Koji RPM Build System Installation Part 2

In Part 1 we started by setting up the SSL certificates. Now we go deeper.

Database Setup

Start with installing postgresql and setting up Koji users and schema.

yum install postgresql-server koji
service postgresql initdb
service postgresql start
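# system account that owns the Koji database
useradd koji; passwd -d koji
# create the database role and the database as the postgres superuser
su - postgres -c "createuser koji"
su - postgres -c "createdb -O koji koji"
# load the Koji schema as the koji user
su - koji -c "psql koji koji < /usr/share/doc/koji*/docs/schema.sql"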

Edit /var/lib/pgsql/data/pg_hba.conf and add users

# "local" is for Unix domain socket connections only
local koji apache trust
local koji koji trust
local all all ident
# IPv4 local connections:
host koji koji trust
host all all ident
# IPv6 local connections:
host all all ::1/128 ident

In /var/lib/pgsql/data/postgresql.conf set

listen_addresses = '*'

and then service postgresql restart

Now we need to add the initial admin user to the DB:

su - koji
psql koji koji
insert into users (name, status, usertype) values ('kojiadmin', 0, 0);
insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);

That's it for the database. Now over to…


yum install koji-hub httpd mod_ssl mod_python
setsebool -P httpd_can_network_connect_db 1

In /etc/httpd/conf/httpd.conf, change every MaxRequestsPerChild directive so that it reads “MaxRequestsPerChild 100”.

Now it's time for some more SSL certificates. Make sure the CN matches your FQDN. If everything runs on the same server, it is the same FQDN.

cd /etc/pki/koji
./certgen.sh kojiweb # OU=kojiweb,CN=koji.example.com -> the FQDN of your kojiweb server
./certgen.sh kojihub # OU=kojihub,CN=koji.example.com -> the FQDN of your kojihub server

In /etc/koji-hub/hub.conf set

DBName = koji
DBUser = koji
DBHost =
#DBPass = example_password
KojiDir = /mnt/koji
DNUsernameComponent = CN
ProxyDNs = /C=DE/ST=Bavaria/O=Foobar/OU=kojiweb/CN=koji.example.com
LoginCreatesUser = On
KojiWebURL = http://koji.example.com/koji

Pay attention here: the ProxyDNs value must exactly match the subject you entered in the kojiweb certificate. If you additionally supplied an emailAddress, for example, you also have to add it to the ProxyDNs line.
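The exact-match requirement above can be checked before restarting httpd. The following is an added example, not part of the original article or of Koji itself: the function names are hypothetical, the kojiweb.crt path is assumed by analogy with the kojihub.crt path used in this article, and splitting ProxyDNs on "|" is an assumption about how multiple entries are written.

```shell
#!/bin/sh
# Added example: verify that a certificate subject DN appears verbatim
# in the ProxyDNs setting of hub.conf.

# Print a certificate's subject in the slash-separated form used in hub.conf.
# "-nameopt compat" selects that legacy one-line format on current OpenSSL.
cert_subject_dn() {
    openssl x509 -noout -subject -nameopt compat -in "$1" |
        sed -e 's/^subject= *//'
}

# Print the ProxyDNs entries of a hub.conf, one per line, whitespace trimmed.
# Assumption: multiple DNs are separated by "|".
proxy_dns() {
    sed -n 's/^[[:space:]]*ProxyDNs[[:space:]]*=[[:space:]]*//p' "$1" |
        tr '|' '\n' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Return 0 only if the DN ($1) equals one ProxyDNs entry in hub.conf ($2).
# grep -F -x: fixed string, whole-line match, so an extra or missing
# component such as /emailAddress=... counts as a mismatch.
dn_is_proxy() {
    proxy_dns "$2" | grep -Fxq -- "$1"
}

# Report the result and, on mismatch, print both sides for comparison.
check_proxy_dn() {
    dn=$1
    conf=$2
    if dn_is_proxy "$dn" "$conf"; then
        echo "OK: $dn is listed in ProxyDNs"
    else
        echo "MISMATCH: certificate subject is not in ProxyDNs" >&2
        echo "  certificate: $dn" >&2
        proxy_dns "$conf" | sed 's/^/  hub.conf:    /' >&2
        return 1
    fi
}

# Usage on the hub host (certificate path is an assumption, see above):
#   check_proxy_dn "$(cert_subject_dn /etc/pki/koji/certs/kojiweb.crt)" \
#       /etc/koji-hub/hub.conf
```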

Now in /etc/httpd/conf.d/kojihub.conf you have to uncomment the entire block of <Location /kojihub/ssllogin>

Then in /etc/httpd/conf.d/ssl.conf set:

SSLCertificateFile /etc/pki/koji/certs/kojihub.crt
SSLCertificateKeyFile /etc/pki/koji/certs/kojihub.key
SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt
SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt
SSLVerifyClient require
SSLVerifyDepth 10

Preparing the filesystem

In the Koji-Hub config we set KojiDir, but we still need to create that directory. If for some reason you want to use a different directory, you still have to symlink /mnt/koji to your other location. This is a bug.
You could also mount an NFS share at /mnt/koji.

cd /mnt
mkdir koji
cd koji
mkdir {packages,repos,work,scratch}
chown apache:apache *
service httpd restart

Koji CLI

The system-wide koji client configuration file is /etc/koji.conf, and the user-specific one is in ~/.koji/config. You may also use the “-c” option when using the Koji client to specify an alternative configuration file.
Note that the URLs can differ if you are running the components on different systems.

So set /etc/koji.conf to


[koji]

;configuration for koji cli tool

;url of XMLRPC server
server = http://koji.example.com/kojihub

;url of web interface
weburl = http://koji.example.com/koji

;url of package download site
topurl = http://koji.example.com/kojifiles

;path to the koji top directory
topdir = /mnt/koji

;configuration for SSL authentication

;client certificate
cert = ~/.koji/client.crt

;certificate of the CA that issued the client certificate
ca = ~/.koji/clientca.crt

;certificate of the CA that issued the HTTP server certificate
serverca = ~/.koji/serverca.crt

Now everything is set up for rudimentary operation. Test it with

su kojiadmin;
koji call getLoggedInUser

You should then a) get no error and b) see a blob describing yourself as the logged-in user:

{'id': 1,
'krb_principal': None,
'name': 'kojiadmin',
'status': 0,
'usertype': 0}

That's it for now. If you don't have it working so far, double-check your certificates in /etc/pki/koji/index.txt and verify the ProxyDNs setting.

In the next article we will be setting up Koji-Web, Kojid (the Builder) and Kojira. Stay tuned.

    • Jeremy Hansen
    • November 8th, 2015 10:54pm

    I’m having an issue generating the certs for kojiweb and kojihub:

    Sign the certificate? [y/n]:y
    failed to update database
    TXT_DB error number 2

    I understand the error is due to using the same commonName I already used when generating the kojiadmin user, but I’m not exactly sure how to work around this. Everything is running on a single host.

      • phil
      • November 19th, 2015 2:41pm

      I didn't work with Koji for quite a while and I also can't recall seeing that error so I won't be able to help you :/
