[CentOS-devel] Community build system
Fabian Arrotin
fabian.arrotin at arrfab.net
Thu Jun 26 13:13:38 UTC 2014
On 26/06/14 14:56, Thomas Oulevey wrote:
> Hi All,
>
> The initial idea is to configure Koji and make it available to the
> community.
>
> Thanks to Karanbir/Fabian we already got the hardware and
> installation is ongoing.
>
> But first, we would like to ask for feedback:
>
> 1/ PKI setup, a proposal:
> - koji-web uses a certificate signed by an external CA (and
>   obviously trusted)
> - the rest of the koji architecture (hub and kojid) will use a
>   self-signed CA that we'll use to also generate other certs. The
>   proposal is to gpg encrypt the CA within a non-public GIT repo.
>   Talking with Fabian, he already uses this method for other
>   infrastructure projects.
> - the clients (at the beginning git.c.o) will use self-signed CA.
>
> This needs to be discussed in the light of future integration of
> different user facing tools (koji, git, etc...) and if we want to
> provide koji client accesses, as Fedora project does.
Well, I'll (obviously) agree with what we discussed previously. But
just keep in mind that normally we'll not have a bunch of client certs
to generate, because the normal flow will go like this (if I'm not
wrong):
SIGs -> git commit & push -> git.c.o -> hooks -> koji
So in that case, all builds will be triggered by Git, and so we don't
have to generate client certs for people submitting build jobs in the
queue.
It's also worth noting that when we say "community", that doesn't
mean that we open the buildservice to the wide world (no OBS here :-) ),
just that SIGs will build packages on that Koji setup (in an automated way).
>
> 2/ Hostnames to use:
> - After a round on #centos-devel, cbs.centos.org was the best we
>   can come up with. Comments?
> - For the builder machines, we should decide on a decent naming as
>   this info appears in RPM metadata, i.e.: builder01.cbs.centos.org,
>   builder02.cbs.centos.org, etc... Do we want to deal with different
>   "architecture family" within the name (e.g. ARM)? i.e.:
>   x86-builder01.cbs.centos.org, arm-builder01.cbs.centos.org
>
> Your comments are very welcome!
>
> cheers,
I'm fine with the $arch in the fqdn (for logging purposes), so let's say:
builder01-x86.cbs.centos.org? (or the reverse, as you proposed:
$arch-builder${num}.cbs.centos.org)
Cheers,
--
Fabian Arrotin
gpg key: 56BEC54E | twitter: @arrfab