Setting Up a Koji Build System

The Koji components may live on seperate resources as long as all resources are able to communicate. This document will cover how to setup each service individually, however, all services may live on the same resource.

[[TableOfContents()]

PreReqs of Knowledge

• Basic understanding of SSL and authentication via certificates
• Basic knowledge about creating a database in PostgreSQL and importing a schema
• Working with psql
• Basic knowledge about Apache configuration
• Basic knowledge about yum/createrepo/mock - else you'll not be able to debug problems!
• Basic knowledge about using command line
• Basic knowledge about RPM building

PreReqs of Packages

On the server (koji-hub/koji-web)

• httpd
• mod_ssl
• postgresql-server

On the builder (koji-builder)

• mock
• setarch (for some archs you'll require a patched version)
• rpm-build
• createrepo

PostgreSQL Server

The PostgreSQL server must be installed and the database primed.

Configuration Files:

• /var/lib/pgsql/data/pg_hba.conf
• /var/lib/pgsql/data/postgresql.conf

Install PostgreSQL:

root@localhost$ yum install postgresql-server

Setup User Accounts:

root@localhost$ useradd koji
root@localhost$ passwd -d koji

Setup PostgreSQL and populate schema:

root@localhost$ su - postgres
postgres@localhost$ createuser koji
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
postgres@localhost$ createdb -O koji koji
postgres@localhost$ logout
root@localhost$ su - koji
koji@localhost$ psql koji koji < /usr/share/doc/koji*/docs/schema.sql
koji@localhost$ exit

Authorize Koji-web and Koji-hub resources: In this example, Koji-web and Koji-hub are running on localhost.

/var/lib/pgsql/data/pg_hba.conf: These settings need to be valid and inline with other services configurations. Please note, the first matching auth line is used so this line must be above any other potential matches. Add:

host    koji        koji        127.0.0.1/32          trust

Make auth changes live:

root@localhost$ su - postgres
postgres@localhost$ pg_ctl reload
postgres@localhost$ exit

Koji Authentication Setup

Koji primarily supports Kerberos and SSL Certificate authentication. For basic koji-cli access, plain user/pass combinations are possible. For Kerberos authentication, a Kerberos server will need to be setup and configured. For SSL authentication, SSL certificates and the needed cert. chains will need to be setup.

Adding basic user/pass combinations for authentication: Any password setting/changing still needs to be done manually in the database though (it is not exposed through the API).

Add needed information to the koji database:

koji@localhost$ psql
koji=> insert into users (name, password, status, usertype) values ('my-user-name', 'my-password-in-plain-test', 0, 0);
koji=> insert into user_perms (user_id, perm_id) values (<id of user inserted above>, 1);

Note: you can get the ID of the new user by running the query:

koji=> select * from users;

You can then perform Koji admin commands by calling

kojiadmin@localhost$ koji --user <username> --password <password>"

Both kojira and kojid accept "user" and "password" options in their config files, and will use those for authentication if present. Note that for kojira, you will need to create a user:

kojiadmin@localhost$ koji add-user <username>

Set the password for it as above, as well as granting it the "repo" permission (perm_id == 3). For kojid you will need to create a "host" entry (koji add-host), and set the password for the associated user (the user gets created at the same time as the host entry).

Setting up SSL Certificates for authentication:

Certificate generation

• Get the ssl.cnf (listed on this page) and *edit* it! (0.organizationName_default should be modified)

ssl.cnf

HOME                    = .
RANDFILE                = .rand

[ca] 
default_ca              = ca_default

[ca_default] 
dir                     = .
certs                   = $dir/certs
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir/newcerts
certificate             = $dir/%s_ca_cert.pem
private_key             = $dir/private/%s_ca_key.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
x509_extensions         = usr_cert
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 3650
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_match

[policy_match] 
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req] 
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extentions to add to the self signed cert
string_mask             = MASK:0x2002

[req_distinguished_name] 
countryName                     = Country Name (2 letter code)
countryName_default             = AT
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Vienna
localityName                    = Locality Name (eg, city)
localityName_default            = Vienna
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = My company
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[req_attributes] 
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[usr_cert] 
basicConstraints                = CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always

[v3_ca] 
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always
basicConstraints                = CA:true

Generate CA

caname="koji"
mkdir -p /etc/kojiweb/clients
cd /etc/kojiweb/clients
mkdir {certs,private}
touch index.txt
echo 01 > serial
openssl genrsa -out private/${caname}_ca_cert.key 2048

openssl req -config ssl.cnf -new -x509 -days 3650 -key private/${caname}_ca_cert.key \
-out ${caname}_ca_cert.crt -extensions v3_ca

Generate the kojira user certificate

caname=koji
user="kojira"

openssl genrsa -out certs/${user}.key 2048

openssl req -config ssl.cnf -new -nodes -out certs/${user}.csr -key certs/${user}.key

openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt \
-out certs/${user}.crt -outdir certs -infiles certs/${user}.csr
cat certs/${user}.crt certs/${user}.key > /etc/kojira/${user}.pem

Generate the kojihub server certificate

Do the same as for the kojira user, but with e.g. user="kojihub".
Set the common name to the fully-qualified domain name of the Kojihub server.

Generate the kojiweb server certificate

Do the same as for the kojira user, but with e.g. user="kojiweb".
Set the common name to the fully-qualified domain name of the Kojiweb server.

Generate the kojid certificate

Do the same as for kojira user, but "user" (i.e. the CN of the certificate) should be the fully-qualified
domain name of the machine where the builder will be running, for example: kojibuilder1.example.com

Generate other client certificates

Do the same as for the kojira user, but with e.g. user=<name of user>.  These certificates will be used to
authenticate to the Koji Hub.  The user will be identified in the Koji UI by the CN of their certificate.

Generate a PKCS12 user certificate (for web browser) This is only required for user certificates, not for kojira, kojid, or the other service certificates created above.

openssl pkcs12 -export -inkey certs/${user}.key -in certs/${user}.crt -CAfile ${caname}_ca_cert.crt \
-out certs/${user}_browser_cert.p12

Setting up Kerberos for authentication:

---

Oh yeah, add some kerberos magic here!

---

Right now kojiweb only supports Kerberos or SSL authentication to the hub. However, Koji Web is fully functional in read-only mode (without logging in), and all operations exposed via the web UI are also available via the cli. Just comment out everything in /etc/httpd/conf.d/kojiweb.conf related to authentication, and don't click the login link. ;-)

Koji Hub

Koji-hub is the center of all Koji operations. It is an XML-RPC server running under mod_python in Apache. koji-hub is passive in that it only receives XML-RPC calls and relies upon the build daemons and other components to initiate communication. Koji-hub is the only component that has direct access to the database and is one of the two components that have write access to the file system.

Configuration Files:

• /etc/httpd/conf.d/kojihub.conf
• /etc/httpd/conf.d/ssl.conf (when using ssl auth)

Install koji-hub:

root@localhost$ yum install koji-hub httpd mod_ssl mod_python

Required Configuration

/etc/httpd/conf.d/kojihub.conf: These settings need to be valid and inline with other services configurations.

PythonOption DBName koji
PythonOption DBUser koji
PythonOption DBHost db.example.com
PythonOption KojiDir /mnt/koji
PythonOption LoginCreatesUser On
PythonOption KojiWebURL http://kojiweb.example.com/koji

Optional Configuration

/etc/httpd/conf.d/kojihub.conf: If using Kerberos, these settings need to be valid and inline with other services configurations.

PythonOption AuthPrincipal kojihub@EXAMPLE.COM
PythonOption AuthKeytab /etc/koji.keytab
PythonOption ProxyPrincipals kojihub@EXAMPLE.COM
PythonOption HostPrincipalFormat compile/%s@EXAMPLE.COM

/etc/httpd/conf.d/kojihub.conf: If using SSL auth, these settings need to be valid and inline with other services configurations. ProxyDNs should be set to the DN of the kojiweb certificate.

PythonOption DNUsernameComponent CN
PythonOption ProxyDNs "/C=US/ST=Massachusetts/O=Example Org/OU=Example User/CN=example/emailAddress=example@example.com"

<Location /kojihub>
SSLOptions +StdEnvVars
</Location>

/etc/httpd/conf.d/ssl.conf: Add the needed SSL options for apache.

SSLCertificateFile /path/to/kojihub.crt
SSLCertificateKeyFile /path/to/kojihub.key
SSLCertificateChainFile /path/to/koji_ca_cert.crt
SSLCACertificateFile /path/to/koji_ca_cert.crt
SSLVerifyClient require
SSLVerifyDepth  10

SELinux Configuration

If running in Enforcing mode, you will need to allow apache to connect to the postgreSQL server.

root@localhost$ setsebool -P httpd_can_network_connect_db 1

Koji Web - Interface for the Masses

Koji-web is a set of scripts that run in mod_python and use the Cheetah templating engine to provide an web interface to Koji. koji-web exposes a lot of information and also provides a means for certain operations, such as cancelling builds.

Configuration Files:

• /etc/httpd/conf.d/kojiweb.conf
• /etc/httpd/conf.d/ssl.conf

Install Koji-Web:

root@localhost$ yum install koji-web httpd mod_python mod_ssl

Required Configuration

/etc/httpd/conf.d/kojiweb.conf:

PythonOption KojiHubURL http://hub.example.com/kojihub
PythonOption KojiWebURL http://www.example.com/koji
PythonOption KojiPackagesURL http://server.example.com/mnt/koji/packages


PythonOption WebCert /etc/kojiweb/kojiweb.pem
PythonOption ClientCA /etc/kojiweb/clientca.crt
PythonOption KojiHubCA /etc/kojiweb/kojihubca.crt

PythonOption LoginTimeout 72
PythonOption Secret CHANGE_ME

Optional Configuration

/etc/httpd/conf.d/kojiweb.conf: If using Kerberos, these settings need to be valid and inline with other services configurations.

<Location /koji/login>
AuthType Kerberos
AuthName "Koji Web UI"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealm EXAMPLE.COM
Krb5Keytab /etc/httpd.keytab
KrbSaveCredentials off
Require valid-user
ErrorDocument 401 /koji-static/errors/unauthorized.html
</Location>

/etc/httpd/conf.d/kojiweb.conf: If using SSL auth, these settings need to be valid and inline with other services configurations.

<Location /koji/login>
SSLOptions +StdEnvVars
</Location>

/etc/httpd/conf.d/ssl.conf: Add the needed SSL options for apache.

SSLVerifyClient require
SSLVerifyDepth  10

Koji Daemon - Builder

Kojid is the build daemon that runs on each of the build machines. Its primary responsibility is polling for incoming build requests and handling them accordingly. Koji also has support for tasks other than building. Creating install images is one example. kojid is responsible for handling these tasks as well. kojid uses mock for building. It also creates a fresh buildroot for every build. kojid is written in Python and communicates with koji-hub via XML-RPC.

Configuration Files:

• /etc/kojid/kojid.conf - Koji Daemon Configuration
• /etc/sysconfig/kojid - Koji Daemon Switches

Install kojid:

root@localhost$ yum install koji-builder

Required Configuration

/etc/kojid/kojid.conf: This needs to point at your koji-hub.

; The URL for the xmlrpc server
server=http://hub.example.com/kojihub

; the username has to be the same as what you used with add-host
; in this example follow as below
user = kojibuilder1.example.com

Optional Configuration

/etc/kojid/kojid.conf: If using SSL, these settings need to be valid.

;client certificate
; This should reference the builder certificate we created above, for
; kojibuilder1.example.com
cert = /etc/kojid/kojid.pem

;certificate of the CA that issued the client certificate
ca = /etc/kojid/clientca.crt

;certificate of the CA that issued the HTTP server certificate
serverca = /etc/kojid/serverca.crt

Add the host entry for the koji builder to the database

Make sure you do this before you start kojid for the first time, or you'll need to manually remove entries from the sessions and users table before it can be run successfully.

kojiadmin@localhost$ koji add-host kojibuilder1.example.com i386 x86_64

Add the host to the createrepo channel

Channels are a way to control which builders process which tasks. By default hosts are added to the default channel. This host also needs to be added to the createrepo channel so it will process repo creation tasks.

kojiadmin@localhost$ koji add-host-to-channel kojibuilder1.example.com createrepo

Start Kojid

root@localhost$ /sbin/service kojid start

Check /var/log/kojid.log to verify that kojid has started successfully.

Kojira - Yum repository creation and maintenance

Configuration Files:

• /etc/kojira/kojira.conf - Kojira Daemon Configuration
• /etc/sysconfig/kojira - Kojira Daemon Switches

Install kojira

root@localhost$ yum install koji-utils

Required Configuration

/etc/kojira/kojira.conf: This needs to point at your koji-hub.

; The URL for the xmlrpc server
server=http://hub.example.com/kojihub

Optional Configuration

/etc/kojira/kojira.conf: If using SSL, these settings need to be valid.

;client certificate
; This should reference the kojira certificate we created above
cert = /etc/kojira/kojira.pem

;certificate of the CA that issued the client certificate
ca = /etc/kojid/clientca.crt

;certificate of the CA that issued the HTTP server certificate
serverca = /etc/kojid/serverca.crt

/etc/sysconfig/kojira: The local user kojira runs as needs to be able to read and write to /mnt/koji/repos/. If the volume that directory resides on is root-squashed or otherwise unmodifiable by root, you can set RUNAS= to a user that has the required privileges.

Add the user entry for the kojira user

Create the kojira user, and grant it the repo permission.

kojiadmin@localhost$ koji add-user kojira
kojiadmin@localhost$ koji grant-permission repo kojira

Start Kojira

root@localhost$ /sbin/service kojira start

Check /var/log/kojira/kojira.log to verify that kojira has started successfully.

Bootstrapping the Koji build environment

For instructions on importing packages and preparing Koji to run builds, see ServerBootstrap .