With the latest urllib3 the CN match is no longer used for hostname
verification and instead the use of subjectAltName is required. With
openssl 3.3.1 this needs to be handled with both an additional
parameter when generating the cert/request and also some new
configuration for the ssl.cnf. It is also necessary to have extensions
copied so the SAN information is preserved down the cert chain.
Signed-off-by: William Douglas <william.douglas@intel.com>
Koji's koji-hub entrypoint has changed so update the deployment
script to reflect the new entrypoint.
Signed-off-by: William Douglas <william.douglas@intel.com>
In koji 1.21.0, kojira began logging a deprecation warning for this
option, but it appears to have never had a functional use in the
codebase. Avoid the deprecation warning by removing the option from the
default config.
Signed-off-by: Patrick McCarty <patrick.mccarty@intel.com>
This option was officially deprecated in koji 1.22.0 and removed in koji
1.24.0. It was internally deprecated a while before 1.22.0, and I've
confirmed that removing the config for koji 1.21.2 -- the current
version in Clear -- is a no-op.
(Note that removing the 'ca' option from the client config is optional,
since unknown options in that config appear to be ignored. But for
completeness, I removed it there as well.)
Signed-off-by: Patrick McCarty <patrick.mccarty@intel.com>
This is a documentation package and is not critical enough to be a part
of every build root.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
Want to enable spinning up a development environment quickly.
Increasing the countryName_max SSL configuration did not allow a country
name of 'Example Country Code' to be used when generating a certificate.
Prefer to revert back to the original value for countryName_max and
supply shorter parameters for certificate generation.
Change challengePassword_max to be consistent with the other limits.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
The rpm package is now autospec'd, which brings with it some name
changes. Removing rpm-build and adding rpm, also adding file,
elfutils, and cpio to both build groups.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
Supply more reasonable maximum boundaries for country code and challenge
password length. This allows users to get going without modifying any
values from parameter.sh for SSL certificate generation.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
Be more descriptive around the assumptions made, which environments are
unsupported, and what the user needs to do to get going.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
When importing RPMs into koji, the RPMs may first be hardlinked to
reduce disk IO. Then, multiple RPMs may be imported at once with a
single command, rather than calling out to the same command multiple
times. Finally, RPMs may be tagged in parallel. These three things
combined significantly decrease the time required to import RPMs into
koji.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
Because the mash script will always need to run on the kojimaster
server, it has local access to RPMs. Rather than copying the data,
create a symlink to the data. This reduces disk usage and allows the
mash hosting location to be flexible.
Because the mash is re-generated every time kojira runs and creates a
new koji repository, by nature, the mash is an iterative process.
Existing repository metadata is always available (except for the first
run). Pass this existing metadata to createrepo_c so that it may more
efficiently diff and recalculate the updated metadata in order to reduce
CPU and disk usage.
By reducing disk and CPU usage, this reduces the impact of running this
process on a kojimaster which is a shared system responsible for hosting
many resources.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
The mash tool is no longer used, and this directory is no longer needed.
It was only used by this tool.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
swupd should only be run during setup when on an officially released
version of Clear that has an update stream. Development versions are
usually indicated when the VERSION_ID is equal to 1 and do not have an
update stream. In these cases, the assumption is that all required
software is already installed prior to setup.
However, add checks for only the most critical dependencies before
continuing with the setup so that it is more obvious to the user that these
are missing when they are.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
mod_wsgi is built and loaded with python3 by default. No longer provide
a configuration to load the python2 equivalent, since it is also no
longer included in the koji bundle.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
The mash utility has not been ported to python3. There is also no
comparable replacement utility of a similar scope that can do a similar
job. There is the pungi utility, which is the replacement for mash.
However, pungi is Fedora's build process encapsulated into a single tool
and is doing too much for simply creating repos for distribution.
To avoid this complexity, koji does have a dist-repo subcommand.
However, this takes too long to execute at around 15 minutes on powerful
hardware.
In lieu of not wanting to maintain mash any further, write a small bash
script that performs the same function using artifacts for koji on the
disk.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
Only install nfs-utils bundle. This package was previously broken and
relied on a dependency in storage-utils, but this has since been fixed.
Add no_root_squash option for exporting an NFS mount to increase the read
performance.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
Koji will not work well if network and time
are not configured properly. All basic
configurations need to be performed on the host
first prior to attempting to install and
configure koji.
Do not bother using DNF to get the NVR of packages. Call out to RPM
directly instead.
More completely parameterize script to allow for sourcing of variables
from parameters.sh sometime in the future.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
When koji builder and koji master are hosted on different machines, NFS
mounting is needed to connect the services. Make this process more
smooth to minimize manual editing of files. Namely, change the top
directory that koji looks at. If on the master, this is on the local
file system. If on the builder not on the master, this is also on the
local file system, but is backed by an NFS mount in a different location.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
A deployment of a "koji" server consists of additional services that
support development beyond koji itself. These include
git/cgit/gitolite, a mash containing the current snapshot of the
packages in koji, and an upstreams package sources cache.
Because these are required for integration with a DevOps workflow, they
are not included by default in the ansible playbook.
OpenSSL complains if the RANDFILE does not exist when it is generating
certificates. Create an initial seed for this file from urandom.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>
kojid will not be able to merge repos and mock will not be able to build
a chroot in an environment where proxy variables are used unless they
are defined in configuration files.
Signed-off-by: George T Kramer <george.t.kramer@intel.com>