X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=dgit.git;a=blobdiff_plain;f=infra%2Fdgit-repos-server;h=acff1727541491ace4bfc45ba4e56a63a7e40c84;hp=551efff9fb5f466ec716dbd0d951fd83040443dd;hb=d395baaa070686dce79a9ad7cd02777a4caa4778;hpb=4487fc3517fb6db0dd8f25199cc0654c026d203d diff --git a/infra/dgit-repos-server b/infra/dgit-repos-server index 551efff9..acff1727 100755 --- a/infra/dgit-repos-server +++ b/infra/dgit-repos-server @@ -22,7 +22,31 @@ use strict; -# What we do is this: +# DGIT-REPOS-DIR contains: +# git tree (or other object) lock (in acquisition order, outer first) +# +# _tmp/PACKAGE_prospective ! } SAME.lock, held during receive-pack +# +# _tmp/PACKAGE_incoming$$ ! } SAME.lock, held during receive-pack +# _tmp/PACKAGE_incoming$$_fresh ! } +# +# PACKAGE.git } PACKAGE.git.lock +# PACKAGE_garbage } (also covers executions of +# PACKAGE_garbage-old } policy hook script for PACKAGE) +# PACKAGE_garbage-tmp } +# policy* } (for policy hook script, covered by +# } lock only when invoked for a package) +# +# leaf locks, held during brief operaton only: +# +# _empty } SAME.lock +# _empty.new } +# +# _template } SAME.lock +# +# locks marked ! may be held during client data transfer + +# What we do on push is this: # - extract the destination repo name # - make a hardlink clone of the destination repo # - provide the destination with a stunt pre-receive hook @@ -44,13 +68,16 @@ use strict; # + verify the signature on the signed tag # and if necessary check that the keyid and package are listed in dm.txt # + check various correspondences: -# * the suite is one of those permitted # * the signed tag must refer to a commit # * the signed tag commit must be the refs/dgit value # * the name in the signed tag must correspond to its ref name # * the tag name must be debian/ (massaged as needed) +# * the suite is one of those permitted # * the signed tag has a suitable name -# * the commit is a fast forward +# * run the "push" policy hook +# * replay prevention for --deliberately-not-fast-forward +# * check the commit is a fast forward +# * handle a request from the policy hook for a fresh repo # + push the signed tag and new dgit branch to the actual repo # # If the destination repo does not already exist, we need to make @@ -63,8 +90,6 @@ use strict; # of _template # - we use the prospective new destination repo instead of the # actual new destination repo (since the latter doesn't exist) -# - we set up a post-receive hook as well, which -# + touches a stamp file # - after git-receive-pack exits, we # + check that the prospective repo contains a tag and head # + rename the prospective destination repo into place @@ -82,6 +107,35 @@ use strict; # the corresponding temporary tree, as the lockfile is also # a stampfile whose presence indicates that there may be # cleanup to do +# +# Policy hook script is invoked like this: +# POLICY-HOOK-SCRIPT DISTRO DGIT-REPOS-DIR ACTION... +# ie. +# POLICY-HOOK-SCRIPT ... check-list [...] +# POLICY-HOOK-SCRIPT ... check-package PACKAGE [...] +# POLICY-HOOK-SCRIPT ... push|push-confirm PACKAGE \ +# VERSION SUITE TAGNAME DELIBERATELIES [...] +# +# Exit status is a bitmask. Bit weight constants are defined in Dgit.pm. +# NOFFCHECK (2) +# suppress dgit-repos-server's fast-forward check ("push" only) +# FRESHREPO (4) +# blow away repo right away (ie, as if before push or fetch) +# ("check-package" and "push" only) +# any unexpected bits mean failure, and then known set bits are ignored +# if no unexpected bits set, operation continues (subject to meaning +# of any expected bits set). So, eg, exit 0 means "continue normally" +# and would be appropriate for an unknown action. +# +# cwd for push and push-confirm is a temporary repo where the +# to-be-pushed objects have been received; TAGNAME is the +# version-based tag +# +# if push requested FRESHREPO, push-confirm happens in said fresh repo +# +# policy hook for a particular package will be invoked only once at +# a time - (see comments about DGIT-REPOS-DIR, above) + use POSIX; use Fcntl qw(:flock); @@ -134,7 +188,7 @@ sub acquirelock ($$) { return $fh; } -sub acquiretree ($$) { +sub acquirermtree ($$) { my ($tree, $must) = @_; my $fh = acquirelock("$tree.lock", $must); if ($fh) { @@ -144,6 +198,15 @@ sub acquiretree ($$) { return $fh; } +sub locksometree ($) { + my ($tree) = @_; + acquirelock("$tree.lock", 1); +} + +sub lockrealtree () { + locksometree($realdestrepo); +} + sub mkrepotmp () { my $tmpdir = "$dgitrepos/_tmp"; return if mkdir $tmpdir; @@ -188,7 +251,7 @@ sub runcmd { sub policyhook { my ($policyallowbits, @polargs) = @_; - # => ($exitstatuspolicybitmap, $policylockfh); + # => ($exitstatuspolicybitmap); die if $policyallowbits & ~0x3e; my @cmd = ($policyhook,$distro,$repos,@polargs); debugcmd @_; @@ -206,14 +269,15 @@ sub mkemptyrepo ($$) { sub mkrepo_fromtemplate ($) { my ($dir) = @_; my $template = "$dgitrepos/_template"; - debug "copy tempalate $template -> $dir"; + locksometree($template); + debug "copy template $template -> $dir"; my $r = system qw(cp -a --), $template, $dir; !$r or die "create new repo $dir failed: $r $!"; } sub movetogarbage () { + # $realdestrepo must have been locked my $garbagerepo = "$dgitrepos/${package}_garbage"; - my $lfh =acquiretree($garbagerepo,1); # We arrange to always keep at least one old tree, for anti-rewind # purposes (and, I guess, recovery from mistakes). This is either # $garbage or $garbage-old. @@ -229,7 +293,6 @@ sub movetogarbage () { rename $realdestrepo, $garbagerepo or $! == ENOENT or die "$garbagerepo $!"; - close $lfh; } sub onwardpush () { @@ -248,15 +311,17 @@ sub onwardpush () { sub fixmissing__git_receive_pack () { mkrepotmp(); $destrepo = "$dgitrepos/_tmp/${package}_prospective"; - acquiretree($destrepo, 1); + acquirermtree($destrepo, 1); mkrepo_fromtemplate($destrepo); } sub makeworkingclone () { mkrepotmp(); $workrepo = "$dgitrepos/_tmp/${package}_incoming$$"; - acquiretree($workrepo, 1); + acquirermtree($workrepo, 1); + my $lfh = lockrealtree(); runcmd qw(git clone -l -q --mirror), $destrepo, $workrepo; + close $lfh; rmtree "${workrepo}_fresh"; } @@ -320,7 +385,11 @@ sub maybeinstallprospective () { die Dumper(\%got)." -- missing refs in new repo" if grep { !$_ } values %got; - movetogarbage; # in case of FRESHREPO + lockrealtree(); + + if ($destrepo eq "${workrepo}_fresh") { + movetogarbage; + } debug "install $destrepo => $realdestrepo"; rename $destrepo, $realdestrepo or die $!; @@ -545,7 +614,7 @@ sub checktagnoreplay () { return unless $policy & (FRESHREPO|NOFFCHECK); my $garbagerepo = "$dgitrepos/${package}_garbage"; - acquiretree($garbagerepo,1); + lockrealtree(); local $ENV{GIT_DIR}; foreach my $garb ("$garbagerepo", "$garbagerepo-old") { @@ -625,9 +694,11 @@ sub checks () { debug "translated version $v"; $tagname eq "debian/$v" or die; - $policy = policyhook(NOFFCHECK|FRESHREPO, 'push',$package, - $version,$suite,$tagname, - join(",",@delberatelies)); + lockrealtree(); + + my @policy_args = ($package,$version,$suite,$tagname, + join(",",@delberatelies)); + $policy = policyhook(NOFFCHECK|FRESHREPO, 'push', @policy_args); checktagnoreplay(); checksuite(); @@ -656,6 +727,8 @@ sub checks () { $destrepo = "${workrepo}_fresh"; # workrepo lock covers mkrepo_fromtemplate $destrepo; } + + policyhook(0, 'push-confirm', @policy_args); } sub stunthook () { @@ -674,7 +747,7 @@ sub stunthook () { sub fixmissing__git_upload_pack () { $destrepo = "$dgitrepos/_empty"; - my $lfh = acquiretree($destrepo,1); + my $lfh = locksometree($destrepo); return if stat_exists $destrepo; rmtree "$destrepo.new"; mkemptyrepo "$destrepo.new", "0644"; @@ -684,7 +757,10 @@ sub fixmissing__git_upload_pack () { } sub main__git_upload_pack () { - runcmd qw(git upload-pack), $destrepo; + my $lfh = locksometree($destrepo); + chdir $destrepo or die "$destrepo: $!"; + close $lfh; + runcmd qw(git upload-pack), "."; } #----- arg parsing and main program ----- @@ -758,11 +834,14 @@ sub parseargsdispatch () { reject "unknown method" unless $mainfunc; - my ($policy, $pollock) = policyhook(FRESHREPO,'check-package',$package); + my $lfh = lockrealtree(); + + $policy = policyhook(FRESHREPO,'check-package',$package); if ($policy & FRESHREPO) { movetogarbage; } - close $pollock or die $!; + + close $lfh; if (stat_exists $realdestrepo) { $destrepo = $realdestrepo; @@ -789,7 +868,7 @@ sub cleanup () { foreach my $lf (<*.lock>) { my $tree = $lf; $tree =~ s/\.lock$//; - next unless acquiretree($tree, 0); + next unless acquirermtree($tree, 0); remove $lf or warn $!; unlockall(); }