Gerrit usually sits at the centre of an engineering change-control process: it decides who may push, who may approve, and what reaches a protected branch.
Configuration should therefore prioritise identity integration, permissions, submit rules, and audit retention.
¶ Main configuration file
Primary file: $site_path/etc/gerrit.config (git-config syntax). Passwords do not belong in it; they go in $site_path/etc/secure.config, which should be readable by the Gerrit service account only.
Example (Gerrit 2.x layout, where review metadata still lived in a relational ReviewDb):
[gerrit]
basePath = git
canonicalWebUrl = https://gerrit.example.com/
[database]
type = postgresql
hostname = 127.0.0.1
database = gerrit
username = gerrit
[auth]
type = OPENID
[receive]
enableSignedPush = true
[sendemail]
smtpServer = 127.0.0.1
smtpServerPort = 25
Notes on the example:
- The [database] section is used only by Gerrit 2.x. From 3.0 all review metadata lives in NoteDb inside the Git repositories (All-Projects, All-Users and each project), so there is no relational database to configure or back up.
- auth.type = OPENID is Gerrit's default but depends on OpenID 2.0, which most providers have withdrawn; for central identity use LDAP, OAUTH (through an OAuth plugin), or HTTP with a reverse proxy that authenticates the user and passes the identity in a header.
- receive.enableSignedPush = true only turns on verification of push certificates (git push --signed) against GPG keys users have uploaded to their accounts; requiring them is a per-project setting (receive.requireSignedPush in project.config).
- sendemail on 127.0.0.1:25 assumes a local relay; a remote relay needs sendemail.smtpEncryption set and the credentials placed in secure.config.
¶ Access and permissions model
- Authenticate through the organisation's identity provider where possible (LDAP, OAUTH via an OAuth plugin, or HTTP auth behind an SSO reverse proxy) so that leavers lose access centrally; never run DEVELOPMENT_BECOME_ANY_ACCOUNT outside a throwaway instance.
- Keep Administrators group membership minimal and audited: by default the group holds the Administrate Server capability and push on refs/meta/config of All-Projects, so any member can rewrite the access rules every project inherits.
- Require approvals before submit: a Code-Review label whose function requires a +2 and blocks while a -2 is present (MaxWithBlock), or the equivalent submit requirement on newer releases, plus a Verified label that only CI service accounts may set.
- Restrict direct pushes to protected branches: grant push on refs/for/refs/* rather than on refs/heads/*, and use block rules in the parent project, because a child project can add allow rules but cannot override a block inherited from its parent.
¶ Repository and review policy
- Enforce signed pushes on sensitive repositories (receive.enableSignedPush server-wide, then receive.requireSignedPush in the project's config); Gerrit verifies push certificates itself, whereas commit signatures need a separate server-side check.
- Define the default submit strategy once in All-Projects (submit.action, e.g. rebase if necessary or merge if necessary) and override it per project only deliberately, so reviewers know whether what they approved is merged verbatim or rebased first.
- When mirroring with the replication plugin, give each mirror its own SSH key that the remote side restricts to pushing into that repository, and store the private key with the same restrictive permissions as secure.config.
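The lint script below is an added example, not code from this page or from the Gerrit project. It reads the two files discussed here, gerrit.config from the section above and a project.config of the kind the access and review rules in this section are written to, and reports the settings a reviewer would flag: a legacy or unsafe auth.type, a non-HTTPS canonicalWebUrl, signed push left off, a protected branch that still accepts direct pushes or lacks a block rule, and a Code-Review label that cannot block submit. The parser, function names, group names and both sample files are assumptions made for the example; rule merging handles exact refs and prefix/* patterns only.

```python
"""Lint a Gerrit site against the hardening points above (added example, not
Gerrit's own code). gerrit.config and project.config share git-config syntax, so
one parser serves both. The samples are constructed; the real files are
$site_path/etc/gerrit.config and each project's refs/meta/config:project.config."""
import re
from collections import defaultdict

_SECTION = re.compile(r'^\[([A-Za-z][\w-]*)(?:\s+"([^"]*)")?\]$')
_KEY = re.compile(r'^([A-Za-z][\w-]*)\s*(?:=\s*(.*))?$')

def parse_git_config(text):
    """{(section, subsection): {key: [values]}}. Names are lower-cased (git-config
    ignores their case; subsections such as ref patterns stay exact); repeated
    keys are kept in order because several 'push = ...' lines are distinct rules."""
    cfg, current = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = re.split(r'\s[#;]', raw, maxsplit=1)[0].strip()  # drop trailing comment
        if not line or line[0] in '#;':
            continue
        m = _SECTION.match(line)
        if m:
            current = (m.group(1).lower(), m.group(2))
            continue
        m = _KEY.match(line)
        if m and current is not None:  # a bare 'key' means true, as in git
            cfg[current][m.group(1).lower()].append(
                'true' if m.group(2) is None else m.group(2).strip())
    return cfg

def cfg_get(cfg, section, key, subsection=None, default=None):
    """Last value wins, as git-config does for single-valued keys."""
    values = cfg.get((section, subsection), {}).get(key.lower())
    return values[-1] if values else default

def lint_gerrit_config(cfg):
    """Findings for $site_path/etc/gerrit.config."""
    out = []
    auth = cfg_get(cfg, 'auth', 'type', default='OPENID').upper()  # OPENID is Gerrit's default
    if auth == 'DEVELOPMENT_BECOME_ANY_ACCOUNT':
        out.append('auth.type lets any visitor act as any account; dev instances only')
    elif auth == 'OPENID':
        out.append('auth.type=OPENID is legacy OpenID 2.0; use OAUTH, LDAP or HTTP behind SSO')
    if not cfg_get(cfg, 'gerrit', 'canonicalWebUrl', default='').lower().startswith('https://'):
        out.append('gerrit.canonicalWebUrl is not https://')
    if cfg_get(cfg, 'receive', 'enableSignedPush', default='false').lower() != 'true':
        out.append('receive.enableSignedPush is off; signed pushes cannot be required')
    return out

def effective_rules(cfg, ref):
    """Merge every [access "pattern"] section covering ref: exact names and
    'prefix/*' globs (Gerrit's ^regex patterns are not handled here)."""
    merged = defaultdict(list)
    for (section, pattern), rules in cfg.items():
        if section == 'access' and pattern and (
                pattern == ref or pattern.endswith('/*') and ref.startswith(pattern[:-1])):
            for key, values in rules.items():
                merged[key].extend(values)
    return merged

def lint_project_config(cfg, protected_refs, labels=('Code-Review',)):
    """Findings for an All-Projects style project.config."""
    out = []
    for ref in protected_refs:
        rules = effective_rules(cfg, ref)
        grants = [r for r in rules['push'] if not r.startswith(('block ', 'deny '))]
        if grants:
            out.append(f'{ref}: direct push granted ({"; ".join(grants)})')
        elif not any(r.startswith('block ') for r in rules['push']):
            out.append(f'{ref}: push unset but not blocked; a child project can re-grant it')
        if not rules['label-code-review']:
            out.append(f'{ref}: no label-Code-Review grant, so nobody can vote')
    for label in labels:
        fn = cfg_get(cfg, 'label', 'function', subsection=label)
        if fn is None:
            out.append(f'label "{label}" is not defined')
        elif fn in ('NoBlock', 'NoOp'):
            out.append(f'label "{label}" uses {fn} and can never block submit')
    return out

# Constructed samples: a legacy-style gerrit.config, and a project.config that
# blocks direct branch pushes and routes every change through refs/for/.
WEAK_GERRIT_CONFIG = "[gerrit]\n\tcanonicalWebUrl = https://gerrit.example.com/\n[auth]\n\ttype = OPENID\n"
HARDENED_PROJECT_CONFIG = """
[access "refs/heads/*"]
\tpush = block group Anonymous Users   # nobody pushes straight to a branch
[access "refs/for/refs/*"]
\tpush = group Registered Users        # every change goes through review
[access "refs/heads/main"]
\tlabel-Code-Review = -2..+2 group Reviewers
\tsubmit = group Maintainers
[label "Code-Review"]
\tfunction = MaxWithBlock
\tvalue = -2 Do not submit
\tvalue = +2 Looks good to me, approved
"""

if __name__ == '__main__':
    print(lint_gerrit_config(parse_git_config(WEAK_GERRIT_CONFIG)))
    print(lint_project_config(parse_git_config(HARDENED_PROJECT_CONFIG), ['refs/heads/main']))
```

Against a real site, feed it the contents of $site_path/etc/gerrit.config and the output of `git show refs/meta/config:project.config` run inside All-Projects.git. The block check is the one most often missed: a branch with no push permission looks protected, yet any child project can grant push back to itself, whereas a block rule in All-Projects cannot be overridden below it.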
¶ Backups and recovery
Backup scope:
- Gerrit site directory: $site_path/etc (gerrit.config, secure.config, SSH host keys, replication config), the git directory including All-Projects.git and All-Users.git (on NoteDb installations they hold access rules, groups and accounts), and optionally index and cache, both of which can be rebuilt.
- PostgreSQL (ReviewDb) database on Gerrit 2.x; there is none from 3.0 onwards.
- SSH host keys (so clients do not see a changed host key after a restore) and replication credentials, both restored with their original restrictive permissions.
Restore drill:
- Restore the site directory (and, on 2.x, the database) on a test node; set sendemail.enable = false there so the drill does not notify real users.
- Reindex if the index was not backed up or is stale, with Gerrit stopped: java -jar gerrit.war reindex -d $site_path
- Validate clone, push for review, vote, and submit end to end, and compare the resulting refs with production.
¶ Operational checklist
- HTTPS enforced: canonicalWebUrl uses https, and httpd.listenUrl is https:// or proxy-https:// behind a TLS-terminating reverse proxy.
- Review queues and indexing health monitored (the gerrit show-queue SSH command and $site_path/logs/error_log).
- Email notifications and hooks validated after every upgrade and configuration change.
- Upgrade rollback plan documented, starting from a full site backup taken with Gerrit stopped immediately before running gerrit.war init, since init and reindex modify the site in place.
Running Gerrit in regulated environments? We assist with:
- 🔐 TLS/SSL configuration
- 🔑 Authentication and authorization setup
- 📋 Audit logging and compliance reporting
- 🛡️ Security hardening benchmarks (CIS, STIG)
Secure your deployment: office@linux-server-admin.com | Contact Page