Koji RPM Build System Installation Part 2
In Part 1 we started with setting up the SSL certificates. Now we are going deeper.
Database Setup
Start with installing postgresql and setting up Koji users and schema.
service postgresql initdb
service postgresql start
useradd koji; passwd -d koji
su - postgres -c 'createuser koji; createdb -O koji koji'
su - koji -c 'psql koji koji < /usr/share/doc/koji*/docs/schema.sql'
Edit /var/lib/pgsql/data/pg_hba.conf and add the users (note that trust lets any local process connect as that database user without a password, so keep it limited to the koji and apache users):
local koji apache trust
local koji koji trust
local all all ident
# IPv4 local connections:
host koji koji 127.0.0.1/32 trust
host all all 127.0.0.1/32 ident
# IPv6 local connections:
host all all ::1/128 ident
In /var/lib/pgsql/data/postgresql.conf set
and then service postgresql restart
Now we need to add the initial admin user to the DB:
psql
insert into users (name, status, usertype) values ('kojiadmin', 0, 0);
insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);
That's it for the database. Now over to…
Koji-Hub
setsebool -P httpd_can_network_connect_db 1
In /etc/httpd/conf/httpd.conf edit and change all occurrences of “MaxRequestsPerChild 100”
Now it's time for some more SSL certificates. Make sure the CN matches your FQDN. If everything runs on the same server, it is obviously the same FQDN.
./certgen.sh kojiweb # OU=kojiweb,CN=koji.example.com -> the FQDN of your kojiweb server
./certgen.sh kojihub # OU=kojihub,CN=koji.example.com -> the FQDN of your kojihub server
In /etc/koji-hub/hub.conf set
DBUser = koji
DBHost = 127.0.0.1
#DBPass = example_password
KojiDir = /mnt/koji
......
DNUsernameComponent = CN
ProxyDNs = /C=DE/ST=Bavaria/O=Foobar/OU=kojiweb/CN=koji.example.com
......
LoginCreatesUser = On
KojiWebURL = http://koji.example.com/koji
Pay attention here: the ProxyDNs value must match exactly the DN you entered in the kojiweb certificate, because the hub compares the client certificate's subject DN string against this list to decide whether kojiweb may authenticate on behalf of other users. If you additionally supplied an emailAddress, for example, you also have to add that to the ProxyDNs line.
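The exact-match requirement is easy to get wrong, so here is an added check (example code, not from the original post) that converts the output of `openssl x509 -noout -subject` on the kojiweb certificate into the slash form hub.conf uses and compares it with ProxyDNs. It assumes hub.conf carries the usual [hub] section header and that several ProxyDNs entries are separated by '|'; the sample inputs are constructed.

```python
# Added example, not code from the original post: check that the ProxyDNs line in
# /etc/koji-hub/hub.conf matches the subject DN of the kojiweb certificate exactly.
import configparser
import re

def openssl_subject_to_legacy_dn(subject_line):
    """Turn `openssl x509 -noout -subject` output into the /C=.../CN=... form hub.conf
    expects; accepts the old "subject= /C=DE/..." and new "subject=C = DE, ..." styles."""
    s = subject_line.strip()
    if s.startswith("subject="):
        s = s[len("subject="):].strip()
    if s.startswith("/"):
        return s
    parts = []
    for rdn in re.split(r"(?<!\\), ", s):  # split on ", " unless escaped with a backslash
        m = re.match(r"\s*([^=]+?)\s*=\s*(.*?)\s*$", rdn)
        if not m:
            raise ValueError("unparseable RDN: %r" % rdn)
        parts.append("/%s=%s" % (m.group(1), m.group(2)))
    return "".join(parts)

def proxy_dns_from_hub_conf(text):
    """Read ProxyDNs from hub.conf (assumes the usual [hub] section and '|' between entries)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get("hub", "ProxyDNs", fallback="")
    return [d.strip() for d in raw.split("|") if d.strip()]

def check_proxy_dn(subject_line, hub_conf_text):
    """Return (ok, cert_dn, missing): missing lists certificate RDNs found in no ProxyDNs
    entry, e.g. an emailAddress that was put in the cert but not in hub.conf."""
    cert_dn = openssl_subject_to_legacy_dn(subject_line)
    allowed = proxy_dns_from_hub_conf(hub_conf_text)
    if cert_dn in allowed:  # the hub compares the whole DN string, so it must match exactly
        return True, cert_dn, []
    cert_rdns = [c for c in cert_dn.split("/") if c]
    missing = [c for c in cert_rdns if not any(c in a.split("/") for a in allowed)]
    return False, cert_dn, missing

# Constructed sample data mirroring the hub.conf and certificate DN used in this post.
HUB_CONF = "[hub]\nProxyDNs = /C=DE/ST=Bavaria/O=Foobar/OU=kojiweb/CN=koji.example.com\n"
SUBJECT_OK = "subject=C = DE, ST = Bavaria, O = Foobar, OU = kojiweb, CN = koji.example.com"
SUBJECT_WITH_EMAIL = SUBJECT_OK + ", emailAddress = admin@example.com"

if __name__ == "__main__":
    for subj in (SUBJECT_OK, SUBJECT_WITH_EMAIL):
        ok, dn, missing = check_proxy_dn(subj, HUB_CONF)
        print("OK  " if ok else "FAIL", dn, missing)
```

On a real host, feed it the subject line printed by openssl for the kojiweb certificate (assumed to live in /etc/pki/koji/certs/kojiweb.crt) and the contents of /etc/koji-hub/hub.conf.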
Now in /etc/httpd/conf.d/kojihub.conf you have to uncomment the entire block of <Location /kojihub/ssllogin>
Then in /etc/httpd/conf.d/ssl.conf set:
SSLCertificateKeyFile /etc/pki/koji/certs/kojihub.key
SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt
SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt
SSLVerifyClient require
SSLVerifyDepth 10
Preparing the filesystem
In the Koji-Hub config we set KojiDir, but the directory still needs to be created. If for some reason you want to use a different directory, you still have to symlink /mnt/koji to that other location; this is a bug.
You could also mount an NFS share on /mnt/koji.
mkdir /mnt/koji
cd /mnt/koji
mkdir {packages,repos,work,scratch}
chown apache:apache *
service httpd restart
Koji CLI
The system-wide koji client configuration file is /etc/koji.conf, and the user-specific one is in ~/.koji/config. You may also use the “-c” option when using the Koji client to specify an alternative configuration file.
Note that the URLs can differ if you are running the components on different systems.
So set /etc/koji.conf to
;configuration for koji cli tool
;url of XMLRPC server
server = http://koji.example.com/kojihub
;url of web interface
weburl = http://koji.example.com/koji
;url of package download site
topurl = http://koji.example.com/kojifiles
;path to the koji top directory
topdir = /mnt/koji
;configuration for SSL authentication
;client certificate
cert = ~/.koji/client.crt
;certificate of the CA that issued the client certificate
ca = ~/.koji/clientca.crt
;certificate of the CA that issued the HTTP server certificate
serverca = ~/.koji/serverca.crt
Now everything is set up for rudimentary operation. Test it with
koji call getLoggedInUser
You should then get (a) no error and (b) a blob showing that you are logged in:
'krb_principal': None,
'name': 'kojiadmin',
'status': 0,
'usertype': 0}
That's it for now. If it is not working yet, double-check your certificates in /etc/pki/koji/index.txt and verify the ProxyDNs setting.
In the next article we will be setting up Koji-Web, Kojid (the Builder) and Kojira. Stay tuned.
I’m having an issue generating the certs for kojiweb and kojihub:
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
I understand the error is due to using the same commonName I already used when generating the kojiadmin user, but I’m not exactly sure how to work around this. Everything is running on a single host.
I didn't work with Koji for quite a while and I also can't recall seeing that error, so I won't be able to help you :/
Hi ya Phil,
Worked well and all certs came out great. Trying to use just SSL authentication.
But when I try to login as kojiadmin I get an sslverify failed error.
[root@koji~]# su kojiadmin
[kojiadmin@koji root]$ koji call getLoggedInUser
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579
Little clarification, which ProxyDNs has to be used in /etc/koji-hub/hub.conf? The kojiadmin certificate or the kojiweb one? I tried both and neither is working.
Hi, it's been a long time since I worked with Koji, so I quote what I wrote back then:
“The ProxyDNs needs to absolutely fit what you entered in the Kojiweb certificate. If you additionally supplied emailAddress for example, you will also have to add that to the Proxy line.”
So it's the kojiweb certificate's DN.
Hello, I guess I get an error, I do not know how to solve it, could you help me?
[kojiadmin@localhost ~]$ koji add-user l
SSLError: [SSL] PEM lib (_ssl.c:2578)
Hi there! I got an error when calling getLoggedInUser, and I do not understand what the problem is, I did not find a solution on the network.
[root@kojistream koji]# su kojiadmin
[kojiadmin@kojibuilder koji]$ koji call getLoggedInUser
2020-04-07 05:10:35,910 [ERROR] koji: ConnectionError: HTTPSConnectionPool(host='kojibuilder.example.ru', port=443): Max retries exceeded with url: /kojihub/ssllogin (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused',))
I adhered to all the recommendations from the manual, but the login does not work.
Help me please.
Hello! That is, it is not possible to start the httpd server with the SSL module, but I did everything completely according to the instructions. Maybe I missed something or the instruction is not complete? OS: CentOS 8 Stream.