Hi all,
Just be careful with the self-signed certs to use at least SHA256, not MD5, since openssl in Red Hat 7 does not support MD5 any more. For example, if you want to run RHEL7/CentOS7 as a koji builder, you will have a problem with MD5 certs. I had the same problem with an existing koji and RHEL7 builders. :)
Cheers,
Peter Bojtos
ULX Ltd.
----- Original message -----
From: "Thomas Oulevey" thomas.oulevey@cern.ch
To: centos-devel@centos.org
Sent: Thursday, June 26, 2014 14:56:52
Subject: [CentOS-devel] Community build system
Hi All,
The initial idea is to configure Koji and make it available to the community.
Thanks to Karanbir/Fabian we already got the hardware and installation is ongoing.
But first, we would like to ask for feedback:
1/ PKI setup, a proposal:
- koji-web uses a certificate signed by an external CA (and obviously trusted)
- the rest of the koji architecture (hub and kojid) will use a self-signed CA that we'll use to also generate other certs. The proposal is to gpg encrypt the CA within a non-public GIT repo. Talking with Fabian, he already uses this method for other infrastructure projects.
- the clients (at the beginning git.c.o) will use self-signed CA.
This needs to be discussed in the light of future integration of different user-facing tools (koji, git, etc.) and if we want to provide koji client access, as the Fedora project does.
2/ Hostnames to use:
- After a round on #centos-devel, cbs.centos.org was the best we can come up with. Comments?
- For the builders machine, we should decide on a decent naming as this info appears in RPM metadata. i.e.: builder01.cbs.centos.org, builder02.cbs.centos.org, etc. Do we want to deal with different "architecture family" within the name (e.g. ARM)? i.e.: x86-builder01.cbs.centos.org, arm-builder01.cbs.centos.org
Your comments are very welcome!
cheers,
Thomas 'alphacc' Oulevey
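
The digest advice in the reply at the top of this thread, as an added example that is not part of the original messages or of the koji/CentOS tooling: create a self-signed CA signed with SHA-256 and audit a directory of certificates for digests below SHA256. The function names, the directory layout and the CN are assumptions; treating SHA-1 as weak follows from reading "at least SHA256" literally.

```shell
#!/bin/sh
# Added example: SHA-256 self-signed CA plus an audit for weak signature digests.

# Print the signature algorithm of a PEM certificate, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# Return 0 if the algorithm name meets the "at least SHA256" rule, 1 otherwise.
sig_alg_ok() {
    case "$1" in
        ""|md[245]*|sha1*|dsaWithSHA1*|ecdsa-with-SHA1) return 1 ;;
        *) return 0 ;;
    esac
}

# Create a self-signed CA certificate signed with SHA-256.
# $1 = output directory, $2 = subject CN (both chosen by the caller).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=$2" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Audit every *.crt in a directory: one line per cert, return 1 if any is weak.
audit_certs() {
    rc=0
    for crt in "$1"/*.crt; do
        [ -f "$crt" ] || continue
        alg=$(cert_sig_alg "$crt")
        if sig_alg_ok "$alg"; then
            echo "OK   $crt $alg"
        else
            echo "WEAK $crt $alg"
            rc=1
        fi
    done
    return $rc
}

# Demo in a scratch directory (the CN is a made-up value).
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_ca "$demo_dir" "Example Koji CA" && audit_certs "$demo_dir"
    rm -rf "$demo_dir"
fi
```

Running `audit_certs` against the directory holding an existing koji CA and its issued certs before adding RHEL7/CentOS7 builders shows which ones need to be reissued.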