From Wikitech
Jump to navigation Jump to search

Since Feb 2nd 2021, we deploy the upstream war file as is. It is fetched from , stored using git-lfs (since April 2023) in operations/software/gerrit under a deploy/wmf/stable-X.Y branch. We still build extra plugins from sources, the build relies on the source code held in the Gerrit repository operations/software/gerrit in branch wmf/stable-X.Y

The upstream branches (master, stable-3.5) are manually kept in sync. We have a forked branch wmf/stable-3.5 which has our extra plugins registered as sub-modules as well as some Wikimedia specific build scripts at the root of the repository. Our branch can be used to cherry pick patches for plugins build purpose, but must eventually be send to upstream, reviewed and merged there. The branch overview:

operations/software/gerrit branches layout
Branch Description
stable-3.5 Gerrit core, updated from upstream
wmf/stable-3.5 Fork holding our build script and our plugins as submodules
wmf/deploy/stable-3.5 scap deployment repository holding Gerrit .war and plugins .jar with git-fat

Build prerequisites

The full list of requirements can be found at or from source at

Install OpenJDK 11, git, NodeJS, Python 3. On Debian:

$ sudo apt install git openjdk-11-jdk-headless nodejs python3

Gerrit and its plugins are build using Bazel. Since the exact version to use might differ between branches or can be updated by upstream at any point, one should install Bazelisk. It is a frontend to Bazel which automatically installs the needed Bazel version for the Gerrit branch you are working on. You will require the Go programming language in order to build it. The following will build Bazelisk 1.6.1 from source and copy the resulting binary in your user bin directory (~/.local/bin):

$ which go || sudo apt install golang-go
$ mkdir /tmp/bazelisk-build
$ (/tmp/bazelisk-build && go mod init . && go get
$ mkdir -p "$HOME"/.local/bin && cp /tmp/bazelisk-build/gopath/bin/bazelisk "$HOME"/.local/bin/bazelisk
$ rm -fR /tmp/bazelisk-build

Update our mirror repository

Upgrade Gerrit core branch

Even if we deploy Gerrit core from the upstream released .war, we still need an up-to-date Gerrit copy in order to build our plugins.

  1. Clone Gerrit and submodules from Wikimedia, add upstream as a remote:
    git clone
    cd gerrit
    git remote add upstream
  2. Our repository HEAD points to the branch holding the material for the deployment deploy/wmf/stable-3.5. Checkout the stable-3.5 branch (as of October 2022) which is a copy of the upstream release we currently use:
    git checkout stable-3.5 origin/stable-3.5
  3. Fetch the upstream branch and fast-forward our copy of their branch to the latest tag. Then push the stable-3.5 directly to Gerrit:
    git fetch --tags upstream stable-3.5
    git merge --ff-only v3.5.5
    git push --tags origin HEAD:stable-3.5
  4. Checkout wmf/stable-3.5 and merge the latest tag, push the resulting SINGLE merge commit up for review:
    git checkout wmf/stable-3.5
    git merge v3.5.5
    git commit --amend --no-edit  # add Change-Id
    git push origin HEAD:refs/for/wmf/stable-3.5

Update bundled submodules

Gerrit core comes with bundled plugins and a specific version of jgit which are registered as submodules. The .gitmodules file comes from upstream and uses relative urls. Since your workspace copy points to the Wikimedia Gerrit, the submodules would be fetched from our Gerrit which will would fail since the repositories do not exist. Instead we have to instruct git to rewrite the URLs to use upstream repositories. This can be done using the git configuration setting url.<base>.insteadOf = <our url>.

  1. Ensure you are in our forked branch:
    git checkout wmf/stable-3.5
    # update as needed
  2. Update git submodules from the upstream repository using:
    git -c url."".insteadOf="$(dirname $(git config --get remote.origin.url))" submodule update --init
  3. Push for review. At this point, you will likely be ahead of wmf/stable-3.5 by...quite a bit (hundreds of patches). This is all within a single merge commit though, so Be Bold — push up your change for review:
    git commit --amend --no-edit # to add Change-Id and Phabricator tracking bug to the merge commit
    git push origin HEAD:refs/for/wmf/stable-3.5

Do NOT Code-Review +2 the resulting change yet, plugins need to be updated

Fetch our additional plugins

As our Gerrit instance runs some plugins which are not part of Gerrit upstream set of plugins, we have those extra plugins registered as submodules in our branch. They will need to be updated to match the new Gerrit version. You will need ssh admin access to Gerrit to be able to list the installed plugins as well as jq (sudo apt install jq).

List our plugins:

$ ./ 

Most plugins come with a set of stable- branches, some support multiple versions and solely have a master branch. The proper branch to use for our extra plugins is indicated in .gitmodules , we thus just have to update them from the remote branch (git submodule update --remote plugins/foo). To update our plugins:

$ ./
Updating Wikimedia specific plugins
<the list of our plugins is shown here>
<git submodule update if relevant>

(as of October 2022 we no more fork gitiles) Plugins which we have forked on our Gerrit such as gitiles need the fork to be updated and upstream tag to be pushed:

cd plugins/gitiles
git remote add google
git fetch google
git merge google/stable-3.5
git commit --amend --no-edit # add Change-Id
git remote set-url --push origin ssh://
git push --tags origin HEAD:stable-3.5

Eventually review plugins changes:

$ git diff --submodule=log
Submodule plugins/healthcheck 5be80596ca..c84dfceab2:
  > Make documentation consistent
Submodule plugins/its-base 33380b5e25..84a2ea5694:
  > build: fix log(String) must be compile-time constants
  > Merge branch 'stable-3.6'

Once done updating our plugins submodules, git add them, update your commit and send it for review:

git add $(./
git commit --amend
git push origin HEAD:refs/for/wmf/stable-3.5

CI will build Gerrit core as well as all the extra plugins, the resulting .war and .jar files are attached to the build.


For Gerrit core and its bundled plugins, just use the upstream released .war. This instructions are left here for reference in case we have to build Gerrit ourselves at some point although the logic has been ported to a Jenkins job and CI will happily build Gerrit and the plugins for you.

Gerrit core

Upstream .war

The gerrit.war can be retrieved simply by running mvn package

To update the Gerrit version, edit pom.xml and adjust the gerrit.version property:


Then run mvn package it downloads the Gerrit war released by Google on Maven Central, replaces the /gerrit.war at the root of the repository and unpack the bundled plugins to ./plugins/.

Add the result and craft the commit:

$ mvn package

[INFO] --- maven-dependency-plugin:3.1.2:copy (import upstream gerrit war) @ gerrit ---
[INFO] Configured Artifact:
Downloading from wikimedia.mirrored:
Downloaded from wikimedia.mirrored: (2.8 kB at 1.5 kB/s)
Downloading from wikimedia.mirrored:
Downloaded from wikimedia.mirrored: (85 MB at 1.3 MB/s)
[INFO] Copying gerrit-war-3.5.6.war to ~/projects/operations/software/gerrit-deploy/gerrit.war
[INFO] --- maven-dependency-plugin:3.1.2:unpack (extract upstream plugins) @ gerrit ---
[INFO] Configured Artifact:
[INFO] Unpacking ~/.m2/repository/com/google/gerrit/gerrit-war/3.5.6/gerrit-war-3.5.6.war to ~/projects/operations/software/gerrit-deploy/plugins with includes "WEB-INF/plugins/*.jar" and excludes ""
[INFO] ------------------------------------------------------------------------
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  01:10 min
[INFO] ------------------------------------------------------------------------

$ git add pom.xml gerrit.war plugins/*.jar
$ git commit -m 'Update Gerrit to vX.Y.Z'

Build our own

As of Feb 2nd 2021 we no more build Gerrit ourselves, we instead use the upstream .war, see previous section. The build instructions are left there in case we have to build a fork.


Most plugins come with build instructions usually available at src/main/resources/Documentation/

Since we use the upstream war, we do not need to build the plugins provided with Gerrit core. Instead we only build our extra plugins. can list our plugins:

$ git checkout wmf/stable-3.5
$ ./ 

The whole build logic is implemented in the script:

$ git checkout wmf/stable-3.5
$ ./
Building Wikimedia specific plugins

> Building go-import


Done building
Copying build artifacts

Those should be copied to the wmf/deploy branch

Make sure to remove all content from ./plugins before copying the build artifacts.

Add a new plugin

In our wmf/stable-3.5 branch and the plugin upstream repository as a submodule. It should point to the current stable branch (stable-3.5) if supported, else master.

git submodule add -f -b stable-3.5 -- plugins/rename-project
git add .gitmodules plugins/rename-project
git commit -m 'Add rename-project plugin'

Then follow the instructions from the previous section to build it and add the resulting .jar to our deployment branch.

If we were to fork a plugin, the process is similar. The repository is forked on our Gerrit instance and then registered as a submodule pointing to our Gerrit.

Upload artifacts

After you have imported Gerrit releases.war from upstream and build the plugins (, the artifacts have to be added to the deploy/wmf/stable-X branch.

Since artifacts are rather large, we use git-lfs to offload the git repository:

  1. sudo apt install git-fat
  2. Initialization: git lfs install

Git LFS determine the URL to fetch/push from the git remote, on our setup we have explicitly defined them in a .lfsconfig file. It will fetch over https and pushes over ssh using the same credentials used for regular git operations. It should essentially work out of the box.


  1. Checkout the deploy/wmf/stable-X branch that aligns with the build branch

If you have build locally:

  1. Copy all the previously build plugin jars from ./plugins-wmf to ./plugins in the deploy branch

If you want to rely on CI:

  1. Head to the last merged change of the wmf/stable-3.5 branch and follow the link to the gerrit-docker job build
  2. On the build page follow the Build artifacts link
  3. Download a zip via (all files in zip)
  4. Extract the archive: cd plugins && unzip -o -j /path/to/
  5. Remove the release.war and its-base.jar built by CI: rm plugins/{release.war,its-base.jar}

Prepare the commit:

Ensure Gerrit bundled plugins are not included since they are provided by the releases.war

  • rm plugins/its-base.jar

Commit the changes and upload to Gerrit

  • git add 'plugins/*.jar'
  • Add a note if a plugin is no more present,
  • git commit -m 'Update plugins for Gerrit 3.3.6'
  • git push origin HEAD:refs/for/deploy/wmf/stable-3.5

The git push send the artifacts with git LFS.


When upgrading Gerrit releases.war to a new minor or major version: make sure to have taken in account upgrade steps that are mentioned in the upstream release notes.

Make sure to check the free disk space before deploying a new version (df -h)

You must check Gerrits Icinga alerts manually during the maintenance to make sure no critical alert gets overlooked.

1) Schedule downtime for Gerrit hosts to avoid unwanted notifications in alerting channels.

Add silences in Alert Manager . The form is available via the struck bell at the top right of the web interface. The rules to add are:

  • For Icinga alerts: labels.instance with a regex match on*
  • For Prometheus alerts: labels.job having gerrit or gerrit-metrics

2) Disable Puppet

This make sure Puppet does not restart the service or alter the gerrit.config:

sudo puppet agent --disable 'Gerrit deployment'

3) Deploy artifacts

  1. SSH to the deployment master (ssh deployment.eqiad.wmnet)
  2. cd /srv/deployment/gerrit/gerrit
  3. Update the repository: git fetch
  4. Checkout the appropriate deploy/wmf/stable-X branch: git checkout deploy/wmf/stable-X
  5. Review differences: git log HEAD..HEAD@{u}
  6. git rebase if all is fine

Deploy artifacts to gerrit2002 to ensure that there are no errors with git-fat et al

  1. scap deploy -l 'Gerrit to [version] on gerrit2002'

Deploy to gerrit1001:

  1. scap deploy -l 'Gerrit to [version] on gerrit1001'

4) Refresh plugins

On each server refresh the plugins from the .war and upgrade:

Accessing servers
ssh (replica)
ssh (primary)

TODO: put gerrit in maintenance mode TODO: have scap run commands

Extract plugins bundled in Gerrit core. Since we have forked some of the bundled plugins and Gerrit scans the ./plugins directory and would reload/drop/add the plugins automatically, we need to stop Gerrit.

  1. sudo service gerrit stop
  2. sudo -u gerrit2 -i
  3. cd review_site
  4. java -jar bin/gerrit.war init --batch

5) Run initialization

gerrit init extract the plugins from the upstream war, run their init steps, upgrade the schema and normalize gerrit.config.

For upstream bundled plugins we have forked (such as gitiles), we need to restore our version. That is done by restoring git tracked .jar from our deployment repository. Rest of bundled plugins are untracked in our git repository.

  1. cd plugins
  2. git status
  3. git checkout '*.jar' # restore OUR version of upstream bundled plugins
  4. You can now logout from the gerrit2 user

6) Apply our config Enable and run Puppet:

sudo puppet agent --enable
sudo puppet agent -tv

Take note of any change that might have been applied to gerrit.config: they should be transcribed back to Puppet.

7) Puppet will start up Gerrit for you.

8) Checks

Plugins either on the web or via ssh:

  • ssh -p 29418 gerrit plugin ls
  • ssh -p 29418 gerrit plugin ls

sudo journalctl -u gerrit -n 50 --follow

Logs are in Kibana

9) Resume monitoring