- Description
- Setup - The basics of getting started with koji
- Usage - Configuration options and additional functionality
- Reference - An under-the-hood peek at what the module is doing and how
- Limitations - OS compatibility, etc.
- Development - Guide for contributing to the module
The typical Koji build system deployment consists of one or more Builders, a Web portal, a CLI, and a Hub that coordinates activities. There's also some "behind the scenes" components such a Garbage Collector, database and that service know as Kojira. This Puppet module aims to make deployment of all these components relatively easy, while allowing considerable flexibility for advanced setups.
Classes:
- koji::builder
- koji::cli
- koji::database
- koji::gc
- koji::httpd
- koji::hub
- koji::kojira
- koji::utils
- koji::web
Defined types:
This class manages a host as a Koji Builder.
An array of tuples from which kojid is allowed to checkout. The format of each tuple is:
host:repository[:use_common[:source_cmd]]
Incorrectly-formatted tuples will be ignored.
If use_common is not present, kojid will attempt to checkout a 'common/'
directory from the repository. If use_common is set to no, 'off',
false, or 0, it will not attempt to checkout a 'common/' directory.
source_cmd is a shell command (args separated with commas instead of spaces)
to run before building the srpm. It is generally used to retrieve source files
from a remote location. If no source_cmd is specified, 'make sources' is
run by default.
URL of your package download site.
URL of your Koji Hub service.
Literal string or Puppet source URI providing the CA certificate which signed the Koji Hub certificate. This must be in PEM format and include all intermediate CA certificates, sorted and concatenated from the leaf CA to the root CA.
Literal string or Puppet source URI providing the builder's identity certificate which must be in PEM format.
Name of the directory containing the 'repos/' directory.
Don't cancel sub-task when other fails. In some cases it makes sense to
continue with sibling task even if some of them already failed. E.g., with
a kernel build it could be of use if the submitter knows for which
architectures it succeeds and for which it fails. Repeated builds could take
a lot of time and resources. Note, that this shouldn't be enabled ordinarily
as it could result in unnecessary resource consumption. The default is
false.
Enable verbose debugging for the Koji Builder. One of: true or false
(default).
Instance is to be started at boot. Either true (default) or false.
Instance is to be 'running' (default) or 'stopped'. Alternatively,
a Boolean value may also be used with true equivalent to 'running' and
false equivalent to 'stopped'.
The number of seconds a buildroot should be retained by kojid after a build failure occurs. It is sometimes necessary to manually chroot into the buildroot to determine exactly why a build failed and what might done to resolve the issue. The default is 4 hours (or 14,400 seconds).
It must be noted here that this feature is somewhat flaky because Koji seems to set the expiration time based not on when the build started but on some other event, likely when the buildroot was created. This might not sound all that different but bear in mind that kojid doesn't fully destroy the build roots; it merely empties them. So in effect, kojid can reuse a buildroot -- one which may already be hours towards its expiration. If you wish to use this feature, you may want to use a value of a day or more, but keep in mind you might then exhaust the storage capacity of the mock_dir.
If true, additional packages will be installed to permit this host to perform
image building tasks. The default is false.
An array of extra package names needed for the Koji Builder installation when
image_building is true.
The minimum amount of free space (in MiB) required for each build root.
The directory under which mock will do its work and create buildroots.
The default is '/var/lib/mock'.
The user to run as when doing builds. The default is 'kojibuilder'.
An array of package names needed for the Koji Builder installation.
The service name of the Koji Builder daemon.
The mail host to use for sending email notifications. The Koji Builder must be
able to connect to this host via TCP on port 25. The default is 'localhost'.
Enable using createrepo_c instead of createrepo. The default is false.
Name of the directory where temporary work will be performed. The default
is '/tmp/koji'.
This class manages the Koji CLI on a host.
An array of package names needed for the Koji CLI installation.
A hash whose keys are profile names and whose values are hashes comprising the same parameters you would otherwise pass to koji::cli::profile.
This class manages the Koji database on a host.
This class presently assumes a PostgreSQL database.
Specifically, this class will:
- install/configure the PostgreSQL server, including authentication
- create the database and PostgreSQL user role
- import the Koji database schema
- bootstrap the database with an initial Koji administrator account
Upgrading
This class is primarily useful for establishing new Koji setups. If you already have a Koji setup and you are building a newer one to replace it, a suggested procedure is as follows:
- successfully apply this to the new Koji host ($NEW)
- stop the Puppet agent on $NEW
- stop the PostgreSQL server on $NEW
- reinitialize the database cluster
- perform a full dump on the old Koji host $(OLD)
- transfer the dumped content to $NEW
- load the dumped content on $NEW
- review migration documents on $NEW; see
rpm -qd koji
Password for the database user.
Name of the of the Koji administrator. Defaults to 'kojiadmin'.
Name of the database. Defaults to 'koji'.
From where may the PostgreSQL server accept connections? Defaults to
'localhost' which means it will only accept connections originating from the
local host. A value of '*' makes the PostgreSQL server accept connections
from any remote host. You may instead choose to specify a comma-separated list
of host names and/or IP addresses.
NB: This parameter affects the entire PostgreSQL server, not just the Koji database. If the database cluster has other duties, additional work must be done here to permit that.
Source URI for the Koji database schema. The default is
'/usr/share/doc/koji/docs/schema.sql'.
Name of the user who is to own the database. Defaults to 'koji'.
Name of the user that runs the Koji-Web server. Defaults to 'apache'.
This class manages the Koji garbage collector on a host.
Literal string or Puppet source URI providing the Koji garbage collector's certificate. This must be in PEM format.
URL of your Koji-Hub server.
Literal string or Puppet source URI providing the CA certificate which signed Koji-Hub. This must be in PEM format and include all intermediate CA certificates, sorted and concatenated from the leaf CA to the root CA.
GPG key IDs that were used to sign packages, as a hash. E.g.:
{ 'fedora-gold' => '4F2A6FD2', 'fedora-test' => '30C9ECF8' }
Name of the OS user account under which the garbage collection process will run.
Directory containing the 'repos/' directory.
URL of your Koji-Web server.
The domain name that will be appended to Koji user names when creating
email notifications. Defaults to the $domain fact.
Determines the length of time that builds are held in the trash can before
their ultimate demise. The default is '4 weeks'.
Name of the OS group account under which the garbage collection process will run. The default is to be the same as owner.
Any scratch builds that were last modified more than this number of days ago are eligible for purging. Set to a negative number to prohibit purging any scratch builds. The default is 90 days.
The mail host to use for sending email notifications. The Koji garbage
collector must be able to connect to this host via TCP on port 25. The
default is 'localhost'.
An array of names in keys which are to be considered unprotected by the garbage collector. Any key not listed here is considered a protected key.
This class manages Apache httpd for the needs of the Koji Hub/Web components.
This manages those parts of httpd that are common to both the Koji Hub and the Koji Web components, which may be on the same or different hosts.
This class manages the Koji Hub component on a host.
This manages the Koji Hub, an XML-RPC server running under mod_wsgi in Apache's httpd. It also manages Koji's skeleton file system. The Koji Hub may be run on the same host as the Koji Web, but that's not required.
Literal string or Puppet source URI providing the CA certificate which signed the client certificates that wish to connect to this Koji Hub. This must be in PEM format and include all intermediate CA certificates, sorted and concatenated from the leaf CA to the root CA.
Name of host that provides the Koji database.
Password for the Koji database connection.
User name for the Koji database connection.
Literal string or Puppet source URI providing the CA certificate which signed hub_cert_source. This must be in PEM format and include all intermediate CA certificates, sorted and concatenated from the leaf CA to the root CA.
Literal string or Puppet source URI providing the Koji Hub's certificate. This must be in PEM format.
Literal string or Puppet source URI providing the private key that was used to sign the Koji Hub's certificate contained in hub_cert_source. This must be in PEM format.
Directory containing the 'repos/' directory.
An array of Distinguished Names (DN) of the clients allowed to proxy SSL authentication requests through the Koji Hub.
Enable verbose debugging for the Koji Hub. One of: true or false
(default).
The domain name that will be append to Koji user names when creating email
notifications. Defaults to the $domain fact.
An array of package names needed for the Koji Hub installation.
An array of strings, each naming a Koji Hub plugin that is to be enabled. The default is for no plugins to be enabled.
Determines how much detail about exceptions is reported to the client (via
faults). The 'extended' format is intended for debugging only and should NOT
be used in production, since it may contain sensitive information. The default
is 'normal'. One of:
'normal'- a basic traceback (format_exception)'extended'- an extended traceback (format_exc_plus)'message'- no traceback, just the error message
This class manages the Kojira component on a host.
URL of your Koji Hub service.
Literal string or Puppet source URI providing the CA certificate which signed the Koji Hub certificate. This must be in PEM format and include all intermediate CA certificates, sorted and concatenated from the leaf CA to the root CA.
Literal string or Puppet source URI providing the Kojira component's identity certificate which must be in PEM format.
Name of the directory containing the 'repos/' directory.
Enable verbose debugging for Kojira. One of: true or false (default).
The number of seconds expired repositories must age before they will be cleaned up. The default is one week.
The number of seconds dist repositories must age before they will be cleaned up. The default is one week.
Instance is to be 'running' (default) or 'stopped'. Alternatively,
a Boolean value may also be used with true equivalent to 'running' and
false equivalent to 'stopped'.
Instance is to be started at boot. Either true (default) or false.
The service name of the Kojira daemon.
This class manages Koji utilities package.
Instance is to be 'present' (default) or 'absent'. Alternatively,
a Boolean value may also be used with true equivalent to 'present' and
false equivalent to 'absent'.
An array of package names needed for the Koji utilities installation.
This class manages the Koji Web component on a host.
The Koji Web may be run on the same host as the Koji Hub, but that's not required.
URL for accessing Koji's file resources.
Literal string or Puppet source URI providing the CA certificate which signed the Koji Hub certificate. This must be in PEM format and include all intermediate CA certificates, sorted and concatenated from the leaf CA to the root CA.
URL for accessing the Koji Hub's RPC services.
Literal string or Puppet source URI providing the Koji Web's certificate. This must be in PEM format.
Undocumented by the Koji project, but required. Pass in a reasonably long random string. It is unknown where/how this is used exactly without deeper investigation, but you won't need during normal use.
Enable verbose debugging for the Koji Web. When enabled, a full traceback will
be shown to the client for unhandled exceptions. One of: true or false
(default).
hidden_users
An array of the numeric IDs of users that you want to hide from tasks listed on the front page. You might want to, for instance, hide the activity of an account used for continuous integration. The default is to not hide any user's tasks.
Automatically logout users after this many hours. The default is 72 hours.
An array of package names needed for the Koji Web installation.
Name of the web theme that Koji is to use. Content under
'/usr/share/koji-web/static/themes/$theme' will be used instead of the normal
files under '/usr/share/koji-web/static/'. Any absent files will fall back
to the normal files. This module provides only the configuration to use
theme and provides nothing to actually install theme.
This defined type manages a Koji CLI configuration profile.
Profiles can be utilized by the Koji CLI using:
koji -p|--profile PROFILE
The Koji CLI will use a default profile named koji unless another is
specified.
An identifier for the configuration profile instance. Specify koji to configure the default profile.
URL of your package download site.
URL of your Koji-Hub server.
Directory containing the 'repos/' directory.
URL of your Koji-Web server.
The method the client should use to authenticate itself to the Koji-Hub. Must
be one of: 'noauth', 'ssl', 'password', or 'kerberos'. The default is
'ssl'.
When making Koji calls, if the Koji Hub reports a temporary failure, how many
times should the call be retried? The default is 30.
When making Koji calls, if the Koji Hub reports itself as offline, should the
call be retried automatically? The default is false.
Note that offline failures are treated specially from other temporary failures. These are not constrained by other failure handling options, most notably max_retries.
When making Koji calls, if the Koji Hub reports itself as offline and
offline_retry is true, this determines how many seconds the Koji Client
will wait before attempting the call again. The default is 20 seconds.
When making Koji calls, if the Koji Hub reports a temporary failure, this determines how many seconds the Koji Client will wait before attempting the call again. The default is 20 seconds.
This defined type manages a policy rule for the Koji garbage collector.
The pruning policy is a series of rules. During pruning, the garbage collector goes through each tag in the system and considers its contents. For each build within the tag, it goes through the pruning policy rules until it finds one that matches. It it does, it takes that action for it.
An arbitrary identifier for the policy rule instance.
Literal string describing one policy rule. The general format is:
test <args> [ && test <args> ...] :: action
The available tests are:
tag <pattern> [<pattern> ...]- The name of the tag must match one of the patterns.
package <pattern> [<pattern> ...]- The name of the package must match one of the patterns.
age <operator> <value>- A comparison against the length of time since the build was tagged. This is not the same as the age of the build.
- Valid operators are
<,<=,==,=>,>. - Value is something like
1 dayor4 weeks.
sig <key>- The build's component rpms are signed with a matching key.
order <operator> <value>- Like the
agetest, but the comparison is against the order number of the build within a given tag. The order number is the number of more recently tagged builds for the same package within the tag. For example, the latest build of FOO in tag BAR has order number 0, the next latest has order number 1, and so on. - The
skipaction modifies this -- the build is kept, but is not counted for ordering.
- Like the
Note that the tests are not being applied to just a build, but to a build within a tag. If a build is multiply tagged, it will be checked against these policies for each tag and may be kept in some but untagged in others.
The available actions are:
keep- Do not untag the build from this tag.
untag- Untag the build from this tag.
skip- Like keep, but do not count the build for ordering.
Determines the evaluation sequence of this rule amongst all of the policy
rules. This should be a 3-digit numerical string with lower values taking
precedence. Value '000' is reserved for use by this module.
Tested on modern Fedora and CentOS releases, but likely to work on any Red Hat variant. Adaptations for other operating systems should be trivial as this module follows the data-in-module paradigm. See data/common.yaml for the most likely obstructions. If "one size can't fit all", the value should be moved from data/common.yaml to data/os/%{facts.os.name}.yaml instead. See hiera.yaml for how this is handled.
This should be compatible with Puppet 3.x and is being used with Puppet 4.x as well.
Contributions are welcome via pull requests. All code should generally be compliant with puppet-lint.