[openstack-dev] China blocking access to OpenStack git review push

Clark Boylan cboylan at sapwetik.org
Mon Sep 8 19:46:19 UTC 2014 

On Mon, Sep 8, 2014, at 12:20 PM, Thomas Goirand wrote:
> Am I dreaming, or is the Chinese government is trying to push for the
> cloud, they said. However, today, bad surprise:
> 
> # nmap -p 29418 23.253.232.87
> 
> Starting Nmap 6.00 ( http://nmap.org ) at 2014-09-09 03:10 CST
> Nmap scan report for review.openstack.org (23.253.232.87)
> Host is up (0.21s latency).
> PORT      STATE    SERVICE
> 29418/tcp filtered unknown
> 
> Oh dear ... not fun!
> 
> FYI, this is from China Unicom (eg: CNC Group)
> 
> I'm guessing that this is the Great Firewall of China awesome automated
> ban script which detected too many ssh connection to a weird port. It
> has blocked a few of my servers recently too, as it became a way too
> aggressive. I very much prefer to use my laptop to use git review than
> having to bounce around servers. :(
> 
> Are their alternative IPs that I could use for review.openstack.org?
> 
> Cheers,
> 
> Thomas Goirand (zigo)
> 
> P.S: If a Chinese official read this, an easy way to unlist (legitimate)
> servers access would be the first action any reasonable Chinese
> government people must do.
> 
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

As an alternative to pushing via ssh you can push via https over port
443 which may bypass this port blockage. Both latest git review and the
version of gerrit that we are running support this.

The first step is to generate a gerrit http password, this will be used
to authenticate against Gerrit. Go to
https://review.openstack.org/#/settings/http-password and generate a
password there (note this is independent of your launchpad openid
password).

Next step is to get some code clone it from eg
https://git.openstack.org/openstack-dev/sandbox. Now I am sure there is
a better way to have git-review do this for you with config overrides
somewhere but we need to add a git remote in that repo called 'gerrit'.
By default all of our .gitreview files set this up for ssh so we will
manually add one. `git remote add gerrit
https://username@review.openstack.org/openstack-dev/sandbox`. Finally
run `git review -s` to get the needed commit hook and now you are ready
to push code with `git review` as you normally would. Note when git
review asks for a password it will want the password we generated in the
first step.

I am pretty sure this is can be made easier and the manual git remote
step is not required if you set up some overrides in git(review) config
files. Maybe the folks that added https support for git review can fill
us in.

Clark

More information about the OpenStack-dev mailing list