Changes

Changes

4,743 bytes added , 01:57, 19 July 2023

no edit summary

Line 53: Line 53:

dnf install setroubleshoot-server

setsebool -P allow_httpd_anon_write=1

−

~~setsebool -P httpd_can_network_connect_db 1~~

reboot

</syntaxhighlight>Install koji hub and pre-requisites<syntaxhighlight lang="bash">

Line 226: Line 225:

koji=> insert into user_perms (user_id, perm_id, creator_id) values (<id of user inserted above>, 1, <id of user inserted above>);

−

</syntaxhighlight>We can now set up the hub itself<syntaxhighlight lang="bash">

exit

</syntaxhighlight>We can now set up the hub itself.

As we are using SSL certificates, we need to tweak the httpd configs<syntaxhighlight lang="bash">

nano /etc/httpd/conf.d/kojihub.conf

</syntaxhighlight>and uncomment the lines as below<syntaxhighlight lang="ini">

Line 235: Line 237:

SSLOptions +StdEnvVars

</Location>

</syntaxhighlight>Setup the SSL certificates required<syntaxhighlight lang="bash">

nano /etc/httpd/conf.d/ssl.conf

</syntaxhighlight>and add these lines<syntaxhighlight lang="ini">

SSLCertificateFile /etc/pki/koji/certs/kojihub.crt

SSLCertificateKeyFile /etc/pki/koji/private/kojihub.key

SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt

SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt

</syntaxhighlight>Point Koji Hub to the database<syntaxhighlight lang="bash">

nano /etc/koji-hub/hub.conf

</syntaxhighlight>and set these parameters. Make sure that DBHost and DBPass are commented out as we are using the DB on the same host <syntaxhighlight lang="ini">

DBName = koji

DBUser = koji

# If PostgreSQL is on another host, set that here:

#DBHost = db.example.com

#DBPass = mypassword

KojiDir = /mnt/koji

LoginCreatesUser = On

KojiWebURL = https://koji.example.com/koji

</syntaxhighlight>edit the koi-hub conf file for access <syntaxhighlight lang="bash">

nano /etc/koji-hub/hub.conf

</syntaxhighlight>ProxyDNs should be set to the DN of the kojiweb certificate. For example: <syntaxhighlight lang="ini">

DNUsernameComponent = CN

ProxyDNs = CN=koji.koozali.org,OU=kojiweb,O=Koozali,ST=Victoria,C=AU

</syntaxhighlight>create the koji skeleton file system<syntaxhighlight lang="bash">

cd /mnt

mkdir koji

cd koji

mkdir {packages,repos,work,scratch,repos-dist}

chown apache.apache *

</syntaxhighlight>and tweak SELinux to allow apache write access<syntaxhighlight lang="bash">

setsebool -P allow_httpd_anon_write=1

semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?"

restorecon -r -v /mnt/koji

</syntaxhighlight>We'll want the build servers to have access to the koji filesystem via nfs<syntaxhighlight lang="bash">

dnf install nfs-utils

systemctl enable --now nfs-server

nano /etc/exports

</syntaxhighlight>we only have one build server, but you can add additional to the line, separated by a space<syntaxhighlight lang="ini">

/mnt/koji build1.koozali.org(rw,sync,root_squash)

</syntaxhighlight>export, verify and allow Apache access via SELinux<syntaxhighlight lang="bash">

exportfs -ra

exportfs -v

setsebool -P httpd_use_nfs=1

</syntaxhighlight>Allow nfs access through the firewall<syntaxhighlight lang="bash">

firewall-cmd --permanent --add-service=nfs

firewall-cmd --permanent --add-service=mountd

firewall-cmd --permanent --add-service=rpc-bind

firewall-cmd --reload

</syntaxhighlight>Restart httpd<syntaxhighlight lang="bash">

systemctl restart httpd

</syntaxhighlight>

===== Koji CLI client =====

Let's configure the cli client. The system setting is in /etc/koji.conf, individual user settings can be set in ~/.koji/config<syntaxhighlight lang="bash">

nano /etc/koji.conf

</syntaxhighlight>We define the urls of each component and tell it where to find the SSL certificates (we copied them across earlier)<syntaxhighlight lang="ini">

[koji]

;url of XMLRPC server

server = https://koji.koozali.org/kojihub

;url of web interface

weburl = http://koji.koozali.org/koji

;url of package download site

topurl = http://koji.koozali.org/kojifiles

;path to the koji top directory

topdir = /mnt/koji

; configuration for SSL athentication

;client certificate

cert = ~/.koji/client.crt

;certificate of the CA that issued the HTTP server certificate

serverca = ~/.koji/serverca.crt

</syntaxhighlight>Log in as kojiadmin and test the connection<syntaxhighlight lang="bash">

su - kojiadmin

koji moshimoshi

exit

</syntaxhighlight>you should see<syntaxhighlight lang="bash">

zdravstvuite, kojiadmin!

You are using the hub at https://koji.koozali.org/kojihub

Authenticated via client certificate /home/kojiadmin/.koji/client.crt

</syntaxhighlight>

===== Koji Web Service =====

Install the koji web components<syntaxhighlight lang="bash">

dnf install koji-web mod_ssl

</syntaxhighlight>edit the web config file to point at the right urls and SSL certificates<syntaxhighlight lang="bash">

nano /etc/kojiweb/web.conf

</syntaxhighlight><syntaxhighlight lang="ini">

[web]

SiteName = koji

# KojiTheme =

# Necessary urls

KojiHubURL = https://koji.koozali.org/kojihub

KojiFilesURL = http://koji.koozali.org/kojifiles

## Kerberos authentication options

; WebPrincipal = koji/web@EXAMPLE.COM

; WebKeytab = /etc/httpd.keytab

; WebCCache = /var/tmp/kojiweb.ccache

## SSL authentication options

WebCert = /etc/pki/koji/koji-web.pem

KojiHubCA = /etc/pki/koji/koji_ca_cert.crt

LoginTimeout = 72

# This must be set before deployment

Secret = CHANGE_ME

LibPath = /usr/share/koji-web/lib

</syntaxhighlight>Make sure that the firewall will allow http & https access<syntaxhighlight lang="bash">

firewall-cmd --permanent --add-service=http

firewall-cmd --permanent --add-service=https

firewall-cmd --reload

</syntaxhighlight>

TrevorB

381

edits

Retrieved from "https://wiki.koozali.org/Special:MobileDiff/42143"

Koji Build Farm (view source)

Revision as of 01:57, 19 July 2023

Navigation menu

Search