From: Andrew Grimberg Date: Thu, 7 Sep 2017 14:07:09 +0000 (+0000) Subject: Merge "Create job to lock|unlock branches via Gerrit" X-Git-Tag: v0.9.0~11 X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=commitdiff_plain;h=92a481651941f5e235ce7205ebed1a7d0c6501f8;hp=4b443776a06b171d842e2d66c6d21ceddb176909;p=releng%2Fglobal-jjb.git Merge "Create job to lock|unlock branches via Gerrit" --- diff --git a/.jjb-test/expected-xml/gerrit-ciman-gerrit-branch-lock-master b/.jjb-test/expected-xml/gerrit-ciman-gerrit-branch-lock-master new file mode 100644 index 00000000..1ca7ec2f --- /dev/null +++ b/.jjb-test/expected-xml/gerrit-ciman-gerrit-branch-lock-master @@ -0,0 +1,517 @@ + + + + <!-- Managed by Jenkins Job Builder --> + false + false + false + false + build-vm + false + + + + 1 + -1 + -1 + 0 + + + + + + PROJECT + Parameter to identify a Gerrit project. This is typically the +project repo path as exists in Gerrit. +For example: ofextensions/circuitsw + + releng/ciman + + + STREAM + Stream is often set to the same name as 'branch' but can +sometimes be used as a name representing a project's release code +name. + + master + + + GERRIT_PROJECT + Parameter to identify Gerrit project. This is typically the +project repo path as exists in Gerrit. +For example: ofextensions/circuitsw + +Note that Gerrit will override this parameter automatically if a +job is triggered by Gerrit. + + releng/ciman + + + GERRIT_BRANCH + Parameter to identify a Gerrit branch. + +Note that Gerrit will override this parameter automatically if a +job is triggered by Gerrit. + + master + + + GERRIT_REFSPEC + Parameter to identify a refspec when pulling from Gerrit. + +Note that Gerrit will override this parameter automatically if a +job is triggered by Gerrit. + + refs/heads/master + + + LFTOOLS_VERSION + Version of lftools to install. Can be a specific version like +'0.6.0' or a PEP-440 definition. +https://www.python.org/dev/peps/pep-0440/ +For example '<1.0.0' or '>=1.0.0,<2.0.0'. + + <1.0.0 + + + + + + 2 + + + origin + + $GIT_URL/$GERRIT_PROJECT + test-credential + + + + + refs/heads/master + + + + + false + false + true + false + false + Default + + + + + + true + + false + false + + + false + false + false + + 10 + + + + + + + + + + ANT + releng/ciman + + + ANT + **/master + + + false + + + + false + false + false + false + + false + false + true + false + false + + + False + + false + + + (un)?lock branch$ + + + + + + + + + + test-server + + + + + #!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +# Generates a patch to lock|unlock a branch in Gerrit +# +# Assumes that the project repository was cloned via ssh and thus uses ssh to +# install the git commit hook. + +# Ensure we fail the job if any steps fail. +set -eu -o pipefail + +git fetch origin refs/meta/config:config +git checkout config + +install_gerrit_hook() { + ssh_url=$(git remote show origin | grep Fetch | grep 'ssh://' \ + | awk -F'/' '{print $3}' | awk -F':' '{print $1}') + ssh_port=$(git remote show origin | grep Fetch | grep 'ssh://' \ + | awk -F'/' '{print $3}' | awk -F':' '{print $2}') + + if [ -z $ssh_url ]; then + echo "ERROR: Gerrit SSH URL not found." + exit 1 + fi + + scp -p -P "$ssh_port" "$ssh_url":hooks/commit-msg .git/hooks/ + chmod u+x .git/hooks/commit-msg +} +install_gerrit_hook + +# Groups must be mapped in the groups file before they can be used +if ! grep 'Registered Users'; then + echo -e "global:Registered-Users\tRegistered Users" >> groups +fi + +mode=$(echo "$GERRIT_EVENT_COMMENT_TEXT" | grep branch | awk '{print $1}') +case $mode in + lock) + echo "Locking branch: $GERRIT_BRANCH" + git config -f project.config "access.refs/heads/${GERRIT_BRANCH}.exclusiveGroupPermissions" "submit" + git config -f project.config "access.refs/heads/${GERRIT_BRANCH}.submit" "block group Registered Users" + git commit -asm "Lock branch $GERRIT_BRANCH" + ;; + + unlock) + echo "Unlocking branch: $GERRIT_BRANCH" + git config -f project.config --remove-section "access.refs/heads/${GERRIT_BRANCH}" || true + git commit -asm "Unlock branch $GERRIT_BRANCH" + ;; + + *) + echo "ERROR: Unknown mode selected '$mode'." + exit 1 + ;; +esac + +git diff HEAD~1 +git push origin HEAD:refs/for/refs/meta/config + + + + + + + + #!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +echo "---> sysstat.sh" +set +e # DON'T fail build if script fails. + +OS=$(facter operatingsystem) +case "$OS" in + Ubuntu) + SYSSTAT_PATH="/var/log/sysstat" + + # Dont run the script when systat is not enabled by default + if ! grep --quiet 'ENABLED="true"' "/etc/default/sysstat"; then + exit 0 + fi + ;; + CentOS|RedHat) + SYSSTAT_PATH="/var/log/sa" + ;; + *) + # nothing to do + exit 0 + ;; +esac + +SAR_DIR="$WORKSPACE/archives/sar-reports" +mkdir -p "$SAR_DIR" +cp "$SYSSTAT_PATH/"* "$_" +# convert sar data to ascii format +while IFS="" read -r s +do + [ -f "$s" ] && LC_TIME=POSIX sar -A -f "$s" > "$SAR_DIR/sar${s//[!0-9]/}" +done < <(find "$SYSSTAT_PATH" -name "sa[0-9]*" || true) + +# DON'T fail build if script fails. +exit 0 + + + + + + jenkins-log-archives-settings + + SETTINGS_FILE + + + + + + SERVER_ID=logs + + + + #!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +echo "---> create-netrc.sh" + +# Ensure we fail the job if any steps fail. +set -eu -o pipefail + +NEXUS_URL="${NEXUS_URL:-$NEXUSPROXY}" +CREDENTIAL=$(xmlstarlet sel -N "x=http://maven.apache.org/SETTINGS/1.0.0" \ + -t -m "/x:settings/x:servers/x:server[x:id='${SERVER_ID}']" \ + -v x:username -o ":" -v x:password \ + "$SETTINGS_FILE") + +machine=$(echo "$NEXUS_URL" | awk -F/ '{print $3}') +user=$(echo "$CREDENTIAL" | cut -f1 -d:) +pass=$(echo "$CREDENTIAL" | cut -f2 -d:) + +echo "machine $machine login $user password $pass" > ~/.netrc + + + + #!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +echo "---> lftools-install.sh" + +# Script to install lftools via a version passed in via lf-infra-parameters +# +# Required parameters: +# +# LFTOOLS_VERSION: Passed in via lf-infra-parameters configuration. Can be +# set to a strict version number like '1.2.3' or using +# PEP-440 definitions. +# +# Examples: +# <1.0.0 +# >=1.0.0,<2.0.0 +# +# By default a released version of lftools should always be used. +# The purpose of the 2 variables below is so that lftools devs can test +# unreleased versions of lftools. There are 2 methods to install a dev version +# of lftools: +# +# 1) gerrit patch: Used to test a patch that has not yet been merged. +# To do this set something like this: +# LFTOOLS_MODE=gerrit +# LFTOOLS_REFSPEC=refs/changes/96/5296/7 +# +# 2) git branch: Used to install an lftools version from a specific branch. +# To use this set the variables as follows: +# LFTOOLS_MODE=git +# LFTOOLS_REFSPEC=master +# +# 3) release : The intended use case and default setting. +# Set LFTOOLS_MODE=release, in this case LFTOOLS_REFSPEC is unused. + +LFTOOLS_MODE=release # release | git | gerrit +LFTOOLS_REFSPEC=master + +# Ensure we fail the job if any steps fail. +# DO NOT set -u as virtualenv's activate script has unbound variables +set -e -o pipefail + +virtualenv --quiet "/tmp/v/lftools" +# shellcheck source=/tmp/v/lftools/bin/activate disable=SC1091 +source "/tmp/v/lftools/bin/activate" +pip install --quiet --upgrade pip + +case $LFTOOLS_MODE in + gerrit) + git clone https://gerrit.linuxfoundation.org/infra/releng/lftools.git /tmp/lftools + pushd /tmp/lftools + git fetch origin "$LFTOOLS_REFSPEC" + git checkout FETCH_HEAD + pip install --quiet --upgrade -r requirements.txt + pip install --quiet --upgrade -e . + popd + ;; + + git) + pip install --quiet --upgrade git+https://gerrit.linuxfoundation.org/infra/releng/lftools.git@"$BRANCH" + ;; + + release) + if [[ $LFTOOLS_VERSION =~ ^[0-9] ]]; then + LFTOOLS_VERSION="==$LFTOOLS_VERSION" + fi + + pip install --quiet --upgrade "lftools${LFTOOLS_VERSION}" + ;; +esac + +lftools --version + +# pipdeptree prints out a lot of information because lftools pulls in many +# dependencies. Let's only print it if we want to debug. +# echo "----> Pip Dependency Tree" +# pip install --quiet --upgrade pipdeptree +# pipdeptree + +#!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +echo "---> logs-deploy.sh" + +# Ensure we fail the job if any steps fail. +set -eu -o pipefail + +set -x # Trace commands for this script to make debugging easier. + +ARCHIVE_ARTIFACTS="${ARCHIVE_ARTIFACTS:-}" +LOGS_SERVER="${LOGS_SERVER:-None}" + +if [ "${LOGS_SERVER}" == 'None' ] +then + set +x # Disable trace since we no longer need it + + echo "WARNING: Logging server not set" +else + NEXUS_URL="${NEXUS_URL:-$NEXUSPROXY}" + NEXUS_PATH="${SILO}/${JENKINS_HOSTNAME}/${JOB_NAME}/${BUILD_NUMBER}" + BUILD_URL="${BUILD_URL}" + + lftools deploy archives -p "$ARCHIVE_ARTIFACTS" "$NEXUS_URL" "$NEXUS_PATH" "$WORKSPACE" + lftools deploy logs "$NEXUS_URL" "$NEXUS_PATH" "$BUILD_URL" + + set +x # Disable trace since we no longer need it. + + echo "Build logs: <a href=\"$LOGS_SERVER/$NEXUS_PATH\">$LOGS_SERVER/$NEXUS_PATH</a>" +fi + + + + #!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## + +# Clear log credential files +rm "$SETTINGS_FILE" +rm ~/.netrc + + + + ^Build logs: .* + + + false + false + false + + + + + **/*.jenkins-trigger + EXCLUDE + + + false + false + + true + true + true + true + true + true + + + + + + 5 + BUILD_TIMEOUT + true + false + 0 + 3 + absolute + + + + test-credential + + + + diff --git a/.jjb-test/lf-ci-jobs.yaml b/.jjb-test/lf-ci-jobs.yaml index bb2dd42a..ecf365d9 100644 --- a/.jjb-test/lf-ci-jobs.yaml +++ b/.jjb-test/lf-ci-jobs.yaml @@ -3,6 +3,7 @@ name: gerrit-ci-jobs jobs: - "{project-name}-ci-jobs" + - gerrit-branch-lock project-name: gerrit-ciman diff --git a/jjb/lf-ci-jobs.yaml b/jjb/lf-ci-jobs.yaml index cebe4bc9..09dc191a 100644 --- a/jjb/lf-ci-jobs.yaml +++ b/jjb/lf-ci-jobs.yaml @@ -182,6 +182,76 @@ publishers: - lf-infra-publish +###################### +# Gerrit Branch Lock # +###################### + +- job-template: + name: '{project-name}-gerrit-branch-lock-{stream}' + id: gerrit-branch-lock + + ###################### + # Default parameters # + ###################### + + branch: master + git-url: '$GIT_URL/$GERRIT_PROJECT' + stream: master + gerrit_merge_triggers: + - comment-added-contains-event: + comment-contains-value: (un)?lock branch$ + + ##################### + # Job Configuration # + ##################### + + project-type: freestyle + node: '{build-node}' + + properties: + - lf-infra-properties: + project: '{project}' + build-days-to-keep: 1 + + parameters: + - lf-infra-parameters: + project: '{project}' + stream: '{stream}' + branch: '{branch}' + lftools-version: '{lftools-version}' + + wrappers: + - lf-infra-wrappers: + build-timeout: 5 + jenkins-ssh-credential: '{jenkins-ssh-credential}' + + scm: + - lf-infra-gerrit-scm: + git-url: '{git-url}' + refspec: '' + branch: '{branch}' + submodule-recursive: false + choosing-strategy: default + jenkins-ssh-credential: '{jenkins-ssh-credential}' + + triggers: + - gerrit: + server-name: '{gerrit-server-name}' + trigger-on: '{obj:gerrit_merge_triggers}' + projects: + - project-compare-type: ANT + project-pattern: '{project}' + branches: + - branch-compare-type: ANT + branch-pattern: '**/{branch}' + + builders: + - shell: !include-raw-escape: ../shell/gerrit-branch-lock.sh + + + publishers: + - lf-infra-publish + ############# # JJB Merge # ############# diff --git a/shell/gerrit-branch-lock.sh b/shell/gerrit-branch-lock.sh new file mode 100644 index 00000000..64d6ec9c --- /dev/null +++ b/shell/gerrit-branch-lock.sh @@ -0,0 +1,65 @@ +#!/bin/bash +# SPDX-License-Identifier: EPL-1.0 +############################################################################## +# Copyright (c) 2017 The Linux Foundation and others. +# +# All rights reserved. This program and the accompanying materials +# are made available under the terms of the Eclipse Public License v1.0 +# which accompanies this distribution, and is available at +# http://www.eclipse.org/legal/epl-v10.html +############################################################################## +# Generates a patch to lock|unlock a branch in Gerrit +# +# Assumes that the project repository was cloned via ssh and thus uses ssh to +# install the git commit hook. + +# Ensure we fail the job if any steps fail. +set -eu -o pipefail + +git fetch origin refs/meta/config:config +git checkout config + +install_gerrit_hook() { + ssh_url=$(git remote show origin | grep Fetch | grep 'ssh://' \ + | awk -F'/' '{print $3}' | awk -F':' '{print $1}') + ssh_port=$(git remote show origin | grep Fetch | grep 'ssh://' \ + | awk -F'/' '{print $3}' | awk -F':' '{print $2}') + + if [ -z $ssh_url ]; then + echo "ERROR: Gerrit SSH URL not found." + exit 1 + fi + + scp -p -P "$ssh_port" "$ssh_url":hooks/commit-msg .git/hooks/ + chmod u+x .git/hooks/commit-msg +} +install_gerrit_hook + +# Groups must be mapped in the groups file before they can be used +if ! grep 'Registered Users'; then + echo -e "global:Registered-Users\tRegistered Users" >> groups +fi + +mode=$(echo "$GERRIT_EVENT_COMMENT_TEXT" | grep branch | awk '{print $1}') +case $mode in + lock) + echo "Locking branch: $GERRIT_BRANCH" + git config -f project.config "access.refs/heads/${GERRIT_BRANCH}.exclusiveGroupPermissions" "submit" + git config -f project.config "access.refs/heads/${GERRIT_BRANCH}.submit" "block group Registered Users" + git commit -asm "Lock branch $GERRIT_BRANCH" + ;; + + unlock) + echo "Unlocking branch: $GERRIT_BRANCH" + git config -f project.config --remove-section "access.refs/heads/${GERRIT_BRANCH}" || true + git commit -asm "Unlock branch $GERRIT_BRANCH" + ;; + + *) + echo "ERROR: Unknown mode selected '$mode'." + exit 1 + ;; +esac + +git diff HEAD~1 +git push origin HEAD:refs/for/refs/meta/config