Yu Ming Zhu 47c4b5d70b kojid: extend SCM.assert_allowed with hub policy
This is a simple extension of `SCM.assert_allowed`

- `assert_allowed_by_policy` will set the default "use_common" to False which is different to the old behavior
- `channel`, `user_id`, `scratch` are passed in the `policy_data` with scminfo right now.

This is a prototype for this change, and there are some other solutions could be implemented too

- Use a scmpolicy plugin as `postSCMCheckout` callback, the pro is that we can do more checks after the source is initialized on builder, meanwhile, the con is that the source will be downloaded even it is denied by policy. It might be a potential risk?
- Do the scm check in hub's `make_task`, this looks straightforward, but may lack some builder's information

fixes: #2757
2021-08-16 17:55:26 +00:00


[kojid]
; Configuration for the koji builder daemon (kojid). Every option lives in
; this single [kojid] section. Lines beginning with ";" are comments; the
; commented-out "key=value" lines document each option's default.
; The number of seconds to sleep between tasks
; sleeptime=15
; The maximum number of jobs that kojid will handle at a time
; maxjobs=10
; Time after a successfully finished task's buildroot is deleted (2 minutes in seconds)
; Some logs and directories are left in place until buildroot_final_cleanup_delay
; buildroot_basic_cleanup_delay=120
; Time after a successfully finished task's buildroot is deleted completely (1 day in seconds)
; buildroot_final_cleanup_delay=86400
; The minimum amount of free space (in MBs) required for each build root
; minspace=8192
; The directory root where work data can be found from the koji hub
; topdir=/mnt/koji
; The directory root for temporary storage
; workdir=/tmp/koji
; The temporary directory in buildroot
; chroot_tmpdir = /chroot_tmpdir
; The directory root for mock
; mockdir=/var/lib/mock
; The user to run as when doing builds
; mockuser=kojibuilder
; The vendor to use in rpm headers
; vendor=Koji
; The packager to use in rpm headers
; packager=Koji
; The distribution to use in rpm headers
; distribution=Koji
; The _host string to use in mock
; mockhost=koji-linux-gnu
; Timeout for build duration (24 hours in seconds)
; rpmbuild_timeout=86400
; Install timeout (seconds) for image build
; Default value is 0, which means using the number in /etc/oz/oz.cfg,
; supported since oz-0.16.0
; oz_install_timeout=7200
; The URL for the xmlrpc server
; (example value; an https URL is recommended for real deployments so hub
; traffic is not sent in clear text)
server=http://hub.example.com/kojihub
; The URL for the file access
; (example value; see the note on server above)
topurl=http://hub.example.com/kojifiles
; use createrepo_c rather than createrepo
; use_createrepo_c=True
; A space-separated list of tuples from which kojid is allowed to checkout.
; The format of those tuples is:
;
; host:repository[:use_common[:source_cmd]]
;
; Incorrectly-formatted tuples will be ignored.
;
; When allowed_scms_use_config is enabled (the default), this list is the
; trust boundary for where build sources may come from: checkouts that do not
; match an entry are denied. Keep entries as narrow as possible; a pattern
; such as /users/* (see the example below) admits every repository path it
; matches - presumably by glob matching, confirm in kojid.
;
; If use_common is not present, kojid will attempt to checkout a common/
; directory from the repository. If use_common is set to no, off, false, or 0,
; it will not attempt to checkout a common/ directory.
;
; source_cmd is a shell command (args separated with commas instead of spaces)
; to run before building the srpm. It is generally used to retrieve source
; files from a remote location. If no source_cmd is specified, "make sources"
; is run by default. Whatever this command fetches becomes build input, so
; only list hosts whose content you are prepared to build from.
allowed_scms=scm.example.com:/cvs/example git.example.org:/example svn.example.org:/users/*:no
; Whether to use the allowed_scms option above for allowing / denying SCM
; checkouts. Default: true
; allowed_scms_use_config = true
; Whether to use the hub policy build_from_scm for allowing / denying SCM
; checkouts. Default: false
; Note that if both options are enabled, both assertions will be applied, and
; use_common and source_cmd will be overridden by the policy's result.
; NOTE(review): the policy path reportedly defaults use_common to false,
; whereas the config path above defaults to checking out common/ - confirm
; in kojid before relying on either default.
; allowed_scms_use_policy = false
; A directory to bind mount into Source RPM creation so that some
; credentials can be supplied when required to fetch sources, e.g.
; when the place the sources are fetched from requires all accesses to
; be authenticated in order to satisfy auditing requirements.
;
; The directory specified here will turn up in the SRPMfromSCM chroot
; as /credentials. It is up to whatever implements "make_source_cmd"
; to make appropriate use of any credentials supplied.
;
; Be aware that this means "make_source_cmd" has access to these
; credentials and could steal them; any credentials supplied
; should be easily disabled, and not used for other purposes.
; Keep the directory readable only by the user kojid runs builds as, and
; rotate the credentials it holds on a schedule.
; scm_credentials_dir = /etc/kojid/scmcredentials
; The mail host to use for sending email notifications
smtphost=example.com
; SMTP user and pass (uncomment and fill in if your smtp server requires authentication)
; The password is stored in clear text: restrict this file's permissions to
; the kojid user and use a dedicated mail account with no other privileges.
;smtp_user=user@example.com
;smtp_pass=CHANGEME
; The From address used when sending email notifications
from_addr=Koji Build System <buildsys@example.com>
;configuration for Kerberos authentication
;the format of the principal used by the build hosts
;%s will be replaced by the FQDN of the host
;NOTE(review): %s is substituted by kojid itself; if this file is parsed with
;configparser interpolation enabled, a bare % in an active value would need to
;be written %% - confirm against how kojid loads its config.
;host_principal_format = compile/%s@EXAMPLE.COM
;location of the keytab
;(a long-lived credential for this builder's identity; keep it readable only
;by the kojid user)
;keytab = /etc/kojid/kojid.keytab
;configuration for SSL authentication
;client certificate (same handling as the keytab: protect the private key)
;cert = /etc/kojid/client.crt
;certificate of the CA that issued the HTTP server certificate
;serverca = /etc/kojid/serverca.crt
;if set to True, failing subtask will not automatically cancel other siblings
;build_arch_can_fail = False
;if set to True, tag extra 'mock.bootstrap_image' can be used
;NOTE(review): the key below is spelled "boostrap" while the tag extra above
;says "bootstrap" - verify the option name kojid reads before enabling it.
;mock_boostrap_image = False
;image build with raw-xz type will use following xz options
;xz_options=-z6T0
;if set to True additional logs with timestamps will get created and uploaded
;to hub. It could be useful for debugging purposes, but creates twice as many
;log files
;log_timestamps = False
;enabled plugins, base koji installation has access to runroot and save_failed_tree
;none of these is enabled by default
;plugin =
;path where builder plugins are located, there could be multiple paths delimited by :
;pluginpath = /usr/lib/koji-builder-plugins
;allow passing noverifyssl option to anaconda for image builds
;(noverifyssl makes the installer skip TLS certificate verification for what
;it downloads; leave this False unless image builds genuinely need it)
;allow_noverifyssl = False