| Summary: | Hudson instance for Gyrex | ||
|---|---|---|---|
| Product: | Community | Reporter: | Gunnar Wagenknecht <gunnar> |
| Component: | CI-Jenkins | Assignee: | CI Admin Inbox <ci.admin-inbox> |
| Status: | VERIFIED FIXED | QA Contact: | |
| Severity: | normal | ||
| Priority: | P3 | CC: | denis.roy, thanh.ha |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Bug Depends on: | 403843 | ||
| Bug Blocks: | |||
|
Description
Gunnar Wagenknecht
Sorry for the noise. I tried to be smart and use the Bugzilla clone feature. I'll try harder next time!

Gunnar, looks like you're next in line for a HIPP instance now that Sapphire has cleared the way.

I've set up HIPP for Gyrex: https://hudson.eclipse.org/gyrex

I also set up the Gerrit Trigger plugin since that's what's set up on the sandbox and the other Gerrit plugin seems like it hasn't been updated since 2010.

Gunnar, you should be able to log in now (using your email address as user). You should be able to create/delete/manage jobs configuration as well. Let me know if anything needs tweaking.

Denis,

One thing I had to do to set up the Gerrit Trigger was configure an ssh key and Gerrit user. I decided to just copy the id_rsa file from hudson-sandbox over for the gyrex user and reuse the same user that hudson-sandbox was using. Not sure if it's worth having extra Gerrit accounts / different ssh public key files for each HIPP that needs to connect to gerrit?

> Not sure if it's worth having extra Gerrit accounts / different ssh public
> key files for each HIPP that needs to connect to gerrit?
I don't think so. Nothing stops us from changing our minds later on if we see a potential issue.
Is this user a "real" ssh/Unix user or just a virtual user in Gerrit? Also, what are the privileges of this user? (Just curious)

Your HIPP instance runs under a real *Nix account (with no shell). We can optionally put that user account in your Gyrex *nix group(s) so that your Hudson can write directly.

The Gerrit user is just that -- a Gerrit-only account with only a voting permission (Thanh please correct me if I'm wrong).

(In reply to comment #7)
> Your HIPP instance runs under a real *Nix account (with no shell). We can
> optionally put that user account in your Gyrex *nix group(s) so that your
> Hudson can write directly.
>
> The Gerrit user is just that -- a Gerrit-only account with only a voting
> permission (Thanh please correct me if I'm wrong).

Correct, except the hipp user is already in the rt.gyrex group. I've been assigning the hipp user to the project group when I create the users.

I'm a big fan of the least permissions to get the job done, so the user shouldn't be in the project group by default. I'll craft some HIPP docs tomorrow to explain what group membership entails. For now, let's simply ask when a hipp request comes in. Gunnar?

Also, Thanh, can you circle back with Konstantin/Sapphire to see if they want their hipp instance to have access to non-Gerrit Git repos and downloads?

I like the idea of allowing Hudson to "tag" in Git/Gerrit. I'm concerned by downloads permission as well. Currently, Hudson publishes to /shared/rt/gyrex. I have a cron-job running under my user ID, that rsyncs from there to download. This way, I'm able to log in and clean up download myself when required.

(In reply to comment #10)
> I like the idea of allowing Hudson to "tag" in Git/Gerrit. I'm concerned by
> downloads permission as well. Currently, Hudson publishes to
> /shared/rt/gyrex. I have a cron-job running under my user ID, that rsyncs
> from there to download. This way, I'm able to log in and clean up download
> myself when required.
Just want to make sure I didn't misunderstand. You're saying you'd rather not have Hudson be in the rt.gyrex group?

As for tagging we can likely allow it on a per repo (or project) basis by adding the Hudson user to refs/tags/* for all the tagging permissions. Unless you want Hudson to only be able to make specific kinds of tags?

Create Reference (allows non-annotated tags)
Push Annotated Tag
Push Signed Tag

(In reply to comment #11)
> Just want to make sure I didn't misunderstand. You're saying you'd rather not
> have Hudson be in the rt.gyrex group?

+1

> As for tagging we can likely allow it on a per repo (or project) basis by
> adding the Hudson user to refs/tags/* for all the tagging permissions.
> Unless you want Hudson to only be able to make specific kinds of tags?
>
> Create Reference (allows non-annotated tags)
> Push Annotated Tag
> Push Signed Tag

+1

I've removed the hipp user from the gyrex group and also added the Hudson user permissions to tagging for the following repos:

gyrex/addons/gyrex-jersey-jaxrs
gyrex/addons/gyrex-mongodb-persistence
gyrex/addons/gyrex-search
gyrex/examples/gyrex-bugsearch
gyrex/examples/gyrex-fanshop
gyrex/examples/gyrex-hello-cloud
gyrex/gyrex-admin
gyrex/gyrex-platform
gyrex/gyrex-releng

Noticed the gyrex group was missing "Create Reference" and "Push signed tag" permissions for refs/tags/* so I went ahead and added them too.

This is still open. Is there anything else that needs to be done here?

(In reply to comment #14)
> This is still open. Is there anything else that needs to be done here?

No, I'll resolve it now. Feel free to reopen if you find anything else you need on the HIPP instance.

Thanks! Please feel free to delete our old build jobs on global Hudson.

Hmmm, looks like the proxy is not configured.
> Connection to http://repo.maven.apache.org refused: Connection timed out -> [Help 2]
(In reply to comment #17)
> Hmmm, looks like the proxy is not configured.
>
> > Connection to http://repo.maven.apache.org refused: Connection timed out -> [Help 2]

Looks like we were missing ~/.m2/settings.xml. I linked it to the one on the shared Hudson instance in /shared/common so it should be working now. I also created a toolchains.xml based on the one on the shared instance too and symlinked to it.

Thx. It's working now. |
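
The arrangement this thread settles on (the CI account may vote and push tags on refs/tags/*, and nothing else) can be checked against a repository's Gerrit project.config. This is an added example, not part of the bug thread or of Eclipse's tooling; the group name `Hudson CI`, the sample config, the permission key names and treating any `label-*` grant as the voting permission are assumptions.

```python
import re

# Assumption: the tag permissions named in the thread (Create Reference,
# Push Annotated Tag, Push Signed Tag) use these project.config keys.
TAG_PERMS = {"create", "pushTag", "pushSignedTag"}
SECTION = re.compile(r'^\[access\s+"([^"]+)"\]$')
GRANT = re.compile(r'^([\w-]+)\s*=\s*(.*?)\s*group\s+(.+)$')

# Constructed sample; "Hudson CI" is a hypothetical group name.
SAMPLE = """
[project]
  description = constructed sample, not a real Gyrex config
[access "refs/heads/*"]
  label-Verified = -1..+1 group Hudson CI
  push = group Hudson CI
  read = group Registered Users
[access "refs/tags/*"]
  create = group Hudson CI
  pushTag = group Hudson CI
  pushSignedTag = group Hudson CI
  pushSignedTag = group Committers
"""

def grants_for(config_text, group):
    """Return (ref, permission) pairs that allow something to `group`."""
    ref, found = None, []
    for line in (raw.strip() for raw in config_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            m = SECTION.match(line)
            ref = m.group(1) if m else None  # ignore non-access sections
            continue
        m = GRANT.match(line)
        if ref and m and m.group(3) == group:
            # deny/block rules restrict access, so they are not grants
            if m.group(2).split()[:1] not in (["deny"], ["block"]):
                found.append((ref, m.group(1)))
    return found

def excess_grants(config_text, group):
    """Grants beyond voting (label-*) and tagging on refs/tags/*."""
    def allowed(ref, perm):
        return perm.startswith("label-") or (
            ref == "refs/tags/*" and perm in TAG_PERMS)
    return [g for g in grants_for(config_text, group) if not allowed(*g)]

if __name__ == "__main__":
    for ref, perm in excess_grants(SAMPLE, "Hudson CI"):
        print(f"excess grant: {perm} on {ref}")
```

On the constructed sample the only finding is the `push` grant on refs/heads/*, which would let the CI account write to branches directly.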