Koji RPM Build System Installation Part 2

In Part 1 we started by setting up the SSL certificates. Now we are going deeper.

Database Setup

Start with installing postgresql and setting up Koji users and schema.

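yum install postgresql-server koji
service postgresql initdb
service postgresql start
# create the koji system account (passwd -d leaves it without a password)
useradd koji
passwd -d koji
# create the database role and database as the postgres superuser
su - postgres -c "createuser koji"
su - postgres -c "createdb -O koji koji"
# load the Koji schema as the koji user
su - koji -c "psql koji koji < /usr/share/doc/koji*/docs/schema.sql"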

Edit /var/lib/pgsql/data/pg_hba.conf and add users

# "local" is for Unix domain socket connections only
local koji apache trust
local koji koji trust
local all all ident
# IPv4 local connections:
host koji koji trust
host all all ident
# IPv6 local connections:
host all all ::1/128 ident

In /var/lib/pgsql/data/postgresql.conf set

listen_addresses = '*'

and then service postgresql restart
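
The two settings above interact: "trust" means no password is asked, and listen_addresses decides whether the server is reachable over the network at all. The following added example (not part of the original post) parses the pg_hba.conf records and the listen_addresses value exactly as listed here and reports records that lack the address column PostgreSQL requires on host lines, or that allow passwordless connections. The function names and finding texts are this example's own.

```python
# Added example (not from the original post): audit pg_hba.conf records
# against the listen_addresses setting.
METHODS = {"trust", "reject", "md5", "password", "scram-sha-256", "gss",
           "sspi", "ident", "peer", "pam", "ldap", "radius", "cert"}
NETWORK_TYPES = {"host", "hostssl", "hostnossl"}
LOOPBACK = {"127.0.0.1/32", "::1/128", "localhost"}

# Constructed sample input: the two settings exactly as listed on this page.
PG_HBA = """\
# "local" is for Unix domain socket connections only
local koji apache trust
local koji koji trust
local all all ident
# IPv4 local connections:
host koji koji trust
host all all ident
# IPv6 local connections:
host all all ::1/128 ident
"""
POSTGRESQL_CONF = "listen_addresses = '*'\n"


def listens_remotely(conf_text):
    """True when listen_addresses names anything other than loopback."""
    for line in conf_text.splitlines():
        key, _, value = line.split("#", 1)[0].partition("=")
        if key.strip() == "listen_addresses":
            addrs = {a.strip() for a in value.strip().strip("'\"").split(",")}
            return not addrs <= {"", "localhost", "127.0.0.1", "::1"}
    return False  # an unset listen_addresses defaults to localhost


def audit(hba_text, conf_text):
    """Return (line_number, finding) for invalid or passwordless records."""
    remote, findings = listens_remotely(conf_text), []
    for num, line in enumerate(hba_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        rtype, user, rest = fields[0], fields[2], fields[3:]
        if rtype == "local" and rest[0] == "trust":
            findings.append((num, "any local account can connect as " + user))
        elif rtype in NETWORK_TYPES and rest[0] in METHODS:
            findings.append((num, "network record has no address column"))
        elif rtype in NETWORK_TYPES and "trust" in rest[1:]:
            if remote and rest[0] not in LOOPBACK:
                findings.append((num, "passwordless TCP access from " + rest[0]))
    return findings
```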

Now we need to add the initial admin user to the DB:

su - koji
psql koji koji
insert into users (name, status, usertype) values ('kojiadmin', 0, 0);
insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);

That's it for the database. Now over to…


yum install koji-hub httpd mod_ssl mod_python
setsebool -P httpd_can_network_connect_db 1

In /etc/httpd/conf/httpd.conf, change all occurrences of the MaxRequestsPerChild directive to “MaxRequestsPerChild 100”.

Now it's time for some more SSL certificates. Make sure the CN matches your FQDN. If everything runs on the same server, it is obviously the same FQDN.

cd /etc/pki/koji
./certgen.sh kojiweb # OU=kojiweb,CN=koji.example.com -> the FQDN of your kojiweb server
./certgen.sh kojihub # OU=kojihub,CN=koji.example.com -> the FQDN of your kojihub server

In /etc/koji-hub/hub.conf set

DBName = koji
DBUser = koji
DBHost =
#DBPass = example_password
KojiDir = /mnt/koji
DNUsernameComponent = CN
ProxyDNs = /C=DE/ST=Bavaria/O=Foobar/OU=kojiweb/CN=koji.example.com
LoginCreatesUser = On
KojiWebURL = http://koji.example.com/koji

Pay attention here: The ProxyDNs needs to absolutely fit what you entered in the Kojiweb certificate. If you additionally supplied emailAddress for example, you will also have to add that to the Proxy line.

Now in /etc/httpd/conf.d/kojihub.conf you have to uncomment the entire block of <Location /kojihub/ssllogin>

Then in /etc/httpd/conf.d/ssl.conf set:

SSLCertificateFile /etc/pki/koji/certs/kojihub.crt
SSLCertificateKeyFile /etc/pki/koji/certs/kojihub.key
SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt
SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt
SSLVerifyClient require
SSLVerifyDepth 10

Preparing the filesystem

In the Koji-Hub config we set the KojiDir, but we still need to create it. If for some reason you want to use a different directory, you still have to symlink /mnt/koji to your other location. This is a bug.
You could also mount an NFS share at /mnt/koji.

cd /mnt
mkdir koji
cd koji
mkdir {packages,repos,work,scratch}
chown apache:apache *
service httpd restart

Koji CLI

The system-wide koji client configuration file is /etc/koji.conf, and the user-specific one is in ~/.koji/config. You may also use the “-c” option when using the Koji client to specify an alternative configuration file.
Note that the URLs can differ if you are running the components on different systems.

So set /etc/koji.conf to


[koji]

;configuration for koji cli tool

;url of XMLRPC server
server = http://koji.example.com/kojihub

;url of web interface
weburl = http://koji.example.com/koji

;url of package download site
topurl = http://koji.example.com/kojifiles

;path to the koji top directory
topdir = /mnt/koji

;configuration for SSL authentication

;client certificate
cert = ~/.koji/client.crt

;certificate of the CA that issued the client certificate
ca = ~/.koji/clientca.crt

;certificate of the CA that issued the HTTP server certificate
serverca = ~/.koji/serverca.crt

Now everything is set up for rudimentary operation. Test it with

su kojiadmin
koji call getLoggedInUser

You should then get a) no error and b) see a blob of yourself being logged in:

{'id': 1,
'krb_principal': None,
'name': 'kojiadmin',
'status': 0,
'usertype': 0}

That's it for now. If you don't have it working so far, you should double-check your certificates in /etc/pki/koji/index.txt and verify the ProxyDNs setting.
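
One way to do that double-check, as an added example that is not part of the original post: it reads the subject DNs from the CA's index.txt and reports whether the ProxyDNs value exactly matches a valid certificate, naming the DN component that differs (such as an extra emailAddress). It assumes a single DN in ProxyDNs and the slash-separated DN form on both sides; the sample data and function names are constructed for illustration.

```python
# Added example (not from the original post): compare hub.conf's ProxyDNs
# with the subject DNs recorded in the CA's index.txt.

# Constructed sample data modelled on this page's example values. The index
# line is tab-separated: status, expiry, revocation date, serial, file, DN.
INDEX_TXT = (
    "V\t251231235959Z\t\t02\tunknown\t/C=DE/ST=Bavaria/O=Foobar/OU=kojiweb"
    "/CN=koji.example.com/emailAddress=admin@example.com\n"
    "V\t251231235959Z\t\t03\tunknown\t/C=DE/ST=Bavaria/O=Foobar/OU=kojihub"
    "/CN=koji.example.com\n"
)
HUB_CONF = (
    "DNUsernameComponent = CN\n"
    "ProxyDNs = /C=DE/ST=Bavaria/O=Foobar/OU=kojiweb/CN=koji.example.com\n"
)


def parse_index(text):
    """Return one dict per well-formed index.txt line."""
    rows = (line.split("\t") for line in text.splitlines())
    return [{"status": r[0], "serial": r[3], "dn": r[5]} for r in rows if len(r) == 6]


def hub_option(conf_text, name):
    """Return the value of a 'name = value' line in hub.conf, or None."""
    for line in conf_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == name:
            return value.strip()
    return None


def dn_parts(dn):
    """Split '/C=DE/O=Foobar' into an {attribute: value} dict."""
    return dict(p.split("=", 1) for p in dn.split("/") if "=" in p)


def check_proxy_dn(index_text, conf_text):
    """Return (ok, detail); ok only for an exact match with a valid (V) entry."""
    proxy = hub_option(conf_text, "ProxyDNs") or ""
    entries, want = parse_index(index_text), dn_parts(proxy)
    for e in entries:
        if e["dn"] == proxy:
            return e["status"] == "V", "serial %s, status %s" % (e["serial"], e["status"])
    for e in entries:
        have = dn_parts(e["dn"])
        if (have.get("OU"), have.get("CN")) == (want.get("OU"), want.get("CN")):
            diff = sorted(k for k in set(have) | set(want) if have.get(k) != want.get(k))
            return False, "serial %s differs in: %s" % (e["serial"], ", ".join(diff))
    return False, "no index entry matches ProxyDNs"
```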

In the next article we will be setting up Koji-Web, Kojid (the Builder), Kojira. Stay tuned..

    • Jeremy Hansen
    • November 8th, 2015 10:54pm

    I’m having an issue generating the certs for kojiweb and kojihub:

    Sign the certificate? [y/n]:y
    failed to update database
    TXT_DB error number 2

    I understand the error is due to using the same commonName I already used when generating the kojiadmin user, but I’m not exactly sure how to work around this. Everything is running on a single host.

      • phil
      • November 19th, 2015 2:41pm

      I didn't work with Koji for quite a while and I also can't recall seeing that error, so I won't be able to help you :/

    • Ath Kebei
    • July 3rd, 2017 10:51pm

    Hi ya Phil,
    Worked well and all certs came out great. Trying to use just SSL authentication.

    But when I try to login as kojiadmin I get an sslverify failed error.
    [root@koji~]# su kojiadmin
    [kojiadmin@koji root]$ koji call getLoggedInUser
    SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:579

    Little clarification, which proxydns has to be used?
    kojiadmin certificate or kojiweb ProxyDNs. in /etc/koji-hub/hub.conf? I tried both and none is working

      • phil
      • July 4th, 2017 10:36am

      Hi, it's been a long time since I worked with Koji, so I quote what I wrote back then:
      “The ProxyDNs needs to absolutely fit what you entered in the Kojiweb certificate. If you additionally supplied emailAddress for example, you will also have to add that to the Proxy line.”
      So it's the kojiweb certificate's DN.

    • CN_user
    • December 30th, 2019 10:23am

    Hello, I guess I get an error, I do not know how to solve it, could you help me?

    [kojiadmin@localhost ~]$ koji add-user l
    SSLError: [SSL] PEM lib (_ssl.c:2578)

    • andrew
    • April 7th, 2020 9:13am

    Hi there! I got an error when calling getLoggedInUser, and I do not understand what the problem is, I did not find a solution on the network.

    [root@kojistream koji]# su kojiadmin
    [kojiadmin@kojibuilder koji]$ koji call getLoggedInUser
    2020-04-07 05:10:35,910 [ERROR] koji: ConnectionError: HTTPSConnectionPool(host=’kojibuilder.example.ru’, port=443): Max retries exceeded with url: /kojihub/ssllogin (Caused by NewConnectionError(‘: Failed to establish a new connection: [Errno 111] Connection refused’,))

    I adhered to all the recommendations from the manual, but does not go out to log in.

    Help me please.

    • andrew
    • April 9th, 2020 8:05am

    Hello! That is, it is not possible to start the httpd server with the ssl module, but I completely did everything according to the instructions. Maybe I missed something or the instruction is not complete? OS Centos 8 stream.
