1.10 introduces a PASSWORD_COMPLEXITY setting with a default value
of lower,upper,digit,spec - which requires passwords to have an
upper, lower, digit and special character. Our example password does
not have this, so set the PASSWORD_COMPLEXITY setting. We could
alternately leave it at the default and ensure that our passwords
meet the spec.
The sshd_config file is templated now, so we can set the listen port
via env var.
Change-Id: I6e4b595eabb9c6885d78fff1109ea9f602e89ef7
In the dependent change, the docker roles will add sibling packages to
the .zuul-siblings directory of the checked-out source.
Refactor the "assemble" script to handle this. Essentially we build
the wheel for "." and then iterate over ZUUL_SIBLINGS subdirectories
(set in a --build-arg by the role in dependent change) to also build
the sibling packages. Note we concatenate the bindep.txt files, so
that we end up with the complete package list required by the main
code and its dependencies.
"install-from-bindep" now installs all the wheels, using --force to
make sure we re-install the speculatively built packages.
This means that a single Dockerfile works under Zuul when
ZUUL_SIBLINGS is set, pointing to Zuul's checkouts; but it also works
stand-alone -- in this case ZUUL_SIBLINGS is empty and we just install
from upstream as usual.
Depends-On: https://review.opendev.org/696987
Change-Id: I4943ae723b06b0ad808e7c7f20788109e21aa8bf
We are seeing issues with hanging git connections discussed in [1].
It is suggested to upgrade to gitea 1.9.6; do that.
[1] https://github.com/go-gitea/gitea/issues/9006
Change-Id: Ibbbe73b5487d3d01a8d7ba23ecca16c2264973ca
I'm bad at Gitea templates, so the recently-introduced "proposed
changes" tab is active-selected (while it should never be) and the link
is missing the repository name.
This should fix it...
Change-Id: I02adc8ebd012adc233a37223480d14517c7f3c98
Gitea is quickly becoming the public face of Opendev, however it can
be difficult for visitors to understand how to propose changes (or
access already-proposed changes), and then assume everything on opendev
is read-only (which is the exact opposite of what we want to convey).
In the spirit of further integrating Opendev tooling, add a link
on every repository to open proposed changes on Gerrit.
NB: the link is not I18n-ilized since there is no simple way to add a
new string there, and I did not want to use the "Pull requests"
terminology.
Change-Id: I851a1e7d25556194947198a8f5534542d167c7f8
Java is in /usr/local in these base images. Also, combining
ENTRYPOINT and CMD with [] syntax seems to lead to the whole
thing with [ getting passed to the entrypoint - which leads to
errors like:
/bin/sh: 1: [/usr/bin/java,: not found
Change-Id: I7c1ebdff58d6590724eaf5d429437a5c8c25fe22
Also Revert "Update gitea build to golang 1.13 on buster-slim"
1.9.4 has a bug where doing a get as an unauthenticated user
results in a 500:
http://paste.openstack.org/show/785534/
A pull request has been submitted upstream:
https://github.com/go-gitea/gitea/pull/8653
This reverts commit 1993d985d037a24f31c85026d8add2a8d23b4d9a.
This reverts commit cedb272a9bcbc044180b5caef81567673b0434ff.
Change-Id: I75c117d0dc851f7b3c389a19ad0c8e233886b250
buster is the new debian release, use it. And use the
slim image, rather than the full, because we can.
Upstream is now building with 1.13 - follow suit.
Update the FROM lines to use explicit paths to images.
Change-Id: I42f7cea1365b8bb0af56861f38107cbdffd130b0
This is the latest release from upstream. We're not
currently running with any additional patches, although
we did submit one for the atomic updating of repo counts. That
patch will be in 1.10.
There is only one change to the templates we've customized
since the ref we're running from. That is included in the
repo/header.tmpl.
Change-Id: Id426ce6072e127a08810b9fbb109445d36bef2d9
Apparently, an update to the python-base image caused a new image
to be uploaded to dockerhub. Because python-builder was not updated,
it is running a slightly older base image which we believe is causing
issues with python wheel packaging due to possible different python
versions.
Change-Id: I38948882131e30c7358a970292621b0280b75aac
A few things have changed and we need to fix them in one go.
Use mirror for installing docker for buildset-registry
While we need to make this more systemic, that's hanging off of the
mirror rework. For now, since we know all of these jobs are debian
based, just set the mirror location.
Replace use of zuul cloner with git clones
You can never be a prophet in your own hometown. This is now broken
because of the git cache rework, so just replace it.
Update libjemalloc library
python:slim is based on buster now, which has libjemalloc2 not
libjemalloc1.
Remove gerrit repo remote for submodules
A recent change to the base jobs to use prepare-workspace-git
broke the gerrit image builds by actually having the origin
remote be /dev/null as intended. This breaks submodules because
for a few of them where we don't have matching stable branches
the submodule relative path behavior is actually exactly what
we want.
Since we don't care about the remote otherwise, remove the
origin remote before doing the submodule update --init so that
the submodule will clone the refs from the zuul prepared repo.
Change-Id: Ieb5b6bc8711fe971ed3445c7c267306ac4616464
Our existing config management puts files into hooks and static.
We can bind mount those in, but having the mount-points in the
image is useful.
The tmp dir is important for gerrit to be able to write
plugin expansions and javaamelody data.
Change-Id: Idd917c268ed7bdead412620dfe3ca842736b7463
1.0.0 has released, which is what gerrit wants now. Use it.
Depends-On: https://review.opendev.org/688555
Change-Id: I6cd76b8cfda3656d6105f9fe96b82a388809375f
We need jeepyb installed because the content of the gerrit hook scripts
we install is done via jeepyb commands. Use python-builder so that we
can just install the jeepyb wheel.
Should we maybe transition these hooks into being zuul jobs?
Depends-On: https://review.opendev.org/683146/
Change-Id: I8899885b05d1e9f48b3f354ca22b360b54d455a3
Use latest bazel
It seems 0.27 is now too old. This is what happens when I go on vacation
apparently.
Add in a hack to override the bazelversion. We'll remove this once
https://gerrit-review.googlesource.com/c/gerrit/+/237495 lands and
has been merged up.
Change-Id: Ib7a6d33ce8bf8498fd5cd09b25087dc09acb8df4
There is a bunch of duplication which needs to be redone almost never.
Split those into their own images so we can run them once and reuse them.
Change-Id: I923d4bff96dae75eb52a1c271fa52d5ae79933a0
We had some extra bazel options that don't seem to be necessary
anymore now that we are using upstream bazel options appropriately.
Retry the build a couple of times if it goes south, inside of the
build image. This should allow re-use of the cache the second time,
and if there is a temporary error, it should pick up and move
forward.
Change-Id: I5f304acb21fd3a4d40701fc0414ae0c424c838e5
During the Gerrit Hackathon, we learned some things about setting
bazel options. Use the ones recommended in upstream docs rather than
these. The outcome should be largely the same.
Change-Id: I32b4c567488f0739fb80f69dc881b9837803575c
Currently we don't have any logs from our gitea sshd processes because
sshd logs to syslog by default and /dev/log isn't in our containers. You
can ask sshd nicely to log to stderr instead with the -e flag which
docker will pick up and store for us.
Update the sshd command to include -e then use testinfra to check we
collect logs and they are accessible from docker.
Change-Id: Ib7d6d405554c3c30be410bc08c6fee7d4363b096
Our goal is upgrading to 3.0. To do that we need to upgrade to 2.15, then
to 2.16, then to 3.0. Build all of the images so that we can do that.
2.16 and 3.0 also use bazel, so just use one copy of the Dockerfile for
all three and let zuul check out the repos to the right versions.
Depends-On: https://review.opendev.org/673147
Depends-On: https://review.opendev.org/672320
Change-Id: I35bd278e0c70c871fa44d005c60a987d1d8e3cdc
To provide a stepwise upgrade path from 2.13 running directly to
2.15 in a container, make a container image containing the war we're
using currently. This should let us make a change to how we run the
war without changing the war at all, and then update the war.
Instead of trying to make a clean build for gerrit 2.13 inside of a
builder image, just have it wget the already built wars and jars we
have.
There are pieces of this that duplicate what's being done in puppet,
but in this context it's not immediately clear these are important to
do. However, it's also not clear they're a bad idea.
The gerrit 2.15 build needs a newer bazel. Looking at the CI scripts
that are used by gerrithub, we find that they use bazel 0.26.1
and nodesource v10. Use the bazel image published by google to get
a bazel builder image.
Set gerrit uid/gid to 3000 in both images to match the existing
directory ownership so that bindmounting doesn't face permissions
problems.
Change-Id: I3533f01c0859ed50640dcfd98023994c5867c056
This reverts commit fe1b3cee80982fa1ec9c084196dd3b19b3f27f44.
We suspect this may be the cause of some templates going all weird:
* times are showing up as "ago%!(EXTRA string=months%!(EXTRA int64=8))"
* many strings are now showing up as lower cased (eg "explore")
Also, the link to gerrit for nova is "project:openstack/" and is
missing the "nova" portion of the name.
Change-Id: I72a06efd118ad0eae231f5ddf1a9888cb8d35aba
Build a container image with the haproxy-statsd script, and run that
along with the haproxy container.
Change-Id: I18be70d339df613bf9a72e115e80a6da876111e0
The current gitea master has our change to avoid indexing extra
refs, so we can start replicating refs/changes and refs/notes to
it. It also fixes a bug we observed when viewing the index of
the starlingx/integ repo.
This also switches us back to the upstream repo, though since
we're using an intermediate commit, the version displayed in
the web ui will be "6eb53ac570ab9af51fc9cbd79f1db782edce57e0".
The docker entrypoint script has moved, so the Dockerfile is updated
to reflect that.
Change-Id: I47769fc1ca62a39122d96a1fc0c1bfc2caca6a4f
This has a few emergency local patches while we wait for them to
appear in an upstream release.
This updates the modified templates to match the changes in 1.8.0
upstream.
This also disables the oauth2 service, which is new in 1.8.0.
Without disabling this, gitea tries to generate a JWT secret and
write it to the file, which in our case is read only. If we want
to enable it, we need to add a new JWT_SECRET setting.
Change-Id: I969682bce6ff25b7614ce9265097307ee9cbc6cb
Co-Authored-By: Monty Taylor <mordred@inaugust.com>
This helps to reduce the image size by not creating /root/.cache folder
for pip related files.
Change-Id: I1162d7d6fd2e4c7dd9cde44c964aec610a4dd6d3
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
By removing /var/lib/apt/lists it reduces the image size.
Change-Id: Icbe118a2725700b9e5e8da97d062161c5b9a5d2d
Signed-off-by: Paul Belanger <pabelanger@redhat.com>
jemalloc is apparently good with python memory according to
https://zapier.com/engineering/celery-python-jemalloc/
Also, according to these graphs from Tobias:
https://paste.pics/581cc286226407ab0be400b94951a7d9
it helps with the apparent memory leak seen in python3.6
and python3.7 with zuul.
There doesn't seem to be any downside to it, so install it
and enable it.
Change-Id: I354bc35e5fa1aee90e1c8b6918c5a70dafd4f990
There's no real need to tie these together into a multi-stage
Dockerfile as they don't really share anything. Split them.
Change-Id: Ifd7ccadcd8048eeb57797d60356aec2f9f0d2c80
Depends-On: https://review.openstack.org/641805