Sysadmin report on the modernization of our infrastructure

Jan Kundr√°t jkt at kde.org
Thu Jan 22 02:03:49 GMT 2015


On Wednesday, 21 January 2015 23:57:07 CEST, Ben Cooksley wrote:
> Using either 
> http://www.guywarner.com/2014/06/part-2-integrating-phabricator-and.html
> or http://www.dctrwatson.com/2013/01/jenkins-and-phabricator/ or a
> variation thereof.

That is quite some custom code that one has to maintain, though.

> Commit emails could either be sent by our existing hooks, or we could
> migrate to Herald and customise it's template to fit what we need if
> necessary.
> People would filter them / subscribe to them through Herald.

How would they subcribe via Herald if it was done via the existing hooks?

> Doesn't seem too high, although I don't see how that would be made web
> accessible - which might be the hard and costly part maintenance wise.
> (You have to deal with security issues too as you are in a separate
> web application, so you need to authenticate the developer first).

Well, Apache's mod_authnz_ldap and a "Require group developers" stanza 
makes this really easy. Just look up $user from an appropriate env var 
provided by the web server. Where is the problem?

> Our existing solution is triggered on change events in LDAP and causes
> all SSH keys to be re-read and a new ~/.ssh/authorized_keys file to be
> written out. You can't rely on OpenLDAP stating the addition/removals
> properly when using the syncrepl interface, at least in my experience.
> In this way we avoid dependence on the Identity web application.

A quick & dirty approach:

  `ssh bot at gerrit set-account $user --remove-ssh-keys ALL`
  `ssh bot at gerrit set-account $user --add-ssh-key - < authorized_keys`

A better and race-free code would have to invoke `comm` in addition to 
that, and only add/remove keys which has to be removed or added. That's 
left as an excercise for the reader, it's easy enough. Or, to avoid relying 
on a local state altogether, just issue a REST call for SSH key retrieval 
and base a decision on that. It's gonna be like 10 lines of custom code.

Cheers,
Jan

-- 
Trojit√°, a fast Qt IMAP e-mail client -- http://trojita.flaska.net/




More information about the kde-core-devel mailing list