Koji RPM Build System Installation Part 1

Introduction

So you decided to also take a shot at Koji, congrats. You won’t regret it.

At first, its helpful to understand the inner architecture of Koji for knowing when to look in which config files:

koji architecture

Koji architecture


First of all there is the Koji-Hub, which acts as a broker service between the DB, Filesystem and all other parts that are talking to the Hub rather than directly to the DB or Filesystem.

Then you have Kojira, which is a service that keeps your repos clean and updated. Think of it as a janitor. You wont see it, but you need it.

You will have at least one Kojid. Its the builder service that actually does all the work, like rpm building.

Koji-Web is the Webinterface to Koji and looks like this http://koji.fedoraproject.org/koji/ . You cant control everything thru the web-interface. You could also run Koji entirely without it.

Koji-Client is a CLI tool to fully control Koji. Even when you run the web-interface, you will need the client from time to time for various reasons.

All those parts, including the DB and the NFS, can be run separately on different servers. It all interoperates with SSL certificates or Kerberos. However we will go and install everything on one main machine, where worker/builder machines can be added to.

Lets get started

Certificates

We will be using SSL certificates throughout, whos using Kerberos anyway? So start with setting up the Koji Root CA:

Create /etc/pki/koji/ssl.cnf and modify the req_distinguished_name to fit you

HOME = .
RANDFILE = .rand

[ca]
default_ca = ca_default

[ca_default]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/%s_ca_cert.pem
private_key = $dir/private/%s_ca_key.pem
serial = $dir/serial
crl = $dir/crl.pem
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_match

[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
string_mask = MASK:0x2002

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = DE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Bavaria
localityName = Locality Name (eg, city)
localityName_default = Munich
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Foobar Ltd.
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = YOUR_KOJI_HOSTNAME
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[req_attributes]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[usr_cert]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

then do..

cd /etc/pki/koji/
mkdir {certs,private,config}
touch index.txt
echo 01 > serial
openssl genrsa -out private/koji_ca_cert.key 2048
openssl req -config ssl.cnf -new -x509 -days 3650 -key private/koji_ca_cert.key -out koji_ca_cert.crt -extensions v3_ca

Then create the file /etc/pki/koji/certgen.sh which will ease the next steps, and we are lazy:

#!/bin/bash
#if you change your certificate authority name to something else you will need to change the caname value to reflect the change.
caname=koji

# user is equal to parameter one or the first argument when you actually run the script
user=$1

openssl genrsa -out certs/${user}.key 2048
cat ssl.cnf | sed 's/YOUR_KOJI_HOSTNAME/'${user}'/'> ssl2.cnf
openssl req -config ssl2.cnf -new -nodes -out certs/${user}.csr -key certs/${user}.key
openssl ca -config ssl2.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt -out certs/${user}.crt -outdir certs -infiles certs/${user}.csr
cat certs/${user}.crt certs/${user}.key > ${user}.pem
mv ssl2.cnf config/${user}-ssl.cnf

Kojiadmin shell user

This is the system user that you need to “su” to when using the Koji-Client, so do

# for SSL OU/CN use "kojiadmin" , if you change the name, change it everywhere in the following steps.
./certgen.sh kojiadmin
useradd kojiadmin
su kojiadmin
mkdir /home/kojiadmin/.koji
cp /etc/pki/koji/kojiadmin.pem ~/.koji/client.crt
cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/clientca.crt
cp /etc/pki/koji/koji_ca_cert.crt ~/.koji/serverca.crt
ln -s /etc/koji.conf ~/.koji/config

Pay attention to the CommonName (CN) you specify in the certificates as this is used as login/authentication name throughout Koji!

That was it for starters, read on in the next part how to setup the Postgres DB, Koji-Web, Koji-Hub…

    • John Florian
    • October 2nd, 2013 8:47pm

    According to your diagram at the top of Part 1, only the Koji-Hub connects to the database. You state that you’re installing all components on one server, so why is editing /var/lib/pgsql/data/postgresql.conf to set listen_addresses = ‘*’ necessary?

      • phil
      • October 5th, 2013 12:46pm

      Hi John,
      you are right. Setting listen_addresses = ‘*’ is obsolete if you run it on a single host. In fact as long as Koji-Hub and the DB are on the same host you dont need it. No matter where the rest runs.

  1. In script “/etc/pki/koji/certgen.sh” , the command seems not do anything because in ssl.cnf has not “insert_hostname” word.

    cat ssl.cnf | sed ‘s/insert_hostname/’${user}’/’> ssl2.cnf

    why you use “sed ‘s/insert_hostname/’${user}’/'” ?

      • phil
      • January 15th, 2014 11:42pm

      Ah that was a bit irritating, thanks for the feedback. The sed should contain the same value you used for commonName in [req_distinguished_name] section. For the hosts, its the hostname, for users its usernames. Its the only thing that changes in the ssl.cnf

      I updated the post to be more precise.

  2. for epel7 and Fedora 21, on ssl.cnf, you need change default_md to

    default_md = sha256

    https://lists.fedoraproject.org/pipermail/buildsys/2014-August/004359.html

      • jefby
      • May 21st, 2015 2:35pm

      bingo! Thanks very much

  1. March 8th, 2013
  2. March 13th, 2013