Repo 1.7.4, Gerrit 2.2.2 and SSL


Grégory Bougeard

Jan 30, 2012, 12:35:01 PM
to Repo and Gerrit Discussion
Hi,

I'm trying to launch a "repo upload" but I have some trouble.
Access to the gerrit server web interface is authenticated with SSL
client certificates.

Here are the different manifest configurations I tried and the
results:

==== REVIEW in SSH
<remote name="gerrit_it"
fetch="ssh://gerrit.it.int:29418/"
review="ssh://gerrit.it.int:29418/"
/>


repo upload
Upload project sql/ to remote branch SPRINT_49:
branch SPRINT_49 ( 2 commits, Mon Jan 30 18:16:37 2012 +0100):
a35441fe Historize S48
89529d22 History S48
to ssh://gerrit.it.int:29418/ (y/N)? y
Traceback (most recent call last):
  File "/itsrc/java/.repo/repo/main.py", line 366, in <module>
    _Main(sys.argv[1:])
  File "/itsrc/java/.repo/repo/main.py", line 346, in _Main
    result = repo._Run(argv) or 0
  File "/itsrc/java/.repo/repo/main.py", line 137, in _Run
    result = cmd.Execute(copts, cargs)
  File "/itsrc/java/.repo/repo/subcmds/upload.py", line 377, in Execute
    self._SingleBranch(opt, pending[0][1][0], people)
  File "/itsrc/java/.repo/repo/subcmds/upload.py", line 183, in _SingleBranch
    self._UploadAndReport(opt, [branch], people)
  File "/itsrc/java/.repo/repo/subcmds/upload.py", line 311, in _UploadAndReport
    branch.UploadForReview(people, auto_topic=opt.auto_topic)
  File "/itsrc/java/.repo/repo/project.py", line 182, in UploadForReview
    auto_topic=auto_topic)
  File "/itsrc/java/.repo/repo/project.py", line 869, in UploadForReview
    url = branch.remote.ReviewUrl(self.UserEmail)
  File "/itsrc/java/.repo/repo/git_config.py", line 582, in ReviewUrl
    info = urllib2.urlopen(info_url).read()
  File "/usr/lib/python2.6/urllib2.py", line 126, in urlopen
    return _opener.open(url, data, timeout)
  File "/usr/lib/python2.6/urllib2.py", line 391, in open
    response = self._open(req, data)
  File "/usr/lib/python2.6/urllib2.py", line 409, in _open
    '_open', req)
  File "/usr/lib/python2.6/urllib2.py", line 369, in _call_chain
    result = func(*args)
  File "/usr/lib/python2.6/urllib2.py", line 1161, in http_open
    return self.do_open(httplib.HTTPConnection, req)
  File "/usr/lib/python2.6/urllib2.py", line 1107, in do_open
    h = http_class(host, timeout=req.timeout) # will parse host:port
  File "/usr/lib/python2.6/httplib.py", line 657, in __init__
    self._set_hostport(host, port)
  File "/usr/lib/python2.6/httplib.py", line 682, in _set_hostport
    raise InvalidURL("nonnumeric port: '%s'" % host[i+1:])
httplib.InvalidURL: nonnumeric port: ''

===== REVIEW in HTTPS
<remote name="gerrit_it"
fetch="ssh://gerrit.it.int:29418/"
review="https://gerrit.it.int/"
/>

repo upload
Upload project sql/ to remote branch SPRINT_49:
branch SPRINT_49 ( 2 commits, Mon Jan 30 18:16:37 2012 +0100):
a35441fe Historize S48
89529d22 History S48
to https://gerrit.it.int/ (y/N)? y

----------------------------------------------------------------------
[FAILED] sql/ SPRINT_49
(https://gerrit.it.int/: <urlopen error [Errno 1] _ssl.c:480:
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
failure>)



I really don't understand.
In the manifest format doc I read :
"Attribute `review`: Hostname of the Gerrit server where reviews
are uploaded to by `repo upload`. This attribute is optional;
if not specified then `repo upload` will not function."

So, the attribute is optional, but if you don't have it, it will not
function... well

I also read: "The review attribute should point to the HTTP URL of
your Gerrit". So why is it needed by repo for doing a git push to
gerrit?


It's really a showstopper for me, so if you have any idea...

Thanks a lot


Luciano Carvalho

Feb 2, 2012, 10:22:00 AM
to Grégory Bougeard, Repo and Gerrit Discussion

The review should point to your http port, which will provide repo with the proper ssh_info.

Try: review=http://<your-server>:8080

Shawn Pearce

Feb 2, 2012, 10:23:38 AM
to Grégory Bougeard, Repo and Gerrit Discussion
On Mon, Jan 30, 2012 at 09:35, Grégory Bougeard <gbou...@gmail.com> wrote:
> I'm trying to launch  a "repo upload" but I have some troubles .
> Access to the gerrit server web interface is authenticated with SSL
> client certificates.
>
> Here are the different manifest configuration I tried and the
> results :
>
> ==== REVIEW in SSH
>  <remote name="gerrit_it"
>        fetch="ssh://gerrit.it.int:29418/"
>        review="ssh://gerrit.it.int:29418/"

As you discovered, review cannot be an ssh:// URL.

> ===== REVIEW in HTTPS
>  <remote name="gerrit_it"
>        fetch="ssh://gerrit.it.int:29418/"
>        review="https://gerrit.it.int/"

...


>       (https://gerrit.it.int/: <urlopen error [Errno 1] _ssl.c:480:
> error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure>)

And as you just discovered, the client doesn't have the user's SSL
certificate. :-(

> I really don't understand.
> In the manifest format doc I read :
> "Attribute `review`: Hostname of the Gerrit server where reviews
> are uploaded to by `repo upload`.  This attribute is optional;
> if not specified then `repo upload` will not function."
>
> So, attribute is optional, but if you don't have it , it will not
> function... well

It's optional in that the rest of repo works correctly without it. You
can run repo init and repo sync for example. But currently upload is
designed to work only with Gerrit Code Review, as that is the only
review system it understands.

> I also read : "The review attribute should point to the HTTP URL of
> your Gerrit", So why it's needed by repo for doing a git push to
> gerrit?

This is a long history and it's basically all my fault. repo upload is
asking over HTTP for $review/ssh_info so it can get the SSH hostname
and port that it should direct git push to for the actual upload. We
did this because eons ago Gerrit Code Review was on Google AppEngine
and only used HTTP for the initial upload. When we upgraded to Gerrit
2.0 and had SSH available, we didn't want to push new manifests right
away so we added a way for repo upload to "upgrade" itself to the SSH
format, and then never made review accept ssh:// syntax.

Is there some way you can modify your HTTP server configuration to
allow just /ssh_info to connect anonymously? This is the only URL
upload is asking for, and it's reasonably safe to expose anonymously.
The content returned is just "hostname port".
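
An added illustration of the lookup described in the reply above (not part of the original thread and not repo's own code): it derives the `$review/ssh_info` URL, strictly parses the "hostname port" body, and builds the SSH push target. The function names, the `user` and `project` arguments, and the `http://` default for a bare hostname are assumptions made for this sketch.

```python
import re
from urllib.parse import urlsplit

# Hostname must start and end alphanumeric, so a value beginning with "-"
# can never be handed to ssh/git looking like a command-line option.
_HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
_PORT_RE = re.compile(r"[0-9]{1,5}")


def ssh_info_url(review):
    """Map a manifest `review` value to the URL queried for SSH details."""
    # Assumption: a bare hostname is treated as plain HTTP.
    parts = urlsplit(review if "://" in review else "http://" + review)
    if parts.scheme not in ("http", "https"):
        # Fails early with a clear message instead of an InvalidURL traceback.
        raise ValueError("review must be an http(s) URL, not %s://" % parts.scheme)
    if not parts.hostname:
        raise ValueError("review URL has no host")
    return "%s://%s%s/ssh_info" % (parts.scheme, parts.netloc,
                                   parts.path.rstrip("/"))


def parse_ssh_info(body):
    """Parse a 'hostname port' body; reject anything else (e.g. a login page)."""
    fields = body.strip().split()
    if len(fields) != 2:
        raise ValueError("ssh_info body is not 'hostname port'")
    host, port = fields
    if not _HOST_RE.fullmatch(host):
        raise ValueError("ssh_info returned an invalid hostname")
    if not _PORT_RE.fullmatch(port) or not 1 <= int(port) <= 65535:
        raise ValueError("ssh_info returned an invalid port")
    return host, int(port)


def push_url(body, user, project):
    """Build the ssh:// URL a git push would be directed to."""
    host, port = parse_ssh_info(body)
    return "ssh://%s@%s:%d/%s" % (user, host, port, project)


if __name__ == "__main__":
    # Constructed sample values; no network access is performed.
    print(ssh_info_url("https://gerrit.it.int/"))
    print(push_url("gerrit.it.int 29418\n", "alice", "sql"))
```

Because the endpoint is fetched without client authentication, the strict parse matters: the response is only trusted to the extent that it looks like a plain host and port.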
