release-engineering/dist-git
1
0
Fork 0
mirror of https://github.com/release-engineering/dist-git.git synced 2025-02-23 15:02:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

initial

Browse source
This commit is contained in:
Adam Samalik 2015-03-25 12:22:45 +01:00
commit dd7d694060
25 changed files with 1738 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

71
files/cgitrc Normal file
View file

@ -0,0 +1,71 @@
#
# See cgitrc(5) or /usr/share/doc/cgit-*/cgitrc.5.html for details
#
# Enable caching of up to 1000 output entries
cache-size=1000
# Specify some default clone prefixes
clone-prefix=git://pkgs.fedoraproject.org ssh://pkgs.fedoraproject.org http://pkgs.fedoraproject.org/git
# Specify the css url
css=/cgit-data/cgit.css
# Show extra links for each repository on the index page
enable-index-links=1
# Enable ASCII art commit history graph on the log pages
enable-commit-graph=1
# Show number of affected files per commit on the log pages
enable-log-filecount=1
# Show number of added/removed lines per commit on the log pages
enable-log-linecount=1
# Add a cgit favicon
#favicon=/favicon.ico
# Use a custom logo
logo=/cgit-data/cgit.png
# Enable statistics per week, month and quarter
max-stats=quarter
# Set the title and heading of the repository index page
root-title=Fedora Project Packages GIT repositories
# Set a subheading for the repository index page
#root-desc=tracking the foobar development
# Include some more info about this site on the index page
#root-readme=/var/www/html/about.html
# Allow download of tar.gz, tar.bz2 and zip-files
snapshots=tar.gz tar.xz zip
##
## List of common mimetypes
##
mimetype.gif=image/gif
mimetype.html=text/html
mimetype.jpg=image/jpeg
mimetype.jpeg=image/jpeg
mimetype.pdf=application/pdf
mimetype.png=image/png
mimetype.svg=image/svg+xml
# Enable syntax highlighting (requires the highlight package)
#source-filter=/usr/libexec/cgit/filters/syntax-highlighting.sh
#email-filter=lua:/usr/libexec/cgit/filters/email-libravatar-korg.lua
##
## List of repositories.
## PS: Any repositories listed when section is unset will not be
## displayed under a section heading
## PPS: This list could be kept in a different file (e.g. '/etc/cgitrepos')
## and included like this:
project-list=/srv/git/pkgs-git-repos-list
scan-path=/srv/git/rpms/

2
files/clean-lock.cron Normal file
View file

@ -0,0 +1,2 @@
*/15 * * * * root find /var/cache/cgit/ -cmin +60 -name '*.lock' -type f -delete -maxdepth 1

238
files/dist-git-upload.cgi Normal file
View file

@ -0,0 +1,238 @@
#!/usr/bin/python
#
# CGI script to handle file updates for the rpms git repository. There
# is nothing really complex here other than tedious checking of our
# every step along the way...
#
# License: GPL
import os
import sys
import cgi
import tempfile
import grp
import pwd
import syslog
import smtplib
import fedmsg
import fedmsg.config
from email import Header, Utils
try:
from email.mime.text import MIMEText
except ImportError:
from email.MIMEText import MIMEText
import hashlib
# Reading buffer size
BUFFER_SIZE = 4096
# We check modules exist from this dircetory
GITREPO = '/srv/git/rpms'
# Lookaside cache directory
CACHE_DIR = '/srv/cache/lookaside/pkgs'
# Fedora Packager Group
PACKAGER_GROUP = 'packager'
def send_error(text):
print text
sys.exit(1)
def check_form(form, var):
ret = form.getvalue(var, None)
if ret is None:
send_error('Required field "%s" is not present.' % var)
if isinstance(ret, list):
send_error('Multiple values given for "%s". Aborting.' % var)
return ret
def check_auth(username):
authenticated = False
try:
if username in grp.getgrnam(PACKAGER_GROUP)[3]:
authenticated = True
except KeyError:
pass
return authenticated
def send_email(pkg, checksum, filename, username):
text = """A file has been added to the lookaside cache for %(pkg)s:
%(checksum)s %(filename)s""" % locals()
msg = MIMEText(text)
try:
sender_name = pwd.getpwnam(username)[4]
sender_email = '%s@fedoraproject.org' % username
except KeyError:
sender_name = ''
sender_email = 'nobody@fedoraproject.org'
syslog.syslog('Unable to find account info for %s (uploading %s)' %
(username, filename))
if sender_name:
try:
sender_name = unicode(sender_name, 'ascii')
except UnicodeDecodeError:
sender_name = Header.Header(sender_name, 'utf-8').encode()
msg.set_charset('utf-8')
sender = Utils.formataddr((sender_name, sender_email))
recipients = ['%s-owner@fedoraproject.org' % pkg,
'scm-commits@lists.fedoraproject.org']
msg['Subject'] = 'File %s uploaded to lookaside cache by %s' % (
filename, username)
msg['From'] = sender
msg['To'] = ', '.join(recipients)
msg['X-Fedora-Upload'] = '%s, %s' % (pkg, filename)
try:
s = smtplib.SMTP('bastion')
s.sendmail(sender, recipients, msg.as_string())
except:
syslog.syslog('sending mail for upload of %s failed!' % filename)
def main():
os.umask(002)
username = os.environ.get('SSL_CLIENT_S_DN_CN', None)
if not check_auth(username):
print 'Status: 403 Forbidden'
print 'Content-type: text/plain'
print
print 'You must connect with a valid certificate and be in the %s group to upload.' % PACKAGER_GROUP
sys.exit(0)
print 'Content-Type: text/plain'
print
assert os.environ['REQUEST_URI'].split('/')[1] == 'repo'
form = cgi.FieldStorage()
name = check_form(form, 'name')
# Search for the file hash, start with stronger hash functions
if form.has_key('sha512sum'):
checksum = check_form(form, 'sha512sum')
hash_type = "sha512"
elif form.has_key('md5sum'):
# Fallback on md5, as it's what we currently use
checksum = check_form(form, 'md5sum')
hash_type = "md5"
else:
send_error('Required checksum is not present.')
action = None
upload_file = None
filename = None
# Is this a submission or a test?
# in a test, we don't get a file, just a filename.
# In a submission, we don;t get a filename, just the file.
if form.has_key('filename'):
action = 'check'
filename = check_form(form, 'filename')
filename = os.path.basename(filename)
print >> sys.stderr, '[username=%s] Checking file status: NAME=%s FILENAME=%s %sSUM=%s' % (username, name, filename, hash_type.upper(), checksum)
else:
action = 'upload'
if form.has_key('file'):
upload_file = form['file']
if not upload_file.file:
send_error('No file given for upload. Aborting.')
filename = os.path.basename(upload_file.filename)
else:
send_error('Required field "file" is not present.')
print >> sys.stderr, '[username=%s] Processing upload request: NAME=%s FILENAME=%s %sSUM=%s' % (username, name, filename, hash_type.upper(), checksum)
module_dir = os.path.join(CACHE_DIR, name)
hash_dir = os.path.join(module_dir, filename, hash_type, checksum)
msgpath = os.path.join(name, module_dir, filename, hash_type, checksum, filename)
if hash_type == "md5":
# Preserve compatibility with the current folder hierarchy for md5
hash_dir = os.path.join(module_dir, filename, checksum)
msgpath = os.path.join(name, module_dir, filename, checksum, filename)
unwanted_prefix = '/srv/cache/lookaside/pkgs/'
if msgpath.startswith(unwanted_prefix):
msgpath = msgpath[len(unwanted_prefix):]
# first test if the module really exists
git_dir = os.path.join(GITREPO, '%s.git' % name)
if not os.path.isdir(git_dir):
print >> sys.stderr, '[username=%s] Unknown module: %s' % (username, name)
send_error('Module "%s" does not exist!' % name)
# try to see if we already have this file...
dest_file = os.path.join(hash_dir, filename)
if os.path.exists(dest_file):
if action == 'check':
print 'Available'
else:
upload_file.file.close()
dest_file_stat = os.stat(dest_file)
print 'File %s already exists' % filename
print 'File: %s Size: %d' % (dest_file, dest_file_stat.st_size)
sys.exit(0)
elif action == 'check':
print 'Missing'
sys.exit(0)
# check that all directories are in place
if not os.path.isdir(module_dir):
os.makedirs(module_dir, 02775)
# grab a temporary filename and dump our file in there
tempfile.tempdir = module_dir
tmpfile = tempfile.mkstemp(checksum)[1]
tmpfd = open(tmpfile, 'w')
# now read the whole file in
m = getattr(hashlib, hash_type)()
filesize = 0
while True:
data = upload_file.file.read(BUFFER_SIZE)
if not data:
break
tmpfd.write(data)
m.update(data)
filesize += len(data)
# now we're done reading, check the checksum of what we got
tmpfd.close()
check_checksum = m.hexdigest()
if checksum != check_checksum:
os.unlink(tmpfile)
send_error("%s check failed. Received %s instead of %s." % (hash_type.upper(), check_checksum, checksum))
# wow, even the checksum matches. make sure full path is valid now
if not os.path.isdir(hash_dir):
os.makedirs(hash_dir, 02775)
print >> sys.stderr, '[username=%s] mkdir %s' % (username, hash_dir)
os.rename(tmpfile, dest_file)
os.chmod(dest_file, 0644)
print >> sys.stderr, '[username=%s] Stored %s (%d bytes)' % (username, dest_file, filesize)
print 'File %s size %d %s %s stored OK' % (filename, filesize, hash_type.upper(), checksum)
send_email(name, checksum, filename, username)
# Emit a fedmsg message. Load the config to talk to the fedmsg-relay.
try:
config = fedmsg.config.load_config([], None)
config['active'] = True
config['endpoints']['relay_inbound'] = config['relay_inbound']
fedmsg.init(name="relay_inbound", cert_prefix="lookaside", **config)
topic = "lookaside.new"
msg = dict(name=name, md5sum=checksum, filename=filename.split('/')[-1],
agent=username, path=msgpath)
fedmsg.publish(modname="git", topic=topic, msg=msg)
except Exception as e:
print "Error with fedmsg", str(e)
if __name__ == '__main__':
main()

4
files/fedmsg-genacls-config.py Normal file
View file

@ -0,0 +1,4 @@
config = {
'genacls.consumer.enabled': True,
'genacls.consumer.delay': 5, # 5 seconds
}

1
files/genacls.cron Normal file
View file

@ -0,0 +1 @@
02 10 * * * root /usr/local/bin/genacls.sh

136
files/genacls.pkgdb Normal file
View file

@ -0,0 +1,136 @@
#!/usr/bin/python -t
#
# Create an /etc/gitolog/conf/getolog.conf file with acls for dist-git
#
# Takes no arguments!
#
import grp
import sys
import requests
if __name__ == '__main__':
# Get the users in various groups
TRUSTED = grp.getgrnam('cvsadmin')[3]
ARM = grp.getgrnam('fedora-arm')[3]
SPARC = grp.getgrnam('fedora-sparc')[3]
IA64 = grp.getgrnam('fedora-ia64')[3]
S390 = grp.getgrnam('fedora-s390')[3]
PPC = grp.getgrnam('fedora-ppc')[3]
PROVEN = grp.getgrnam('provenpackager')[3]
# Set the active branches to create ACLs for
# Give them the git branch eqiv until pkgdb follows suite
ACTIVE = {'OLPC-2': 'olpc2', 'OLPC-3': 'olpc3', 'EL-4': 'el4',
'EL-5': 'el5', 'el5': 'el5', 'el6': 'el6', 'EL-6': 'el6',
'epel7': 'epel7',
'F-11': 'f11', 'F-12': 'f12', 'F-13': 'f13', 'f14': 'f14', 'f15':
'f15', 'f16': 'f16', 'f17': 'f17', 'f18': 'f18', 'f19': 'f19',
'f20': 'f20', 'f21': 'f21', 'f22': 'f22',
'devel': 'master', 'master': 'master'}
# Create a "regex"ish list 0f the reserved branches
RESERVED = ['f[0-9][0-9]', 'epel[0-9]', 'epel[0-9][0-9]', 'el[0-9]', 'olpc[0-9]']
# Read the ACL information from the packageDB
{% if env == 'staging' %}
url = 'https://admin.stg.fedoraproject.org/pkgdb/api/vcs?format=json'
{% else %}
url = 'https://admin.fedoraproject.org/pkgdb/api/vcs?format=json'
{% endif %}
data = requests.get(url).json()
# Get a list of all the packages
acls = data['packageAcls']
pkglist = data['packageAcls'].keys()
pkglist.sort()
# sanity check
if len(pkglist) < 2500:
sys.exit(1)
# print out our user groups
print '@admins = %s' % ' '.join(TRUSTED)
print '@provenpackager = %s' % ' '.join(PROVEN)
print '@fedora-arm = %s' % ' '.join(ARM)
print '@fedora-s390 = %s' % ' '.join(S390)
print '@fedora-ppc = %s' % ' '.join(PPC)
# Get a list of all the groups
{% if env == 'staging' %}
groups = requests.get('https://admin.stg.fedoraproject.org/pkgdb/api/groups?format=json').json()
{% else %}
groups = requests.get('https://admin.fedoraproject.org/pkgdb/api/groups?format=json').json()
{% endif %}
for group in groups['groups']:
print '@%s = %s' % (group, ' '.join(grp.getgrnam(group)[3]))
# Give a little space before moving onto the permissions
print ''
# print our default permissions
print 'repo @all'
print ' - VREF/update-block-push-origin = @all'
print ' RWC = @admins @fedora-arm @fedora-s390 @fedora-ppc'
print ' R = @all'
#print ' RW private- = @all'
# dont' enable the above until we prevent building for real from private-
for pkg in pkglist:
branchAcls = {} # Check whether we need to set separate per branch acls
buffer = [] # Buffer the output per package
masters = [] # Folks that have commit to master
writers = [] # Anybody that has write access
# Examine each branch in the package
branches = acls[pkg].keys()
branches.sort()
for branch in branches:
if not branch in ACTIVE.keys():
continue
if 'packager' in acls[pkg][branch]['commit']['groups']:
# If the packager group is defined, everyone has access
buffer.append(' RWC %s = @all' % (ACTIVE[branch]))
branchAcls.setdefault('@all', []).append((pkg,
ACTIVE[branch]))
if branch == 'master':
masters.append('@all')
if '@all' not in writers:
writers.append('@all')
else:
# Extract the owners
committers = []
owners = acls[pkg][branch]['commit']['people']
owners.sort()
for owner in owners:
committers.append(owner)
for group in acls[pkg][branch]['commit']['groups']:
committers.append('@%s' % group)
if branch == 'master':
masters.extend(committers)
# add all the committers to the top writers list
for committer in committers:
if not committer in writers:
writers.append(committer)
# Print the committers to the acl for this package-branch
committers = ' '.join(committers)
buffer.append(' RWC %s = %s' %
(ACTIVE[branch], committers))
branchAcls.setdefault(committers, []).append((pkg,
ACTIVE[branch]))
print
print 'repo %s' % pkg
#if len(branchAcls.keys()) == 1:
# acl = branchAcls.keys()[0]
# print ' RW = %s' % acl
#else:
print '\n'.join(buffer)
for reserved in RESERVED:
print ' - %s = @all' % reserved
print ' RWC refs/tags/ = %s' % ' '.join(writers)
if masters:
print ' RWC = %s' % ' '.join(masters)
sys.exit(0)

18
files/genacls.sh Normal file
View file

@ -0,0 +1,18 @@
#!/bin/sh
python /usr/local/bin/pkgdb_sync_git_branches.py
TEMPDIR=`mktemp -d -p /var/tmp genacls.XXXXX`
export GL_BINDIR=/usr/bin
cd $TEMPDIR
# Only replace the acls if genacls completes successfully
if /usr/local/bin/genacls.pkgdb > gitolite.conf ; then
mv gitolite.conf /etc/gitolite/conf/
chown gen-acls:gen-acls -R /etc/gitolite/conf/
HOME=/srv/git /usr/bin/gitolite compile
fi
cd /
rm -rf $TEMPDIR
chown root:packager /etc/gitolite/conf/gitolite.conf-compiled.pm
chmod g+r /etc/gitolite/conf/gitolite.conf-compiled.pm

3
files/git-smart-http.conf Normal file
View file

@ -0,0 +1,3 @@
SetEnv GIT_PROJECT_ROOT /srv/git/rpms
SetEnv GIT_HTTP_EXPORT_ALL
ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/

16
files/git.j2 Normal file
View file

@ -0,0 +1,16 @@
# default: off
# description: The git server offers access to git repositories
service git
{
disable = no
type = UNLISTED
port = {{ git_port }}
socket_type = stream
wait = no
groups = yes
group = {{ git_group }}
user = nobody
server = {{ git_server }}
server_args = {{ git_server_args }} --base-path={{ git_basepath }} --base-path-relaxed
log_on_failure += HOST
}

9
files/git@.service.j2 Normal file
View file

@ -0,0 +1,9 @@
[Unit]
Description=Git Repositories Server Daemon
Documentation=man:git-daemon(1)
Wants=git.socket
[Service]
User=nobody
ExecStart=/usr/libexec/git-core/git-daemon --base-path={{ git_basepath }} --export-all --user-path=public_git --syslog --inetd --verbose
StandardInput=socket

196
files/gitolite.rc Normal file
View file

@ -0,0 +1,196 @@
# configuration variables for gitolite
# This file is in perl syntax. But you do NOT need to know perl to edit it --
# just mind the commas, use single quotes unless you know what you're doing,
# and make sure the brackets and braces stay matched up!
# (Tip: perl allows a comma after the last item in a list also!)
# HELP for commands can be had by running the command with "-h".
# HELP for all the other FEATURES can be found in the documentation (look for
# "list of non-core programs shipped with gitolite" in the master index) or
# directly in the corresponding source file.
%RC = (
# ------------------------------------------------------------------
# default umask gives you perms of '0700'; see the rc file docs for
# how/why you might change this
UMASK => 0002,
# look for "git-config" in the documentation
GIT_CONFIG_KEYS => '',
# comment out if you don't need all the extra detail in the logfile
LOG_EXTRA => 1,
# syslog options
# 1. leave this section as is for normal gitolite logging
# 2. uncomment this line to log only to syslog:
LOG_DEST => 'syslog',
# 3. uncomment this line to log to syslog and the normal gitolite log:
# LOG_DEST => 'syslog,normal',
# roles. add more roles (like MANAGER, TESTER, ...) here.
# WARNING: if you make changes to this hash, you MUST run 'gitolite
# compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
ROLES => {
READERS => 1,
WRITERS => 1,
},
# enable caching (currently only Redis). PLEASE RTFM BEFORE USING!!!
# CACHE => 'Redis',
# ------------------------------------------------------------------
# rc variables used by various features
# the 'info' command prints this as additional info, if it is set
# SITE_INFO => 'Please see http://blahblah/gitolite for more help',
# the CpuTime feature uses these
# display user, system, and elapsed times to user after each git operation
# DISPLAY_CPU_TIME => 1,
# display a warning if total CPU times (u, s, cu, cs) crosses this limit
# CPU_TIME_WARN_LIMIT => 0.1,
# the Mirroring feature needs this
# HOSTNAME => "foo",
# TTL for redis cache; PLEASE SEE DOCUMENTATION BEFORE UNCOMMENTING!
# CACHE_TTL => 600,
# ------------------------------------------------------------------
# suggested locations for site-local gitolite code (see cust.html)
# this one is managed directly on the server
LOCAL_CODE => "/etc/gitolite/local",
# or you can use this, which lets you put everything in a subdirectory
# called "local" in your gitolite-admin repo. For a SECURITY WARNING
# on this, see http://gitolite.com/gitolite/non-core.html#pushcode
# LOCAL_CODE => "$rc{GL_ADMIN_BASE}/local",
# ------------------------------------------------------------------
# List of commands and features to enable
ENABLE => [
# COMMANDS
# These are the commands enabled by default
'help',
'desc',
'info',
'perms',
'writable',
# Uncomment or add new commands here.
# 'create',
# 'fork',
# 'mirror',
# 'readme',
# 'sskm',
# 'D',
# These FEATURES are enabled by default.
# essential (unless you're using smart-http mode)
'ssh-authkeys',
# creates git-config enties from gitolite.conf file entries like 'config foo.bar = baz'
'git-config',
# creates git-daemon-export-ok files; if you don't use git-daemon, comment this out
# 'daemon',
# creates projects.list file; if you don't use gitweb, comment this out
# 'gitweb',
# These FEATURES are disabled by default; uncomment to enable. If you
# need to add new ones, ask on the mailing list :-)
# user-visible behaviour
# prevent wild repos auto-create on fetch/clone
# 'no-create-on-read',
# no auto-create at all (don't forget to enable the 'create' command!)
'no-auto-create',
# access a repo by another (possibly legacy) name
# 'Alias',
# give some users direct shell access. See documentation in
# sts.html for details on the following two choices.
# "Shell $ENV{HOME}/.gitolite.shell-users",
# 'Shell alice bob',
"Shell /etc/gitolite/admins",
# set default roles from lines like 'option default.roles-1 = ...', etc.
# 'set-default-roles',
# show more detailed messages on deny
# 'expand-deny-messages',
# show a message of the day
# 'Motd',
# system admin stuff
# enable mirroring (don't forget to set the HOSTNAME too!)
# 'Mirroring',
# allow people to submit pub files with more than one key in them
# 'ssh-authkeys-split',
# selective read control hack
# 'partial-copy',
# manage local, gitolite-controlled, copies of read-only upstream repos
# 'upstream',
# updates 'description' file instead of 'gitweb.description' config item
'cgit',
# allow repo-specific hooks to be added
'repo-specific-hooks',
# performance, logging, monitoring...
# be nice
# 'renice 10',
# log CPU times (user, system, cumulative user, cumulative system)
# 'CpuTime',
# syntactic_sugar for gitolite.conf and included files
# allow backslash-escaped continuation lines in gitolite.conf
# 'continuation-lines',
# create implicit user groups from directory names in keydir/
# 'keysubdirs-as-groups',
# allow simple line-oriented macros
# 'macros',
# Kindergarten mode
# disallow various things that sensible people shouldn't be doing anyway
# 'Kindergarten',
],
);
# ------------------------------------------------------------------------------
# per perl rules, this should be the last line in such a file:
1;
# Local variables:
# mode: perl
# End:
# vim: set syn=perl:

4
files/gitolite_admins Normal file
View file

@ -0,0 +1,4 @@
{% for username in admin_user_list.stdout.split('\n') %}
{{ username }}
{% endfor %}

72
files/lookaside-upload.conf Normal file
View file

@ -0,0 +1,72 @@
Alias /repo/ /srv/cache/lookaside/
# default SSL configuration...
Listen 443
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
Mutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# SSL host
<VirtualHost _default_:443>
# This alias must come before the /repo/ one to avoid being overridden.
ScriptAlias /repo/pkgs/upload.cgi /srv/web/upload.cgi
Alias /repo/ /srv/cache/lookaside/
ServerName pkgs.fedoraproject.org
ServerAdmin webmaster@fedoraproject.org
SSLEngine on
SSLCertificateFile conf/pkgs.fedoraproject.org_key_and_cert.pem
SSLCertificateKeyFile conf/pkgs.fedoraproject.org_key_and_cert.pem
SSLCACertificateFile conf/cacert.pem
SSLCARevocationFile /etc/pki/tls/crl.pem
SSLCipherSuite RSA:!EXPORT:!DH:!LOW:!NULL:+MEDIUM:+HIGH
# Must be 'optional' everywhere in order to have POST operations work to upload.cgi
SSLVerifyClient optional
# Must be here for POST operations to upload.cgi
SSLOptions +OptRenegotiate
ErrorLog logs/ssl_error_log
CustomLog logs/ssl_access_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%{SSL_CLIENT_S_DN_OU}x\" %{SSL_CLIENT_S_DN_CN}x %{SSL_CLIENT_S_DN_emailAddress}x \"%r\" %b"
<Directory /repo/pkgs/>
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
# require that the client auth cert was created by us and signed by us
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
</Directory>
<Location /repo/pkgs/upload.cgi>
SSLRequireSSL
Options +ExecCGI
Require all granted
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StrictRequire +StdEnvVars +OptRenegotiate
# require that the access comes from internal or that
# the client auth cert was created by us and signed by us
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
and %{SSL_CLIENT_S_DN_O} eq "Fedora Project" \
and %{SSL_CLIENT_S_DN_OU} eq "Fedora User Cert" \
and %{SSL_CLIENT_I_DN_O} eq "Fedora Project" \
and %{SSL_CLIENT_I_DN_OU} eq "Fedora Project CA" )
</Location>
</VirtualHost>

7
files/lookaside.conf Normal file
View file

@ -0,0 +1,7 @@
Alias /lookaside /srv/cache/lookaside
<Directory /srv/cache/lookaside>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>

14
files/make-cgit-pkgs-list.sh Normal file
View file

@ -0,0 +1,14 @@
#!/bin/sh
#
# This simple script lists out the current pkgs git repos to a file.
# This speeds up cgit as it doesn't have to recurse into all dirs
# Looking for git repos.
#
newfile=`mktemp`
cd /srv/git/rpms
ls > $newfile
mv -Z $newfile /srv/git/pkgs-git-repos-list
chown apache:apache /srv/git/pkgs-git-repos-list
chmod 644 /srv/git/pkgs-git-repos-list

159
files/mkbranch Normal file
View file

@ -0,0 +1,159 @@
#!/bin/bash
#
# Create a new development branch for a module.
# THIS HAS TO BE RUN ON THE GIT SERVER!
# WARNING:
# This file is maintained within puppet?
# All local changes will be lost.
# Figure out the environment we're running in
RUNDIR=$(cd $(dirname $0) && pwd)
GITROOT=/srv/git/rpms
# check if a moron is driving me
if [ ! -d $GITROOT ] ; then
# we're not on the git server (this check is fragile)
echo "ERROR: This script has to be run on the git server."
echo "ERROR: Homer sez 'Duh'."
exit -9
fi
# where are the packages kept
TOPLEVEL=rpms
# Local variables
VERBOSE=0
TEST=
IGNORE=
BRANCH=""
PACKAGES=""
SRC_BRANCH="master"
AUTHOR="Fedora Release Engineering <rel-eng@lists.fedoraproject.org>"
Usage() {
cat <<EOF
Usage:
$0 [ -s <src_branch>] <branch> <package_name>...
Creates a new branch <branch> for the list of <package_name>s.
The /master suffix on branch names is assumed.
Options:
/master suffix on other branches assumed
-n,--test Don't do nothing, only test
-i,--ignore Ignore erroneous modules
-h,--help This help message
-v,--verbose Increase verbosity
EOF
}
# parse the arguments
while [ -n "$1" ] ; do
case "$1" in
-h | --help )
Usage
exit 0
;;
-v | --verbose )
VERBOSE=$(($VERBOSE + 1))
;;
-i | --ignore )
IGNORE="yes"
;;
-n | --test )
TEST="yes"
;;
-b | --branch )
shift
BRANCH=$1/master
;;
* )
if [ -z "$BRANCH" ] ; then
BRANCH="$1"
else
PACKAGES="$PACKAGES $1"
fi
;;
esac
shift
done
# check the arguments
if [ -z "$BRANCH" -o -z "$PACKAGES" ] ; then
Usage
exit -1
fi
# Sanity checks before we start doing damage
NEWP=
for p in $PACKAGES ; do
[ $VERBOSE -gt 1 ] && echo "Checking package $p..."
if [ ! -d $GITROOT/$p.git ] ; then
echo "ERROR: Package module $p is invalid" >&2
[ "$IGNORE" = "yes" ] && continue || exit -1
fi
$(GIT_DIR=$GITROOT/$p.git git rev-parse -q --verify \
$BRANCH >/dev/null) && \
(echo "IGNORING: Package module $p already has a branch $BRANCH" >&2; \
[ "$IGNORE" = "yes" ] && continue || exit -1)
NEWP="$NEWP $p"
done
PACKAGES="$(echo $NEWP)"
if [ -z "$PACKAGES" ] ; then
echo "NOOP: no valid packages found to process"
exit -1
fi
if [ -n "$TEST" ] ; then
echo "Branch $BRANCH valid for $PACKAGES"
exit 0
fi
# "global" permissions check
if [ ! -w $GITROOT ] ; then
echo "ERROR: You can not write to $GITROOT"
echo "ERROR: You can not perform branching operations"
exit -1
fi
# Now start working on creating those branches
# For every module, "create" the branch
for NAME in $PACKAGES ; do
echo
echo "Creating new module branch '$BRANCH' for '$NAME'..."
# permissions checks for this particular module
if [ ! -w $GITROOT/$NAME.git/refs/heads/ ] ; then
echo "ERROR: You can not write to $d"
echo "ERROR: $NAME can not be branched by you"
continue
fi
#### Replace the above with a gitolite permission check
#[ $VERBOSE -gt 0 ] && echo "Creating $BRANCH-split tag for $NAME/$SRC_BRANCH..."
# Is the above needed?
#cvs -Q rtag -f "$BRANCH-split" $TOPLEVEL/$NAME/$SRC_BRANCH || {
#echo "ERROR: Branch split tag for $NAME/$SRC_BRANCH could not be created" >&2
#exit -2
#}
[ $VERBOSE -gt 0 ] && echo "Creating $NAME $BRANCH from $NAME ..."
$(pushd $GITROOT/$NAME.git >/dev/null && \
git branch --no-track $BRANCH `git rev-list --max-parents=0 master | head -1` && \
popd >/dev/null) || {
echo "ERROR: Branch $NAME $BRANCH could not be created" >&2
popd >/dev/null
exit -2
}
done
echo
echo "Done."

165
files/pkgdb2-clone Normal file
View file

@ -0,0 +1,165 @@
#!/usr/bin/env python
import re
import requests
import sys
import getpass
import pkgdb2client
import subprocess
#PAGE_URL = 'https://fedoraproject.org/w/api.php?format=json&action=query&rvprop=content&prop=revisions&titles=User:Codeblock/RequestsSANDBOX'
PAGE_URL = 'https://fedoraproject.org/w/api.php?format=json&action=query&rvprop=content&prop=revisions&titles=EPEL/epel7/Requests'
NEW_EPEL_VERSION = '7'
NEW_EPEL_SOURCE_BRANCH = 'f19'
RHEL_PKGS_PATH = '/var/lib/rhel/rhel' + NEW_EPEL_VERSION
# parse_page :: String -> IO (Map String String)
# This returns a dictionary of {"pkg_name": "branch"}
def parse_page(url):
r = requests.get(url).json()
text = r['query']['pages'][r['query']['pages'].keys()[0]]['revisions'][0]['*']
lines = text.split("\n")
pkgs = filter(lambda y: y.startswith('| '), lines)
__pkgs_list__ = map(lambda y: ''.join(y.split())[1:].split('||'), pkgs)
pkgs_list = filter(lambda y: y[0] != 'foo', __pkgs_list__)
pkgs_dict = dict(pkgs_list)
return pkgs_dict
# is_in_rhel :: String -> IO Bool
def is_in_rhel(pkg):
with open(RHEL_PKGS_PATH) as f:
pkgs = map(lambda x: x.strip(), f.readlines())
return (pkg in pkgs)
# These tuples will be used to substitute one pattern for another.
# Every transform will be run on every branch name so be sure the
# pattern cannot match if you don't want it to be triggered.
transforms = (
(re.compile(r'^devel$'), 'master'),
(re.compile(r'-'), ''),
(re.compile(r'^fc([0-9])'), r'f\1'),
(re.compile(r'^epel([456])$'), r'el\1'),
(re.compile(r'^el([789]|[1-9][0-9])'), r'epel\1'),
)
branch_replacements = {'devel': (re.compile(r'^devel$'), 'master'),}
# generate_collection_cache :: PkgDB -> IO [String]
def generate_collection_cache(pkgdb):
raw_collections = pkgdb.get_collections(clt_status=(
'Active',
'Under Development'))
collection_cache = frozenset(map(lambda y: y['branchname'],
raw_collections['collections']))
return collection_cache
# normalize_branch :: [String] -> String -> IO (Option String)
def normalize_branch(collection_cache, branch):
# I originally had this implemented as a foldRight (which it really is).
# But Python doesn't eliminate tail calls. It probably would have been fine
# because "transforms" above is only 5 elements, but instead I will deal
# with the local mutation and wish that I had a type system to reason with.
# -rbe
norm_branch = branch.lower()
for transform in transforms:
norm_branch = re.sub(transform[0], transform[1], norm_branch)
# Ugh, here we break purity. Where is the option type when you need it?
if not (norm_branch in collection_cache):
print('Unknown collection specified: {0}'.format(branch))
return None
return norm_branch
# process_package :: PkgDB -> String -> String -> IO Bool
def process_package(pkgdb, pkg, src, dest):
print "*** Processing package: " + pkg
data = pkgdb.get_package(pkg)
pkg_list = data['packages']
maybe_source = [branch for branch in pkg_list if branch['collection']['branchname'] == src]
maybe_dest = [branch for branch in pkg_list if branch['collection']['branchname'] == dest]
if len(maybe_source) == 0:
print "Source branch `" + src + "' not found. Please "\
"branch " + pkg + " manually."
return False
if len(maybe_dest) != 0:
print "Package `" + pkg + "' was already branched for `" + dest + "'."\
" Not overwriting branch."
return False
if 'acls' not in maybe_source[0].keys():
print "No 'acls' key given to us by pkgdb. Cloning ACLs from a "\
"branch that has no ACLs due to retirement/orphan?"
return False
acls = [
acl
for acl in maybe_source[0]['acls']
if acl['fas_name'] != 'group::provenpackager'
]
for acl in acls:
pkgdb.update_acl(pkg, dest, acl['acl'], acl['status'], acl['fas_name'])
pkgdb.update_package_poc(pkg, dest, maybe_source[0]['point_of_contact'])
return True
# main :: [String] -> IO Unit
def main(args):
new_epel_requests = "epel" + NEW_EPEL_VERSION + "-requests"
if len(args) < 1 or (len(args) < 3 and args[0] != new_epel_requests) or\
len(args) > 3 or (len(args) > 1 and args[0] == new_epel_requests):
print "Usage: pkgdb2-clone " + new_epel_requests
print " - OR -"
print " pkgdb2-clone <source branch> <dest branch> <pkgs ...>"
sys.exit(1)
pkgdb = pkgdb2client.PkgDB()
username = raw_input('Username: ')
password = getpass.getpass()
pkgdb.login(username, password, True)
collection_cache = generate_collection_cache(pkgdb)
if args[0] == new_epel_requests:
pkgs = parse_page(PAGE_URL)
for key in pkgs:
if is_in_rhel(key):
continue
src_branchname = normalize_branch(collection_cache, pkgs[key])
dest_branchname = normalize_branch(collection_cache,
'epel' + NEW_EPEL_VERSION)
if not src_branchname or not dest_branchname:
print "[" + key + "] Invalid source or destination branch "\
"name, " + src_branchname + " -> " + dest_branchname
else:
if process_package(pkgdb, key, src_branchname, dest_branchname):
subprocess.call(["mkbranch",
"-s",
NEW_EPEL_SOURCE_BRANCH,
"epel" + NEW_EPEL_VERSION,
key])
print "[" + key + "] \033[1m\033[32mSUCCESS\033[0m"
else:
print "[" + key + "] \033[1m\033[31mERROR\033[0m"
print "Done."
else:
src_branchname = normalize_branch(collection_cache, args[0])
dest_branchname = normalize_branch(collection_cache, args[1])
if not src_branchname or not dest_branchname:
print "[" + key + "] Invalid source or destination branch "\
"name, " + src_branchname + " -> " + dest_branchname
for pkg in args[2:]:
if process_package(pkgdb, key, src_branchname, dest_branchname):
print "[" + key + "] \033[1m\033[32mSUCCESS\033[0m"
else:
print "[" + key + "] \033[1m\033[31mERROR\033[0m"
if __name__ == '__main__':
main(sys.argv[1:])

278
files/pkgdb_sync_git_branches.py Normal file
View file

@ -0,0 +1,278 @@
#!/usr/bin/python -tt
# -*- coding: utf-8 -*-
"""
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
This script is able to query pkgdb and retrieve for all packages which active
branches should be there, browse all the git repos and find out which active
branches are missing.
It even goes one step further but actually adjusting the git repo by adding
the missing branches (or even the missing repo)
"""
import multiprocessing.pool
import os
import subprocess
import time
import requests
import fedmsg
# Do some off-the-bat configuration of fedmsg.
# 1) since this is a one-off script and not a daemon, it needs to connect
# to the fedmsg-relay process running on another node (or noone will
# hear it)
# 2) its going to use the 'shell' certificate which only 'sysadmin' has
# read access to. Contrast that with the 'scm' certificate which
# everyone in the 'packager' group has access to.
config = fedmsg.config.load_config([], None)
config['active'] = True
config['endpoints']['relay_inbound'] = config['relay_inbound']
fedmsg.init(name='relay_inbound', cert_prefix='shell', **config)
{% if env == 'staging' %}
PKGDB_URL = 'https://admin.stg.fedoraproject.org/pkgdb'
{% else %}
PKGDB_URL = 'https://admin.fedoraproject.org/pkgdb'
{% endif %}
GIT_FOLDER = '/srv/git/rpms/'
MKBRANCH = '/usr/local/bin/mkbranch'
SETUP_PACKAGE = '/usr/local/bin/setup_git_package'
THREADS = 20
VERBOSE = False
class InternalError(Exception):
pass
class ProcessError(InternalError):
pass
def _invoke(program, args, cwd=None):
'''Run a command and raise an exception if an error occurred.
:arg program: The program to invoke
:args: List of arguments to pass to the program
raises ProcessError if there's a problem.
'''
cmdLine = [program]
cmdLine.extend(args)
if VERBOSE:
print ' '.join(cmdLine)
print ' in', cwd
program = subprocess.Popen(
cmdLine, stdout=subprocess.PIPE, stderr=subprocess.STDOUT, cwd=cwd)
stdout, stderr = program.communicate()
if program.returncode != 0:
e = ProcessError()
e.returnCode = program.returncode
e.cmd = ' '.join(cmdLine)
e.cwd = cwd
e.message = 'Error, "%s" (in %r) returned %s\n stdout: %s\n stderr: %s' % (
e.cmd, e.cwd, e.returnCode, stdout, stderr)
print e.message
raise e
return stdout.strip()
def _create_branch(pkgname, branch, existing_branches):
'''Create a specific branch for a package.
:arg pkgname: Name of the package to branch
:arg branch: Name of the branch to create
:arg existing_branches: A list of the branches that already exist locally.
'''
branch = branch.replace('*', '').strip()
if branch == 'master':
print 'ERROR: Proudly refusing to create master branch. Invalid repo?'
print 'INFO: Please check %s repo' % pkgname
return
if branch in existing_branches:
print 'ERROR: Refusing to create a branch %s that exists' % branch
return
try:
_invoke(MKBRANCH, [branch, pkgname])
fedmsg.publish(
topic='branch',
modname='git',
msg=dict(
agent='pkgdb',
name=pkgname,
branch=branch,
),
)
except ProcessError, e:
if e.returnCode == 255:
# This is a warning, not an error
return
raise
def pkgdb_pkg_branch():
""" Queries pkgdb information about VCS and return a dictionnary of
which branches are available for which packages.
:return: a dict[pkg_name] = [pkg_branches]
:rtype: dict
"""
url = '%s/api/vcs' % PKGDB_URL
req = requests.get(url, params={'format': 'json'})
data = req.json()
output = {}
for pkg in data['packageAcls']:
if pkg in output:
if VERBOSE:
print 'Strange package: %s, it is present twice in the ' \
'pkgdb output' % pkg
output[pkg].updated(data['packageAcls'][pkg].keys())
else:
output[pkg] = set(data['packageAcls'][pkg].keys())
return output
def get_git_branch(pkg):
""" For the specified package name, check the local git and return the
list of branches found.
"""
git_folder = os.path.join(GIT_FOLDER, '%s.git' % pkg)
if not os.path.exists(git_folder):
if VERBOSE:
print 'Could not find %s' % git_folder
return set()
branches = [
lclbranch.replace('*', '').strip()
for lclbranch in _invoke('git', ['branch'], cwd=git_folder).split('\n')
]
return set(branches)
def branch_package(pkgname, requested_branches, existing_branches):
'''Create all the branches that are listed in the pkgdb for a package.
:arg pkgname: The package to create branches for
:arg requested_branches: The branches to creates
:arg existing_branches: A list of existing local branches
'''
if VERBOSE:
print 'Fixing package %s for branches %s' % (pkgname, requested_branches)
# Create the devel branch if necessary
exists = os.path.exists(os.path.join(GIT_FOLDER, '%s.git' % pkgname))
if not exists or 'master' not in existing_branches:
_invoke(SETUP_PACKAGE, [pkgname])
if 'master' in requested_branches:
requested_branches.remove('master') # SETUP_PACKAGE creates master
fedmsg.publish(
topic='branch',
modname='git',
msg=dict(
agent='pkgdb',
name=pkgname,
branch='master',
),
)
# Create all the required branches for the package
# Use the translated branch name until pkgdb falls inline
for branch in requested_branches:
_create_branch(pkgname, branch, existing_branches)
def main():
""" For each package found via pkgdb, check the local git for its
branches and fix inconsistencies.
"""
local_pkgs = set(os.listdir(GIT_FOLDER))
local_pkgs = set([it.replace('.git', '') for it in local_pkgs])
if VERBOSE:
print "Found %i local packages" % len(local_pkgs)
pkgdb_info = pkgdb_pkg_branch()
pkgdb_pkgs = set(pkgdb_info.keys())
if VERBOSE:
print "Found %i pkgdb packages" % len(pkgdb_pkgs)
## Commented out as we keep the git of retired packages while they won't
## show up in the information retrieved from pkgdb.
#if (local_pkgs - pkgdb_pkgs):
#print 'Some packages are present locally but not on pkgdb:'
#print ', '.join(sorted(local_pkgs - pkgdb_pkgs))
if (pkgdb_pkgs - local_pkgs):
print 'Some packages are present in pkgdb but not locally:'
print ', '.join(sorted(pkgdb_pkgs - local_pkgs))
if VERBOSE:
print "Finding the lists of local branches for local repos."
start = time.time()
if THREADS == 1:
git_branch_lookup = map(get_git_branch, sorted(pkgdb_info))
else:
threadpool = multiprocessing.pool.ThreadPool(processes=THREADS)
git_branch_lookup = threadpool.map(get_git_branch, sorted(pkgdb_info))
# Zip that list of results up into a lookup dict.
git_branch_lookup = dict(zip(sorted(pkgdb_info), git_branch_lookup))
if VERBOSE:
print "Found all local git branches in %0.2fs" % (time.time() - start)
tofix = set()
for pkg in sorted(pkgdb_info):
pkgdb_branches = pkgdb_info[pkg]
git_branches = git_branch_lookup[pkg]
diff = (pkgdb_branches - git_branches)
if diff:
print '%s missing: %s' % (pkg, ','.join(sorted(diff)))
tofix.add(pkg)
branch_package(pkg, diff, git_branches)
if tofix:
print 'Packages fixed (%s): %s' % (
len(tofix), ', '.join(sorted(tofix)))
else:
if VERBOSE:
print 'Didn\'t find any packages to fix.'
if __name__ == '__main__':
import sys
sys.exit(main())

1
files/pkgs.fedoraproject.org.conf Normal file
View file

@ -0,0 +1 @@
include "conf.d/pkgs.fedoraproject.org/*.conf"

154
files/redirect.conf Normal file
View file

@ -0,0 +1,154 @@
RedirectMatch permanent ^/$ http://pkgs.fedoraproject.org/cgit/
RewriteEngine on
# Use cgit and redirect (some) old gitweb-caching things
RewriteRule ^/cgit-data/(.*)$ /cgit-data/$1 [L,PT]
RewriteRule ^/cgit/(.*)$ /cgit/$1 [L,PT]
# blob
RewriteCond %{REQUEST_URI} /(.+)(\.git)/blob/(.+)/(.+):/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=blob;h=(.+);hb=(.+);f=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/tree/%5?id=%3;id2=%4 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/blob/(.+):/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=blob;hb=(.+);f=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/tree/%4?id=%3 [R,L,NE]
RewriteCond %{query_string} p=(.+)(\.git);a=blob;f=(.+);h=(.+);hb=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/tree/%3?id=%4;id2=%5 [R,L,NE]
RewriteCond %{query_string} p=(.+)(\.git);a=blob;f=(.+);h=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/tree/%3?id=%4 [R,L,NE]
# tree
RewriteCond %{REQUEST_URI} /(.+)(\.git)/tree/(.+)/(.+):/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=tree;h=(.+);hb=(.+);f=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/tree/%5?id=%4 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/tree/(.+):/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=tree;hb=(.+);f=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/tree/%4?id=%3 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/tree/(.+)/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=tree;h=(.+);hb=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/tree/?id=%4 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/tree/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=tree;hb=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/tree/?id=%3 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/tree [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=tree
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/tree/? [R,L,NE]
# commitdiff
RewriteCond %{REQUEST_URI} /(.+)(\.git)/commitdiff/(.+)/(.+):/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=blobdiff;h=(.+);hp=(.+);hb=(.+);f=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/diff/%6?id2=%4;id=%3;id3=%5 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/commitdiff/(.+)/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=commitdiff;h=(.+);hp=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/diff/?id=%4;id2=%3 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/commitdiff/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=commitdiff;h=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/diff/?id=%3 [R,L,NE]
# commit
RewriteCond %{REQUEST_URI} /(.+)(\.git)/commit/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=commit;h=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/commit/?id=%3 [R,L,NE]
# summary
RewriteCond %{REQUEST_URI} /(.+)(\.git)/summary [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=summary
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/? [R,L,NE]
# shortlog
RewriteCond %{REQUEST_URI} /(.+)(\.git)/shortlog/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=shortlog;h=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log/?id=%3 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/shortlog [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=shortlog
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log/? [R,L,NE]
# log
RewriteCond %{REQUEST_URI} /(.+)(\.git)/log/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=log;h=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log/?id=%3 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/log [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=log
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log? [R,L,NE]
# history
RewriteCond %{REQUEST_URI} /(.+)(\.git)/history/(.+)/(.+):/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=history;h=(.+);hb=(.+);f=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log/%5?id=%4 [R,L,NE]
RewriteCond %{query_string} p=(.+)(\.git);a=history;f=(.+);h=(.+);hb=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log/%3?id=%4;id2=%5 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/history/(.+):/(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log/%4?id=%3 [R,L,NE]
RewriteCond %{query_string} p=(.+)(\.git);a=history;f=(.+);h=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log/%3?id=%4 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/history/(.+)/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=history;h=(.+);hb=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log/?id=%4 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/history/(.+):/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=history;hb=(.+);f=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log/%4?id=%3 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/history/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=history;hb=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/log/?id=%3 [R,L,NE]
# tag
RewriteCond %{REQUEST_URI} /(.+)(\.git)/tag/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=tag;h=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/tag/?id=%3 [R,L,NE]
# blob_plain
RewriteCond %{REQUEST_URI} /(.+)(\.git)/blob_plain/(.+):/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=blob_plain;h=(.+);f=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/plain/%4?id=%3 [R,L,NE]
RewriteCond %{query_string} p=(.+)(\.git);a=blob_plain;f=(.+);hb=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/plain/%3?id2=%4 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/blob_plain/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=blob_plain;f=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/plain/%3 [R,L,NE]
# rss|atom
RewriteCond %{REQUEST_URI} /(.+)(\.git)/(rss|atom)/refs/heads/(.+) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=(rss|atom);h=refsheads/(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/atom?h=%4 [R,L,NE]
RewriteCond %{REQUEST_URI} /(.+)(\.git)/(rss|atom) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=(rss|atom)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/atom? [R,L,NE]
# snapshot
RewriteCond %{REQUEST_URI} /(.+)(\.git)/snapshot/(.+)(\.tar\.gz|\.tar\.bz2) [OR]
RewriteCond %{query_string} p=(.+)(\.git);a=snapshot;h=(.+);sf=(.+)
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/snapshot/%3.tar.gz [R,L,NE]
# base old gitweb project
RewriteCond %{REQUEST_URI} /gitweb/(.+)\.git.* [OR]
RewriteCond %{query_string} p=(.+)\.git.*
RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/? [R,L,NE]
# Fail safes incase nothing above matches, try at least to put the person in the project
#RewriteCond %{REQUEST_URI} /(.+)\.git.* [OR]
#RewriteCond %{query_string} p=(.+)\.git.*
#RewriteRule ^/.*$ http://pkgs.fedoraproject.org/cgit/%1.git/? [R,L,NE]
# Or else in the root of cgit
#RewriteRule ^.* http://pkgs.fedoraproject.org/cgit/ [R,L,NE]

128
files/setup_git_package Normal file
View file

@ -0,0 +1,128 @@
#!/bin/bash
#
# Create a new repo.
# THIS HAS TO BE RUN ON THE GIT SERVER!
# WARNING:
# This file is maintained within ansible
# All local changes will be lost.
# Figure out the environment we're running in
GITROOT=/srv/git/rpms
# check if a moron is driving me
if [ ! -d $GITROOT ] ; then
# we're not on the git server (this check is fragile)
echo "ERROR: This script has to be run on the git server."
echo "ERROR: Homer sez 'Duh'."
exit -9
fi
# Local variables
VERBOSE=0
TEST=
IGNORE=
AUTHOR="Fedora Release Engineering <rel-eng@lists.fedoraproject.org>"
GIT_SSH_URL="ssh://localhost"
Usage() {
cat <<EOF
Usage:
$0 <package_name>
Creates a new repo for <package_name>
Options:
-h,--help This help message
EOF
}
if [ $# -gt 2 ]; then
Usage
exit -1
fi
# parse the arguments
while [ -n "$1" ] ; do
case "$1" in
-h | --help )
Usage
exit 0
;;
* )
PACKAGE="$1"
;;
esac
shift
done
# I hate shell scripting. I'm sure the above is totally wrong
# check the arguments
if [ -z "$PACKAGE" ] ; then
Usage
exit -1
fi
# Sanity checks before we start doing damage
[ $VERBOSE -gt 1 ] && echo "Checking package $PACKAGE..."
if [ -f $GITROOT/$PACKAGE.git/refs/heads/master ] ; then
echo "ERROR: Package module $PACKAGE already exists!" >&2
exit -1
fi
# A cleanup in case gitolite came by this repo
if [ -f $GITROOT/$PACKAGE.git/hooks/update ] ; then
echo "Gitolite already initialized this repo. Will remove its hooks"
rm -f $GITROOT/$PACKAGE.git/hooks/update
fi
# "global" permissions check
if [ ! -w $GITROOT ] ; then
echo "ERROR: You can not write to $GITROOT"
echo "ERROR: You can not create repos"
exit -1
fi
# Now start working on creating those branches
# Create a tmpdir to do some git work in
TMPDIR=$(mktemp -d /tmp/tmpXXXXXX)
# First create the master repo
mkdir -p $GITROOT/$PACKAGE.git
pushd $GITROOT/$PACKAGE.git >/dev/null
git init -q --shared --bare
echo "$PACKAGE" > description # This is used to figure out who to send mail to.
git config --add hooks.mailinglist "$PACKAGE-owner@fedoraproject.org,scm-commits@lists.fedoraproject.org"
git config --add hooks.maildomain fedoraproject.org
popd >/dev/null
# Now clone that repo and create the .gitignore and sources file
git init -q $TMPDIR/$PACKAGE
pushd $TMPDIR/$PACKAGE >/dev/null
touch .gitignore sources
git add .
git commit -q -m 'Initial setup of the repo' --author "$AUTHOR"
git remote add origin $GITROOT/$PACKAGE.git
git push -q origin master
popd >/dev/null
# Place the gitolite update hook in place since we're not using our own
ln -s /etc/gitolite/hooks/common/update $GITROOT/$PACKAGE.git/hooks/update
# Setup our post-receive hooks
mkdir -p $GITROOT/$PACKAGE.git/hooks/post-receive-chained.d
ln -s /usr/share/git-core/mail-hooks/gnome-post-receive-email \
$GITROOT/$PACKAGE.git/hooks/post-receive-chained.d/post-receive-email
ln -s /usr/share/git-core/post-receive-fedmsg \
$GITROOT/$PACKAGE.git/hooks/post-receive-chained.d/post-receive-fedmsg
# This one kicks off all the others in post-receive-chained.d
ln -s /usr/share/git-core/post-receive-chained \
$GITROOT/$PACKAGE.git/hooks/post-receive
rm -rf $TMPDIR
echo "Done."

16
files/ssl.conf Normal file
View file

@ -0,0 +1,16 @@
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.0/mod/mod_ssl.html>
#
# For the moment, see <URL:http://www.modssl.org/docs/> for this info.
# The documents are still being prepared from material donated by the
# modssl project.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
LoadModule ssl_module modules/mod_ssl.so

21
files/updatecrl.sh Normal file
View file

@ -0,0 +1,21 @@
#!/bin/bash
URL=https://admin.fedoraproject.org/ca/crl.pem
OLD=/etc/pki/tls/crl.pem
NEW=/tmp/crl.pem
if [ -f $OLD ]; then
wget -q $URL -O $NEW
OLDUPDATE=`openssl crl -in $OLD -noout -lastupdate`
NEWUPDATE=`openssl crl -in $NEW -noout -lastupdate`
if [ "$OLDUPDATE" != "$NEWUPDATE" ]; then
mv $NEW $OLD
/usr/sbin/restorecon $OLD
/usr/bin/systemctl reload httpd
fi
else
wget -q $URL -O $OLD
/usr/sbin/restorecon $OLD
/usr/bin/systemctl is-active httpd && /usr/bin/systemctl reload httpd
fi

BIN
files/upload_cgi.pp Normal file
View file

Binary file not shown.

25
files/upload_cgi.te Normal file
View file

@ -0,0 +1,25 @@
policy_module(upload_cgi,1.0.0)
gen_require(` type httpd_git_script_t ; ')
type upload_cgi_tmp_t;
files_tmp_file(upload_cgi_tmp_t);
allow httpd_git_script_t upload_cgi_tmp_t:file manage_file_perms;
files_tmp_filetrans(httpd_git_script_t, upload_cgi_tmp_t, file);
# Do not audit attempts to read the process state (/proc/pid) of all domains.
domain_read_all_domains_state(httpd_git_script_t);
# List the contents of the sysfs directories.
dev_list_sysfs(httpd_git_script_t);
# Allow sending logs to syslog
logging_send_syslog_msg(httpd_git_script_t);
# Get the attributes of all pty device nodes.
term_getattr_all_ptys(httpd_git_script_t);
# Get the attributes of all tty device nodes.
term_getattr_all_ttys(httpd_git_script_t);
# Do not audit attempts to get the attributes of generic pty devices.
term_dontaudit_getattr_generic_ptys(httpd_git_script_t);