Line 1: |
Line 1: |
| + | {{Note box|This howto is for building your own koji build farm. |
| + | For how to use the koozali.org build farm, please see [[Koji Usage]]}} |
| + | |
| Official Koji documentation can be found at: https://docs.pagure.org/koji/ | | Official Koji documentation can be found at: https://docs.pagure.org/koji/ |
| | | |
| {{Note box|This is a work in progress..... | | {{Note box|This is a work in progress..... |
− | And some components do not work yet}} | + | And some components do not work yet.}} |
| | | |
| I'll document what I have done so far, what is working and what is not. | | I'll document what I have done so far, what is working and what is not. |
Line 13: |
Line 16: |
| Major Koji components: | | Major Koji components: |
| | | |
− | * hub | + | * hub (koji-hub) |
− | * web server | + | * web server (koji-web) |
− | * build servers | + | * builders |
− | * build daemon | + | * build daemon (kojid) |
− | * Dnf|Yum repository creation and maintenance daemon | + | * Dnf|Yum repository creation and maintenance daemon (kojira) |
| + | |
| + | You need at least the one server which can perform all functions, or split it into a hub, web plus 1+ build servers. |
| + | |
| + | A typical scenario will be to have 2+ servers. |
| + | |
| + | * hub - which will run the hub, web and dnf|Yum repository daemon |
| + | * builders - there can be multiple of these |
| + | |
| + | For our purposes, all of these servers will be based on bare Rocky 8 - minimal install, servers. |
| + | |
| + | == Install == |
| + | {{Note box|1=You can run everything (the hub, web and build) on the one server, just run the script without any parameters.}} |
| + | |
| + | Create your hub, web and build servers (Rocky 8 minimal install). |
| + | |
| + | On all servers enable the network and name the servers as the FQDN (the servers need to be accessible via their FQDN's, so either via DNS or you need to add them to your /etc/hosts files). |
| + | |
| + | It's also a good idea to update them to the latest |
| + | <syntaxhighlight lang="bash"> |
| + | nmtui |
| + | dnf update |
| + | </syntaxhighlight> |
| + | Log into the hub server, download and run the install script |
| + | <syntaxhighlight lang="bash"> |
| + | curl https://src.koozali.org/smedev/smeserver-koji/raw/branch/master/install-koji-farm.sh > install-koji-farm.sh |
| + | chmod o+x install-koji-farm.sh |
| + | ./install-koji-farm.sh |
| + | </syntaxhighlight> |
| + | The install-koji-farm.sh script will accept multiple parameters<syntaxhighlight lang="bash"> |
| + | install-koji-farm.sh [web=<web FQDN> | build=<build FQDN> | scm=<scm ip or name>:/* | debug] |
| + | </syntaxhighlight> |
| + | |
| + | * web=<FQDN> - defaults to hub FQDN |
| + | *build=<FQDN> - multiple allowed |
| + | *scm=<IP or Name of SCM>:/* - multiple allowed |
| + | *debug - will list each line executed, plus lots of other gunk (very noisy) |
| + | |
| + | You will be prompted for various items |
| | | |
− | In our build, we will have only 2 servers.
| + | *values for your ssl certificates (e.g. Country, State, City, Organization, Organisational Unit) |
| + | * For the web server (unless it's the hub) |
| + | **to accept the build server signature |
| + | **for the root password on the web server |
| + | *For each build server |
| + | **to accept the build server signature |
| + | **for the root password on the build server |
| | | |
− | * hub - which will run the hub, web, build daemon and def|Yum repository daemon
| + | The web interface will be available via http://<your hub server>/koji |
− | * build server - there can be multiple of these, but we'll just do 1 to start with
| |
| | | |
− | These servers will be based on bare Rocky 8 - minimal install, servers.
| + | === Build Targets === |
| + | This will have created 6 build targets with various build tags to use |
| | | |
− | ===== Hub/Web Server ===== | + | * dist-sme10-os (dist-sme10-os-build) |
| + | * dist-sme10-contribs (dist-sme10-contribs-build) |
| + | * dist-sme11-os (dist-sme11-os-build) |
| + | * dist-sme11-contribs (dist-sme11-contribs-build) |
| + | * dist-sme12-os (dist-sme12-os-build) |
| + | * dist-sme12-contribs (dist-sme12-contribs-build) |
| + | There is a hierarchy inheritance structure for each release (see 10, 11 & 12), where the basic settings are inherited (e.g. yum or dnf, centos:7 or rockylinux:8 bootstrap image for mock) as well as which external repositories to use (e.g. centos7/el7 versions or rocky8/el8 versions) |
| + | |
| + | + dist-sme<release>-os |
| + | |
| + | ++ dist-sme<release>-os-build |
| + | |
| + | ++ dist-sme<release>-contribs |
| + | |
| + | +++ dist-sme<release>-contribs-buikl |
| + | |
| + | ++ dist-sme<release>-addons |
| + | |
| + | ++ dist-sme<release>-testing |
| + | |
| + | ++ dist-sme<release>-updates |
| + | |
| + | ++ dist-sme<release>-updates-testing |
| + | |
| + | How to build etc. will be covered in the 'to be written' koji usage page...... |
| + | |
| + | ===Additional Builders=== |
| + | |
| + | You can add additional build servers later, via<syntaxhighlight lang="bash"> |
| + | koji-add-builder.sh <FQDN of build server> [debug] |
| + | </syntaxhighlight> |
| + | |
| + | ===Additional Users=== |
| + | You can add end Users via |
| + | <syntaxhighlight lang="bash"> |
| + | koji-add-user.sh <User Name> [ permission=<permission> | debug ] |
| + | </syntaxhighlight> |
| + | Where <permission> could be "admin". |
| + | |
| + | This will add the user into the koji db and generate ssl CLI and browser keys, which will be bundled up in a tgz file at /etc/pki/koji/bundle/koji-<User Name>-bundle.tgz. |
| + | |
| + | This bundle should be copied and extracted into their home (~) directory and will create a .koji directory containing config and keys.This can be on a remote machine with the koji client installed. |
| + | <syntaxhighlight lang="bash"> |
| + | cd ~ |
| + | tar -zxf koji-<User Name>-bundle.tgz |
| + | koji moshimoshi |
| + | </syntaxhighlight> |
| + | |
| + | === Bootstrap === |
| + | The setup of the repos used for building SME10, SME11 & SME12 are all included in the install script, but a brief description of what has been setup seems sensible. |
| + | |
| + | ==Install - The long way (Beware: Demons lurk here) == |
| + | {{Warning box|This has been left here to help understand what is in the scripts (which may have changed since this was written)}} |
| + | |
| + | =====Hub/Web Server===== |
| OS: Rocky 8.8-minimal | | OS: Rocky 8.8-minimal |
| | | |
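Review bot: `chmod o+x install-koji-farm.sh` sets the execute bit for "other" users only, so the following `./install-koji-farm.sh` works here just because root bypasses mode checks (any execute bit suffices); use `chmod u+x` or `chmod +x`, and fetch with `curl -fsSL -o install-koji-farm.sh <url>` so a 404 or error page is not saved and then executed as root. Since the script runs as root and, per the prompt list, logs into the web and build servers with their root passwords, the text should tell readers to read the script before running it and that key-based SSH access (or a dedicated account) is preferable to password prompts between farm hosts. The build-tag tree has a typo: `+++ dist-sme<release>-contribs-buikl` should be `-contribs-build`, matching the target list above it. The user bundle `/etc/pki/koji/bundle/koji-<User Name>-bundle.tgz` contains the user's private keys, so say to deliver it over an authenticated channel (scp, not e-mail), delete it from the hub once handed over, and check that `~/.koji` ends up mode 0700 with the key files 0600 after `tar -zxf`.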
Line 33: |
Line 134: |
| Disk: 20GB (but I'm only using ~25%) | | Disk: 20GB (but I'm only using ~25%) |
| | | |
− | You'll need to set up your network: | + | FQDN: koji.koozali.org |
| + | |
| + | You'll need to set up your network: either during install or post install (enable adapter, FQDN, IP address, Gateway, DNS) |
| | | |
| Log into your server as root and<syntaxhighlight lang="bash"> | | Log into your server as root and<syntaxhighlight lang="bash"> |
Line 39: |
Line 142: |
| ip addr | | ip addr |
| ping google.com | | ping google.com |
− | </syntaxhighlight>I'd suggest an update is in order<syntaxhighlight lang="bash"> | + | </syntaxhighlight>Let's bring the server up to date<syntaxhighlight lang="bash"> |
| dnf update | | dnf update |
| | | |
− | </syntaxhighlight>Configure some basic tools and settings<syntaxhighlight lang="bash"> | + | </syntaxhighlight>I installed and configured some basic tools and settings to help manage and debug the server (Cockpit can be accessed at http://<ip address or name>:9090)<syntaxhighlight lang="bash"> |
− | dnf install setools-console
| + | systemctl enable --now cockpit.socket |
| + | systemctl start cockpit.socket |
| dnf config-manager --set-enabled powertools | | dnf config-manager --set-enabled powertools |
| dnf install epel-release | | dnf install epel-release |
| dnf install policycoreutils-python-utils | | dnf install policycoreutils-python-utils |
| + | dnf install setools-console |
| dnf install rsyslog | | dnf install rsyslog |
− | dnf install cockpit
| |
− | systemctl enable cockpit.socket --now
| |
− | systemctl start cockpit.socket
| |
| dnf install setroubleshoot-server | | dnf install setroubleshoot-server |
− | setsebool -P allow_httpd_anon_write=1
| |
| reboot | | reboot |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
− | ===== SSL preparations ===== | + | =====SSL preparations===== |
| We'll be using ssl certificates so let's create the koji ssl working directories and edit the koji ssl config file | | We'll be using ssl certificates so let's create the koji ssl working directories and edit the koji ssl config file |
| | | |
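Review bot: `systemctl start cockpit.socket` immediately after `systemctl enable --now cockpit.socket` is redundant, since `--now` already starts the unit; drop one of them. More importantly, the text now points readers at `http://<ip address or name>:9090`, a root-capable web console on the build hub that the default Rocky 8 firewalld public zone already allows through, so the howto should either restrict it (`firewall-cmd --permanent --remove-service=cockpit`, or bind it to a management address) or say to disable it once setup is done. Cockpit also redirects http to https with a self-signed certificate, which is worth a sentence so readers do not mistake the browser warning for a fault.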
Line 62: |
Line 163: |
| mkdir -p /etc/pki/koji/{certs,private,confs} | | mkdir -p /etc/pki/koji/{certs,private,confs} |
| cd /etc/pki/koji | | cd /etc/pki/koji |
− | nano ssl.cnf
| |
− |
| |
− | </syntaxhighlight>and insert the following into ssl.conf
| |
| | | |
− | I suggest you change the defaults in [req_distinguished_name] to yours to make it easier when generating certs....
| + | </syntaxhighlight>and create ssl.cnf<syntaxhighlight lang="ini"> |
− | {{Note box|I suggest you change the defaults in [req_distinguished_name] to yours to make it easier when generating certs....}}<syntaxhighlight lang="ini">
| + | cat <<_EOT > /etc/pki/koji/ssl.cnf |
| HOME = . | | HOME = . |
| RANDFILE = .rand | | RANDFILE = .rand |
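Review bot: the heredoc `cat <<_EOT > /etc/pki/koji/ssl.cnf` uses an unquoted delimiter, which is why every `$dir` in the config had to become `\$dir`; quoting it (`cat <<'_EOT' > /etc/pki/koji/ssl.cnf`) turns expansion off so the config can be pasted verbatim, and a forgotten backslash can no longer silently expand a variable to an empty string (a bare `$dir/private/%s_ca_key.pem` would become `/private/%s_ca_key.pem` and the CA signing step would fail with a confusing error). Consider also a `umask 077` before `mkdir -p /etc/pki/koji/{certs,private,confs}` so the `private/` directory is not created world-readable.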
Line 76: |
Line 174: |
| [ca_default] | | [ca_default] |
| dir = . | | dir = . |
− | certs = $dir/certs | + | certs = \$dir/certs |
− | crl_dir = $dir/crl | + | crl_dir = \$dir/crl |
− | database = $dir/index.txt | + | database = \$dir/index.txt |
− | new_certs_dir = $dir/newcerts | + | new_certs_dir = \$dir/newcerts |
− | certificate = $dir/%s_ca_cert.pem | + | certificate = \$dir/%s_ca_cert.pem |
− | private_key = $dir/private/%s_ca_key.pem | + | private_key = \$dir/private/%s_ca_key.pem |
− | serial = $dir/serial | + | serial = \$dir/serial |
− | crl = $dir/crl.pem | + | crl = \$dir/crl.pem |
| x509_extensions = usr_cert | | x509_extensions = usr_cert |
| name_opt = ca_default | | name_opt = ca_default |
Line 143: |
Line 241: |
| authorityKeyIdentifier = keyid:always,issuer:always | | authorityKeyIdentifier = keyid:always,issuer:always |
| basicConstraints = CA:true | | basicConstraints = CA:true |
− | </syntaxhighlight>Create the ca key for the server<syntaxhighlight lang="bash"> | + | _EOT |
| + | </syntaxhighlight>{{Note box|I suggest you change the defaults in [req_distinguished_name] to yours to make it easier when generating certs....}} |
| + | Create the ca key for the server<syntaxhighlight lang="bash"> |
| + | cd /etc/pki/koji |
| touch index.txt | | touch index.txt |
| echo 01 > serial | | echo 01 > serial |
Line 151: |
Line 252: |
| | | |
| | | |
− | Create a script to make certs<syntaxhighlight lang="bash"> | + | |
| + | Create a script to make certs and make it executable<syntaxhighlight lang="bash"> |
| mkdir -p ~/bin | | mkdir -p ~/bin |
− | nano ~/bin/koji_make_cert.sh
| + | cat <<_EOT > ~/bin/koji_make_cert.sh |
− | </syntaxhighlight>and add the following<syntaxhighlight lang="bash">
| |
| #!/bin/bash | | #!/bin/bash |
| # if you change your certificate authority name to something else you will | | # if you change your certificate authority name to something else you will |
Line 162: |
Line 263: |
| # user is equal to parameter one or the first argument when you actually | | # user is equal to parameter one or the first argument when you actually |
| # run the script | | # run the script |
− | user=$1 | + | user=\$1 |
| | | |
− | openssl genrsa -out private/${user}.key 2048 | + | openssl genrsa -out private/\${user}.key 2048 |
− | cat ssl.cnf | sed 's/insert_hostname/'${user}'/'> ssl2.cnf | + | cat ssl.cnf | sed 's/insert_hostname/'\${user}'/'> ssl2.cnf |
− | openssl req -config ssl2.cnf -new -nodes -out certs/${user}.csr -key private/${user}.key | + | openssl req -config ssl2.cnf -new -nodes -out certs/\${user}.csr -key private/\${user}.key |
− | openssl ca -config ssl2.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt \ | + | openssl ca -config ssl2.cnf -keyfile private/\${caname}_ca_cert.key -cert \${caname}_ca_cert.crt \ |
− | -out certs/${user}.crt -outdir certs -infiles certs/${user}.csr | + | -out certs/\${user}.crt -outdir certs -infiles certs/\${user}.csr |
− | cat certs/${user}.crt private/${user}.key > ${user}.pem | + | cat certs/\${user}.crt private/\${user}.key > \${user}.pem |
− | mv ssl2.cnf confs/${user}-ssl.cnf | + | mv ssl2.cnf confs/\${user}-ssl.cnf |
− | </syntaxhighlight>and make it executable<syntaxhighlight lang="bash">
| + | _EOT |
| chmod a+x ~/bin/koji_make_cert.sh | | chmod a+x ~/bin/koji_make_cert.sh |
− | </syntaxhighlight>Lets create some certificates and add our admin user | + | </syntaxhighlight>Lets create some certificates and add our admin user{{Note box|The koji documentation states that the kojihub and kojiweb certs must have the fully qualified server name as the common name (e.g. koji.koozali.org). You can differentiate them via the organisation unit name (e.g. kojihub and kojiweb). |
− | {{Note box|The koji documentation states that the kojihub and kojiweb certs must have the fully qualified server name as the common name (e.g. koji.koozali.org). You can differentiate them via the organisation unit name (e.g. kojihub and kojiweb). | |
| | | |
| For the others, the common name should be the login name for that cert (e.g. kojira, kojid, kojiadmin).}}<syntaxhighlight lang="bash"> | | For the others, the common name should be the login name for that cert (e.g. kojira, kojid, kojiadmin).}}<syntaxhighlight lang="bash"> |
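Review bot: `cat certs/\${user}.crt private/\${user}.key > \${user}.pem` writes the private key into a new file in /etc/pki/koji under the default umask, i.e. world-readable, and the later steps copy exactly those .pem files around as the credentials for kojiadmin, kojiweb and the builder; put `umask 077` at the top of the script (current `openssl genrsa` creates its own output 0600, but `cat` and the shell redirection do not). The script also relies on being run from /etc/pki/koji (every path is relative and there is no `cd`), which is fine for the first calls but will fail, or scatter keys elsewhere, when `koji_make_cert.sh build1.koozali.org` is run later from another directory; add `cd /etc/pki/koji || exit 1` and `set -euo pipefail` after the shebang. `cat ssl.cnf | sed ...` can simply be `sed ... ssl.cnf`.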
Line 182: |
Line 282: |
| koji_make_cert.sh kojid | | koji_make_cert.sh kojid |
| koji_make_cert.sh kojiadmin | | koji_make_cert.sh kojiadmin |
− | </syntaxhighlight>Now we create the koji administration user (kojiadmin) and set up the certs.
| |
− |
| |
− | We need to be the kojiadmin user to get the right permissions when we copy over the required certs, so...<syntaxhighlight lang="bash">
| |
− | useradd kojiadmin
| |
− | su - kojiadmin
| |
− | mkdir ~/.koji
| |
− | cp /etc/pki/koji/kojiadmin.pem ~/.koji/client.crt # NOTE: It is IMPORTANT you use the PEM and NOT the CRT
| |
− | cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/clientca.crt
| |
− | cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/serverca.crt
| |
− | exit
| |
| </syntaxhighlight> | | </syntaxhighlight> |
− | | + | ====== Koji Hub====== |
− | ====== Koji Hub ====== | |
| Install koji hub and pre-requisites<syntaxhighlight lang="bash"> | | Install koji hub and pre-requisites<syntaxhighlight lang="bash"> |
| dnf install koji-hub mod_ssl | | dnf install koji-hub mod_ssl |
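Review bot: the `kojid` certificate created by `koji_make_cert.sh kojid` just above is not used anywhere later; the builder logs in with the `build1.koozali.org` certificate, and with SSL login the hub derives the host's user name from the certificate CN (`DNUsernameComponent = CN`), so the `user=` value in kojid.conf has to match that CN. Either drop the `kojid` line or explain what it is for. Moving the kojiadmin user creation after the `/etc/koji.conf` step is a good change, since the test login depends on that file.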
Line 201: |
Line 290: |
| dnf install koji | | dnf install koji |
| </syntaxhighlight> | | </syntaxhighlight> |
− | ====== POSTGRES setup ====== | + | ======POSTGRES setup====== |
− | As root we need to do the initial config and add the initial user<syntaxhighlight lang="bash"> | + | As root we need to do the initial config<syntaxhighlight lang="bash"> |
| postgresql-setup --initdb --unit postgresql | | postgresql-setup --initdb --unit postgresql |
| systemctl enable postgresql --now | | systemctl enable postgresql --now |
Line 221: |
Line 310: |
| </syntaxhighlight>Authorize the Koji-hub service to PostgreSQL. As the hub and DB are on the same server we are using Unix sockets for connection<syntaxhighlight lang="bash"> | | </syntaxhighlight>Authorize the Koji-hub service to PostgreSQL. As the hub and DB are on the same server we are using Unix sockets for connection<syntaxhighlight lang="bash"> |
| nano /var/lib/pgsql/data/pg_hba.conf | | nano /var/lib/pgsql/data/pg_hba.conf |
− | </syntaxhighlight>and add the following lines<syntaxhighlight lang="text"> | + | </syntaxhighlight>and add the following lines (before the other settings)<syntaxhighlight lang="text"> |
| #TYPE DATABASE USER CIDR-ADDRESS METHOD | | #TYPE DATABASE USER CIDR-ADDRESS METHOD |
| local koji koji trust | | local koji koji trust |
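Review bot: `local koji koji trust` (the line the text says to add "before the other settings") lets any local OS account connect to the koji database as the `koji` DB user with no password, so a shell as `kojiadmin` or any other unprivileged user on the hub can edit users, permissions and tags directly. Since the hub runs as `apache`, prefer a password-authenticated entry (`local koji koji scram-sha-256` with the password in `DBPass` in hub.conf) or a `peer` rule with a pg_ident map from `apache` to `koji`, and keep `trust` at most for the manual `su - koji; psql` bootstrap step.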
Line 233: |
Line 322: |
| </syntaxhighlight>add the initial admin user manually to the user database (we need to be the koji user to do this) | | </syntaxhighlight>add the initial admin user manually to the user database (we need to be the koji user to do this) |
| | | |
− | We can add additional users and change privileges of those users via the koji command line tool<syntaxhighlight lang="bash"> | + | We can add additional users and change privileges of those users via the koji command line tool after this |
| + | {{Note box|For the user_perms, we check the user_id of the user we created. |
| + | If it's not 1, the user_perms line should be |
| + | |
| + | insert into user_perms (user_id, perm_id, creator_id) values (<user_id>, 1, <user_id>);}}<syntaxhighlight lang="bash"> |
| su - koji | | su - koji |
| psql | | psql |
− | koji=> insert into users (name, status, usertype) values ('admin-user-name', 0, 0); | + | koji=> insert into users (name, status, usertype) values ('kojiadmin', 0, 0); |
| koji=> select * from users; | | koji=> select * from users; |
− | koji=> insert into user_perms (user_id, perm_id, creator_id) values (<id of user inserted above>, 1, <id of user inserted above>); | + | koji=> insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1); |
| \q | | \q |
| exit | | exit |
− | </syntaxhighlight>We can now set up the hub itself. | + | </syntaxhighlight> |
| + | |
| + | =====Koji hub setup===== |
| + | We can now set up the hub itself. |
| | | |
| As we are using SSL certificates, we need to tweak the httpd configs<syntaxhighlight lang="bash"> | | As we are using SSL certificates, we need to tweak the httpd configs<syntaxhighlight lang="bash"> |
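Review bot: `insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);` hard-codes perm_id 1 as well as the user id; the note box covers the user id, but readers should also confirm that id 1 is `admin` with `select * from permissions;`. A single statement that avoids both assumptions: `insert into user_perms (user_id, perm_id, creator_id) select u.id, p.id, u.id from users u, permissions p where u.name = 'kojiadmin' and p.name = 'admin';`.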
Line 254: |
Line 350: |
| </syntaxhighlight>Setup the SSL certificates required<syntaxhighlight lang="bash"> | | </syntaxhighlight>Setup the SSL certificates required<syntaxhighlight lang="bash"> |
| nano /etc/httpd/conf.d/ssl.conf | | nano /etc/httpd/conf.d/ssl.conf |
− | </syntaxhighlight>and add these lines<syntaxhighlight lang="ini"> | + | </syntaxhighlight>and add these lines and comment out any existing sample lines that do NOT point at valid certs etc.<syntaxhighlight lang="ini"> |
| SSLCertificateFile /etc/pki/koji/certs/kojihub.crt | | SSLCertificateFile /etc/pki/koji/certs/kojihub.crt |
| SSLCertificateKeyFile /etc/pki/koji/private/kojihub.key | | SSLCertificateKeyFile /etc/pki/koji/private/kojihub.key |
| SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt | | SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt |
| SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt | | SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt |
| + | </syntaxhighlight>and uncomment the following lines<syntaxhighlight lang="text"> |
| + | SSLVerifyClient require |
| + | SSLVerifyDepth 10 |
| + | |
| </syntaxhighlight>Point Koji Hub to the database<syntaxhighlight lang="bash"> | | </syntaxhighlight>Point Koji Hub to the database<syntaxhighlight lang="bash"> |
| nano /etc/koji-hub/hub.conf | | nano /etc/koji-hub/hub.conf |
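Review bot: uncommenting `SSLVerifyClient require` in the default ssl.conf virtual host applies to every HTTPS request to the server, so browsers without a client certificate can no longer reach /koji or /kojifiles over https, which appears to be why the later configs fall back to plain http for the web UI and file URLs. Koji only needs the client certificate on the hub, so scope it instead (a `<Location /kojihub>` block, or the `<Location /koji/login>` block that the kojiweb.conf step already contains) and keep the hub URL on https. `SSLCertificateChainFile` is also deprecated in httpd 2.4 (the CA chain can be appended to the file named by `SSLCertificateFile`), though it still works on Rocky 8's 2.4.37.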
Line 271: |
Line 371: |
| KojiDir = /mnt/koji | | KojiDir = /mnt/koji |
| LoginCreatesUser = On | | LoginCreatesUser = On |
− | KojiWebURL = https://koji.example.com/koji | + | KojiWebURL = http://koji.koozali.org/koji |
− | </syntaxhighlight>edit the koi-hub conf file for access <syntaxhighlight lang="bash">
| |
− | nano /etc/koji-hub/hub.conf
| |
| </syntaxhighlight>ProxyDNs should be set to the DN of the kojiweb certificate. For example: <syntaxhighlight lang="ini"> | | </syntaxhighlight>ProxyDNs should be set to the DN of the kojiweb certificate. For example: <syntaxhighlight lang="ini"> |
| DNUsernameComponent = CN | | DNUsernameComponent = CN |
− | ProxyDNs = CN=koji.koozali.org,OU=kojiweb,O=Koozali,ST=Victoria,C=AU | + | ProxyDNs = /C=AU/ST=Victoria/L=Melbourne/O=koji/OU=kojiweb/CN=koji.koozali.org |
− | </syntaxhighlight>create the koji skeleton file system<syntaxhighlight lang="bash"> | + | </syntaxhighlight>SELinux changes to allow access<syntaxhighlight lang="bash"> |
| + | setsebool -P httpd_can_network_connect_db 1 |
| + | </syntaxhighlight>Restart httpd<syntaxhighlight lang="bash"> |
| + | systemctl restart httpd |
| + | |
| + | </syntaxhighlight> |
| + | |
| + | =====Create the koji skeleton file system===== |
| + | <syntaxhighlight lang="bash"> |
| cd /mnt | | cd /mnt |
| mkdir koji | | mkdir koji |
| cd koji | | cd koji |
| mkdir {packages,repos,work,scratch,repos-dist} | | mkdir {packages,repos,work,scratch,repos-dist} |
− | chown apache.apache * | + | chown apache:apache * |
| </syntaxhighlight>and tweak SELinux to allow apache write access<syntaxhighlight lang="bash"> | | </syntaxhighlight>and tweak SELinux to allow apache write access<syntaxhighlight lang="bash"> |
| setsebool -P allow_httpd_anon_write=1 | | setsebool -P allow_httpd_anon_write=1 |
| semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?" | | semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?" |
| restorecon -r -v /mnt/koji | | restorecon -r -v /mnt/koji |
− | </syntaxhighlight>We'll want the build servers to have access to the koji filesystem via nfs<syntaxhighlight lang="bash"> | + | </syntaxhighlight>Make sure that the firewall will allow http & https access<syntaxhighlight lang="bash"> |
− | dnf install nfs-utils
| + | firewall-cmd --permanent --add-service=http |
− | systemctl enable --now nfs-server
| + | firewall-cmd --permanent --add-service=https |
− | nano /etc/exports
| |
− | | |
− | </syntaxhighlight>we only have one build server, but you can add additional to the line, separated by a space<syntaxhighlight lang="ini">
| |
− | /mnt/koji build1.koozali.org(rw,sync,root_squash)
| |
− | </syntaxhighlight>export, verify and allow Apache access via SELinux<syntaxhighlight lang="bash">
| |
− | exportfs -ra
| |
− | exportfs -v
| |
− | setsebool -P httpd_use_nfs=1
| |
− | </syntaxhighlight>Allow nfs access through the firewall<syntaxhighlight lang="bash">
| |
− | firewall-cmd --permanent --add-service=nfs
| |
− | firewall-cmd --permanent --add-service=mountd | |
− | firewall-cmd --permanent --add-service=rpc-bind | |
| firewall-cmd --reload | | firewall-cmd --reload |
− |
| |
− | </syntaxhighlight>Restart httpd<syntaxhighlight lang="bash">
| |
− | systemctl restart httpd
| |
− |
| |
| </syntaxhighlight> | | </syntaxhighlight> |
− | | + | ===== Koji CLI client===== |
− | ===== Koji CLI client ===== | |
| Let's configure the cli client. The system setting is in /etc/koji.conf, individual user settings can be set in ~/.koji/config<syntaxhighlight lang="bash"> | | Let's configure the cli client. The system setting is in /etc/koji.conf, individual user settings can be set in ~/.koji/config<syntaxhighlight lang="bash"> |
| nano /etc/koji.conf | | nano /etc/koji.conf |
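Review bot: `ProxyDNs = /C=AU/ST=Victoria/L=Melbourne/O=koji/OU=kojiweb/CN=koji.koozali.org` switches to the old slash-separated OpenSSL DN format, but httpd 2.4 exports `SSL_CLIENT_S_DN` in RFC 2253 form (`CN=koji.koozali.org,OU=kojiweb,O=koji,L=Melbourne,ST=Victoria,C=AU`) unless `SSLOptions +LegacyDNStringFormat` is set, and the hub compares the two strings exactly, so the web login proxy silently stops working if the formats differ; check the DN string httpd actually passes (the apache error log on a failed login shows it) before changing this line, and note the `O=` value must be the one used when `koji_make_cert.sh kojiweb` was run. `LoginCreatesUser = On` also means any certificate signed by the koji CA creates a hub account on first login, so the CA key under /etc/pki/koji/private is effectively the user database; fine for a private farm, but worth stating next to the option.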
Line 317: |
Line 406: |
| | | |
| ;url of XMLRPC server | | ;url of XMLRPC server |
− | server = https://koji.koozali.org/kojihub | + | server = http://koji.koozali.org/kojihub |
| | | |
| ;url of web interface | | ;url of web interface |
− | weburl = http://koji.koozali.org/koji | + | weburl = https://koji.koozali.org/koji |
| | | |
| ;url of package download site | | ;url of package download site |
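Review bot: the hub URL and web URL swap protocols here (`server = http://koji.koozali.org/kojihub`, `weburl = https://koji.koozali.org/koji`), and the http hub URL breaks certificate login: the `cert`/`serverca` options below are only used on a TLS connection, and the hub's sslLogin checks the client certificate from the TLS handshake (`SSL_CLIENT_VERIFY`), which plain http never provides. The `koji moshimoshi` output quoted further down ("You are using the hub at https://koji.koozali.org/kojihub") was clearly produced with the https value, so keep `server = https://...`; if the motivation was the global `SSLVerifyClient require`, scope that directive to the hub instead.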
Line 335: |
Line 424: |
| ;certificate of the CA that issued the HTTP server certificate | | ;certificate of the CA that issued the HTTP server certificate |
| serverca = ~/.koji/serverca.crt | | serverca = ~/.koji/serverca.crt |
− | </syntaxhighlight>Log in as kojiadmin and test the connection<syntaxhighlight lang="bash"> | + | </syntaxhighlight>Now we create the koji administration user (kojiadmin) and set up the certs. |
| + | |
| + | We need to be the kojiadmin user to get the right permissions when we copy over the required certs, so...<syntaxhighlight lang="bash"> |
| + | useradd kojiadmin |
| su - kojiadmin | | su - kojiadmin |
| + | mkdir ~/.koji |
| + | cp /etc/pki/koji/kojiadmin.pem ~/.koji/client.crt # NOTE: It is IMPORTANT you use the PEM and NOT the CRT |
| + | cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/clientca.crt |
| + | cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/serverca.crt |
| + | chmod 0600 ~/.koji/*.crt |
| + | </syntaxhighlight>Test the connection<syntaxhighlight lang="bash"> |
| koji moshimoshi | | koji moshimoshi |
− | exit
| |
| </syntaxhighlight>you should see<syntaxhighlight lang="bash"> | | </syntaxhighlight>you should see<syntaxhighlight lang="bash"> |
| zdravstvuite, kojiadmin! | | zdravstvuite, kojiadmin! |
Line 344: |
Line 441: |
| You are using the hub at https://koji.koozali.org/kojihub | | You are using the hub at https://koji.koozali.org/kojihub |
| Authenticated via client certificate /home/kojiadmin/.koji/client.crt | | Authenticated via client certificate /home/kojiadmin/.koji/client.crt |
| + | </syntaxhighlight>and don't forget to logout from the kojiadmin user :)<syntaxhighlight lang="bash"> |
| + | exit |
| </syntaxhighlight> | | </syntaxhighlight> |
| | | |
− | ===== Koji Web Service ===== | + | =====Koji Web Service===== |
| Install the koji web components<syntaxhighlight lang="bash"> | | Install the koji web components<syntaxhighlight lang="bash"> |
| dnf install koji-web mod_ssl | | dnf install koji-web mod_ssl |
| </syntaxhighlight>edit the web config file to point at the right urls and SSL certificates<syntaxhighlight lang="bash"> | | </syntaxhighlight>edit the web config file to point at the right urls and SSL certificates<syntaxhighlight lang="bash"> |
| nano /etc/kojiweb/web.conf | | nano /etc/kojiweb/web.conf |
− | </syntaxhighlight><syntaxhighlight lang="ini"> | + | </syntaxhighlight>Please insert a random string into the secret (replace CHANGE_ME)<syntaxhighlight lang="ini"> |
| [web] | | [web] |
| SiteName = koji | | SiteName = koji |
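Review bot: `cp /etc/pki/koji/kojiadmin.pem ~/.koji/client.crt` run as `kojiadmin` only succeeds because the .pem (which embeds the private key) is readable by every user, which is the wrong property to rely on; do the copy as root with `install -o kojiadmin -g kojiadmin -m 0600 /etc/pki/koji/kojiadmin.pem /home/kojiadmin/.koji/client.crt` (and `chmod 0700 /home/kojiadmin/.koji`), then tighten /etc/pki/koji/*.pem to 0600. For the kojiweb `Secret`, "insert a random string" is better stated as a command, e.g. `openssl rand -hex 32`, since the value signs the web session cookies and a guessable one lets them be forged.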
Line 357: |
Line 456: |
| | | |
| # Necessary urls | | # Necessary urls |
− | KojiHubURL = https://koji.koozali.org/kojihub | + | KojiHubURL = http://koji.koozali.org/kojihub |
| KojiFilesURL = http://koji.koozali.org/kojifiles | | KojiFilesURL = http://koji.koozali.org/kojifiles |
| | | |
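Review bot: `KojiHubURL = http://koji.koozali.org/kojihub` cannot work with the proxy login: kojiweb authenticates to the hub with `WebCert` (a client certificate) and the hub checks the presenting certificate's DN against `ProxyDNs`, both of which exist only on a TLS connection, so over http the hub sees no client certificate and every web login fails with an auth error. Keep this on https and scope `SSLVerifyClient require` to the hub location rather than the whole ssl.conf virtual host.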
Line 366: |
Line 465: |
| | | |
| ## SSL authentication options | | ## SSL authentication options |
− | WebCert = /etc/pki/koji/koji-web.pem | + | WebCert = /etc/kojiweb/client.crt |
− | KojiHubCA = /etc/pki/koji/koji_ca_cert.crt | + | KojiHubCA = /etc/kojiweb/clientca.crt |
| | | |
| LoginTimeout = 72 | | LoginTimeout = 72 |
Line 375: |
Line 474: |
| | | |
| LibPath = /usr/share/koji-web/lib | | LibPath = /usr/share/koji-web/lib |
− | </syntaxhighlight>Make sure that the firewall will allow http & https access<syntaxhighlight lang="bash"> | + | </syntaxhighlight>Copy the certificates into the /etc/kojiweb dir and give the correct permissions<syntaxhighlight lang="bash"> |
− | firewall-cmd --permanent --add-service=http | + | cp /etc/pki/koji/kojiweb.pem /etc/kojiweb/client.crt |
− | firewall-cmd --permanent --add-service=https | + | cp /etc/pki/koji/koji_ca_cert.crt /etc/kojiweb/clientca.crt |
| + | cp /etc/pki/koji/koji_ca_cert.crt /etc/kojiweb/serverca.crt |
| + | chmod 0600 /etc/kojiweb/*.crt |
| + | </syntaxhighlight>Edit the httpd file <syntaxhighlight lang="bash"> |
| + | nano /etc/httpd/conf.d/kojiweb.conf |
| + | </syntaxhighlight>and uncomment the required ssl options<syntaxhighlight lang="ini"> |
| + | # uncomment this to enable authentication via SSL client certificates |
| + | <Location /koji/login> |
| + | # SSLVerifyClient require |
| + | # SSLVerifyDepth 10 |
| + | SSLOptions +StdEnvVars |
| + | </Location> |
| + | |
| + | </syntaxhighlight>Restart the httpd daemon<syntaxhighlight lang="bash"> |
| + | systemctl restart httpd |
| + | </syntaxhighlight> |
| + | |
| + | ====Koji Builders==== |
| + | For this exercise I only created 1 build server. You can have as many as you like... |
| + | |
| + | OS: Rocky 8.8-minimal |
| + | |
| + | Memory: 8GB |
| + | |
| + | Disk: 20GB (can apparently use a lot of disk, depending on how active a build server it is) |
| + | |
| + | FQDN: build1.koozali.org |
| + | |
| + | =====Koji Hub setup for build server===== |
| + | First off, set up some items on the koji hub for your build server/s |
| + | |
| + | Create a ssl cert for the build server with CN=build1.koozali.org<syntaxhighlight lang="bash"> |
| + | koji_make_cert.sh build1.koozali.org |
| + | </syntaxhighlight> |
| + | Add the build server into the koji database<syntaxhighlight lang="bash"> |
| + | su - kojiadmin |
| + | koji add-host build1.koozali.org x86_64 noarch |
| + | koji add-host-to-channel build1.koozali.org createrepo |
| + | exit |
| + | </syntaxhighlight> |
| + | We'll want the build servers to have access to the koji filesystem via nfs, so on the koji hub server (koji.koozali.org)<syntaxhighlight lang="bash"> |
| + | dnf install nfs-utils |
| + | systemctl enable --now nfs-server |
| + | systemctl start nfs-server |
| + | nano /etc/exports |
| + | |
| + | </syntaxhighlight>we only have one build server, but you can add additional build servers to the line, separated by a space<syntaxhighlight lang="ini"> |
| + | /mnt/koji build1.koozali.org(rw,sync,root_squash) |
| + | </syntaxhighlight>export, verify and allow Apache access via SELinux<syntaxhighlight lang="bash"> |
| + | exportfs -ra |
| + | exportfs -v |
| + | setsebool -P httpd_use_nfs=1 |
| + | </syntaxhighlight>Allow nfs access through the firewall<syntaxhighlight lang="bash"> |
| + | firewall-cmd --permanent --add-service=nfs |
| + | firewall-cmd --permanent --add-service=mountd |
| + | firewall-cmd --permanent --add-service=rpc-bind |
| firewall-cmd --reload | | firewall-cmd --reload |
| + | |
| + | </syntaxhighlight> |
| + | |
| + | =====Builder setup===== |
| + | You'll need to set up your network: You can do this during the install or post install (ensure network activated, IP address, FQDN, Gateway, DNS) |
| + | |
| + | Log into your build server as root and<syntaxhighlight lang="bash"> |
| + | nmtui |
| + | ip addr |
| + | ping google.com |
| + | </syntaxhighlight>Let's bring the server up to date<syntaxhighlight lang="bash"> |
| + | dnf update |
| + | |
| + | </syntaxhighlight>Add the epel repository and some tools to help with debugging (cockpit available at http://<IP addr or FQDN>:9090<syntaxhighlight lang="bash"> |
| + | systemctl enable --now cockpit.socket |
| + | systemctl start cockpit.socket |
| + | dnf config-manager --set-enabled powertools |
| + | dnf install epel-release |
| + | dnf install rsyslog |
| + | dnf install setroubleshoot-server |
| + | |
| + | </syntaxhighlight>Install the koji build daemon<syntaxhighlight lang="bash"> |
| + | dnf install koji-builder |
| + | </syntaxhighlight>Edit the kojid config file<syntaxhighlight lang="bash"> |
| + | nano /etc/kojid/kojid.conf |
| + | </syntaxhighlight>Point the builder at your koji hub and setup user/SSL credentials<syntaxhighlight lang="ini"> |
| + | ; The directory root where work data can be found from the koji hub |
| + | topdir=/mnt/koji |
| + | |
| + | ; The directory root for temporary storage |
| + | workdir=/tmp/koji |
| + | |
| + | ; The URL for the xmlrpc server |
| + | server=http://koji.koozali.org/kojihub |
| + | user=build1.koozali.org |
| + | |
| + | ; The URL for the file access |
| + | topurl=http://koji.koozali.org/kojifiles |
| + | |
| + | ;client certificate |
| + | cert = /etc/kojid/client.crt |
| + | |
| + | ;certificate of the CA that issued the HTTP server certificate |
| + | serverca = /etc/kojid/serverca.crt |
| + | </syntaxhighlight>Copy over your ssl certs from your koji hub and set their correct permissions<syntaxhighlight lang="bash"> |
| + | scp root@koji.koozali.org:/etc/pki/koji/build1.koozali.org.pem /etc/kojid/client.crt |
| + | scp root@koji.koozali.org:/etc/pki/koji/koji_ca_cert.crt /etc/kojid/serverca.crt |
| + | chmod 0600 /etc/kojid/*.crt |
| + | |
| + | </syntaxhighlight>Enable and start the kojid service<syntaxhighlight lang="bash"> |
| + | systemctl enable kojid --now |
| + | systemctl start kojid |
| </syntaxhighlight> | | </syntaxhighlight> |
| + | [[Category:Developer]] |
| + | [[Category:Infrastructure]] |
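Review bot: `cp /etc/pki/koji/kojiweb.pem /etc/kojiweb/client.crt` followed by `chmod 0600 /etc/kojiweb/*.crt` leaves the files owned by root with no group or world access, but kojiweb runs inside httpd as the `apache` user and opens `WebCert` at login time, so the web login will fail with a permission error; use `chown apache:apache /etc/kojiweb/*.crt` (or `install -o apache -g apache -m 0400 ...`) instead. kojid runs as root, so the same `chmod 0600` under /etc/kojid is correct. The kojiweb.conf excerpt still shows `# SSLVerifyClient require` and `# SSLVerifyDepth 10` commented out although the text says to uncomment them; show the final state. `server=http://koji.koozali.org/kojihub` in kojid.conf has the same problem as the CLI config: with `cert = /etc/kojid/client.crt` the builder logs in with its certificate, which needs https. Minor: `systemctl start kojid` after `systemctl enable kojid --now` (and the same pair for cockpit.socket) is redundant, the cockpit sentence is missing its closing parenthesis, and the two `scp root@koji.koozali.org:...` commands assume password root logins over SSH between farm hosts, which is worth replacing with key-based access from the outset.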