initial import

This commit is contained in:
Christian Kellner 2020-08-25 19:55:39 +02:00
commit aefe1218b5
19 changed files with 467 additions and 0 deletions


@ -0,0 +1,18 @@
FROM docker.io/library/fedora:latest
RUN dnf -y upgrade \
&& dnf -y \
--setopt=fastestmirror=True \
--setopt=install_weak_deps=False \
install \
koji-builder \
koji-utils \
postgresql \
python3-koji \
&& dnf clean all
COPY container/builder/kojid.conf /etc/kojid/kojid.conf
COPY plugins/builder/osbuild.py /usr/lib/koji-builder-plugins/
COPY container/builder/run-kojid.sh /app/run-kojid.sh
ENTRYPOINT /app/run-kojid.sh
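Review bot: `ENTRYPOINT /app/run-kojid.sh` on the last line is shell form, so the script runs as a child of `/bin/sh -c`, is not PID 1 and never sees the SIGTERM that `docker stop` sends; the same applies to `ENTRYPOINT /app/run-hub.sh` in container/hub/Dockerfile. Use exec form in both, `ENTRYPOINT ["/app/run-kojid.sh"]`. `FROM docker.io/library/fedora:latest` combined with `dnf -y upgrade` and an unpinned package list means two builds of this file can produce different images; pin the base to a release tag or digest and let the base image bump carry the updates rather than upgrading at build time. The image also ends as root with no `USER`; if kojid genuinely needs root for mock builds, a one-line comment saying so would save the next reviewer the question.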


@ -0,0 +1,13 @@
[kojid]
server=http://localhost/kojihub
user = b1.localhost
topurl=http://localhost/kojifiles
workdir=/tmp/koji
topdir=/mnt/koji
cert = /share/ssl/kojid/client.pem
ca = /share/ssl/kojid/serverca.crt
serverca = /share/ssl/kojid/serverca.crt
plugins = osbuild
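Review bot: `user = b1.localhost` does not match the builder host that container/builder/run-kojid.sh registers with `add-host kojid`, and the client certificate configured at `/share/ssl/kojid/client.pem` presumably carries `CN=kojid` when produced by container/ssl-user.sh. If the hub identifies the builder by the certificate CN this setting is simply dead, otherwise kojid would try to log in as a host that was never added — confirm which path is used and align the name, `user = kojid`. `server=http://localhost/kojihub` is plain http while `cert`/`ca`/`serverca` are configured; the `SSLVerifyClient require` block that run-hub.sh appends only takes effect on the TLS vhost, so confirm kojid actually reaches `/kojihub/ssllogin` over https rather than failing the client-cert login.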

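--- a/container/builder/run-kojid.sh
+++ b/container/builder/run-kojid.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+set -eux
+koji --server=http://localhost/kojihub \
+--user=kojiadmin \
+--password=kojipass \
+--authtype=password \
+add-host kojid i386 x86_64 || true
+koji --server=http://localhost/kojihub \
+--user=kojiadmin \
+--password=kojipass \
+--authtype=password \
+add-host-to-channel kojid image || true
+/usr/sbin/kojid -d -v -f --force-lock || cat /var/log/kojid.log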
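Review bot: `set -eux` on the second line traces every command, so the `--password=kojipass` argument of both `koji` invocations is written to the container log on each start (and is visible in the process list while the call runs); drop `-x`, or move the credential into a koji config file the CLI reads instead of passing it on the command line. The last line masks failures: when `kojid` exits non-zero, `|| cat /var/log/kojid.log` succeeds, so the script and therefore the container exit 0 and the orchestrator sees a clean stop. Use `/usr/sbin/kojid -d -v -f --force-lock || { cat /var/log/kojid.log; exit 1; }`. The `|| true` on both `add-host` calls also swallows authentication and connection errors, not only the expected "host already exists" case; checking with `koji list-hosts` first, or at least echoing the failure, keeps the log honest.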

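--- a/container/env
+++ b/container/env
@@ -0,0 +1,4 @@
+POSTGRES_USER=koji
+POSTGRES_PASSWORD=kojipass
+POSTGRES_DB=koji
+POSTGRES_HOST=localhost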

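--- a/container/hub/Dockerfile
+++ b/container/hub/Dockerfile
@@ -0,0 +1,7 @@
+FROM quay.io/osbuild/koji:latest
+COPY container/hub/hub.conf /etc/koji-hub/hub.conf
+COPY plugins/hub/osbuild.py /usr/lib/koji-hub-plugins/
+COPY container/hub/run-hub.sh /app/run-hub.sh
+ENTRYPOINT /app/run-hub.sh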

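--- a/container/hub/hub.conf
+++ b/container/hub/hub.conf
@@ -0,0 +1,35 @@
+[hub]
+## DB
+DBName = koji
+DBUser = koji
+DBHost = localhost
+#DBPort = 5432
+DBPass = kojipass
+## FS
+KojiDir = /mnt/koji
+## Logging
+KojiDebug = On
+KojiTraceback = extended
+## Kerberos
+AuthPrincipal = host/kojihub@LOCAL
+AuthKeytab = /share/koji.keytab
+## SSL client certificate auth configuration ##
+DNUsernameComponent = CN
+ProxyDNs = CN=koji,OU=kojiweb,O=RH,L=BE,ST=BE,C=DE
+#ProxyDNs = /C=DE/ST=BE/L=BE/O=RH/CN=kojiweb
+## end SSL client certificate auth configuration
+## Other options ##
+LoginCreatesUser = Off
+KojiWebURL = http://localhost/koji
+EmailDomain = kojihub.local
+NotifyOnSuccess = False
+## Plugins
+PluginPath = /usr/lib/koji-hub-plugins
+Plugins = osbuild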
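Review bot: `ProxyDNs = CN=koji,OU=kojiweb,O=RH,L=BE,ST=BE,C=DE` is the one setting in this file that lets a certificate holder log in as any user, and it does not appear to match any certificate this commit produces: container/ssl-ca.sh issues the CA as `/C=DE/ST=BE/L=BE/O=RH/CN=koji` with no OU, and container/ssl-user.sh issues user certificates with `CN=${USER}` plus an emailAddress and no OU. If the kojiweb certificate is meant to come from ssl-user.sh, this entry should be that certificate's exact DN as Apache presents it (verify against `SSL_CLIENT_S_DN`), with a comment stating it must name the web frontend's certificate only. `DBUser`/`DBPass`/`DBHost` duplicate the `POSTGRES_*` values in container/env that container/hub/run-hub.sh uses for seeding; if the env file changes, the hub silently keeps the old credentials — a comment naming container/env as the source of truth, or templating these three lines at start in run-hub.sh, would remove the drift. `KojiTraceback = extended` returns full server tracebacks to API clients, acceptable for this dev hub but worth a comment so it does not travel into a shared deployment.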


@ -0,0 +1,31 @@
import koji
from koji.tasks import BaseTaskHandler
class OSBuildImage(BaseTaskHandler):
Methods = ['osbuildImage']
_taskWeight = 2.0
def handler(self, name, version, arches, target, opts):
self.logger.debug("Building image %s, %s, %s, %s",
name, str(arches), str(target), str(opts))
#self.logger.debug("Event id: %s", str(self.event_id))
target_info = self.session.getBuildTarget(target, strict=True)
build_tag = target_info['build_tag']
repo_info = self.getRepo(build_tag)
buildconfig = self.session.getBuildConfig(build_tag)
if repo_info:
self.logger.debug("repo info: %s", str(repo_info))
if buildconfig:
self.logger.debug("build-config: %s", str(buildconfig))
return {
'repositories': [],
'koji_builds': [],
'build': 'skipped',
}
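Review bot: `handler` has no docstring and what it implements is a stub — it resolves the target, build tag, repo and build config, logs them, and returns `'build': 'skipped'` without producing an image; a docstring saying exactly that, and that `version` is accepted but unused, stops a reader from assuming a build happens. Something like `"""Handle an osbuildImage task. Currently only resolves and logs target, build tag, repo and build config, then returns a skipped result; no image is built yet."""`. The `str(...)` wrappers in the `self.logger.debug` calls are redundant — `%s` formatting stringifies lazily, so `self.logger.debug("repo info: %s", repo_info)` is equivalent and skips the work when debug logging is off. The `opts` dict is logged wholesale at debug level; if task options ever carry upload credentials they will land in kojid.log, so the docstring should state what `opts` is expected to contain.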

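--- a/container/hub/run-hub.sh
+++ b/container/hub/run-hub.sh
@@ -0,0 +1,53 @@
+#!/bin/bash
+set -eux
+sed -i -e "s|LogLevel warn|LogLevel debug|" /etc/httpd/conf/httpd.conf
+tee -a /etc/httpd/conf.d/kojihub.conf <<END
+<Location /kojihub/ssllogin>
+SSLVerifyClient require
+SSLVerifyDepth 10
+SSLOptions +StdEnvVars
+</Location>
+END
+sed -i -e "s|^SSLCertificateFile.*|SSLCertificateFile /etc/pki/koji/certs/kojihub.crt|" \
+-e "s|^SSLCertificateKeyFile.*|SSLCertificateKeyFile /etc/pki/koji/private/kojihub.key|" \
+-e "s|^#SSLCertificateChainFile.*|SSLCertificateChainFile /etc/pki/koji/koji_ca_cert.crt|" \
+-e "s|^#SSLCACertificateFile.*|SSLCACertificateFile /etc/pki/koji/koji_ca_cert.crt|" \
+-e "s|^#SSLVerifyDepth.*|SSLVerifyDepth 1|" \
+-e "s|LogLevel warn|LogLevel debug|" \
+-e "s|^#ServerName.*|ServerName localhost|" \
+/etc/httpd/conf.d/ssl.conf
+sed -i -e "s|^#ServerName.*|ServerName localhost|" \
+/etc/httpd/conf/httpd.conf
+# wait for postgres to come on-line
+timeout 10 bash -c "until printf '' 2>/dev/null >/dev/tcp/${POSTGRES_HOST}/5432; do sleep 0.1; done"
+# psql uses PGPASSWORD env variable
+export PGPASSWORD="${POSTGRES_PASSWORD}"
+# create an "alias" for the long psql command
+psql_cmd() {
+psql -h "${POSTGRES_HOST}" -U "${POSTGRES_USER}" -d "${POSTGRES_DB}" "$@"
+}
+# initialize the database if it isn't initialized already
+if ! psql_cmd -c "select * from users" &>/dev/null; then
+psql_cmd -f /usr/share/doc/koji/docs/schema.sql >/dev/null
+psql_cmd -c "insert into users (name, password, status, usertype) values ('kojiadmin', 'kojipass', 0, 0)" >/dev/null
+psql_cmd -c "insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1)" >/dev/null
+psql_cmd -c "insert into users (name, password, status, usertype) values ('osbuild', 'osbuildpass', 0, 0)" >/dev/null
+# create content generator osbuild, give osbuild users access to it
+psql_cmd -c "insert into content_generator (name) values ('osbuild')" >/dev/null
+psql_cmd -c "insert into cg_users (cg_id, user_id, creator_id, active) values (1, 2, 1, true)" >/dev/null
+fi
+mkdir -p /mnt/koji/{packages,repos,work,scratch,repos-dist}
+# run apache
+httpd -DFOREGROUND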
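Review bot: `export PGPASSWORD="${POSTGRES_PASSWORD}"` runs under `set -eux`, so the database password is traced into the container log on every start; wrap it as `set +x; export PGPASSWORD="${POSTGRES_PASSWORD}"; set -x`, or drop `-x`. The last line should be `exec httpd -DFOREGROUND` so httpd replaces the shell, receives `docker stop`'s SIGTERM directly and its exit status becomes the container's; with the shell-form ENTRYPOINT in container/hub/Dockerfile there are otherwise two shells between the runtime and httpd. The seed statements hardcode row ids — `(1, 1, 1)` for user_perms and `(1, 2, 1)` for cg_users — which assumes kojiadmin gets id 1, osbuild id 2, the admin permission id 1 and the new content generator id 1; that only holds if schema.sql seeds nothing into those tables and the inserts always run in this order, so selecting by name, e.g. `(select id from users where name='kojiadmin')`, is safer. `tee -a` appends the `<Location /kojihub/ssllogin>` block unconditionally, so a restarted (not recreated) container accumulates duplicate blocks; guard it with `grep -q ssllogin /etc/httpd/conf.d/kojihub.conf ||`.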

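--- a/container/make-tags.sh
+++ b/container/make-tags.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/sh
+KOJI="koji --server=http://localhost/kojihub --user=kojiadmin --password=kojipass --authtype=password"
+$KOJI add-tag f32
+$KOJI add-tag --parent f32 f32-candidate
+$KOJI add-tag --parent f32 --arches=i686,x86_64 f32-build
+$KOJI add-target f32-candidate f32-build f32-canidate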
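Review bot: The third argument of `add-target` is the destination tag and is spelled `f32-canidate`, which is not the `f32-candidate` tag created two lines above, so the hub should reject the call with an unknown tag; use `$KOJI add-target f32-candidate f32-build f32-candidate` (or drop the third argument — as far as I recall the destination defaults to the target name). Because the script has no `set -e`, that failure, and any authentication failure from the hardcoded `--password=kojipass` (which is also visible in the process list for every call), goes unnoticed and the script exits 0; add `set -eu` after the shebang. The file is also committed as a normal, non-executable file despite its shebang, unlike the other scripts in this commit — confirm whether that is intended.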

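--- a/container/ssl-ca.sh
+++ b/container/ssl-ca.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+set -eux
+HOME=pki/koji
+CONF=ssl.cnf
+# prepare the directories
+mkdir -p ${HOME}/{certs,private,confs}
+touch "$HOME/index.txt"
+echo 01 > "$HOME/serial"
+# private key
+openssl genrsa -out "$HOME/private/koji_ca_cert.key" 2048
+# CA
+openssl req -config $CONF \
+-new -x509 \
+-subj "/C=DE/ST=BE/L=BE/O=RH/CN=koji" \
+-days 3650 \
+-key "${HOME}/private/koji_ca_cert.key" \
+-out "${HOME}/koji_ca_cert.crt" \
+-extensions v3_ca
+#
+openssl genrsa -out "${HOME}/private/kojihub.key" 2048
+openssl req -new -sha256 \
+-config $CONF \
+-key "${HOME}/private/kojihub.key" \
+-out "${HOME}/certs/kojihub.csr" \
+-subj "/C=DE/ST=BE/L=BE/O=RH/CN=localhost"
+openssl x509 -req \
+-sha256 \
+-in "${HOME}/certs/kojihub.csr" \
+-CA "$HOME/koji_ca_cert.crt" \
+-CAkey "$HOME/private/koji_ca_cert.key" \
+-CAcreateserial \
+-out "${HOME}/certs/kojihub.crt"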
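Review bot: The hub certificate is signed with `openssl x509 -req ... -CAcreateserial`, which keeps its own serial counter in a `.srl` file beside the CA certificate, while `echo 01 > "$HOME/serial"` initializes the separate counter that `openssl ca` (used by container/ssl-user.sh) reads; the same CA therefore issues from two independent serial sequences, and the hub certificate can share a serial number with a user certificate, which RFC 5280 forbids and some TLS stacks reject. Sign the hub CSR with `openssl ca -config $CONF -batch ...` as ssl-user.sh does so one database tracks every issued certificate, or at minimum pass `-CAserial "$HOME/serial"`. Because `x509 -req` is used without `-extfile`, the `x509_extensions = usr_cert` section in ssl.cnf is not applied, so kojihub.crt carries no basicConstraints or key identifiers. `HOME=pki/koji` overwrites the caller's `$HOME` for every command in the script; a dedicated variable such as ssl-user.sh's `SSLHOME` avoids that.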

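--- a/container/ssl-user.sh
+++ b/container/ssl-user.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+set -eux
+USER=$1
+PASS="pass"
+CONF=ssl.cnf
+CACERT="koji_ca_cert.crt"
+CAKEY="koji_ca_cert.key"
+SSLHOME=pki/koji
+openssl genrsa -out ${SSLHOME}/private/${USER}.key 2048
+openssl req \
+-config ${CONF} \
+-new -nodes \
+-out ${SSLHOME}/certs/${USER}.csr \
+-key ${SSLHOME}/private/${USER}.key \
+-subj "/C=DE/ST=BE/L=BE/O=RH/CN=${USER}/emailAddress=${USER}@kojihub.local"
+openssl ca \
+-config ${CONF} \
+-batch \
+-keyfile ${SSLHOME}/private/${CAKEY} \
+-cert ${SSLHOME}/${CACERT} \
+-out ${SSLHOME}/certs/${USER}.crt \
+-outdir ${SSLHOME}/certs \
+-infiles ${SSLHOME}/certs/${USER}.csr
+cat ${SSLHOME}/certs/${USER}.crt ${SSLHOME}/private/${USER}.key > ${SSLHOME}/certs/${USER}.pem
+CLIHOME=ssl/${USER}
+rm -rf ${CLIHOME}
+mkdir -p ${CLIHOME}
+cp ${SSLHOME}/certs/${USER}.crt ${CLIHOME}/client.crt
+cp ${SSLHOME}/certs/${USER}.pem ${CLIHOME}/client.pem
+cp ${SSLHOME}/${CACERT} ${CLIHOME}/clientca.crt
+cp ${SSLHOME}/${CACERT} ${CLIHOME}/serverca.crt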
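Review bot: `cat ... > ${SSLHOME}/certs/${USER}.pem` bundles the private key into a file created by shell redirection, so it gets the default-umask mode (typically 0644), and the `cp` to `${CLIHOME}/client.pem` carries that mode over; with a default umask the key material of every koji user is world-readable in both locations. Add `umask 077` right after `set -eux` so everything the script creates is owner-only. `USER=$1` overwrites the caller's `$USER` for every command the script runs — the same pattern as `HOME=pki/koji` in container/ssl-ca.sh — and a name like `KUSER` avoids it; `PASS="pass"` is unused and `-nodes` has no effect because the key is generated separately on the line above. The paths are expanded unquoted throughout (`${SSLHOME}/private/${USER}.key`), so a user name with whitespace or glob characters breaks the script; quote them as ssl-ca.sh does.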

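--- a/container/ssl.cnf
+++ b/container/ssl.cnf
@@ -0,0 +1,75 @@
+HOME = .
+RANDFILE = .rand
+[ca]
+default_ca = ca_default
+[ca_default]
+dir = pki/koji
+certs = $dir/certs
+crl_dir = $dir/crl
+database = $dir/index.txt
+new_certs_dir = $dir/newcerts
+certificate = $dir/%s_ca_cert.pem
+private_key = $dir/private/%s_ca_key.pem
+serial = $dir/serial
+crl = $dir/crl.pem
+x509_extensions = usr_cert
+name_opt = ca_default
+cert_opt = ca_default
+default_days = 3650
+default_crl_days = 30
+default_md = sha256
+preserve = no
+policy = policy_match
+[policy_match]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+[req]
+default_bits = 2048
+default_keyfile = privkey.pem
+default_md = sha256
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+string_mask = MASK:0x2002
+[req_distinguished_name]
+countryName = Country Name (2 letter code)
+countryName_default = DE
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = Berlin
+stateOrProvinceName_default = Berlin
+localityName = Locality Name (eg, city)
+localityName_default = Berlin
+0.organizationName = Berlin
+0.organizationName_default = Red Hat
+organizationalUnitName = Red Hat
+commonName = Common Name (eg, your name or your server\'s hostname)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 64
+[req_attributes]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+unstructuredName = An optional company name
+[usr_cert]
+basicConstraints = CA:FALSE
+nsComment = "OpenSSL Generated Certificate"
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+[v3_ca]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+basicConstraints = CA:true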
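Review bot: `certificate = $dir/%s_ca_cert.pem` and `private_key = $dir/private/%s_ca_key.pem` in `[ca_default]` still carry a `%s` template placeholder and do not name the files container/ssl-ca.sh actually creates (`koji_ca_cert.crt` and `private/koji_ca_cert.key`); this only works because ssl-user.sh overrides both with `-cert`/`-keyfile`, so any `openssl ca` invocation without those flags fails. Set `certificate = $dir/koji_ca_cert.crt` and `private_key = $dir/private/koji_ca_cert.key`. Likewise `new_certs_dir = $dir/newcerts` points at a directory ssl-ca.sh never creates (it makes `certs`, `private`, `confs`) and is only masked by `-outdir`. In `[req_distinguished_name]` the prompt strings for `stateOrProvinceName`, `0.organizationName` and `organizationalUnitName` were copied from `_default` values (`Berlin`, `Berlin`, `Red Hat`) instead of being descriptive prompts; harmless while every caller passes `-subj`, misleading for interactive use. `default_days = 3650` also gives every client certificate a ten-year lifetime — acceptable for a throwaway dev CA, but worth a comment saying so.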