[CentOS-devel] Community build system

Thu Jun 26 13:49:52 UTC 2014
Karanbir Singh <mail-lists at karan.org>

On 06/26/2014 02:13 PM, Fabian Arrotin wrote:
> On 26/06/14 14:56, Thomas Oulevey wrote:
>> Hi All,
> 
>> The initial idea is to configure Koji and make it available to the 
>> community.
> 
>> Thanks to Karanbir/Fabian we already got the hardware and
>> installation is ongoing.
> 
>> But first, we would like to ask for feedback:
> 
>> 1/ PKI setup, a proposal:
>> - koji-web uses a certificate signed by an external CA (and
>>   obviously trusted)
>> - the rest of the koji architecture (hub and kojid) will use a
>>   self-signed CA that we'll also use to generate other certs. The
>>   proposal is to gpg encrypt the CA within a non-public GIT repo.
>>   Talking with Fabian, he already uses this method for other
>>   infrastructure projects.
>> - the clients (at the beginning git.c.o) will use the self-signed CA.
> 
>> This needs to be discussed in the light of future integration of 
>> different user facing tools (koji, git, etc...) and if we want to 
>> provide koji client access, as the Fedora project does.
> 
> Well, I'll (obviously) agree with what we discussed previously. But
> just keep in mind that normally we'll not have a bunch of client certs
> to generate, because the normal flow will go like this (if I'm not
> wrong):
> SIGs -> git commit & push -> git.c.o -> hooks -> koji
> So in that case, all builds will be triggered by Git, and so we don't
> have to generate client certs for people submitting build jobs in the
> queue.

I agree, but users should still be able to run scratch builds and get
their logs and status / tags etc - so we will need some mechanism for
those bits to happen, I assumed this would be via the koji clients
rather than a web interface?

> It's also worth noting that when we say "community" that doesn't
> mean that we open the build service to the wide world (no OBS here :-) ),
> just that SIGs will build packages on that Koji setup (in an automated way).
> 
> 
>> 2/ Hostnames to use:
>> - After a round on #centos-devel, cbs.centos.org was the best we
>>   could come up with. Comments?
>> - For the builder machines, we should decide on a decent naming as
>>   this info appears in RPM metadata, i.e.: builder01.cbs.centos.org,
>>   builder02.cbs.centos.org, etc... Do we want to deal with different
>>   "architecture families" within the name (e.g. ARM)? i.e.:
>>   x86-builder01.cbs.centos.org, arm-builder01.cbs.centos.org
> 
>> Your comments are very welcome!
> 
>> cheers,
> 
> I'm fine with the $arch in the fqdn (for logging purposes), so let's say:
> builder01-x86.cbs.centos.org? (or the reverse, as you proposed:
> $arch-builder${num}.cbs.centos.org)

Why not drop the word 'builder' completely, x8664-0.cbs.c.o etc.?

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
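
The PKI split proposed in the quoted message (an internal self-signed CA for hub and kojid, with the CA kept GPG-encrypted in a private repo), sketched as an added example that is not part of the original thread or of the CentOS infrastructure. The CA name, directory layout, key sizes, lifetimes and the GPG recipient argument are assumptions; the builder hostname is the one floated in the thread.

```sh
# Added example: names, paths and lifetimes are constructed for illustration.
set -eu

# new_ca DIR NAME: self-signed CA for the internal (hub/kojid) side only.
new_ca() {
    mkdir -p "$1"
    cat > "$1/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = $2
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    ( umask 077   # private keys are created owner-readable only
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -config "$1/ca.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null )
}

# issue_cert DIR FQDN: key + cert for one host, signed by the CA in DIR.
issue_cert() {
    printf 'subjectAltName = DNS:%s\n' "$2" > "$1/$2.ext"
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
          -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null )
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/$2.ext" \
        -out "$1/$2.crt" 2>/dev/null
}

# trusted_by DIR CERT: succeeds only if CERT chains to the CA in DIR.
trusted_by() { openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; }

# seal_ca_key DIR RECIPIENT: leave only a GPG-encrypted CA key on disk.
# RECIPIENT must be a trusted public key already in the local keyring.
seal_ca_key() {
    gpg --batch --yes --encrypt --recipient "$2" \
        --output "$1/ca.key.gpg" "$1/ca.key" && rm -f "$1/ca.key"
}

if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    new_ca "$d/cbs" "CBS internal CA (constructed)"
    issue_cert "$d/cbs" builder01.cbs.centos.org
    trusted_by "$d/cbs" "$d/cbs/builder01.cbs.centos.org.crt" && echo accepted
fi
```

After `seal_ca_key`, only `ca.crt` and `ca.key.gpg` would go into the non-public repo; issuing further certs means decrypting the key first.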