(→基础软件包) |
|||
Line 22: | Line 22: | ||
* mod_ssl | * mod_ssl | ||
* postgresql-server | * postgresql-server | ||
* mod_python ( | * mod_python (为了满足 Kerberos 认证功能,mod_python 版本需要大于等于3.3.1) | ||
'''编译机端 (koji-builder)''' | '''编译机端 (koji-builder)''' | ||
* mock | * mock | ||
* setarch ( | * setarch (某些特殊架构需要专门打补丁) | ||
* rpm-build | * rpm-build | ||
* createrepo | * createrepo |
Revision as of 16:09, 23 March 2012
搭建一套Koji编译系统
Koji 编译系统的各个组件可以分别搭建在不同的设备上,只要这些设备之间可以相互通信就可以了。这篇文章分别介绍了各个组件的搭建过程,然而,所有组件也可以搭建在同一台设备上。
必备知识
- Basic understanding of SSL and authentication via certificates and/or Kerberos credentials
- Basic knowledge about creating a database in PostgreSQL and importing a schema
- Working with psql
- Basic knowledge about Apache configuration
- Basic knowledge about yum/createrepo/mock - else you'll not be able to debug problems!
- Basic knowledge about using command line
- Basic knowledge about RPM building
- Simple usage of the Koji client
- For an overview of yum, mock, Koji (and all its subcomponents), mash, and how they all work together, see the excellent slides put together by Steve Traylen at CERN [1].
基础软件包
服务器端(koji-hub/koji-web)
- httpd
- mod_ssl
- postgresql-server
- mod_python (为了满足 Kerberos 认证功能,mod_python 版本需要大于等于3.3.1)
编译机端 (koji-builder)
- mock
- setarch (某些特殊架构需要专门打补丁)
- rpm-build
- createrepo
关于文件系统容量的说明
Koji will consume copious amounts of disk space under the primary KojiDir directory (as set in the kojihub.conf file). However, as koji makes use of mock on the backend to actually create build roots and perform the builds in those build roots, it might come to a surprise to users that a running koji server will consume large amounts of disk space under /var/lib/mock and /var/cache/mock as well. Users should either plan the disk and filesystem allocations for this, or plan to modify the default mock build directory in the kojid.conf file. If you change the location, ensure that the new directories are owned by the group "mock" and have 02755 permission.
为 Koji 选择认证机制
Koji 主要支持 Kerberos 和 SSL 证书两种认证机制。在基本的终端交互模式中,Koji 还支持基于明文的用户名/密码的认证方式。然而,kojiweb 不支持用户名/密码认证方式,并且一旦 kojiweb 采用了 Kerberos 或者 SSL 证书认证方式, 用户名/密码认证方式将会完全失去作用。 因此,我们建议从系统搭建开始就不要采用用户名/密码认证方式,而是合理配置 Kerberos 或者 SSL 证书认证方式。
采用哪种认证方式将会影响到 koji 系统搭建过程中的所有其他方面,因此你最好现在就选定一种认证方式。
For Kerberos authentication, a working Kerberos environment (the user is assumed to either already have this or know how to set it up themselves, instructions for it are not included here) and the Kerberos credentials of the initial admin user will be necessary to bootstrap the user database.
如果选择 SSL 认证方式,你需要为 xmlrp c服务器、koji 中各种组件和系统管理员创建 SSL 证书。你不需要知道证书的创建过程,我们在后面会详细介绍证书的创建过程。
为认证机制创建SSL证书
生成证书
- 创建一个新目录 /etc/pki/koji,将下面文件的内容保存在该目录新创建的文件 ssl.cnf 中。这个配置文件和 openssl 命令配合使用,用来生成 koji 各个组件需要的 SSL 证书。
ssl.cnf
HOME = . RANDFILE = .rand [ca] default_ca = ca_default [ca_default] dir = . certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/%s_ca_cert.pem private_key = $dir/private/%s_ca_key.pem serial = $dir/serial crl = $dir/crl.pem x509_extensions = usr_cert name_opt = ca_default cert_opt = ca_default default_days = 3650 default_crl_days = 30 default_md = md5 preserve = no policy = policy_match [policy_match] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [req] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = MASK:0x2002 [req_distinguished_name] countryName = Country Name (2 letter code) countryName_default = AT countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Vienna localityName = Locality Name (eg, city) localityName_default = Vienna 0.organizationName = Organization Name (eg, company) 0.organizationName_default = My company organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [req_attributes] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [usr_cert] basicConstraints = CA:FALSE nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always [v3_ca] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true
虽然不是必须的,但是我们建议你根据自己的实际信息修改配置文件中[req_distinguished_name]部分的默认值。这样,当你创建证书的时候你就可以使用大部分的默认值而不需要自己填写信息。配置文件中的其他部分不需要修改。
生成 CA 证书
CA 证书用来标识 SSL 证书的颁发机构。它是用来签发其他证书的密钥/证书对。当配置 koji 中各种组件时,客户端和服务器端的 CA 证书都使用这里生成的 CA 证书的一份拷贝。CA 证书将被放置在目录 /etc/pki/koji 中,koji 各个组件的证书将放置在目录 /etc/pki/koji/certs 中。另外需要创建一个 index.txt 文件,这个文件作为数据库保存了已经创建了的证书的信息。通过查看文件 index.txt 的内容,我们可以方便地查看任何证书的信息。
cd /etc/pki/koji/ mkdir {certs,private} touch index.txt echo 01 > serial caname=koji openssl genrsa -out private/${caname}_ca_cert.key 2048 openssl req -config ssl.cnf -new -x509 -days 3650 -key private/${caname}_ca_cert.key \ -out ${caname}_ca_cert.crt -extensions v3_ca
上面脚本中的最后一条命令会提示你输入与正在创建的证书相关的一组信息。想必你已经修改了配置文件 ssl.cnf 中国家、州/省、城市和机构这几个字段的默认值,因此你直接按回车键就可以了。部门和通用名两个字段的值需要根据不同的证书进行修改。对于 CA 证书,这些字段的取值没有硬性的规定,一种建议是使用服务器的完整域名(FQDN)。
为koji各个组件和系统管理员创建证书
Koji中的每个组件都需要一个单独的证书标识自己。其中两个组件(kojihub and kojiweb)的证书作为服务器端的证书用来提供服务器端到客户端的认证。基于这个原因,你希望用运行这两个组件的网络服务器的完整域名(FQDN)作为这两个证书中的通用名。这样,客户端就不会抱怨证书中的通用名和服务器不一致。为了便于认证,你可以将这两个证书中的 OU (怎么翻译)分别设置为 kojihub 和 kojiweb。
For the other certificates (kojira, kojid, the initial admin account, and all user certificates), 证书用来提供客户端到服务器端的认证功能。这些证书的通用名应该设置成组件或者用户的登录名。例如,kojira 证书中的通用名应该设置成 kojira,这样登录名就和组件的名称相匹配了。这样做的原因是证书中的通用名需要和数据库中组件或用户的名称一致。如果在数据库中找不到和证书中 CN (通用名)相匹配的组件或者用户,客户端将不能通过认证,因此就不能登录系统。
在后面的步骤中,你会通过 koji add-host 命令向数据库中添加一个编译机。系统将会为这个编译机创建一个帐号,虽然这个帐号不会显示在用户列表中。创建的帐号必须与组件登录服务器时使用的证书中的通用名相同。当你为 kojiweb 创建证书的时候,你需要牢牢记住你为每一个选项填写的值,你需要根据这些选项的值拼成配置文件/etc/koji-hub/hub.conf 中 ProxyDNs 选项的值。
当你需要创建多个证书的时候,一种简便的方法是编写像下面列出的代码这样的循环语句,甚至可以将这些循环语句写到一个脚本文件中,然后执行这个脚本文件。你只需要按照自己的意愿简单地调整代码中编译机的数量和系统管理员的名称就可以了。在本文档中,我们设置系统管理员的名称为 "kojiadmin"。
for user in kojira kojiweb kojihub kojibuilder{1..5} admin-account; do openssl genrsa -out certs/${user}.key 2048 openssl req -config ssl.cnf -new -nodes -out certs/${user}.csr -key certs/${user}.key openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt \ -out certs/${user}.crt -outdir certs -infiles certs/${user}.csr cat certs/${user}.crt certs/${user}.key > ${user}.pem done
为用户创建一个 PKCS12 证书(用于通过浏览器登录系统) 只需要为实际的用户创建这个证书。
openssl pkcs12 -export -inkey certs/${user}.key -in certs/${user}.crt -CAfile ${caname}_ca_cert.crt \ -out certs/${user}_browser_cert.p12
当为用户创建证书的时候,我们需要通过上面的代码为用户创建三个证书文件,分别为:${user}.pem、 ${caname}_ca_cert.crt 和 ${user}_browser_cert.p12。一般情况下,我们将 ${user}.pem 放置在 ~/.fedora.cert,将 ${caname}_ca_cert.crt 拷贝两份分别放置在 ~/.fedora-upload-ca.cert 和 ~/.fedora-server-ca.cert,将 ${user}_brower_cert.p12 作为用户证书导入到浏览器中。
Copy certificates into ~/.koji for kojiadmin
You're going to want to be able to send admin commands to the kojihub. In order to do so, you'll need to use the newly created certificates to authenticate with the hub. Copy the certificates for the koji CA and the kojiadmin user to ~/.koji:
kojiadmin@localhost$ mkdir ~/.koji kojiadmin@localhost$ cp /etc/pki/koji/kojiadmin.pem ~/.koji/client.crt kojiadmin@localhost$ cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/clientca.crt kojiadmin@localhost$ cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/serverca.crt
Note: See /etc/koji.conf for the current system wide koji client configuration. Copy /etc/koji.conf to ~/.koji/config if you wish to change the config on a per user basis.
Setting up Kerberos for authentication
The initial configuration of a kerberos service is outside the scope of this document, however there are a few specific things required by koji.
DNS
The koji builders (kojid) use DNS to find the kerberos servers for any given realm.
_kerberos._udp IN SRV 10 100 88 kerberos.EXAMPLE.COM.
The trailing dot denotes DNS root and is needed if FQDN is used.
Principals and Keytabs
It should be noted that in general you will need to use the fully qualified domain name of the hosts when generating the keytabs for services.
You will need the following principals extracted to a keytab for a fully kerborised configuration, the requirement for a host key for the koji-hub is currently hard coded into the koji client.
- host/kojihub@EXAMPLE.COM
- Used by the koji-hub server when communicating with the koji client
- HTTP/kojiweb@EXAMPLE.COM
- Used by the koji-web server when performing a negotiated Kerberos authentication with a web browser. This is a service principal for Apache's mod_auth_kerb.
- koji/kojiweb@EXAMPLE.COM
- Used by the koji-web server during communications with the koji-hub. This is a user principal that will authenticate koji-web to Kerberos as "koji/kojiweb@EXAMPLE.COM". Koji-web will proxy the mod_auth_kerb user information to koji-hub (the
ProxyPrincipals
koji-hub config option).
- Used by the koji-web server during communications with the koji-hub. This is a user principal that will authenticate koji-web to Kerberos as "koji/kojiweb@EXAMPLE.COM". Koji-web will proxy the mod_auth_kerb user information to koji-hub (the
- koji/kojira@EXAMPLE.COM
- Used by the kojira server during communications with the koji-hub
- compile/builder1@EXAMPLE.COM
- Used on builder1 to communicate with the koji-hub
PostgreSQL 服务器
一旦认证机制配置完毕,你需要安装和配置一个 PostgreSQL 服务器,在服务器中创建一个数据库用来保存用户的信息。
配置文件:
- /var/lib/pgsql/data/pg_hba.conf
- /var/lib/pgsql/data/postgresql.conf
安装 PostgreSQL:
root@localhost$ yum install postgresql-server
初始化 PostgreSQL 数据库:
下面的命令用来初始化 PostgreSQL 并且开启数据库服务
root@localhost$ service postgresql initdb root@localhost$ service postgresql start
设置用户帐号
下面的命令可以创建一个名称为 koji 的帐号,并且为该帐号设置密码。
root@localhost$ useradd koji root@localhost$ passwd -d koji
设置 PostgreSQL 并导入视图:
下面的命令可以在 PostgreSQL 中创建一个名称为 koji 的帐号,然后用 /usr/share/doc/koji*/docs/schema.sql 中的视图初始化一个名称为 koji 的数据库。
root@localhost$ su - postgres postgres@localhost$ createuser koji Shall the new role be a superuser? (y/n) n Shall the new role be allowed to create databases? (y/n) n Shall the new role be allowed to create more new roles? (y/n) n postgres@localhost$ createdb -O koji koji postgres@localhost$ logout root@localhost$ su - koji koji@localhost$ psql koji koji < /usr/share/doc/koji*/docs/schema.sql koji@localhost$ exit
注意: When issuing the command to import the psql schema into the new database it is important to ensure that the directory path /usr/share/doc/koji*/docs/schema.sql remains intact and is not resolved to a specific version of koji. In test it was discovered that when the path is resolved to a specific version of koji then not all of the tables were created correctly
Authorize Koji-web and Koji-hub resources:
In this example, Koji-web and Koji-hub are running on localhost.
/var/lib/pgsql/data/pg_hba.conf: These settings need to be valid and inline with other services configurations. Please note, the first matching auth line is used so this line must be above any other potential matches. Add:
host koji koji 127.0.0.1/32 trust host koji koji ::1/128 trust
You can also use UNIX socket access. The DBHost variable must be unset to use this method. Add:
local koji apache trust local koji apache 127.0.0.1/32 trust local koji apache ::1/128 trust local koji koji trust
Make auth changes live:
The following commands let postgreSQL know that changes have been made and forces it to reload its configuration so that changes become active
root@localhost$ su - postgres postgres@localhost$ pg_ctl reload postgres@localhost$ exit
在 PostgreSQL 数据库中添加系统管理员的信息:
最初的系统管理员信息必须通过 sql 语句手动添加到数据库中。一旦系统管理员的信息添加完毕并且赋予了管理员权限,就可以通过 koji 命令行工具中的系统管理命令添加其他的用户,以及更改这些用户的权限。但是,如果你选择采用简单的用户名/密码认证方式,你只能通过 sql 语句设置/更改用户的密码,因为 koji 命令行工具没有提供密码维护的功能。
根据认证机制的不同,你需要执行不同的 sql 语句。
用户名/密码认证方式:
root@localhost$ su - koji koji@localhost$ psql koji=> insert into users (name, password, status, usertype) values ('admin-user-name', 'admin-password-in-plain-text', 0, 0);
Kerberos 认证方式: 除了需要将上面第一条插入语句改写成下面的样子,处理过程和用户名/密码认证方式的处理过程非常相似。
root@localhost$ su - koji koji@localhost$ psql koji=> insert into users (name, krb_principal, status, usertype) values ('admin-user-name', 'admin@EXAMPLE.COM', 0, 0);
SSL 证书认证方式: 这种方式既不需要密码也不需要 Kerberos principal,所以像下面这样写就可以了:
root@localhost$ su - koji koji@localhost$ psql koji=> insert into users (name, status, usertype) values ('admin-user-name', 0, 0);
为自己分配系统管理员权限
下面的命令将为一个用户分配系统管理员权限。为了完成权限分配工作你需要知道这个用户的 ID 。
koji=> insert into user_perms (user_id, perm_id, creator_id) values (<id of user inserted above>, 1, <id of user inserted above>);
注意:如果你不知道管理员用户的ID,你可以通过以下方法进行查询:
koji=> select * from users;
在 kojihub 设置好并且能够在你的网站服务器上运行之前,你不能登录到系统中,也不能进行任何操作。为了能够让 kojihub 正常运行,你还需要完成认证的设置工作以及 kojihub 的配置工作。如果你希望通过浏览器登录系统,你还需要设置 kojiweb,使之正常运行。
Koji Hub
Koji-hub 是所有 Koji 操作的核心。它是一个运行在 Apache 服务器的 mod_python 模块下的 XML-RPC 服务器。koji-hub 采用被动方式工作,它只接收 XML-RPC 请求,然后依靠编译守护进程以及其他组件来进行交互。Koji-hub 是唯一可以直接访问数据库的组件,也是两个对文件系统具有写权限的组件之一。
配置文件:
- /etc/httpd/conf/httpd.conf
- /etc/httpd/conf.d/kojihub.conf
- /etc/httpd/conf.d/ssl.conf (如果采用 ssl 认证机制)
- /etc/koji-hub/hub.conf
安装 koji-hub:
root@localhost$ yum install koji-hub httpd mod_ssl mod_python
必须的配置
/etc/httpd/conf/httpd.conf:
apache 服务器中有两个地方可以设置服务器重启之前可以处理的最大请求数量。kojihub 中的 xmlrpc 接口是一个 python 应用程序, 当内存不能及时得到回收的时候,mod_python 占用的内容量将急剧增长。因此,为了避免服务器负载过重甚至崩溃,我们强烈建议你将配置文件 httpd.conf 中两个对 MaxRequestsPerChild 进行设置的地方修改为合理的数值。(at 100 the httpd processes will grow to about 75MB resident set size before respawning).
<IfModule prefork.c> ... MaxRequestsPerChild 100 </IfModule> <IfModule worker.c> ... MaxRequestsPerChild 100 </IfModule>
You'll need to make /mnt/koji/packages web-accessible, either here on the hub, or on koji-web, or on another web server altogether. This URL will later go into the builders' pkgurl config option.
Alias /packages/ /mnt/koji/packages/ <Directory "/mnt/koji/packages"> Options Indexes AllowOverride None Order allow,deny Allow from all </Directory>
/etc/koji-hub/hub.conf:
这个文件中包含 Koji Hub 的配置信息。你需要编辑这个文件使得 Koji Hub 能够连接到你正使用的数据库,并且 Koji Hub 能够正确识别开始时你选择的认证方式。
DBName = koji DBUser = koji DBHost = db.example.com KojiDir = /mnt/koji LoginCreatesUser = On KojiWebURL = http://kojiweb.example.com/koji
可选的配置
/etc/koji-hub/hub.conf: 如果你选择的是 Kerberos 认证方式,下面的这些配置必须修改为有效值,并且与其他的配置项联合使用。
AuthPrincipal host/kojihub@EXAMPLE.COM AuthKeytab /etc/koji.keytab ProxyPrincipals koji/kojiweb@EXAMPLE.COM HostPrincipalFormat compile/%s@EXAMPLE.COM
/etc/koji-hub/hub.conf: 如果你选择的是 SSL 认证方式,为了使用户可以通过浏览器登录 kojiweb,下面的这些配置必须修改为有效值,并且与其他的配置项联合使用。ProxyDNs应该设置成 kojiweb 证书中DN (DirName)字段的值。
DNUsernameComponent = CN ProxyDNs = "/C=US/ST=Massachusetts/O=Example Org/OU=Example User/CN=example/emailAddress=example@example.com"
/etc/httpd/conf.d/kojihub.conf: 如果你选择的是 SSL 认证方式,请取消下面几个配置项的注释,以便户可以通过浏览器登录 kojiweb。"
<Location /kojihub> SSLOptions +StdEnvVars </Location>
/etc/httpd/conf.d/ssl.conf: 如果你选择的是 SSL 认证方式,你还需要为 apache 服务器添加一些必须的 SSL 配置项。这些配置项指向 Koji Hub 服务器中证书的保存位置。
SSLCertificateFile /etc/pki/koji/certs/kojihub.crt SSLCertificateKeyFile /etc/pki/koji/certs/kojihub.key SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt SSLVerifyClient require SSLVerifyDepth 10
配置 SELinux
如果 SELinux处于 Enforcing 状态,你需要保证 apache 服务能够连接 postgreSQL 服务器。即使 SELinux 目前不是处于 Enforcing 状态,我们仍然建议你执行下面的命令,以确保即使以后 SELinux 启用了 Enforcing 模式了也不会产生新的问题。
root@localhost$ setsebool -P httpd_can_network_connect_db 1
Koji 文件系统框架
在前面 kojihub.conf 文件的配置过程中,我们设置 KojiDir 的路径为 /mnt/koji。如果你处于某种考虑更改了这个路径,你应该创建一个符号链接 /mnt/koji 指向你设置的实际路径(注意:这是一个bug,最终会得到解决的)。切记,在系统其他组件正常工作之前,你需要在设置的目录中创建合适的目录结构,并将这些目录的属主设置为 apache。这样,在需要的时候 xmlrpc 接口就可以向目录中写入数据了。
cd /mnt mkdir koji cd koji mkdir {packages,repos,work,scratch} chown apache.apache *
现在重新启动 apache 服务,你可以对系统进行一些最基本的操作了。比如:系统管理员可以通过命令行工具客户端连接到系统中,添加新用户,等等。现在你可以进行一些系统管理方面的操作,如向数据库中添加用户和编译机。
确保你的客户端配置没有问题,能够连接到服务器并且工作正常。对客户端所有用户都可用的配置文件是 /etc/koji.conf,对客户端特定用户可用的配置文件是 ~/.koji/config。当使用 Koji 客户端时,你也可以使用"-c"选项指定另外一个配置文件。下面这条命令可以测试你能否正常登录到服务器:
koji call getLoggedInUser
如果你选择的是 SSL 认证方式,你需要编辑 Koji 客户端的配置文件,为各种 Koji 组件指定正确的 URL 地址,并且需要指定 SSL 证书在本地的存放位置。
[koji] ;url of XMLRPC server server = http://hongkong.proximity.on.ca/kojihub ;url of web interface weburl = http://hongkong.proximity.on.ca/koji ;url of package download site pkgurl = http://hongkong.proximity.on.ca/packages ;path to the koji top directory topdir = /mnt/koji ;configuration for SSL athentication ;client certificate cert = ~/.koji/client.crt ;certificate of the CA that issued the client certificate ca = ~/.koji/clientca.crt ;certificate of the CA that issued the HTTP server certificate serverca = ~/.koji/serverca.crt
需要注意的一点是 kojira 组件需要 repo 权限,第一次运行 kojira 时系统会自动为你创建这个帐号,但是这种方式创建的帐号没有 repo 权限,所以你需要提前创建这个帐号并且马上赋予它 repo 权限。
kojiadmin@localhost$ koji add-user kojira kojiadmin@localhost$ koji grant-permission repo kojira
相似的原因,在每台编译机第一次开启 kojid 守护进程之前,你需要运行 add-host 将编译机添加到数据库中,最好现在就做。
kojiadmin@localhost$ koji add-host kojibuilder1 x86_64 i386 kojiadmin@localhost$ koji add-host kojibuilder2 ppc ppc64 kojiadmin@localhost$ koji add-host kojibuilder3 ia64
Koji Web - 用户接口
Koji-web 是一系列运行在 mod_python 模块下,采用 Cheetah 模板引擎生成的脚本文件,它可以对 Koji 提供一套 web 页面接口。通过 koji-web,你可以查看 Koji 系统中很多信息,并且提供了一种方式完成系统中的部分操作,如取消软件包编译任务。
配置文件
- /etc/httpd/conf.d/kojiweb.conf
- /etc/httpd/conf.d/ssl.conf
安装 Koji-Web:
root@localhost$ yum install koji-web mod_ssl
必须的配置
/etc/httpd/conf.d/kojiweb.conf: 你需要编辑 kojiweb 的配置文件,正确配置 koji-hub 的地址、软件包的存放地址以及 kojiweb 本身的地址。你还需要指定各个组件的 SSL 证书的存放位置。如果你选择的是 SSL 认证方式,下面例子中的"PythonOption WebCert"字段中指定的证书必须既包含公钥又包含私钥。也许你还希望将下面例子中最后一行更改为一个唯一的密码。
PythonOption KojiHubURL http://hub.example.com/kojihub PythonOption KojiWebURL http://www.example.com/koji PythonOption KojiPackagesURL http://server.example.com/mnt/koji/packages PythonOption WebCert /etc/pki/koji/kojiweb.pem PythonOption ClientCA /etc/pki/koji/koji_ca_cert.crt PythonOption KojiHubCA /etc/pki/koji/koji_ca_cert.crt PythonOption LoginTimeout 72 PythonOption Secret CHANGE_ME
可选的配置
你还需要编辑文件 /etc/httpd/conf.d/kojiweb.conf,根据最开始时你选择的认证机制正确配置其中的认证项。
/etc/httpd/conf.d/kojiweb.conf:
如果你选择的是 Kerberos 认证方式,下面的这些项必须设置成有效值,并且与其他的配置项联合使用。
<Location /koji/login> AuthType Kerberos AuthName "Koji Web UI" KrbMethodNegotiate on KrbMethodK5Passwd off KrbServiceName HTTP KrbAuthRealm EXAMPLE.COM Krb5Keytab /etc/httpd.keytab KrbSaveCredentials off Require valid-user ErrorDocument 401 /koji-static/errors/unauthorized.html </Location>
/etc/httpd/conf.d/kojiweb.conf: 如果你选择的是 SSL 认证方式,下面的这些项必须设置成有效值,并且与其他的配置项联合使用。
<Location /koji/login> SSLOptions +StdEnvVars </Location>
/etc/httpd/conf.d/ssl.conf: 如果你选择的是 SSL 认证方式,你需要为 apache 添加必需的 SSL 选项。
SSLVerifyClient require SSLVerifyDepth 10
网页接口可以工作了
现在你可以在你的浏览器中输入 kojiweb 的地址,你会看到系统的 web 页面。当然,现在你只可以浏览系统中的数据。如果你已经设置好了证书,就可以登录系统了。
Koji 守护进程 - 编译机
Kojid is the build daemon that runs on each of the build machines. Its primary responsibility is polling for incoming build requests and handling them accordingly. Koji also has support for tasks other than building such as creating livecd images or raw disk images, and kojid is responsible for handling these tasks as well. kojid uses mock for creating pristine build environments and creates a fresh one for every build, ensuring that artifacts of build processes cannot contaminate each other. kojid is written in Python and communicates with koji-hub via XML-RPC.
Configuration Files:
- /etc/kojid/kojid.conf - Koji Daemon Configuration
- /etc/sysconfig/kojid - Koji Daemon Switches
Install kojid:
root@localhost$ yum install koji-builder
必须的配置
/etc/kojid/kojid.conf: The configuration file for each koji builder must be edited so that the line below points to the URL for the koji hub. The user tag must also be edited to point to the username used to add the koji builder.
; The URL for the xmlrpc server server=http://hub.example.com/kojihub ; the username has to be the same as what you used with add-host ; in this example follow as below user = kojibuilder1.example.com
This item may be changed, but may not be the same as KojiDir on the kojihub.conf file (although it can be something under KojiDir, just not the same as KojiDir)
; The directory root for temporary storage workdir=/tmp/koji
可选的配置 (SSL 证书)
/etc/kojid/kojid.conf: If you are using SSL, these settings need to be edited to point to the certificates you generated at the beginning of the setup process.
;client certificate ; This should reference the builder certificate we created above, for ; kojibuilder1.example.com cert = /etc/kojid/kojid.pem ;certificate of the CA that issued the client certificate ca = /etc/kojid/koji_ca_cert.crt ;certificate of the CA that issued the HTTP server certificate serverca = /etc/kojid/koji_ca_cert.crt
It is important to note that if your builders are hosted on seperate machines from koji hub and koji web, you will need to scp the certificates mentioned in the above configuration file from the /etc/kojid/ directory on koji hub to the /etc/koji/ directory on the local machine so that the builder can be authenticated.
可选的配置 (Kerberos 认证)
/etc/kojid/kojid.conf: If using Kerberos, these settings need to be valid and inline with other services configurations.
; the username has to be the same as what you used with add-host ;user = host_principal_format=compile/%s@EXAMPLE.COM
By default it will look for the Kerberos keytab in /etc/kojid/kojid.keytab
Note: Kojid will not attempt kerberos authentication to the koji-hub unless the username field is commented out
将代表 koji 编译机的主机条目添加到数据库中
You will now need to add the koji builder to the database so that they can be utilized by kojij hub. Make sure you do this before you start kojid for the first time, or you'll need to manually remove entries from the sessions and users table before it can be run successfully.
kojiadmin@localhost$ koji add-host kojibuilder1.example.com i386 x86_64
The first argument used after the add-host command should the username of the builder. The second argument is used to specify the architecture which the builder uses.
将主机添加到 createrepo channel 中
Channels are a way to control which builders process which tasks. By default hosts are added to the default channel. At least some build hosts also needs to be added to the createrepo channel so there will be someone to process repo creation tasks initiated by kojira.
kojiadmin@localhost$ koji add-host-to-channel kojibuilder1.example.com createrepo
关于负载能力的一点说明
The default capacity of a host added to the host database is 2. This means that once the load average on that machine exceeds 2, kojid will not accept any additional tasks. This is separate from the maxjobs item in the configuration file. Before kojid will accept a job, it must pass both the test to ensure the load average is below capacity and that the current number of jobs it is already processing is less than maxjobs. However, in today's modern age of quad core and higher CPUs, a load average of 2 is generally insufficient to fully utilize hardware. As there is not an option to set the capacity of the host via the command line tools, it must be done manually in psql.
koji@localhost$ psql koji koji=# select (id, name, capacity) from host; row -------------------------------- (1,kojibuilder1.example.com,2) (2,kojibuilder2.example.com,2) (2 rows) koji=# update host set capacity = 16 where id = 1; UPDATE 1 koji=#
开启 Kojid
Once the builder has been added to the database you must start kojira
root@localhost$ /sbin/service kojid start
Check /var/log/kojid.log to verify that kojid has started successfully. If the log does not show any errors then the koji builder should be up and ready. You can check this by pointing your web browser to the web interface and clicking on the hosts tab. This will show you a list of builders in the database and the status of each builder.
Kojira - 创建和维护 Yum 库
Configuration Files:
- /etc/kojira/kojira.conf - Kojira Daemon Configuration
- /etc/sysconfig/kojira - Kojira Daemon Switches
Install kojira
root@localhost$ yum install koji-utils
必须的配置
/etc/kojira/kojira.conf: This needs to point at your koji-hub.
; The URL for the xmlrpc server server=http://hub.example.com/kojihub
Additional Notes:
- Kojira needs read-write access to /mnt/koji.
- There should only be one instance of kojira running at any given time.
- It is not recommended that kojira run on the builders, as builders only should require read-only access to /mnt/koji.
可选的配置
/etc/kojira/kojira.conf: If using SSL, these settings need to be valid.
;client certificate ; This should reference the kojira certificate we created above cert = /etc/pki/koji/kojira.pem ;certificate of the CA that issued the client certificate ca = /etc/pki/koji/koji_ca_cert.crt ;certificate of the CA that issued the HTTP server certificate serverca = /etc/pki/koji/koji_ca_cert.crt
If using Kerberos, these settings need to be valid.
; For Kerberos authentication ; the principal to connect with principal=koji/kojira@EXAMPLE.COM ; The location of the keytab for the principal above keytab=/etc/kojira.keytab
/etc/sysconfig/kojira: The local user kojira runs as needs to be able to read and write to /mnt/koji/repos/. If the volume that directory resides on is root-squashed or otherwise unmodifiable by root, you can set RUNAS= to a user that has the required privileges.
为 kojira 用户添加用户条目
If you did not already do so above, create the kojira user, and grant it the repo permission.
kojiadmin@localhost$ koji add-user kojira kojiadmin@localhost$ koji grant-permission repo kojira
开启 Kojira
root@localhost$ /sbin/service kojira start
Check /var/log/kojira/kojira.log to verify that kojira has started successfully.
Bootstrapping the Koji build environment
For instructions on importing packages and preparing Koji to run builds, see Server Bootstrap .
For instructions on using External Repos and preparing Koji to run builds, see External Repo Server Bootstrap .
Useful scripts and config files for setting up a Koji instance are available here
Minutia and Miscellany
Please see KojiMisc for additional details and notes about operating a koji server.