On 06/26/2014 03:21 PM, Fabian Arrotin wrote:
On 26/06/14 15:49, Karanbir Singh wrote:
On 06/26/2014 02:13 PM, Fabian Arrotin wrote:
On 26/06/14 14:56, Thomas Oulevey wrote:
Hi All,
The initial idea is to configure Koji and make it available to the community.
Thanks to Karanbir/Fabian we already got the hardware and installation is on going.
But first, we would like to ask for feedback:
1/ PKI setup, a proposal: - koji-web use a certificate signed by an external CA (and obviously trusted) - the rest of the koji architecture (hub and kojid) will use a self-signed CA that we'll use to also generate other certs. The proposal is to gpg encrypt the CA within a non-public GIT repo. Talking with Fabian, he already use this method for other infrastructure project. - the clients (at the beginning git.c.o) will use self-signed CA.
This need to be discussed in the light of future integration of different user facing tools (koji, git, etc...) and if we want to provide koji client accesses, as Fedora project does.
Well, I'll (obviously) agree with what we discussed previously. But just keep in mind that normally we'll not have a bunch of clients cert to generate, because the normal flow will go like this (if i'm not wrong) : SIGs -> git commit & push -> git.c.o -> hooks -> koji So in that case, all builds will be triggered by Git, and so we don't have to generate client certs for people submitting build jobs in the queue .
I agree, but users should still be able to run scratch builds and get their logs and status / tags etc - so we will need some mechanism for those bits to happen, I assumed this would be via the koji clients rather than a web interface?
yes, that's true, so using the certs we'll sign with our "self-signed" CA
could this CA be shared with gitblit as well ? that can do cert based auth too, and afaik, it will handle and external CA
That's also worth noting than when we say "community" that doesn't mean that we open buildservice to the wide world (no OBS here :-) ), just that SIGs will build packages on that Koji setup (in a automated way)
2/ Hostnames to use: - After a round on #centos-devel, cbs.centos.org was the best we can come up with. Comments ? - For the builders machine, we should decide on a decent naming as this info appears in RPM metadata. i.e : builder01.cbs.centos.org, builder02.cbs.centos.org, etc... Do we want to deal with different "architecture family" within the name (e.g ARM) ? i.e : x86-builder01.cbs.centos.org, arm-builder01.cbs.centos.org
Your comments are very welcome!
cheers,
I'm fine with the $arch in the fqdn (for logging purposes) so let's say : builder01-x86.cbs.centos.org ? (or the reverse, as you proposed : $arch-builder${num}.cbs.centos.org
why not drop the word 'builder' completely, x8664-0.cbs.c.o etc
fine for me too .. don't want to start a "pets vs cattle" debate here :-)