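Setting up a Gerrit code review server on Ubuntu
Google's Android Open Source Project brought two important innovations to the use of Git: one is repo, introduced for coordinating multiple repositories, and the other is Gerrit, a code review server. The code review that Gerrit introduces for Git is mandatory: unless special authorization is configured, pushes to a Git repository must go through the Gerrit server, and a revision must pass through the code review workflow before it can be approved and merged into the official code base.
How Gerrit works and its workflow
First, a contributor's code is pushed with the git command (or the git review wrapper) to a Git repository managed by Gerrit. Each pushed commit is turned into a code review task, which can be accessed through a reference under refs/changes/. Reviewers can view review tasks and code changes in the web interface and use it to approve a change or send it back. Testers can also fetch a revision through its refs/changes/ reference and test it; if the tests pass, the review task can be marked as verified. Finally, a revision that has been reviewed and verified can be merged into the corresponding branch of the repository with the submit action in the Gerrit interface. A more detailed description of the flow is shown in the figure below:
Create the gerrit user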
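    sudo adduser gerrit
    sudo chmod u+w /etc/sudoers
    sudo vi /etc/sudoers
    # add this line to /etc/sudoers
    # (sudo visudo opens the same file with a syntax check and needs no chmod):
    gerrit ALL=(ALL) ALL
    su gerrit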
Installing and configuring Gerrit
Installing Gerrit requires a JDK, version 1.6 at minimum:
    sudo apt-get install default-jre
    sudo apt-get install git
https://code.google.com/p/gerrit/
https://gerrit-releases.storage.googleapis.com/gerrit-2.12.war
Install Gerrit
    java -jar gerrit-2.11.war init -d review_site

    *** Git Repositories
    ***
    Location of Git repositories [git]: /home/gerrit/repositories

    *** SQL Database
    ***
    Database server type [h2]: postgresql
    Server hostname [localhost]:
    Server port [(postgresql default)]:
    Database name [reviewdb]:
    Database username [gerrit]:
    gerrit's password :
    confirm password :

    *** User Authentication
    ***
    Authentication method [OPENID/?]: http
    Get username from custom HTTP header [y/N]?
    SSO logout URL

    *** Review Labels
    ***
    Install Verified label [y/N]? y

    *** Email Delivery
    ***
    SMTP server hostname [localhost]: smtp.163.com
    SMTP server port [(default)]: 25
    SMTP encryption [NONE/?]:
    SMTP username [gerrit]: your_name
    gerrit's password :
    confirm password :

    *** SSH Daemon
    ***
    Listen on address [*]:
    Listen on port [29418]:

    *** HTTP Daemon
    ***
    Behind reverse proxy [y/N]? y
    Use SSL (https://) [y/N]?
    Listen on address [*]:
    Listen on port [8080]: 8081
    Canonical URL [http://learnLinux:8081/]: http://localhost:8080

    *** Plugins
    ***
    Installing plugins.
    Install plugin download-commands version v2.11 [y/N]? y
    Install plugin reviewnotes version v2.11 [y/N]? y
    Install plugin singleusergroup version v2.11 [y/N]? y
    Install plugin replication version v2.11 [y/N]? y
    Install plugin commit-message-length-validator version v2.11 [y/N]? y
    Initializing plugins.
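Gerrit supports H2 (built-in), MySQL and PostgreSQL databases. For simple use, take the default H2 database; choose MySQL or PostgreSQL when the number of authenticated users is larger.
Gerrit supports OpenID, HTTP and LDAP authentication. The method chosen here is HTTP rather than OpenID, because OpenID would make Gerrit depend on an external system; Gerrit currently supports the OpenID providers Google and Yahoo.
Choosing HTTP requires a reverse proxy, because of how HTTP authentication works: in this mode the authentication takes place in the web server in front of Gerrit, not inside Gerrit itself.
LDAP is the Lightweight Directory Access Protocol, usually abbreviated to LDAP.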
The configuration file is review_site/etc/gerrit.config, and the mail password is stored in review_site/etc/secure.config.
    vi ./review_site/etc/gerrit.config
    # change canonicalWebUrl to the address of the proxy server
    [gerrit]
        basePath = /home/gerrit/repositories
        canonicalWebUrl = http:
    [database]
        type = postgresql
        hostname = localhost
        database = reviewdb
        username = gerrit
    [index]
        type = LUCENE
    [auth]
        type = HTTP
    [sendemail]
        enable = true
        smtpServer = smtp.163.com
        smtpServerPort = 25
        smtpUser = your_name@163.com
        from = gerrit<your_name@163.com>
    [sshd]
        listenAddress = *:29418
    [httpd]
        listenUrl = proxy-http:
    [cache]
        directory = cache
    vi etc/secure.config
    [database]
        password = your_password
    [auth]
        registerEmailPrivateKey = your_password
        restTokenPrivateKey = your_password
    [sendemail]
        smtpPass = your_password
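With auth.type = HTTP, Gerrit leaves authentication to the web server in front of it, so gerrit.config decides whether that proxy can be bypassed and whether the SMTP login travels unencrypted. The following check is an added example, not part of the original article or of Gerrit; the function names and the sample listenUrl values are assumptions made for illustration.

```shell
# Added example: audit gerrit.config text read from stdin.
# Flatten git-config style text into "section.key=value" lines.
cfg_dump() {
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); sec = tolower($0); next }
        /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            print sec "." tolower(key) "=" val
        }'
}

# cfg_get FLAT section.key: print the value, or nothing when it is unset.
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2=" 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

# Print one FINDING line per risky setting.
audit_gerrit_config() {
    flat=$(cfg_dump)
    auth=$(cfg_get "$flat" auth.type)
    listen=$(cfg_get "$flat" httpd.listenurl)
    case "$auth" in
    HTTP|HTTP_LDAP)
        # Gerrit trusts the identity the web server presents: only the local proxy may reach it.
        case "$listen" in
        proxy-http://127.0.0.1:*|proxy-http://localhost:*) ;;
        *) echo "FINDING: auth.type=$auth with httpd.listenUrl=$listen (not loopback-only)" ;;
        esac ;;
    esac
    if [ -n "$(cfg_get "$flat" sendemail.smtpuser)" ]; then
        case "$(cfg_get "$flat" sendemail.smtpencryption)" in
        ssl|tls|SSL|TLS) ;;
        *) echo "FINDING: SMTP login configured without sendemail.smtpEncryption" ;;
        esac
    fi
}

# Constructed sample modelled on the config above: sample_config LISTEN_URL [ENCRYPTION]
sample_config() {
    printf '%s\n' '[auth]' '  type = HTTP' '[httpd]' "  listenUrl = $1" \
        '[sendemail]' '  smtpUser = your_name@163.com' ${2:+"  smtpEncryption = $2"}
}

sample_config 'proxy-http://*:8081/' | audit_gerrit_config
```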
Configure the nginx proxy server
Using nginx as the proxy server is more convenient. Add a server block under /etc/nginx/sites-enabled:
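    server {
        listen *:8090;
        server_name localhost;

        location / {
            auth_basic "Welcomme to Gerrit Code Review Site";
            auth_basic_user_file /home/gerrit/review_site/etc/passwd;
            proxy_pass http://localhost:8081;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $host;
        }

        location /login/ {
            # /login/ is where Gerrit picks up the authenticated user name,
            # so it needs the same basic auth as the rest of the site
            auth_basic "Welcomme to Gerrit Code Review Site";
            auth_basic_user_file /home/gerrit/review_site/etc/passwd;
            proxy_pass http://localhost:8081;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header Host $host;
        }
    }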
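    touch ./review_site/etc/passwd
    # add a gerrit account (without -b, htpasswd prompts for the password
    # instead of taking it from the command line)
    htpasswd -b ./review_site/etc/passwd yourname yourpassword
    # restart gerrit so that the account takes effect
    ./review_site/bin/gerrit.sh restart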
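Account configuration
The first user to log in successfully is made the administrator by Gerrit. After logging in, click "Anonymous Coward" in the top-right corner -> Settings to configure the account.
Add an SSH public key
To use Gerrit, each user must provide a public key. Select SSH Public Keys on the left side of the page to add a public key for the current user. Paste the public key into the Add SSH Public Key box and click add.
Adding other regular accounts
With HTTP authentication, adding another account requires first adding an HTTP authentication account. Creating a user with htpasswd does not add an account to Gerrit; the account is only added to the Gerrit database when that user logs in to the Gerrit server through the web.
Why Sign Out does not work
You may find that with Gerrit + HTTP authentication, after logging in through the web, clicking Sign Out in the top-right corner does not log you out. Either you stay logged in, or you get an error outright.
Nothing is wrong; this is in fact normal behavior. The following passage was found online: You are using HTTP Basic authentication. There is no way to tell a browser to quit sending basic authentication credentials, to logout with basic authentication is to close the Web browser.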
SSH access
    # the .ssh/id_rsa.pub public key is used by default
    ssh -p 29418 admin@localhost
      ****    Welcome to Gerrit Code Review    ****
      Hi admin, you have successfully connected over SSH.
      Unfortunately, interactive shells are disabled.
      To clone a hosted Git repository, use:
      git clone ssh:
    Connection to localhost closed.
Git repository
Create a new repository gerritRepo and clone it:
    git clone http://127.0.0.1:8080/gerritRepo
When pushing:
    remote: Unauthorized
    fatal: Authentication failed for 'http://admin@127.0.0.1:8080/gerritRepo/'
Switch to pushing over SSH
    git remote remove origin
    git remote add origin ssh://admin@127.0.0.1:29418/gerritRepo
    git push origin master
Submit the commit to the server for code review.
    remote: Branch refs/heads/master:
    remote: You are not allowed to perform this operation.
    remote: To push into this reference you need 'Push' rights.
    remote: User: member
    remote: Please read the documentation and contact an administrator
    remote: if you feel the configuration is incorrect
    remote: Processing changes: refs: 1, done
    To ssh:
     ! [remote rejected] master -> master (prohibited by Gerrit)
    error: 无法推送一些引用到 'ssh://member@127.0.0.1:29418/hello1'
This is the essence of Gerrit. The push is rejected because Gerrit does not allow local changes to be synced directly to the remote repository. The client must first push to the refs/for/* branches of the remote repository and wait for review. This is also why we use Gerrit: Gerrit itself is a code review tool.
Submitting changes
Gerrit project branch permissions
    git push origin HEAD:refs/for/master
    git push origin refs/heads/*:refs/for/*

    [remote "origin"]
        url = ssh://chenjianhua@127.0.0.1:29418/hello1
        fetch = +refs/heads/*:refs/remotes/origin/*
        push = HEAD:refs/for/*
Download the hook
Push to the server again
    remote: Processing changes: refs: 1, done
    remote: ERROR: missing Change-Id in commit message footer
    remote:
    remote: Hint: To automatically insert Change-Id, install the hook:
    remote:   gitdir=$(git rev-parse --git-dir); scp -p -P 29418 root@ubuntu:hooks/commit-msg ${gitdir}/hooks/
    remote: And then amend the commit:
    remote:   git commit --amend
    remote:
    To ssh://member@127.0.0.1:29418/hello1
     ! [remote rejected] master -> refs/for/master (missing Change-Id in commit message footer)
    error: 无法推送一些引用到 'ssh://member@127.0.0.1:29418/gerritRepo'
The push reports that a Change-Id is required
For the commit message, a script has to be downloaded from the Gerrit server.
The purpose of the hook is to create the 'Change-Id:' tag in the commit message automatically.
    scp -p -P 29418 admin@127.0.0.1:hooks/commit-msg gerritRepo/.git/hooks/
    git commit --amend
    # output of pushing to refs/for/master again:
    remote: Processing changes: new: 1, refs: 1, done
    remote:
    remote: New Changes:
    remote:   http://localhost:8081/2 vi README
    remote:
    To ssh://member@127.0.0.1:29418/gerritRepo
     * [new branch] master -> refs/for/master
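Reviewing code
Configure project permissions
Add a user group to the Label Verified permission of the refs/heads/* branches; here the Administrators group is assigned.
During project review, several conditions must be met before the code can finally be submitted to the branch.
Three people are usually involved in the review process: the code submitter, the verifier (Verify) and the code reviewer (Review). Verification is usually done by the automated testing tool Jenkins.
Needs Verified, Needs Code-Review
Once verification and review have passed, the change shows the Ready to Submit status and the code can now be merged into the heads/* branch.
View the merge result
Automatic verification with Jenkins
Patch sets
Developers' code must first be pushed to the refs/for/master branch. The changed code is called a patch set and is stored under the refs/changes/* namespace.
    git ls-remote
    From ssh:
    5f8ed98b0f88787c22e705595e2818db62874f56 HEAD
    eeaef9da4ea27d7c23bfb5f9a2ed1b5357ebbba8 refs/changes/01/1/1
    5f8ed98b0f88787c22e705595e2818db62874f56 refs/changes/02/2/1
    bfdb700f4aab3afc32ec79a29b0e25f8be758f8f refs/changes/03/3/1
    5f8ed98b0f88787c22e705595e2818db62874f56 refs/heads/master
    887107fcb25c48d1a1eb116ec466fc4f9b298a5c refs/meta/config
    21be8fce8a38d9437363128d214739c64bdd5710 refs/notes/review
    # download a patch
    git fetch ssh: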
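The change refs in the listing follow the layout refs/changes/<last two digits of the change number>/<change number>/<patch set>. The following script is an added example, not part of the original article; it decodes that layout from git ls-remote output and resolves the newest patch set of a change, which is the ref a tester or Jenkins job fetches for verification. The function names are assumptions, and the sample extends the listing above with constructed entries.

```shell
# Added example: decode Gerrit change refs from `git ls-remote` output on stdin.
# Layout: refs/changes/<last two digits of change>/<change number>/<patch set>
change_refs() {
    awk '{
        n = split($2, p, "/")
        if (n != 5 || p[1] != "refs" || p[2] != "changes") next
        if (p[4] !~ /^[0-9]+$/ || p[5] !~ /^[0-9]+$/) next
        if (p[3] != sprintf("%02d", p[4] % 100)) next   # shard must match the change
        print p[4], p[5], $1                            # change, patch set, commit
    }'
}

# Keep the highest patch set of each change. The sort is numeric, so
# patch set 10 ranks above patch set 9.
latest_patchsets() {
    change_refs | sort -k1,1n -k2,2n | awk '
        NR > 1 && $1 != prev { print last }
        { prev = $1; last = $0 }
        END { if (NR) print last }'
}

# latest_ref CHANGE: print the ref of the newest patch set of that change.
latest_ref() {
    latest_patchsets | awk -v c="$1" \
        '$1 == c { printf "refs/changes/%02d/%d/%d\n", $1 % 100, $1, $2 }'
}

# Sample: the first three change refs come from the listing above; the refs
# with a repeated-letter commit id are constructed (extra patch sets, and one
# ref whose shard does not match its change number).
sample_ls_remote() {
    cat <<'EOF'
5f8ed98b0f88787c22e705595e2818db62874f56 HEAD
eeaef9da4ea27d7c23bfb5f9a2ed1b5357ebbba8 refs/changes/01/1/1
5f8ed98b0f88787c22e705595e2818db62874f56 refs/changes/02/2/1
bfdb700f4aab3afc32ec79a29b0e25f8be758f8f refs/changes/03/3/1
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa refs/changes/03/3/2
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb refs/changes/34/1234/9
cccccccccccccccccccccccccccccccccccccccc refs/changes/34/1234/10
dddddddddddddddddddddddddddddddddddddddd refs/changes/99/3/5
5f8ed98b0f88787c22e705595e2818db62874f56 refs/heads/master
EOF
}

sample_ls_remote | latest_patchsets
```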
Draft
Topic
Using a PostgreSQL database
Install PostgreSQL
    sudo apt-get install postgresql
    sudo su postgres
    psql postgres
    -- the following statements are entered at the psql prompt
    ALTER USER postgres with PASSWORD 'password';
    CREATE USER gerrit WITH PASSWORD 'password';
    CREATE DATABASE reviewdb OWNER gerrit;
    GRANT ALL PRIVILEGES ON DATABASE reviewdb to gerrit;
    # vi etc/gerrit.config
    [database]
        type = postgresql
        hostname = localhost
        database = reviewdb
        username = gerrit
    # vi etc/secure.config
    [database]
        password = password
Using a MySQL database
    # connect to the database
    mysql -u root -p
    # view help
    help contents;
    help Administration;
    # create the gerrit user and the reviewdb database
    CREATE USER 'git'@'localhost' IDENTIFIED BY 'git';
    CREATE DATABASE reviewdb;
    ALTER DATABASE reviewdb charset=latin1;
    GRANT ALL ON reviewdb.* TO 'git'@'localhost';
    FLUSH PRIVILEGES;
    # list all databases
    SHOW DATABASES;
    # list all users
    SELECT DISTINCT CONCAT('User: ''',user,'''@''',host,''';') AS query FROM mysql.user;

    *** SQL Database
    ***
    Database server type [h2]: mysql
    Gerrit Code Review is not shipped with MySQL Connector/J 5.1.21
    ** This library is required for your configuration. **
    Download and install it now [Y/n]? y
    Downloading http://repo2.maven.org/maven2/mysql/mysql-connector-java/5.1.21/mysql-connector-java-5.1.21.jar ... OK
    Checksum mysql-connector-java-5.1.21.jar OK
    Server hostname [localhost]:
    Server port [(mysql default)]: 3306
    Database name [reviewdb]: reviewdb
    Database username [gerrit]: gerrit
    gerrit's password :
    confirm password :
You can also place mysql-connector-java-5.1.21.jar in the lib directory.