-
Notifications
You must be signed in to change notification settings - Fork 437
/
BSConfig.pm.template
378 lines (323 loc) · 13.1 KB
/
BSConfig.pm.template
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
#
# Copyright (c) 2006, 2007 Michael Schroeder, Novell Inc.
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program (see the file COPYING); if not, write to the
# Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
#
################################################################
#
# Open Build Service Configuration
#
package BSConfig;
use Net::Domain;
use Socket;
my $hostname = Net::Domain::hostfqdn() || 'localhost';
# IP corresponding to hostname (only used for $ipaccess); fallback to localhost since inet_aton may fail to resolve at shutdown.
my $ip = quotemeta inet_ntoa(inet_aton($hostname) || inet_aton("localhost"));
my $frontend = undef; # FQDN of the WebUI/API server if it's not $hostname
# If defined, restrict access to the backend servers (bs_repserver, bs_srcserver, bs_service)
our $ipaccess = {
'^::1$' => 'rw', # only the localhost can write to the backend
'^127\..*' => 'rw', # only the localhost can write to the backend
"^$ip\$" => 'rw', # Permit IP of FQDN
'.*' => 'worker', # build results can be delivered from any client in the network
};
# IP of the WebUI/API Server (only used for $ipaccess)
if ($frontend) {
my $frontendip = quotemeta inet_ntoa(inet_aton($frontend) || inet_aton("localhost"));
$ipaccess->{$frontendip} = 'rw' ; # in dotted.quad format
}
#our $ssl_keyfile = "/path/to/tls.key";
#our $ssl_certfile = "/path/to/tls.pem";
# Change also the SLP reg files in /etc/slp.reg.d/ when you touch hostname or port
our $srcserver = "http://$hostname:5352";
our $reposerver = "http://$hostname:5252";
our $serviceserver = "http://$hostname:5152";
our $clouduploadserver = "http://$hostname:5452";
# you can use different ports for worker connections
#our $workersrcserver = "http://$hostname:5353";
#our $workerreposerver = "http://$hostname:5253";
our $servicedir = "/usr/lib/obs/service/";
#our $servicetempdir = "/srv/obs/service";
#our $serviceroot = "/opt/obs/MyServiceSystem";
# Maximum number of concurrent jobs for source server
#our $srcserver_maxchild = 20;
# Maximum number of concurrent jobs for source service
#our $service_maxchild = 20;
# Maximum number of concurrent jobs for binaries proxy
#our $binproxy_maxchild = 40;
# optional notification service:
#our $hermesserver = "http://$hostname/hermes";
#our $hermesnamespace = "OBS";
#
# Notification Plugin, multiple plugins supported, separated by space
#our $notification_plugin = "notify_hermes notify_rabbitmq";
#
# Package defaults
our $bsdir = '/srv/obs';
our $bsuser = 'obsrun';
our $bsgroup = 'obsrun';
# user and group for bs_service (if the lxc service wrapper is used, set
# $bsserviceuser to root). If several obs services (e.g., bs_service and
# bs_srcserver) run on the same host, make sure that $bsservicegroup is set
# to $bsgroup.
our $bsserviceuser = 'obsservicerun';
our $bsservicegroup = $bsgroup;
#our $bsquotafile = '/srv/obs/quota.xml';
# Use asynchronus scheduler. This avoids hanging schedulers on remote projects,
# when the network is slow or broken. This will become the default in future
# our $sched_asyncmode = 1;
# Define how the scheduler does a cold start. The default (0) is to request the
# data for all packages, (1) means that only the non-remote packages are fetched,
# (2) means that all of the package data fetches get delayed.
# our $sched_startupmode = 0;
# Disable fdatasync calls, increases the speed, but may lead to data
# corruption on system crash when the filesystem does not guarantees
# data write before rename.
# It is esp. required on XFS filesystem.
# It is safe to be disabled on ext4 and btrfs filesystems.
#our $disable_data_sync = 1;
# configure special handling of selected repositories
# our $publishredirect = { 'My:Project/repo' =>
# [ "/srv/local/directory/",
# undef, # or local sub path
# "http://my.local.download.server/and/the/path/to/reach/repo",
# "rsync://my.stage.server/module",
# undef, # or special string for a repository pusher trigger file
# ];
# 'My:Other:Project/images' => '/srv/local/other/directory/'
# };
# Package rc script / backend communication + log files
our $rundir = "$bsdir/run";
our $logdir = "$bsdir/log";
# optional for non-acl systems, should be set for access control
# 0: trees are shared between projects (built-in default)
# 1: trees are not shared (only usable for new installations)
# 2: new trees are not shared, in case of a missing tree the shared
# location is also tried (package default)
our $nosharedtrees = 2;
# enable binary release tracking by default for release projects
our $packtrack = [];
# use the more efficient sqlite database for new installations by default
our $source_db_sqlite = 1;
our $published_db_sqlite = 1;
# Generating SLSA provenance data can get enabled by listing the projects.
# WARNING: the SLSA spec is still at level 0.2 Alpha and will change in
# future. Our implementation will follow without backward compatibility
# WARNING: All used binaries for any build will be kept, this will increase
# the disk space requirements a lot
# our $slsaprovenance = [ "openSUSE:Leap:.*:Update", "AnotherProject" ];
# optional: limit visibility of projects for some architectures
#our $limit_projects = {
# "ppc" => [ "openSUSE:Factory", "FATE" ],
# "ppc64" => [ "openSUSE:Factory", "FATE" ],
#};
# optional: allow separation of releasnumber syncing per architecture
# one counter pool for all ppc architectures, one for i586/x86_64,
# arm archs are separated and one for the rest in this example
our $relsync_pool = {
"local" => "local",
"i586" => "i586",
"x86_64" => "i586",
"ppc" => "ppc",
"ppc64" => "ppc",
"ppc64le" => "ppc",
"mips" => "mips",
"mips64" => "mips",
"mipsel" => "mipsel",
"mips64el" => "mipsel",
"aarch64" => "arm",
"aarch64_ilp32" => "arm",
"armv4l" => "arm",
"armv5l" => "arm",
"armv6l" => "arm",
"armv6hl" => "arm",
"armv7l" => "arm",
"armv7hl" => "arm",
"armv8l" => "arm",
"armv8hl" => "arm",
"armv5el" => "armv5el", # not defined in api so far
"armv6el" => "armv6el",
"armv7el" => "armv7el",
"armv8el" => "armv8el",
"sparcv9" => "sparcv9",
"sparc64" => "sparcv9",
};
#No extra stage server sync
#our $stageserver = 'rsync://127.0.0.1/put-repos-main';
#our $stageserver_sync = 'rsync://127.0.0.1/trigger-repos-sync';
#additional options for calling rsync in the publisher
#for example "--whole-file" if network faster than disk
#our $rsync_extra_options = "--whole-file";
# optional source publishing to rsync server
#our $sourcepublish_sync = 'rsync://127.0.0.1/sources';
# optional filter to publish only some areas
#our $sourcepublish_filter = [ "openSUSE:.*", "SUSE:.*" ];
# optional filter to blocklist specific package names independend of the project
#our $sourcepublish_blocklist = [ "flash-player", "binary-only-app" ];
# Define your own global Macros
#my $macro_packager = '<rpm@example.com>';
#my $macro_vendor = 'Name, Company, City, DE';
#our $extramacros = {
# ".*" => "%packager $macro_packager\n%vendor $macro_vendor\n",
#};
#No package signing server
#our $sign = '/usr/bin/sign';
#Extend sign call with project name as argument "--project $NAME"
#our $sign_project = 1;
#Global sign key / cert
#our $keyfile = '/srv/obs/openSUSE-Build-Service.asc';
#our $gpg_standard_key = "/etc/obs-default-gpg.asc";
#our $certfile = '/srv/obs/openSUSE-Build-Service.cert'
# Use a special local arch for product building
# our $localarch = "x86_64";
# config options for the bs_worker
#
#our buildlog_maxsize = 500 * 1000000;
#our buildlog_maxidle = 8 * 3600;
#our xenstore_maxsize = 20 * 1000000;
#our gettimeout = 1 * 3600;
#
# run a script to check if the worker is good enough for the job
#our workerhostcheck = 'my_check_script';
#
# Allow to build as root, exceptions per package
# the keys are actually anchored regexes
# our $norootexceptions = { "my_project/my_package" => 1, "openSUSE:Factory.*/installation-images" => 1 };
# Use old style source service handling
# our $old_style_services = 1;
###
# Optional support to split the binary backend. This can be used on large servers
# to separate projects for better scalability.
# There is still just one source server, but there can be multiple servers which
# run each repserver, schedulers, dispatcher, warden and publisher
#
# This repo service is the 'home' server for all home:* projects. This and the
# $reposerver setting must be different on the binary backend servers.
# our $partition = 'home';
#
# this defines how the projects are split. All home: projects are hosted
# on an own server in this example. Order is important.
# our $partitioning = [ 'home:' => 'home',
# '.*' => 'main',
# ];
#
# our $partitionservers = { 'home' => 'http://home-backend-server:5252',
# 'main' => 'http://main-backend-server:5252',
# };
# host specific configs
my $hostconfig = __FILE__;
$hostconfig =~ s/[^\/]*$/bsconfig.$hostname/;
if (-r $hostconfig) {
print STDERR "reading $hostconfig...\n";
require $hostconfig;
}
# For specific build constraints, for example to require a specific
# security level of the workers.
#
#our $dispatch_constraint = sub {
# my ($job, $worker) = @_;
#
# return 0 unless (grep {$_ eq "OBS_WORKER_SECURITY_LEVEL_1"} @{$worker->{'hostlabel'} || []});
# return 1;
#}
# use createrepo_c instead of createrepo. This gets selected via update-alternatives usualy.
#our $createrepo = '/usr/bin/createrepo_c';
# use modifyrepo_c instead of modifyrepo
#our $modifyrepo = '/usr/bin/modifyrepo_c';
# enable service dispatcher
our $servicedispatch = 1;
# max of 4 parallel running services (default)
# our $servicedispatch_maxchild = 4;
# print all messages with a lower level than $debuglevel in addition to the normal log messages
#our $debuglevel = 1;
our $container_registries = {
'local' => {
server => $hostname,
pushserver => 'local:'
},
# 'staging-registry.example.com' => {
# server => '',
# user => '',
# password => '',
# repository_base => '',
# },
# 'hub.docker.com' => {
# server => '',
# user => '',
# password => '',
# repository_base => '',
# },
};
# You can define a custom mapper function to remove project prefix for some selected projects
# In the following example, containers from the official:Containers project would not get
# official:Containers as prefix when they are published to registry.
#
# sub custom_container_mapper {
# my ($registry, $containerinfo, $projid, $repoid, $arch) = @_;
# if ($projid =~ /^official:Containers/) {
# return @{$containerinfo->{'tags'} || []};
# }
# return BSPublisher::Container::default_container_mapper(@_);
# }
#
# our $container_registries = {
# ...
# mapper => \&custom_container_mapper,
# ...
# }
our $publish_containers = [
# # key: regex to match projid or projid/repoid
# # value: ArrayRef with identifiers for registries configured in $container_registries
# 'SUSE:.*/containers' => [ 'myregistry.example.com', 'local' ],
# 'SUSE:' => [ 'registry.example.com', 'hub.docker.com' ],
# '.*:branches:' => [ 'staging-registry.example.com' ],
'.*' => ['local'],
];
# enable this to announce the X-Registry-Supports-Signatures extension
# (this needs a proxy entry for /extensions/v2 in the web server config)
our $local_registry_signatures_extension = 1;
# special options to use for starting containers in run-service-containerized
# our $docker_custom_opt = [];
#
### Service wapper configuration
# our $service_wrapper = {
# '*' => '/usr/lib/obs/server/call-service-in-container', # '*' declares the default
# # '<service_name>' => '/path/to/my/service_wrapper'
# };
### Options used by call-service-in-container
#
# container image to use
#our $container_image="localhost/obs-source-service-podman:latest";
#
# special options to use for starting containers in run-service-containerized
#our $container_custom_opt = '-e DEBUG_TAR_SCM=1';
#
# option where to store container images
#our $containers_root="$bsdir/service/containers";
## Server where mirrored gems could be found - used in services like obs-service-bundle_gems
# our $gems_mirror = '';
#
## Container which should be 'linked' when running "bundle_gems" service
# our $geminabox_container = '';
#
# public cloud uploader configuration
# our $cloudupload_pubkey = "/etc/obs/cloudupload/_pubkey"; # default setting
# user/password to be used by services which needs to authenticate at
# OBS (e.g. kiwi_import)
# our $obs_service_user = "";
# our $obs_service_pass = "";
# network name required for services using a local proxy/cache like gemianbox
# our $obs_service_network = "obs_services";
1;