+++ /dev/null
-#!/usr/bin/python
-
-"""Process the Invirt build queue.
-
-The Invirtibuilder handles package builds and uploads. On demand, it
-attempts to build a particular package.
-
-If the build succeeds, the new version of the package is uploaded to
-the apt repository, tagged in its git repository, and the Invirt
-superrepo is updated to point at the new version.
-
-If the build fails, the Invirtibuilder sends mail with the build log.
-
-The build queue is tracked via files in /var/lib/invirt-dev/queue. In
-order to maintain ordering, all filenames in that directory are the
-timestamp of their creation time.
-
-Each queue file contains a file of the form
-
- pocket package hash principal
-
-where pocket is one of the pockets globally configured in
-git.pockets. For instance, the pockets in XVM are "prod" and "dev".
-
-principal is the Kerberos principal that requested the build.
-"""
-
-
-import contextlib
-import os
-import re
-import shutil
-import subprocess
-
-import pyinotify
-
-from invirt.config import structs as config
-from invirt import database
-
-
-_QUEUE_DIR = '/var/lib/invirt-dev/queue'
-_REPO_DIR = '/srv/git'
-_LOG_DIR = '/var/log/invirt/builds'
-_HOOKS_DIR = '/usr/share/invirt-dev/build.d'
-
-
-DISTRIBUTION = 'hardy'
-
-
-class InvalidBuild(ValueError):
- pass
-
-
-def captureOutput(popen_args, stdin_str=None, *args, **kwargs):
- """Capture stdout from a command.
-
- This method will proxy the arguments to subprocess.Popen. It
- returns the output from the command if the call succeeded and
- raises an exception if the process returns a non-0 value.
-
- This is intended to be a variant on the subprocess.check_call
- function that also allows you access to the output from the
- command.
- """
- if 'stdin' not in kwargs:
- kwargs['stdin'] = subprocess.PIPE
- if 'stdout' not in kwargs:
- kwargs['stdout'] = subprocess.PIPE
- if 'stderr' not in kwargs:
- kwargs['stderr'] = subprocess.STDOUT
- p = subprocess.Popen(popen_args, *args, **kwargs)
- out, _ = p.communicate(stdin_str)
- if p.returncode:
- raise subprocess.CalledProcessError(p.returncode, popen_args, out)
- return out
-
-
-def getRepo(package):
- """Return the path to the git repo for a given package."""
- return os.path.join(_REPO_DIR, 'packages', '%s.git' % package)
-
-
-def pocketToGit(pocket):
- """Map a pocket in the configuration to a git branch."""
- return config.git.pockets[pocket].get('git', pocket)
-
-
-def pocketToApt(pocket):
- """Map a pocket in the configuration to an apt repo pocket."""
- return config.git.pockets[pocket].get('apt', pocket)
-
-
-def getGitFile(package, ref, path):
- """Return the contents of a path from a git ref in a package."""
- return captureOutput(['git', 'cat-file', 'blob', '%s:%s' % (ref, path)],
- cwd=getRepo(package))
-
-
-def getChangelog(package, ref):
- """Get a changelog object for a given ref in a given package.
-
- This returns a debian_bundle.changelog.Changelog object for a
- given ref of a given package.
- """
- return changelog.Changelog(getGitFile(package, ref, 'debian/changelog'))
-
-
-def getVersion(package, ref):
- """Get the version of a given package at a particular ref."""
- return getChangelog(package, ref).get_version()
-
-
-def getControl(package, ref):
- """Get the parsed debian/control file for a given package.
-
- This returns a list of debian_bundle.deb822.Deb822 objects, one
- for each section of the debian/control file. Each Deb822 object
- acts roughly like a dict.
- """
- return deb822.Deb822.iter_paragraphs(
- getGitFile(package, ref, 'debian/control').split('\n'))
-
-
-def getBinaries(package, ref):
- """Get a list of binary packages in a package at a given ref."""
- return [p['Package'] for p in getControl(package, ref)
- if 'Package' in p]
-
-
-def getArches(package, ref):
- """Get the set of all architectures in any binary package."""
- arches = set()
- for section in getControl(package, ref):
- if 'Architecture' in section:
- arches.update(section['Architecture'].split())
- return arches
-
-
-def getDscName(package, ref):
- """Return the .dsc file that will be generated for this package."""
- v = getVersion(package, ref)
- return '%s_%s-%s.dsc' % (
- package,
- version.upstream_version,
- version.debian_version)
-
-
-def validateBuild(pocket, package, commit):
- """Given the parameters of a new build, validate that build.
-
- The checks this function performs vary based on whether or not the
- pocket is configured with allow_backtracking.
-
- A build of a pocket without allow_backtracking set must be a
- fast-forward of the previous revision, and the most recent version
- in the changelog most be strictly greater than the version
- currently in the repository.
-
- In all cases, this revision of the package can only have the same
- version number as any other revision currently in the apt
- repository if they have the same commit ID.
-
- If it's unspecified, it is assumed that pocket do not
- allow_backtracking.
-
- If this build request fails validation, this function will raise a
- InvalidBuild exception, with information about why the validation
- failed.
-
- If this build request can be satisfied by copying the package from
- another pocket, then this function returns that pocket. Otherwise,
- it returns True.
- """
- package_repo = getRepo(package)
- new_version = getVersion(package, commit)
-
- for p in config.git.pockets:
- if p == pocket:
- continue
-
- b = pocketToGit(p)
- current_commit = captureOutput(['git', 'rev-parse', b],
- cwd=package_repo)
- current_version = getVersion(package, b)
-
- if current_version == new_version:
- if current_commit == commit:
- return p
- else:
- raise InvalidBuild('Version %s of %s already available in '
- 'pocket %s from commit %s' %
- (new_version, package, p, current_commit))
-
- if config.git.pockets[pocket].get('allow_backtracking', False):
- branch = pocketToGit(pocket)
- current_version = getVersion(package, branch)
- if new_version <= current_version:
- raise InvalidBuild('New version %s of %s is not newer than '
- 'version %s currently in pocket %s' %
- (new_version, package, current_version, pocket))
-
- # Almost by definition, A is a fast-forward of B if B..A is
- # empty
- if not captureOutput(['git', 'rev-list', '%s..%s' % (commit, branch)]):
- raise InvalidBuild('New commit %s of %s is not a fast-forward of'
- 'commit currently in pocket %s' %
- (commit, package, pocket))
-
-
-def sanitizeVersion(version):
- """Sanitize a Debian package version for use as a git tag.
-
- This function strips the epoch from the version number and
- replaces any tildes with periods."""
- v = '%s-%s' % (version.upstream_version,
- version.debian_version)
- return v.replace('~', '.')
-
-
-def aptCopy(packages, dst_pocket, src_pocket):
- """Copy a package from one pocket to another."""
- binaries = []
- for line in getGitFile(package, commit, 'debian/control').split('\n'):
- m = re.match('Package: (.*)$')
- if m:
- binaries.append(m.group(1))
-
- cpatureOutput(['reprepro-env', 'copy',
- pocketToApt(dst_pocket),
- pocketToApt(src_pocket),
- package] + binaries)
-
-
-def sbuild(package, ref, arch, workdir, arch_all=False):
- """Build a package for a particular architecture."""
- args = ['sbuild', '-d', DISTRIBUTION, '--arch', arch]
- if arch_all:
- args.append('-A')
- args.append(getDscName(package, ref))
- captureOutput(args, cwd=workdir, stdout=None)
-
-
-def sbuildAll(package, ref, workdir):
- """Build a package for all architectures it supports."""
- arches = getArches(package, ref)
- if 'all' in arches or 'any' in arches or 'amd64' in arches:
- sbuild(package, ref, 'amd64', workdir, arch_all=True)
- if 'any' in arches or 'i386' in arches:
- sbuild(package, ref, 'i386', workdir)
-
-
-def tagSubmodule(pocket, package, ref, principal):
- """Tag a new version of a submodule.
-
- If this pocket does not allow_backtracking, then this will create
- a new tag of the version at ref.
-
- This function doesn't need to care about lock
- contention. git-receive-pack updates one ref at a time, and only
- takes out a lock for that ref after it's passed the update
- hook. Because we reject pushes to tags in the update hook, no push
- can ever take out a lock on any tags.
-
- I'm sure that long description gives you great confidence in teh
- legitimacy of my reasoning.
- """
- if config.git.pockets[pocket].get('allow_backtracking', False):
- env = dict(os.environ)
- branch = pocketToGit(pocket)
- version = getVersion(package, ref)
-
- env['GIT_COMMITTER_NAME'] = config.git.tagger.name
- env['GIT_COMMITTER_EMAIL'] = config.git.tagger.email
- tag_msg = ('Tag %s of %s\n\n'
- 'Requested by %s' % (version.full_version,
- package,
- principal))
-
- captureOutput(
- ['git', 'tag', '-m', tag_msg, commit],
- stdout=None,
- env=env)
-
-
-def updateSubmoduleBranch(pocket, package, ref):
- """Update the appropriately named branch in the submodule."""
- branch = pocketToGit(pocket)
- captureOutput(
- ['git', 'update-ref', 'refs/heads/%s' % branch, ref])
-
-
-def uploadBuild(pocket, workdir):
- """Upload all build products in the work directory."""
- apt = pocketToApt(pocket)
- for changes in glob.glob(os.path.join(workdir, '*.changes')):
- captureOutput(['reprepro-env',
- 'include',
- '--ignore=wrongdistribution',
- apt,
- changes])
-
-
-def updateSuperrepo(pocket, package, commit, principal):
- """Update the superrepo.
-
- This will create a new commit on the branch for the given pocket
- that sets the commit for the package submodule to commit.
-
- Note that there's no locking issue here, because we disallow all
- pushes to the superrepo.
- """
- superrepo = os.path.join(_REPO_DIR, 'packages.git')
- branch = pocketToGit(pocket)
- tree = captureOutput(['git', 'ls-tree', branch],
- cwd=superrepo)
-
- new_tree = re.compile(
- r'^(160000 commit )[0-9a-f]*(\t%s)$' % package, re.M).sub(
- r'\1%s\2' % commit,
- tree)
-
- new_tree_id = captureOutput(['git', 'mktree'],
- cwd=superrepo,
- stdin_str=new_tree)
-
- commit_msg = ('Update %s to version %s\n\n'
- 'Requested by %s' % (package,
- version.full_version,
- principal))
- new_commit = captureOutput(
- ['git', 'commit-tree', new_tree_hash, '-p', branch],
- cwd=superrepo,
- env=env,
- stdin_str=commit_msg)
-
- captureOutput(
- ['git', 'update-ref', 'refs/heads/%s' % branch, new_commit],
- cwd=superrepo)
-
-
-@contextlib.contextmanager
-def packageWorkdir(package):
- """Checkout the package in a temporary working directory.
-
- This context manager returns that working directory. The requested
- package is checked out into a subdirectory of the working
- directory with the same name as the package.
-
- When the context wrapped with this context manager is exited, the
- working directory is automatically deleted.
- """
- workdir = tempfile.mkdtemp()
- try:
- p_archive = subprocess.Popen(
- ['git', 'archive',
- '--remote=file://%s' % getRepo(package),
- '--prefix=%s' % package,
- commit,
- ],
- stdout=subprocess.PIPE,
- )
- p_tar = subprocess.Popen(
- ['tar', '-x'],
- stdin=p_archive.stdout,
- cwd=workdir,
- )
- p_archive.wait()
- p_tar.wait()
-
- yield workdir
- finally:
- shutil.rmtree(workdir)
-
-
-def reportBuild(build):
- """Run hooks to report the results of a build attempt."""
-
- captureOutput(['run-parts',
- '--arg=%s' % build.build_id,
- '--',
- _HOOKS_DIR])
-
-
-def build():
- """Deal with items in the build queue.
-
- When triggered, iterate over build queue items one at a time,
- until there are no more pending build jobs.
- """
- while True:
- stage = 'processing incoming job'
- queue = os.listdir(_QUEUE_DIR)
- if not queue:
- break
-
- build = min(queue)
- job = open(os.path.join(_QUEUE_DIR, build)).read().strip()
- pocket, package, commit, principal = job.split()
-
- database.session.begin()
- db = database.Build()
- db.package = package
- db.pocket = pocket
- db.commit = commit
- db.principal = principal
- database.session.save_or_update(db)
- database.commit()
-
- database.begin()
-
- try:
- db.failed_stage = 'validating job'
- src = validateBuild(pocket, package, commit)
-
- db.version = str(getVersion(package, commit))
-
- # If validateBuild returns something other than True, then
- # it means we should copy from that pocket to our pocket.
- #
- # (If the validation failed, validateBuild would have
- # raised an exception)
- if src != True:
- db.failed_stage = 'copying package from another pocket'
- aptCopy(packages, pocket, src)
- # If we can't copy the package from somewhere, but
- # validateBuild didn't raise an exception, then we need to
- # do the build ourselves
- else:
- db.failed_stage = 'checking out package source'
- with packageWorkdir(package) as workdir:
- db.failed_stage = 'preparing source package'
- packagedir = os.path.join(workdir, package)
-
- # We should be more clever about dealing with
- # things like non-Debian-native packages than we
- # are.
- #
- # If we were, we could use debuild and get nice
- # environment scrubbing. Since we're not, debuild
- # complains about not having an orig.tar.gz
- captureOutput(['dpkg-buildpackage', '-us', '-uc', '-S'],
- cwd=packagedir,
- stdout=None)
-
- try:
- db.failed_stage = 'building binary packages'
- sbuildAll(package, commit, workdir)
- finally:
- logdir = os.path.join(_LOG_DIR, db.build_id)
- if not os.path.exists(logdir):
- os.makedirs(logdir)
-
- for log in glob.glob(os.path.join(workdir, '*.build')):
- os.copy2(log, logdir)
- db.failed_stage = 'tagging submodule'
- tagSubmodule(pocket, package, commit, principal)
- db.failed_stage = 'updating submodule branches'
- updateSubmoduleBranch(pocket, package, commit)
- db.failed_stage = 'updating superrepo'
- updateSuperrepo(pocket, package, commit, principal)
- db.failed_stage = 'uploading packages to apt repo'
- uploadBuild(pocket, workdir)
-
- db.failed_stage = 'cleaning up'
-
- # Finally, now that everything is done, remove the
- # build queue item
- os.unlink(os.path.join(_QUEUE_DIR, build))
- except:
- db.traceback = traceback.format_exc()
- else:
- db.succeeded = True
- db.failed_stage = None
- finally:
- database.session.save_or_update(db)
- database.session.commit()
-
- reportBuild(db)
-
-
-class Invirtibuilder(pyinotify.ProcessEvent):
- """Process inotify triggers to build new packages."""
- def process_IN_CREATE(self, event):
- """Handle a created file or directory.
-
- When an IN_CREATE event comes in, trigger the builder.
- """
- build()
-
-
-def main():
- """Initialize the inotifications and start the main loop."""
- database.connect()
-
- watch_manager = pyinotify.WatchManager()
- invirtibuilder = Invirtibuilder()
- notifier = pyinotify.Notifier(watch_manager, invirtibuilder)
- watch_manager.add_watch(_QUEUE_DIR,
- pyinotify.EventsCodes.ALL_FLAGS['IN_CREATE'])
-
- # Before inotifying, run any pending builds; otherwise we won't
- # get notified for them.
- build()
-
- while True:
- notifier.process_events()
- if notifier.check_events():
- notifier.read_events()
-
-
-if __name__ == '__main__':
- main()
projects / invirt/scripts/git-hooks.git / commitdiff
