Gerrit readonly plugin does NOT work


tmc...@gmail.com

Feb 7, 2019, 8:09:07 AM
to Repo and Gerrit Discussion
Dear gerrit plugin maintainer

I used the readonly plugin for a Gerrit mirror replication server, but in the web page I could still modify config and push git changes.
I do NOT know what I am missing??


$site_path/etc/readonly.config

[readonly]
  message = Gerrit is down for maintenance

Gert van Dijk

Feb 7, 2019, 8:20:45 AM
to Repo and Gerrit Discussion
Did you reload the plugin after applying the configuration - as mentioned in the documentation? For example:

    ssh -p 29418 admi...@gerrit.mydomain.tld gerrit plugin reload readonly

If you still experience this, please provide the Gerrit version you're running as well as the plugin version.

HTH

tmc...@gmail.com

Feb 7, 2019, 8:27:02 AM
to Repo and Gerrit Discussion
Dear Gert van Dijk,

Of course, I do NOT reload, but I restart the entire Gerrit server like below:

    ubuntu@ubuntu-vm:~/gerrit/review_site$ ./bin/gerrit.sh restart
    ubuntu@ubuntu-vm:~/gerrit/review_site$ grep -nr readonly
    logs/error_log:272:[2019-02-07 21:23:28,769] [main] INFO  com.google.gerrit.server.plugins.PluginLoader : Loaded plugin readonly, version 93e7337ee6



Luca Milanesio

Feb 7, 2019, 8:42:59 AM
to tmc...@gmail.com, Luca Milanesio, Repo and Gerrit Discussion

On 7 Feb 2019, at 13:27, tmc...@gmail.com wrote:

Dear Gert van Dijk,

Of course, I do NOT reload, but I restart the entire Gerrit server like below:

    ubuntu@ubuntu-vm:~/gerrit/review_site$ ./bin/gerrit.sh restart
    ubuntu@ubuntu-vm:~/gerrit/review_site$ grep -nr readonly
    logs/error_log:272:[2019-02-07 21:23:28,769] [main] INFO  com.google.gerrit.server.plugins.PluginLoader : Loaded plugin readonly, version 93e7337ee6

Try to execute this:
touch ~gerrit/review_site/etc/gerrit.readonly

And then try to push against one of the Gerrit repos.

HTH

Luca.




-- 
-- 
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

--- 
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

gm

May 28, 2019, 7:15:47 AM
to Repo and Gerrit Discussion
Hi Luca,

Could you please let us know how to allow SSH commands (READ only)?
The read-only config contents are as below.

[readonly]
        message = this is readonly mirror 
        allowSshCommand = "^ssh://<username>@<servername>:29418/*"
        allowSshCommand = "^ssh.*"
        allowSshCommand = "^s.*"


When I create gerrit.readonly under $SITE_PATH/etc/gerrit.readonly, I am getting the below error. 

SSH subsystem is temporarily disabled: this is readonly mirror. 



Please help. Thanks in advance. 


Best Regards, GM


David Pursehouse

May 28, 2019, 7:27:48 AM
to gm, Repo and Gerrit Discussion
On Tue, May 28, 2019 at 8:15 PM gm <mannemgo...@gmail.com> wrote:
Hi Luca,

Could you please let us know how to allow SSH commands (READ only)?
The read-only config contents are as below.

[readonly]
        message = this is readonly mirror 
        allowSshCommand = "^ssh://<username>@<servername>:29418/*"
        allowSshCommand = "^ssh.*"
        allowSshCommand = "^s.*"


The documentation about this setting is lacking, but I think the name of the allowed command should be specified, for example:

  allowSshCommand = "query"

 

gm

May 28, 2019, 7:35:06 AM
to Repo and Gerrit Discussion
Hi David,

Thanks for your response!

As per the documentation, I have tried to use the regex to allow all the SSH connections to the server; however, I need to clone a repository when the system is in read-only mode. This is what I am looking for.
With that, I can make all the mirrors read-only. Right now, I have created a group "git-receive-false" and allowed only that group in receive-pack on mirror servers.

I just need the format of the allowSshCommand.

I have tried with and without quotations as well. Please help. Thanks in advance!

Best Regards, GM


Sven Selberg

May 28, 2019, 9:55:47 AM
to Repo and Gerrit Discussion
Hi

You can clone with HTTP in readonly mode, if that's an option.


Regarding the configuration:
IIUC the ssh command in readonly.allowSshCommand does not include user, hostname..., example to allow reload plugin:

    allowSshCommand = gerrit plugin reload readonly

In your case you would have to allow  "git-upload-pack *something, something*".

gm

May 29, 2019, 5:41:22 AM
to Repo and Gerrit Discussion
Dear Sven,

Thanks a lot! It worked. 

Below is what I have included. 

[readonly]
        message = this is readonly mirror
        allowSshCommand = gerrit plugin reload readonly
        allowSshCommand = gerrit plugin ls  ##test command.
        allowSshCommand = git-upload-pack

Thanks again. 

Best Regards,
GM
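
Added example, not part of the thread or the plugin's own code: a small audit of `readonly.config` that shows why the first set of `allowSshCommand` entries matched no command at all, while the later set lets `git-upload-pack` through and still blocks `git-receive-pack`. It assumes entries starting with `^` are regexes matched against the whole command and all other entries are prefixes, and that the constructed sample command strings resemble what the server compares; neither is confirmed in the thread.

```python
import re

# Constructed sample commands; the thread says the matched command carries no
# user or hostname. The exact strings the server sees are an assumption.
SAMPLE_COMMANDS = (
    "git-upload-pack /project.git",   # clone/fetch (read)
    "git-receive-pack /project.git",  # push (write)
    "gerrit plugin reload readonly",
)
WRITE_PREFIXES = ("git-receive-pack", "git receive-pack")

def parse_allow_entries(text):
    """Return every allowSshCommand value (quoted, or bare up to a comment)."""
    entries, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[readonly]")
        elif in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key.lower() == "allowsshcommand":
                m = re.match(r'"([^"]*)"|([^#;]*)', value)
                entries.append((m.group(1) or m.group(2) or "").strip())
    return entries

def allows(entry, command):
    """Assumed matching: leading '^' is a whole-command regex, else a prefix."""
    if entry.startswith("^"):
        return re.fullmatch(entry, command) is not None
    return command.startswith(entry)

def audit(text, commands=SAMPLE_COMMANDS):
    """Return (findings, {command: allowed?}) for a readonly.config body."""
    entries, findings = parse_allow_entries(text), []
    for e in entries:
        if "://" in e or "@" in e:
            findings.append((e, "URL or user@host, not a command"))
        if any(allows(e, c) for c in commands if c.startswith(WRITE_PREFIXES)):
            findings.append((e, "also allows a write command"))
    return findings, {c: any(allows(e, c) for e in entries) for c in commands}

# Both configurations are copied from the thread above.
FIRST_TRY = '''[readonly]
  allowSshCommand = "^ssh://<username>@<servername>:29418/*"
  allowSshCommand = "^ssh.*"
  allowSshCommand = "^s.*"'''
WORKING = '''[readonly]
  allowSshCommand = gerrit plugin reload readonly
  allowSshCommand = gerrit plugin ls  ##test command.
  allowSshCommand = git-upload-pack'''
```

Running `audit()` on a candidate entry before deploying it also catches over-broad regexes: under the same assumed matching, an entry such as `^git.*` would be reported as allowing a write command.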

Sven Selberg

May 29, 2019, 5:51:15 AM
to Repo and Gerrit Discussion
Great!

/Sven

Luca Milanesio

May 29, 2019, 6:59:31 AM
to gm, Luca Milanesio, Repo and Gerrit Discussion

On 29 May 2019, at 10:41, gm <mannemgo...@gmail.com> wrote:

Dear Sven,

Thanks a lot! It worked. 

Below is what I have included. 

[readonly]
        message = this is readonly mirror
        allowSshCommand = gerrit plugin reload readonly
        allowSshCommand = gerrit plugin ls  ##test command.
        allowSshCommand = git-upload-pack

Can you raise an issue with that?
'git-upload-pack' isn't a write operation and thus should be allowed by default.

Luca.



gc

May 29, 2019, 7:27:08 AM
to Repo and Gerrit Discussion
Hi Luca, 

Done, Issue 10938. Hope I've raised it at the correct portal, please excuse otherwise!

Also, please let me know, how to allow ssh-keys addition, permissions change, and replication to the mirrors.

With that -- mirrors will only be in the readonly state 
                  Users can add ssh-keys to mirror 
                  Admins can edit/modify the permissions 
                  Replication would work without any troubles. 

Thanks in advance!

Best Regards, GM

David Pursehouse

May 29, 2019, 8:48:51 AM
to gc, Repo and Gerrit Discussion
On Wed, May 29, 2019 at 8:27 PM gc <mannemgo...@gmail.com> wrote:
Hi Luca, 

Done, Issue 10938. Hope I've raised it at the correct portal, please excuse otherwise!

Also, please let me know, how to allow ssh-keys addition, permissions change, and replication to the mirrors.

With that -- mirrors will only be in the readonly state 
                  Users can add ssh-keys to mirror 
                  Admins can edit/modify the permissions 

These operations are changing information that is potentially stored in git, so be aware that allowing the read-only replica to do this will potentially introduce inconsistencies.
 

gc

May 29, 2019, 9:22:20 AM
to Repo and Gerrit Discussion
Hi David,

Thanks for your response!

However, we need to allow ssh-keys addition and permissions change. I am yet to check the replication part, will check and update you shortly.
The reasons are as below.
As we have integrated our systems with LDAP, we would like to use LDAP groups to maintain permissions. And for ssh-keys, it is a little difficult to always type in the HTTP (UI-generated) password for syncing.

Please suggest how we can achieve that. Thanks in advance!

Best Regards, GM.

Sven Selberg

May 29, 2019, 9:27:55 AM
to Repo and Gerrit Discussion


On Wednesday, May 29, 2019 at 3:22:20 PM UTC+2, gc wrote:
Hi David,

Thanks for your response!

However, we need to allow ssh-keys addition and permissions change. I am yet to check the replication part, will check and update you shortly.
The reasons are as below.
As we have integrated our systems with LDAP, we would like to use LDAP groups to maintain permissions. And for ssh-keys, it is a little difficult to always type in the HTTP (UI-generated) password for syncing.

I use ~/.netrc to not have to write the http-pass on every git operation.

/Sven

gc

May 30, 2019, 2:31:57 AM
to Repo and Gerrit Discussion
Thank you Sven!

BR, GM

Tao Jin

Aug 5, 2024, 2:21:10 AM
to Repo and Gerrit Discussion
Bumping up this old thread. 

We are trying to configure our Gerrit into RO mode for backup. Still running into this issue: putting Gerrit into RO mode with this plugin made git clone over SSH fail.

Is git-upload-pack going to be a default allowed operation in this plugin? Or is this still there for a reason?

Thanks in advance for your help!

Tao

Matthias Sohn

Aug 5, 2024, 4:52:13 AM
to Tao Jin, Repo and Gerrit Discussion
On Mon, Aug 5, 2024 at 8:21 AM Tao Jin <jinta...@gmail.com> wrote:
Bumping up this old thread. 

We are trying to configure our Gerrit into RO mode for backup. Still running into this issue: putting Gerrit into RO mode with this plugin made git clone over SSH fail.

Is git-upload-pack going to be a default allowed operation in this plugin? Or is this still there for a reason?

Nobody has addressed the corresponding issue 40010735 yet, hence you still need to explicitly allow upload-pack
by configuring it in `$gerrit_site/etc/readonly.config`:

    [readonly]
      allowSshCommand = git upload-pack
 