[CentOS-devel] Community build system

Thu Jun 26 14:57:20 UTC 2014
Karanbir Singh <mail-lists at karan.org>

On 06/26/2014 03:21 PM, Fabian Arrotin wrote:
> On 26/06/14 15:49, Karanbir Singh wrote:
>> On 06/26/2014 02:13 PM, Fabian Arrotin wrote:
>>> On 26/06/14 14:56, Thomas Oulevey wrote:
>>>> Hi All,
>>>
>>>> The initial idea is to configure Koji and make it available to the 
>>>> community.
>>>
>>>> Thanks to Karanbir/Fabian we already got the hardware and
>>>> installation is on going.
>>>
>>>> But first, we would like to ask for feedback:
>>>
>>>> 1/ PKI setup, a proposal:
>>>> - koji-web uses a certificate signed by an external CA (and obviously
>>>>   trusted)
>>>> - the rest of the koji architecture (hub and kojid) will use a
>>>>   self-signed CA that we'll also use to generate other certs. The
>>>>   proposal is to gpg encrypt the CA within a non-public GIT repo.
>>>>   Talking with Fabian, he already uses this method for other
>>>>   infrastructure projects.
>>>> - the clients (at the beginning git.c.o) will use the self-signed CA.
>>>
>>>> This needs to be discussed in the light of future integration of
>>>> different user-facing tools (koji, git, etc...) and whether we want to
>>>> provide koji client access, as the Fedora project does.
>>>
>>> Well, I'll (obviously) agree with what we discussed previously. But
>>> just keep in mind that normally we'll not have a bunch of client certs
>>> to generate, because the normal flow will go like this (if I'm not
>>> wrong):
>>> SIGs -> git commit & push -> git.c.o -> hooks -> koji
>>> So in that case, all builds will be triggered by Git, and so we don't
>>> have to generate client certs for people submitting build jobs in the
>>> queue.
>>
>> I agree, but users should still be able to run scratch builds and get
>> their logs and status / tags etc - so we will need some mechanism for
>> those bits to happen, I assumed this would be via the koji clients
>> rather than a web interface?
> 
> yes, that's true, so using the certs we'll sign with our "self-signed" CA

could this CA be shared with gitblit as well? that can do cert-based
auth too, and afaik it will handle an external CA

> 
>>
>>> It's also worth noting that when we say "community" that doesn't
>>> mean that we open the build service to the wide world (no OBS here :-) ),
>>> just that SIGs will build packages on that Koji setup (in an automated way)
>>>
>>>
>>>> 2/ Hostnames to use:
>>>> - After a round on #centos-devel, cbs.centos.org was the best we
>>>>   could come up with. Comments?
>>>> - For the builder machines, we should decide on a decent naming as
>>>>   this info appears in RPM metadata, i.e.: builder01.cbs.centos.org,
>>>>   builder02.cbs.centos.org, etc... Do we want to deal with different
>>>>   "architecture families" within the name (e.g. ARM)? i.e.:
>>>>   x86-builder01.cbs.centos.org, arm-builder01.cbs.centos.org
>>>
>>>> Your comments are very welcome!
>>>
>>>> cheers,
>>>
>>> I'm fine with the $arch in the fqdn (for logging purposes), so let's say:
>>> builder01-x86.cbs.centos.org? (or the reverse, as you proposed:
>>> $arch-builder${num}.cbs.centos.org)
>>
>> why not drop the word 'builder' completely, x8664-0.cbs.c.o etc
>>
> 
> fine for me too .. don't want to start a "pets vs cattle" debate here :-)
-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc