From Fedora Project Wiki
Line 6: Line 6:
 
== PreReqs of Knowledge ==
 
== PreReqs of Knowledge ==
  
* Basic understanding of SSL and authentication via certificates
+
* Basic understanding of SSL and authentication via certificates and/or Kerberos credentials
 
* Basic knowledge about creating a database in PostgreSQL and importing a schema
 
* Basic knowledge about creating a database in PostgreSQL and importing a schema
 
* Working with psql
 
* Working with psql
Line 26: Line 26:
 
* rpm-build
 
* rpm-build
 
* createrepo
 
* createrepo
 +
 +
== Koji Authentication Selection ==
 +
Koji primarily supports Kerberos and SSL Certificate authentication. For basic koji command line access, plain user/pass combinations are possible.  However, kojiweb does '''not''' support plain user/pass authentication. Furthermore, once either Kerberos or SSL Certificate authentication is enabled so that kojiweb will work, the plain user/pass method will stop working entirely.  As such plain user/pass authentication is a stop gap measure at best unless you intend to never setup a fully functional kojiweb instance.  We encourage skipping the plain user/pass method altogether and properly configuring either Kerberos or SSL Certification authentication from the start.  Deciding on how to authenticate users colors all the other actions you take in setting up koji so it's a decision best made up front.
 +
 +
For Kerberos authentication, a working Kerberos environment (the user is assumed to either already have this or know how to set it up themselves, instructions for it are not included here) and the Kerberos credentials of the initial admin user will be necessary to bootstrap the user database.
 +
 +
For SSL authentication, SSL certificates for the xmlrpc server, for the various koji components, and one for the admin user will need to be setup (the user need not know how to create certificate chains already, we include the instructions for this below).
  
 
== PostgreSQL Server ==
 
== PostgreSQL Server ==
Line 79: Line 86:
 
</pre>
 
</pre>
  
 +
'''Bootstrapping the initial koji admin user into the PostgreSQL database:'''
 +
The initial admin user must be manually added to the user database using sql commands.  Once they are added and given admin privilege, they may add additional users and change privileges of those users via the koji command line tool's administrative commands.  However, if you choose to use the simple user/pass method of authentication, then any password setting/changing must be done manually via sql commands as there is no password manipulation support exposed through the koji tools.
  
== Koji Authentication Setup ==
+
''Add needed information to the koji database (user/pass authentication):''
Koji primarily supports Kerberos and SSL Certificate authentication. For basic koji-cli access, plain user/pass combinations are possible. For Kerberos authentication, a Kerberos server will need to be setup and configured. For SSL authentication, SSL certificates and the needed cert. chains will need to be setup.
 
 
 
'''Adding basic user/pass combinations for authentication:'''
 
Any password setting/changing still needs to be done manually in the database though (it is not exposed through the API).
 
 
 
''Add needed information to the koji database:''
 
  
 
<pre>
 
<pre>
 
koji@localhost$ psql
 
koji@localhost$ psql
koji=> insert into users (name, password, status, usertype) values ('my-user-name', 'my-password-in-plain-test', 0, 0);
+
koji=> insert into users (name, password, status, usertype) values ('admin-user-name', 'admin-password-in-plain-text', 0, 0);
 
koji=> insert into user_perms (user_id, perm_id) values (<id of user inserted above>, 1);
 
koji=> insert into user_perms (user_id, perm_id) values (<id of user inserted above>, 1);
 
</pre>
 
</pre>
Line 99: Line 102:
 
</pre>
 
</pre>
  
You can then perform Koji admin commands by calling
+
The process is very similar for Kerberos authentication except you would replace the first insert above with this:
 +
 
 
<pre>
 
<pre>
kojiadmin@localhost$ koji --user <username> --password <password>"
+
koji=> insert into users (name, krb_principal, status, usertype) values ('admin-user-name', 'admin@EXAMPLE.COM', 0, 0);
 
</pre>
 
</pre>
  
Both kojira and kojid accept "user" and "password" options in their config files, and will use those for authentication if present.  Note that for kojira, you will need to create a user:
+
For SSL Certificate authentication, there is no need for either a password or a Kerberos principal, so this will suffice:
  
 
<pre>
 
<pre>
kojiadmin@localhost$ koji add-user <username>
+
koji=> insert into users (name, status, usertype) values ('admin-user-name', 0, 0);
 
</pre>
 
</pre>
  
Set the password for it as above, as well as granting it the "repo" permission (perm_id == 3)For kojid you will need to create a "host" entry (koji add-host), and set the password for the associated user (the user gets created at the same time as the host entry).
+
You can't actually log in and perform any actions until kojihub is up and running in your web server.  In order to get to that point you still need to complete the authentication setup and the kojihub configurationIf you wish to access koji via a web browser, you will also need to get kojiweb up and running.
 +
 
  
'''Setting up SSL Certificates for authentication:'''
+
== Setting up SSL Certificates for authentication ==
  
 
'''Certificate generation'''
 
'''Certificate generation'''
  
* Get the ssl.cnf (listed on this page) and *edit* it! (0.organizationName_default should be modified)
+
* Copy-and-paste the ssl.cnf listed here, save it in /etc/pki/koji/ssl.cnf, and then *edit* it! (0.organizationName_default should be modified at a minimum)
  
 
'''ssl.cnf'''
 
'''ssl.cnf'''
Line 197: Line 202:
  
 
'''Generate CA'''
 
'''Generate CA'''
 +
The CA is the Certificate Authority.  It's the key/cert pair used to sign all the other certificate requests.  When configuring the various koji components, both the client CA and the server CA will be the CA generated here.
 +
 
<pre>
 
<pre>
caname="koji"
+
cd /etc/pki/koji/
mkdir -p /etc/kojiweb/clients
 
cd /etc/kojiweb/clients
 
 
mkdir {certs,private}
 
mkdir {certs,private}
 
touch index.txt
 
touch index.txt
 
echo 01 > serial
 
echo 01 > serial
 +
caname=koji
 
openssl genrsa -out private/${caname}_ca_cert.key 2048
 
openssl genrsa -out private/${caname}_ca_cert.key 2048
 
 
openssl req -config ssl.cnf -new -x509 -days 3650 -key private/${caname}_ca_cert.key \
 
openssl req -config ssl.cnf -new -x509 -days 3650 -key private/${caname}_ca_cert.key \
 
-out ${caname}_ca_cert.crt -extensions v3_ca
 
-out ${caname}_ca_cert.crt -extensions v3_ca
 
</pre>
 
</pre>
  
'''Generate the kojira user certificate'''
+
The last command above will ask you to confirm a number of items about the certificate you are generating.  Presumably you already edited sane defaults for the country, state/province, locale, and organization into the ssl.cnf file and you only needed to hit enter.  It's the organizational unit and the common name that we will be changing in the various certs we create. For the CA itself, these fields don't have a hard requirement.
 +
 
 +
'''Generate the koji component certificates and the admin certificate'''
 +
 
 +
Each koji component needs its own certificate to identify it.  Two of the certificates (kojihub and kojiweb) are used as server side certificates that authenticate the server to the client.  For this reason, you want the common name on both of those certs to be the fully qualified domain name of the web server they are running on so that clients don't complain about the common name and the server not being the same.  For the other certificates (kojira, kojid, the initial admin account, and all user certificates), the cert is used to authenticate the client to the server and the common name in the cert is the login name.  Therefore the common name must be same as the user name in the koji database.  Note: when using ''koji add-host'' to add a build machine into the koji database, it creates a user account for that host even though the user account doesn't appear in the user list.  The user account created during an add-host operation must match the common name of the certificate used by the kojid program on that host.  Note2: when creating the kojiweb certificate, you'll want to remember exactly what values you enter for each field as you'll have to regurgitate those into the /etc/httpd/conf.d/kojihub.conf file as the ProxyDNs entry.
 +
 
 
<pre>
 
<pre>
caname=koji
+
for user in kojira kojiweb kojihub kojibuilder{1..5} admin-account; do
user="kojira"
 
 
 
 
openssl genrsa -out certs/${user}.key 2048
 
openssl genrsa -out certs/${user}.key 2048
 
 
openssl req -config ssl.cnf -new -nodes -out certs/${user}.csr -key certs/${user}.key
 
openssl req -config ssl.cnf -new -nodes -out certs/${user}.csr -key certs/${user}.key
 
 
openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt \
 
openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt \
 
-out certs/${user}.crt -outdir certs -infiles certs/${user}.csr
 
-out certs/${user}.crt -outdir certs -infiles certs/${user}.csr
cat certs/${user}.crt certs/${user}.key > /etc/kojira/${user}.pem
+
cat certs/${user}.crt certs/${user}.key > ${user}.pem
</pre>
+
done
 
 
'''Generate the kojihub server certificate'''
 
 
 
<pre>
 
Do the same as for the kojira user, but with e.g. user="kojihub".
 
Set the common name to the fully-qualified domain name of the Kojihub server.
 
</pre>
 
 
 
'''Generate the kojiweb server certificate'''
 
 
 
<pre>
 
Do the same as for the kojira user, but with e.g. user="kojiweb".
 
Set the common name to the fully-qualified domain name of the Kojiweb server.
 
</pre>
 
 
 
'''Generate the kojid certificate'''
 
 
 
<pre>
 
Do the same as for kojira user, but "user" (i.e. the CN of the certificate) should be the fully-qualified
 
domain name of the machine where the builder will be running, for example: kojibuilder1.example.com
 
</pre>
 
 
 
'''Generate other client certificates'''
 
 
 
<pre>
 
Do the same as for the kojira user, but with e.g. user=<name of user>.  These certificates will be used to
 
authenticate to the Koji Hub.  The user will be identified in the Koji UI by the CN of their certificate.
 
 
</pre>
 
</pre>
  
 
''' Generate a PKCS12 user certificate (for web browser)'''
 
''' Generate a PKCS12 user certificate (for web browser)'''
This is only required for user certificates,
+
This is only required for user certificates.
not for kojira, kojid, or the other service certificates created above.
 
 
<pre>
 
<pre>
 
openssl pkcs12 -export -inkey certs/${user}.key -in certs/${user}.crt -CAfile ${caname}_ca_cert.crt \
 
openssl pkcs12 -export -inkey certs/${user}.key -in certs/${user}.crt -CAfile ${caname}_ca_cert.crt \
Line 260: Line 238:
 
</pre>
 
</pre>
  
 +
When generating certs for a user, the user will need the ${user}.pem, the ${caname}_ca_cert.crt, and the ${user}_browser_cert.p12 files.  The ${user}.pem file would normally be installed as ~/.fedora.cert, the ${caname}_ca_cert.crt file would be installed as both ~/.fedora-upload-ca.cert and ~/.fedora-server-ca.cert, and the user would import the ${user}_brower_cert.p12 into their web browser as a personal certificate.
  
'''Setting up Kerberos for authentication:'''
 
 
----
 
==== Oh yeah, add some kerberos magic here! ====
 
----
 
  
  
Right now kojiweb only supports Kerberos or SSL authentication to the hub.  However, Koji Web is fully functional in read-only mode (without logging in), and all operations exposed via the web UI are also available via the cli.  Just comment out everything in /etc/httpd/conf.d/kojiweb.conf related to authentication, and don't click the login link. ;-)
+
=== Setting up Kerberos for authentication ===
 +
Oops, nothing here yet.
  
  
Line 326: Line 301:
 
''Add the needed SSL options for apache.''
 
''Add the needed SSL options for apache.''
 
<pre>
 
<pre>
SSLCertificateFile /path/to/kojihub.crt
+
SSLCertificateFile /etc/pki/koji/certs/kojihub.crt
SSLCertificateKeyFile /path/to/kojihub.key
+
SSLCertificateKeyFile /etc/pki/koji/certs/kojihub.key
SSLCertificateChainFile /path/to/koji_ca_cert.crt
+
SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt
SSLCACertificateFile /path/to/koji_ca_cert.crt
+
SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt
 
SSLVerifyClient require
 
SSLVerifyClient require
 
SSLVerifyDepth  10
 
SSLVerifyDepth  10
Line 341: Line 316:
 
</pre>
 
</pre>
  
 +
==== Koji filesystem skeleton ====
 +
 +
Above in the kojihub.conf file we set KojiDir to /mnt/koji.  For certain reasons, if you change this, you should make a symlink from /mnt/koji to the new location (note: this is a bug and should be fixed eventually).  However, before other parts of koji will operate properly, we need to create a skeleton filesystem structure for koji as well as make the file area owned by apache so that the xmlrpc interface can write to it as needed.
 +
 +
<pre>
 +
cd /mnt
 +
mkdir koji
 +
cd koji
 +
mkdir {packages,repos,work}
 +
chown apache.apache *
 +
</pre>
 +
 +
At this point, you can now restart the web server and you should have at least minimal operation.  The admin user should be able to connect via the command line client, add new users, etc.  It's possible at this time to undertake initial administrative steps such as adding users and hosts to the koji database.  For example, the kojira component needs repo privileges, but if you just let the account get auto created the first time you run kojira, it won't have that privilege, so you could pre-create the account and grant it the repo privilege now.
 +
 +
<pre>
 +
kojiadmin@localhost$ koji add-user kojira
 +
kojiadmin@localhost$ koji grant-permission repo kojira
 +
</pre>
 +
 +
For similar technical reasons, you need to add-host each build host prior to starting kojid on that host the first time and could also do that now.
 +
 +
<pre>
 +
kojiadmin@localhost$ koji add-host kojibuilder1 x86_64 i386
 +
kojiadmin@localhost$ koji add-host kojibuilder2 ppc ppc64
 +
kojiadmin@localhost$ koji add-host kojibuilder3 ia64
 +
</pre>
  
 
== Koji Web - Interface for the Masses ==
 
== Koji Web - Interface for the Masses ==
Line 364: Line 365:
  
  
PythonOption WebCert /etc/kojiweb/kojiweb.pem
+
PythonOption WebCert /etc/pki/koji/kojiweb.pem
PythonOption ClientCA /etc/kojiweb/clientca.crt
+
PythonOption ClientCA /etc/pki/koji/koji_ca_cert.crt
PythonOption KojiHubCA /etc/kojiweb/kojihubca.crt
+
PythonOption KojiHubCA /etc/pki/koji/koji_ca_cert.crt
  
 
PythonOption LoginTimeout 72
 
PythonOption LoginTimeout 72
Line 406: Line 407:
 
</pre>
 
</pre>
  
 +
==== Web interface now operational ====
 +
 +
At this point you should be able to point your web browser at the kojiweb URL and be presented with the koji interface.  Many operations should work in read only mode at this point, and any configured users should be able to log in.
  
 
== Koji Daemon - Builder ==
 
== Koji Daemon - Builder ==
Line 445: Line 449:
  
 
;certificate of the CA that issued the client certificate
 
;certificate of the CA that issued the client certificate
ca = /etc/kojid/clientca.crt
+
ca = /etc/kojid/koji_ca_cert.crt
  
 
;certificate of the CA that issued the HTTP server certificate
 
;certificate of the CA that issued the HTTP server certificate
serverca = /etc/kojid/serverca.crt
+
serverca = /etc/kojid/koji_ca_cert.crt
 
</pre>
 
</pre>
  
Line 462: Line 466:
 
==== Add the host to the createrepo channel ====
 
==== Add the host to the createrepo channel ====
 
Channels are a way to control which builders process which tasks.  By default
 
Channels are a way to control which builders process which tasks.  By default
hosts are added to the ''default'' channel.  This host also needs to be added
+
hosts are added to the ''default'' channel.  At least some build hosts also needs to be added
to the ''createrepo'' channel so it will process repo creation tasks.
+
to the ''createrepo'' channel so there will be someone to process repo creation tasks initiated by kojira.
  
 
<pre>
 
<pre>
Line 502: Line 506:
 
;client certificate
 
;client certificate
 
; This should reference the kojira certificate we created above
 
; This should reference the kojira certificate we created above
cert = /etc/kojira/kojira.pem
+
cert = /etc/pki/koji/kojira.pem
  
 
;certificate of the CA that issued the client certificate
 
;certificate of the CA that issued the client certificate
ca = /etc/kojid/clientca.crt
+
ca = /etc/pki/koji/koji_ca_cert.crt
  
 
;certificate of the CA that issued the HTTP server certificate
 
;certificate of the CA that issued the HTTP server certificate
serverca = /etc/kojid/serverca.crt
+
serverca = /etc/pki/koji/koji_ca_cert.crt
 
</pre>
 
</pre>
  

Revision as of 00:50, 17 July 2008

Setting Up a Koji Build System

The Koji components may live on separate resources as long as all resources are able to communicate. This document will cover how to setup each service individually, however, all services may live on the same resource.

[[TableOfContents()]

PreReqs of Knowledge

  • Basic understanding of SSL and authentication via certificates and/or Kerberos credentials
  • Basic knowledge about creating a database in PostgreSQL and importing a schema
  • Working with psql
  • Basic knowledge about Apache configuration
  • Basic knowledge about yum/createrepo/mock - else you'll not be able to debug problems!
  • Basic knowledge about using command line
  • Basic knowledge about RPM building

PreReqs of Packages

On the server (koji-hub/koji-web)

  • httpd
  • mod_ssl
  • postgresql-server

On the builder (koji-builder)

  • mock
  • setarch (for some archs you'll require a patched version)
  • rpm-build
  • createrepo

Koji Authentication Selection

Koji primarily supports Kerberos and SSL Certificate authentication. For basic koji command line access, plain user/pass combinations are possible. However, kojiweb does not support plain user/pass authentication. Furthermore, once either Kerberos or SSL Certificate authentication is enabled so that kojiweb will work, the plain user/pass method will stop working entirely. As such plain user/pass authentication is a stop gap measure at best unless you intend to never setup a fully functional kojiweb instance. We encourage skipping the plain user/pass method altogether and properly configuring either Kerberos or SSL Certification authentication from the start. Deciding on how to authenticate users colors all the other actions you take in setting up koji so it's a decision best made up front.

For Kerberos authentication, a working Kerberos environment (the user is assumed to either already have this or know how to set it up themselves, instructions for it are not included here) and the Kerberos credentials of the initial admin user will be necessary to bootstrap the user database.

For SSL authentication, SSL certificates for the xmlrpc server, for the various koji components, and one for the admin user will need to be setup (the user need not know how to create certificate chains already, we include the instructions for this below).

PostgreSQL Server

The PostgreSQL server must be installed and the database primed.

Configuration Files:

  • /var/lib/pgsql/data/pg_hba.conf
  • /var/lib/pgsql/data/postgresql.conf

Install PostgreSQL:

root@localhost$ yum install postgresql-server

Setup User Accounts:

root@localhost$ useradd koji
root@localhost$ passwd -d koji

Setup PostgreSQL and populate schema:

root@localhost$ su - postgres
postgres@localhost$ createuser koji
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
postgres@localhost$ createdb -O koji koji
postgres@localhost$ logout
root@localhost$ su - koji
koji@localhost$ psql koji koji < /usr/share/doc/koji*/docs/schema.sql
koji@localhost$ exit

Authorize Koji-web and Koji-hub resources: In this example, Koji-web and Koji-hub are running on localhost.

/var/lib/pgsql/data/pg_hba.conf: These settings need to be valid and inline with other services configurations. Please note, the first matching auth line is used so this line must be above any other potential matches. Add:

host    koji        koji        127.0.0.1/32          trust

Make auth changes live:

root@localhost$ su - postgres
postgres@localhost$ pg_ctl reload
postgres@localhost$ exit

Bootstrapping the initial koji admin user into the PostgreSQL database: The initial admin user must be manually added to the user database using sql commands. Once they are added and given admin privilege, they may add additional users and change privileges of those users via the koji command line tool's administrative commands. However, if you choose to use the simple user/pass method of authentication, then any password setting/changing must be done manually via sql commands as there is no password manipulation support exposed through the koji tools.

Add needed information to the koji database (user/pass authentication):

koji@localhost$ psql
koji=> insert into users (name, password, status, usertype) values ('admin-user-name', 'admin-password-in-plain-text', 0, 0);
koji=> insert into user_perms (user_id, perm_id) values (<id of user inserted above>, 1);

Note: you can get the ID of the new user by running the query:

koji=> select * from users;

The process is very similar for Kerberos authentication except you would replace the first insert above with this:

koji=> insert into users (name, krb_principal, status, usertype) values ('admin-user-name', 'admin@EXAMPLE.COM', 0, 0);

For SSL Certificate authentication, there is no need for either a password or a Kerberos principal, so this will suffice:

koji=> insert into users (name, status, usertype) values ('admin-user-name', 0, 0);

You can't actually log in and perform any actions until kojihub is up and running in your web server. In order to get to that point you still need to complete the authentication setup and the kojihub configuration. If you wish to access koji via a web browser, you will also need to get kojiweb up and running.


Setting up SSL Certificates for authentication

Certificate generation

  • Copy-and-paste the ssl.cnf listed here, save it in /etc/pki/koji/ssl.cnf, and then *edit* it! (0.organizationName_default should be modified at a minimum)

ssl.cnf

HOME                    = .
RANDFILE                = .rand

[ca] 
default_ca              = ca_default

[ca_default] 
dir                     = .
certs                   = $dir/certs
crl_dir                 = $dir/crl
database                = $dir/index.txt
new_certs_dir           = $dir/newcerts
certificate             = $dir/%s_ca_cert.pem
private_key             = $dir/private/%s_ca_key.pem
serial                  = $dir/serial
crl                     = $dir/crl.pem
x509_extensions         = usr_cert
name_opt                = ca_default
cert_opt                = ca_default
default_days            = 3650
default_crl_days        = 30
default_md              = md5
preserve                = no
policy                  = policy_match

[policy_match] 
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional

[req] 
default_bits            = 1024
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca # The extentions to add to the self signed cert
string_mask             = MASK:0x2002

[req_distinguished_name] 
countryName                     = Country Name (2 letter code)
countryName_default             = AT
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Vienna
localityName                    = Locality Name (eg, city)
localityName_default            = Vienna
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = My company
organizationalUnitName          = Organizational Unit Name (eg, section)
commonName                      = Common Name (eg, your name or your server\'s hostname)
commonName_max                  = 64
emailAddress                    = Email Address
emailAddress_max                = 64

[req_attributes] 
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20
unstructuredName                = An optional company name

[usr_cert] 
basicConstraints                = CA:FALSE
nsComment                       = "OpenSSL Generated Certificate"
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid,issuer:always

[v3_ca] 
subjectKeyIdentifier            = hash
authorityKeyIdentifier          = keyid:always,issuer:always
basicConstraints                = CA:true

Generate CA The CA is the Certificate Authority. It's the key/cert pair used to sign all the other certificate requests. When configuring the various koji components, both the client CA and the server CA will be the CA generated here.

cd /etc/pki/koji/
mkdir {certs,private}
touch index.txt
echo 01 > serial
caname=koji
openssl genrsa -out private/${caname}_ca_cert.key 2048
openssl req -config ssl.cnf -new -x509 -days 3650 -key private/${caname}_ca_cert.key \
-out ${caname}_ca_cert.crt -extensions v3_ca

The last command above will ask you to confirm a number of items about the certificate you are generating. Presumably you already edited sane defaults for the country, state/province, locale, and organization into the ssl.cnf file and you only needed to hit enter. It's the organizational unit and the common name that we will be changing in the various certs we create. For the CA itself, these fields don't have a hard requirement.

Generate the koji component certificates and the admin certificate

Each koji component needs its own certificate to identify it. Two of the certificates (kojihub and kojiweb) are used as server side certificates that authenticate the server to the client. For this reason, you want the common name on both of those certs to be the fully qualified domain name of the web server they are running on so that clients don't complain about the common name and the server not being the same. For the other certificates (kojira, kojid, the initial admin account, and all user certificates), the cert is used to authenticate the client to the server and the common name in the cert is the login name. Therefore the common name must be same as the user name in the koji database. Note: when using koji add-host to add a build machine into the koji database, it creates a user account for that host even though the user account doesn't appear in the user list. The user account created during an add-host operation must match the common name of the certificate used by the kojid program on that host. Note2: when creating the kojiweb certificate, you'll want to remember exactly what values you enter for each field as you'll have to regurgitate those into the /etc/httpd/conf.d/kojihub.conf file as the ProxyDNs entry.

for user in kojira kojiweb kojihub kojibuilder{1..5} admin-account; do
openssl genrsa -out certs/${user}.key 2048
openssl req -config ssl.cnf -new -nodes -out certs/${user}.csr -key certs/${user}.key
openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt \
-out certs/${user}.crt -outdir certs -infiles certs/${user}.csr
cat certs/${user}.crt certs/${user}.key > ${user}.pem
done

Generate a PKCS12 user certificate (for web browser) This is only required for user certificates.

openssl pkcs12 -export -inkey certs/${user}.key -in certs/${user}.crt -CAfile ${caname}_ca_cert.crt \
-out certs/${user}_browser_cert.p12

When generating certs for a user, the user will need the ${user}.pem, the ${caname}_ca_cert.crt, and the ${user}_browser_cert.p12 files. The ${user}.pem file would normally be installed as ~/.fedora.cert, the ${caname}_ca_cert.crt file would be installed as both ~/.fedora-upload-ca.cert and ~/.fedora-server-ca.cert, and the user would import the ${user}_brower_cert.p12 into their web browser as a personal certificate.


Setting up Kerberos for authentication

Oops, nothing here yet.


Koji Hub

Koji-hub is the center of all Koji operations. It is an XML-RPC server running under mod_python in Apache. koji-hub is passive in that it only receives XML-RPC calls and relies upon the build daemons and other components to initiate communication. Koji-hub is the only component that has direct access to the database and is one of the two components that have write access to the file system.

Configuration Files:

  • /etc/httpd/conf.d/kojihub.conf
  • /etc/httpd/conf.d/ssl.conf (when using ssl auth)

Install koji-hub:

root@localhost$ yum install koji-hub httpd mod_ssl mod_python

Required Configuration

/etc/httpd/conf.d/kojihub.conf: These settings need to be valid and inline with other services configurations.

PythonOption DBName koji
PythonOption DBUser koji
PythonOption DBHost db.example.com
PythonOption KojiDir /mnt/koji
PythonOption LoginCreatesUser On
PythonOption KojiWebURL http://kojiweb.example.com/koji

Optional Configuration

/etc/httpd/conf.d/kojihub.conf: If using Kerberos, these settings need to be valid and inline with other services configurations.

PythonOption AuthPrincipal kojihub@EXAMPLE.COM
PythonOption AuthKeytab /etc/koji.keytab
PythonOption ProxyPrincipals kojihub@EXAMPLE.COM
PythonOption HostPrincipalFormat compile/%s@EXAMPLE.COM

/etc/httpd/conf.d/kojihub.conf: If using SSL auth, these settings need to be valid and inline with other services configurations. ProxyDNs should be set to the DN of the kojiweb certificate.

PythonOption DNUsernameComponent CN
PythonOption ProxyDNs "/C=US/ST=Massachusetts/O=Example Org/OU=Example User/CN=example/emailAddress=example@example.com"
<Location /kojihub>
SSLOptions +StdEnvVars
</Location>

/etc/httpd/conf.d/ssl.conf: Add the needed SSL options for apache.

SSLCertificateFile /etc/pki/koji/certs/kojihub.crt
SSLCertificateKeyFile /etc/pki/koji/certs/kojihub.key
SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt
SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt
SSLVerifyClient require
SSLVerifyDepth  10

SELinux Configuration

If running in Enforcing mode, you will need to allow apache to connect to the postgreSQL server.

root@localhost$ setsebool -P httpd_can_network_connect_db 1

Koji filesystem skeleton

Above in the kojihub.conf file we set KojiDir to /mnt/koji. For certain reasons, if you change this, you should make a symlink from /mnt/koji to the new location (note: this is a bug and should be fixed eventually). However, before other parts of koji will operate properly, we need to create a skeleton filesystem structure for koji as well as make the file area owned by apache so that the xmlrpc interface can write to it as needed.

cd /mnt
mkdir koji
cd koji
mkdir {packages,repos,work}
chown apache.apache *

At this point, you can now restart the web server and you should have at least minimal operation. The admin user should be able to connect via the command line client, add new users, etc. It's possible at this time to undertake initial administrative steps such as adding users and hosts to the koji database. For example, the kojira component needs repo privileges, but if you just let the account get auto created the first time you run kojira, it won't have that privilege, so you could pre-create the account and grant it the repo privilege now.

kojiadmin@localhost$ koji add-user kojira
kojiadmin@localhost$ koji grant-permission repo kojira

For similar technical reasons, you need to add-host each build host prior to starting kojid on that host the first time and could also do that now.

kojiadmin@localhost$ koji add-host kojibuilder1 x86_64 i386
kojiadmin@localhost$ koji add-host kojibuilder2 ppc ppc64
kojiadmin@localhost$ koji add-host kojibuilder3 ia64

Koji Web - Interface for the Masses

Koji-web is a set of scripts that run in mod_python and use the Cheetah templating engine to provide an web interface to Koji. koji-web exposes a lot of information and also provides a means for certain operations, such as cancelling builds.

Configuration Files:

  • /etc/httpd/conf.d/kojiweb.conf
  • /etc/httpd/conf.d/ssl.conf

Install Koji-Web:

root@localhost$ yum install koji-web httpd mod_python mod_ssl

Required Configuration

/etc/httpd/conf.d/kojiweb.conf:

PythonOption KojiHubURL http://hub.example.com/kojihub
PythonOption KojiWebURL http://www.example.com/koji
PythonOption KojiPackagesURL http://server.example.com/mnt/koji/packages


PythonOption WebCert /etc/pki/koji/kojiweb.pem
PythonOption ClientCA /etc/pki/koji/koji_ca_cert.crt
PythonOption KojiHubCA /etc/pki/koji/koji_ca_cert.crt

PythonOption LoginTimeout 72
PythonOption Secret CHANGE_ME

Optional Configuration

/etc/httpd/conf.d/kojiweb.conf: If using Kerberos, these settings need to be valid and inline with other services configurations.

<Location /koji/login>
AuthType Kerberos
AuthName "Koji Web UI"
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbServiceName HTTP
KrbAuthRealm EXAMPLE.COM
Krb5Keytab /etc/httpd.keytab
KrbSaveCredentials off
Require valid-user
ErrorDocument 401 /koji-static/errors/unauthorized.html
</Location>

/etc/httpd/conf.d/kojiweb.conf: If using SSL auth, these settings need to be valid and inline with other services configurations.

<Location /koji/login>
SSLOptions +StdEnvVars
</Location>

/etc/httpd/conf.d/ssl.conf: Add the needed SSL options for apache.

SSLVerifyClient require
SSLVerifyDepth  10

Web interface now operational

At this point you should be able to point your web browser at the kojiweb URL and be presented with the koji interface. Many operations should work in read only mode at this point, and any configured users should be able to log in.

Koji Daemon - Builder

Kojid is the build daemon that runs on each of the build machines. Its primary responsibility is polling for incoming build requests and handling them accordingly. Koji also has support for tasks other than building. Creating install images is one example. kojid is responsible for handling these tasks as well. kojid uses mock for building. It also creates a fresh buildroot for every build. kojid is written in Python and communicates with koji-hub via XML-RPC.

Configuration Files:

  • /etc/kojid/kojid.conf - Koji Daemon Configuration
  • /etc/sysconfig/kojid - Koji Daemon Switches

Install kojid:

root@localhost$ yum install koji-builder

Required Configuration

/etc/kojid/kojid.conf: This needs to point at your koji-hub.

; The URL for the xmlrpc server
server=http://hub.example.com/kojihub

; the username has to be the same as what you used with add-host
; in this example follow as below
user = kojibuilder1.example.com

Optional Configuration

/etc/kojid/kojid.conf: If using SSL, these settings need to be valid.

;client certificate
; This should reference the builder certificate we created above, for
; kojibuilder1.example.com
cert = /etc/kojid/kojid.pem

;certificate of the CA that issued the client certificate
ca = /etc/kojid/koji_ca_cert.crt

;certificate of the CA that issued the HTTP server certificate
serverca = /etc/kojid/koji_ca_cert.crt


Add the host entry for the koji builder to the database

Make sure you do this before you start kojid for the first time, or you'll need to manually remove entries from the sessions and users table before it can be run successfully.

kojiadmin@localhost$ koji add-host kojibuilder1.example.com i386 x86_64

Add the host to the createrepo channel

Channels are a way to control which builders process which tasks. By default hosts are added to the default channel. At least some build hosts also needs to be added to the createrepo channel so there will be someone to process repo creation tasks initiated by kojira.

kojiadmin@localhost$ koji add-host-to-channel kojibuilder1.example.com createrepo

Start Kojid

root@localhost$ /sbin/service kojid start

Check /var/log/kojid.log to verify that kojid has started successfully.

Kojira - Yum repository creation and maintenance

Configuration Files:

  • /etc/kojira/kojira.conf - Kojira Daemon Configuration
  • /etc/sysconfig/kojira - Kojira Daemon Switches

Install kojira

root@localhost$ yum install koji-utils

Required Configuration

/etc/kojira/kojira.conf: This needs to point at your koji-hub.

; The URL for the xmlrpc server
server=http://hub.example.com/kojihub

Optional Configuration

/etc/kojira/kojira.conf: If using SSL, these settings need to be valid.

;client certificate
; This should reference the kojira certificate we created above
cert = /etc/pki/koji/kojira.pem

;certificate of the CA that issued the client certificate
ca = /etc/pki/koji/koji_ca_cert.crt

;certificate of the CA that issued the HTTP server certificate
serverca = /etc/pki/koji/koji_ca_cert.crt

/etc/sysconfig/kojira: The local user kojira runs as needs to be able to read and write to /mnt/koji/repos/. If the volume that directory resides on is root-squashed or otherwise unmodifiable by root, you can set RUNAS= to a user that has the required privileges.

Add the user entry for the kojira user

Create the kojira user, and grant it the repo permission.

kojiadmin@localhost$ koji add-user kojira
kojiadmin@localhost$ koji grant-permission repo kojira

Start Kojira

root@localhost$ /sbin/service kojira start

Check /var/log/kojira/kojira.log to verify that kojira has started successfully.

Bootstrapping the Koji build environment

For instructions on importing packages and preparing Koji to run builds, see ServerBootstrap .

Minutia and Miscellany

Please see KojiMisc for additional details and notes about operating a koji server.