Gerrit Administration Training

Take full control of your Gerrit deployment with this 3-day administration deep dive. From gerrit.config tuning and authentication backends to access control inheritance, custom labels, replication, and plugin management — this training equips administrators with the knowledge to run Gerrit reliably at scale in production environments.

Training Details

Duration	3 days (24 hours)
Level	Intermediate
Delivery	In-person, Live online, Hybrid
Certification	N/A

Who Is This For?

• System administrators responsible for Gerrit server operations
• DevOps engineers deploying and maintaining Gerrit infrastructure
• Engineering managers defining review policies and access control
• Platform engineers integrating Gerrit into the development toolchain
• Anyone tasked with migrating to or upgrading a Gerrit installation

Learning Outcomes

After completing this training, participants will be able to:

• Configure gerrit.config for production deployments including caching, indexing, and HTTP settings
• Integrate LDAP, OAuth, and SAML authentication providers
• Design access control hierarchies using All-Projects inheritance and ref-level permissions
• Define custom review labels and configure submit requirements
• Set up replication between Gerrit instances for disaster recovery and geographic distribution
• Automate workflows using hooks and event streaming
• Install, configure, and manage Gerrit plugins
• Monitor Gerrit health and troubleshoot common operational issues

Detailed Agenda

Day 1: Configuration, Authentication, and Project Setup

Module 1: gerrit.config Deep Dive

• Configuration file hierarchy: gerrit.config, secure.config, replication.config
• Core sections: gerrit, database, index, cache, sshd, httpd
• Database backends: H2 (development), PostgreSQL, MySQL/MariaDB (production)
• Lucene index configuration and online reindexing
• Cache tuning: web_sessions, projects, accounts, diff
• Hands-on: Configure a production-grade gerrit.config with PostgreSQL and tuned caches

Module 2: Authentication and Identity

• Authentication types: LDAP, HTTP, OAuth, SAML, OpenID Connect
• LDAP integration: bind credentials, user/group search bases, attribute mapping
• OAuth provider configuration (GitHub, Google, Keycloak, Azure AD)
• SAML integration for enterprise SSO
• Account deactivation, external IDs, and identity linking
• Hands-on: Configure LDAP authentication with group sync against an OpenLDAP server

Module 3: Project Creation and Repository Management

• Creating projects: UI, REST API, and gerrit create-project SSH command
• Project configuration in project.config (stored in refs/meta/config)
• Parent project inheritance and the All-Projects root
• Branch permissions, tag creation rules, and ref namespaces
• Repository maintenance: GC, pack, and fsck operations
• Hands-on: Create a project hierarchy with parent-child inheritance and custom branch permissions

Module 4: Access Control Model

• Permission model: groups, projects, refs, and actions
• Built-in groups: Administrators, Project Owners, Anonymous Users, Registered Users
• Ref-level permissions: read, push, create, submit, label voting
• BLOCK, ALLOW, and DENY rules — evaluation order and precedence
• Exclusive vs inclusive group membership strategies
• Hands-on: Design and implement ACLs for a multi-team project with branch protection and restricted submit rights

Day 2: Labels, Submit Rules, and Automation

Module 5: Custom Label Definitions

• Default labels (Code-Review, Verified) and their configuration
• Creating custom labels: design-review, security-review, qa-sign-off
• Label functions: MaxWithBlock, AnyWithBlock, MaxNoBlock, NoBlock, NoOp
• Copy conditions: copyMinScore, copyAllScoresIfNoChange, copyAllScoresOnTrivialRebase
• Label applicability by branch and file pattern
• Hands-on: Create a three-label review workflow with security-review and qa-sign-off labels

Module 6: Submit Requirements

• Modern submit requirements replacing legacy Prolog rules
• Submit requirement expressions: label, uploader, and author predicates
• Combining requirements with AND/OR logic
• Override and emergency submit workflows
• Testing submit requirements with the REST API
• Hands-on: Configure submit requirements that enforce separate author and reviewer, plus mandatory security review for release branches

Module 7: Hooks and Server-Side Actions

• Synchronous hooks: ref-update, commit-received, submit
• Asynchronous hooks: patchset-created, comment-added, change-merged
• Hook script environment: available variables and exit codes
• Validation hooks for commit message format and content policy enforcement
• Hook performance considerations and timeout configuration
• Hands-on: Write a commit-received hook that enforces commit message format and a patchset-created hook that triggers a notification

Module 8: Event Handling and Stream Events

• The stream-events SSH command and event types
• Event payload structure: patchSet, change, author, approvals
• Consuming events with gerrit stream-events for real-time automation
• Event filtering and connection management
• Integration patterns: event consumer services, message queues
• Hands-on: Build an event consumer that monitors stream-events and posts change statistics to a Slack channel

Day 3: Replication, High Availability, and Plugins

Module 9: Replication Configuration

• Push replication plugin: replication.config, destination setup
• Replication triggers: ref-updated, project creation, manual trigger
• Filtering replicated refs and projects
• Pull replication for multi-site deployments
• Replication monitoring: replication lag, queue depth, error handling
• Hands-on: Configure push replication between two Gerrit instances with project filtering and verify ref consistency

Module 10: High Availability Strategies

• Primary-replica architecture with shared filesystem
• Multi-site plugin for active-active deployments
• Global replication with Kafka or NATS event brokers
• Load balancing and session affinity considerations
• Backup and disaster recovery procedures
• Hands-on: Set up a primary-replica pair with shared NFS storage and verify failover behavior

Module 11: Plugin Management

• Plugin architecture: ClassLoader isolation and extension points
• Installing plugins: core plugins, CI builds, Gerrit marketplace
• Essential plugins: webhooks, download-commands, delete-project, reviewers
• Plugin configuration in gerrit.config and plugin-specific config files
• Upgrading plugins during Gerrit version upgrades
• Hands-on: Install and configure the webhooks plugin, delete-project plugin, and reviewers plugin from the marketplace

Module 12: Monitoring, Troubleshooting, and Capstone

• JMX metrics and Prometheus exposition via the metrics-reporter plugin
• Key metrics: request latency, queue sizes, cache hit rates, replication lag
• Log analysis: httpd_log, sshd_log, error_log, gc_log
• Common issues: index corruption, lock contention, SSH connection limits
• Performance tuning: thread pools, pack cache, receive buffer
• Hands-on: Capstone — deploy a production-ready Gerrit instance with LDAP auth, custom labels, submit requirements, replication, monitoring, and a plugin stack

Prerequisites

• Completion of Gerrit Fundamentals Training or equivalent hands-on Gerrit experience
• Basic Linux system administration (package management, systemd, file permissions)
• Understanding of Git internals (refs, objects, packfiles)
• Familiarity with Docker and Docker Compose for lab environments

Delivery Formats

Format	Description
In-Person	On-site at your company's location, hands-on with direct interaction
Live Online	Interactive virtual sessions with screen sharing and real-time labs
Hybrid	Combination of on-site and remote sessions, flexible scheduling

All formats include hands-on labs, course materials, and post-training support.