# Overview

This how-to guide is not yet complete; it is based on https://docs.pagure.org/koji/

The setup is as follows:

* CentOS-8 installed
* The firewall allows communication between the hosts
* A public network for access and a private network for communication between the koji and Kerberos hosts
* koji.gnulab.org/10.10.10.2 hosts koji, kojiweb, koji-hub, kojira, the Kerberos server and a Kerberos workstation "for testing"
* builder1.gnulab.org/10.10.10.3 hosts the kojid build daemon and a Kerberos workstation "for testing"
* Your local machine should also have a Kerberos workstation, with the browser configured to use Kerberos
* SSL for the web-facing services is set up with Let's Encrypt; you will need to sort this out yourself
# Getting Kerberos up and running

!!! This guide is for testing only !!!

This setup requires a Kerberos install, but I assume IPA is already in place and will be used

On the koji.gnulab.org machine do the following:

* Install the required packages: ```dnf install krb5-server.x86_64 krb5-workstation.x86_64 -y```
* Edit **/etc/krb5.conf** to look like this:

```
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
rdns = false
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
spake_preauth_groups = edwards25519
default_realm = GNULAB.ORG
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
GNULAB.ORG = {
kdc = koji.gnulab.org
admin_server = koji.gnulab.org
}

[domain_realm]
.gnulab.org = GNULAB.ORG
gnulab.org = GNULAB.ORG
```

* Create the KDC database: ```kdb5_util create -s```
* Edit the Kerberos ACL **/var/kerberos/krb5kdc/kadm5.acl** to look like this:

```
*/admin@GNULAB.ORG *
```

* Create the admin principal: ```kadmin.local -q "addprinc admin/admin"```
* Start your services: ```systemctl enable krb5kdc --now && systemctl enable kadmin --now```
## Principals

koji needs a few principals in Kerberos for authentication, as follows:

- host/kojihub@GNULAB.ORG: used by the koji-hub server when talking to koji clients
- HTTP/kojiweb@GNULAB.ORG: used by the koji-web server when performing negotiated Kerberos authentication with web browsers. This is the service principal for Apache's mod_auth_gssapi.
- koji/kojiweb@GNULAB.ORG: used by the koji-web server during communication with koji-hub. This is a user principal which authenticates "koji/kojiweb@GNULAB.ORG" to Kerberos. Koji-web proxies the mod_auth_gssapi user information to koji-hub (the ProxyPrincipals koji-hub configuration option).
- koji/kojira@GNULAB.ORG: used by the kojira server during communication with koji-hub
- compile/builder1.gnulab.org@GNULAB.ORG: used on builder1 to communicate with koji-hub. This is a user principal which authenticates "compile/builder1.gnulab.org@GNULAB.ORG" to Kerberos. Each builder host will have its own unique Kerberos user principal for authenticating to the hub.
- snagy@GNULAB.ORG: for my testing and as package owner
- HTTP/koji.gnulab.org@GNULAB.ORG: allows clients to use HTTP "I'm not sure"

We can start creating the required principals:

* Run ```kadmin.local``` and then run the following commands:

```
addprinc host/kojihub@GNULAB.ORG
addprinc HTTP/kojiweb@GNULAB.ORG
addprinc koji/kojiweb@GNULAB.ORG
addprinc koji/kojira@GNULAB.ORG
addprinc HTTP/koji.gnulab.org@GNULAB.ORG
addprinc snagy@GNULAB.ORG
addprinc kojiadmin@GNULAB.ORG
```

- Now we need to create the keytab. Keytabs are used for non-password authentication; I guess once you do this you can no longer use a password, but that is fine since most of these are service principals. You can use multiple files if needed. Run ```kadmin.local``` and then run the following commands:

```
ktadd -k /etc/koji.keytab host/kojihub@GNULAB.ORG
ktadd -k /etc/koji.keytab HTTP/kojiweb@GNULAB.ORG
ktadd -k /etc/koji.keytab koji/kojira@GNULAB.ORG
ktadd -k /etc/koji.keytab koji/kojiweb@GNULAB.ORG
ktadd -k /etc/koji.keytab HTTP/koji.gnulab.org@GNULAB.ORG
```

- Verify by running ```klist -k -t /etc/koji.keytab```
- Change the permissions: ```chmod 644 /etc/koji.keytab```

The listing should look like this:

```
root# klist -k -t /etc/koji.keytab
Keytab name: FILE:/etc/koji.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/19/2020 15:00:53 koji/kojira@GNULAB.ORG
   2 12/19/2020 15:00:53 koji/kojira@GNULAB.ORG
   2 12/19/2020 15:01:08 koji/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:08 koji/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:14 HTTP/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:14 HTTP/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:20 host/kojihub@GNULAB.ORG
   2 12/19/2020 15:01:20 host/kojihub@GNULAB.ORG
   2 12/19/2020 15:38:52 HTTP/koji.gnulab.org@GNULAB.ORG
   2 12/19/2020 15:38:52 HTTP/koji.gnulab.org@GNULAB.ORG
```
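Eyeballing that listing works for five principals, but it is easy to miss one, or to end up with entries at two different KVNOs after a re-run of `ktadd` (older KVNO entries become stale once the KDC rotates the key). The following is an added example, not part of the original guide or of koji: it parses `klist -k -t` output and reports which of the guide's required principals are missing and which carry more than one KVNO. The `SAMPLE` text is constructed from the guide's listing with one principal dropped and one stale entry added.

```python
"""Check klist -k -t output for a koji keytab: every required principal
present, and a single KVNO per principal.  Added example; it parses
klist's text output and never opens the keytab itself."""
import re
from collections import defaultdict

# Principals the guide writes into /etc/koji.keytab.
REQUIRED_PRINCIPALS = {
    "host/kojihub@GNULAB.ORG",
    "HTTP/kojiweb@GNULAB.ORG",
    "koji/kojiweb@GNULAB.ORG",
    "koji/kojira@GNULAB.ORG",
    "HTTP/koji.gnulab.org@GNULAB.ORG",
}

# One entry line of ``klist -k -t``: KVNO, date, time, principal.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s*$")


def parse_klist(output):
    """Return {principal: set of KVNOs}; header, ruler and blank lines
    do not match ENTRY_RE and are skipped."""
    kvnos = defaultdict(set)
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvnos[m.group(4)].add(int(m.group(1)))
    return dict(kvnos)


def check_keytab(output, required=REQUIRED_PRINCIPALS):
    """Return (missing principals, principals with more than one KVNO).
    Two empty lists mean the keytab is complete and consistent."""
    kvnos = parse_klist(output)
    missing = sorted(p for p in required if p not in kvnos)
    mixed = sorted(p for p, k in kvnos.items() if len(k) > 1)
    return missing, mixed


# Constructed sample: the guide's listing without HTTP/koji.gnulab.org,
# plus a stale KVNO 1 entry for koji/kojira from an earlier ktadd.
SAMPLE = """\
Keytab name: FILE:/etc/koji.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12/18/2020 09:10:00 koji/kojira@GNULAB.ORG
   2 12/19/2020 15:00:53 koji/kojira@GNULAB.ORG
   2 12/19/2020 15:00:53 koji/kojira@GNULAB.ORG
   2 12/19/2020 15:01:08 koji/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:14 HTTP/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:20 host/kojihub@GNULAB.ORG
"""

if __name__ == "__main__":
    missing, mixed = check_keytab(SAMPLE)
    print("missing principals:", missing)
    print("principals with mixed KVNO:", mixed)
```

On the real host, feed it `subprocess.run(["klist", "-k", "-t", "/etc/koji.keytab"], capture_output=True, text=True).stdout` instead of `SAMPLE`. One point worth keeping in mind about the `chmod 644` step above: the keytab holds the long-term keys of all five principals, so any local account that can read it can authenticate as them; on a host with other users, restricting the file to the accounts the services actually run as is the tighter choice.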
# Setting up the koji ecosystem

We will first set up the DB, koji-hub and kojiweb, then kojira

## Database

On the main server koji.gnulab.org, do the following:

* We need to install postgresql: ```dnf install postgresql-server -y```
* Initialize the postgresql database: ```postgresql-setup --initdb --unit postgresql```
* Start the service: ```systemctl enable postgresql --now```
* Add the koji user:

```
useradd koji
passwd koji
su - postgres
createuser --no-superuser --no-createrole --no-createdb koji
createdb -O koji koji
psql -c "alter user koji with encrypted password 'mysupercomplexpassword';"
```

* Install koji: ```dnf install koji -y```
* Load the DB schema into postgresql:

```
su - koji
psql koji koji < /usr/share/doc/koji*/docs/schema.sql
```
* Postgresql permissions: since my koji server is on the same machine as postgresql, I use socket communication rather than TCP/IP
* Edit **/var/lib/pgsql/data/pg_hba.conf** as follows; "order matters":

```
# "local" is for Unix domain socket connections only
local koji koji trust
local all all peer
```

* Reload postgresql: ```systemctl reload postgresql```
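The "order matters" remark is the whole point of this file: PostgreSQL applies the first line that matches the connection type, database and user, and ignores everything after it. The `trust` line also means that any local OS account able to open the socket can connect to the `koji` database as `koji` with no credentials at all, so it is worth knowing exactly which line wins. The following is an added example, not part of the guide or of PostgreSQL: a small resolver that applies the first-match rule to a pg_hba.conf text. It handles `local` and `host`-style lines with plain names, `all` and comma-separated lists; address matching for `host` lines is deliberately not implemented. The `SAMPLE` text is constructed from the guide's two lines plus the two `host` lines a default pg_hba.conf ships with.

```python
"""Resolve which pg_hba.conf rule PostgreSQL would apply to a connection
(first match wins) and list the rules that skip authentication entirely.
Added example; covers local/host lines with plain names, 'all' and
comma-separated lists, and ignores the ADDRESS column of host lines."""


def parse_pg_hba(text):
    """Return the rules in file order.  Each rule is a dict with type,
    databases, users, address (None for local) and method."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":              # TYPE DATABASE USER METHOD
            ctype, db, user, method = fields[:4]
            address = None
        else:                                 # TYPE DATABASE USER ADDRESS METHOD
            ctype, db, user, address, method = fields[:5]
        rules.append({"type": ctype, "databases": db.split(","),
                      "users": user.split(","), "address": address,
                      "method": method})
    return rules


def _matches(patterns, value):
    return "all" in patterns or value in patterns


def resolve(rules, conn_type, database, user):
    """Return the first rule matching the connection, or None: with no
    matching line PostgreSQL rejects the connection outright."""
    for rule in rules:
        type_ok = rule["type"] == conn_type or (
            conn_type == "host" and rule["type"] in ("hostssl", "hostnossl"))
        if (type_ok and _matches(rule["databases"], database)
                and _matches(rule["users"], user)):
            return rule
    return None


def trust_rules(rules):
    """Rules whose method is 'trust', i.e. no authentication is performed."""
    return [r for r in rules if r["method"] == "trust"]


# Constructed sample: the guide's two lines plus the default host lines.
SAMPLE = """\
# "local" is for Unix domain socket connections only
local koji koji trust
local all all peer
host  all all 127.0.0.1/32 ident
host  all all ::1/128      ident
"""

if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE)
    for who in ("koji", "root"):
        print("local koji db as %s -> %s" % (who, resolve(rules, "local", "koji", who)["method"]))
    print("rules without authentication:", [r["users"] for r in trust_rules(rules)])
```

Swapping the two `local` lines changes the outcome: with `local all all peer` first, the `koji` user would be authenticated by `peer` (OS identity must equal the database user) and the `trust` line would never be reached, which is the behaviour the guide's warning about order refers to.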
* Create the koji authentication for Kerberos:

```
su - koji
psql <<EOF
with user_id as (
insert into users (name, status, usertype) values ('kojiadmin', 0, 0) returning id
)
insert into user_krb_principals (user_id, krb_principal) values (
(select id from user_id),
'kojiadmin@GNULAB.ORG');
EOF
```

* Then give that user the admin permission, using the id shown by `select * from users`:

```
su - koji
psql
koji=> select * from users;
koji=> insert into user_perms (user_id, perm_id, creator_id) values (<id of user inserted above>, 1, <id of user inserted above>);
```
## /mnt/koji and NFS

- Create the koji filesystem skeleton
- Set up NFS and apache:

```
dnf install nfs-utils httpd -y
cd /mnt
mkdir koji
cd koji
mkdir {packages,repos,work,scratch,repos-dist}
chown apache.apache *
```

- Start the service: ```systemctl enable --now nfs-server```
- Edit **/etc/exports** as follows:

```
/mnt/koji 10.10.10.3(ro,sync,no_all_squash,root_squash)
```

- Export the filesystem: ```exportfs -ra```
- Check the current state: ```exportfs -v```
- On the client, install the NFS client packages: ```dnf install nfs-utils nfs4-acl-tools -y```
- Create the local directory: ```mkdir /mnt/koji```
- Mount the NFS share: ```mount -t nfs 10.10.10.2:/mnt/koji /mnt/koji```
## Kojihub

- Install kojihub: ```dnf install koji-hub mod_ssl -y```
- Enable the postgresql cleanup job: ```systemctl enable --now koji-sweep-db.timer```
- Enable Kerberos authentication in **/etc/httpd/conf.d/kojihub.conf** by uncommenting the following section:

```
# uncomment this to enable authentication via GSSAPI
<Location /kojihub/ssllogin>
    AuthType GSSAPI
    AuthName "GSSAPI Single Sign On Login"
    GssapiCredStore keytab:/etc/koji.keytab
    Require valid-user
</Location>
```

- The koji-hub configuration in **/etc/koji-hub/hub.conf** looks like this:

```
[hub]
DBName = koji
DBUser = koji
KojiDir = /mnt/koji
AuthPrincipal = host/kojihub@GNULAB.ORG
AuthKeytab = /etc/koji.keytab
ProxyPrincipals = koji/kojiweb@GNULAB.ORG
HostPrincipalFormat = compile/%s@GNULAB.ORG
LoginCreatesUser = On
KojiWebURL = https://koji.gnulab.org/koji
NotifyOnSuccess = True
```

- Install the selinux policy utils: ```dnf install policycoreutils-python-utils -y```
- Let's fix some selinux issues:

```
setsebool -P allow_httpd_anon_write=1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_use_nfs=1
semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?"
restorecon -r -v /mnt/koji
```

## Configure koji cli client

* Edit **/etc/koji.conf** as follows:

```
[koji]
server = https://koji.gnulab.org/kojihub
weburl = https://koji.gnulab.org/koji
topurl = https://koji.gnulab.org/
topdir = /mnt/koji
authtype = kerberos
krb_rdns = false
plugins = runroot
use_fast_upload = yes
```

* Restart httpd: ```systemctl restart httpd```
* Test by running the following on the koji server:

```
kinit -p kojiadmin@GNULAB.ORG
koji moshimoshi
```

which should report:

```
You are using the hub at https://koji.gnulab.org/kojihub
Authenticated via GSSAPI
```
## Kojiweb

* Install kojiweb: ```dnf install koji-web -y```
* Edit **/etc/httpd/conf.d/kojiweb.conf** to allow kerberos by uncommenting the section marked:

```
# uncomment this to enable authentication via Kerberos
```

* Edit the Kojiweb configuration **/etc/kojiweb/web.conf**:

```
[web]
KojiHubURL = https://koji.gnulab.org/kojihub
KojiFilesURL = https://koji.gnulab.org/kojifiles
WebPrincipal = koji/kojiweb@GNULAB.ORG
WebKeytab = /etc/koji.keytab
WebCCache = /var/tmp/kojiweb.ccache
KrbService = koji.gnulab.org
KrbServerRealm = GNULAB.ORG
LoginTimeout = 72
Secret = asdasdf12313ewdasfq234f
LibPath = /usr/share/koji-web/lib
LiteralFooter = True
```

* Restart apache: ```systemctl reload httpd```
## Setting up the builder / kojid / koji-builder

This configuration will be on the building node(s)

* Install koji-builder: ```dnf install koji-builder -y```
* Edit **/etc/kojid/kojid.conf** as follows:

```
[kojid]
topdir=/mnt/koji
workdir=/tmp/koji
server=https://koji.gnulab.org/kojihub
topurl=https://koji.gnulab.org/kojifiles
; these are used for building packages from git.c.o and Mustafa's git
allowed_scms=git.centos.org:/:off:get_sources.sh gitlab.rockylinux.bycrates.org:/:off:/bin/sh,/usr/bin/srpmproc_wrapper
host_principal_format=compile/%s@GNULAB.ORG
```

On the koji main server, run the following commands:

* Add the new builder: ```koji add-host builder1.gnulab.org x86_64```
* Add it to the createrepo channel: ```koji add-host-to-channel builder1.gnulab.org createrepo```
* I did adjust the capacity since it is a small machine: ```koji edit-host --capacity=8 builder1.gnulab.org```
* Note, by default kojid uses DNS to talk to koji-hub, so you need to have an SRV record in your DNS as follows:
* Kojid looks for **/etc/kojid/kojid.keytab** by default, so you need to create a file with the compile principal as above and place it in the right location on the builder node(s)

On the builder node, enable and start kojid: ```systemctl enable kojid --now```
## Kojira

* Install koji-utils: ```dnf install koji-utils -y```
* Add the kojira user and give it the repo permission
* Edit **/etc/kojira/kojira.conf** as follows:

```
[kojira]
server=https://koji.gnulab.org/kojihub
topdir=/mnt/koji
logfile=/var/log/kojira.log
principal = koji/kojira@GNULAB.ORG
keytab = /etc/koji.keytab
```

* Start the Kojira service: ```systemctl enable kojira --now```
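The hub, kojiweb, kojid and kojira sections above all have to agree with each other: kojiweb's `WebPrincipal` must be listed in the hub's `ProxyPrincipals` or proxied web logins are refused, kojid's `host_principal_format` must match the hub's `HostPrincipalFormat` or builders will authenticate under a name the hub does not expect, every service must point at the same hub URL, and each service principal must actually exist in the keytab it is told to use. The following is an added example, not part of the guide or of koji, that loads the four files with `configparser` and reports any mismatch. The `[hub]`, `[web]`, `[kojid]` and `[kojira]` section names are the ones the real files use, the option names are those shown in the guide, and the sample contents and keytab principal set are constructed from the guide's own values (trimmed to the options the check reads).

```python
"""Cross-check koji's hub.conf, web.conf, kojid.conf and kojira.conf against
each other and against the set of principals in the keytab.  Added example;
the sample file contents below are constructed from the guide."""
import configparser


def load(text):
    """Parse one koji config from a string.  Interpolation is off because
    HostPrincipalFormat contains a literal %s."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def builder_principal(kojid, hostname):
    """Principal a builder with this hostname will present to the hub."""
    return kojid["kojid"]["host_principal_format"] % hostname


def cross_check(hub, web, kojid, kojira, keytab_principals):
    """Return a list of human-readable findings; empty means consistent."""
    findings = []
    proxy = set(hub["hub"]["ProxyPrincipals"].replace(",", " ").split())
    if web["web"]["WebPrincipal"] not in proxy:
        findings.append("kojiweb WebPrincipal %s is not in hub ProxyPrincipals"
                        % web["web"]["WebPrincipal"])
    if kojid["kojid"]["host_principal_format"] != hub["hub"]["HostPrincipalFormat"]:
        findings.append("HostPrincipalFormat differs between hub and kojid")
    urls = {web["web"]["KojiHubURL"], kojid["kojid"]["server"], kojira["kojira"]["server"]}
    if len(urls) != 1:
        findings.append("services disagree on the hub URL: %s" % sorted(urls))
    for label, principal in (("hub AuthPrincipal", hub["hub"]["AuthPrincipal"]),
                             ("kojiweb WebPrincipal", web["web"]["WebPrincipal"]),
                             ("kojira principal", kojira["kojira"]["principal"])):
        if principal not in keytab_principals:
            findings.append("%s %s is not in the keytab" % (label, principal))
    return findings


# Constructed samples, reduced to the options the check reads.
HUB = """[hub]
AuthPrincipal = host/kojihub@GNULAB.ORG
AuthKeytab = /etc/koji.keytab
ProxyPrincipals = koji/kojiweb@GNULAB.ORG
HostPrincipalFormat = compile/%s@GNULAB.ORG
"""
WEB = """[web]
KojiHubURL = https://koji.gnulab.org/kojihub
WebPrincipal = koji/kojiweb@GNULAB.ORG
WebKeytab = /etc/koji.keytab
"""
KOJID = """[kojid]
server=https://koji.gnulab.org/kojihub
host_principal_format=compile/%s@GNULAB.ORG
"""
KOJIRA = """[kojira]
server=https://koji.gnulab.org/kojihub
principal = koji/kojira@GNULAB.ORG
keytab = /etc/koji.keytab
"""
# What `klist -k /etc/koji.keytab` lists after the guide's ktadd commands.
KEYTAB = {"host/kojihub@GNULAB.ORG", "HTTP/kojiweb@GNULAB.ORG",
          "koji/kojiweb@GNULAB.ORG", "koji/kojira@GNULAB.ORG",
          "HTTP/koji.gnulab.org@GNULAB.ORG"}

if __name__ == "__main__":
    findings = cross_check(load(HUB), load(WEB), load(KOJID), load(KOJIRA), KEYTAB)
    print("findings:", findings or "none")
    print("builder1 will authenticate as",
          builder_principal(load(KOJID), "builder1.gnulab.org"))
```

On a live host, replace the sample strings with the contents of the four files and build `KEYTAB` from the `klist -k` listing; the builder principal it prints is the one that must exist in `/etc/kojid/kojid.keytab` on that builder.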
# Koji bootstrapping

I went with the external repo method to bootstrap the setup, so I added external repos and created the following tags and targets; this work is based on: https://docs.pagure.org/koji/external_repo_server_bootstrap/

On the main node, run the following:

* Add your final dist tag: ```koji add-tag dist-rocky8```
* Create the build tag: ```koji add-tag --parent dist-rocky8 --arches "x86_64" -x mock.yum.module_hotfixes=1 dist-rocky8-build```
* Add the external repos. I hard coded the ARCH, but you can use $arch instead of x86_64 in the repo URL:
* I also created a small package for centospkg-minimal and srpmproc and created a local repo, so adding that too:
* Add the targets: ```koji add-target dist-rocky8 dist-rocky8-build dist-rocky8```
* Create the bootstrapping groups for build and srpm-build
* Add the bootstrapping packages:
* Regenerate the repos: ```koji regen-repo dist-rocky8-build```
# Running a test

I ran the following test to build a package from git.centos.org:

* ```koji add-user snagy```
* ```koji add-pkg --owner snagy dist-rocky8 python36``` "need to check if this is needed"