Opened 5 years ago

Closed 16 months ago

#8033 closed Feature/Enhancement Request (fixed)

we should move mf/pl git repositories off tachanka infrastructure

Reported by: https://id.mayfirst.org/ross Owned by: https://id.mayfirst.org/jaimev
Priority: Medium Component: Tech
Keywords: git.mayfirst.org git mfpl-repositories Cc: https://id.mayfirst.org/jeremyb
Sensitive: no

Description (last modified by https://id.mayfirst.org/dkg)

Currently git.mayfirst.org is served from tachanka infrastructure (git.tachanka.org). Since this infrastructure basically limits access to our services to two people (dkg and jamie), the rest of the support team cannot participate in maintenance of our git repositories. Thus, we should move git.mayfirst.org into a space shared by the support team.

As part of this move, we should determine what we would want out of the new git.mayfirst.org. dkg, the current gitkeeper, has made the following suggestions:

  1. publicly-visible read-only access to git repositories in a reasonable namespace (probably also preserving the namespace we currently offer)
  2. the ability to grant specific people write access to specific repositories
  3. the ability to mirror repositories over to moses where they can show up on SMO.
  4. the ability to host non-publicly-visible repositories (e.g. for keyringer)

In order to accomplish these things, we need to make some basic decisions:

  1. Where (what server) should git.mayfirst.org live?
  2. Should there be a gitweb (similar to https://git.mayfirst.org) front end in addition to https://support.mayfirst.org/browser?
  3. Is there a standard way to implement git such that items 0-3 above might be fulfilled? If so, what is the standard and are there any instruction sets for building it out?
  4. Since there are few support-team members with gitkeeper experience, when and how will the current gitkeeper share his knowledge?

Change History (12)

comment:1 Changed 5 years ago by https://id.mayfirst.org/ross

  • Owner set to https://id.mayfirst.org/ross
  • Status changed from new to assigned

comment:2 Changed 5 years ago by https://id.mayfirst.org/dkg

  • Description modified (diff)

comment:3 Changed 5 years ago by https://id.mayfirst.org/dkg

  • Description modified (diff)

fwiw, i am not a "gitkeeper", i'm just someone who happens to have maintained git repositories. Much of what i've done that is mayfirst-related is already documented here in SMO. Perhaps resolving #7906 could be a first start.

Maybe we should set up a minimalist newgit.mayfirst.org, transfer what repos we can transfer, enable whatever services we want to enable, and then repoint the git.mayfirst.org name to it when that's done, leaving tachanka to clean up the old repos.

comment:4 in reply to: ↑ 3 Changed 5 years ago by https://id.mayfirst.org/ross

Replying to https://id.mayfirst.org/dkg:

> Perhaps resolving #7906 could be a first start.

It looks to me like #7906 requires interaction with the current git.mayfirst.org. Are you suggesting making kvm-manager a part of newgit.mayfirst.org instead of fully implementing it under the old architecture?

> Maybe we should set up a minimalist newgit.mayfirst.org, transfer what repos we can transfer, enable whatever services we want to enable, and then repoint the git.mayfirst.org name to it when that's done, leaving tachanka to clean up the old repos.

Should newgit.mayfirst.org be put on moses.mayfirst.org or somewhere else?

comment:5 in reply to: ↑ 4 Changed 5 years ago by https://id.mayfirst.org/dkg

Replying to https://id.mayfirst.org/ross:

> It looks to me like #7906 requires interaction with the current git.mayfirst.org. Are you suggesting making kvm-manager a part of newgit.mayfirst.org instead of fully implementing it under the old architecture?

Yes, precisely. Then when we're ready to re-point the git.mayfirst.org name, it will appear in the right place. Perhaps git.dev.mayfirst.org is a better initial name for this interstitial service, though, given our approach for staging in new services.

> Should newgit.mayfirst.org be put on moses.mayfirst.org or somewhere else?

I'm inclined to isolate it to a separate KVM guest, since i would rather minimize the amount of ssh access we grant to moses. Also, keeping git.dev.mayfirst.org on a separate server could also mean more robust read-only access if we wanted to publish the git repositories themselves across multiple machines (we could serve the content read-only from moses too). But the synchronization to moses would certainly be simpler if it all happened on moses. What do you think about the tradeoffs?

comment:6 in reply to: ↑ 5 Changed 5 years ago by https://id.mayfirst.org/ross

Replying to https://id.mayfirst.org/dkg:

> I'm inclined to isolate it to a separate KVM guest, since i would rather minimize the amount of ssh access we grant to moses. Also, keeping git.dev.mayfirst.org on a separate server could also mean more robust read-only access if we wanted to publish the git repositories themselves across multiple machines (we could serve the content read-only from moses too). But the synchronization to moses would certainly be simpler if it all happened on moses. What do you think about the tradeoffs?

Interesting, as a potential gitkeeper, I'm all for simplicity. However, I think during development it would be less risky and error prone to work from an isolated KVM guest. So I suspect, against my simpler tendencies, a separate guest is probably a better idea. :-(

comment:7 Changed 4 years ago by https://id.mayfirst.org/jeremyb

  • Cc https://id.mayfirst.org/jeremyb added

comment:8 Changed 20 months ago by https://id.mayfirst.org/jamie

Tachanka is about to retire the server providing git.mayfirst.org so this ticket now has more urgency.

Also, we have set up git on allende (restricted access to the MF/PL puppet repo via ssh), so I think that would be a good candidate to install gitolite and take over git.mayfirst.org using the method described by dkg.

comment:9 Changed 19 months ago by https://id.mayfirst.org/jaimev

  • Owner changed from https://id.mayfirst.org/ross to https://id.mayfirst.org/jaimev

I've installed gitolite3 in allende and redirected git.mayfirst.org to the same ip.

The initial setup is using my ssh public key and I can now clone the gitolite-admin repo locally, add new users and ssh keys, and push changes, but I've not yet figured out how to integrate user/key management in gitolite with monkeysphere.

This repo looks interesting but is a few years old: https://github.com/EtiennePerot/gitolite-monkeysphere-integration

Last edited 19 months ago by https://id.mayfirst.org/jaimev (previous) (diff)

comment:10 Changed 19 months ago by https://id.mayfirst.org/jamie

I don't think we need a web service for our git.mayfirst.org, but we do need git-daemon to run so we can check out projects via the git protocol.

I just made the following changes:

  • I added /etc/systemd/system/git-daemon.service:
    [Unit]
    Description=Git Repositories Server Daemon
    Documentation=man:git-daemon(1)
    
    [Service]
    User=nobody
    Group=gitolite3
    ExecStart=/usr/lib/git-core/git-daemon --reuseaddr --base-path=/var/lib/gitolite3/repositories --verbose
    
  • I edited /var/lib/gitolite3/.gitolite.rc and changed the UMASK from 0007 to 0027 - so files/directories are created group readable

Now, you can make a gitolite repo accessible via the git protocol if, in the gitolite3 configuration, you give read access to the daemon, e.g.:

repo mfpl/red
    RW+ = @support_team
    R   = daemon
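
An added example, not part of the ticket or of MF/PL's own tooling: an on-disk audit of what the git-daemon unit above will actually serve. It relies on the `git-daemon-export-ok` marker that git-daemon requires per repository when started without `--export-all`, and on the group read access the UMASK change provides; the allowlist and the `keyringer` and `old` repository names are constructed for the sample.

```python
import os
import stat
import tempfile

# Marker git-daemon requires per repository when run without --export-all.
EXPORT_MARKER = "git-daemon-export-ok"
GROUP_RX = stat.S_IRGRP | stat.S_IXGRP


def audit_exports(base_path, expected_public):
    """Return (exported, unexpected, unreadable) repo names under base_path."""
    exported, unreadable = [], []
    for root, dirs, files in os.walk(base_path):
        if not root.endswith(".git"):
            continue
        dirs[:] = []  # a bare repo: do not descend into it
        if EXPORT_MARKER not in files:
            continue  # git-daemon will refuse to serve this one
        name = os.path.relpath(root, base_path)[: -len(".git")].replace(os.sep, "/")
        exported.append(name)
        # The daemon runs as nobody:gitolite3, so it needs group r-x here.
        if (stat.S_IMODE(os.stat(root).st_mode) & GROUP_RX) != GROUP_RX:
            unreadable.append(name)
    exported.sort()
    unexpected = [r for r in exported if r not in expected_public]
    return exported, unexpected, sorted(unreadable)


def build_sample_tree(base):
    """Constructed sample layout; only mfpl/red comes from the ticket."""
    layout = {
        "mfpl/red.git": (True, 0o750),         # exported, group-readable
        "mfpl/keyringer.git": (False, 0o750),  # private: no marker
        "mfpl/old.git": (True, 0o700),         # stale marker, no group access
    }
    for rel, (export, mode) in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(path)
        if export:
            open(os.path.join(path, EXPORT_MARKER), "w").close()
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        exported, unexpected, unreadable = audit_exports(base, {"mfpl/red"})
        print("exported:", exported)
        print("not on the public allowlist:", unexpected)
        print("exported but not group-readable:", unreadable)
```

On a real host the base path would be the `--base-path` from the unit, and the allowlist the set of repositories intended to be public.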

comment:11 Changed 16 months ago by https://id.mayfirst.org/jamie

I've updated both faq/git and added git-admin with basic documentation. I think we can now close this ticket.

comment:12 Changed 16 months ago by https://id.mayfirst.org/jamie

  • Resolution set to fixed
  • Status changed from assigned to closed
