Changes

From SME Server
Jump to navigationJump to search
4,743 bytes added ,  01:57, 19 July 2023
no edit summary
Line 53: Line 53:  
dnf install setroubleshoot-server
 
dnf install setroubleshoot-server
 
setsebool -P allow_httpd_anon_write=1
 
setsebool -P allow_httpd_anon_write=1
setsebool -P httpd_can_network_connect_db 1
   
reboot
 
reboot
 
</syntaxhighlight>Install koji hub and pre-requisites<syntaxhighlight lang="bash">
 
</syntaxhighlight>Install koji hub and pre-requisites<syntaxhighlight lang="bash">
Line 226: Line 225:  
koji=> insert into user_perms (user_id, perm_id, creator_id) values (<id of user inserted above>, 1, <id of user inserted above>);
 
koji=> insert into user_perms (user_id, perm_id, creator_id) values (<id of user inserted above>, 1, <id of user inserted above>);
 
\q
 
\q
</syntaxhighlight>We can now set up the hub itself<syntaxhighlight lang="bash">
+
exit
 +
</syntaxhighlight>We can now set up the hub itself.
 +
 
 +
As we are using SSL certificates, we need to tweak the httpd configs<syntaxhighlight lang="bash">
 
nano /etc/httpd/conf.d/kojihub.conf
 
nano /etc/httpd/conf.d/kojihub.conf
 
</syntaxhighlight>and uncomment the lines as below<syntaxhighlight lang="ini">
 
</syntaxhighlight>and uncomment the lines as below<syntaxhighlight lang="ini">
Line 235: Line 237:  
         SSLOptions +StdEnvVars
 
         SSLOptions +StdEnvVars
 
</Location>
 
</Location>
 +
</syntaxhighlight>Setup the SSL certificates required<syntaxhighlight lang="bash">
 +
nano /etc/httpd/conf.d/ssl.conf
 +
</syntaxhighlight>and add these lines<syntaxhighlight lang="ini">
 +
SSLCertificateFile /etc/pki/koji/certs/kojihub.crt
 +
SSLCertificateKeyFile /etc/pki/koji/private/kojihub.key
 +
SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt
 +
SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt
 +
</syntaxhighlight>Point Koji Hub to the database<syntaxhighlight lang="bash">
 +
nano /etc/koji-hub/hub.conf
 +
</syntaxhighlight>and set these parameters. Make sure that DBHost and DBPass are commented out as we are using the DB on the same host <syntaxhighlight lang="ini">
 +
DBName = koji
 +
DBUser = koji
 +
 +
# If PostgreSQL is on another host, set that here:
 +
#DBHost = db.example.com
 +
#DBPass = mypassword
 +
 +
KojiDir = /mnt/koji
 +
LoginCreatesUser = On
 +
KojiWebURL = https://koji.example.com/koji
 +
</syntaxhighlight>edit the koi-hub conf file for access <syntaxhighlight lang="bash">
 +
nano /etc/koji-hub/hub.conf
 +
</syntaxhighlight>ProxyDNs should be set to the DN of the kojiweb certificate. For example: <syntaxhighlight lang="ini">
 +
DNUsernameComponent = CN
 +
ProxyDNs = CN=koji.koozali.org,OU=kojiweb,O=Koozali,ST=Victoria,C=AU
 +
</syntaxhighlight>create the koji skeleton file system<syntaxhighlight lang="bash">
 +
cd /mnt
 +
mkdir koji
 +
cd koji
 +
mkdir {packages,repos,work,scratch,repos-dist}
 +
chown apache.apache *
 +
</syntaxhighlight>and tweak SELinux to allow apache write access<syntaxhighlight lang="bash">
 +
setsebool -P allow_httpd_anon_write=1
 +
semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?"
 +
restorecon -r -v /mnt/koji
 +
</syntaxhighlight>We'll want the build servers to have access to the koji filesystem via nfs<syntaxhighlight lang="bash">
 +
dnf install nfs-utils
 +
systemctl enable --now nfs-server
 +
nano /etc/exports
 +
 +
</syntaxhighlight>we only have one build server, but you can add additional to the line, separated by a space<syntaxhighlight lang="ini">
 +
/mnt/koji build1.koozali.org(rw,sync,root_squash)
 +
</syntaxhighlight>export, verify and allow Apache access via SELinux<syntaxhighlight lang="bash">
 +
exportfs -ra
 +
exportfs -v
 +
setsebool -P httpd_use_nfs=1
 +
</syntaxhighlight>Allow nfs access through the firewall<syntaxhighlight lang="bash">
 +
firewall-cmd --permanent --add-service=nfs
 +
firewall-cmd --permanent --add-service=mountd
 +
firewall-cmd --permanent --add-service=rpc-bind
 +
firewall-cmd --reload
 +
 +
</syntaxhighlight>Restart httpd<syntaxhighlight lang="bash">
 +
systemctl restart httpd
 +
 +
</syntaxhighlight>
 +
 +
===== Koji CLI client =====
 +
Let's configure the cli client. The system setting is in /etc/koji.conf, individual user settings can be set in ~/.koji/config<syntaxhighlight lang="bash">
 +
nano /etc/koji.conf
 +
 +
</syntaxhighlight>We define the urls of each component and tell it where to find the SSL certificates (we copied them across earlier)<syntaxhighlight lang="ini">
 +
[koji]
 +
 +
;url of XMLRPC server
 +
server = https://koji.koozali.org/kojihub
 +
 +
;url of web interface
 +
weburl = http://koji.koozali.org/koji
 +
 +
;url of package download site
 +
topurl = http://koji.koozali.org/kojifiles
 +
 +
;path to the koji top directory
 +
topdir = /mnt/koji
 +
 +
; configuration for SSL athentication
 +
 +
;client certificate
 +
cert = ~/.koji/client.crt
 +
 +
;certificate of the CA that issued the HTTP server certificate
 +
serverca = ~/.koji/serverca.crt
 +
</syntaxhighlight>Log in as kojiadmin and test the connection<syntaxhighlight lang="bash">
 +
su - kojiadmin
 +
koji moshimoshi
 +
exit
 +
</syntaxhighlight>you should see<syntaxhighlight lang="bash">
 +
zdravstvuite, kojiadmin!
 +
 +
You are using the hub at https://koji.koozali.org/kojihub
 +
Authenticated via client certificate /home/kojiadmin/.koji/client.crt
 +
</syntaxhighlight>
 +
 +
===== Koji Web Service =====
 +
Install the koji web components<syntaxhighlight lang="bash">
 +
dnf install koji-web mod_ssl
 +
</syntaxhighlight>edit the web config file to point at the right urls and SSL certificates<syntaxhighlight lang="bash">
 +
nano /etc/kojiweb/web.conf
 +
</syntaxhighlight><syntaxhighlight lang="ini">
 +
[web]
 +
SiteName = koji
 +
# KojiTheme =
 +
 +
# Necessary urls
 +
KojiHubURL = https://koji.koozali.org/kojihub
 +
KojiFilesURL = http://koji.koozali.org/kojifiles
 +
 +
## Kerberos authentication options
 +
; WebPrincipal = koji/web@EXAMPLE.COM
 +
; WebKeytab = /etc/httpd.keytab
 +
; WebCCache = /var/tmp/kojiweb.ccache
 +
 +
## SSL authentication options
 +
WebCert = /etc/pki/koji/koji-web.pem
 +
KojiHubCA = /etc/pki/koji/koji_ca_cert.crt
 +
 +
LoginTimeout = 72
 +
 +
# This must be set before deployment
 +
Secret = CHANGE_ME
 +
 +
LibPath = /usr/share/koji-web/lib
 +
</syntaxhighlight>Make sure that the firewall will allow http & https access<syntaxhighlight lang="bash">
 +
firewall-cmd --permanent --add-service=http
 +
firewall-cmd --permanent --add-service=https
 +
firewall-cmd --reload
 
</syntaxhighlight>
 
</syntaxhighlight>
381

edits

Navigation menu