Hi all,

just be careful with the self-signed certs to use at least SHA256, not MD5, since openssl in Red Hat 7 does not support MD5 any more.
For example, if you want to run RHEL7/CentOS7 as a koji builder, you will have a problem with MD5 certs.
I had the same problem with an existing koji and RHEL7 builders. :)

Cheers,
Peter Bojtos
ULX Ltd.

----- Original message -----
> From: "Thomas Oulevey" <thomas.oulevey at cern.ch>
> To: centos-devel at centos.org
> Sent: Thursday, June 26, 2014 14:56:52
> Subject: [CentOS-devel] Community build system
>
> Hi All,
>
> The initial idea is to configure Koji and make it available to the
> community.
> Thanks to Karanbir/Fabian we already got the hardware and installation
> is ongoing.
>
> But first, we would like to ask for feedback:
>
> 1/ PKI setup, a proposal:
> - koji-web uses a certificate signed by an external CA (and obviously
> trusted)
> - the rest of the koji architecture (hub and kojid) will use a
> self-signed CA that we'll use to also generate other certs. The
> proposal is to gpg encrypt the CA within a non-public GIT repo.
> Talking with Fabian, he already uses this method for other
> infrastructure projects.
> - the clients (at the beginning git.c.o) will use the self-signed CA.
> This needs to be discussed in the light of future integration of
> different user-facing tools (koji, git, etc...) and if we want to
> provide koji client access, as the Fedora project does.
>
> 2/ Hostnames to use:
> - After a round on #centos-devel, cbs.centos.org was the best we could
> come up with. Comments?
> - For the builder machines, we should decide on a decent naming as
> this info appears in RPM metadata.
> i.e.: builder01.cbs.centos.org, builder02.cbs.centos.org, etc...
> Do we want to deal with different "architecture family" within the
> name (e.g. ARM)?
> i.e.: x86-builder01.cbs.centos.org, arm-builder01.cbs.centos.org
>
> Your comments are very welcome!
>
> cheers,
> --
> Thomas 'alphacc' Oulevey