On Mon, Sep 16, 2013 at 11:05:34AM +0200, David Caro wrote:
On Fri 13 Sep 2013 09:24:24 PM CEST, Ewoud Kohl van Wijngaarden wrote:
On Fri, Sep 13, 2013 at 11:00:27AM +0200, David Caro wrote:
On Wed 11 Sep 2013 04:09:17 PM CEST, Ewoud Kohl van Wijngaarden wrote:
For https://fedorahosted.org/ovirt/ticket/71 I submitted http://gerrit.ovirt.org/19141 to use r10k for module deployment.
I do have some concerns for further deployment. Until now I've assumed that we want jenkins to build on new git versions (possibly via the jenkins patch merged trigger) and then push that to foreman.ovirt.org. However, that means we give jenkins implicit root on all of our infra which is a bad thing.
Some solutions I can think of:
1. Set up a cronjob on foreman to poll git 1.1. Run make as the current patch 1.2. Change the patch and switch to dynamic environment support[1] 2. Set up an infra jenkins to automate this
We can also restrict the ssh commands that the user can run, and restrict it to the script that updates the manifests. That will avoid having to give root access to the puppetmaster, that said, the manifests that will be applied have implicit root access everywhere too, but if we want automatic deployments that's what you get (only maintainers should have merge access, meaning that anything that goes through has been reviewed, so what we are really doing is reducing the manual steps to one, when the reviewer merges the patch).
I like this solution. It would remove the polling from foreman and give us logging in jenkins. I'd prefer if foreman retrieves the sources straight from gerrit so jenkins is more like a glorified cron. I think that's less insecure ;)
Agree, so what we need then is: * Create update scripts * Set up restricted shell account to only run that script * Create jenkins job
So I was looking into installing r10k. First of all, I don't like installing through gem. So my next try was using fpm to package it, but it needs rubygem(systemu) >= 2.5.2 and 1.2.0 is in epel. Some options: * Create a newer rubygem(systemu) and hope nothing needs < 2.5.2. * Install through gem and hope nothing breaks * Set up a user with minimal privileges, install it to its homedir. I'm toward the last option, but would love to hear a better alternative.