[Gluster-infra] [Gluster-devel] Jenkins accounts for all devs.

Ravishankar N ravishankar at redhat.com
Fri Jan 22 12:12:11 UTC 2016 

On 01/22/2016 05:19 PM, Michael Scherer wrote:
> Le vendredi 22 janvier 2016 à 11:31 +0100, Niels de Vos a écrit :
>> On Fri, Jan 22, 2016 at 02:44:05PM +0530, Raghavendra Talur wrote:
>>> On Fri, Jan 22, 2016 at 2:41 PM, Michael Scherer <mscherer at redhat.com>
>>> wrote:
>>>
>>>> Le vendredi 22 janvier 2016 à 11:31 +0530, Ravishankar N a écrit :
>>>>> On 01/14/2016 12:16 PM, Kaushal M wrote:
>>>>>> On Thu, Jan 14, 2016 at 10:33 AM, Raghavendra Talur <rtalur at redhat.com>
>>>> wrote:
>>>>>>> On Thu, Jan 14, 2016 at 10:32 AM, Ravishankar N <
>>>> ravishankar at redhat.com>
>>>>>>> wrote:
>>>>>>>> On 01/08/2016 12:03 PM, Raghavendra Talur wrote:
>>>>>>>>> P.S: Stop using the "universal" jenkins account to trigger jenkins
>>>> build
>>>>>>>>> if you are not a maintainer.
>>>>>>>>> If you are a maintainer and don't have your own jenkins account
>>>> then get
>>>>>>>>> one soon!
>>>>>>>>>
>>>>>>>> I would request for a jenkins account for non-maintainers too, at
>>>> least
>>>>>>>> for the devs who are actively contributing code (as opposed to random
>>>>>>>> one-off commits from persons). That way, if the regression failure is
>>>>>>>> *definitely* not in my patch (or) is a spurious failure (or) is
>>>> something
>>>>>>>> that I need to take a netbsd slave offline to debug etc.,  I don't
>>>> have to
>>>>>>>> be blocked on the Maintainer. Since the accounts are anyway tied to
>>>> an
>>>>>>>> individual, it should be easy to spot if someone habitually
>>>> re-trigger
>>>>>>>> regressions without any initial debugging.
>>>>>>>>
>>>>>>> +1
>>>>>> We'd like to give everyone accounts. But the way we're providing
>>>>>> accounts now gives admin accounts to all. This is not very secure.
>>>>>>
>>>>>> This was one of the reasons misc setup freeipa.gluster.org, to provide
>>>>>> controlled accounts for all. But it hasn't been used yet. We would
>>>>>> need to integrate jenkins and the slaves with freeipa, which would
>>>>>> give everyone easy access.
>>>>> Hi Michael,
>>>>> Do you think it is possible to have this integration soon so that all
>>>>> contributors can re-trigger/initiate builds by themselves?
>>>> The thing that is missing is still the same, how do we consider that
>>>> someone is a contributor. IE, do we want people just say "add me" and
>>>> get root access to all our jenkins builder (because that's also what go
>>>> with jenkins way of restarting a build for now) ?
>> Contributors would need to get root permissions on the Jenkins slaves
>> (the machines that do the actual building/testing).
> I rather prefer to not have people have root access on the builder.
>
> 1) they are used to build the rpms we distribute
> 2) root access also mean that some people might just do a quick fix to
> make some tests pass instead of making a proper long term fix where it
> is needed.


Many of us non maintainers those who never had accounts (including yours 
truly) used the amarts account to *judiciously*  re-trigger builds.Until 
it was disabled. I don't think it caused any problems.
The only quick fix you can do is retrigger the build, which, if it 
passes, means the failure was likely spurious the previous time.

>>   There is no need
>> for root access on the Jenkins master (build.gluster.org). Because
>> Jenkins accounts are connected to the PAM cofiguration on
>> build.gluster.org, contributors would get an account there (does not
>> need to have a shell?).
> This is something that can be fixed by using LDAP.
>
>>>> I did the technical stuff, but so far, no one did the organisational
>>>> part of giving a criteria for who has access to what. Without clear
>>>> process, I can't do much.
>>>>
>>>
>>> +ndevos +vijay
>>>
>>> Something like "should have contributed 10 patches to Gluster and be
>>> supported by at least 1 maintainer" would do?
>> Works for me. Please send a new page with a description on what
>> requirements a (new) contributor needs to fullfill, what privileges are
>> given and a little on when/how to use those.
>>
>>    http://gluster.readthedocs.org/en/latest/Contributors-Guide/Index/
> Also, we expect people to request that access, or someone is in charge
> of picking them ?

I have created an etherpad for those who want to request a login: 
https://public.pad.fsfe.org/p/gerrit_access_request
Folks whose requests have a +1 from a maintainer can be given an account 
like Raghavendra said.

>
> Also, do we have a formal list of maintainers ?

Yes, https://github.com/gluster/glusterfs/blob/master/MAINTAINERS
>   And a process for
> becoming one ?
I would like to know this too  but that is a separate topic. ;-)

-Ravi

More information about the Gluster-infra mailing list