Difference between revisions of "Koji Build Farm"

From SME Server
Jump to navigationJump to search
Line 185: Line 185:
 
cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/serverca.crt
 
cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/serverca.crt
 
exit
 
exit
 +
</syntaxhighlight>
 +
 +
====== POSTGRES setup ======
 +
As root we need to do the initial config<syntaxhighlight lang="bash">
 +
postgresql-setup --initdb --unit postgresql
 +
systemctl enable postgresql --now
 +
</syntaxhighlight>We have a different account for managing the database (i.e. create the koji user and add a password)<syntaxhighlight lang="bash">
 +
useradd koji
 +
passwd koji
 +
</syntaxhighlight>Create the koji user and database and add password for user<syntaxhighlight lang="bash">
 +
su - postgres
 +
createuser --no-superuser --no-createrole --no-createdb koji
 +
createdb -O koji koji
 +
psql -c "alter user koji with encrypted password 'mypassword';"
 +
logout
 +
 +
</syntaxhighlight>Create the koji db schema from the included script (need to be the koji user)<syntaxhighlight lang="bash">
 +
su - koji
 +
psql koji koji < /usr/share/doc/koji*/docs/schema.sql
 +
exit
 +
</syntaxhighlight>Authorize the Koji-hub service to PostgreSQL. As the hub and DB are on the same server we are using Unix sockets for connection<syntaxhighlight lang="bash">
 +
nano /var/lib/pgsql/data/pg_hba.conf
 +
</syntaxhighlight>and add the following lines<syntaxhighlight lang="text">
 +
#TYPE  DATABASE    USER    CIDR-ADDRESS      METHOD
 +
local  koji        koji                      trust
 +
local  all        postgres                  peer
 +
</syntaxhighlight>and blank out the listen address (we are using sockets, not via IP)<syntaxhighlight lang="bash">
 +
nano /var/lib/pgsql/data/postgresql.conf
 +
</syntaxhighlight>by changing this line<syntaxhighlight lang="text">
 +
listen_addresses = ''
 +
</syntaxhighlight>and reload the PostgreSQL daemon<syntaxhighlight lang="bash">
 +
systemctl reload postgresql
 +
</syntaxhighlight>add the initial admin user manually to the user database (we need to be the koji user to do this)
 +
 +
We can add additional users and change privileges of those users via the koji command line tool<syntaxhighlight lang="bash">
 +
su - koji
 +
psql
 +
koji=> insert into users (name, status, usertype) values ('admin-user-name', 0, 0);
 +
koji=> select * from users;
 +
koji=> insert into user_perms (user_id, perm_id, creator_id) values (<id of user inserted above>, 1, <id of user inserted above>);
 +
\q
 +
</syntaxhighlight>We can now set up the hub itself<syntaxhighlight lang="bash">
 +
nano /etc/httpd/conf.d/kojihub.conf
 +
</syntaxhighlight>and uncomment the lines as below<syntaxhighlight lang="ini">
 +
# uncomment this to enable authentication via SSL client certificates
 +
<Location /kojihub/ssllogin>
 +
#        SSLVerifyClient require
 +
#        SSLVerifyDepth  10
 +
        SSLOptions +StdEnvVars
 +
</Location>
 
</syntaxhighlight>
 
</syntaxhighlight>

Revision as of 08:51, 18 July 2023

Official Koji documentation can be found at: https://docs.pagure.org/koji/


Important.png Note:
This is a work in progress.....

And some components do not work yet


I'll document what I have done so far, what is working and what is not.

When the build farm is working, we'll add in how to configure it for building smeserver (packages, repositories and ISOs etc.)

Building blocks

A Koji Build farm is comprised of a number of components that work together.

Major Koji components:

  • hub
  • web server
  • build servers
  • build daemon
  • Dnf|Yum repository creation and maintenance daemon

In our build, we will have only 2 servers.

  • hub - which will run the hub, web, build daemon and def|Yum repository daemon
  • build server - there can be multiple of these, but we'll just do 1 to start with

These servers will be based on bare Rocky 8 - minimal install, servers.

Hub/Web Server

OS: Rocky 8.8-minimal

Memory: 8GB

Disk: 20GB (but I'm only using ~25%)

You'll need to set up your network:

Log into your server as root and

nmtui
ip address
ping google.com

I'd suggest an update is in order

dnf update

Configure some basic tools and settings

dnf install setools-console
dnf config-manager --set-enabled powertools
dnf install epel-release
dnf install policycoreutils-python-utils
dnf install rsyslog
dnf install cockpit
systemctl enable cockpit.socket --now
systemctl start cockpit.socket
dnf install setroubleshoot-server
setsebool -P allow_httpd_anon_write=1
setsebool -P httpd_can_network_connect_db 1
reboot

Install koji hub and pre-requisites

dnf install koji-hub mod_ssl
dnf module enable postgresql:10
dnf install postgresql-server
dnf install koji

We'll be using ssl certificates so let's create the koji ssl working directories and edit the koji ssl config file

mkdir -p /etc/pki/koji/{certs,private,confs}
cd /etc/pki/koji
nano ssl.cnf

and insert the following into ssl.conf

I suggest you change the defaults in [req_distinguished_name] to yours to make it easier when generating certs....

Important.png Note:
I suggest you change the defaults in [req_distinguished_name] to yours to make it easier when generating certs....


HOME                    = .
RANDFILE                = .rand

[ca]
default_ca              = ca_default

[ca_default]
dir                     = .
certs                   = $dir/certs
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir/newcerts
certificate             = $dir/%s_ca_cert.pem
private_key             = $dir/private/%s_ca_key.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
x509_extensions         = usr_cert
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 3650
default_crl_days        = 30
default_md              = sha256
preserve                = no
policy                  = policy_match

[policy_match]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req]
default_bits            = 2048
default_keyfile         = privkey.pem
default_md              = sha256
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extensions to add to the self signed cert
string_mask             = MASK:0x2002

[req_distinguished_name]
countryName                     = Country Name (2 letter code)
countryName_default             = AU
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Victoria
localityName                    = Locality Name (eg, city)
localityName_default            = Melbourne
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Koozali
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[req_attributes]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[usr_cert]
basicConstraints                = CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always

[v3_ca]
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always
basicConstraints                = CA:true

Create the ca key for the server

touch index.txt
echo 01 > serial
openssl genrsa -out private/koji_ca_cert.key 2048
openssl req -config ssl.cnf -new -x509 -days 3650 -key private/koji_ca_cert.key -out koji_ca_cert.crt -extensions v3_ca

Create a script to make certs

mkdir -p ~/bin
nano ~/bin/koji_make_cert.sh

and add the following

#!/bin/bash
# if you change your certificate authority name to something else you will
# need to change the caname value to reflect the change.
caname=koji

# user is equal to parameter one or the first argument when you actually
# run the script
user=$1

openssl genrsa -out private/${user}.key 2048
cat ssl.cnf | sed 's/insert_hostname/'${user}'/'> ssl2.cnf
openssl req -config ssl2.cnf -new -nodes -out certs/${user}.csr -key private/${user}.key
openssl ca -config ssl2.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt \
    -out certs/${user}.crt -outdir certs -infiles certs/${user}.csr
cat certs/${user}.crt private/${user}.key > ${user}.pem
mv ssl2.cnf confs/${user}-ssl.cnf

and make it executable

chmod a+x ~/bin/koji_make_cert.sh

Lets create some certificates and add our admin user

koji_make_cert.sh kojihub
koji_make_cert.sh kojiweb
koji_make_cert.sh kojira
koji_make_cert.sh kojid
koji_make_cert.sh kojiadmin
useradd kojiadmin

We need to be the kojiadmin user to get the right permissions when we copy over the required certs, so...

su - kojiadmin
mkdir ~/.koji
cp /etc/pki/koji/kojiadmin.pem ~/.koji/client.crt   # NOTE: It is IMPORTANT you use the PEM and NOT the CRT
cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/clientca.crt
cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/serverca.crt
exit
POSTGRES setup

As root we need to do the initial config

postgresql-setup --initdb --unit postgresql
systemctl enable postgresql --now

We have a different account for managing the database (i.e. create the koji user and add a password)

useradd koji
passwd koji

Create the koji user and database and add password for user

su - postgres
createuser --no-superuser --no-createrole --no-createdb koji
createdb -O koji koji
psql -c "alter user koji with encrypted password 'mypassword';"
logout

Create the koji db schema from the included script (need to be the koji user)

su - koji
psql koji koji < /usr/share/doc/koji*/docs/schema.sql
exit

Authorize the Koji-hub service to PostgreSQL. As the hub and DB are on the same server we are using Unix sockets for connection

nano /var/lib/pgsql/data/pg_hba.conf

and add the following lines

#TYPE   DATABASE    USER    CIDR-ADDRESS      METHOD
local   koji        koji                       trust
local   all         postgres                   peer

and blank out the listen address (we are using sockets, not via IP)

nano /var/lib/pgsql/data/postgresql.conf

by changing this line

listen_addresses = ''

and reload the PostgreSQL daemon

systemctl reload postgresql

add the initial admin user manually to the user database (we need to be the koji user to do this) We can add additional users and change privileges of those users via the koji command line tool

su - koji
psql
koji=> insert into users (name, status, usertype) values ('admin-user-name', 0, 0);
koji=> select * from users;
koji=> insert into user_perms (user_id, perm_id, creator_id) values (<id of user inserted above>, 1, <id of user inserted above>);
\q

We can now set up the hub itself

nano /etc/httpd/conf.d/kojihub.conf

and uncomment the lines as below

# uncomment this to enable authentication via SSL client certificates
<Location /kojihub/ssllogin>
#         SSLVerifyClient require
#         SSLVerifyDepth  10
        SSLOptions +StdEnvVars
</Location>