[vdsm] Jenkins and Gerrit.

Dan Kenigsberg danken at redhat.com
Thu Aug 9 07:30:19 UTC 2012


On Wed, Aug 08, 2012 at 03:53:35PM -0400, Robert Middleswarth wrote:
> On 08/08/2012 03:07 PM, Dan Kenigsberg wrote:
> >On Wed, Aug 08, 2012 at 09:58:17AM -0400, Robert Middleswarth wrote:
> >>On 08/08/2012 09:50 AM, Dan Kenigsberg wrote:
> >>>On Wed, Aug 08, 2012 at 02:55:17PM +0200, Ewoud Kohl van Wijngaarden wrote:
> >>>>On Wed, Aug 08, 2012 at 03:48:13PM +0300, Dan Kenigsberg wrote:
> >>>>>On Wed, Aug 08, 2012 at 07:47:02AM -0400, Robert Middleswarth wrote:
> >>>>>>I have set up patch review on Jenkins.info for newly submitted
> >>>>>>patches and it seems to be working pretty well overall, but last
> >>>>>>night while tweaking the process I broke it for a few minutes, but that
> >>>>>>was long enough that about 50 jobs were marked -1. I will be fixing
> >>>>>>that today by rerunning the jobs.  I am sorry if one of your patches
> >>>>>>was dinged and it should be fixed by this time tomorrow.
> >>>>>Thanks, Robert, for working on this. It is highly important for me to
> >>>>>know that something is going to break the build before taking it in.
> >>>>>
> >>>>>However, would it be possible to have a repository where we can review
> >>>>>the code of the robot?
> >>>>It's Gerrit Trigger[1] and the code is on github[2].
> >>>>
> >>>>>I think it is important for the robot to be less noisy, and
> >>>>>particularly, never give V+1. This task is reserved to humans that
> >>>>>actually know what the patch should be doing.
> >>>>The V+1 has been fixed. Will give 0 when they pass, -1 when they fail.
> >>>>
> >>>>>Also, I am not at all sure that the robot is limiting itself to be
> >>>>>running code of trustworthy authors.
> >>>>Eyal added a feature request for this[3]. This was the result of a
> >>>>discussion on the infra mailing list[4].
> >>>As much as I like (and need) this per-commit verification, I think we
> >>>should not deploy it before the feature is implemented.
> >>>
> >>>BTW, Federico suggested to initiate the test only on request (when oVirt
> >>>Jenkins CI Server is added as reviewer). This would allow a more silent
> >>>start for CI.
> >>>
> >>>Thanks,
> >>>Dan.
> >>I already wrote a little bash code to do this outside the plug-in.
> >>It will be in place by the end of the day.
> >This kind of script is exactly the thing I'd like to be peer-reviewed
> >before applied en masse to gerrit changes. Particularly due to the
> >security implications.
> >
> >Regards,
> >Dan.
> If you are talking about the jenkins app that updates Gerrit, that
> has been in use on ovirt-node-devel for some time. As for the
> whitelist script that is like 4 lines.
> 
> git log --pretty="%ce" -n 1 >  $WORKSPACE/current_author.txt

Are we sure that the top author is good enough?
What if a trusted user builds on top of a non-trusted user? Does it
mean that the lower commits are automatically trusted?

> grep -f $WORKSPACE/current_author.txt $WORKSPACE/jenkins-whitelist.txt
> RETVAL=$?
> [ $RETVAL -ne 0 ] && curl -u jenkins_bot:xxxxxx $BUILD_URL/stop;
> 
> It is simple and the files are generated outside of the repo so it
> should be safe.
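
Added example, not part of the original thread or of the oVirt infra scripts: one way to address the question raised above about commits below the tip is to check the author and committer of every commit in the change, matching each address as a fixed whole line of the whitelist and refusing on any doubt. The function names, the base ref in the usage comment and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed whitelist check over every commit in a change.

# all_whitelisted WHITELIST_FILE
# Reads e-mail addresses on stdin, one per line. Succeeds only if at least
# one address was read and every address equals a whole whitelist line.
all_whitelisted() {
    wl_file=$1
    [ -r "$wl_file" ] || return 2       # unreadable whitelist: refuse
    seen=0
    while IFS= read -r addr; do
        seen=1
        [ -n "$addr" ] || return 1      # an empty identity is never trusted
        # -F fixed string (no regex), -x whole line, -e guards a leading '-'
        grep -Fxq -e "$addr" "$wl_file" || return 1
    done
    [ "$seen" -eq 1 ]                   # nothing to check: refuse
}

# change_is_trusted BASE HEAD WHITELIST_FILE
# Collects author (%ae) and committer (%ce) of every commit in BASE..HEAD,
# so an untrusted commit underneath a trusted tip is still rejected.
change_is_trusted() {
    emails=$(git log --format='%ae%n%ce' "$1..$2") || return 2
    printf '%s\n' "$emails" | all_whitelisted "$3"
}

# Constructed demonstration: a trusted tip stacked on an untrusted commit.
# Returns 0 when the check rejects the stack, as it should.
demo_rejects_untrusted_base() {
    demo_wl=$(mktemp) || return 2
    printf '%s\n' 'alice@example.org' 'bob@example.org' > "$demo_wl"
    if printf '%s\n' 'alice@example.org' 'mallory@example.net' |
        all_whitelisted "$demo_wl"; then
        rc=1
    else
        rc=0
    fi
    rm -f "$demo_wl"
    return "$rc"
}

# Usage in a job, before any build step runs (base ref is an assumption):
#   change_is_trusted origin/master HEAD "$WORKSPACE/jenkins-whitelist.txt" || exit 1
```

Exiting the job on a non-zero status keeps the decision local, so an untrusted change is not built even if a later call to stop the build fails.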


