From 3ed923f503f7cd16289779f31005f8a60e9b276e Mon Sep 17 00:00:00 2001 From: Sitaram Chamarty Date: Sun, 25 Mar 2012 09:15:39 +0530 Subject: [PATCH] new check-g2-compat, lots of migration related changes - rc differences moved to their own file - main g2migr now helps interpret output of check-g2-compat - Gitolite::Compat gone; no point... --- check-g2-compat | 87 ++++++++++++++++++++++++++++ doc/g2dropped.mkd | 2 + doc/g2incompat.mkd | 12 +++- doc/g2migr.mkd | 141 ++++++++++++++++++++------------------------- doc/g2rcdiff.mkd | 120 ++++++++++++++++++++++++++++++++++++++ doc/list | 1 + src/Gitolite/Rc.pm | 8 ++- 7 files changed, 287 insertions(+), 84 deletions(-) create mode 100755 check-g2-compat create mode 100644 doc/g2rcdiff.mkd diff --git a/check-g2-compat b/check-g2-compat new file mode 100755 index 0000000..48472c1 --- /dev/null +++ b/check-g2-compat 
@@ -0,0 +1,87 @@
+#!/usr/bin/perl
+
+use Cwd;
+
+my $h = $ENV{HOME};
+my $rc = "$h/.gitolite.rc";
+my %count;
+
+intro();
+
+msg( FATAL => "no rc file found; do you even *have* g2 running?" ) if not -f $rc;
+do $rc;
+unless ( $return = do $rc ) {
+ msg( FATAL => "couldn't parse $rc: $@" ) if $@;
+ msg( FATAL => "couldn't do $rc: $!" ) unless defined $return;
+ msg( WARNING => "couldn't run $rc" ) unless $return;
+}
+
+print "checking rc file...\n";
+rc_basic();
+rest_of_rc();
+print "\n";
+
+print "checking conf file(s)...\n";
+conf();
+print "\n";
+
+print "checking repos...\n";
+repo();
+print "\n";
+
+# ----------------------------------------------------------------------
+
+sub intro {
+ msg( INFO => "This program only checks for uses that make the new g3 completely unusable" );
+ msg( '' => "or that might end up giving *more* access to someone if migrated as-is." );
+ msg( '' => "It does NOT attempt to catch all the differences described in the docs." );
+ msg( '', '' );
+ msg( INFO => "'see docs' usually means doc/g2migr.mkd");
+ msg( '', => "(online at http://sitaramc.github.com/gitolite/g3/g2migr.html)" );
+ msg( '', '' );
+}
+
+sub rc_basic {
+ msg( FATAL => "GL_ADMINDIR in the wrong place -- aborting; see docs" ) if $GL_ADMINDIR ne "$h/.gitolite";
+ msg( NOTE => "GL_ADMINDIR is in the right place; assuming you did not mess with" );
+ msg( '', "GL_CONF, GL_LOGT, GL_KEYDIR, and GL_CONF_COMPILED" );
+ msg( FATAL => "REPO_BASE in the wrong place -- aborting; see docs" ) if $REPO_BASE ne "$h/repositories" and $REPO_BASE ne "repositories";
+# ( abs or rel both ok)
+}
+
+sub rest_of_rc {
+ msg( SEVERE => "GIT_PATH found; see docs" ) if $GIT_PATH;
+ msg( SEVERE => "GL_ALL_INCLUDES_SPECIAL found; see docs" ) if $GL_ALL_INCLUDES_SPECIAL;
+ msg( SEVERE => "GL_GET_MEMBERSHIPS_PGM not yet implemented" ) if $GL_GET_MEMBERSHIPS_PGM;
+ msg( SEVERE => "GL_NO_CREATE_REPOS not yet implemented" ) if $GL_NO_CREATE_REPOS;
+ msg( SEVERE => 'htpasswd, rsync, and svnserve not 
yet implemented' ) if $HTPASSWD_FILE or $RSYNC_BASE or $SVNSERVE;
+ msg( WARNING => "ADMIN_POST_UPDATE_CHAINS_TO found; see docs" ) if $ADMIN_POST_UPDATE_CHAINS_TO;
+ msg( WARNING => "GL_NO_DAEMON_NO_GITWEB found; see docs" ) if $GL_NO_DAEMON_NO_GITWEB;
+ msg( WARNING => "GL_NO_SETUP_AUTHKEYS found; see docs" ) if $GL_NO_SETUP_AUTHKEYS;
+ msg( WARNING => "UPDATE_CHAINS_TO found; see docs" ) if $UPDATE_CHAINS_TO;
+ msg( WARNING => "GL_ADC_PATH found; many ADCs not yet implemented") if $GL_ADC_PATH;
+ msg( WARNING => "non-default GL_WILDREPOS_PERM_CATS found" ) if $GL_WILDREPOS_PERM_CATS ne 'READERS WRITERS';
+}
+
+sub conf {
+ chdir($h);
+ chdir($GL_ADMINDIR);
+
+ my $conf = `find . -name "*.conf" | xargs cat`;
+ msg( "SEVERE", "fallthru in NAME rules; see docs" ) if $conf =~ m(NAME/);
+ msg( "SEVERE", "subconf command in admin repo; see docs" ) if $conf =~ m(NAME/conf/fragments);
+}
+
+sub repo {
+ chdir($h);
+ chdir($REPO_BASE);
+ my @creater = `find . -name gl-creater`;
+ if (@creater) {
+ msg( WARNING => "found " . scalar(@creater) . " gl-creater files; see docs" );
+ }
+
+ my @perms = `find . -name gl-perms | xargs egrep -l -w R\\|RW`;
+ if (@perms) {
+ msg( WARNING => "found " . scalar(@perms) . " gl-perms files with R or RW; see docs" );
+ }
+}
diff --git a/doc/g2dropped.mkd b/doc/g2dropped.mkd index ab5f63c..429cdce 100644 --- a/doc/g2dropped.mkd +++ b/doc/g2dropped.mkd @@ -1,2 +1,4 @@ ## #g2dropped g2 features dropped +(none yet that are not already covered in the rc section in [this][g2migr] +page). diff --git a/doc/g2incompat.mkd b/doc/g2incompat.mkd index c425ec2..2ae1750 100644 --- a/doc/g2incompat.mkd +++ b/doc/g2incompat.mkd @@ -1,4 +1,6 @@ -## #g2incompat compatibility with g2 +## #g2incompat incompatibility with g2 + +(other than in the rc file, which is dealt with [elsewhere][g2rcdiff]) The following incompatibilities exist, in vaguely decreasing order of severity. **The ones in the first section are IMPORTANT because they allow 
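Review bot: `msg` is called throughout the new check-g2-compat script but is not defined anywhere in its 87 added lines, and `use Cwd` does not provide it, so unless the g2 rc file happens to define one, the first call inside `intro()` dies with an undefined-subroutine error before any check runs. The otherwise unused `my %count;` suggests a per-severity counter was intended; a minimal definition is sketched below, exiting on FATAL because those messages say "aborting". Separately, the `chdir` calls in `conf()` and `repo()` are unchecked, so if `chdir($GL_ADMINDIR)` fails the `find` runs from the wrong directory and the "fallthru in NAME rules" warning (the one about extra access) can be silently missed; `chdir($GL_ADMINDIR) or msg( FATAL => "cannot chdir to $GL_ADMINDIR: $!" );` and the same for `$REPO_BASE` would close that gap. The bare `do $rc;` just before `unless ( $return = do $rc )` also executes the rc file a second time and can be dropped.

```perl
# … unchanged: top-level checks and the intro/rc_basic/rest_of_rc/conf/repo subs …

# print one report line, tally it by severity, and stop on FATAL
sub msg {
    my ( $level, $text ) = @_;
    $count{$level}++ if $level;
    printf "%-8s %s\n", $level, $text;
    exit 1 if $level eq 'FATAL';
}
```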
@@ -8,8 +10,8 @@ the new gitolite!** ### fallthru in NAME rules Fallthru on all VREFs is "success" now, so any NAME/ rules you have **MUST** -change the ruleset in some way. The simplest is to add the following line to -the end of each repo's rule list: +change the ruleset in some way to maintain the same restrictions. The +simplest is to add the following line to the end of each repo's rule list: - NAME/ = @all @@ -33,3 +35,7 @@ line. As the [vref documentation][vref] says: > **Virtual refs are best used as additional "deny" rules**, performing > extra checks that core gitolite cannot. + +The second part explicitly says when and where to include the subconf files. +(Before subconf was invented, this used to happen implicitly at the end of the +main conf file, and was hardcoded to that specific glob.) diff --git a/doc/g2migr.mkd b/doc/g2migr.mkd index 21cc4b2..81ce6c9 100644 --- a/doc/g2migr.mkd +++ b/doc/g2migr.mkd 
@@ -10,113 +10,98 @@ move to g3.** First things first: g2 will be supported for a good long time. My current *expert* users do not cause me any load anyway. -Migration should be straightforward, but it is not automatic. When you first -run "gitolite setup [...]", gitolite3 will try to detect at least the big -problems. However, converting the RC file and the conf files is (as of now) -still a manual exercise, though not very difficult. +Migration should be straightforward, but it is not automatic. You should run +the "check-g2-compat" program first, to see any *major* differences that +affect you. The bulk of the changes are in the RC file, which must be +manually handled (links below). The conf files have very few changes -- they +apply only if you use "NAME/" or delegation. You must first read about [incompatible][g2incompat] features and [dropped][g2dropped] features. Some features have been replaced with [alternatives][g2alt]. -Since the majority of changes are in the rc file, we list them all here. +Since the majority of changes are in the rc file, they're all listed +[here][g2rcdiff]. -### rc file differences +The rest of this page describes the completely standalone "check-g2-compat" +script that you can find in the repo root (i.e., not in "src/"). -**DROPPED** variables (possible high impact): these could be show-stoppers for -migration, at least for now. +### the "check-g2-compat" program - * `BIG_INFO_CAP` -- if you think you must have this, try it without and see - if there's a difference. If you *know* you need this, convince me. +This program checks a few things only, not everything. In particular, it +looks for settings and status that might: - * `GL_ALL_READ_ALL` -- same + * make g3 unusable for lots of users + * make g3 give *more* access than g2 under some conditions. - * `GL_NO_CREATE_REPOS` -- if you think you need this, email me. I know one - group who does need this so I will be putting it in eventually but not - right away. 
+It does NOT look for or warn about anything else; you're expected to read (and +act upon, if needed) the rest of the migration guide links given a few paras +above to cover everything else. - * `HTPASSWD_FILE`, `RSYNC_BASE`, `SVNSERVE` -- need work. Email me if you - are using any of these. +Here's an explanation of those messages that the check-g2-compat program may +put that contain the words "see docs": - * `GL_GET_MEMBERSHIPS_PGM` -- is on my todo list + * `GL_ADMINDIR in the wrong place -- aborting` - * `GL_LOGT` -- is now fixed; you can't change it. Email me if this is a - problem. + It expects to find `GL_ADMINDIR` and `REPO_BASE` pointing to the right + places. It aborts if these conditions are not met and does not scan + further since that sort of guesswork is not good. If you are in that + position, make a symlink from the real location to the expected location, + change the RC accordingly, and re-try. -**DROPPED** variables (medium impact): these have alternative implementations -or mechanisms, but you have to do some setup work. + * `REPO_BASE in the wrong place -- aborting` - * `GL_ADMINDIR` -- this is now at a fixed location: `~/.gitolite`. If you - want it somewhere else go ahead and move it, then place a symlink from the - assumed location to the real one. + same as above - * `REPO_BASE` -- this is now at a fixed location: `~/repositories`. If you - want it somewhere else go ahead and move it, then place a symlink from the - assumed location to the real one. + * `fallthru in NAME rules` - * `PROJECTS_LIST` -- it's called `GITWEB_PROJECTS_LIST` now, but more - importantly, it is only used by update-gitweb-access-list in - src/commands/post-compile. This variable now has nothing to do with - gitolite core, and the rc is just helping to store settings for external - programs like that one. + **This is a significant difference and affects access badly (gives access + that would otherwise not be given)**. 
Please see the [list of non-RC + incompatibilities][g2incompat]. - `WEB_INTERFACE` and `GITWEB_URI_ESCAPE` are also gone; patches to the - update program to directly do those things are welcome. + * `subconf command in admin repo` - * `GL_NO_DAEMON_NO_GITWEB` -- uncomment the appropriate lines in the rc - file, in both the `POST_COMPILE` and `POST_CREATE` trigger sections. + This is not so bad security wise but it might *reduce* access by not + processing files you intended to. Again, see the same link as in the + previous bullet. - * `NICE_VALUE` -- use the `PRE_GIT` trigger to attach a program that renices - the pid given by $GL_TID (that's the pid of the initial gitolite entry - point, usually gitolite-shell, and propagates from there once set). + * `found N gl-creater files` - You may have to add this list to the rc file; if you don't know perl use - one of the others as a model or ask me. + These need to be renamed to `gl-creator` (the correct spelling at last, + hooray!). Suggested command sequence: - * `GIT_PATH` -- gone, not needed. Just add these lines to the end of the rc - file: + cd $HOME/repositories + find . -type d -name "*.git" -prune | while read r + do + mv \$r/gl-creater \$r/gl-creator + done 2>/dev/null - $ENV{PATH}="...whatever you want..."; - 1; + Once you do this, the g2 will not work completely unless you change them + back. - * `GL_NO_SETUP_AUTHKEYS` -- comment out the lines that call ssh-authkeys, in - the rc file. + * `found N gl-perms files with R or RW` - * `GL_WILDREPOS_DEFPERMS` -- if you need this, add a `POST_CREATE` script - that does it. Or email me and I will write it for you. + Setting perms of R and RW will no longer work; you have to say READERS and + WRITERS now. Suggested command: - * `UPDATE_CHAINS_TO` -- use a [vref][] instead. You can directly use the - chained-to script as a VREF; it'll work. +The following variables need to be [preset][rc-preset] in the rc file +**before** running `gitolite setup`. 
Otherwise the default actions will +clobber something and require some recovery. - * `ADMIN_POST_UPDATE_CHAINS_TO` -- add your script to the `POST_COMPILE` - trigger chain. You won't be getting any arguments but for the admin repo - the only argument that ever comes in is "refs/heads/master" anyway. + * `GL_NO_SETUP_AUTHKEYS` (default will clobber your authkeys file) - * `GL_ADC_PATH` -- obsolete; use [commands][] or add [your own][dev-notes]. + * `GL_NO_DAEMON_NO_GITWEB` (default will clobber your projects.list file and + git-daemon-export-ok files) - * `GL_ALL_INCLUDES_SPECIAL` -- obsolete; @all always includes gitweb and - daemon now. Use [deny-rules][] if you want to say `R = @all` but not have - it be visible to gitweb or daemon. + * `UPDATE_CHAINS_TO` (default will fail to run this extra check when users + push) - * `GL_PERFLOGT` -- see the entry for "gl-time" in the [alternative - implementations][g2alt] page. + * `ADMIN_POST_UPDATE_CHAINS_TO` (severity depends on what your code is + doing; see [g2rcdiff][] for how to fix this) -**DROPPED** variables (no impact/low impact): these variables should not -actually affect anything anyway, so even if you had them set you should not -feel their loss. + * `GL_ALL_INCLUDES_SPECIAL` (default will allow gitweb and daemon to be able + to read any repos that have `R = @all`) - * `GL_CONF`, `GL_KEYDIR`, and `GL_CONF_COMPILED` -- you had no business - touching these anyway; if you did, move them into the expected default - locations before attempting to run `gitolite setup` - * `GL_PACKAGE_HOOKS` -- not needed anymore, but check if you had any custom - hooks set there and copy them across. - * `GL_WILDREPOS` -- dropped; this feature is default now. - * `GL_BIG_CONFIG` -- dropped; this feature is default now. - -**RENAMED** variables (no impact): these are functionally the same but are -renamed. 
- - * `REPO_UMASK` is now `UMASK` - * `GL_GITCONFIG_KEYS` is now `GITCONFIG_KEYS` - * `GL_WILDREPOS_PERM_CATS` is now the ROLES hash in the rc file - * `GL_SITE_INFO` is not `SITE_INFO` + * `GIT_PATH` (presumably your git is in some non-std path so unless you + preset `$ENV{PATH}` per instructions in the [rc file + differences][g2rcdiff] doc, nothing will work). diff --git a/doc/g2rcdiff.mkd b/doc/g2rcdiff.mkd new file mode 100644 index 0000000..81af122 --- /dev/null +++ b/doc/g2rcdiff.mkd 
@@ -0,0 +1,120 @@ +## #g2rcdiff rc file differences between g2 and g3 + +The new rc file has far fewer variables; many have been dropped. You should +not see much ill effect though, but please read below. + +### #rc-preset pre-setting the rc file + +Some of these settings are such that you cannot directly run `gitolite setup` +when you're ready to migrate. Instead, you need to run + + # (assuming you saved your g2 rc file somewhere) + gitolite print-default-rc > $HOME/.gitolite.rc + $EDITOR $HOME/.gitolite.rc + # make appropriate changes, save + gitolite setup + +One example of this is `GL_NO_SETUP_AUTHKEYS`. If you don't jump in and fix +the rc first, the first run will clobber your authkeys file. + +### rc file differences + +**DROPPED** variables (possible high impact): these could be show-stoppers for +migration, at least for now. + + * `BIG_INFO_CAP` -- if you think you must have this, try it without and see + if there's a difference. If you *know* you need this, convince me. + + * `GL_ALL_READ_ALL` -- same + + * `GL_NO_CREATE_REPOS` -- if you think you need this, email me. I know one + group who does need this so I will be putting it in eventually but not + right away. + + * `HTPASSWD_FILE`, `RSYNC_BASE`, `SVNSERVE` -- need work. Email me if you + are using any of these. + + * `GL_GET_MEMBERSHIPS_PGM` -- is high on my todo list + + * `GL_LOGT` -- is now fixed; you can't change it. Email me if this is a + problem. + +**DROPPED** variables (medium impact): these have alternative implementations +or mechanisms, but you have to do some setup work. + + * `GL_ADMINDIR` -- this is now at a fixed location: `~/.gitolite`. If you + want it somewhere else go ahead and move it, then place a symlink from the + assumed location to the real one. + + * `REPO_BASE` -- this is now at a fixed location: `~/repositories`. If you + want it somewhere else go ahead and move it, then place a symlink from the + assumed location to the real one. 
+ + * `PROJECTS_LIST` -- it's called `GITWEB_PROJECTS_LIST` now, but more + importantly, it is only used by update-gitweb-access-list in + src/commands/post-compile. This variable now has nothing to do with + gitolite core, and the rc is just helping to store settings for external + programs like that one. + + `WEB_INTERFACE` and `GITWEB_URI_ESCAPE` are also gone; patches to the + update program to directly do those things are welcome. Personally, I + think people who use spaces and other funky characters in dir/file names + should be shot but luckily no one listens to me :-) + + * `GL_NO_DAEMON_NO_GITWEB` -- uncomment the appropriate lines in the rc + file, in both the `POST_COMPILE` and `POST_CREATE` trigger sections. + + * `NICE_VALUE` -- use the `PRE_GIT` trigger to attach a program that renices + the pid given by $GL_TID (that's the pid of the initial gitolite entry + point, usually gitolite-shell, and propagates from there once set). + + You may have to add this list to the rc file; if you don't know perl use + one of the others as a model or ask me. + + * `GIT_PATH` -- gone, not needed. Just add these lines to the end of the rc + file: + + $ENV{PATH}="...whatever you want..."; + 1; + + * `GL_NO_SETUP_AUTHKEYS` -- comment out the lines that call ssh-authkeys, in + the rc file. + + * `GL_WILDREPOS_DEFPERMS` -- if you need this, add a `POST_CREATE` script + that does it. Or email me and I will write it for you. + + * `UPDATE_CHAINS_TO` -- use a [vref][] instead. You can directly use the + chained-to script as a VREF; it'll work. + + * `ADMIN_POST_UPDATE_CHAINS_TO` -- add your script to the `POST_COMPILE` + trigger chain. You won't be getting any arguments but for the admin repo + the only argument that ever comes in is "refs/heads/master" anyway. + + * `GL_ADC_PATH` -- obsolete; use [commands][] or add [your own][dev-notes]. + + * `GL_ALL_INCLUDES_SPECIAL` -- obsolete; @all always includes gitweb and + daemon now. 
Use [deny-rules][] if you want to say `R = @all` but not have + it be visible to gitweb or daemon. + + * `GL_PERFLOGT` -- see the entry for "gl-time" in the [alternative + implementations][g2alt] page. + +**DROPPED** variables (no impact/low impact): these variables should not +actually affect anything anyway, so even if you had them set you should not +feel their loss. + + * `GL_CONF`, `GL_KEYDIR`, and `GL_CONF_COMPILED` -- you had no business + touching these anyway; if you did, move them into the expected default + locations before attempting to run `gitolite setup` + * `GL_PACKAGE_HOOKS` -- not needed anymore, but check if you had any custom + hooks set there and copy them across. + * `GL_WILDREPOS` -- dropped; this feature is default now. + * `GL_BIG_CONFIG` -- dropped; this feature is default now. + +**RENAMED** variables (no impact): these are functionally the same but are +renamed. + + * `REPO_UMASK` is now `UMASK` + * `GL_GITCONFIG_KEYS` is now `GITCONFIG_KEYS` + * `GL_WILDREPOS_PERM_CATS` is now the ROLES hash in the rc file + * `GL_SITE_INFO` is now `SITE_INFO` diff --git a/doc/list b/doc/list index b9f7411..a844832 100644 --- a/doc/list +++ b/doc/list @@ -5,6 +5,7 @@ why.mkd g3why.mkd dev-status.mkd g2migr.mkd +g2rcdiff.mkd g2incompat.mkd g2dropped.mkd g2alt.mkd diff --git a/src/Gitolite/Rc.pm b/src/Gitolite/Rc.pm index 4d9299c..c4c3bcd 100644 --- a/src/Gitolite/Rc.pm +++ b/src/Gitolite/Rc.pm @@ -59,8 +59,8 @@ my $rc = glrc('filename'); do $rc if -r $rc; if ( defined($GL_ADMINDIR) ) { say2 ""; - say2 "FATAL: $rc seems to be for older gitolite; checking compat"; - require Gitolite::Compat; + say2 "FATAL: $rc seems to be for older gitolite; please see doc/g2migr.mkd\n" . + "(online at http://sitaramc.github.com/gitolite/g3/g2migr.html)"; exit 1; } 
@@ -250,7 +250,9 @@ __DATA__ # used by the info command # SITE_INFO => 'Please see http://blahblah/gitolite for more help', - # add more roles (like MANAGER, TESTER, ...) here + # add more roles (like MANAGER, TESTER, ...) here. + # WARNING: if you make changes to this hash, you MUST run 'gitolite + # compile' afterward, and possibly also 'gitolite trigger POST_COMPILE' ROLES => { READERS => 1,