[CentOS-devel] Adding geo distributed builder hardware for cbs.centos.org

Nico Kadel-Garcia

nkadel at gmail.com
Tue Aug 11 01:28:50 UTC 2015


On Mon, Aug 10, 2015 at 4:49 PM, Howard Johnson <merlin at mwob.org.uk> wrote:
>
> On 10/08/2015 21:18, Karanbir Singh wrote:
>>
>> ok, so we need to nfs share /mnt/koji amongst all the builders, regardless
>> of arch or target; apart from this - are there any other challenges ? how
>> did Fedora run the shadow builders back in the day of secondary arches - is
>> that still a thing ?
>
>
> PPC64(le), s390(x) and aarch64 are all Fedora secondary architectures.  Each
> one has its own Koji environment, separate from the primary env in the
> Fedora infrastructure.  Koji-shadow works by pulling build information down
> via the Koji hub web server, not using a shared NFS mount.  As each shadow
> koji manages its own build yum repos, access to the primary koji's NFS mount
> isn't needed.  My recollection is that the original Fedora ARM Koji setup
> (when armv7hl was a secondary arch) was hosted at Seneca in Toronto.
>
> So, if you want to use the Fedora model, all primary arch builders need
> access to a common NFS mount.  Any secondary arches don't.

Please tell me it's at least an NFSv4 share and mount, with Kerberized
authentication? I've had some difficulty explaining to some of my
colleagues for the last 20 years that NFS shares present some real
security issues without tight user and environmental control. If I
find one more set of Subversion or passphrase-free SSH or LDAP
credentials in a plain-text, shared home directory I'm going to... well,
get paid for cleaning up the mess. But it wastes time cleaning up
security as an afterthought.
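
The question above (is the shared /mnt/koji export NFSv4 with Kerberos, or plain AUTH_SYS?) can be checked mechanically on the NFS server. The following is an added example, not part of the original message or of the CentOS or Koji tooling: a small audit of /etc/exports-style text that flags exports usable without a Kerberos security flavor. It assumes the simple `path client(options)` form of exports(5); the host names, networks and extra paths in the sample are constructed.

```python
import re

KRB_FLAVORS = {"krb5", "krb5i", "krb5p"}

# Constructed sample in exports(5) syntax; hosts and networks are made up.
SAMPLE_EXPORTS = """\
# shared koji volume for the primary-arch builders
/mnt/koji  builder1.example.org(rw,sync,no_root_squash)  *(ro)
/mnt/koji2 10.0.0.0/24(rw,sync,sec=krb5p:sys)
/srv/safe  builder2.example.org(rw,sync,sec=krb5p)
"""

# client name, optionally followed by a parenthesised option list
CLIENT_RE = re.compile(r"^([^()\s]+)(?:\(([^()]*)\))?$")

def audit_exports(text):
    """Return (path, client, problem) tuples for weakly protected exports."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                findings.append((path, spec, "unparsed client spec"))
                continue
            client, opts = m.group(1), (m.group(2) or "").split(",")
            secs = [o[4:] for o in opts if o.startswith("sec=")]
            # With no sec= option the export falls back to AUTH_SYS (sec=sys),
            # where the server trusts the uid/gid the client sends.
            flavors = ":".join(secs).split(":") if secs else ["sys"]
            weak = [f for f in flavors if f not in KRB_FLAVORS]
            if weak:
                findings.append((path, client, "allows sec=" + ":".join(weak)))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash"))
            if client == "*":
                findings.append((path, client, "exported to any host"))
    return findings

if __name__ == "__main__":
    for path, client, problem in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} {client}: {problem}")
```

An export that lists `sys` next to a Kerberos flavor is still flagged, because a client can choose the weaker flavor.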


