
Remove port 29418 from cloning process
Status: Closed, Declined. Visibility: Public. Type: Feature

Description

It's been pointed out that remembering port 29418 to hit gerrit.wikimedia.org is kind of annoying at best and confusing at worst.

Tim suggested we get a second IP/host to forward port 22 to gerrit.wikimedia.org:29418.

Maybe git.wikimedia.org:22 -> gerrit.wikimedia.org:29418?

Version: unspecified
Severity: enhancement


Event Timeline

bzimport raised the priority of this task from to Medium. Nov 22 2014, 12:14 AM
bzimport added projects: Gerrit, acl*sre-team.
bzimport set Reference to bz35611.
bzimport added a subscriber: Unknown Object (MLST).

Somebody should fix the rt linker to operate on word boundaries so the word "port" doesn't link ;-)

This is also annoying when you're on a network that blocks unknown ports (such as 29418).

I think you could do it on gerrit.wikimedia.org, without any need for a second hostname. If you wanted to log in to the actual host rather than the gerrit installation, you would use formey.wikimedia.org. The IP referred to by gerrit.wikimedia.org would basically be a service IP with Gerrit web on port 80 and Gerrit SSH on port 22.

(In reply to comment #1)

Somebody should fix the rt linker to operate on word boundaries so the word
"port" doesn't link ;-)

xxxrt 22 RT 22 RT22 ...rt22...

How's that?

Raising priority on this--we've had a couple of complaints of this already.

[Not high priority currently; plus it seems people got kind of used to it.]

How difficult would it be to do this? My school network blocks most ports above 200 so I'm kinda blocked by this.

Andre: does this need/have an associated RT ticket?

Don't know. The Git/Gerrit folks might be able to tell you.

Change 172313 had a related patch set uploaded by Dereckson:
Gerrit also listens on port 22

https://gerrit.wikimedia.org/r/172313

As a workaround (which can still be useful if port 22 is also blocked), one can clone and push over https (the latter with the credentials provided in https://gerrit.wikimedia.org/r/#/settings/http-password )

(In reply to Merlijn van Deen from comment #13)

As a workaround (which can still be useful if port 22 is also blocked), one
can clone and push over https

This is not really a viable workaround if a user uses Gerrit intensively, as it would require storing the https password in the clear, or typing it at each operation.

Change 172803 had a related patch set uploaded by Dzahn:
ssh server: make ListenAddress configurable

https://gerrit.wikimedia.org/r/172803

Change 172803 merged by Dzahn:
ssh server: make ListenAddress configurable

https://gerrit.wikimedia.org/r/172803

Status update: to achieve this, we first needed to have a dedicated IP for Gerrit (already done during a server migration) and to allow SSHD configuration in puppet (done by Dzahn in the previous merged change).

The prerequisites being all cleared, we can now take change 172313 in consideration.

Unfortunately there is more to do before we can. Next we would need this or something similar to make Gerrit nodes set up an SSHD that listens only on the non-Gerrit IP:

https://gerrit.wikimedia.org/r/#/c/174015/

(now that we can even do that after the change before that)

and then we would have to _not_ include 'base' on that node, so that we don't get the default SSHD from there that listens on everything.

Change 185340 had a related patch set uploaded (by Dzahn):
WIP: add port forwarding to ferm

https://gerrit.wikimedia.org/r/185340


Change 185340 abandoned by Dzahn:
WIP: add port forwarding to ferm

https://gerrit.wikimedia.org/r/185340

Given the Phabricator plans, Gerrit's inability to listen on port 22 and the minimal relevant traffic on this ticket since 2 years ago, I am inclined to suggest we should close this as unresolved,

unless we still add the iptables rule on ytterbium itself (that's different from my abandoned patch above, which expected we'd have to forward it between machines for a scenario where Gerrit is behind misc-web; now I don't think that is going to happen anymore, but we could still do it on ytterbium, because we already have 2 interfaces). Faidon once pasted an example on IRC but unfortunately I have not saved it.

Faidon, could you give your thoughts about this possibility?

faidon lowered the priority of this task from Medium to Low. Feb 11 2015, 3:32 PM

The idea was to use the REDIRECT target. However, this won't work for IPv6 unless we upgrade to a more recent kernel (3.7+ I believe). Honestly... I'm not sure we should bother.
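To make the REDIRECT idea concrete, here is an added ferm fragment (an illustration written for this page, not the abandoned change 185340 or any Wikimedia puppet code): it rewrites inbound TCP port 22 on an assumed Gerrit service address to 29418 on the same host, leaving the host's other interface alone; the IPv6 half depends on the kernel support Faidon mentions. The addresses are placeholders.

```ferm
# Added illustration; the two addresses are assumed placeholders for the
# dedicated Gerrit service IP, not Wikimedia's real ones.
@def $GERRIT_V4 = 203.0.113.10;
@def $GERRIT_V6 = 2001:db8::10;

# Rewrite the destination port before routing, only for the service IP,
# so the admin SSHD on the host's other interface keeps plain port 22.
domain ip table nat chain PREROUTING {
    daddr $GERRIT_V4 proto tcp dport 22 REDIRECT to-ports 29418;
}

# Same for IPv6: REDIRECT in ip6tables needs NAT support in the kernel
# (3.7+ according to the comment above); on older kernels this stanza
# fails to load, so keep it separate from the IPv4 one.
domain ip6 table nat chain PREROUTING {
    daddr $GERRIT_V6 proto tcp dport 22 REDIRECT to-ports 29418;
}

# Gerrit's own SSHD must still accept the redirected traffic on 29418.
domain (ip ip6) table filter chain INPUT {
    proto tcp dport 29418 ACCEPT;
}
```

Clients then connect with plain `ssh gerrit.wikimedia.org` while Gerrit keeps listening on 29418; the admin SSHD on the second interface is untouched.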

FWIW I think the port is only part of the story; what's useful is tooling that will DTRT and set up other things like the commit hook. I've been using such a script for some time and I've polished it a bit, published here: https://gerrit.wikimedia.org/r/#/c/189971/

I'd like to close this as declined if no one minds. I look forward to filippo's script being made available.

fgiunchedi claimed this task.

I think this hurts the participation of enterprise MediaWiki developers, as corporate firewalls typically disallow unknown ports (e.g. the NASA people complained recently about not being able to use Gerrit with SSH), and sometimes it even causes trouble at our own events (T122814: IRC and gerrit blocked on dev summit wifi). IMO it would be worth putting more effort into it.

Re-opening on the basis that since 2015 the aforementioned "Phabricator plans" no longer apply, and that our kernels are now one major version ahead (4.x) of the version that was considered troublesome (3.x).

Krinkle raised the priority of this task from Low to Needs Triage. Dec 8 2018, 2:11 AM
Krinkle removed a project: Patch-For-Review.
Krinkle awarded a token.

Unassigning as I'm not going to work on this.

herron triaged this task as Medium priority. Jan 11 2019, 7:48 PM
jijiki lowered the priority of this task from Medium to Low. Jun 26 2019, 5:49 AM
Aklapper changed the subtype of this task from "Task" to "Feature Request". Feb 4 2022, 11:14 AM
hashar subscribed.

This was an idea that floated around in the early days of us adopting Gerrit. The point was to save the hassle of having to use ssh -p 29418. I think most people clone from https and use git-review to set up the push url. I thus don't think it is much of a problem. The reality is we will not provide the effort to do this change and I am thus declining this task.