github"]
|
||||
url = git@github.com:${name}.git
|
||||
|
||||
Jenkins / Gerrit Integration
|
||||
============================
|
||||
|
||||
Create a Jenkins User in Gerrit
|
||||
-------------------------------
|
||||
|
||||
With the jenkins public key, as a gerrit admin user::
|
||||
|
||||
cat jenkins.pub | ssh -p29418 review.openstack.org gerrit create-account --ssh-key - --full-name Jenkins jenkins
|
||||
|
||||
Create "CI Systems" group in gerrit, make jenkins a member
|
||||
|
||||
Create a Gerrit Git Prep Job in Jenkins
|
||||
---------------------------------------
|
||||
|
||||
When gating trunk with Jenkins, we want to test changes as they will
|
||||
appear once merged by Gerrit, but the gerrit trigger plugin will, by
|
||||
default, test them as submitted. If HEAD moves on while the change is
|
||||
under review, it may end up getting merged with HEAD, and we want to
|
||||
test the result.
|
||||
|
||||
To do that, make sure the "Hudson Template Project plugin" is
|
||||
installed, then set up a new job called "Gerrit Git Prep", and add a
|
||||
shell command build step (no other configuration)::
|
||||
|
||||
#!/bin/sh -x
|
||||
git checkout $GERRIT_BRANCH
|
||||
git reset --hard remotes/origin/$GERRIT_BRANCH
|
||||
git merge FETCH_HEAD
|
||||
CODE=$?
|
||||
if [ ${CODE} -ne 0 ]; then
|
||||
git reset --hard remotes/origin/$GERRIT_BRANCH
|
||||
exit ${CODE}
|
||||
fi
|
||||
|
||||
Later, we will configure Jenkins jobs that we want to behave this way
|
||||
to use this build step.
|
||||
|
||||
Auto Review Expiry
|
||||
==================
|
||||
|
||||
Puppet automatically installs a daily cron job called ``expire_old_reviews.py``
|
||||
onto the gerrit servers. This script follows two rules:
|
||||
|
||||
#. If the review hasn't been touched in 2 weeks, mark as abandoned.
|
||||
#. If there is a negative review and it hasn't been touched in 1 week, mark as
|
||||
abandoned.
|
||||
|
||||
If your review gets touched by either of these rules it is possible to
|
||||
unabandon a review on the gerrit web interface.
|
||||
|
||||
Launchpad Sync
|
||||
==============
|
||||
|
||||
The launchpad user sync process consists of two scripts which are in
|
||||
openstack/openstack-ci on github: sync_launchpad_gerrit.py and
|
||||
insert_gerrit.py.
|
||||
|
||||
Both scripts should be run as gerrit2 on review.openstack.org
|
||||
|
||||
sync_launchpad_users.py runs and creates a python pickle file, users.pickle,
|
||||
with all of the user and group information. This is a long process. (12
|
||||
minutes)
|
||||
|
||||
insert_gerrit.py reads the pickle file and applies it to the MySQL database.
|
||||
The gerrit caches must then be flushed.
|
||||
|
||||
Depends
|
||||
-------
|
||||
::
|
||||
|
||||
apt-get install python-mysqldb python-openid python-launchpadlib
|
||||
|
||||
Keys
|
||||
----
|
||||
|
||||
The key for the launchpad sync user is in ~/.ssh/launchpad_rsa. Connecting
|
||||
to Launchpad requires oauth authentication - so the first time
|
||||
sync_launchpad_gerrit.py is run, it will display a URL. Open this URL in a
|
||||
browser and log in to launchpad as the hudson-openstack user. Subsequent
|
||||
runs will run with cached credentials.
|
||||
|
||||
Running
|
||||
-------
|
||||
::
|
||||
|
||||
cd openstack-ci
|
||||
git pull
|
||||
python sync_launchpad_gerrit.py
|
||||
python insert_gerrit.py
|
||||
ssh -i /home/gerrit2/.ssh/launchpadsync_rsa -p29418 review.openstack.org gerrit flush-caches
|
||||
|
||||
Gerrit IRC Bot
|
||||
==============
|
||||
|
||||
Installation
|
||||
------------
|
||||
|
||||
Ensure there is an up-to-date checkout of openstack-ci in ~gerrit2.
|
||||
|
||||
::
|
||||
|
||||
apt-get install python-irclib python-daemon
|
||||
cp ~gerrit2/openstack-ci/gerritbot.init /etc/init.d
|
||||
chmod a+x /etc/init.d/gerritbot
|
||||
update-rc.d gerritbot defaults
|
||||
su - gerrit2
|
||||
ssh-keygen -f /home/gerrit2/.ssh/gerritbot_rsa
|
||||
|
||||
As a Gerrit admin, create a user for gerritbot::
|
||||
|
||||
cat ~gerrit2/.ssh/gerritbot_rsa | ssh -p29418 gerrit.openstack.org gerrit create-account --ssh-key - --full-name GerritBot gerritbot
|
||||
|
||||
Configure gerritbot, including which events should be announced in the
|
||||
gerritbot.config file:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[ircbot]
|
||||
nick=NICNAME
|
||||
pass=PASSWORD
|
||||
server=irc.freenode.net
|
||||
channel=openstack-dev
|
||||
port=6667
|
||||
|
||||
[gerrit]
|
||||
user=gerritbot
|
||||
key=/home/gerrit2/.ssh/gerritbot_rsa
|
||||
host=review.openstack.org
|
||||
port=29418
|
||||
events=patchset-created, change-merged, x-vrif-minus-1, x-crvw-minus-2
|
||||
|
||||
Register an account with NickServ on FreeNode, and put the account and
|
||||
password in the config file.
|
||||
|
||||
::
|
||||
|
||||
sudo /etc/init.d/gerritbot start
|
||||
|
||||
Launchpad Bug Integration
|
||||
=========================
|
||||
|
||||
In addition to the hyperlinks provided by the regex in gerrit.config,
|
||||
we use a Gerrit hook to update Launchpad bugs when changes referencing
|
||||
them are applied.
|
||||
|
||||
Installation
|
||||
------------
|
||||
|
||||
Ensure an up-to-date checkout of openstack-ci is in ~gerrit2.
|
||||
|
||||
::
|
||||
|
||||
apt-get install python-pyme
|
||||
cp ~gerrit2/gerrit-hooks/change-merged ~gerrit2/review_site/hooks/
|
||||
|
||||
Create a GPG and register it with Launchpad::
|
||||
|
||||
gerrit2@gerrit:~$ gpg --gen-key
|
||||
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
|
||||
This is free software: you are free to change and redistribute it.
|
||||
There is NO WARRANTY, to the extent permitted by law.
|
||||
|
||||
Please select what kind of key you want:
|
||||
(1) RSA and RSA (default)
|
||||
(2) DSA and Elgamal
|
||||
(3) DSA (sign only)
|
||||
(4) RSA (sign only)
|
||||
Your selection?
|
||||
RSA keys may be between 1024 and 4096 bits long.
|
||||
What keysize do you want? (2048)
|
||||
Requested keysize is 2048 bits
|
||||
Please specify how long the key should be valid.
|
||||
0 = key does not expire
|
||||
<n> = key expires in n days
|
||||
<n>w = key expires in n weeks
|
||||
<n>m = key expires in n months
|
||||
<n>y = key expires in n years
|
||||
Key is valid for? (0)
|
||||
Key does not expire at all
|
||||
Is this correct? (y/N) y
|
||||
|
||||
You need a user ID to identify your key; the software constructs the user ID
|
||||
from the Real Name, Comment and Email Address in this form:
|
||||
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
|
||||
|
||||
Real name: Openstack Gerrit
|
||||
Email address: review@openstack.org
|
||||
Comment:
|
||||
You selected this USER-ID:
|
||||
"Openstack Gerrit <review@openstack.org>"
|
||||
|
||||
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
|
||||
You need a Passphrase to protect your secret key.
|
||||
|
||||
gpg: gpg-agent is not available in this session
|
||||
You don't want a passphrase - this is probably a *bad* idea!
|
||||
I will do it anyway. You can change your passphrase at any time,
|
||||
using this program with the option "--edit-key".
|
||||
|
||||
We need to generate a lot of random bytes. It is a good idea to perform
|
||||
some other action (type on the keyboard, move the mouse, utilize the
|
||||
disks) during the prime generation; this gives the random number
|
||||
generator a better chance to gain enough entropy.
|
||||
|
||||
gpg: /home/gerrit2/.gnupg/trustdb.gpg: trustdb created
|
||||
gpg: key 382ACA7F marked as ultimately trusted
|
||||
public and secret key created and signed.
|
||||
|
||||
gpg: checking the trustdb
|
||||
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
|
||||
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
|
||||
pub 2048R/382ACA7F 2011-07-26
|
||||
Key fingerprint = 21EF 7F30 C281 F61F 44CD EC48 7424 9762 382A CA7F
|
||||
uid Openstack Gerrit <review@openstack.org>
|
||||
sub 2048R/95F6FA4A 2011-07-26
|
||||
|
||||
gerrit2@gerrit:~$ gpg --send-keys --keyserver keyserver.ubuntu.com 382ACA7F
|
||||
gpg: sending key 382ACA7F to hkp server keyserver.ubuntu.com
|
||||
|
||||
Log into the Launchpad account and add the GPG key to the account.
|
||||
|
||||
Adding New Projects
|
||||
*******************
|
||||
|
||||
Creating a Project in Gerrit
|
||||
============================
|
||||
|
||||
Using ssh key of a gerrit admin (you)::
|
||||
|
||||
ssh -p 29418 review.openstack.org gerrit create-project --name openstack/PROJECT
|
||||
|
||||
If the project is an API project (eg, image-api), we want it to share
|
||||
some extra permissions that are common to all API projects (eg, the
|
||||
OpenStack documentation coordinators can approve changes, see
|
||||
:ref:`acl`). Run the following command to reparent the project if it
|
||||
is an API project::
|
||||
|
||||
ssh -p 29418 gerrit.openstack.org gerrit set-project-parent --parent API-Projects openstack/PROJECT
|
||||
|
||||
Add yourself to the "Project Bootstrappers" group in Gerrit which will
|
||||
give you permissions to push to the repo bypassing code review.
|
||||
|
||||
Do the initial push of the project with::
|
||||
|
||||
git push ssh://USERNAME@review.openstack.org:29418/openstack/PROJECT.git HEAD:refs/heads/master
|
||||
git push --tags ssh://USERNAME@review.openstack.org:29418/openstack/PROJECT.git
|
||||
|
||||
Remove yourself from the "Project Bootstrappers" group, and then set
|
||||
the access controls as specified in :ref:`acl`.
|
||||
|
||||
Have Jenkins Monitor a Gerrit Project
|
||||
=====================================
|
||||
|
||||
In jenkins, under source code management:
|
||||
|
||||
* select git
|
||||
|
||||
* url: ssh://jenkins@review.openstack.org:29418/openstack/project.git
|
||||
* click "advanced"
|
||||
|
||||
* refspec: $GERRIT_REFSPEC
|
||||
* branches: origin/$GERRIT_BRANCH
|
||||
* click "advanced"
|
||||
|
||||
* choosing stragety: gerrit trigger
|
||||
|
||||
* select gerrit event under build triggers:
|
||||
|
||||
* Trigger on Comment Added
|
||||
|
||||
* Approval Category: APRV
|
||||
* Approval Value: 1
|
||||
|
||||
* plain openstack/project
|
||||
* path **
|
||||
|
||||
* Select "Add build step" under "Build"
|
||||
|
||||
* select "Use builders from another project"
|
||||
* Template Project: "Gerrit Git Prep"
|
||||
* make sure this build step is the first in the sequence
|
||||
|
||||
Create a Project in GitHub
|
||||
==========================
|
||||
|
||||
As a github openstack admin:
|
||||
|
||||
* Visit https://github.com/organizations/openstack
|
||||
* Click New Repository
|
||||
* Visit the gerrit team admin page
|
||||
* Add the new repository to the gerrit team
|
||||
|
||||
Pull requests can not be disabled for a project in Github, so instead
|
||||
we have a script that runs from cron to close any open pull requests
|
||||
with instructions to use Gerrit.
|
||||
|
||||
* Edit openstack/openstack-ci-puppet:manifests/site.pp
|
||||
|
||||
and add the project to the list of github projects in the gerrit class
|
||||
for the gerrit.openstack.org node.
|
||||
|
||||
Migrating a Project from bzr
|
||||
============================
|
||||
|
||||
Add the bzr PPA and install bzr-fastimport:
|
||||
|
||||
add-apt-repository ppa:bzr/ppa
|
||||
apt-get update
|
||||
apt-get install bzr-fastimport
|
||||
|
||||
Doing this from the bzr PPA is important to ensure at least version 0.10 of
|
||||
bzr-fastimport.
|
||||
|
||||
Clone the git-bzr-ng from termie:
|
||||
|
||||
git clone https://github.com/termie/git-bzr-ng.git
|
||||
|
||||
In git-bzr-ng, you'll find a script, git-bzr. Put it somewhere in your path.
|
||||
Then, to get a git repo which contains the migrated bzr branch, run:
|
||||
|
||||
git bzr clone lp:${BRANCHNAME} ${LOCATION}
|
||||
|
||||
So, for instance, to do glance, you would do:
|
||||
|
||||
git bzr clone lp:glance glance
|
||||
|
||||
And you will then have a git repo of glance in the glance dir. This git repo
|
||||
is now suitable for uploading in to gerrit to become the new master repo.
|
||||
|
||||
Project Config
|
||||
==============
|
||||
|
||||
There are a few options which need to be enabled on the project in the Admin
|
||||
interface.
|
||||
|
||||
* Merge Strategy should be set to "Merge If Necessary"
|
||||
* "Automatically resolve conflicts" should be enabled
|
||||
* "Require Change-Id in commit message" should be enabled
|
||||
* "Require a valid contributor agreement to upload" should be enabled
|
||||
|
||||
Optionally, if the PTL agrees to it:
|
||||
|
||||
* "Require the first line of the commit to be 50 characters or less" should
|
||||
be enabled.
|
||||
|
||||
.. _acl:
|
||||
|
||||
Access Controls
|
||||
***************
|
||||
|
||||
High level goals:
|
||||
|
||||
#. Anonymous users can read all projects.
|
||||
#. All registered users can perform informational code review (+/-1)
|
||||
on any project.
|
||||
#. Jenkins can perform verification (blocking or approving: +/-1).
|
||||
#. All registered users can create changes.
|
||||
#. The OpenStack Release Manager and Jenkins can tag releases (push
|
||||
annotated tags).
|
||||
#. Members of $PROJECT-core group can perform full code review
|
||||
(blocking or approving: +/- 2), and submit changes to be merged.
|
||||
#. Members of openstack-release (Release Manager and PTLs), and
|
||||
$PROJECT-drivers (PTL and release minded people) exclusively can
|
||||
perform full code review (blocking or approving: +/- 2), and submit
|
||||
changes to be merged on milestone-proposed branches.
|
||||
#. Full code review (+/- 2) of API projects should be available to the
|
||||
-core group of the corresponding implementation project as well as to
|
||||
the OpenStack Documentation Coordinators.
|
||||
#. Full code review of stable branches should be available to the
|
||||
-core group of the project as well as the openstack-stable-maint
|
||||
group.
|
||||
|
||||
To manage API project permissions collectively across projects, API
|
||||
projects are reparented to the "API-Projects" meta-project instead of
|
||||
"All-Projects". This causes them to inherit permissions from the
|
||||
API-Projects project (which, in turn, inherits from All-Projects).
|
||||
|
||||
These permissions try to achieve the high level goals::
|
||||
|
||||
All Projects (metaproject):
|
||||
refs/*
|
||||
read: anonymous
|
||||
push annotated tag: release managers, ci tools, project bootstrappers
|
||||
forge author identity: registered users
|
||||
forge committer identity: project bootstrappers
|
||||
push (w/ force push): project bootstrappers
|
||||
create reference: project bootstrappers, release managers
|
||||
push merge commit: project bootstrappers
|
||||
|
||||
refs/for/refs/*
|
||||
push: registered users
|
||||
|
||||
refs/heads/*
|
||||
label code review:
|
||||
-1/+1: registered users
|
||||
-2/+2: project bootstrappers
|
||||
label verified:
|
||||
-2/+2: ci tools
|
||||
-2/+2: project bootstrappers
|
||||
-1/+1: external tools
|
||||
label approved 0/+1: project bootstrappers
|
||||
submit: ci tools
|
||||
submit: project bootstrappers
|
||||
|
||||
refs/heads/milestone-proposed
|
||||
label code review (exclusive):
|
||||
-2/+2 openstack-release
|
||||
-1/+1 registered users
|
||||
label approved (exclusive): 0/+1: openstack-release
|
||||
owner: openstack-release
|
||||
|
||||
refs/heads/stable/*
|
||||
label code review (exclusive):
|
||||
-2/+2 opestack-stable-maint
|
||||
-1/+1 registered users
|
||||
label approved (exclusive): 0/+1: opestack-stable-maint
|
||||
|
||||
refs/meta/config
|
||||
read: project owners
|
||||
|
||||
API Projects (metaproject):
|
||||
refs/*
|
||||
owner: Administrators
|
||||
|
||||
refs/heads/*
|
||||
label code review -2/+2: openstack-doc-core
|
||||
label approved 0/+1: openstack-doc-core
|
||||
|
||||
project foo:
|
||||
refs/*
|
||||
owner: Administrators
|
||||
|
||||
refs/heads/*
|
||||
label code review -2/+2: foo-core
|
||||
label approved 0/+1: foo-core
|
||||
|
||||
refs/heads/milestone-proposed
|
||||
label code review -2/+2: foo-drivers
|
||||
label approved 0/+1: foo-drivers
|
||||
|
||||
Renaming a Project
|
||||
******************
|
||||
|
||||
Renaming a project is not automated and is disruptive to developers,
|
||||
so it should be avoided. Allow for an hour of downtime for the
|
||||
project in question, and about 10 minutes of downtime for all of
|
||||
Gerrit. All Gerrit changes, merged and open, will carry over, so
|
||||
in-progress changes do not need to be merged before the move.
|
||||
|
||||
To rename a project:
|
||||
|
||||
#. Make it inacessible by editing the Access pane. Add a "read" ACL
|
||||
for "Administrators", and mark it "exclusive". Be sure to save
|
||||
changes.
|
||||
|
||||
#. Update the database::
|
||||
|
||||
update account_project_watches
|
||||
set project_name = "openstack/OLD"
|
||||
where project_name = "openstack/NEW";
|
||||
|
||||
update changes
|
||||
set dest_project_name = "openstack/OLD"
|
||||
where dest_project_name = "openstack/NEW";
|
||||
|
||||
#. Wait for Jenkins to be idle (or take it offline)
|
||||
|
||||
#. Stop Gerrit and move the Git repository::
|
||||
|
||||
/etc/init.d/gerrit stop
|
||||
cd /home/gerrit2/review_site/git/openstack/
|
||||
mv OLD.git/ NEW.git
|
||||
/etc/init.d/gerrit start
|
||||
|
||||
#. (Bring Jenkins online if need be)
|
||||
|
||||
#. Rename the project in GitHub
|
||||
|
||||
#. Update Jenkins jobs te reference the new name. Rename the jobs
|
||||
themselves as appropriate
|
||||
|
||||
#. Remove the read access ACL you set in the first step from project
|
||||
|
||||
#. Submit a change that updates .gitreview with the new location of the
|
||||
project
|
||||
|
||||
Developers will either need to re-clone a new copy of the repository,
|
||||
or manually update their remotes.
|
||||
|
||||
Deleting a User from Gerrit
|
||||
***************************
|
||||
|
||||
This isn't normally necessary, but if you find that you need to
|
||||
completely delete an account from Gerrit, here's how:
|
||||
|
||||
.. code-block:: mysql
|
||||
|
||||
delete from account_agreements where account_id=NNNN;
|
||||
delete from account_diff_preferences where id=NNNN;
|
||||
delete from account_external_ids where account_id=NNNN;
|
||||
delete from account_group_members where account_id=NNNN;
|
||||
delete from account_group_members_audit where account_id=NNNN;
|
||||
delete from account_patch_reviews where account_id=NNNN;
|
||||
delete from account_project_watches where account_id=NNNN;
|
||||
delete from account_ssh_keys where account_id=NNNN;
|
||||
delete from accounts where account_id=NNNN;
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
ssh review.openstack.org -p29418 gerrit flush-caches --all
|
||||
|
||||
Adding A New Project On The Command Line
|
||||
****************************************
|
||||
|
||||
All of the steps involved in adding a new project to Gerrit can be
|
||||
accomplished via the commandline, with the exception of creating a new repo
|
||||
on github and adding the jenkins jobs.
|
||||
|
||||
First of all, add the .gitreview file to the repo that will be added. Then,
|
||||
assuming an ssh config alias of `review` for the gerrit instance, as a person
|
||||
in the Project Bootstrappers group::
|
||||
|
||||
ssh review gerrit create-project --name openstack/$PROJECT
|
||||
git review -s
|
||||
git push gerrit HEAD:refs/heads/master
|
||||
git push --tags gerrit
|
||||
|
||||
At this point, the branch contents will be in gerrit, and the project config
|
||||
settings and ACLs need to be set. These are maintained in a special branch
|
||||
inside of git in gerrit. Check out the branch from git::
|
||||
|
||||
git fetch gerrit +refs/meta/*:refs/remotes/gerrit-meta/*
|
||||
git checkout -b config remotes/gerrit-meta/config
|
||||
|
||||
There will be two interesting files, `groups` and `project.config`. `groups`
|
||||
contains UUIDs and names of groups that will be referenced in
|
||||
`project.config`. There is a helper script in the openstack-ci repo called
|
||||
`get_group_uuid.py` which will fetch the UUID for a given group. For
|
||||
$PROJECT-core and $PROJECT-drivers::
|
||||
|
||||
openstack-ci/gerrit/get_group_uuid.py $GROUP_NAME
|
||||
|
||||
And make entries in `groups` for each one of them. Next, edit
|
||||
`project.config` to look like::
|
||||
|
||||
[access "refs/*"]
|
||||
owner = group Administrators
|
||||
[receive]
|
||||
requireChangeId = true
|
||||
requireContributorAgreement = true
|
||||
[submit]
|
||||
mergeContent = true
|
||||
[access "refs/heads/*"]
|
||||
label-Code-Review = -2..+2 group $PROJECT-core
|
||||
label-Approved = +0..+1 group $PROJECT-core
|
||||
[access "refs/heads/milestone-proposed"]
|
||||
label-Code-Review = -2..+2 group $PROJECT-drivers
|
||||
label-Approved = +0..+1 group $PROJECT-drivers
|
||||
|
||||
Replace $PROJECT with the name of the project.
|
||||
|
||||
Finally, commit the changes and push the config back up to Gerrit::
|
||||
|
||||
git commit -m "Initial project config"
|
||||
git push gerrit HEAD:refs/meta/config
|
47
doc/index.rst
Normal file
47
doc/index.rst
Normal file
@ -0,0 +1,47 @@
|
||||
.. OpenStack CI documentation master file, created by
|
||||
sphinx-quickstart on Mon Jul 18 13:42:23 2011.
|
||||
You can adapt this file completely to your liking, but it should at least
|
||||
contain the root `toctree` directive.
|
||||
|
||||
OpenStack Continuous Integration
|
||||
================================
|
||||
|
||||
This documentation covers the installation and maintenance of the
|
||||
Continuous Integration (CI) infrastructure used by OpenStack. It
|
||||
may be of interest to people who may want to help develop this
|
||||
infrastructure or integrate their tools into it. Some instructions
|
||||
may be useful to other projects that want to set up similar CI
|
||||
systems.
|
||||
|
||||
OpenStack developers or users do not need to read this documentation.
|
||||
Instead, see http://wiki.openstack.org/ to learn how contribute to or
|
||||
use OpenStack.
|
||||
|
||||
Howtos:
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
||||
third_party
|
||||
stackforge
|
||||
|
||||
Contents:
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
||||
systems
|
||||
jenkins
|
||||
gerrit
|
||||
puppet
|
||||
puppet_modules
|
||||
jenkins_jobs
|
||||
meetbot
|
||||
|
||||
Indices and tables
|
||||
==================
|
||||
|
||||
* :ref:`genindex`
|
||||
* :ref:`modindex`
|
||||
* :ref:`search`
|
||||
|
340
doc/jenkins.rst
Normal file
340
doc/jenkins.rst
Normal file
@ -0,0 +1,340 @@
|
||||
:title: Jenkins Configuration
|
||||
|
||||
Jenkins
|
||||
#######
|
||||
|
||||
Overview
|
||||
********
|
||||
|
||||
Jenkins is a Continuous Integration system and the central control
|
||||
system for the orchestration of both pre-merge testing and post-merge
|
||||
actions such as packaging and publishing of documentation.
|
||||
|
||||
The overall design that Jenkins is a key part of implementing is that
|
||||
all code should be reviewed and tested before being merged in to trunk,
|
||||
and that as many tasks around review, testing, merging and release that
|
||||
can be automated should be.
|
||||
|
||||
Jenkis is essentially a job queing system, and everything that is done
|
||||
through Jenkins can be thought of as having a few discreet components:
|
||||
|
||||
* Triggers - What causes a job to be run
|
||||
* Location - Where do we run a job
|
||||
* Steps - What actions are taken when the job runs
|
||||
* Results - What is the outcome of the job
|
||||
|
||||
The OpenStack Jenkins can be found at http://jenkins.openstack.org
|
||||
|
||||
OpenStack uses :doc:`gerrit` to manage code reviews, which in turns calls
|
||||
Jenkins to test those reviews.
|
||||
|
||||
Authorization
|
||||
*************
|
||||
|
||||
Jenkins is set up to use OpenID in a Single Sign On mode with Launchpad.
|
||||
This means that all of the user and group information is managed via
|
||||
Launchpad users and teams. In the Jenkins Security Matrix, a Launchpad team
|
||||
name can be specified and any members of that team will be granted those
|
||||
permissions. However, because of the way the information is processed, a
|
||||
user will need to re-log in upon changing either team membership on
|
||||
Launchpad, or changing that team's authorization in Jenkins for the new
|
||||
privileges to take effect.
|
||||
|
||||
Integration Testing
|
||||
*******************
|
||||
|
||||
TODO: How others can get involved in testing and integrating with
|
||||
OpenStack Jenkins.
|
||||
|
||||
Rackspace Bare-Metal Testing Cluster
|
||||
====================================
|
||||
|
||||
The CI team mantains a cluster of machines supplied by Rackspace to
|
||||
perform bare-metal deployment and testing of OpenStack as a whole.
|
||||
This installation is intended as a reference implementation of just
|
||||
one of many possible testing platforms, all of which can be integrated
|
||||
with the OpenStack Jenkins system. This is a cluster of several
|
||||
physical machines meaning the test environment has access to all of
|
||||
the native processor features, and real-world networking, including
|
||||
tagged VLANs.
|
||||
|
||||
Each time the trunk repo is updated, a Jenkins job will deploy an
|
||||
OpenStack cluster using devstack and then run the openstack-test-rax
|
||||
test suite against the cluster.
|
||||
|
||||
Deployment and Testing Process
|
||||
------------------------------
|
||||
|
||||
The cluster deployment is divided into two phases: base operating
|
||||
system installation, and OpenStack installation. Because the
|
||||
operating system install takes considerable time (15 to 30 minutes),
|
||||
has external network resource dependencies (the distribution mirror),
|
||||
and has no bearing on the outcome of the OpenStack tests themselves,
|
||||
the process used here effectively snapshots the machines immediately
|
||||
after the base OS install and before OpenStack is installed. LVM
|
||||
snapshots and kexec are used to immediately return the cluster to a
|
||||
newly installed state without incurring the additional time it would
|
||||
take to install from scratch. The Jenkins testing job invokes the
|
||||
process starting at :ref:`rax_openstack_install`.
|
||||
|
||||
Installation Server Configuration
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The CI team runs the Ubuntu Orchestra server (based on cobbler) on our
|
||||
Jenkins slave node to manage the OS installation on the test machines.
|
||||
The configuration for the Orchestra server is kept in the CI team's
|
||||
puppet modules. If you want to set up your own system, Orchestra is
|
||||
not required, any system capable of performing the following steps is
|
||||
suitable. However, if you want to stand up a test system as quickly
|
||||
and simply as possible, you may find it easiest to base your system on
|
||||
the one the CI team uses. You may use the puppet modules yourself, or
|
||||
follow the instructions below.
|
||||
|
||||
The CI team's Orchestra configuration module is at:
|
||||
|
||||
https://github.com/openstack/openstack-ci-puppet/tree/master/modules/orchestra
|
||||
|
||||
Install Orchestra
|
||||
"""""""""""""""""
|
||||
|
||||
Install Ubuntu 11.10 (Oneiric) and Orchestra::
|
||||
|
||||
sudo apt-get install ubuntu-orchestra-server ipmitool
|
||||
|
||||
The install process will prompt you to enter a password for Cobbler.
|
||||
Have one ready and keep it in a safe place. The procedure here will
|
||||
not use it, but if you later want to use the Cobbler web interface,
|
||||
you will need it.
|
||||
|
||||
Configure Orchestra
|
||||
"""""""""""""""""""
|
||||
|
||||
Install the following files on the Orchestra server so that it deploys
|
||||
machines with our LVM/kexec test framework.
|
||||
|
||||
We update the dnsmasq.conf cobbler template to add
|
||||
"dhcp-ignore=tag:!known", and some site-specific network
|
||||
configuration::
|
||||
|
||||
wget https://raw.github.com/openstack/openstack-ci-puppet/master/modules/orchestra/files/dnsmasq.template \
|
||||
-O /etc/cobbler/dnsmasq.template
|
||||
|
||||
Our servers need a kernel module blacklisted in order to boot
|
||||
correctly. If you don't need to blacklist any modules, you should
|
||||
either create an empty file here, or remove the reference to this file
|
||||
from the preseed file later::
|
||||
|
||||
wget https://raw.github.com/openstack/openstack-ci-puppet/master/modules/orchestra/files/openstack_module_blacklist \
|
||||
-O /var/lib/cobbler/snippets/openstack_module_blacklist
|
||||
|
||||
This cobbler snippet uses cloud-init to set up the LVM/kexec
|
||||
environment and configures TCP syslogging to the installation
|
||||
server/Jenkins slave::
|
||||
|
||||
wget https://raw.github.com/openstack/openstack-ci-puppet/master/modules/orchestra/files/openstack_cloud_init \
|
||||
-O /var/lib/cobbler/snippets/openstack_cloud_init
|
||||
|
||||
This snippet holds the mysql root password that will be configured at
|
||||
install time. It's currently a static string, but you could
|
||||
dynamically write this file, or simply replace it with something more
|
||||
secure::
|
||||
|
||||
wget https://raw.github.com/openstack/openstack-ci-puppet/master/modules/orchestra/files/openstack_mysql_password \
|
||||
-O /var/lib/cobbler/snippets/openstack_mysql_password
|
||||
|
||||
This preseed file manages the OS install on the test nodes. It
|
||||
includes the snippets installed above::
|
||||
|
||||
wget https://raw.github.com/openstack/openstack-ci-puppet/master/modules/orchestra/files/openstack-test.preseed \
|
||||
-O /var/lib/cobbler/kickstarts/openstack-test.preseed
|
||||
|
||||
The following sudoers configuration is needed to allow Jenkins to
|
||||
control cobbler, remove syslog files from the test hosts before
|
||||
starting new tests, and restart rsyslog::
|
||||
|
||||
wget https://raw.github.com/openstack/openstack-ci-puppet/master/modules/orchestra/files/orchestra-jenkins-sudoers -O /etc/sudoers.d/orchestra-jenkins
|
||||
|
||||
Replace the Orchestra rsyslog config file with a simpler one that logs
|
||||
all information from remote hosts in one file per host::
|
||||
|
||||
wget https://raw.github.com/openstack/openstack-ci-puppet/master/modules/orchestra/files/99-orchestra.conf -O /etc/rsyslog.d/99-orchestra.conf
|
||||
|
||||
Make sure the syslog directories exist and restart rsyslog::
|
||||
|
||||
mkdir -p /var/log/orchestra/rsyslog/
|
||||
chown -R syslog.syslog /var/log/orchestra/
|
||||
restart rsyslog
|
||||
|
||||
Add an "OpenStack Test" system profile to cobbler that uses the
|
||||
preseed file above::
|
||||
|
||||
cobbler profile add \
|
||||
--name=natty-x86_64-ostest \
|
||||
--parent=natty-x86_64 \
|
||||
--kickstart=/var/lib/cobbler/kickstarts/openstack-test.preseed \
|
||||
--kopts="priority=critical locale=en_US"
|
||||
|
||||
Add each of your systems to cobbler with a command similar to this
|
||||
(you may need different kernel options)::
|
||||
|
||||
cobbler system add \
|
||||
--name=baremetal1 \
|
||||
--hostname=baremetal1 \
|
||||
--profile=natty-x86_64-ostest \
|
||||
--mac=00:11:22:33:44:55 \
|
||||
--power-type=ipmitool \
|
||||
--power-user=IPMI_USERNAME \
|
||||
--power-pass=IPMI_PASS \
|
||||
--power-address=IPMI_IP_ADDR \
|
||||
--ip-address=SYSTEM_IP_ADDRESS \
|
||||
--subnet=SYSTEM_SUBNET \
|
||||
--kopts="netcfg/choose_interface=auto netcfg/dhcp_timeout=60 auto=true priority=critical"
|
||||
|
||||
When complete, have cobbler write out its configuration files::
|
||||
|
||||
cobbler sync
|
||||
|
||||
Set Up Jenkins Jobs
|
||||
"""""""""""""""""""
|
||||
|
||||
We have Jenkins jobs to handle all of the tasks after the initial
|
||||
Orchestra configuration so that we can easily run them at any time.
|
||||
This includes the OS installation on the test nodes, even though we
|
||||
don't run that often because the state is preserved in an LVM
|
||||
snapshot, we may want to change the configuration used and make a new
|
||||
snapshot. In that case we just need to trigger the Jenkins job again.
|
||||
|
||||
The Jenkins job that kicks off the operating system installation calls
|
||||
the "baremetal-os-install.sh" script from the openstack-ci repo:
|
||||
|
||||
https://github.com/openstack/openstack-ci/blob/master/slave_scripts/baremetal-os-install.sh
|
||||
|
||||
That script instructs cobbler to install the OS on each of the test
|
||||
nodes.
|
||||
|
||||
To speed up the devstack installation and avoid excessive traffic to
|
||||
the pypi server, we build a PIP package cache on the installation
|
||||
server. That is also an infrequent task that we configure as a
|
||||
jenkins job. That calls:
|
||||
|
||||
https://github.com/openstack/openstack-ci/blob/master/slave_scripts/update-pip-cache.sh
|
||||
|
||||
That builds a PIP package cache that the test script later copies to
|
||||
the test servers for use by devstack.
|
||||
|
||||
Run those two jobs, and once complete, the test nodes are ready to go.
|
||||
|
||||
This is the end of the operating system installation, and the system
|
||||
is currently in the pristine state that will be used by the test
|
||||
procedure (which is stored in the LVM volume "orig_root").
|
||||
|
||||
.. _rax_openstack_install:
|
||||
|
||||
OpenStack Installation
|
||||
~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
When the deployment and integration test job runs, it does the
|
||||
following, each time starting from the pristine state arrived at the
|
||||
end of the previous section.
|
||||
|
||||
Reset the Test Nodes
|
||||
""""""""""""""""""""
|
||||
|
||||
The Jenkins deployment and test job first runs the deployment script:
|
||||
|
||||
https://github.com/openstack/openstack-ci/blob/master/slave_scripts/baremetal-deploy.sh
|
||||
|
||||
Which invokes the following script on each host to reset it to the
|
||||
pristine state:
|
||||
|
||||
https://github.com/openstack/openstack-ci/blob/master/slave_scripts/lvm-kexec-reset.sh
|
||||
|
||||
Because kexec is in use, resetting the environment and rebooting into
|
||||
the pristine state takes only about 3 seconds.
|
||||
|
||||
The deployment script then removes the syslog files from the previous
|
||||
run and restarts rsyslog to re-open them. Once the first test host
|
||||
finishes booting and brings up its network, OpenStack installation
|
||||
starts.
|
||||
|
||||
Run devstack on the Test Nodes
|
||||
""""""""""""""""""""""""""""""
|
||||
|
||||
Devstack's build_bm_multi script is run, which invokes devstack on
|
||||
each of the test nodes. First on the "head" node which runs all of
|
||||
the OpenStack services for the remaining "compute" nodes.
|
||||
|
||||
Run Test Suite
|
||||
""""""""""""""
|
||||
|
||||
Once devstack is complete, the test suite is run. All logs from the
|
||||
test nodes should be sent via syslog to the Jenkins slave, and at the
|
||||
end of the test, the logs are archived with the Job for developers to
|
||||
inspect in case of problems.
|
||||
|
||||
Cluster Configuration
|
||||
---------------------
|
||||
|
||||
Here are the configuration parameters of the CI team's test cluster.
|
||||
The cluster is currently divided into three mini-clusters so that
|
||||
independent Jenkins jobs can run in parallel on the different
|
||||
clusters.
|
||||
|
||||
VLANs
|
||||
~~~~~
|
||||
|
||||
+----+--------------------------------+
|
||||
|VLAN| Description |
|
||||
+====+================================+
|
||||
|90 | Native VLAN |
|
||||
+----+--------------------------------+
|
||||
|91 | Internal cluster communication |
|
||||
| | network: 192.168.91.0/24 |
|
||||
+----+--------------------------------+
|
||||
|92 | Public Internet (fake) |
|
||||
| | network: 192.168.92.0/24 |
|
||||
+----+--------------------------------+
|
||||
|
||||
Servers
|
||||
~~~~~~~
|
||||
The servers are located on the Rackspace network, only accessible via
|
||||
VPN.
|
||||
|
||||
+-----------+--------------+---------------+
|
||||
| Server | Primary IP | Management IP |
|
||||
+===========+==============+===============+
|
||||
|deploy-rax | 10.14.247.36 | 10.14.247.46 |
|
||||
+-----------+--------------+---------------+
|
||||
|baremetal1 | 10.14.247.37 | 10.14.247.47 |
|
||||
+-----------+--------------+---------------+
|
||||
|baremetal2 | 10.14.247.38 | 10.14.247.48 |
|
||||
+-----------+--------------+---------------+
|
||||
|baremetal3 | 10.14.247.39 | 10.14.247.49 |
|
||||
+-----------+--------------+---------------+
|
||||
|baremetal4 | 10.14.247.40 | 10.14.247.50 |
|
||||
+-----------+--------------+---------------+
|
||||
|baremetal5 | 10.14.247.41 | 10.14.247.51 |
|
||||
+-----------+--------------+---------------+
|
||||
|baremetal6 | 10.14.247.42 | 10.14.247.52 |
|
||||
+-----------+--------------+---------------+
|
||||
|baremetal7 | 10.14.247.43 | 10.14.247.53 |
|
||||
+-----------+--------------+---------------+
|
||||
|baremetal8 | 10.14.247.44 | 10.14.247.54 |
|
||||
+-----------+--------------+---------------+
|
||||
|baremetal9 | 10.14.247.45 | 10.14.247.55 |
|
||||
+-----------+--------------+---------------+
|
||||
|
||||
deploy-rax
|
||||
The deployment server and Jenkins slave. It deploys the servers
|
||||
using Orchestra and Devstack, and runs the test framework. It
|
||||
should not run any OpenStack components, but we can install
|
||||
libraries or anything else needed to run tests.
|
||||
|
||||
baremetal1, baremetal4, baremetal7
|
||||
Configured as "head" nodes to run nova, mysql, and glance. Each one
|
||||
is the head node of a three node cluster including the two compute
|
||||
nodes following it
|
||||
|
||||
baremetal2-3, baremtal5-6, baremetal8-9
|
||||
Configured as compute nodes for each of the three mini-clusters.
|
||||
|
133
doc/jenkins_jobs.rst
Normal file
133
doc/jenkins_jobs.rst
Normal file
@ -0,0 +1,133 @@
|
||||
Jenkins Job Builder
|
||||
===================
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
In order to make the process of managing hundreds of Jenkins Jobs easier a
|
||||
Python based utility was designed to take YAML based configurations and convert
|
||||
those into jobs that are injected into Jenkins.
|
||||
|
||||
Adding a project
|
||||
----------------
|
||||
|
||||
The YAML scripts to make this work are stored in the ``openstack-ci-puppet``
|
||||
repository in the ``modules/jenkins_jobs/files/projects/site/project.yaml``
|
||||
directory. Where ``site`` is either `openstack` or `stackforge` and ``project``
|
||||
is the name of the project the YAML file is for.
|
||||
|
||||
Once the YAML file is added the puppet module needs to be told that the project
|
||||
is there. For example:
|
||||
|
||||
.. code-block:: ruby
|
||||
:linenos:
|
||||
|
||||
class { "jenkins_jobs":
|
||||
site => "stackforge",
|
||||
projects => ['reddwarf', 'ceilometer']
|
||||
}
|
||||
|
||||
In this example the YAML files for `reddwarf` and `ceilometer` in the
|
||||
`stackforge` projects directory will be executed.
|
||||
|
||||
YAML Format
|
||||
-----------
|
||||
|
||||
The bare minimum YAML needs to look like this:
|
||||
|
||||
.. code-block:: yaml
|
||||
:linenos:
|
||||
|
||||
---
|
||||
modules:
|
||||
- properties
|
||||
- scm
|
||||
- assignednode
|
||||
- trigger_none
|
||||
- builders
|
||||
- publisher_none
|
||||
|
||||
main:
|
||||
name: 'job-name'
|
||||
site: 'stackforge'
|
||||
project: 'project'
|
||||
authenticatedBuild: 'false'
|
||||
disabled: 'false'
|
||||
|
||||
This example starts with ``---``, this signifies the start of a job, there can
|
||||
be multiple jobs per project file.
|
||||
The ``modules`` entry is an array of modules that should be loaded for this job.
|
||||
Modules are located in the ``modules/jenkins_jobs/files/modules/`` directory
|
||||
and are python scripts to generate the required XML. Each module has a comment
|
||||
near the top showing the required YAML to support that module. The follow
|
||||
modules are required to generate a correct XML that Jenkins will support:
|
||||
|
||||
* properties (supplies the <properties> XML data)
|
||||
* scm (supplies the <scm> XML data, required even is scm is not used
|
||||
* trigger_* (a trigger module is required)
|
||||
* builders
|
||||
* publisher_* (a publisher module is required)
|
||||
|
||||
Each module also requires a ``main`` section which has the main data for the
|
||||
modules, inside this there is:
|
||||
|
||||
* name - the name of the job
|
||||
* site - openstack or stackforge
|
||||
* project - the name of the project
|
||||
* authenticatedBuild - whether or not you need to be authenticated to hit the
|
||||
build button
|
||||
* disabled - whether or not this job should be disabled
|
||||
|
||||
Testing for Job Changes
|
||||
-----------------------
|
||||
|
||||
The Jenkins Jobs builder maintains a special YAML file in
|
||||
``~/.jenkins_jobs_cache.yml``. This contains an MD5 of every generated XML that
|
||||
it builds. If it finds the XML is different then it will proceed to send this
|
||||
to Jenkins, otherwise it is skipped. If a job is accidentally deleted then this
|
||||
file should be modified or removed.
|
||||
|
||||
Sending a Job to Jenkins
|
||||
------------------------
|
||||
|
||||
The Jenkins Jobs builder talks to Jenkins using the Jenkins API. This means
|
||||
that it can create and modify jobs directly without the need to restart or
|
||||
reload the Jenkins server. It also means that Jenkins will verify the XML and
|
||||
cause the Jenkins Jobs builder to fail if there is a problem.
|
||||
|
||||
For this to work a configuration file is needed. This needs to be stored in
|
||||
``/root/secret-files/jenkins_jobs.ini`` and puppet will automatically put it in
|
||||
the right place. The format for this file is as follows:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
[jenkins]
|
||||
user=username
|
||||
password=password
|
||||
url=jenkins_url
|
||||
|
||||
The password can be obtained by logging into the Jenkins user, clicking on your
|
||||
username in the top-right, clicking on `Configure` and then `Show API Token`.
|
||||
This API Token is your password for the API.
|
||||
|
||||
Adding a Module
|
||||
---------------
|
||||
|
||||
Modules need to contain a class with the same name as the filename. The basic
|
||||
layout is:
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
import xml.etree.ElementTree as XML
|
||||
|
||||
class my_module(object):
|
||||
def __init__(self, data):
|
||||
self.data = data
|
||||
|
||||
def gen_xml(self, xml_parent):
|
||||
|
||||
The ``__init__`` function will be provided with ``data`` which is a Python
|
||||
dictionary representing the YAML data for the job.
|
||||
|
||||
The ``gen_xml`` function will be provided with ``xml_parent`` which is an
|
||||
XML ElementTree object to be modified.
|
89
doc/meetbot.rst
Normal file
89
doc/meetbot.rst
Normal file
@ -0,0 +1,89 @@
|
||||
Meetbot
|
||||
==============
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
The OpenStack CI team run a slightly modified
|
||||
`Meetbot <http://wiki.debian.org/MeetBot>`_ to log IRC channel activity and
|
||||
meeting minutes. Meetbot is a plugin for
|
||||
`Supybot <http://sourceforge.net/projects/supybot/>`_ which adds meeting
|
||||
support features to the Supybot IRC bot.
|
||||
|
||||
Supybot
|
||||
-------
|
||||
|
||||
In order to run Meetbot you will need to get Supybot. You can find the latest
|
||||
release `here <http://sourceforge.net/projects/supybot/files/>`_. Once you have
|
||||
extracted the release you will want to read the ``INSTALL`` and
|
||||
``doc/GETTING_STARTED`` files. Those two files should have enough information to
|
||||
get you going, but there are other goodies in ``doc/``.
|
||||
|
||||
Once you have Supybot installed you will need to configure a bot. The
|
||||
``supybot-wizard`` command can get you started with a basic config, or you can
|
||||
have Puppet do the heavy lifting. The OpenStack CI Meetbot Puppet module creates
|
||||
a configuration and documentation for that module is at
|
||||
:ref:`Meetbot_Puppet_Module`.
|
||||
|
||||
One important config setting is ``supybot.reply.whenAddressedBy.chars``, which
|
||||
sets the prefix character for this bot. This should be set to something other
|
||||
than ``#`` as ``#`` will conflict with Meetbot (you can leave the setting blank
|
||||
if you don't want a prefix character).
|
||||
|
||||
Meetbot
|
||||
-------
|
||||
|
||||
The OpenStack CI Meetbot fork can be found at
|
||||
https://github.com/openstack-ci/meetbot. Manual installation of the Meetbot
|
||||
plugin is straightforward and documented in that repository's README.
|
||||
OpenStack CI installs and configures Meetbot through Puppet. Documentation for
|
||||
the Puppet module that does that can be found at :ref:`Meetbot_Puppet_Module`.
|
||||
|
||||
Voting
|
||||
^^^^^^
|
||||
|
||||
The OpenStack CI Meetbot fork adds simple voting features. After a meeting has
|
||||
been started a meeting chair can begin a voting block with the ``#startvote``
|
||||
command. The command takes two arguments, a question posed to voters (ending
|
||||
with a ``?``), and the valid voting options. If the second argument is missing
|
||||
the default options are "Yes" and "No". For example:
|
||||
|
||||
``#startvote Should we vote now? Yes, No, Maybe``
|
||||
|
||||
Meeting participants vote using the ``#vote`` command. This command takes a
|
||||
single argument, which should be one of the options listed for voting by the
|
||||
``#startvote`` command. For example:
|
||||
|
||||
``#vote Yes``
|
||||
|
||||
Note that you can vote multiple times, but only your last vote will count.
|
||||
|
||||
One can check the current vote tallies useing the ``#showvote`` command, which
|
||||
takes no arguments. This will list the number of votes and voters for each item
|
||||
that has votes.
|
||||
|
||||
When the meeting chair(s) are ready to stop the voting process they can issue
|
||||
the ``#endvote`` command, which takes no arguments. Doing so will report the
|
||||
voting results and log these results in the meeting minutes.
|
||||
|
||||
A somewhat contrived voting example:
|
||||
|
||||
::
|
||||
|
||||
foo | #startvote Should we vote now? Yes, No, Maybe
|
||||
meetbot | Begin voting on: Should we vote now? Valid vote options are Yes, No, Maybe.
|
||||
meetbot | Vote using '#vote OPTION'. Only your last vote counts.
|
||||
foo | #vote Yes
|
||||
bar | #vote Absolutely
|
||||
meetbot | bar: Absolutely is not a valid option. Valid options are Yes, No, Maybe.
|
||||
bar | #vote Yes
|
||||
bar | #showvote
|
||||
meetbot | Yes (2): foo, bar
|
||||
foo | #vote No
|
||||
foo | #showvote
|
||||
meetbot | Yes (1): bar
|
||||
meetbot | No (1): foo
|
||||
foo | #endvote
|
||||
meetbot | Voted on "Should we vote now?" Results are
|
||||
meetbot | Yes (1): bar
|
||||
meetbot | No (1): foo
|
97
doc/puppet.rst
Normal file
97
doc/puppet.rst
Normal file
@ -0,0 +1,97 @@
|
||||
Puppet Master
|
||||
=============
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
Instead of using a cron job, StackForge uses a puppet master to host the puppet
|
||||
manifests and modules. The other nodes then connect to this as puppet agents
|
||||
to get their configuration.
|
||||
|
||||
Puppet Master
|
||||
-------------
|
||||
|
||||
The puppet master is setup using a combination of Apache and mod passenger to
|
||||
ship the data to the clients. To install this:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sudo apt-get install puppet puppetmaster puppetmaster-passenger
|
||||
|
||||
Note that this may break the first time round due to not-so-perfect packaging
|
||||
involved. You will also need to stop the puppetmaster service and edit the
|
||||
``/etc/defaults/puppetmaster`` file to change ``START=no``. Puppetmaster needs
|
||||
to run first because it creates the SSL CA used to sign puppet agents (the
|
||||
passenger service does not do this).
|
||||
|
||||
This should then allow you to start ``apache2`` which in turn will automatically
|
||||
manage the puppet master.
|
||||
|
||||
Files for puppet master are stored in ``/etc/puppet`` with the subdirectories
|
||||
``manifests`` and ``modules`` being the important ones. In StackForge we have
|
||||
a ``root`` cron job that automatically populates these from our puppet git
|
||||
repository as follows:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
*/15 * * * * sleep $((RANDOM\%600)) && cd /srv/openstack-ci-puppet && /usr/bin/git pull -q && cp /srv/openstack-ci-puppet/manifests/users.pp /etc/puppet/manifests/ && cp /srv/openstack-ci-puppet/manifests/stackforge.pp /etc/puppet/manifests/site.pp && cp -a /srv/openstack-ci-puppet/modules/ /etc/puppet/
|
||||
|
||||
Adding a node
|
||||
-------------
|
||||
|
||||
On the new server connecting to the puppet master:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sudo apt-get install puppet
|
||||
|
||||
Then edit the ``/etc/default/puppet`` file to look like this:
|
||||
|
||||
.. code-block:: ini
|
||||
|
||||
# Defaults for puppet - sourced by /etc/init.d/puppet
|
||||
|
||||
# Start puppet on boot?
|
||||
START=yes
|
||||
|
||||
# Startup options
|
||||
DAEMON_OPTS="--server puppet.stackforge.org"
|
||||
|
||||
You can then start the puppet agent with:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sudo service puppet start
|
||||
|
||||
Once the node has started it will make a request to the puppet master to have
|
||||
its SSL cert signed. On the puppet master:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sudo puppet cert list
|
||||
|
||||
You should get a list of entries similar to the one below::
|
||||
|
||||
review.novalocal (44:18:BB:DF:08:50:62:70:17:07:82:1F:D5:70:0E:BF)
|
||||
|
||||
If you see the new node there you can sign its cert on the puppet master with:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
sudo puppet cert sign review.novalocal
|
||||
|
||||
Now that it is signed the puppet agent will execute any instructions for its
|
||||
node on the next run (default is every 30 minutes). You can trigger this
|
||||
earlier by restarting the puppet service on the new node.
|
||||
|
||||
Important Notes
|
||||
---------------
|
||||
|
||||
#. The hostname of the nodes **must** match the the forward looking for the DNS.
|
||||
For example the server pointed to with the DNS entry
|
||||
``jenkins.stackforge.org`` must have the hostname ``jenkins.stackforge.org``
|
||||
otherwise the SSL signing or standard run will fail.
|
||||
|
||||
#. Make sure the site manifest **does not** include the puppet cron job, this
|
||||
conflicts with puppet master and can cause issues. The initial puppet run
|
||||
that create users should be done using the puppet agent configuration above.
|
276
doc/puppet_modules.rst
Normal file
276
doc/puppet_modules.rst
Normal file
@ -0,0 +1,276 @@
|
||||
Puppet Modules
|
||||
==============
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
Much of the OpenStack project infrastructure is deployed and managed using
|
||||
puppet.
|
||||
The OpenStack CI team manage a number of custom puppet modules outlined in this
|
||||
document.
|
||||
|
||||
Doc Server
|
||||
----------
|
||||
|
||||
The doc_server module configures nginx [3]_ to serve the documentation for
|
||||
several specified OpenStack projects. At the moment to add a site to this
|
||||
you need to edit ``modules/doc_server/manifests/init.pp`` and add a line as
|
||||
follows:
|
||||
|
||||
.. code-block:: ruby
|
||||
:linenos:
|
||||
|
||||
doc_server::site { "swift": }
|
||||
|
||||
In this example nginx will be configured to serve ``swift.openstack.org``
|
||||
from ``/srv/docs/swift`` and ``swift.openstack.org/tarballs/`` from
|
||||
``/srv/tarballs/swift``
|
||||
|
||||
Lodgeit
|
||||
-------
|
||||
|
||||
The lodgeit module installs and configures lodgeit [1]_ on required servers to
|
||||
be used as paste installations. For OpenStack we use
|
||||
`a fork <https://github.com/openstack-ci/lodgeit>`_ of this which is based on
|
||||
one with bugfixes maintained by
|
||||
`dcolish <https://bitbucket.org/dcolish/lodgeit-main>`_ but adds back missing
|
||||
anti-spam features required by Openstack.
|
||||
|
||||
Puppet will configure lodgeit to use drizzle [2]_ as a database backend,
|
||||
nginx [3]_ as a front-end proxy and upstart scripts to run the lodgeit
|
||||
instances. It will store and maintain local branch of the the mercurial
|
||||
repository for lodgeit in ``/tmp/lodgeit-main``.
|
||||
|
||||
To use this module you need to add something similar to the following in the
|
||||
main ``site.pp`` manifest:
|
||||
|
||||
.. code-block:: ruby
|
||||
:linenos:
|
||||
|
||||
node "paste.openstack.org" {
|
||||
include openstack_server
|
||||
include lodgeit
|
||||
lodgeit::site { "openstack":
|
||||
port => "5000",
|
||||
image => "header-bg2.png"
|
||||
}
|
||||
|
||||
lodgeit::site { "drizzle":
|
||||
port => "5001"
|
||||
}
|
||||
}
|
||||
|
||||
In this example we include the lodgeit module which will install all the
|
||||
pre-requisites for Lodgeit as well as creating a checkout ready.
|
||||
The ``lodgeit::site`` calls create the individual paste sites.
|
||||
|
||||
The name in the ``lodgeit::site`` call will be used to determine the URL, path
|
||||
and name of the site. So "openstack" will create ``paste.openstack.org``,
|
||||
place it in ``/srv/lodgeit/openstack`` and give it an upstart script called
|
||||
``openstack-paste``. It will also change the h1 tag to say "Openstack".
|
||||
|
||||
The port number given needs to be a unique port which the lodgeit service will
|
||||
run on. The puppet script will then configure nginx to proxy to that port.
|
||||
|
||||
Finally if an image is given that will be used instead of text inside the h1
|
||||
tag of the site. The images need to be stored in the ``modules/lodgeit/files``
|
||||
directory.
|
||||
|
||||
Lodgeit Backups
|
||||
^^^^^^^^^^^^^^^
|
||||
|
||||
The lodgeit module will automatically create a git repository in ``/var/backups/lodgeit_db``. Inside this every site will have its own SQL file, for example "openstack" will have a file called ``openstack.sql``. Every day a cron job will update the SQL file (one job per file) and commit it to the git repository.
|
||||
|
||||
.. note::
|
||||
Ideally the SQL files would have a row on every line to keep the diffs stored
|
||||
in git small, but ``drizzledump`` does not yet support this.
|
||||
|
||||
Planet
|
||||
------
|
||||
|
||||
The planet module installs Planet Venus [4]_ along with required dependancies
|
||||
on a server. It also configures specified planets based on options given.
|
||||
|
||||
Planet Venus works by having a cron job which creates static files. In this
|
||||
module the static files are served using nginx [3]_.
|
||||
|
||||
To use this module you need to add something similar to the following into the
|
||||
main ``site.pp`` manifest:
|
||||
|
||||
.. code-block:: ruby
|
||||
:linenos:
|
||||
|
||||
node "planet.openstack.org" {
|
||||
include planet
|
||||
|
||||
planet::site { "openstack":
|
||||
git_url => "https://github.com/openstack/openstack-planet.git"
|
||||
}
|
||||
}
|
||||
|
||||
In this example the name "openstack" is used to create the site
|
||||
``paste.openstack.org``. The site will be served from
|
||||
``/srv/planet/openstack/`` and the checkout of the ``git_url`` supplied will
|
||||
be maintained in ``/var/lib/planet/openstack/``.
|
||||
|
||||
This module will also create a cron job to pull new feed data 3 minutes past each hour.
|
||||
|
||||
The ``git_url`` parameter needs to point to a git repository which stores the
|
||||
planet.ini configuration for the planet (which stores a list of feeds) and any required theme data. This will be pulled every time puppet is run.
|
||||
|
||||
.. _Meetbot_Puppet_Module:
|
||||
|
||||
Meetbot
|
||||
-------
|
||||
|
||||
The meetbot module installs and configures meetbot [5]_ on a server. The
|
||||
meetbot version installed by this module is pulled from the
|
||||
`Openstack CI fork <https://github.com/openstack-ci/meetbot/>`_ of the project.
|
||||
|
||||
It also configures nginix [3]_ to be used for accessing the public IRC logs of
|
||||
the meetings.
|
||||
|
||||
To use this module simply add a section to the site manifest as follows:
|
||||
|
||||
.. code-block:: ruby
|
||||
:linenos:
|
||||
|
||||
node "eavesdrop.openstack.org" {
|
||||
include openstack_cron
|
||||
class { 'openstack_server':
|
||||
iptables_public_tcp_ports => [80]
|
||||
}
|
||||
include meetbot
|
||||
|
||||
meetbot::site { "openstack":
|
||||
nick => "openstack",
|
||||
network => "FreeNode",
|
||||
server => "chat.us.freenode.net:7000",
|
||||
url => "eavesdrop.openstack.org",
|
||||
channels => "#openstack #openstack-dev #openstack-meeting",
|
||||
use_ssl => "True"
|
||||
}
|
||||
}
|
||||
|
||||
You will also need a file ``/root/secret-files/name-nickserv.pass`` where `name`
|
||||
is the name specified in the call to the module (`openstack` in this case).
|
||||
|
||||
Each call to meetbot::site will create setup a meebot in ``/var/lib/meetbot``
|
||||
under a subdirectory of the name of the call to the module. It will also
|
||||
configure nginix to go to that site when the ``/meetings`` directory is
|
||||
specified on the URL.
|
||||
|
||||
The puppet module also creates startup scripts for meetbot and will ensure that
|
||||
it is running on each puppet run.
|
||||
|
||||
Gerrit
|
||||
------
|
||||
|
||||
The Gerrit puppet module configures the basic needs of a Gerrit server. It does
|
||||
not (yet) install Gerrit itself and mostly deals with the configuration files
|
||||
and skinning of Gerrit.
|
||||
|
||||
Using Gerrit
|
||||
^^^^^^^^^^^^
|
||||
|
||||
Gerrit is set up when the following class call is added to a node in the site
|
||||
manifest:
|
||||
|
||||
.. code-block:: ruby
|
||||
|
||||
class { 'gerrit':
|
||||
canonicalweburl => "https://review.stackforge.org/",
|
||||
email => "review@stackforge.org",
|
||||
github_projects => [ {
|
||||
name => 'stackforge/MRaaS',
|
||||
close_pull => 'true'
|
||||
} ],
|
||||
logo => 'stackforge.png'
|
||||
}
|
||||
|
||||
Most of these options are self-explanitory. The github_projects is a list of
|
||||
all projects in GitHub which are managed by the gerrit server.
|
||||
|
||||
Skinning
|
||||
^^^^^^^^
|
||||
|
||||
Gerrit is skinned using files supplied by the puppet module. The skin is
|
||||
automatically applied as soon as the module is executed. In the site manifest
|
||||
setting the logo is important:
|
||||
|
||||
.. code-block:: ruby
|
||||
|
||||
class { 'gerrit':
|
||||
...
|
||||
logo => 'openstack.png'
|
||||
}
|
||||
|
||||
This specifies a PNG file which must be stored in the ``modules/gerrit/files/``
|
||||
directory.
|
||||
|
||||
Jenkins Master
|
||||
--------------
|
||||
|
||||
The Jenkins Master puppet module installs and supplies a basic Jenkins
|
||||
configuration. It also supplies a skin to Jenkins to make it look more like an
|
||||
OpenStack site. It does not (yet) install the additional Jenkins plugins used
|
||||
by the OpenStack project.
|
||||
|
||||
Using Jenkins Master
|
||||
^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
In the site manifest a node can be configured to be a Jenkins master simply by
|
||||
adding the class call below:
|
||||
|
||||
.. code-block:: ruby
|
||||
|
||||
class { 'jenkins_master':
|
||||
site => 'jenkins.openstack.org',
|
||||
serveradmin => 'webmaster@openstack.org',
|
||||
logo => 'openstack.png'
|
||||
}
|
||||
|
||||
The ``site`` and ``serveradmin`` parameters are used to configure Apache. You
|
||||
will also need in this instance the following files for Apache to start::
|
||||
|
||||
/etc/ssl/certs/jenkins.openstack.org.pem
|
||||
/etc/ssl/private/jenkins.openstack.org.key
|
||||
/etc/ssl/certs/intermediate.pem
|
||||
|
||||
The ``jenkins.openstack.org`` is replace by the setting in the ``site``
|
||||
parameter.
|
||||
|
||||
Skinning
|
||||
^^^^^^^^
|
||||
|
||||
The Jenkins skin uses the `Simple Theme Plugin
|
||||
<http://wiki.jenkins-ci.org/display/JENKINS/Simple+Theme+Plugin>`_ for Jenkins.
|
||||
The puppet module will install and configure most aspects of the skin
|
||||
automatically, with a few adjustments needed.
|
||||
|
||||
In the site.pp file the ``logo`` parameter is important:
|
||||
|
||||
.. code-block:: ruby
|
||||
|
||||
class { 'jenkins_master':
|
||||
...
|
||||
logo => 'openstack.png'
|
||||
}
|
||||
|
||||
This relates to a PNG file that must be in the ``modules/jenkins_master/files/``
|
||||
directory.
|
||||
|
||||
Once puppet installs this and the plugin is installed you need to go into
|
||||
``Manage Jenkins -> Configure System`` and look for the ``Theme`` heading.
|
||||
Assuming we are skinning the main OpenStack Jenkins site, in the ``CSS`` box
|
||||
enter
|
||||
``https://jenkins.openstack.org/plugin/simple-theme-plugin/openstack.css`` and
|
||||
in the ``JS`` box enter
|
||||
``https://jenkins.openstack.org/plugin/simple-theme-plugin/openstack.js``.
|
||||
|
||||
.. rubric:: Footnotes
|
||||
.. [1] `Lodgeit homepage <http://www.pocoo.org/projects/lodgeit/>`_
|
||||
.. [2] `Drizzle homepage <http://www.drizzle.org/>`_
|
||||
.. [3] `nginx homepage <http://nginx.org/en/>`_
|
||||
.. [4] `Planet Venus homepage <http://intertwingly.net/code/venus/docs/index.html>`_
|
||||
.. [5] `Meetbot homepage <http://wiki.debian.org/MeetBot>`_
|
41
doc/stackforge.rst
Normal file
41
doc/stackforge.rst
Normal file
@ -0,0 +1,41 @@
|
||||
HOWTO: Add a Project to StackForge
|
||||
==================================
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
StackForge is a Gerrit review and Jenkins CI setup similar to that of the main
|
||||
OpenStack project but for use with projects that are not under the main
|
||||
OpenStack umbrella.
|
||||
|
||||
Any project can be added to StackForge as long as it is related to OpenStack in
|
||||
some way.
|
||||
|
||||
Launchpad
|
||||
---------
|
||||
|
||||
All the developers of the project need to sign up to Launchpad and a team is
|
||||
needed for the core project reviewers to join. This team also needs to be
|
||||
a sub-team of the `OpenStack team <https://launchpad.net/~openstack>`_ so that
|
||||
Gerrit will be able to see it.
|
||||
|
||||
GitHub
|
||||
------
|
||||
|
||||
If you already have a branch on GitHub for the project this will need moving to
|
||||
the StackForge GitHub organization. Otherwise a new branch will need creating
|
||||
for you. The OpenStack Core Infrastructure team can assist in this.
|
||||
|
||||
Jenkins and Gerrit
|
||||
------------------
|
||||
|
||||
Until the setup is more automated the OpenStack Core Infrastructure team will
|
||||
need to do the Jenkins and Gerrit portion of the setup too. If you project is
|
||||
Python based we have a `Project Testing Interface <http://wiki.openstack.org/ProjectTestingInterface>`_ that we prefer you use. Otherwise please let the CI
|
||||
team know the testing requirements for Jenkins.
|
||||
|
||||
Contacting the CI Team
|
||||
----------------------
|
||||
|
||||
The best way to get the CI team to help with the above steps is to `file a CI bug <https://bugs.launchpad.net/openstack-ci>`_. We are also available on the
|
||||
#openstack-infra IRC channel or to the `CI Admins email address <mailto:openstack-ci-admins@lists.launchpad.net>`_.
|
77
doc/systems.rst
Normal file
77
doc/systems.rst
Normal file
@ -0,0 +1,77 @@
|
||||
:title: Infrastructure Systems
|
||||
|
||||
Infrastructure Systems
|
||||
######################
|
||||
|
||||
The OpenStack CI team maintains a number of systems that are critical
|
||||
to the operation of the OpenStack project. At the time of writing,
|
||||
these include:
|
||||
|
||||
* Gerrit (review.openstack.org)
|
||||
* Jenkins (jenkins.openstack.org)
|
||||
* community.openstack.org
|
||||
|
||||
Additionally the team maintains the project sites on Launchpad and
|
||||
GitHub. The following policies have been adopted to ensure the
|
||||
continued and secure operation of the project.
|
||||
|
||||
SSH Access
|
||||
**********
|
||||
|
||||
For any of the systems managed by the CI team, the following practices
|
||||
must be observed for SSH access:
|
||||
|
||||
* SSH access is only permitted with SSH public/private key
|
||||
authentication.
|
||||
* Users must use a strong passphrase to protect their private key. A
|
||||
passphrase of several words, at least one of which is not in a
|
||||
dictionary is advised, or a random string of at least 16
|
||||
characters.
|
||||
* To mitigate the inconvenience of using a long passphrase, users may
|
||||
want to use an SSH agent so that the passphrase is only requested
|
||||
once per desktop session.
|
||||
* Users private keys must never be stored anywhere except their own
|
||||
workstation(s). In particular, they must never be stored on any
|
||||
remote server.
|
||||
* If users need to 'hop' from a server or bastion host to another
|
||||
machine, they must not copy a private key to the intermediate
|
||||
machine (see above). Instead SSH agent forwarding may be used.
|
||||
However due to the potential for a compromised intermediate machine
|
||||
to ask the agent to sign requests without the users knowledge, in
|
||||
this case only an SSH agent that interactively prompts the user
|
||||
each time a signing request (ie, ssh-agent, but not gnome-keyring)
|
||||
is received should be used, and the SSH keys should be added with
|
||||
the confirmation constraint ('ssh-add -c').
|
||||
* The number of SSH keys that are configured to permit access to
|
||||
OpenStack machines should be kept to a minimum.
|
||||
* OpenStack CI machines must use puppet to centrally manage and
|
||||
configure user accounts, and the SSH authorized_keys files from the
|
||||
openstack-ci-puppet repository.
|
||||
* SSH keys should be periodically rotated (at least once per year).
|
||||
During rotation, a new key can be added to puppet for a time, and
|
||||
then the old one removed.
|
||||
|
||||
GitHub Access
|
||||
*************
|
||||
|
||||
To ensure that code review and testing are not bypassed in the public
|
||||
Git repositories, only Gerrit will be permitted to commit code to
|
||||
OpenStack repositories. Because GitHub always allows project
|
||||
administrators to commit code, accounts that have access to manage the
|
||||
GitHub projects necessarily will have commit access to the
|
||||
repositories. Therefore, to avoid inadvertent commits to the public
|
||||
repositories, unique administrative-only accounts must be used to
|
||||
manage the OpenStack GitHub organization and projects. These accounts
|
||||
will not be used to check out or commit code for any project.
|
||||
|
||||
Launchpad Teams
|
||||
***************
|
||||
|
||||
Each OpenStack project should have the following teams on Launchpad:
|
||||
|
||||
* foo -- contributors to project 'foo'
|
||||
* foo-core -- core developers
|
||||
* foo-bugs -- people interested in receieving bug reports
|
||||
* foo-drivers -- people who may approve and target blueprints
|
||||
|
||||
The openstack-admins team should be a member of each of those teams.
|
153
doc/third_party.rst
Normal file
153
doc/third_party.rst
Normal file
@ -0,0 +1,153 @@
|
||||
HOWTO: Third Party Testing
|
||||
==========================
|
||||
|
||||
Overview
|
||||
--------
|
||||
|
||||
Gerrit has an event stream which can be subscribed to, using this it is possible
|
||||
to test commits against testing systems beyond those supplied by OpenStack's
|
||||
Jenkins setup. It is also possible for these systems to feed information back
|
||||
into Gerrit and they can also leave non-gating votes on Gerrit review requests.
|
||||
|
||||
An example of one such system is `Smokestack <http://smokestack.openstack.org/>`_.
|
||||
Smokestack reads the Gerrit event stream and runs it's own tests on the commits.
|
||||
If one of the tests fails it will publish information and links to the failure
|
||||
on the review in Gerrit.
|
||||
|
||||
Reading the Event Stream
|
||||
------------------------
|
||||
|
||||
It is possible to use ssh to connect to ``review.openstack.org`` on port 29418
|
||||
with your ssh key if you are signed up as an OpenStack developer on Launchpad.
|
||||
|
||||
This will give you a real-time JSON stream of events happening inside Gerrit.
|
||||
For example:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ ssh -p 29418 review.example.com gerrit stream-events
|
||||
|
||||
Will give a stream with an output like this (line breaks and indentation added
|
||||
in this document for readability, the read JSON will be all one line per event):
|
||||
|
||||
.. code-block:: javascript
|
||||
|
||||
{"type":"comment-added","change":
|
||||
{"project":"openstack/keystone","branch":"stable/essex","topic":"bug/969088","id":"I18ae38af62b4c2b2423e20e436611fc30f844ae1","number":"7385","subject":"Make import_nova_auth only create roles which don\u0027t already exist","owner":
|
||||
{"name":"Chuck Short","email":"chuck.short@canonical.com","username":"zulcss"},"url":"https://review.openstack.org/7385"},
|
||||
"patchSet":
|
||||
{"number":"1","revision":"aff45d69a73033241531f5e3542a8d1782ddd859","ref":"refs/changes/85/7385/1","uploader":
|
||||
{"name":"Chuck Short","email":"chuck.short@canonical.com","username":"zulcss"},
|
||||
"createdOn":1337002189},
|
||||
"author":
|
||||
{"name":"Mark McLoughlin","email":"markmc@redhat.com","username":"markmc"},
|
||||
"approvals":
|
||||
[{"type":"CRVW","description":"Code Review","value":"2"},{"type":"APRV","description":"Approved","value":"0"}],
|
||||
"comment":"Hmm, I actually thought this was in Essex already.\n\nIt\u0027s a pretty annoying little issue for folks migrating for nova auth. Fix is small and pretty safe. Good choice for backporting"}
|
||||
|
||||
For most purposes you will want to trigger on ``patchset-created`` for when a
|
||||
new patchset has been uploaded.
|
||||
|
||||
Further documentation on how to use the events stream can be found in `Gerrit's stream event documentation page <http://gerrit-documentation.googlecode.com/svn/Documentation/2.3/cmd-stream-events.html>`_.
|
||||
|
||||
Posting Result To Gerrit
|
||||
------------------------
|
||||
|
||||
External testing systems can give non-gating votes to Gerrit by means of a -1/+1
|
||||
verify vote. OpenStack Jenkins has extra permissions to give a +2/-2 verify
|
||||
vote which is gating. Comments should also be provided to explain what kind of
|
||||
test failed.. We do also ask that the comments contain public links to the
|
||||
failure so that the developer can see what caused the failure.
|
||||
|
||||
An example of how to post this is as follows:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
$ ssh -p 29418 review.example.com gerrit review -m '"Test failed on MegaTestSystem <http://megatestsystem.org/tests/1234>"' --verified=-1 c0ff33
|
||||
|
||||
In this example ``c0ff33`` is the commit ID for the review. You can set the
|
||||
verified to either `-1` or `+1` depending on whether or not it passed the tests.
|
||||
|
||||
Further documentation on the `review` command in Gerrit can be found in the `Gerrit review documentation page <http://gerrit-documentation.googlecode.com/svn/Documentation/2.3/cmd-review.html>`_.
|
||||
|
||||
We do suggest cautious testing of these systems and have a development Gerrit
|
||||
setup to test on if required. In SmokeStack's case all failures are manually
|
||||
reviewed before getting pushed to OpenStack, whilst this may no scale it is
|
||||
advisable during initial testing of the setup.
|
||||
|
||||
.. _request-account-label:
|
||||
|
||||
Requesting a Service Account
|
||||
----------------------------
|
||||
|
||||
To request a sevice acconut for your system you first need to create a new
|
||||
account in LaunchPad. This account needs to be joined to the
|
||||
`OpenStack Team <https://launchpad.net/~openstack>`_ or one of the related teams
|
||||
so that Gerrit can pick it up. You can then contact the
|
||||
OpenStack CI Admins via `email <mailto:openstack-ci-admins@lists.launchpad.net>`_
|
||||
or the #openstack-infra IRC channel. We will set things up on Gerrit to
|
||||
receive your system's votes.
|
||||
|
||||
Feel free to contact the CI team to arrange setting up a dedicated user so your
|
||||
system can post reviews up using a system name rather than your user name.
|
||||
|
||||
The Jenkins Gerrit Trigger Plugin Way
|
||||
-------------------------------------
|
||||
|
||||
There is a Gerrit Trigger plugin for Jenkins which automates all of the
|
||||
processes described in this document. So if your testing system is Jenkins
|
||||
based you can use it to simplify things. You will still need an account to do
|
||||
this as described in the :ref:`request-account-label` section above.
|
||||
|
||||
The OpenStack version of the Gerrit Trigger plugin for Jenkins can be found on
|
||||
`the Jenkins packaging job <https://jenkins.openstack.org/view/All/job/gerrit-trigger-plugin-package/lastSuccessfulBuild/artifact/gerrithudsontrigger/target/gerrit-trigger.hpi>`_ for it. You can install it using the Advanced tab in the
|
||||
Jenkins Plugin Manager.
|
||||
|
||||
Once installed Jenkins will have a new `Gerrit Trigger` option in the `Manage
|
||||
Jenkins` menu. This should be given the following options::
|
||||
|
||||
Hostname: review.openstack.org
|
||||
Frontend URL: https://review.openstack.org/
|
||||
SSH Port: 29418
|
||||
Username: (the Launchpad user)
|
||||
SSH Key File: (path to the user SSH key)
|
||||
|
||||
Verify
|
||||
------
|
||||
Started: 0
|
||||
Successful: 1
|
||||
Failed: -1
|
||||
Unstable: 0
|
||||
|
||||
Code Review
|
||||
-----------
|
||||
Started: 0
|
||||
Successful: 0
|
||||
Failed: 0
|
||||
Unstable: 0
|
||||
|
||||
(under Advanced Button):
|
||||
|
||||
Stated: (blank)
|
||||
Successful: gerrit approve <CHANGE>,<PATCHSET> --message 'Build Successful <BUILDS_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW> --submit
|
||||
Failed: gerrit approve <CHANGE>,<PATCHSET> --message 'Build Failed <BUILDS_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW>
|
||||
Unstable: gerrit approve <CHANGE>,<PATCHSET> --message 'Build Unstable <BUILDS_STATS>' --verified <VERIFIED> --code-review <CODE_REVIEW>
|
||||
|
||||
Note that it is useful to include something in the messages about what testing
|
||||
system is supplying these messages.
|
||||
|
||||
When creating jobs in Jenkins you will have the option to add triggers. You
|
||||
should configure as follows::
|
||||
|
||||
Trigger on Patchset Uploaded: ticked
|
||||
(the rest unticked)
|
||||
|
||||
Type: Plain
|
||||
Pattern: openstack/project-name (where project-name is the name of the project)
|
||||
Branches:
|
||||
Type: Path
|
||||
Pattern: **
|
||||
|
||||
This job will now automatically trigger when a new patchset is uploaded and will
|
||||
report the results to Gerrit automatically.
|
||||
|
189
modules/jenkins_slave/files/slave_scripts/tardiff.py
Executable file
189
modules/jenkins_slave/files/slave_scripts/tardiff.py
Executable file
@ -0,0 +1,189 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
# tardiff.py -- compare the tar package with git archive. Error out if
|
||||
# it's different. The files to exclude are stored in a file, one per line,
|
||||
# and it's passed as argument to this script.
|
||||
#
|
||||
# You should run this script from the project directory. For example, if
|
||||
# you are verifying the package for glance project, you should run this
|
||||
# script from that directory.
|
||||
|
||||
import getopt
|
||||
import sys
|
||||
import os
|
||||
import commands
|
||||
|
||||
|
||||
class OpenStackTarDiff:
|
||||
""" main class to verify tar generated in each openstack projects """
|
||||
|
||||
def __init__(self):
|
||||
self.init_vars()
|
||||
self.validate_args()
|
||||
self.check_env()
|
||||
|
||||
def check_env(self):
|
||||
""" exit if dist/ directory already exists """
|
||||
if not self.package and os.path.exists(self.dist_dir):
|
||||
self.error("dist directory '%s' exist. Please remove it before " \
|
||||
"running this script" % self.dist_dir)
|
||||
|
||||
def validate_args(self):
|
||||
try:
|
||||
opts = getopt.getopt(sys.argv[1:], 'hvp:e:',
|
||||
['help', 'verbose', 'package=',
|
||||
'exclude='])[0]
|
||||
except getopt.GetoptError:
|
||||
self.usage('invalid option selected')
|
||||
|
||||
for opt, value in opts:
|
||||
if (opt in ('-h', '--help')):
|
||||
self.usage()
|
||||
elif (opt in ('-e', '--exclude')):
|
||||
self.e_file = value
|
||||
elif (opt in ('-p', '--package')):
|
||||
self.package = value
|
||||
elif (opt in ('-v', '--verbose')):
|
||||
self.verbose = True
|
||||
else:
|
||||
self.usage('unknown option : ' + opt)
|
||||
if not self.e_file:
|
||||
self.usage('specify file name containing list of files to '
|
||||
'exclude in tar diff')
|
||||
if not os.path.exists(self.e_file):
|
||||
self.usage("file '%s' does not exist" % self.e_file)
|
||||
if self.package and not os.path.exists(self.package):
|
||||
self.usage("package '%s' specified, but does not "
|
||||
"exist" % self.package)
|
||||
|
||||
def init_vars(self):
|
||||
self.dist_dir = 'dist/'
|
||||
self.verbose = False
|
||||
|
||||
self.e_file = None
|
||||
self.project_name = None
|
||||
self.prefix = None
|
||||
self.package = None
|
||||
self.sdist_files = []
|
||||
self.exclude_files = []
|
||||
self.git_files = []
|
||||
self.missing_files = []
|
||||
|
||||
def verify(self):
|
||||
self.get_exclude_files()
|
||||
self.get_project_name()
|
||||
self.get_sdist_files()
|
||||
self.prefix = self.sdist_files[0]
|
||||
self.get_git_files()
|
||||
|
||||
for file in self.git_files:
|
||||
if os.path.basename(file) in self.exclude_files:
|
||||
self.debug("excluding file '%s'" % file)
|
||||
continue
|
||||
|
||||
if file not in self.sdist_files:
|
||||
self.missing_files.append(file)
|
||||
else:
|
||||
#self.debug("file %s matches" % file)
|
||||
pass
|
||||
if len(self.missing_files) > 0:
|
||||
self.error("files missing in package: %s" % self.missing_files)
|
||||
print "SUCCESS: Generated package '%s' is valid" % self.package
|
||||
|
||||
def get_project_name(self):
|
||||
""" get git project name """
|
||||
self.project_name = os.path.basename(os.path.abspath(os.curdir))
|
||||
|
||||
def get_exclude_files(self):
|
||||
""" read the file and get file list """
|
||||
fh = open(self.e_file, 'r')
|
||||
content = fh.readlines()
|
||||
fh.close()
|
||||
self.debug("files to exclude: %s" % content)
|
||||
|
||||
# remove trailing new lines.
|
||||
self.exclude_files = [x.strip() for x in content]
|
||||
|
||||
def get_git_files(self):
|
||||
""" read file list from git archive """
|
||||
git_tar = os.path.join(os.getcwd(), '%s.tar' % self.project_name)
|
||||
try:
|
||||
a_cmd = "git archive -o %s HEAD --prefix=%s" % \
|
||||
(git_tar, self.prefix)
|
||||
self.debug("executing command '%s'" % a_cmd)
|
||||
(status, out) = commands.getstatusoutput(a_cmd)
|
||||
if status != 0:
|
||||
self.debug("command '%s' returned status '%s'" %
|
||||
(a_cmd, status))
|
||||
if os.path.exists(git_tar):
|
||||
os.unlink(git_tar)
|
||||
self.error('git archive failed: %s' % out)
|
||||
except Exception, err:
|
||||
if os.path.exists(git_tar):
|
||||
os.unlink(git_tar)
|
||||
self.error('git archive failed: %s' % err)
|
||||
|
||||
try:
|
||||
tar_cmd = "tar tf %s" % git_tar
|
||||
self.debug("executing command '%s'" % tar_cmd)
|
||||
(status, out) = commands.getstatusoutput(tar_cmd)
|
||||
if status != 0:
|
||||
self.error('invalid tar file: %s' % git_tar)
|
||||
self.git_files = out.split('\n')
|
||||
self.debug("Removing git archive ... %s ..." % git_tar)
|
||||
os.remove(git_tar)
|
||||
except Exception, err:
|
||||
self.error('unable to read tar: %s' % err)
|
||||
|
||||
def get_sdist_files(self):
|
||||
""" create package for project and get file list in it"""
|
||||
if not self.package:
|
||||
try:
|
||||
sdist_cmd = "python setup.py sdist"
|
||||
self.debug("executing command '%s'" % sdist_cmd)
|
||||
(status, out) = commands.getstatusoutput(sdist_cmd)
|
||||
if status != 0:
|
||||
self.error("command '%s' failed" % sdist_cmd)
|
||||
except Exception, err:
|
||||
self.error("command '%s' failed" % (sdist_cmd, err))
|
||||
|
||||
self.package = os.listdir(self.dist_dir)[0]
|
||||
self.package = os.path.join(self.dist_dir, self.package)
|
||||
tar_cmd = "tar tzf %s" % self.package
|
||||
try:
|
||||
self.debug("executing command '%s'" % tar_cmd)
|
||||
(status, out) = commands.getstatusoutput(tar_cmd)
|
||||
if status != 0:
|
||||
self.error("command '%s' failed" % tar_cmd)
|
||||
#self.debug(out)
|
||||
self.sdist_files = out.split('\n')
|
||||
except Exception, err:
|
||||
self.error("command '%s' failed: %s" % (tar_cmd, err))
|
||||
|
||||
def debug(self, msg):
|
||||
if self.verbose:
|
||||
sys.stdout.write('DEBUG: %s\n' % msg)
|
||||
|
||||
def error(self, msg):
|
||||
sys.stderr.write('ERROR: %s\n' % msg)
|
||||
sys.exit(1)
|
||||
|
||||
def usage(self, msg=None):
|
||||
if msg:
|
||||
stream = sys.stderr
|
||||
else:
|
||||
stream = sys.stdout
|
||||
stream.write("usage: %s [--help|h] [-v] "
|
||||
"[-p|--package=sdist_package.tar.gz] "
|
||||
"-e|--exclude=filename\n" \
|
||||
% os.path.basename(sys.argv[0]))
|
||||
if msg:
|
||||
stream.write("\nERROR: " + msg + "\n")
|
||||
exitCode = 1
|
||||
else:
|
||||
exitCode = 0
|
||||
sys.exit(exitCode)
|
||||
|
||||
if __name__ == '__main__':
|
||||
tardiff = OpenStackTarDiff()
|
||||
tardiff.verify()
|
21
setup.py
Normal file
21
setup.py
Normal file
@ -0,0 +1,21 @@
|
||||
import datetime
|
||||
from setuptools import setup
|
||||
from sphinx.setup_command import BuildDoc
|
||||
|
||||
ci_cmdclass={}
|
||||
|
||||
class local_BuildDoc(BuildDoc):
|
||||
def run(self):
|
||||
for builder in ['html', 'man']:
|
||||
self.builder = builder
|
||||
self.finalize_options()
|
||||
BuildDoc.run(self)
|
||||
ci_cmdclass['build_sphinx'] = local_BuildDoc
|
||||
|
||||
setup(name='nova',
|
||||
version="%d.%02d" % (datetime.datetime.now().year, datetime.datetime.now().month),
|
||||
description="OpenStack Continuous Integration Scripts",
|
||||
author="OpenStack CI Team",
|
||||
author_email="openstack-ci@lists.launchpad.net",
|
||||
url="http://launchpad.net/openstack-ci",
|
||||
cmdclass=ci_cmdclass)
|
Loading…
x
Reference in New Issue
Block a user