On Mon, Aug 10, 2015 at 4:49 PM, Howard Johnson merlin@mwob.org.uk wrote:
On 10/08/2015 21:18, Karanbir Singh wrote:
ok, so we need to nfs share /mnt/koji amongst all the builders, regardless of arch or target; apart from this - are there any other challenges? how did fedora run the shadow builders back in the day of secondary arches - is that still a thing?
PPC64(le), s390(x) and aarch64 are all Fedora secondary architectures. Each one has its own Koji environment, separate from the primary env in the Fedora infrastructure. Koji-shadow works by pulling build information down via the Koji hub web server, not using a shared NFS mount. As each shadow koji manages its own build yum repos, access to the primary koji's NFS mount isn't needed. My recollection is that the original Fedora ARM Koji setup (when armv7hl was a secondary arch) was hosted at Seneca in Toronto.
So, if you want to use the Fedora model, all primary arch builders need access to a common NFS mount. Any secondary arches don't.
Please tell me it's at least an NFSv4 share and mount, with Kerberized authentication? I've had some difficulty explaining to some of my colleagues for the last 20 years that NFS shares present some real security issues without tight user and environmental control. If I find one more set of Subversion or passphrase-free SSH or LDAP credentials in a plain-text, shared home directory I'm going to... well, get paid for cleaning up the mess. But it wastes time cleaning up security as an afterthought.