搭建一套Koji编译系统
Koji编译系统的各个组件可以分别搭建在不同的设备上,只要这些设备之间可以相互通信就可以了。这篇文章分别介绍了各个组件的搭建过程,然而,所有组件也可以搭建在同一台设备上。
必备知识
- Basic understanding of SSL and authentication via certificates and/or Kerberos credentials
- Basic knowledge about creating a database in PostgreSQL and importing a schema
- Working with psql
- Basic knowledge about Apache configuration
- Basic knowledge about yum/createrepo/mock - else you'll not be able to debug problems!
- Basic knowledge about using command line
- Basic knowledge about RPM building
- Simple usage of the Koji client
- For an overview of yum, mock, Koji (and all its subcomponents), mash, and how they all work together, see the excellent slides put together by Steve Traylen at CERN [1].
基础软件包
服务器端 (koji-hub/koji-web)
- httpd
- mod_ssl
- postgresql-server
- mod_python (为了满足Kerberos认证功能,mod_python版本需要大于等于3.3.1)
编译机端 (koji-builder)
- mock
- setarch (for some archs you'll require a patched version)
- rpm-build
- createrepo
关于文件系统容量的说明
Koji will consume copious amounts of disk space under the primary KojiDir directory (as set in the kojihub.conf file). However, as koji makes use of mock on the backend to actually create build roots and perform the builds in those build roots, it might come to a surprise to users that a running koji server will consume large amounts of disk space under /var/lib/mock and /var/cache/mock as well. Users should either plan the disk and filesystem allocations for this, or plan to modify the default mock build directory in the kojid.conf file. If you change the location, ensure that the new directories are owned by the group "mock" and have 02755 permission.
为Koji选择认证机制
Koji主要支持Kerberos和SSL证书两种认证机制。在基本的终端交互模式中,Koji还支持基于明文的用户名/密码的认证方式。然而,kojiweb不支持用户名/密码认证方式,并且一旦kojiweb采用了Kerberos或者SSL证书认证方式, 用户名/密码认证方式将会完全失去作用。 因此,我们建议从系统搭建开始就不要采用用户名/密码认证方式,而是合理配置Kerberos或者SSL证书认证方式。
采用哪种认证方式将会影响到koji系统搭建过程中的所有其他方面,因此你最好现在就选定一种认证方式。
For Kerberos authentication, a working Kerberos environment (the user is assumed to either already have this or know how to set it up themselves, instructions for it are not included here) and the Kerberos credentials of the initial admin user will be necessary to bootstrap the user database.
如果选择SSL认证方式,你需要为xmlrpc服务器、koji中各种组件和系统管理员创建SSL证书。你不需要知道证书的创建过程,我们在后面会详细介绍证书的创建过程。
为认证机制创建SSL证书
生成证书
- 创建一个新目录/etc/pki/koji,将下面文件的内容保存在该目录新创建的文件ssl.cnf中。这个配置文件和openssl命令配合使用,用来生成koji各个组件需要的SSL证书。
ssl.cnf
HOME = . RANDFILE = .rand [ca] default_ca = ca_default [ca_default] dir = . certs = $dir/certs crl_dir = $dir/crl database = $dir/index.txt new_certs_dir = $dir/newcerts certificate = $dir/%s_ca_cert.pem private_key = $dir/private/%s_ca_key.pem serial = $dir/serial crl = $dir/crl.pem x509_extensions = usr_cert name_opt = ca_default cert_opt = ca_default default_days = 3650 default_crl_days = 30 default_md = md5 preserve = no policy = policy_match [policy_match] countryName = match stateOrProvinceName = match organizationName = match organizationalUnitName = optional commonName = supplied emailAddress = optional [req] default_bits = 1024 default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes x509_extensions = v3_ca # The extentions to add to the self signed cert string_mask = MASK:0x2002 [req_distinguished_name] countryName = Country Name (2 letter code) countryName_default = AT countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = Vienna localityName = Locality Name (eg, city) localityName_default = Vienna 0.organizationName = Organization Name (eg, company) 0.organizationName_default = My company organizationalUnitName = Organizational Unit Name (eg, section) commonName = Common Name (eg, your name or your server\'s hostname) commonName_max = 64 emailAddress = Email Address emailAddress_max = 64 [req_attributes] challengePassword = A challenge password challengePassword_min = 4 challengePassword_max = 20 unstructuredName = An optional company name [usr_cert] basicConstraints = CA:FALSE nsComment = "OpenSSL Generated Certificate" subjectKeyIdentifier = hash authorityKeyIdentifier = keyid,issuer:always [v3_ca] subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always basicConstraints = CA:true
虽然不是必须的,但是我们建议你根据自己的实际信息修改配置文件中[req_distinguished_name]部分的默认值。这样,当你创建证书的时候你就可以使用大部分的默认值而不需要自己填写信息。配置文件中的其他部分不需要修改。
生成CA证书
CA证书用来标识SSL证书的颁发机构。它是用来签发其他证书的密钥/证书对。当配置koji中各种组件时,客户端和服务器端的CA证书都使用这里生成的CA证书的一份拷贝。CA证书将被放置在目录/etc/pki/koji中,koji各个组件的证书将放置在目录 /etc/pki/koji/certs中。另外需要创建一个index.txt文件,这个文件作为数据库保存了已经创建了的证书的信息。通过查看文件index.txt的内容,我们可以方便地查看任何证书的信息。
cd /etc/pki/koji/ mkdir {certs,private} touch index.txt echo 01 > serial caname=koji openssl genrsa -out private/${caname}_ca_cert.key 2048 openssl req -config ssl.cnf -new -x509 -days 3650 -key private/${caname}_ca_cert.key \ -out ${caname}_ca_cert.crt -extensions v3_ca
上面脚本中的最后一条命令会提示你输入与正在创建的证书相关的一组信息。想必你已经修改了配置文件ssl.cnf中国家、州/省、城市和机构这几个字段的默认值,因此你直接按回车键就可以了。部门和通用名两个字段的值需要根据不同的证书进行修改。对于CA证书,这些字段的取值没有硬性的规定,一种建议是使用服务器的完整域名(FQDN)。
Generate the koji component certificates and the admin certificate
Each koji component needs its own certificate to identify it. Two of the certificates (kojihub and kojiweb) are used as server side certificates that authenticate the server to the client. For this reason, you want the common name on both of those certs to be the fully qualified domain name of the web server they are running on so that clients don't complain about the common name and the server not being the same. You can set the OU for these two certificates to be kojihub and kojiweb for identification purposes.
For the other certificates (kojira, kojid, the initial admin account, and all user certificates), the cert is used to authenticate the client to the server. The common name for these certs should be set to the login name for that specific component. For example the common name for the kojira cert should be set to kojira so that it matches the username. The reason for this is that the common name of the cert will be matched to the corresponding user name in the koji database. If there is not a username in the database which matches the CN of the cert the client will not be authenticated and access will be denied.
When you later use koji add-host to add a build machine into the koji database, it creates a user account for that host even though the user account doesn't appear in the user list. The user account created must match the common name of the certificate which that component uses to authenticate with the server. When creating the kojiweb certificate, you'll want to remember exactly what values you enter for each field as you'll have to regurgitate those into the /etc/koji-hub/hub.conf file as the ProxyDNs entry.
When you need to create multiple certificates it may be convenient to create a loop like the on listed below or to even place the code into a script and run the script in a loop. You can simply adjust the number of kojibuilders and the name of the admin account as you see fit. For much of this guide, the admin account is called "kojiadmin".
for user in kojira kojiweb kojihub kojibuilder{1..5} admin-account; do openssl genrsa -out certs/${user}.key 2048 openssl req -config ssl.cnf -new -nodes -out certs/${user}.csr -key certs/${user}.key openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt \ -out certs/${user}.crt -outdir certs -infiles certs/${user}.csr cat certs/${user}.crt certs/${user}.key > ${user}.pem done
Generate a PKCS12 user certificate (for web browser) This is only required for user certificates.
openssl pkcs12 -export -inkey certs/${user}.key -in certs/${user}.crt -CAfile ${caname}_ca_cert.crt \ -out certs/${user}_browser_cert.p12
When generating certs for a user, the user will need the ${user}.pem, the ${caname}_ca_cert.crt, and the ${user}_browser_cert.p12 files which were generated above. The ${user}.pem file would normally be installed as ~/.fedora.cert, the ${caname}_ca_cert.crt file would be installed as both ~/.fedora-upload-ca.cert and ~/.fedora-server-ca.cert, and the user would import the ${user}_brower_cert.p12 into their web browser as a personal certificate.
Copy certificates into ~/.koji for kojiadmin
You're going to want to be able to send admin commands to the kojihub. In order to do so, you'll need to use the newly created certificates to authenticate with the hub. Copy the certificates for the koji CA and the kojiadmin user to ~/.koji:
kojiadmin@localhost$ mkdir ~/.koji kojiadmin@localhost$ cp /etc/pki/koji/kojiadmin.pem ~/.koji/client.crt kojiadmin@localhost$ cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/clientca.crt kojiadmin@localhost$ cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/serverca.crt
Note: See /etc/koji.conf for the current system wide koji client configuration. Copy /etc/koji.conf to ~/.koji/config if you wish to change the config on a per user basis.
Setting up Kerberos for authentication
The initial configuration of a kerberos service is outside the scope of this document, however there are a few specific things required by koji.
DNS
The koji builders (kojid) use DNS to find the kerberos servers for any given realm.
_kerberos._udp IN SRV 10 100 88 kerberos.EXAMPLE.COM.
The trailing dot denotes DNS root and is needed if FQDN is used.
Principals and Keytabs
It should be noted that in general you will need to use the fully qualified domain name of the hosts when generating the keytabs for services.
You will need the following principals extracted to a keytab for a fully kerborised configuration, the requirement for a host key for the koji-hub is currently hard coded into the koji client.
- host/kojihub@EXAMPLE.COM
- Used by the koji-hub server when communicating with the koji client
- HTTP/kojiweb@EXAMPLE.COM
- Used by the koji-web server when performing a negotiated Kerberos authentication with a web browser. This is a service principal for Apache's mod_auth_kerb.
- koji/kojiweb@EXAMPLE.COM
- Used by the koji-web server during communications with the koji-hub. This is a user principal that will authenticate koji-web to Kerberos as "koji/kojiweb@EXAMPLE.COM". Koji-web will proxy the mod_auth_kerb user information to koji-hub (the
ProxyPrincipals
koji-hub config option).
- Used by the koji-web server during communications with the koji-hub. This is a user principal that will authenticate koji-web to Kerberos as "koji/kojiweb@EXAMPLE.COM". Koji-web will proxy the mod_auth_kerb user information to koji-hub (the
- koji/kojira@EXAMPLE.COM
- Used by the kojira server during communications with the koji-hub
- compile/builder1@EXAMPLE.COM
- Used on builder1 to communicate with the koji-hub
PostgreSQL Server
Once the authentication scheme has been setup your will need to install and configure a PostgreSQL server and prime the database which will be used to hold the koji users.
Configuration Files:
- /var/lib/pgsql/data/pg_hba.conf
- /var/lib/pgsql/data/postgresql.conf
Install PostgreSQL:
root@localhost$ yum install postgresql-server
Initialize PostgreSQL DB:
The following commands will initialize PostgreSQL and will start the database service
root@localhost$ service postgresql initdb root@localhost$ service postgresql start
Setup User Accounts:
The following commands will setup the koji account and assign it a password
root@localhost$ useradd koji root@localhost$ passwd -d koji
Setup PostgreSQL and populate schema:
The following commands will create the koji user within PostgreSQL and will then create the koji database using the schema within the /usr/share/doc/koji*/docs/schema.sql directory
root@localhost$ su - postgres postgres@localhost$ createuser koji Shall the new role be a superuser? (y/n) n Shall the new role be allowed to create databases? (y/n) n Shall the new role be allowed to create more new roles? (y/n) n postgres@localhost$ createdb -O koji koji postgres@localhost$ logout root@localhost$ su - koji koji@localhost$ psql koji koji < /usr/share/doc/koji*/docs/schema.sql koji@localhost$ exit
NOTE: When issuing the command to import the psql schema into the new database it is important to ensure that the directory path /usr/share/doc/koji*/docs/schema.sql remains intact and is not resolved to a specific version of koji. In test it was discovered that when the path is resolved to a specific version of koji then not all of the tables were created correctly
Authorize Koji-web and Koji-hub resources:
In this example, Koji-web and Koji-hub are running on localhost.
/var/lib/pgsql/data/pg_hba.conf: These settings need to be valid and inline with other services configurations. Please note, the first matching auth line is used so this line must be above any other potential matches. Add:
host koji koji 127.0.0.1/32 trust host koji koji ::1/128 trust
You can also use UNIX socket access. The DBHost variable must be unset to use this method. Add:
local koji apache trust local koji apache 127.0.0.1/32 trust local koji apache ::1/128 trust local koji koji trust
Make auth changes live:
The following commands let postgreSQL know that changes have been made and forces it to reload its configuration so that changes become active
root@localhost$ su - postgres postgres@localhost$ pg_ctl reload postgres@localhost$ exit
Bootstrapping the initial koji admin user into the PostgreSQL database:
The initial admin user must be manually added to the user database using sql commands. Once they are added and given admin privilege, they may add additional users and change privileges of those users via the koji command line tool's administrative commands. However, if you choose to use the simple user/pass method of authentication, then any password setting/changing must be done manually via sql commands as there is no password manipulation support exposed through the koji tools.
The sql commands you need to use vary by authentication mechanism.
User/Password Authentication:
root@localhost$ su - koji koji@localhost$ psql koji=> insert into users (name, password, status, usertype) values ('admin-user-name', 'admin-password-in-plain-text', 0, 0);
Kerberos authentication: The process is very similar to user/pass except you would replace the first insert above with this:
root@localhost$ su - koji koji@localhost$ psql koji=> insert into users (name, krb_principal, status, usertype) values ('admin-user-name', 'admin@EXAMPLE.COM', 0, 0);
SSL Certificate authentication: there is no need for either a password or a Kerberos principal, so this will suffice:
root@localhost$ su - koji koji@localhost$ psql koji=> insert into users (name, status, usertype) values ('admin-user-name', 0, 0);
Give yourself admin permissions
The following command will give the user admin permissions. In order to do this you will need to know the ID of the user.
koji=> insert into user_perms (user_id, perm_id, creator_id) values (<id of user inserted above>, 1, <id of user inserted above>);
Note: If you do not know the ID of the admin user, you can get the ID by running the query:
koji=> select * from users;
You can't actually log in and perform any actions until kojihub is up and running in your web server. In order to get to that point you still need to complete the authentication setup and the kojihub configuration. If you wish to access koji via a web browser, you will also need to get kojiweb up and running.
Koji Hub
Koji-hub is the center of all Koji operations. It is an XML-RPC server running under mod_python in Apache. koji-hub is passive in that it only receives XML-RPC calls and relies upon the build daemons and other components to initiate communication. Koji-hub is the only component that has direct access to the database and is one of the two components that have write access to the file system.
Configuration Files:
- /etc/httpd/conf/httpd.conf
- /etc/httpd/conf.d/kojihub.conf
- /etc/httpd/conf.d/ssl.conf (when using ssl auth)
- /etc/koji-hub/hub.conf
Install koji-hub:
root@localhost$ yum install koji-hub httpd mod_ssl mod_python
Required Configuration
/etc/httpd/conf/httpd.conf:
The apache web server has two places that it sets maximum requests a server will handle before the server restarts. The xmlrpc interface in kojihub is a python application, and mod_python can sometimes grow outrageously large when it doesn't reap memory often enough. As a result, it is strongly recommended that you set both instances of MaxRequestsPerChild in httpd.conf to something reasonable in order to prevent the server from becoming overloaded and crashing (at 100 the httpd processes will grow to about 75MB resident set size before respawning).
<IfModule prefork.c> ... MaxRequestsPerChild 100 </IfModule> <IfModule worker.c> ... MaxRequestsPerChild 100 </IfModule>
You'll need to make /mnt/koji/packages web-accessible, either here on the hub, or on koji-web, or on another web server altogether. This URL will later go into the builders' pkgurl config option.
Alias /packages/ /mnt/koji/packages/ <Directory "/mnt/koji/packages"> Options Indexes AllowOverride None Order allow,deny Allow from all </Directory>
/etc/koji-hub/hub.conf:
This file contains the configuration information for the hub. You will need to edit this configuration to point Koji Hub to the database you are using and to setup Koji Hub to utilize the authentication scheme you selected in the beginning.
DBName = koji DBUser = koji DBHost = db.example.com KojiDir = /mnt/koji LoginCreatesUser = On KojiWebURL = http://kojiweb.example.com/koji
Optional Configuration
/etc/koji-hub/hub.conf: If using Kerberos, these settings need to be valid and inline with other services configurations.
AuthPrincipal host/kojihub@EXAMPLE.COM AuthKeytab /etc/koji.keytab ProxyPrincipals koji/kojiweb@EXAMPLE.COM HostPrincipalFormat compile/%s@EXAMPLE.COM
/etc/koji-hub/hub.conf: If using SSL auth, these settings need to be valid and inline with other services configurations for kojiweb to allow logins. ProxyDNs should be set to the DN of the kojiweb certificate.
DNUsernameComponent = CN ProxyDNs = "/C=US/ST=Massachusetts/O=Example Org/OU=Example User/CN=example/emailAddress=example@example.com"
/etc/httpd/conf.d/kojihub.conf: If using SSL auth, uncomment these lines for kojiweb to allow logins."
<Location /kojihub> SSLOptions +StdEnvVars </Location>
/etc/httpd/conf.d/ssl.conf: If using SSL you will also need to add the needed SSL options for apache. These options should point to where the certificates are located on the hub.
SSLCertificateFile /etc/pki/koji/certs/kojihub.crt SSLCertificateKeyFile /etc/pki/koji/certs/kojihub.key SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt SSLVerifyClient require SSLVerifyDepth 10
SELinux Configuration
If running in Enforcing mode, you will need to allow apache to connect to the postgreSQL server. Even if you are not running currently running in Enforcing mode it is still recommended to run the following command to ensure that there are no future issues with SELinux if Enforcing mode is later enabled.
root@localhost$ setsebool -P httpd_can_network_connect_db 1
Koji filesystem skeleton
Above in the kojihub.conf file we set KojiDir to /mnt/koji. For certain reasons, if you change this, you should make a symlink from /mnt/koji to the new location (note: this is a bug and should be fixed eventually). However, before other parts of koji will operate properly, we need to create a skeleton filesystem structure for koji as well as make the file area owned by apache so that the xmlrpc interface can write to it as needed.
cd /mnt mkdir koji cd koji mkdir {packages,repos,work,scratch} chown apache.apache *
At this point, you can now restart apache and you should have at least minimal operation. The admin user should be able to connect via the command line client, add new users, etc. It's possible at this time to undertake initial administrative steps such as adding users and hosts to the koji database.
Ensure that your client is configured to work with your server. The system-wide koji client configuration file is /etc/koji.conf, and the user-specific one is in ~/.koji/config. You may also use the "-c" option when using the Koji client to specify an alternative configuration file. The following command will test your login to the hub:
koji call getLoggedInUser
If you are using SSL for authentication, you will need to edit the Koji client configuration to tell it which URLs to use for the various Koji components and where their SSL certificates can be found.
[koji] ;url of XMLRPC server server = http://hongkong.proximity.on.ca/kojihub ;url of web interface weburl = http://hongkong.proximity.on.ca/koji ;url of package download site pkgurl = http://hongkong.proximity.on.ca/packages ;path to the koji top directory topdir = /mnt/koji ;configuration for SSL athentication ;client certificate cert = ~/.koji/client.crt ;certificate of the CA that issued the client certificate ca = ~/.koji/clientca.crt ;certificate of the CA that issued the HTTP server certificate serverca = ~/.koji/serverca.crt
It is important to note that the kojira component needs repo privileges, but if you just let the account get auto created the first time you run kojira, it won't have that privilege, so you should pre-create the account and grant it the repo privilege now.
kojiadmin@localhost$ koji add-user kojira kojiadmin@localhost$ koji grant-permission repo kojira
For similar technical reasons, you need to add-host each build host prior to starting kojid on that host the first time and could also do that now.
kojiadmin@localhost$ koji add-host kojibuilder1 x86_64 i386 kojiadmin@localhost$ koji add-host kojibuilder2 ppc ppc64 kojiadmin@localhost$ koji add-host kojibuilder3 ia64
Koji Web - Interface for the Masses
Koji-web is a set of scripts that run in mod_python and use the Cheetah templating engine to provide an web interface to Koji. koji-web exposes a lot of information and also provides a means for certain operations, such as cancelling builds.
Configuration Files:
- /etc/httpd/conf.d/kojiweb.conf
- /etc/httpd/conf.d/ssl.conf
Install Koji-Web:
root@localhost$ yum install koji-web mod_ssl
Required Configuration
/etc/httpd/conf.d/kojiweb.conf: You will need to edit the kojiweb configuration file to tell kojiweb which URLs it should use to access the hub, the koji packages and its own web interface. You will also need to tell kojiweb where it can find the SSL certificates for each of these components. If you are using SSL authentication, the "PythonOption WebCert" line below must contain both the public and private key. You will also want to change the last line in the example below to a unique password.
PythonOption KojiHubURL http://hub.example.com/kojihub PythonOption KojiWebURL http://www.example.com/koji PythonOption KojiPackagesURL http://server.example.com/mnt/koji/packages PythonOption WebCert /etc/pki/koji/kojiweb.pem PythonOption ClientCA /etc/pki/koji/koji_ca_cert.crt PythonOption KojiHubCA /etc/pki/koji/koji_ca_cert.crt PythonOption LoginTimeout 72 PythonOption Secret CHANGE_ME
Optional Configuration
You will also need to edit the /etc/httpd/conf.d/kojiweb.conf to configure it for the authentication scheme you have selected at the beginning of the setup.
/etc/httpd/conf.d/kojiweb.conf:
If using Kerberos, these settings need to be valid and inline with other services configurations.
<Location /koji/login> AuthType Kerberos AuthName "Koji Web UI" KrbMethodNegotiate on KrbMethodK5Passwd off KrbServiceName HTTP KrbAuthRealm EXAMPLE.COM Krb5Keytab /etc/httpd.keytab KrbSaveCredentials off Require valid-user ErrorDocument 401 /koji-static/errors/unauthorized.html </Location>
/etc/httpd/conf.d/kojiweb.conf: If using SSL, these settings need to be valid and inline with other services configurations.
<Location /koji/login> SSLOptions +StdEnvVars </Location>
/etc/httpd/conf.d/ssl.conf: If you are using SSL you will need to add the needed SSL options for apache.
SSLVerifyClient require SSLVerifyDepth 10
Web interface now operational
At this point you should be able to point your web browser at the kojiweb URL and be presented with the koji interface. Many operations should work in read only mode at this point, and any configured users should be able to log in.
Koji Daemon - Builder
Kojid is the build daemon that runs on each of the build machines. Its primary responsibility is polling for incoming build requests and handling them accordingly. Koji also has support for tasks other than building such as creating livecd images or raw disk images, and kojid is responsible for handling these tasks as well. kojid uses mock for creating pristine build environments and creates a fresh one for every build, ensuring that artifacts of build processes cannot contaminate each other. kojid is written in Python and communicates with koji-hub via XML-RPC.
Configuration Files:
- /etc/kojid/kojid.conf - Koji Daemon Configuration
- /etc/sysconfig/kojid - Koji Daemon Switches
Install kojid:
root@localhost$ yum install koji-builder
Required Configuration
/etc/kojid/kojid.conf: The configuration file for each koji builder must be edited so that the line below points to the URL for the koji hub. The user tag must also be edited to point to the username used to add the koji builder.
; The URL for the xmlrpc server server=http://hub.example.com/kojihub ; the username has to be the same as what you used with add-host ; in this example follow as below user = kojibuilder1.example.com
This item may be changed, but may not be the same as KojiDir on the kojihub.conf file (although it can be something under KojiDir, just not the same as KojiDir)
; The directory root for temporary storage workdir=/tmp/koji
Optional Configuration (SSL certificates)
/etc/kojid/kojid.conf: If you are using SSL, these settings need to be edited to point to the certificates you generated at the beginning of the setup process.
;client certificate ; This should reference the builder certificate we created above, for ; kojibuilder1.example.com cert = /etc/kojid/kojid.pem ;certificate of the CA that issued the client certificate ca = /etc/kojid/koji_ca_cert.crt ;certificate of the CA that issued the HTTP server certificate serverca = /etc/kojid/koji_ca_cert.crt
It is important to note that if your builders are hosted on seperate machines from koji hub and koji web, you will need to scp the certificates mentioned in the above configuration file from the /etc/kojid/ directory on koji hub to the /etc/koji/ directory on the local machine so that the builder can be authenticated.
Optional Configuration (Kerberos Authentication)
/etc/kojid/kojid.conf: If using Kerberos, these settings need to be valid and inline with other services configurations.
; the username has to be the same as what you used with add-host ;user = host_principal_format=compile/%s@EXAMPLE.COM
By default it will look for the Kerberos keytab in /etc/kojid/kojid.keytab
Note: Kojid will not attempt kerberos authentication to the koji-hub unless the username field is commented out
Add the host entry for the koji builder to the database
You will now need to add the koji builder to the database so that they can be utilized by kojij hub. Make sure you do this before you start kojid for the first time, or you'll need to manually remove entries from the sessions and users table before it can be run successfully.
kojiadmin@localhost$ koji add-host kojibuilder1.example.com i386 x86_64
The first argument used after the add-host command should the username of the builder. The second argument is used to specify the architecture which the builder uses.
Add the host to the createrepo channel
Channels are a way to control which builders process which tasks. By default hosts are added to the default channel. At least some build hosts also needs to be added to the createrepo channel so there will be someone to process repo creation tasks initiated by kojira.
kojiadmin@localhost$ koji add-host-to-channel kojibuilder1.example.com createrepo
A note on capacity
The default capacity of a host added to the host database is 2. This means that once the load average on that machine exceeds 2, kojid will not accept any additional tasks. This is separate from the maxjobs item in the configuration file. Before kojid will accept a job, it must pass both the test to ensure the load average is below capacity and that the current number of jobs it is already processing is less than maxjobs. However, in today's modern age of quad core and higher CPUs, a load average of 2 is generally insufficient to fully utilize hardware. As there is not an option to set the capacity of the host via the command line tools, it must be done manually in psql.
koji@localhost$ psql koji koji=# select (id, name, capacity) from host; row -------------------------------- (1,kojibuilder1.example.com,2) (2,kojibuilder2.example.com,2) (2 rows) koji=# update host set capacity = 16 where id = 1; UPDATE 1 koji=#
Start Kojid
Once the builder has been added to the database you must start kojira
root@localhost$ /sbin/service kojid start
Check /var/log/kojid.log to verify that kojid has started successfully. If the log does not show any errors then the koji builder should be up and ready. You can check this by pointing your web browser to the web interface and clicking on the hosts tab. This will show you a list of builders in the database and the status of each builder.
Kojira - Yum repository creation and maintenance
Configuration Files:
- /etc/kojira/kojira.conf - Kojira Daemon Configuration
- /etc/sysconfig/kojira - Kojira Daemon Switches
Install kojira
root@localhost$ yum install koji-utils
Required Configuration
/etc/kojira/kojira.conf: This needs to point at your koji-hub.
; The URL for the xmlrpc server server=http://hub.example.com/kojihub
Additional Notes:
- Kojira needs read-write access to /mnt/koji.
- There should only be one instance of kojira running at any given time.
- It is not recommended that kojira run on the builders, as builders only should require read-only access to /mnt/koji.
Optional Configuration
/etc/kojira/kojira.conf: If using SSL, these settings need to be valid.
;client certificate ; This should reference the kojira certificate we created above cert = /etc/pki/koji/kojira.pem ;certificate of the CA that issued the client certificate ca = /etc/pki/koji/koji_ca_cert.crt ;certificate of the CA that issued the HTTP server certificate serverca = /etc/pki/koji/koji_ca_cert.crt
If using Kerberos, these settings need to be valid.
; For Kerberos authentication ; the principal to connect with principal=koji/kojira@EXAMPLE.COM ; The location of the keytab for the principal above keytab=/etc/kojira.keytab
/etc/sysconfig/kojira: The local user kojira runs as needs to be able to read and write to /mnt/koji/repos/. If the volume that directory resides on is root-squashed or otherwise unmodifiable by root, you can set RUNAS= to a user that has the required privileges.
Add the user entry for the kojira user
If you did not already do so above, create the kojira user, and grant it the repo permission.
kojiadmin@localhost$ koji add-user kojira kojiadmin@localhost$ koji grant-permission repo kojira
Start Kojira
root@localhost$ /sbin/service kojira start
Check /var/log/kojira/kojira.log to verify that kojira has started successfully.
Bootstrapping the Koji build environment
For instructions on importing packages and preparing Koji to run builds, see Server Bootstrap .
For instructions on using External Repos and preparing Koji to run builds, see External Repo Server Bootstrap .
Useful scripts and config files for setting up a Koji instance are available here
Minutia and Miscellany
Please see KojiMisc for additional details and notes about operating a koji server.