Koji RPM Build System Installation Part 2

So in Part 1 we started with setting up the SSL certificates. Now we are going deeper.

Database Setup

Start with installing postgresql and setting up Koji users and schema.

yum install postgresql-server koji
service postgresql initdb
service postgresql start
useradd koji;passwd -d koji
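# su -c runs each command as that account instead of opening an interactive shell
su - postgres -c "createuser koji"
su - postgres -c "createdb -O koji koji"
su - koji -c "psql koji koji < /usr/share/doc/koji*/docs/schema.sql"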

Edit /var/lib/pgsql/data/pg_hba.conf and add users

# "local" is for Unix domain socket connections only
local koji apache trust
local koji koji trust
local all all ident
# IPv4 local connections:
host koji koji 127.0.0.1/32 trust
host all all 127.0.0.1/32 ident
# IPv6 local connections:
host all all ::1/128 ident

In /var/lib/pgsql/data/postgresql.conf set

listen_addresses = '*'

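and then run service postgresql restart. With the pg_hba.conf above, only Unix-socket and loopback connections match a rule, so listening on all addresses only matters once you add host entries for a hub running on another machine.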

Now we need to add the initial admin user to the DB:

su - koji;
psql
insert into users (name, status, usertype) values ('kojiadmin', 0, 0);
insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);

That's it for the database. Now over to…

Koji-Hub

yum install koji-hub httpd mod_ssl mod_python
setsebool -P httpd_can_network_connect_db 1

In /etc/httpd/conf/httpd.conf, change every MaxRequestsPerChild directive to “MaxRequestsPerChild 100”.

Now it's time for some more SSL certificates. Make sure the CN matches your FQDN. If everything runs on the same server, it's the same FQDN, obviously.

cd /etc/pki/koji
./certgen.sh kojiweb # OU=kojiweb,CN=koji.example.com -> the FQDN of your kojiweb server
./certgen.sh kojihub # OU=kojihub,CN=koji.example.com -> the FQDN of your kojihub server

In /etc/koji-hub/hub.conf set

DBName = koji
DBUser = koji
DBHost = 127.0.0.1
#DBPass = example_password
KojiDir = /mnt/koji
......
DNUsernameComponent = CN
ProxyDNs = /C=DE/ST=Bavaria/O=Foobar/OU=kojiweb/CN=koji.example.com
......
LoginCreatesUser = On
KojiWebURL = http://koji.example.com/koji

Pay attention here: The ProxyDNs needs to absolutely fit what you entered in the Kojiweb certificate. If you additionally supplied emailAddress for example, you will also have to add that to the Proxy line.

Now in /etc/httpd/conf.d/kojihub.conf you have to uncomment the entire block of <Location /kojihub/ssllogin>

Then in /etc/httpd/conf.d/ssl.conf set:

SSLCertificateFile /etc/pki/koji/certs/kojihub.crt
SSLCertificateKeyFile /etc/pki/koji/certs/kojihub.key
SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt
SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt
SSLVerifyClient require
SSLVerifyDepth 10

Preparing the filesystem

In the Koji-Hub config we set KojiDir, but we still need to create that directory. If for some reason you want to use a different directory, you still have to symlink /mnt/koji to your other location. This is a bug.
You could also mount an NFS share at /mnt/koji.

cd /mnt
mkdir koji
cd koji
mkdir {packages,repos,work,scratch}
chown apache:apache *
service httpd restart

Koji CLI

The system-wide koji client configuration file is /etc/koji.conf, and the user-specific one is in ~/.koji/config. You may also use the “-c” option when using the Koji client to specify an alternative configuration file.
Note that the URLs can differ if you are running the components on different systems.

So set /etc/koji.conf to

[koji]

;configuration for koji cli tool

;url of XMLRPC server
server = http://koji.example.com/kojihub

;url of web interface
weburl = http://koji.example.com/koji

;url of package download site
topurl = http://koji.example.com/kojifiles

;path to the koji top directory
topdir = /mnt/koji

;configuration for SSL authentication

;client certificate
cert = ~/.koji/client.crt

;certificate of the CA that issued the client certificate
ca = ~/.koji/clientca.crt

;certificate of the CA that issued the HTTP server certificate
serverca = ~/.koji/serverca.crt

Now everything is set up for rudimentary operation. Test it with

su kojiadmin;
koji call getLoggedInUser

You should then get a) no error and b) see a blob of yourself being logged in:

{'id': 1,
'krb_principal': None,
'name': 'kojiadmin',
'status': 0,
'usertype': 0}

That's it for now. If you don't have it working so far, double-check your certificates in /etc/pki/koji/index.txt and verify the ProxyDNs setting.

In the next article we will be setting up Koji-Web, Kojid (the Builder) and Kojira. Stay tuned.
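
The ProxyDNs check from the hub.conf section and the troubleshooting hint above, as an added shell example that is not part of the original article: it prints a certificate subject in the slash-separated form hub.conf uses and compares it with the configured ProxyDNs. The function names and the kojiweb.crt path are assumptions, and the demo input is constructed.

```shell
#!/bin/sh
# Added example, not from the original article; function names are made up here.

# Drop the "subject=" label and stray whitespace from openssl's output.
normalize_subject() {
    sed -e 's/^subject=[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Read a certificate's subject in the /C=../CN=.. form that hub.conf uses.
# "-nameopt compat" selects OpenSSL's old slash-separated one-line format.
cert_subject() {
    openssl x509 -noout -subject -nameopt compat -in "$1" | normalize_subject
}

# Print the value of the first active (uncommented) ProxyDNs line.
hub_proxy_dn() {
    sed -n 's/^[[:space:]]*ProxyDNs[[:space:]]*=[[:space:]]*//p' "$1" |
        sed -e 's/[[:space:]]*$//' | head -n 1
}

# Exit status 0 only when subject ($1) and ProxyDNs in file ($2) are identical.
proxy_dn_matches() {
    configured=$(hub_proxy_dn "$2")
    if [ "$1" = "$configured" ]; then
        echo "OK: ProxyDNs matches the certificate subject"
        return 0
    fi
    echo "MISMATCH"
    echo "  certificate: $1"
    echo "  hub.conf:    $configured"
    return 1
}

# Constructed demo: a hub.conf fragment with the article's ProxyDNs, checked
# against a subject that carries an additional emailAddress field.
demo_conf=$(mktemp)
printf '%s\n' 'DNUsernameComponent = CN' \
    'ProxyDNs = /C=DE/ST=Bavaria/O=Foobar/OU=kojiweb/CN=koji.example.com' > "$demo_conf"
demo_subject=$(echo 'subject= /C=DE/ST=Bavaria/O=Foobar/OU=kojiweb/CN=koji.example.com/emailAddress=admin@example.com' |
    normalize_subject)
proxy_dn_matches "$demo_subject" "$demo_conf" ||
    echo "-> ProxyDNs must also contain the emailAddress part"
rm -f "$demo_conf"

# On the hub (certificate path assumed to follow the kojihub.crt pattern):
#   proxy_dn_matches "$(cert_subject /etc/pki/koji/certs/kojiweb.crt)" /etc/koji-hub/hub.conf
```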

    • Jeremy Hansen
    • November 8th, 2015 10:54pm

    I’m having an issue generating the certs for kojiweb and kojihub:

    Sign the certificate? [y/n]:y
    failed to update database
    TXT_DB error number 2

    I understand the error is due to using the same commonName I already used when generating the kojiadmin user, but I’m not exactly sure how to work around this. Everything is running on a single host.

      • phil
      • November 19th, 2015 2:41pm

      I didn't work with Koji for quite a while and I also can't recall seeing that error so I won't be able to help you :/

    • Ath Kebei
    • July 3rd, 2017 10:51pm

    Hi ya Phil,
    Worked well and all certs came out great. Trying to use just SSL authentication.

    But when I try to login as kojiadmin I get an sslverify failed error.
    [root@koji~]# su kojiadmin
    [kojiadmin@koji root]$ koji call getLoggedInUser
    SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579

    Little clarification, which proxydns has to be used?
    kojiadmin certificate or kojiweb ProxyDNs. in /etc/koji-hub/hub.conf? I tried both and none is working

      • phil
      • July 4th, 2017 10:36am

      Hi, it's been a long time since I worked with Koji, so I quote what I wrote back then:
      “The ProxyDNs needs to absolutely fit what you entered in the Kojiweb certificate. If you additionally supplied emailAddress for example, you will also have to add that to the Proxy line.”
      So it's the kojiweb certificate's DN.
