Switch to building stage repository by combining production and diff … #280
I decided to split this into:
@@ -0,0 +1,8 @@ | |||
#!/bin/bash -e |
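Review bot: the `-e` on the shebang line only takes effect when the script is executed directly; if it is ever run as `bash <script>` the flag is silently dropped and a failed command no longer stops the run. Putting `set -e` on its own line at the top of the body keeps the behaviour the same however the script is invoked.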
This script is designed to work with this change theforeman/foreman-infra#1948 that allows infra users to rsync as yumrepostage user.
Why do you need to "Copy all RPMs from production (yum.theforeman.org) to a local repository"? Is it so that you can generate a "composed" repo (old plus new) locally, including module metadata? (Today, we push the diff only and the remote regenerates the repodata)
Yes. This was in service of:
Thinking about it more I could optimize and have support for that with an option to generate the whole thing locally but require web01 to be a tad smarter than it is today.
Optimized Workflow
For a release:
For nightly:
I think I am cool with the current flow (and generally in favor of dumbing down web01). Just needed to have a clearer picture. Does downloading the existing RPMs from prod keep their filesystem timestamps, or would these be updated during rsync back to web01? If possible, I'd try to retain them, so people have a clearer picture when things changed.
That will require some testing.
Do I understand correctly: Your suggestion is to swap away from reposync to a method that downloads the RPMs individually, using this code chunk to do so in order to maintain the modification date.
Nah, just make me read the code better 🙈
Does the new structure help at all?
|
||
output = check_output(cmd, universal_newlines=True, stderr=STDOUT) | ||
|
||
if gpgkey.lower() not in output: |
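Review bot: `if gpgkey.lower() not in output` lowercases only the key ID and then does a substring test against the whole command output, so it relies on the tool printing the ID in lower case and would also match those characters anywhere else in the text, such as a file name. Comparing against `output.lower()`, or better against the key ID field parsed out of the output, would make the signed/unsigned decision sturdier; with `stderr=STDOUT` any warning text is part of what gets searched as well.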
Perhaps we should lower case it in handle_args?
My thinking was to make absolutely sure it's lowered when it's needed to avoid any future changes that might break this identification of what is signed or not signed.
Please also modify this as needed:
theforeman-rel-eng/procedures/foreman/release.md.erb
Lines 71 to 80 in d27cef5
- Sign the RPMs in the release
- [ ] <%= rel_eng_script('download_rpms') %>
- [ ] <%= rel_eng_script('sign_rpms') %>
- [ ] <%= rel_eng_script('upload_rpm_signatures') %>
- [ ] <%= rel_eng_script('upload_rpms') %>
- Sign RPMs for client repos (call scripts with `PROJECT=client`)
- [ ] <%= rel_eng_script('download_rpms') %>
- [ ] <%= rel_eng_script('sign_rpms') %>
- [ ] <%= rel_eng_script('upload_rpm_signatures') %>
- [ ] <%= rel_eng_script('upload_rpms') %>
- [ ] <%= rel_eng_script('download_rpms') %>, <%= rel_eng_script('sign_rpms') %>, <%= rel_eng_script('upload_rpm_signatures') %>, <%= rel_eng_script('upload_rpms') %>
This is handled over here -- #285. I do not want to update the procedures until all the infrastructure is in place.
@evgeni I was able to add a partial optimization with filtering on download. The reason we cannot do a complete is repodiff returns the full NEVRA, e.g.
And comps contains just the name
You can split NEVRAs like this: package, _version, _release = nevra.rsplit('-', 2)
I noticed that rpmsign does seem to help prevent us from re-signing an already signed package:
@@ -73,6 +73,7 @@ | |||
|
|||
# Short GPGKEY is used by koji and is the last 8 chars or the full key | |||
GPGKEY="$(echo ${FULLGPGKEY: -8} | tr '[A-Z]' '[a-z]')" | |||
HALFGPGKEY="$(echo ${FULLGPGKEY: -16} | tr '[A-Z]' '[a-z]')" |
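Review bot: HALFGPGKEY has no comment saying what consumes the 16-character form; the comment above it covers only the 8-character GPGKEY used by koji, and reads "or the full key" where "of the full key" seems to be meant. Since the substring syntax already requires bash, assigning `HALFGPGKEY="${FULLGPGKEY: -16}"` and then lowercasing with `${HALFGPGKEY,,}` would drop the echo and tr pipeline on both lines. Where the choice exists, matching signatures on the 16-character ID is the safer default, because 8-character short key IDs are known to collide.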
Check notice
Code scanning / shellcheck
Double quote to prevent globbing and word splitting. Note
@@ -73,6 +73,7 @@ | |||
|
|||
# Short GPGKEY is used by koji and is the last 8 chars or the full key | |||
GPGKEY="$(echo ${FULLGPGKEY: -8} | tr '[A-Z]' '[a-z]')" | |||
HALFGPGKEY="$(echo ${FULLGPGKEY: -16} | tr '[A-Z]' '[a-z]')" |
Check notice
Code scanning / shellcheck
Don't use [] around classes in tr, it replaces literal square brackets. Note
@@ -73,6 +73,7 @@ | |||
|
|||
# Short GPGKEY is used by koji and is the last 8 chars or the full key | |||
GPGKEY="$(echo ${FULLGPGKEY: -8} | tr '[A-Z]' '[a-z]')" | |||
HALFGPGKEY="$(echo ${FULLGPGKEY: -16} | tr '[A-Z]' '[a-z]')" |
Check notice
Code scanning / shellcheck
Don't use [] around classes in tr, it replaces literal square brackets. Note
Updated with some included README workflow layout. This can be merged prior to (theforeman/foreman-infra#1948) for nightly, but theforeman/foreman-infra#1948 must be merged prior to this if I am to test this for releases and rsyncing to stagingyum.
One thing that I realized while reviewing theforeman/foreman-infra#1948: Shouldn't block this PR, but something to keep an eye on. Edit (after reading All good.
sprinkled a few comments here and there, but overall I like the flow!
…of Copr
When the version is nightly, this will not pull from production but instead treat what is in Copr as the source of truth. At the end, the output for a versioned repository is a list of unsigned packages.
if ':' in version: | ||
version_without_epoch = version.rsplit(':')[1] | ||
else: | ||
version_without_epoch = version |
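Review bot: `version.rsplit(':')` is called without a maxsplit, so it splits on every colon and `[1]` is the version only when the string holds exactly one. `version.rpartition(':')[2]` returns the text after the last colon, or the whole string when there is none, which also makes the if/else unnecessary.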
Is this too smart? version_without_epoch = version.rsplit(':', 1)[-1]
#286
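The NEVRA handling discussed in the comments above (splitting with rsplit, dropping the epoch, and comparing against the bare names in comps), as an added example that is not code from this PR. `parse_nevra`, `filter_by_comps` and the sample strings are hypothetical names and constructed data; the filter matches on the exact package name so that a comps entry for one package does not pull in another that shares its prefix.

```python
from typing import Iterable, List, NamedTuple


class NEVRA(NamedTuple):
    name: str
    epoch: str
    version: str
    release: str
    arch: str


def parse_nevra(nevra: str) -> NEVRA:
    """Split 'name-[epoch:]version-release.arch' into its five fields."""
    # Split from the right: a package name may contain '-', but the
    # version and release fields may not.
    parts = nevra.rsplit('-', 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a NEVRA: {nevra!r}")
    name, version, release_arch = parts
    release, dot, arch = release_arch.rpartition('.')
    if not dot or not release or not arch:
        raise ValueError(f"missing release or arch: {nevra!r}")
    # rpartition returns an empty epoch when there is no ':' at all;
    # RPM treats a missing epoch as 0.
    epoch, _, version = version.rpartition(':')
    return NEVRA(name, epoch or '0', version, release, arch)


def filter_by_comps(nevras: Iterable[str], comps_names: Iterable[str]) -> List[str]:
    """Keep the NEVRAs whose exact package name is listed in comps."""
    wanted = set(comps_names)
    return [n for n in nevras if parse_nevra(n).name in wanted]


# Constructed sample input, not real repodiff output.
SAMPLE_NEVRAS = [
    "foreman-3.9.0-1.el8.noarch",
    "foreman-cli-3.9.0-1.el8.noarch",
    "example-tool-1:2.4.1-3.el9.x86_64",
]

if __name__ == "__main__":
    for nevra in filter_by_comps(SAMPLE_NEVRAS, {"foreman", "example-tool"}):
        print(parse_nevra(nevra))
```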
…of Copr
When the version is nightly, this will not pull from production but instead treat what is in Copr as the source of truth. At the end, the output for a versioned repository is a list of unsigned packages.
There is a lot of change here, and I can likely do some re-factoring now or after merge. I wanted to get a working version of the concept available.
Here is how this generates the stage repository.
For nightly:
This is done for RPM and SRPMs. For this workflow, Jenkins will run this script and push the RPMs via rsync to stagingyum.theforeman.org.
For releases:
For this workflow, the release engineer will run this script, perform a signing of unsigned packages and push the RPMs via rsync to stagingyum.theforeman.org.
The idea is then that either one of these options will happen (via a follow up PR):