On 26/06/14 14:56, Thomas Oulevey wrote:
Hi All,
The initial idea is to configure Koji and make it available to the community.
Thanks to Karanbir/Fabian we already got the hardware and installation is ongoing.
But first, we would like to ask for feedback:
1/ PKI setup, a proposal:
- koji-web uses a certificate signed by an external CA (and obviously trusted)
- the rest of the koji architecture (hub and kojid) will use a self-signed CA that we'll use to also generate other certs. The proposal is to gpg encrypt the CA within a non-public GIT repo. Talking with Fabian, he already uses this method for other infrastructure projects.
- the clients (at the beginning git.c.o) will use the self-signed CA.
This needs to be discussed in the light of future integration of different user-facing tools (koji, git, etc...) and if we want to provide koji client access, as the Fedora project does.
Well, I'll (obviously) agree with what we discussed previously. But just keep in mind that normally we'll not have a bunch of client certs to generate, because the normal flow will go like this (if I'm not wrong):
SIGs -> git commit & push -> git.c.o -> hooks -> koji
So in that case, all builds will be triggered by Git, and so we don't have to generate client certs for people submitting build jobs in the queue.
It's also worth noting that when we say "community" that doesn't mean that we open the buildservice to the wide world (no OBS here :-) ), just that SIGs will build packages on that Koji setup (in an automated way).
2/ Hostnames to use:
- After a round on #centos-devel, cbs.centos.org was the best we can come up with. Comments?
- For the builder machines, we should decide on a decent naming as this info appears in RPM metadata, i.e.: builder01.cbs.centos.org, builder02.cbs.centos.org, etc... Do we want to deal with different "architecture family" within the name (e.g. ARM)? i.e.: x86-builder01.cbs.centos.org, arm-builder01.cbs.centos.org
Your comments are very welcome!
cheers,
I'm fine with the $arch in the fqdn (for logging purposes), so let's say: builder01-x86.cbs.centos.org? (or the reverse, as you proposed: $arch-builder${num}.cbs.centos.org)
Cheers,
--
Fabian Arrotin
gpg key: 56BEC54E | twitter: @arrfab