# Overview
This guide is a work in progress and is based on https://docs.pagure.org/koji/

The setup is as follows:
* CentOS-8 installed
* The firewall allows communication between the hosts
* A public network for access, and a private network for Koji and Kerberos traffic between the hosts
* koji.gnulab.org/10.10.10.2 hosts Koji, KojiWeb, Koji-hub, Kojira, the Kerberos server and a Kerberos workstation "for testing"
* builder1.gnulab.org/10.10.10.3 hosts the Kojid build daemon and a Kerberos workstation "for testing"
* Your local machine should also have the Kerberos workstation tools, with the browser configured to use Kerberos
* SSL for the web-facing services is set up with Let's Encrypt; you will need to handle that yourself
# Getting Kerberos up and running
!!! This is only a quick test guide !!!

You need to install Kerberos for this setup, but I assume IPA is in place and will be used
On the koji.gnulab.org machine, do the following:
* Install the required packages: ```dnf install krb5-server.x86_64 krb5-workstation.x86_64 -y```
* Edit **/etc/krb5.conf** so it looks like this:
```
# To opt out of the system crypto-policies configuration of krb5, remove the
# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
 spake_preauth_groups = edwards25519
 default_realm = GNULAB.ORG
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 GNULAB.ORG = {
  kdc = koji.gnulab.org
  admin_server = koji.gnulab.org
 }

[domain_realm]
 .gnulab.org = GNULAB.ORG
 gnulab.org = GNULAB.ORG
```
* Create the Kerberos database: ```kdb5_util create -s```
* Edit the Kerberos ACL **/var/kerberos/krb5kdc/kadm5.acl** so it looks like this: ```*/admin@GNULAB.ORG *```
* Create the admin principal: ```kadmin.local -q "addprinc admin/admin"```
* Start your services: ```systemctl enable krb5kdc --now && systemctl enable kadmin --now```
## Principals
Koji needs several principals in Kerberos for authentication, as follows:
- host/kojihub@GNULAB.ORG: used by the Koji-hub server when talking to Koji clients
- HTTP/kojiweb@GNULAB.ORG: used by the Koji-web server when performing negotiated Kerberos authentication with web browsers. This is the service principal for Apache's mod_auth_gssapi.
- koji/kojiweb@GNULAB.ORG: used by the Koji-web server when talking to Koji-hub. This is a user principal that authenticates Koji-web to Kerberos as "koji/kojiweb@GNULAB.ORG". Koji-web proxies the mod_auth_gssapi user information to Koji-hub (the ProxyPrincipals configuration option of Koji-hub).
- koji/kojira@GNULAB.ORG: used by the Kojira server when talking to Koji-hub
- compile/builder1.gnulab.org@GNULAB.ORG: used on builder1 to talk to Koji-hub. This is a user principal that authenticates Koji-builder to Kerberos as "compile/builder1.gnulab.org@GNULAB.ORG". Each builder host gets its own unique Kerberos user principal to authenticate to the hub.
- snagy@GNULAB.ORG: for my testing, and as package owner
- HTTP/koji.gnulab.org@GNULAB.ORG: lets clients use HTTP "I'm not sure"
We can start creating the required principals:
* Run ```kadmin.local``` and then do the following:
```
addprinc host/kojihub@GNULAB.ORG
addprinc HTTP/kojiweb@GNULAB.ORG
addprinc koji/kojiweb@GNULAB.ORG
addprinc koji/kojira@GNULAB.ORG
addprinc HTTP/koji.gnulab.org@GNULAB.ORG
addprinc snagy@GNULAB.ORG
addprinc kojiadmin@GNULAB.ORG
```
- Now we need to create the keytab. The keytab is used for password-less authentication; I also guess that once you have done this you can no longer use the password, but that is fine since most of these are service principals. That is not to say you cannot use multiple keytab files if you need to. Run ```kadmin.local``` and then:
```
ktadd -k /etc/koji.keytab host/kojihub@GNULAB.ORG
ktadd -k /etc/koji.keytab HTTP/kojiweb@GNULAB.ORG
ktadd -k /etc/koji.keytab koji/kojira@GNULAB.ORG
ktadd -k /etc/koji.keytab koji/kojiweb@GNULAB.ORG
ktadd -k /etc/koji.keytab HTTP/koji.gnulab.org@GNULAB.ORG
```
- Verify by running ```klist -k -t /etc/koji.keytab```
- Change the permissions: ```chmod 644 /etc/koji.keytab``` (note that 644 makes the keytab readable by every local user, so only do this where that is acceptable)
```
root# klist -k -t /etc/koji.keytab
Keytab name: FILE:/etc/koji.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/19/2020 15:00:53 koji/kojira@GNULAB.ORG
   2 12/19/2020 15:00:53 koji/kojira@GNULAB.ORG
   2 12/19/2020 15:01:08 koji/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:08 koji/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:14 HTTP/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:14 HTTP/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:20 host/kojihub@GNULAB.ORG
   2 12/19/2020 15:01:20 host/kojihub@GNULAB.ORG
   2 12/19/2020 15:38:52 HTTP/koji.gnulab.org@GNULAB.ORG
   2 12/19/2020 15:38:52 HTTP/koji.gnulab.org@GNULAB.ORG
```
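As an added check (example code of my own, not part of the Koji docs or of this guide's commands), the following POSIX shell script parses ```klist -k -t``` output and reports any principal from the lists above that is missing from a keytab. It runs offline against a copy of the listing shown above; the builder principal is included to show what a miss looks like, since that one belongs in kojid.keytab on the builder rather than in the hub's keytab.

```shell
#!/bin/sh
# Added example: verify a keytab holds every principal a service needs, by
# parsing `klist -k -t <keytab>` output. The principal lists are the ones this
# guide creates; the sample listing is constructed from the guide's own output.

# Principals the guide adds to /etc/koji.keytab on the hub.
HUB_PRINCIPALS="host/kojihub@GNULAB.ORG HTTP/kojiweb@GNULAB.ORG koji/kojira@GNULAB.ORG koji/kojiweb@GNULAB.ORG HTTP/koji.gnulab.org@GNULAB.ORG"
# Principal kojid expects in /etc/kojid/kojid.keytab on the builder.
BUILDER_PRINCIPALS="compile/builder1.gnulab.org@GNULAB.ORG"

# Constructed sample: the hub's `klist -k -t /etc/koji.keytab` listing.
SAMPLE_KLIST='Keytab name: FILE:/etc/koji.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 12/19/2020 15:00:53 koji/kojira@GNULAB.ORG
   2 12/19/2020 15:00:53 koji/kojira@GNULAB.ORG
   2 12/19/2020 15:01:08 koji/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:08 koji/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:14 HTTP/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:14 HTTP/kojiweb@GNULAB.ORG
   2 12/19/2020 15:01:20 host/kojihub@GNULAB.ORG
   2 12/19/2020 15:01:20 host/kojihub@GNULAB.ORG
   2 12/19/2020 15:38:52 HTTP/koji.gnulab.org@GNULAB.ORG
   2 12/19/2020 15:38:52 HTTP/koji.gnulab.org@GNULAB.ORG'

# keytab_principals: read klist output on stdin, print each principal once.
# Entry rows start with a numeric KVNO and end with the principal; a principal
# appears once per encryption type, hence sort -u.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# missing_principals PRINCIPAL...: read klist output on stdin and print every
# listed principal that is absent. Returns 1 if anything is missing, else 0.
missing_principals() {
    present=$(keytab_principals)
    rc=0
    for p in "$@"; do
        if ! printf '%s\n' "$present" | grep -qxF -- "$p"; then
            printf '%s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# On a real host: klist -k -t /etc/koji.keytab | missing_principals $HUB_PRINCIPALS
# Against the constructed sample (word-splitting of the lists is intended):
printf '%s\n' "$SAMPLE_KLIST" | missing_principals $HUB_PRINCIPALS && echo "hub keytab: complete"
printf '%s\n' "$SAMPLE_KLIST" | missing_principals $BUILDER_PRINCIPALS || echo "^ not in the hub keytab, as expected: it belongs in kojid.keytab"
```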
# Setting up the Koji ecosystem
We will start by setting up the database, then Koji-hub, KojiWeb and finally Kojira.
## Database
On the main server koji.gnulab.org, do the following:
* We need to install postgresql: ```dnf install postgresql-server -y```
* Initialise the postgresql database: ```postgresql-setup --initdb --unit postgresql```
* Start the service: ```systemctl enable postgresql --now```
* Add the Koji user:
```
useradd koji
passwd koji
su - postgres
createuser --no-superuser --no-createrole --no-createdb koji
createdb -O koji koji
psql -c "alter user koji with encrypted password 'mysupercomplexpassword';"
```
* Install koji (this provides the schema file): ```dnf install koji -y```
* Load the database schema into postgresql:
```
su - koji
psql koji koji < /usr/share/doc/koji*/docs/schema.sql
```
* Postgresql permissions: since my Koji server sits on the same machine as postgresql, I use socket communication rather than TCP/IP
* Edit **/var/lib/pgsql/data/pg_hba.conf** as follows, "order matters" (postgresql uses the first matching record; with ```trust```, any local process that can open the socket connects to the koji database as the koji role without a password):
```
# "local" is for Unix domain socket connections only
local koji koji trust
local all all peer
```
* Reload postgresql: ```systemctl reload postgresql```
* Create the Koji authentication entry for Kerberos:
```
su - koji
psql <<EOF
with user_id as (
insert into users (name, status, usertype) values ('kojiadmin', 0, 0) returning id
)
insert into user_krb_principals (user_id, krb_principal) values (
(select id from user_id),
'kojiadmin@GNULAB.ORG');
EOF
```
* Then add the permission (perm_id 1) for that user, looking up the id inserted above:
```
su - koji
psql
koji=> select * from users;
koji=> insert into user_perms (user_id, perm_id, creator_id) values ("id of user inserted above", 1, "id of user inserted above");
```
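Back to the "order matters" remark on pg_hba.conf above: postgresql takes the first record that matches the connection type, database and user, so if the ```local all all peer``` line came first, the koji line would never be consulted and the koji role would be required to connect as the OS user koji. The following POSIX shell function (an added example of my own, not from the guide or from postgresql) models that first-match rule for ```local``` records and runs offline against both orderings.

```shell
#!/bin/sh
# Added example: model pg_hba.conf first-match resolution for "local" records
# (type, database, user, method). Simplified on purpose: no host records with
# addresses, no comma lists, no +group / @file syntax; "all" matches anything.

# The guide's ordering: koji over the socket gets "trust" (no password check).
HBA_AS_IN_GUIDE='# "local" is for Unix domain socket connections only
local koji koji trust
local all all peer'

# Reversed ordering: the catch-all "peer" line shadows the koji line.
HBA_REVERSED='local all all peer
local koji koji trust'

# pg_hba_method TYPE DB USER: read pg_hba.conf text on stdin and print the
# auth method of the first matching record, or "no-match" if none matches.
pg_hba_method() {
    awk -v t="$1" -v d="$2" -v u="$3" '
        /^[[:space:]]*#/ || NF < 4 { next }
        $1 == t && ($2 == "all" || $2 == d) && ($3 == "all" || $3 == u) {
            print $4; found = 1; exit
        }
        END { if (!found) print "no-match" }'
}

# Constructed demo: same connection (local socket, database koji, role koji),
# different file orderings.
printf '%s\n' "$HBA_AS_IN_GUIDE" | pg_hba_method local koji koji            # trust
printf '%s\n' "$HBA_REVERSED"    | pg_hba_method local koji koji            # peer
printf '%s\n' "$HBA_AS_IN_GUIDE" | pg_hba_method local postgres postgres    # peer
```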
## /mnt/koji and NFS
- Create the Koji filesystem skeleton
- Set up NFS and Apache:
```
dnf install nfs-utils httpd -y
cd /mnt
mkdir koji
cd koji
mkdir {packages,repos,work,scratch,repos-dist}
chown apache.apache *
```
- Start the service: ```systemctl enable --now nfs-server```
- Edit **/etc/exports** as follows: ```/mnt/koji 10.10.10.3(ro,sync,no_all_squash,root_squash)```
- Export the filesystem: ```exportfs -ra```
- Check the current state: ```exportfs -v```
- On the client (the builder node), install the NFS client packages: ```dnf install nfs-utils nfs4-acl-tools -y```
- Create the local directory: ```mkdir /mnt/koji```
- Mount the NFS share: ```mount -t nfs 10.10.10.2:/mnt/koji /mnt/koji```
## Kojihub
- Install kojihub: ```dnf install koji-hub mod_ssl -y```
- Enable the postgresql sweep function: ```systemctl enable --now koji-sweep-db.timer```
- Enable Kerberos authentication in **/etc/httpd/conf.d/kojihub.conf** by uncommenting the section below, so it looks like this:
```
# uncomment this to enable authentication via GSSAPI
<Location /kojihub/ssllogin>
    AuthType GSSAPI
    AuthName "GSSAPI Single Sign On Login"
    GssapiCredStore keytab:/etc/koji.keytab
    Require valid-user
</Location>
```
- Koji-hub configuration, in **/etc/koji-hub/hub.conf**, as follows:
```
[hub]
DBName = koji
DBUser = koji
KojiDir = /mnt/koji
AuthPrincipal = host/kojihub@GNULAB.ORG
AuthKeytab = /etc/koji.keytab
ProxyPrincipals = koji/kojiweb@GNULAB.ORG
HostPrincipalFormat = compile/%s@GNULAB.ORG
LoginCreatesUser = On
KojiWebURL = https://koji.gnulab.org/koji
NotifyOnSuccess = True
```
- Install the selinux policy utilities: ```dnf install policycoreutils-python-utils -y```
- Let's fix a few selinux issues:
```
setsebool -P allow_httpd_anon_write=1
setsebool -P httpd_can_network_connect 1
setsebool -P httpd_use_nfs=1
semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?"
restorecon -r -v /mnt/koji
```
## Configure koji cli client
* edit **/etc/koji.conf** as follows:
```
[koji]
server = https://koji.gnulab.org/kojihub
weburl = https://koji.gnulab.org/koji
topurl = https://koji.gnulab.org/
topdir = /mnt/koji
authtype = kerberos
krb_rdns = false
plugins = runroot
use_fast_upload = yes
```
* restart httpd: ```systemctl restart httpd```
* Test by running the following on the koji server:
  * ```kinit -p kojiadmin@GNULAB.ORG```
  * ```koji moshimoshi```, which should report: You are using the hub at https://koji.gnulab.org/kojihub, authenticated via GSSAPI
## Kojiweb
* Install kojiweb: ```dnf install koji-web -y```
* Edit **/etc/httpd/conf.d/kojiweb.conf** to allow kerberos:
  * uncomment the block marked "uncomment this to enable authentication via Kerberos"
* Edit the Kojiweb configuration **/etc/kojiweb/web.conf** (Secret should be a random value of your own):
```
KojiHubURL = https://koji.gnulab.org/kojihub
KojiFilesURL = https://koji.gnulab.org/kojifiles
WebPrincipal = koji/kojiweb@GNULAB.ORG
WebKeytab = /etc/koji.keytab
WebCCache = /var/tmp/kojiweb.ccache
KrbService = koji.gnulab.org
KrbServerRealm = GNULAB.ORG
LoginTimeout = 72
Secret = asdasdf12313ewdasfq234f
LibPath = /usr/share/koji-web/lib
LiteralFooter = True
```
* restart apache: ```systemctl reload httpd```
## Setting up the builder / kojid / koji-builder
This configuration goes on the build node(s)
* Install koji-builder: ```dnf install koji-builder -y```
* Edit **/etc/kojid/kojid.conf** as follows:
```
topdir=/mnt/koji
workdir=/tmp/koji
server=https://koji.gnulab.org/kojihub
topurl=https://koji.gnulab.org/kojifiles
; these are used to build packages from git.c.o and Mustafa's git
allowed_scms=git.centos.org:/:off:get_sources.sh gitlab.rockylinux.bycrates.org:/:off:/bin/sh,/usr/bin/srpmproc_wrapper
host_principal_format=compile/%s@GNULAB.ORG
```
On koji main server, run the following commands:
* Add the new builder: ```koji add-host builder1.gnulab.org x86_64```
* Add the createrepo channel: ```koji add-host-to-channel builder1.gnulab.org createrepo```
* I did adjust the capacity since it is a small machine: ```koji edit-host --capacity=8 builder1.gnulab.org```
* Note, by default kojid uses DNS to talk to koji-hub, so you need to have an SRV record in your DNS as follows:
* Kojid looks for **/etc/kojid/kojid.keytab** by default, so you need to create a keytab file with the compile principal as above and place it in the right location on the builder node(s)
On the builder node, restart kojid: ```systemctl enable kojid --now```
## Kojira
* Install koji-utils: ```dnf install koji-utils -y```
* Add kojira user and give it permission for repo
* Edit **/etc/kojira/kojira.conf** as follows:
```
server=https://koji.gnulab.org/kojihub
topdir=/mnt/koji
logfile=/var/log/kojira.log
principal = koji/kojira@GNULAB.ORG
keytab = /etc/koji.keytab
```
* Start Kojira service: ```systemctl enable kojira --now```
# Koji bootstrapping
I went with the external repo method to bootstrap the setup, so I added external repos and created the following tags and targets; this work is based on: https://docs.pagure.org/koji/external_repo_server_bootstrap/
On the main node, run the following:
* Add your final dist tag: ```koji add-tag dist-rocky8```
* Create the build tag:
```koji add-tag --parent dist-rocky8 --arches "x86_64" -x mock.yum.module_hotfixes=1 dist-rocky8-build```
* Add the external repos. I hard coded the ARCH, but you can use \$arch instead of x86_64 in the repo URL:
* I also created a small package for centospkg-minimal and srpmproc and created a local repo, so adding that too:
* Add the targets: ```koji add-target dist-rocky8 dist-rocky8-build dist-rocky8```
* Create the bootstrapping groups for build and srpm-build
* Add the bootstrapping packages:
* Regenerate the repos: ```koji regen-repo dist-rocky8-build```
# Running a test
I ran the following test to build a package from git.centos.org:
```koji add-user snagy```
```koji add-pkg --owner snagy dist-rocky8 python36``` "need to check if this is needed"