== Project Description ==
The Fedora-ARM koji system uese HongKongIRAQ,an x86_64 system, as the Koji hub.
The Fedora-ARM project to use ARM system as the Koji hub(this is called "Eating own dogfood" in the industry)
== Project Details ==
'''First stage'''
* '''Koji Authentication Selection'''
Setting Up a Koji primarily supports Kerberos and SSL Certificate authentication. For basic koji command line access, plain user/pass combinations are possible. However, kojiweb does not support plain user/pass authentication. Furthermore, once either Kerberos or SSL Certificate authentication is enabled so that kojiweb will work, the plain user/pass method will stop working entirely. As such plain user/pass authentication is a stop gap measure at best unless you intend to never setup a fully functional kojiweb instance.Build System
The Kerberos credentials of the initial admin user will be necessary Koji components may live on separate resources as long as all resources are able to bootstrap the user databasecommunicate.To understand koji configuration is an important in project.
For SSL authentication, SSL certificates for the xmlrpc server, for the various koji components, and one for the admin user will need to be setup'''KOJI Configuration'''
1.[http://fedoraproject.org/wiki/Koji/ServerHowTo#Koji_Authentication_Selection Setting up * SSL Certificates for and authentication]via certificates* Creating a database in PostgreSQL and importing a schema* Working with psql* Apache configuration* Koji web and Koji hub
2.[http://fedoraproject.org/wiki/Koji/ServerHowTo#Setting_up_Kerberos_for_authentication Setting up Kerberos for authentication]
So,Release 0.1 results here [http://ycshon.blogspot.com/2010/11/sbr-600-project-release-01.html in my blog]
'''Second stagePackages'''
* Koji DatabaseOn the server (koji-hub/koji-web)
* httpd* mod_ssl* postgresql-server* mod_python (>= 3.3.1.Create Databasefor Kerberos authentication)
yum install postgresqlOn the builder (koji-serverbuilder)
2. Once installed you will then need to initialize the Database with the following command:* mock* rpm-build* createrepo
service postgresql initdbOn the yum repository creation and maintenance (kojira)
3.Start On the Postgresql service with:Bootrapping the Koji build environment
service postgresql start* Importing packages and preparing Koji to run builds* External Repos and preparing Koji to run builds
4. At this point the Postgresql server is installed and operational provided no errors were reported with the database initialized.== Project Plan ==
The next steps is to create a user named “koji”, set up Postgresql and populate the schemaGoals for each release:
useradd koji passwd '''release 0.1 -d koji su - postgres createuser koji Shall the new role be a superuser? (y/n) n Shall the new role be allowed to create databases? (y/n) n Shall the new role be allowed to create more new roles?(y/n) nKoji Certificates '''
createdb -O koji koji logout su - koji psql koji koji < /usr/share/doc/koji*/docs/schema.sql exit'''setting up SSL Certificates for Authentication'''
So,Release 0.2-1 results here [http://ycshon.blogspot.com/2010/11* Certificate generation* Generate CA* Generate the koji component certificates and the admin certificate* Copy certificates into ~/sbr-600-project-release-02-1.html in my blog]koji for kojiadmin
* Koji Hub Configuration
1. introduction
It was agreed that all parts of our Koji build system would reside on IRAQ'''release 0.2 - PostgreSQL and koji hub'''
After successfully installing and configuring Postgresql the next step is the Koji Hub'''release 0.2-1'''
In order for the Koji Hub to work Apache should be installed as well as a few additional modules'''1.PostgreSQL Server'''
Run the following command as root:* Install PostgreSQL* Initialize PostgreSQL DB* Setup User Accounts* Setup PostgreSQL and populate schema* Authorize Koji-web and Koji-hub resources* Make auth changes live* SSL Certificate authentication* Give yourself admin permissions
yum install koji-hub httpd mod_ssl mod_python
'''release 0.2. Edit the Apache conf file-2'''
~/etc/httpd/conf/httpd.conf and change the “MaxRequestsPerChild” to 100'''2.Koji hub'''
On IRAQ these setting were already in place as Apache was running and configured.* Install koji-hub* Required Configuration* Optional Configuration* SELinux Configuration* Koji filesystem skeleton
Next edit the ‘/etc/koji-hub/hub.conf’ file and add the following lines:
DBName = koji DBUser = koji DBHost = localhost KojiDir = /mnt/koji LoginCreatesUser = On KojiWebURL = http://iraq* 0.proximity.on.ca/koji 3. Using SSL for authentication Add this line. DNUsernameComponent = CN ProxyDNs = "/C=CA/ST=Ontario/O=Seneca CDOT/OU=/CN=kojiweb/emailAddress=" And in the /etc/httpd/conf.d/kojihub.conf uncomment the following lines: <Location /kojihub> SSLOptions +StdEnvVars </Location> 4.Using [http://zenit.senecac.on.ca/wiki/index.php/Fedora_Arm_Secondary_Architecture/Koji_Certificates the - '''Koji certificates] ,and add the following lines to ‘/etc/httpd/conf.d/ssl.conf’, under the section ‘VirtualHost _default_:443′: SSLCertificateFile /etc/pki/koji/certs/kojihub.crtSSLCertificateKeyFile /etc/pki/koji/certs/kojihub.key SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crtSSLCACertificateFile /etc/pki/koji/koji_ca_cert.crtSSLVerifyClient requireSSLVerifyDepth 10 5. SE LinuxIn the IRAQ. In order to allow Apache to connect to the Postgresql database run the following command as root: setsebool -P httpd_can_network_connect_db 1 6.A skeleton filesystemWeb'''
To allow Koji to work, a skeleton filesystem needs to be created and the ownership'''release 0.3-1'''
changed so Apache can write to it as required'''1. The following commands were executed:kojiweb '''
* Install Koji-Web mkdir -p /mnt/koji/{packages,repos,work,scratch}* Required Configuration chown -R apache.apache /mnt/koji* Optional Configuration
Then edited the '/etc/koji''2.confKoji Builder''' file and changed the following lines:
;url of XMLRPC server* Install kojid server = http://iraq.proximity.on.ca/kojihub* Required Configuration ;url of web interface* Optional Configuration (SSL certificates) weburl = http://iraq.proximity.on.ca/koji ;url of package download site pkgurl = http://iraq.proximity.on.ca/packages ;path to * Add the koji top directory topdir = /mnt/koji ;configuration host entry for SSL athentication ;client certificate cert = ~/.the koji/client.crt ;certificate of the CA that issued builder to the client certificate ca = ~/.koji/clientca.crtdatabase ;certificate of * Add the CA that issued host to the HTTP server certificatecreaterepo channel serverca = ~/.koji/serverca.crt* A note on capacity * Start Kojid
7. Build accountsThe final step is the addition of the user and builder accounts'''3.kojira'''
First add the * Install kojira account and grant repo privileges with * Required Configuration* Optional Configuration* Add the following command( this should be done before running kojira user entry for the first time) :kojira user* Start Kojira
su - kojiadmin
koji add-user kojira
koji grant-permission repo kojira
Then add as many builders as required using the following commands editing where required (this should also be done prior to running kojid on each host):
koji add'''release 0.3-host arm-001-001 arm koji add-host arm-001-002 arm koji add-host arm-001-003 arm2'''
So,Release 0.2-2 results here [http://ycshon.blogspot.com/2010/11/sbr-600-project-release-02-'''2.html in my blog]Test kojiweb'''
'''Last stage'''* User account* Build packages
Authorize Koji-web and Koji-hub resources: In this example, Koji-web and Koji-hub are running on localhost.
/var/lib/pgsql/data/pg_hba.conf: These settings need to be valid and inline with other services configurations.
Please note, the first matching auth line is used so this line must be above any other potential matches. Add:
host koji koji 127.0.0.1/32 trust
local koji apache trust
local koji koji trust
'''TO enable auth changes live:'''
root@localhost$ su - postgres
postgres@localhost$ pg_ctl reload
postgres@localhost$ exit
Bootstrapping the initial koji admin user into the PostgreSQL database: The initial admin user must be manually added to the user database using sql commands. Once they are added and given admin privilege, they may add additional users and change privileges of those users via the koji command line tool's administrative commands. However, if you choose to use the simple user/pass method of authentication, then any password setting/changing must be done manually via sql commands as there is no password manipulation support exposed through the koji tools.
The sql commands you need to use vary by authentication mechanism.
SSL Certificate authentication: there is no need for either a password or a Kerberos principal, so this will suffice:
koji=> insert into users (name, status, usertype) values ('admin-user-name', 0, 0);
Give yourself admin permissions
koji=> insert into user_perms (user_id, perm_id, creator_id) values (<id of user inserted above>, 1, <id of user inserted above>);
you can get the ID of the new user by running the query:
koji=> select * from users;
So,Release 0.3-1 results here [http://ycshon.blogspot.com/2010/11/sbr-600-project-release-02-1.html in my blog]
'''Setup Koji Web'''
1.Introduction
Koji-web is a set of scripts that run in mod_python and use the Cheetah templating engine to provide an web interface to Koji.
koji-web exposes a lot of information and also provides a means for certain operations, such as cancelling builds.
Run the following command as root:
root@localhost$ yum install koji-web mod_ssl
2. Edit the file /etc/httpd/conf.d/kojiweb.conf:
PythonOption KojiHubURL http://hub.example.com/kojihub
PythonOption KojiWebURL http://www.example.com/koji
PythonOption KojiPackagesURL http://server.example.com/mnt/koji/packages
PythonOption WebCert /etc/pki/koji/kojiweb.pem
PythonOption ClientCA /etc/pki/koji/koji_ca_cert.crt
PythonOption KojiHubCA /etc/pki/koji/koji_ca_cert.crt
PythonOption LoginTimeout 72
PythonOption Secret CHANGE_ME
3. Optional Configuration
/etc/httpd/conf.d/kojiweb.conf:
If using Kerberos, these settings need to be valid and inline with other services configurations.
<pre><Location /koji/login>
AuthType Kerberos
AuthName "Koji Web UI"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealm EXAMPLE.COM
Krb5Keytab /etc/httpd.keytab
KrbSaveCredentials off
Require valid-user
ErrorDocument 401 /koji-static/errors/unauthorized.html
</Location></pre>
/etc/httpd/conf.d/kojiweb.conf:
If using SSL auth, these settings need to be valid and inline with other services configurations.
<pre><Location /koji/login>
SSLOptions +StdEnvVars
</Location></pre>
/etc/httpd/conf.d/ssl.conf: Add the needed SSL options for apache.
<pre>SSLVerifyClient require
SSLVerifyDepth 10</pre>
If you are using SSL authentication, the "PythonOption WebCert" file above must contain both the public and private key.
Web interface now operational
At this point you should be able to point your web browser at the kojiweb URL and be presented with the koji interface. Many operations should work in read only mode at this point, and any configured users should be able to log in.
== Project Plan ==
Goals for each release:
* 0.1 - '''Koji Certificates '''
Koji Hub setup - Certificates/security
* 0.2 - '''Koji Hub setup and Koji Database'''
Koji Hub Setup- Configuration
To setup PostgreSQL for use with Koji
* 0.3 - '''Koji Web'''
Create koji web
== Project News ==
19,November I set up Koji Database.
26,November I set Setting up Postgresql server for Koji hub Configurationpart 1
6,Dec Setting up Postgresql server for Koji part two
16,Dev setting up Koji hub and Koji web,
== Resources ==
[http://fedoraproject.org/wiki/Koji/ServerHowTo#PostgreSQL_Server PostgreSQL_Server]
[http://fedoraproject.org/wiki/Koji/ServerBootstrap importing packages and preparing Koji to run builds]
[http://fedoraproject.org/wiki/Koji/ExternalRepoServerBootstrap External Repos and preparing Koji to run builds]
