new check-g2-compat, lots of migration related changes

- rc differences moved to their own file
  - main g2migr now helps interpret output of check-g2-compat
  - Gitolite::Compat gone; no point...
Sitaram Chamarty 2012-03-25 09:15:39 +05:30
parent c14e01d6c0
commit 3ed923f503
7 changed files with 287 additions and 84 deletions

check-g2-compat Executable file

@ -0,0 +1,87 @@
#!/usr/bin/perl
use Cwd;
my $h = $ENV{HOME};
my $rc = "$h/.gitolite.rc";
my %count;
intro();
msg( FATAL => "no rc file found; do you even *have* g2 running?" ) if not -f $rc;
do $rc;
unless ( $return = do $rc ) {
msg( FATAL => "couldn't parse $rc: $@" ) if $@;
msg( FATAL => "couldn't do $rc: $!" ) unless defined $return;
msg( WARNING => "couldn't run $rc" ) unless $return;
}
print "checking rc file...\n";
rc_basic();
rest_of_rc();
print "\n";
print "checking conf file(s)...\n";
conf();
print "\n";
print "checking repos...\n";
repo();
print "\n";
# ----------------------------------------------------------------------
sub intro {
msg( INFO => "This program only checks for uses that make the new g3 completely unusable" );
msg( '' => "or that might end up giving *more* access to someone if migrated as-is." );
msg( '' => "It does NOT attempt to catch all the differences described in the docs." );
msg( '', '' );
msg( INFO => "'see docs' usually means doc/g2migr.mkd");
msg( '', => "(online at http://sitaramc.github.com/gitolite/g3/g2migr.html)" );
msg( '', '' );
}
sub rc_basic {
msg( FATAL => "GL_ADMINDIR in the wrong place -- aborting; see docs" ) if $GL_ADMINDIR ne "$h/.gitolite";
msg( NOTE => "GL_ADMINDIR is in the right place; assuming you did not mess with" );
msg( '', "GL_CONF, GL_LOGT, GL_KEYDIR, and GL_CONF_COMPILED" );
msg( FATAL => "REPO_BASE in the wrong place -- aborting; see docs" ) if $REPO_BASE ne "$h/repositories" and $REPO_BASE ne "repositories";
# ( abs or rel both ok)
}
sub rest_of_rc {
msg( SEVERE => "GIT_PATH found; see docs" ) if $GIT_PATH;
msg( SEVERE => "GL_ALL_INCLUDES_SPECIAL found; see docs" ) if $GL_ALL_INCLUDES_SPECIAL;
msg( SEVERE => "GL_GET_MEMBERSHIPS_PGM not yet implemented" ) if $GL_GET_MEMBERSHIPS_PGM;
msg( SEVERE => "GL_NO_CREATE_REPOS not yet implemented" ) if $GL_NO_CREATE_REPOS;
msg( SEVERE => 'htpasswd, rsync, and svnserve not yet implemented' ) if $HTPASSWD_FILE or $RSYNC_BASE or $SVNSERVE;
msg( WARNING => "ADMIN_POST_UPDATE_CHAINS_TO found; see docs" ) if $ADMIN_POST_UPDATE_CHAINS_TO;
msg( WARNING => "GL_NO_DAEMON_NO_GITWEB found; see docs" ) if $GL_NO_DAEMON_NO_GITWEB;
msg( WARNING => "GL_NO_SETUP_AUTHKEYS found; see docs" ) if $GL_NO_SETUP_AUTHKEYS;
msg( WARNING => "UPDATE_CHAINS_TO found; see docs" ) if $UPDATE_CHAINS_TO;
msg( WARNING => "GL_ADC_PATH found; many ADCs not yet implemented") if $GL_ADC_PATH;
msg( WARNING => "non-default GL_WILDREPOS_PERM_CATS found" ) if $GL_WILDREPOS_PERM_CATS ne 'READERS WRITERS';
}
sub conf {
chdir($h);
chdir($GL_ADMINDIR);
my $conf = `find . -name "*.conf" | xargs cat`;
msg( "SEVERE", "fallthru in NAME rules; see docs" ) if $conf =~ m(NAME/);
msg( "SEVERE", "subconf command in admin repo; see docs" ) if $conf =~ m(NAME/conf/fragments);
}
sub repo {
chdir($h);
chdir($REPO_BASE);
my @creater = `find . -name gl-creater`;
if (@creater) {
msg( WARNING => "found " . scalar(@creater) . " gl-creater files; see docs" );
}
my @perms = `find . -name gl-perms | xargs egrep -l -w R\\|RW`;
if (@perms) {
msg( WARNING => "found " . scalar(@perms) . " gl-perms files with R or RW; see docs" );
}
}
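Review bot: The rc file is executed twice at the top of the script: a bare `do $rc;` is immediately followed by `unless ( $return = do $rc )`, so any side effects in the rc run twice and the result of the first call is never examined. Drop the bare `do $rc;` and declare `my $return`. In `conf()` and `repo()` the `chdir` return values are not checked; if `chdir($GL_ADMINDIR)` or `chdir($REPO_BASE)` fails, the `find . ...` pipelines run from the previous directory and the findings describe the wrong tree, so fail with a FATAL message there. Also, `$GL_WILDREPOS_PERM_CATS ne 'READERS WRITERS'` is true when the variable is unset, which reports "non-default" for an rc that never set it; guard it with `defined`.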


@ -1,2 +1,4 @@
## #g2dropped g2 features dropped ## #g2dropped g2 features dropped
(none yet that are not already covered in the rc section in [this][g2migr]
page).


@ -1,4 +1,6 @@
## #g2incompat compatibility with g2 ## #g2incompat incompatibility with g2
(other than in the rc file, which is dealt with [elsewhere][g2rcdiff])
The following incompatibilities exist, in vaguely decreasing order of The following incompatibilities exist, in vaguely decreasing order of
severity. **The ones in the first section are IMPORTANT because they allow severity. **The ones in the first section are IMPORTANT because they allow
@ -8,8 +10,8 @@ the new gitolite!**
### fallthru in NAME rules ### fallthru in NAME rules
Fallthru on all VREFs is "success" now, so any NAME/ rules you have **MUST** Fallthru on all VREFs is "success" now, so any NAME/ rules you have **MUST**
change the ruleset in some way. The simplest is to add the following line to change the ruleset in some way to maintain the same restrictions. The
the end of each repo's rule list: simplest is to add the following line to the end of each repo's rule list:
- NAME/ = @all - NAME/ = @all
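Review bot: In the reworded `fallthru in NAME rules` paragraph, "any NAME/ rules you have **MUST** change the ruleset" makes the rules the subject of the change. Since this is the item that can widen access after migration, say it directly, for example "if you have any NAME/ rules, you **MUST** change the ruleset to maintain the same restrictions". It would also help to mention that check-g2-compat reports this case as "fallthru in NAME rules; see docs".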
@ -33,3 +35,7 @@ line. As the [vref documentation][vref] says:
> **Virtual refs are best used as additional "deny" rules**, performing > **Virtual refs are best used as additional "deny" rules**, performing
> extra checks that core gitolite cannot. > extra checks that core gitolite cannot.
The second part explicitly says when and where to include the subconf files.
(Before subconf was invented, this used to happen implicitly at the end of the
main conf file, and was hardcoded to that specific glob.)


@ -10,113 +10,98 @@ move to g3.**
First things first: g2 will be supported for a good long time. My current First things first: g2 will be supported for a good long time. My current
*expert* users do not cause me any load anyway. *expert* users do not cause me any load anyway.
Migration should be straightforward, but it is not automatic. When you first Migration should be straightforward, but it is not automatic. You should run
run "gitolite setup [...]", gitolite3 will try to detect at least the big the "check-g2-compat" program first, to see any *major* differences that
problems. However, converting the RC file and the conf files is (as of now) affect you. The bulk of the changes are in the RC file, which must be
still a manual exercise, though not very difficult. manually handled (links below). The conf files have very few changes -- they
apply only if you use "NAME/" or delegation.
You must first read about [incompatible][g2incompat] features and You must first read about [incompatible][g2incompat] features and
[dropped][g2dropped] features. Some features have been replaced with [dropped][g2dropped] features. Some features have been replaced with
[alternatives][g2alt]. [alternatives][g2alt].
Since the majority of changes are in the rc file, we list them all here. Since the majority of changes are in the rc file, they're all listed
[here][g2rcdiff].
### rc file differences The rest of this page describes the completely standalone "check-g2-compat"
script that you can find in the repo root (i.e., not in "src/").
**DROPPED** variables (possible high impact): these could be show-stoppers for ### the "check-g2-compat" program
migration, at least for now.
* `BIG_INFO_CAP` -- if you think you must have this, try it without and see This program checks a few things only, not everything. In particular, it
if there's a difference. If you *know* you need this, convince me. looks for settings and status that might:
* `GL_ALL_READ_ALL` -- same * make g3 unusable for lots of users
* make g3 give *more* access than g2 under some conditions.
* `GL_NO_CREATE_REPOS` -- if you think you need this, email me. I know one It does NOT look for or warn about anything else; you're expected to read (and
group who does need this so I will be putting it in eventually but not act upon, if needed) the rest of the migration guide links given a few paras
right away. above to cover everything else.
* `HTPASSWD_FILE`, `RSYNC_BASE`, `SVNSERVE` -- need work. Email me if you Here's an explanation of those messages that the check-g2-compat program may
are using any of these. put that contain the words "see docs":
* `GL_GET_MEMBERSHIPS_PGM` -- is on my todo list * `GL_ADMINDIR in the wrong place -- aborting`
* `GL_LOGT` -- is now fixed; you can't change it. Email me if this is a It expects to find `GL_ADMINDIR` and `REPO_BASE` pointing to the right
problem. places. It aborts if these conditions are not met and does not scan
further since that sort of guesswork is not good. If you are in that
position, make a symlink from the real location to the expected location,
change the RC accordingly, and re-try.
**DROPPED** variables (medium impact): these have alternative implementations * `REPO_BASE in the wrong place -- aborting`
or mechanisms, but you have to do some setup work.
* `GL_ADMINDIR` -- this is now at a fixed location: `~/.gitolite`. If you same as above
want it somewhere else go ahead and move it, then place a symlink from the
assumed location to the real one.
* `REPO_BASE` -- this is now at a fixed location: `~/repositories`. If you * `fallthru in NAME rules`
want it somewhere else go ahead and move it, then place a symlink from the
assumed location to the real one.
* `PROJECTS_LIST` -- it's called `GITWEB_PROJECTS_LIST` now, but more **This is a significant difference and affects access badly (gives access
importantly, it is only used by update-gitweb-access-list in that would otherwise not be given)**. Please see the [list of non-RC
src/commands/post-compile. This variable now has nothing to do with incompatibilities][g2incompat].
gitolite core, and the rc is just helping to store settings for external
programs like that one.
`WEB_INTERFACE` and `GITWEB_URI_ESCAPE` are also gone; patches to the * `subconf command in admin repo`
update program to directly do those things are welcome.
* `GL_NO_DAEMON_NO_GITWEB` -- uncomment the appropriate lines in the rc This is not so bad security wise but it might *reduce* access by not
file, in both the `POST_COMPILE` and `POST_CREATE` trigger sections. processing files you intended to. Again, see the same link as in the
previous bullet.
* `NICE_VALUE` -- use the `PRE_GIT` trigger to attach a program that renices * `found N gl-creater files`
the pid given by $GL_TID (that's the pid of the initial gitolite entry
point, usually gitolite-shell, and propagates from there once set).
You may have to add this list to the rc file; if you don't know perl use These need to be renamed to `gl-creator` (the correct spelling at last,
one of the others as a model or ask me. hooray!). Suggested command sequence:
* `GIT_PATH` -- gone, not needed. Just add these lines to the end of the rc cd $HOME/repositories
file: find . -type d -name "*.git" -prune | while read r
do
mv \$r/gl-creater \$r/gl-creator
done 2>/dev/null
$ENV{PATH}="...whatever you want..."; Once you do this, the g2 will not work completely unless you change them
1; back.
* `GL_NO_SETUP_AUTHKEYS` -- comment out the lines that call ssh-authkeys, in * `found N gl-perms files with R or RW`
the rc file.
* `GL_WILDREPOS_DEFPERMS` -- if you need this, add a `POST_CREATE` script Setting perms of R and RW will no longer work; you have to say READERS and
that does it. Or email me and I will write it for you. WRITERS now. Suggested command:
* `UPDATE_CHAINS_TO` -- use a [vref][] instead. You can directly use the The following variables need to be [preset][rc-preset] in the rc file
chained-to script as a VREF; it'll work. **before** running `gitolite setup`. Otherwise the default actions will
clobber something and require some recovery.
* `ADMIN_POST_UPDATE_CHAINS_TO` -- add your script to the `POST_COMPILE` * `GL_NO_SETUP_AUTHKEYS` (default will clobber your authkeys file)
trigger chain. You won't be getting any arguments but for the admin repo
the only argument that ever comes in is "refs/heads/master" anyway.
* `GL_ADC_PATH` -- obsolete; use [commands][] or add [your own][dev-notes]. * `GL_NO_DAEMON_NO_GITWEB` (default will clobber your projects.list file and
git-daemon-export-ok files)
* `GL_ALL_INCLUDES_SPECIAL` -- obsolete; @all always includes gitweb and * `UPDATE_CHAINS_TO` (default will fail to run this extra check when users
daemon now. Use [deny-rules][] if you want to say `R = @all` but not have push)
it be visible to gitweb or daemon.
* `GL_PERFLOGT` -- see the entry for "gl-time" in the [alternative * `ADMIN_POST_UPDATE_CHAINS_TO` (severity depends on what your code is
implementations][g2alt] page. doing; see [g2rcdiff][] for how to fix this)
**DROPPED** variables (no impact/low impact): these variables should not * `GL_ALL_INCLUDES_SPECIAL` (default will allow gitweb and daemon to be able
actually affect anything anyway, so even if you had them set you should not to read any repos that have `R = @all`)
feel their loss.
* `GL_CONF`, `GL_KEYDIR`, and `GL_CONF_COMPILED` -- you had no business * `GIT_PATH` (presumably your git is in some non-std path so unless you
touching these anyway; if you did, move them into the expected default preset `$ENV{PATH}` per instructions in the [rc file
locations before attempting to run `gitolite setup` differences][g2rcdiff] doc, nothing will work).
* `GL_PACKAGE_HOOKS` -- not needed anymore, but check if you had any custom
hooks set there and copy them across.
* `GL_WILDREPOS` -- dropped; this feature is default now.
* `GL_BIG_CONFIG` -- dropped; this feature is default now.
**RENAMED** variables (no impact): these are functionally the same but are
renamed.
* `REPO_UMASK` is now `UMASK`
* `GL_GITCONFIG_KEYS` is now `GITCONFIG_KEYS`
* `GL_WILDREPOS_PERM_CATS` is now the ROLES hash in the rc file
* `GL_SITE_INFO` is not `SITE_INFO`
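Review bot: In the suggested rename loop under `found N gl-creater files`, the loop variable is written with a backslash (`mv \$r/gl-creater \$r/gl-creator`). Pasted into a shell as shown, the backslash makes `$r` literal, every `mv` fails, and the trailing `2>/dev/null` hides the failure. Write it as `mv "$r/gl-creater" "$r/gl-creator"`, and test for the file's existence instead of discarding all of stderr so real errors stay visible. The `found N gl-perms files with R or RW` bullet ends with "Suggested command:" but no command follows it in this hunk. Typo in the paragraph introducing the messages: "may put that contain" should read "may put out that contain".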

doc/g2rcdiff.mkd Normal file

@ -0,0 +1,120 @@
## #g2rcdiff rc file differences between g2 and g3
The new rc file has far fewer variables; many have been dropped. You should
not see much ill effect though, but please read below.
### #rc-preset pre-setting the rc file
Some of these settings are such that you cannot directly run `gitolite setup`
when you're ready to migrate. Instead, you need to run
# (assuming you saved your g2 rc file somewhere)
gitolite print-default-rc > $HOME/.gitolite.rc
$EDITOR $HOME/.gitolite.rc
# make appropriate changes, save
gitolite setup
One example of this is `GL_NO_SETUP_AUTHKEYS`. If you don't jump in and fix
the rc first, the first run will clobber your authkeys file.
### rc file differences
**DROPPED** variables (possible high impact): these could be show-stoppers for
migration, at least for now.
* `BIG_INFO_CAP` -- if you think you must have this, try it without and see
if there's a difference. If you *know* you need this, convince me.
* `GL_ALL_READ_ALL` -- same
* `GL_NO_CREATE_REPOS` -- if you think you need this, email me. I know one
group who does need this so I will be putting it in eventually but not
right away.
* `HTPASSWD_FILE`, `RSYNC_BASE`, `SVNSERVE` -- need work. Email me if you
are using any of these.
* `GL_GET_MEMBERSHIPS_PGM` -- is high on my todo list
* `GL_LOGT` -- is now fixed; you can't change it. Email me if this is a
problem.
**DROPPED** variables (medium impact): these have alternative implementations
or mechanisms, but you have to do some setup work.
* `GL_ADMINDIR` -- this is now at a fixed location: `~/.gitolite`. If you
want it somewhere else go ahead and move it, then place a symlink from the
assumed location to the real one.
* `REPO_BASE` -- this is now at a fixed location: `~/repositories`. If you
want it somewhere else go ahead and move it, then place a symlink from the
assumed location to the real one.
* `PROJECTS_LIST` -- it's called `GITWEB_PROJECTS_LIST` now, but more
importantly, it is only used by update-gitweb-access-list in
src/commands/post-compile. This variable now has nothing to do with
gitolite core, and the rc is just helping to store settings for external
programs like that one.
`WEB_INTERFACE` and `GITWEB_URI_ESCAPE` are also gone; patches to the
update program to directly do those things are welcome. Personally, I
think people who use spaces and other funky characters in dir/file names
should be shot but luckily no one listens to me :-)
* `GL_NO_DAEMON_NO_GITWEB` -- uncomment the appropriate lines in the rc
file, in both the `POST_COMPILE` and `POST_CREATE` trigger sections.
* `NICE_VALUE` -- use the `PRE_GIT` trigger to attach a program that renices
the pid given by $GL_TID (that's the pid of the initial gitolite entry
point, usually gitolite-shell, and propagates from there once set).
You may have to add this list to the rc file; if you don't know perl use
one of the others as a model or ask me.
* `GIT_PATH` -- gone, not needed. Just add these lines to the end of the rc
file:
$ENV{PATH}="...whatever you want...";
1;
* `GL_NO_SETUP_AUTHKEYS` -- comment out the lines that call ssh-authkeys, in
the rc file.
* `GL_WILDREPOS_DEFPERMS` -- if you need this, add a `POST_CREATE` script
that does it. Or email me and I will write it for you.
* `UPDATE_CHAINS_TO` -- use a [vref][] instead. You can directly use the
chained-to script as a VREF; it'll work.
* `ADMIN_POST_UPDATE_CHAINS_TO` -- add your script to the `POST_COMPILE`
trigger chain. You won't be getting any arguments but for the admin repo
the only argument that ever comes in is "refs/heads/master" anyway.
* `GL_ADC_PATH` -- obsolete; use [commands][] or add [your own][dev-notes].
* `GL_ALL_INCLUDES_SPECIAL` -- obsolete; @all always includes gitweb and
daemon now. Use [deny-rules][] if you want to say `R = @all` but not have
it be visible to gitweb or daemon.
* `GL_PERFLOGT` -- see the entry for "gl-time" in the [alternative
implementations][g2alt] page.
**DROPPED** variables (no impact/low impact): these variables should not
actually affect anything anyway, so even if you had them set you should not
feel their loss.
* `GL_CONF`, `GL_KEYDIR`, and `GL_CONF_COMPILED` -- you had no business
touching these anyway; if you did, move them into the expected default
locations before attempting to run `gitolite setup`
* `GL_PACKAGE_HOOKS` -- not needed anymore, but check if you had any custom
hooks set there and copy them across.
* `GL_WILDREPOS` -- dropped; this feature is default now.
* `GL_BIG_CONFIG` -- dropped; this feature is default now.
**RENAMED** variables (no impact): these are functionally the same but are
renamed.
* `REPO_UMASK` is now `UMASK`
* `GL_GITCONFIG_KEYS` is now `GITCONFIG_KEYS`
* `GL_WILDREPOS_PERM_CATS` is now the ROLES hash in the rc file
* `GL_SITE_INFO` is now `SITE_INFO`
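Review bot: The `#rc-preset` procedure overwrites the live rc with `gitolite print-default-rc > $HOME/.gitolite.rc`, and the only protection for the old file is the comment "(assuming you saved your g2 rc file somewhere)". Make the backup an explicit first command in that block (a copy of the g2 rc to a named file) so the settings the reader has to carry over, such as the `GL_NO_SETUP_AUTHKEYS` case used as the example, are still available when they reach the `$EDITOR` step.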


@ -5,6 +5,7 @@ why.mkd
g3why.mkd g3why.mkd
dev-status.mkd dev-status.mkd
g2migr.mkd g2migr.mkd
g2rcdiff.mkd
g2incompat.mkd g2incompat.mkd
g2dropped.mkd g2dropped.mkd
g2alt.mkd g2alt.mkd


@ -59,8 +59,8 @@ my $rc = glrc('filename');
do $rc if -r $rc; do $rc if -r $rc;
if ( defined($GL_ADMINDIR) ) { if ( defined($GL_ADMINDIR) ) {
say2 ""; say2 "";
say2 "FATAL: $rc seems to be for older gitolite; checking compat"; say2 "FATAL: $rc seems to be for older gitolite; please see doc/g2migr.mkd\n" .
require Gitolite::Compat; "(online at http://sitaramc.github.com/gitolite/g3/g2migr.html)";
exit 1; exit 1;
} }
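Review bot: The new FATAL message for an old-style rc points only at doc/g2migr.mkd and does not name `check-g2-compat`, which this commit adds and which g2migr.mkd now tells users to run first. With `require Gitolite::Compat` removed here, nothing is checked automatically at this point any more, so add a line to the message telling the user to run check-g2-compat from the repo root; that way they reach the tool directly instead of only through the docs.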
@ -250,7 +250,9 @@ __DATA__
# used by the info command # used by the info command
# SITE_INFO => 'Please see http://blahblah/gitolite for more help', # SITE_INFO => 'Please see http://blahblah/gitolite for more help',
# add more roles (like MANAGER, TESTER, ...) here # add more roles (like MANAGER, TESTER, ...) here.
# WARNING: if you make changes to this hash, you MUST run 'gitolite
# compile' afterward, and possibly also 'gitolite trigger POST_COMPILE'
ROLES => ROLES =>
{ {
READERS => 1, READERS => 1,