We only want to start it when we've installed or upgraded.
The initial-init and init are designed so that either one of them runs:
one if there is no init script (initial install), the other if there
is (upgrade). The things they trigger should only run in response
to those actions.
Change-Id: I3bcaaed07bcf6239e053789b9b6241cbf652e7d4
The replication_targets parameter doesn't appear to be used anywhere,
let's get rid of it to avoid confusion.
Change-Id: I25fdb9d5e99b3876e6a363e5f967f22f8674b7c6
This change configures puppet to install core plugins which are packaged with
the released gerrit.war file. The method to install the plugins is to just extract
them from the war file and place them into the review_site/plugins folder. This method seemed
easier than using the 'init --install-plugin' option because the --install-plugin
option requires listing every plugin by name.
Change-Id: I08335f970cee9e88d41c3695fccb370d05d1a4d1
The ssh key in ~gerrit2/.ssh/id_rsa which is what is used for outbound
ssh-based replication is currently just kinda there by hand. Add management
of the files there.
Change-Id: I5bfea4543d6eb46ba2e9f3c791f4e6b6c5534522
Closes-Bug: 1209464
This patch addresses:

* LDAP not requiring username or password (anonymous bind)
  This is required to support configurations where LDAP is on a secure network,
  and anonymous bind is enabled.

* LDAP using a self signed SSL cert (verify ssl on or off)
  This is required to support configurations where LDAP requires SSL, but ssl is
  using an internal or self signed certificate, and therefore fails cert checks.
  This also covers testing conditions where a consumer might use OS with LDAP+ssl
  unsigned.

* LDAP using a nonstandard cn naming convention (i.e. email address).
  This is required to deal with an edge case where 'cn' in ldap might be something
  other than a bare username. Gerrit pulls the ssh username from that value and
  will not accept a non-alphanumeric address. By setting 'accountSshUserName' in
  puppet, that is settable.

* LDAP prepopulating account Full name.
  Gerrit has a configuration option to pull Full Name from LDAP, this change exposes
  that option.
Change-Id: Ibd41d59ff98e406b42e1e14cc17e23b3d6211d58
It would be good to keep the command output and exit code when installing or
upgrading gerrit in case it doesn't work.
Change-Id: Ia93001706b4ea509797419b74716c23db47aaed1
The `$mysql_password` variable is used by the `secure.config.erb`
template in the gerrit class, but is not passed from
openstack_project::review -> openstack_project::gerrit -> gerrit.
Instead it uses dynamic scoping to find the variable and won't work in
Puppet 3. This adds the full parameter passing for Puppet 3.
This commit also adds "Template uses" comments immediately preceding
resource declarations which use a `template()` function to describe all
variables used by the gerrit templates. This greatly helps with
debugging issues such as this.
Change-Id: I747e3e4623444c0345a7aed3732b7d316f1a7726
These things were listed before we had jeepyb as its own thing
(gerritlib in gerrit) and before jeepyb has pbr/requirements.txt
as it does now. With the move to pip install -U . in /opt/jeepyb,
there is no need to also ask puppet to manage these.
Change-Id: I7b521d03b3df8c0bde37586748769f160e615d31
* modules/gerrit/manifests/init.pp: The gerrit installer adds
jarfiles for bcprov and mysql-connector into its lib directory, but
puppet needs to know how to add them itself.
Change-Id: Id61260d0d28f1aadf85dc8604688b0131cddf682
Puppetlabs-mysql 0.6.1 correctly removes the local ::1 root user in the
account_security manifest. Upgrade to this version to take advantage of
that. Do not upgrade to latest version (0.9.0) to minimize delta that
needs testing.
Change-Id: Ic8265733f1159f34ae0afcccdea4c7d8cd44e3cb
The version of puppetlabs-mysql that we use does not remove the local
::1 root user from the mysqld. Explicitly remove this user.
Change-Id: I626fcc77c75a29d3f3cab57217b714e68a30b468
This time, make the default value false instead of empty string.
This reverts commit 99d3283dc246da4b4d2d26ecfb193b308881f05d
Change-Id: I88108ff75f1c2bd3aa78856c186312340258ec3c
Make it possible to configure with LDAP or OPENID_SSO.
Also, it's possible to not want to need CLAs.
Change-Id: Ie6660c819f4078dd4dd5be052e74aaa98c54cab4
This commit moves the MySQL configuration from the gerrit puppet
module into a separate mysql puppet module. The purpose of
this change is to allow us to more easily customise gerrit's
mysql configuration for each instance of gerrit that we deploy.
Partial-Bug: 1083101
Change-Id: Ibcc31b3fce8af54229fd4de69a49842ac1c428ae
Modify gerrit's git replication configuration so that it
pulls in from a list of replication targets defined in
puppet rather than individually added stanzas.
Pull the replicate_github variable from files, since it
is no longer required.
The replicate_local variable remains because it's used
in the apache configuration and for setup of the local
replication space for git.
Also add the cgit server to the list of servers.
Change-Id: I68de89bb216565f1754eb9b192bd437adcbf768b
Oracle has EOLed Java 6. While OpenJDK 6 is still supported, development
on it has slowed. Upgrade to OpenJDK 7 and run Gerrit on this newer
platform.
Change-Id: Id5867a0269bc6af3e7f6214112e91c8848ffbbe4
Actually, it's support for parameterized listen_address, but the
real thing you want it for is setting the port.
Change-Id: If75fedce32f35a8f72c92fc709d5c9e8b2d35235
Reviewed-on: https://review.openstack.org/33925
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
And slow down bing (msnbot).
Change-Id: Id8361047abc2cfb52260b3d0ef01275ec3a923f5
Reviewed-on: https://review.openstack.org/32435
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Elizabeth Krumbach Joseph <lyz@princessleia.com>
Reviewed-by: Anita Kuno <anita.kuno@enovance.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Change-Id: If87b0242c9203175335842832d13ebc6dfec2950
Reviewed-on: https://review.openstack.org/25119
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
This is useful for testing Gerrit's contactstore features if you
don't have a real contact store server set up already.
* modules/gerrit/files/fakestore.cgi: An extremely trivial shell
script which returns the content Gerrit expects from a successful
submission to a contactstore server. Note this does not check the
application security key or store any of the post variables--it is
simply a black hole for contact updates.
* modules/gerrit/manifests/init.pp: If the contactstore feature is
enabled in Gerrit, install the fakestore.cgi script so it can be
available for testing.
* modules/gerrit/templates/gerrit.vhost.erb: If the contactstore
feature is enabled, ScriptAlias the /fakestore URL to the
fakestore.cgi script.
Change-Id: Ifa0f80bab9e8b8e207f0ffd83f01c8a3d904618e
Reviewed-on: https://review.openstack.org/19939
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
Change-Id: I6d6addc2bc0e28b289726cddd6626669dbec1e17
Reviewed-on: https://review.openstack.org/17292
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Change-Id: I6e5fa77a301eec30cff8e16bad33a91bfd95b13f
Signed-off-by: Paul Belanger <paul.belanger@polybeacon.com>
Reviewed-on: https://review.openstack.org/17176
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Jeremy Stanley <fungi@yuggoth.org>
Tested-by: Jenkins
Instead of keeping many of these files directly in the tree, use them
from the out-of-tree jeepyb project, which makes them easier to consume
for other people who are not us.
Change-Id: Id704f2e17dd80709ef63cbbf2c5475a08a835f91
Reviewed-on: https://review.openstack.org/16777
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Mostly documentation and parameterised class parameter complaints.
Change-Id: Idbfd348a5befb041ce6eb36f9c6b195fc0c6799f
Reviewed-on: https://review.openstack.org/16685
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
Manage project creation via yaml files. Also,
modify the manage_projects scripts to configure Gerrit project ACLs.
This change expects the project yaml to exist. The change will clone the
project for the localhost Gerrit install. It will then checkout the
meta/config ref, copy the ACL config file into the repo, commit, and
push to the origin. The ACL config location should be specified in the
projects.yaml file with the acl_config key.
For this to work the ACLs will need to be copied by Puppet from Puppet
to the Gerrit host. Add the file resource to do this as well.
Change-Id: I15a1ec13b381dce3c115c01c21f404ab79e72cc4
Reviewed-on: https://review.openstack.org/15352
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
* Rakefile: Override line length warnings from puppet-lint with its
disable_80chars option.
* modules/gerrit/manifests/cron.pp, modules/gerrit/manifests/init.pp,
modules/gerrit/manifests/remotes.pp, modules/lodgeit/manifests/site.pp,
modules/openstack_project/manifests/cacti.pp: Undo line continuations on
long strings. These were causing particular problems when attempting to
apply crontab entries.
Change-Id: I417788d7953ee0d2b717349564ee9cc78c0c49c2
Reviewed-on: https://review.openstack.org/15822
Reviewed-by: Paul Belanger <paul.belanger@polybeacon.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Tested-by: Jenkins
Change-Id: I5a52c0fd0f5a35c32aa71c0f93500aa59e495066
Reviewed-on: https://review.openstack.org/14910
Reviewed-by: Paul Belanger <paul.belanger@polybeacon.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Have hiera and puppet manage gerrit's ssh:29418 keys (RSA and DSA). These
keys go in /home/gerrit2/review_site/etc.
Change-Id: If8cb3ec5a2e2c582b7fa6d87c520fc0cb7c2f205
Reviewed-on: https://review.openstack.org/14365
Reviewed-by: James E. Blair <corvus@inaugust.com>
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
I hope. The grant parameter appears to want an array so give it one.
Also enforce order by requiring the mysql server and account security
settings in the DB resource.
Change-Id: I2c99c25cb09cb5b68240a5fbd146f47ba8aee410
Reviewed-on: https://review.openstack.org/14320
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
The destination dir for the bcpg link needs to be present before the
link can be made. Add that dir to the gerrit init manifest and require
it in the link file resource.
Change-Id: I462cc96dcd0eafa814e3e3599a96eacc64665bcf
Reviewed-on: https://review.openstack.org/14319
Reviewed-by: Jeremy Stanley <fungi@yuggoth.org>
Reviewed-by: Paul Belanger <paul.belanger@polybeacon.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Change-Id: I68c6cd9b24c93f9f1cc2ba92eceae49b3c38ed36
Reviewed-on: https://review.openstack.org/14176
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
Recent ssl cert management changed the group on the ssl keys to root
from ssl-cert. Change it back.
Change-Id: I6dcbeca364fa9c435aee520248a59f0917cd02a8
Reviewed-on: https://review.openstack.org/14116
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
Use Hiera to store the review.o.o SSL certs and pass them down to the
gerrit module.
While modifying these files, fix indentation and rocket ship alignment
according to puppet lint in the sections touched.
Change-Id: I914b0dea72c77dedb44a4e6f51417985e673b315
Reviewed-on: https://review.openstack.org/13975
Approved: James E. Blair <corvus@inaugust.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Tested-by: Jenkins
* modules/gerrit/manifests/init.pp: The file block for the bcpg.jar
symlink should require the libbcpg-java package rather than the jarfile
it installs.
Change-Id: Icf4356c51425a816aea523f835e8bc7c62055b28
Reviewed-on: https://review.openstack.org/13392
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Approved: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins
This replaces the previous Echosign+Launchpad+Wiki+approver-based
asynchronous contributor license agreement signing process with a
fully-automated one contained entirely within Gerrit itself.
Note that the CLA features in Gerrit's WebUI depend on a modified
gerrit.war with an earlier patch reverted:
https://review.openstack.org/12716
* manifests/site.pp(review-dev.openstack.org): Fill contactstore_appsec
and contactstore_pubkey private material from hiera, for use by Gerrit's
contact store feature. Similar entries should be added for
review.openstack.org before going into production.
* modules/gerrit/manifests/init.pp(gerrit): Add contactstore,
contactstore_appsec and contactstore_url variables needed by the
gerrit.config.erb template, and contactstore_pubkey needed by the
contact_information.pub.erb template. Add a conditional block so that if
contactstore is enabled it installs the libbcpg-java package which
Bouncy Castle needs for OpenPGP operations, links the bcpg.jar into
Gerrit's lib directory, and builds contact_information.pub from the
contact_information.pub.erb template.
* modules/gerrit/templates/contact_information.pub.erb: New template
which is effectively an empty file waiting to be filled with the
contents of the contactstore_pubkey variable. The
gerrit_contact_information.pub file built from it gets used to encrypt
contact information filed by users in such a way that it can only be
decrypted by the private key held by the Foundation.
* modules/gerrit/templates/gerrit.config.erb(contactstore): New section,
implemented conditionally for safety. Once enabled, if the
contactstore_appsec and contactstore_url are unset then Gerrit will
refuse to start. If the system referred to by contactstore_url is
unresponsive or contactstore_appsec does not contain the shared secret
it's expecting, contributors will be unable to file initial or updated
contact information through Gerrit's WebUI.
* modules/openstack_project/files/gerrit/cla.html: A stripped-down HTML
copy of http://wiki.openstack.org/CLA retaining all the original
wording. This will probably need updating by OpenStack Foundation staff.
* modules/openstack_project/manifests/gerrit.pp
(openstack_project::gerrit): Add contactstore, contactstore_appsec,
contactstore_pubkey and contactstore_url variables to pass back into the
gerrit module. Also define the cla_description, cla_file, cla_id and
cla_name variables which get used in the gerrit_set_agreements.sh.erb
template. Add an entry to install the cla.html file.
* modules/openstack_project/manifests/review_dev.pp
(openstack_project::review_dev): Add the contactstore_appsec and
contactstore_pubkey variables so they can be filled in by hiera.
Override the war to pull in the g69c8fa6 test build which has the
aforementioned CLA bits restored. Turn on contactstore and set
contactstore_url to point to an existing test CGI on the Internet until
the Foundation has theirs ready. Pass contactstore_appsec and
contactstore_pubkey through up into gerrit.pp. Add an entry for the
set_agreements.sh script built from the gerrit_set_agreements.sh.erb
template and then execute it to add the new CLA to Gerrit's DB and mark
the old one expired. Similar changes should be made in review.pp before
going into production.
* modules/openstack_project/templates/gerrit_set_agreements.sh.erb: New
template used to build a set_agreements.sh script which checks Gerrit's
database and, if necessary, expires the old Echosign CLA and adds the
new local CLA. These conditions are checked and associated operations
performed independently, so subsequent runs become a no-op.
Post-migration, this can probably be neutered further and kept around
for pushing future CLA modifications into the database when needed.
Change-Id: Ib7136fef23dbd5602955649b33a57bc8d7106026
Reviewed-on: https://review.openstack.org/13058
Reviewed-by: Monty Taylor <mordred@inaugust.com>
Reviewed-by: Clark Boylan <clark.boylan@gmail.com>
Reviewed-by: James E. Blair <corvus@inaugust.com>
Approved: Monty Taylor <mordred@inaugust.com>
Tested-by: Jenkins