
Overview

This how-to is still under development and is based on https://pagure.io/fm-orchestrator

The setup is as follows:
* We are currently testing mbs 2.32
* CentOS-8 is installed
* The firewall allows the hosts to talk to each other
* A public network is used for access; a private network carries the koji, psql and Kerberos traffic between hosts
* The host mbs.gnulab.org / 10.10.10.4 runs mbs and fedmsg
* SSL for the web-facing services is set up with Let's Encrypt, and a directory service is in place; you will need to sort that part out yourself

Installing mbs and fedmsg

!!! This guide is for testing only !!!
* We currently install from source with pip, but the latest version is available at https://copr.fedorainfracloud.org/coprs/nalika/rockylinux-tools/packages/
* Enable the current temporary rockylinux-tools repository by running
    dnf copr enable nalika/rockylinux-tools
* Install the required packages:
    dnf install epel-release -y && dnf install fedmsg python3-gssapi git httpd mod_ssl python3-mod_wsgi python3-solv python3-pungi python3-psycopg2 mod_auth_gssapi -y

git clone https://pagure.io/fm-orchestrator.git
cd fm-orchestrator
git checkout v2.32.0
pip3 install .

Starting fedmsg

We need fedmsg-hub and fedmsg-relay up and running, "as far as I know", but I disabled incoming messages from Fedora and message signing
* Edit /etc/fedmsg.d/endpoints.py and comment out "tcp://hub.fedoraproject.org:9940"
* Edit /etc/fedmsg.d/module_build_service.py as follows, "leaving everything else as is"

            # "tcp://stg.fedoraproject.org:9940"
        ]
    },
    # Start of code signing configuration
    'sign_messages': False,
    'validate_signatures': False,
* Edit /etc/fedmsg.d/ssl.py and make sure validate_signatures is set to False
config = dict(
    sign_messages=False,
    validate_signatures=False,
* Edit /etc/fedmsg.d/base.py and set topic_prefix="org.gnulab" and environment="prod"
* Start the fedmsg-hub and fedmsg-relay services
systemctl enable fedmsg-hub --now
systemctl enable fedmsg-relay --now

mbs-frontend configuration for Apache

  • Create a new file /etc/httpd/conf.d/mbs.conf with the following content
    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName mbs.gnulab.org
        WSGIDaemonProcess mbs user=mbs group=mbs threads=5
        WSGIScriptAlias / /etc/module-build-service/mbs.wsgi
        WSGIPassAuthorization on
        <Directory /etc/module-build-service>
            WSGIProcessGroup mbs
            WSGIApplicationGroup %{GLOBAL}
            Require all granted
        </Directory>
        <Location />
            AuthType GSSAPI
            AuthName "GSSAPI Single Sign On Login"
            GssapiCredStore keytab:/etc/koji.keytab
            Require valid-user
        </Location>

        SSLCertificateFile /etc/letsencrypt/live/mbs.gnulab.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mbs.gnulab.org/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>
    
  • Create the wsgi file /etc/module-build-service/mbs.wsgi as follows
    import logging
    logging.basicConfig(level=logging.DEBUG)
    from module_build_service import app as application
    

Kerberos setup

  • Make sure /etc/krb5.conf has the correct realm and settings, as shown below
    # To opt out of the system crypto-policies configuration of krb5, remove the
    # symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
    includedir /etc/krb5.conf.d/
    
    [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
        spake_preauth_groups = edwards25519
        default_realm = GNULAB.ORG
        default_ccache_name = KEYRING:persistent:%{uid}
    
    [realms]
     GNULAB.ORG = {
         kdc = koji.gnulab.org
         admin_server = koji.gnulab.org
     }
    
    [domain_realm]
     .gnulab.org = GNULAB.ORG
     gnulab.org = GNULAB.ORG
    

General setup for mbs

  • Create the mbs user and set a password for it, as follows
    useradd mbs
    passwd mbs
    
  • Fix the ownership of /etc/module-build-service/ so it belongs to mbs:
    chown -R mbs:mbs /etc/module-build-service/

PostgreSQL configuration

I am using the same database server as koji, which is hosted on koji.gnulab.org
* Create the required access by editing /var/lib/pgsql/data/pg_hba.conf as follows

# IPv4 local connections:
host    mbs             mbs             10.10.10.4/32           md5
host    all             all             127.0.0.1/32            ident
* Edit /var/lib/pgsql/data/postgresql.conf so PostgreSQL listens on the network:
    listen_addresses = 'localhost,10.10.10.2'
* Create the mbs pgsql user and database
createuser --no-superuser --no-createrole --no-createdb mbs
createdb -O mbs mbs
psql  -c "alter user mbs with encrypted password 'mysupersecretepasswordmbs';"
* Restart pgsql:
    systemctl restart postgresql

mbs configuration

  • Edit /etc/module-build-service/koji.conf as follows
    [koji]
    
    ;configuration for koji cli tool
    
    ;url of XMLRPC server
    server = https://koji.gnulab.org/kojihub
    
    ;url of web interface
    weburl = https://koji.gnulab.org/koji
    
    ;url of package download site
    topurl = https://koji.gnulab.org/
    authtype = kerberos
    krb_rdns = false
    use_fast_upload = true
    
    [staging]
    server = https://koji.gnulab.org/kojihub
    weburl = https://koji.gnulab.org/koji
    topurl = https://koji.gnulab.org/
    authtype = kerberos
    krb_rdns = false
    use_fast_upload = true
    
  • Edit /etc/module-build-service/config.py as follows
    # -*- coding: utf-8 -*-
    # SPDX-License-Identifier: MIT
    from os import environ, path
    
    # FIXME: workaround for this moment till confdir, dbdir (installdir etc.) are
    # declared properly somewhere/somehow
    confdir = path.abspath(path.dirname(__file__))
    # use parent dir as dbdir else fallback to current dir
    dbdir = path.abspath(path.join(confdir, "..")) if confdir.endswith("conf") else confdir
    
    
    class ProdConfiguration(object):
        DEBUG = True
        # Make this random (used to generate session keys)
        SECRET_KEY = "74d9e9f9cd40e66fc6c4c2e9987dce48df3ce98542529126"
        #SQLALCHEMY_DATABASE_URI = "sqlite:///{0}".format(path.join(dbdir, "module_build_service.db"))
        SQLALCHEMY_DATABASE_URI = 'postgresql://mbs:mysupersecretepasswordmbs@koji.gnulab.org/mbs'
        SQLALCHEMY_TRACK_MODIFICATIONS = True
        # Where we should run when running "manage.py run" directly.
        HOST = "0.0.0.0"
        PORT = 5000
    
        # Global network-related values, in seconds
        NET_TIMEOUT = 120
        NET_RETRY_INTERVAL = 30
    
        #DISTGITS = {"git+https://git.centos.org": ("git clone {repo_path}", "get_sources.sh")}
        SYSTEM = "koji"
        MESSAGING = "fedmsg"  # or amq
        MESSAGING_TOPIC_PREFIX = ["org.gnulab.prod"]
        KOJI_CONFIG = "/etc/module-build-service/koji.conf"
        KOJI_PROFILE = "koji"
        ARCHES = ["x86_64"]
        ALLOW_ARCH_OVERRIDE = False
        KOJI_REPOSITORY_URL = "https://koji.gnulab.org/kojifiles/repos"
        KOJI_TAG_PREFIXES = ["module", "scrmod"]
        KOJI_ENABLE_CONTENT_GENERATOR = True
        CHECK_FOR_EOL = False
        PDC_URL = "https://pdc.fedoraproject.org/rest_api/v1"
        PDC_INSECURE = False
        PDC_DEVELOP = True
        SCMURLS = ["git+https://git.centos.org/", "https://git.centos.org/"]
        YAML_SUBMIT_ALLOWED = False
    
        # How often should we resort to polling, in seconds
        # Set to zero to disable polling
        POLLING_INTERVAL = 600
    
        # Determines how many builds that can be submitted to the builder
        # and be in the build state at a time. Set this to 0 for no restrictions
        NUM_CONCURRENT_BUILDS = 5
    
        ALLOW_CUSTOM_SCMURLS = False
    
        RPMS_DEFAULT_REPOSITORY = "git+https://git.centos.org/rpms/"
        RPMS_ALLOW_REPOSITORY = False
        #RPMS_DEFAULT_CACHE = "http://pkgs.fedoraproject.org/repo/pkgs/"
        RPMS_ALLOW_CACHE = False
    
        MODULES_DEFAULT_REPOSITORY = "git+https://git.centos.org/modules/"
        MODULES_ALLOW_REPOSITORY = False
        MODULES_ALLOW_SCRATCH = True
        ALLOW_ONLY_COMPATIBLE_BASE_MODULES = True
    
    
        ALLOWED_GROUPS_TO_IMPORT_MODULE = set()
    
        # Available backends are: console and file
        LOG_BACKEND = "file"
    
        # Path to log file when LOG_BACKEND is set to "file".
        LOG_FILE = "/tmp/module_build_service.log"
    
        # Available log levels are: debug, info, warn, error.
        LOG_LEVEL = "debug"
    
        # Allow stream override
        ALLOW_STREAM_OVERRIDE_FROM_SCM = True
    
        # Settings for Kerberos
        KRB_KEYTAB = "/etc/mbs.keytab"
        KRB_PRINCIPAL = "mbs@GNULAB.ORG"
    
        # AMQ prefixed variables are required only while using 'amq' as messaging backend
        # Addresses to listen to
        AMQ_RECV_ADDRESSES = [
            "amqps://messaging.mydomain.com/Consumer.m8y.VirtualTopic.eng.koji",
            "amqps://messaging.mydomain.com/Consumer.m8y.VirtualTopic.eng.module_build_service",
        ]
        # Address for sending messages
        AMQ_DEST_ADDRESS = \
            "amqps://messaging.mydomain.com/Consumer.m8y.VirtualTopic.eng.module_build_service"
        AMQ_CERT_FILE = "/etc/module_build_service/msg-m8y-client.crt"
        AMQ_PRIVATE_KEY_FILE = "/etc/module_build_service/msg-m8y-client.key"
        AMQ_TRUSTED_CERT_FILE = "/etc/module_build_service/Root-CA.crt"
    
        # Disable Client Authorization
        NO_AUTH = False
        AUTH_METHOD = "kerberos"
        LDAP_URI = "ldap://koji.gnulab.org"
        LDAP_GROUPS_DN = "ou=group,dc=gnulab,dc=org"
        ADMIN_GROUPS = {"packageradmin"}
        ALLOWED_GROUPS = {"packager"}
        KOJI_CG_DEVEL_MODULE = True
        KOJI_PROXYUSER = True
        REBUILD_STRATEGY = 'only-changed'
        REBUILD_STRATEGY_ALLOW_OVERRIDE = True
        KOJI_CG_BUILD_TAG_TEMPLATE = "{}-modular-updates-candidate"
        KOJI_CG_DEFAULT_BUILD_TAG = "modular-updates-candidate"
        # Extra options set for newly created Koji tags
        KOJI_TAG_EXTRA_OPTS = {
            "mock.package_manager": "dnf",
            # This is needed to include all the Koji builds (and therefore
            # all the packages) from all inherited tags into this tag.
            # See https://pagure.io/koji/issue/588 and
            # https://pagure.io/fm-orchestrator/issue/660 for background.
            "repo_include_all": True,
            # Has been requested by Fedora infra in
            # https://pagure.io/fedora-infrastructure/issue/7620.
            # Disables systemd-nspawn for chroot.
            "mock.new_chroot": 0,
            # Works around fail-safe mechanism added in DNF 4.2.7
            # https://pagure.io/fedora-infrastructure/issue/8410
            "mock.yum.module_hotfixes": 1,
        }
        # DEFAULT_DIST_TAG_PREFIX = 'module_'
    
  • Create the log file /tmp/module_build_service.log and set the correct permissions
    touch /tmp/module_build_service.log
    chown mbs:fedmsg /tmp/module_build_service.log
    chmod 664 /tmp/module_build_service.log
    
  • Restart the services
    systemctl restart fedmsg-hub
    systemctl restart fedmsg-relay
    systemctl restart httpd
    
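An added example, not part of this guide or of MBS itself: a small audit of the ProdConfiguration values shown above, flagging settings that are fine for a test setup but should not reach production (debug mode, the sample SECRET_KEY, the database password in the URI, a log file under /tmp, and the authorization and SCM policy switches). The class in the block is a constructed copy of only the settings the audit reads.

```python
import re
import secrets

# Constructed copy of the settings from the config.py above that the audit looks at.
class ProdConfiguration(object):
    DEBUG = True
    SECRET_KEY = "74d9e9f9cd40e66fc6c4c2e9987dce48df3ce98542529126"
    SQLALCHEMY_DATABASE_URI = "postgresql://mbs:mysupersecretepasswordmbs@koji.gnulab.org/mbs"
    LOG_FILE = "/tmp/module_build_service.log"
    NO_AUTH = False
    AUTH_METHOD = "kerberos"
    YAML_SUBMIT_ALLOWED = False
    ALLOW_CUSTOM_SCMURLS = False

# The SECRET_KEY literal from the sample config; any deployment still using it shares it.
SAMPLE_SECRET_KEY = "74d9e9f9cd40e66fc6c4c2e9987dce48df3ce98542529126"

def audit_config(cfg):
    """Return a list of (setting, problem) tuples; an empty list means no findings."""
    findings = []
    if getattr(cfg, "DEBUG", False):
        findings.append(("DEBUG", "Flask debug mode is on; set DEBUG = False in production"))
    key = getattr(cfg, "SECRET_KEY", "")
    if key == SAMPLE_SECRET_KEY or len(key) < 32:
        findings.append(("SECRET_KEY", "sample or short key; replace with new_secret_key()"))
    uri = getattr(cfg, "SQLALCHEMY_DATABASE_URI", "")
    if re.match(r"^\w+://[^:/@]+:[^@]+@", uri):
        findings.append(("SQLALCHEMY_DATABASE_URI",
                         "database password embedded in URI; keep config.py readable by mbs only"))
    if getattr(cfg, "LOG_FILE", "").startswith("/tmp/"):
        findings.append(("LOG_FILE", "log file in world-writable /tmp; move it under /var/log"))
    if getattr(cfg, "NO_AUTH", False):
        findings.append(("NO_AUTH", "client authorization disabled"))
    if getattr(cfg, "AUTH_METHOD", "") != "kerberos":
        findings.append(("AUTH_METHOD", "expected kerberos to match the Apache GSSAPI front end"))
    if getattr(cfg, "YAML_SUBMIT_ALLOWED", False) or getattr(cfg, "ALLOW_CUSTOM_SCMURLS", False):
        findings.append(("SCM policy", "arbitrary modulemd YAML or SCM URLs may be submitted"))
    return findings

def new_secret_key():
    """Replacement for SECRET_KEY: 48 hex characters from the OS CSPRNG."""
    return secrets.token_hex(24)

if __name__ == "__main__":
    for setting, problem in audit_config(ProdConfiguration):
        print(f"{setting}: {problem}")
```

Run against the values from this guide it reports four findings; a copy with DEBUG off, a fresh key, no password in the URI and a log under /var/log reports none.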

Testing the Module Build Service

We will need to create some tags for this to work, so on the koji admin machine run the following commands:
* Create the tags

koji add-tag module-centos-8.2.0-build
koji add-tag module-centos-8.3.0-build
* Add the external repositories for the build tags
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-baseos-external http://mirror.centos.org/centos-8/8.3.2011/BaseOS/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-appstream-external http://mirror.centos.org/centos-8/8.3.2011/AppStream/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-devel-external http://mirror.centos.org/centos-8/8.3.2011/Devel/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-ha-external http://mirror.centos.org/centos-8/8.3.2011/HighAvailability/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-pt-external http://mirror.centos.org/centos-8/8.3.2011/PowerTools/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-cp-external http://mirror.centos.org/centos-8/8.3.2011/centosplus/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-cr-external http://mirror.centos.org/centos-8/8.3.2011/cr/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-extras-external http://mirror.centos.org/centos-8/8.3.2011/extras/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-fasttrack-external http://mirror.centos.org/centos-8/8.3.2011/fasttrack/\$arch/os
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-debuginfo-external http://debuginfo.centos.org/8/\$arch/
koji add-external-repo -m bare -t module-centos-8.2.0-build module-cent-8.2-sheriflocalrepo-external https://koji.gnulab.org/localrepo/\$arch/
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-baseos-external http://mirror.centos.org/centos-8/8.3.2011/BaseOS/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-appstream-external http://mirror.centos.org/centos-8/8.3.2011/AppStream/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-devel-external http://mirror.centos.org/centos-8/8.3.2011/Devel/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-ha-external http://mirror.centos.org/centos-8/8.3.2011/HighAvailability/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-pt-external http://mirror.centos.org/centos-8/8.3.2011/PowerTools/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-cp-external http://mirror.centos.org/centos-8/8.3.2011/centosplus/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-cr-external http://mirror.centos.org/centos-8/8.3.2011/cr/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-extras-external http://mirror.centos.org/centos-8/8.3.2011/extras/\$arch/os/
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-fasttrack-external http://mirror.centos.org/centos-8/8.3.2011/fasttrack/\$arch/os
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-debuginfo-external http://debuginfo.centos.org/8/\$arch/
koji add-external-repo -m bare -t module-centos-8.3.0-build module-cent-8.3-sheriflocalrepo-external https://koji.gnulab.org/localrepo/\$arch/
* Add the mbs user
koji add-user mbs
* Fix koji's content generator: on the Koji server, run the following commands
koji call addBType module
koji grant-cg-access mbs module-build-service --new

Now, on the mbs server, we need to do the following:
* Upgrade the mbs database:
    mbs-manager db upgrade
* Download the platform module:
    git clone https://git.centos.org/modules/platform
* Switch to the required branch and import it

git branch -a
git checkout c8-stream-el8.2.0
mbs-manager import_module platform.yaml
git checkout c8-stream-el8.3.0
mbs-manager import_module platform.yaml
* Create the module build JSON file, e.g. **redis.json**
    {
      "scmurl": "https://git.centos.org/modules/redis.git?#f042b198bcbc0fe410be219f27cd041deea7bcc3",
      "branch": "c8-stream-5"
    }
* Obtain your Kerberos ticket
    kinit snagy
* Submit the job
    curl -X POST -H "Content-Type: application/json" -u : --negotiate -d @redis.json https://mbs.gnulab.org/module-build-service/1/module-builds/
* Check the task on koji