Page MenuHomePhabricator

Have Phabricator take over replication to Github
Closed, DeclinedPublic

Description

Right now we replicate repositories from Gerrit to Github. Phabricator should take over this job.

Event Timeline

demon created this task.Oct 15 2015, 4:16 PM
demon updated the task description. (Show Details)
demon raised the priority of this task from to Normal.
demon added a subscriber: demon.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 15 2015, 4:16 PM
greg moved this task from To Triage to Tooling on the Gerrit-Migration board.Dec 1 2015, 4:38 PM

This is easy: We just need:

  • Create Credentials for push accounts
  • Create repos at github (or copy the URL of existing)
  • Make sure, that the push accounts can access the github repos
  • Add the github repos as mirror at the git at phabricator
  • Phabricator will now push every new change to github, if phabricator recives a new one

Is there a list of repos, that need a push from phabricator (in future)? I can do this, I need only the password for the push account at github (not directly, you can put it in a credential, and phab uses it, I don't need to see it (so you can configure it, that I can see it, but I can not edit it, so I can say to phab, that he can use it, but I can not see it on my own)), and than I can configure mirrors. The only thing, that I can not (yet) do, is that @demon said, that gerrit replicates that repos. Once a mirror at phab is enabled, this replication from gerrit is no longer needed, and should be turned off, this is the thing I can't to yet (don't have the rights / don't know which site I have to visit).

demon added a comment.Jan 7 2016, 10:12 PM

The credentials already exist as K13.

I do hope this doesn't break our replication from Github to specific repositories hosted on Gerrit!

demon added a comment.Jan 7 2016, 10:26 PM

I do hope this doesn't break our replication from Github to specific repositories hosted on Gerrit!

Replication from Github to Gerrit? It must be done manually...?

@demon: The problem, I can't add it, at the moment I get:
Access Denied: Restricted Passphrase Credential
Users with the "Can View" capability:

  • Administrators can take this action.

I guess it is not a problem, if you add me, that I'm able to view it (then I can add it at phab). It is not required that I'm able to edit it, and as long as I can not edit it, I can not view it, so I can just use it, but don't see it (the password), so I guess this is not so problematic?

@mwjames We don't have real automation here. I do have some script to help with it, though always manually merge (so I can also catch harmfull updates getting merged via Gerrit). If the repos move from Gerrit to Phabricator, then perhaps we can finally properly have them be read only except for TWN and us. I don't see this move making anything worse for us.

demon added a comment.Jan 11 2016, 4:38 PM

@demon: The problem, I can't add it, at the moment I get:
Access Denied: Restricted Passphrase Credential
Users with the "Can View" capability:

  • Administrators can take this action.

    I guess it is not a problem, if you add me, that I'm able to view it (then I can add it at phab). It is not required that I'm able to edit it, and as long as I can not edit it, I can not view it, so I can just use it, but don't see it (the password), so I guess this is not so problematic?

I had K13 a little too tightly set on permissions. It's now set to viewable by Repository-Admins and editable only by Phab admins. You shouldn't be able to view the actual password but the credential itself should work.

Yeah, that works, thanks. I can not edit and view the password, but I can add it :).
So, as sayed above, I would volunteer to migrate the migration, if you want too, but I need the following things in this case:

  • A overview about the repos to migrate
  • A way to disable the gerrit replication, when phab replication is enabled

Yeah, that works, thanks. I can not edit and view the password, but I can add it :).
So, as sayed above, I would volunteer to migrate the migration, if you want too, but I need the following things in this case:

  • A overview about the repos to migrate

"Everything" ... considering we have a Github mirror for basically everything that's in Gerrit/Phab

  • A way to disable the gerrit replication, when phab replication is enabled

Easiest way is to have gerrit project owners (or gerrit admins) set DENY on the READ permission for the mediawiki-replication group on refs/* in a project's project.config.

That'll keep us from having to update replication.config in puppet for every single repository to add exceptions.

I guess phab should use the same repos as gerrit use currently...

So every repo to migrate exists here: https://github.com/wikimedia?

In this case I guess I would make a task for gerrit admins to disable the replication at repos, where the phab mirror is active. (I think there would be no problem, if both are active. gerrit replicates, and phab will see, that this repo is active, and do nothing). Or do you think there is a better way?

What do you think, can I start now, or is there still something to do, which blocks this?

Paladox added a subscriber: Paladox.EditedJan 22 2016, 1:10 PM

I think that they are currently trying to do this to mediawiki/core but it doesn't seem to be working.

mediawiki/core at git.wikimedia.org isent updating either. could git.wikimedia.org still be left to replicate from gerrit.

maybe it isent working because it is missing the configuration file

They stopped replicating to git.wikimedia.org on prupose so phabricator could take over.

@demon I asked @mmodell to turn replication on https://phabricator.wikimedia.org/diffusion/SMTL/ and it works https://github.com/wikimedia/mediawiki-skins-Metrolook

Could we try doing it to other repos.

If we deny mediawiki-replication like we did before it may have got in the way and caused the problem we had before with replication to GitHub.

But could we try adding the mirror in diffusion on mediawiki core please.

@mmodell.

MediaWiki core has been enabled for mirroring from diffusion. It isent pushing due to the size of the repo. We will need to manually add refs/changes and 1-10 folders at a time in that ref. This will let diffusion start mirroring.

We can start to enable other repos to mirror because mw extensions or skins should not be no way near the size of mw core.

demon added a comment.May 19 2016, 4:54 PM

We can start to enable other repos to mirror because mw extensions or skins should not be no way near the size of mw core.

Yeah, I'm pretty sure MW and Puppet are the only two repos with enough refs to give us problems.

@demon yep, we can do mw core and puppet manually. Then diffusion will start pushing.

Paladox added a comment.EditedMay 19 2016, 10:45 PM
  • CentralAuth
  • Wikibase
  • Wikidata
  • Echo
  • Flow

Have all been turned on for mirroring from diffusion. Thanks @Luke081515 for turning them on.

We should create a script for this.

Paladox added a subscriber: QChris.May 20 2016, 1:52 PM

@QChris hi could you when you create repos in gerrit and also create them in diffusion please add the mirror to diffusion too please.

Paladox removed a subscriber: QChris.May 20 2016, 1:52 PM

These repos have been turned on for diffusion mirroring to GitHub..

  • integration/config
  • operations/mediawiki/config
  • operations/puppet

Thanks @Luke081515 for turning mirroring on these repos.

These repos have been switched on for diffusion mirroring.

  • mediawiki extension VisualEditor
  • visualeditor/visualeditor
  • mediawiki extension TimedMediaHandler
  • mediawiki extension MobileFrontend
  • mediawiki extension Translate

Thanks @Luke081515 for adding the mirrors to the repos.

For mw core and operations-puppet we can do this

mw core

[remote "git@github.com:wikimedia/mediawiki.git"]

url = git@github.com:wikimedia/mediawiki.git
push = +refs/heads/*:refs/heads/*
push = +refs/tags/*:refs/tags/*
threads = 3

operations-puppet

[remote "git@github.com:wikimedia/operations-puppet.git"]

url = git@github.com:wikimedia/operations-puppet.git
push = +refs/heads/*:refs/heads/*
push = +refs/tags/*:refs/tags/*
threads = 3

We add the above to the config file inside the repos manually on the server where phabricator saves the repos.

@demon or @mmodell would you be able to do the above please or would you be able to add refs/changes manually to the GitHub mirror please.

@Paladox: How does adding those options in phabricator fix the problem? I'm slightly confused.

Paladox added a comment.EditedMay 22 2016, 10:18 AM

@mmodell since it won't mirror refs/changes/ which is causing the problem unless we add refs/changes manually to the mirror.

If we add that config to the config file it will stop refs/changes from being mirrored which will allow diffusion to mirror.

The way around it if you have time is to add refs/changes/ manually to the mw core and operations-puppet manually on GitHub.

@demon and @mmodell I contacted GitHub and they said yes they do have a limited they didn't say what the limit is only that we may have hit the limit with refs/changes/

I created P3245 so that we can edit it and add the GitHub mirrors.

We need to reverse it so the callsign is first then GitHub mirror. Then we will need to update it to support conduit.

In conduit we will also need to use the GitHub confidentials.

@demon could you create a script we could use that will add the mirrors to all the repos please?

Also exclude the ones that have already been converted to use the mirror in diffusion please?

demon moved this task from Backlog to Other on the Repository-Admins board.Mar 17 2017, 10:57 PM

We should start doing this for repos :). we will then have two backups of the git repos as refs/changes/ will be on GitHub :)

This will also enable the download button to make it easier to download repos.

Are there any repos that still mirror from gerrit rather than phab?

Are there any repos that still mirror from gerrit rather than phab?

Um, almost all of them?

demon closed this task as Declined.Mar 7 2018, 10:14 PM