2022-01-26 12:50:43 +01:00
|
|
|
|
= Bodhi Infrastructure Release and Deployment SOP
|
|
|
|
|
|
|
|
|
|
|
|
Bodhi is used by Fedora developers to submit potential package updates
|
|
|
|
|
|
for releases and to manage buildroot overrides. From here, bodhi handles
|
|
|
|
|
|
all of the dirty work, from sending around emails, dealing with Koji, to
|
|
|
|
|
|
composing the repositories.
|
|
|
|
|
|
|
|
|
|
|
|
Bodhi production instance: https://bodhi.fedoraproject.org
|
|
|
|
|
|
|
|
|
|
|
|
Bodhi project page: https://github.com/fedora-infra/bodhi
|
|
|
|
|
|
|
2022-04-04 21:19:30 +02:00
|
|
|
|
See also: xref:bodhi.adoc[Bodhi Infrastructure - Releng SOP]
|
|
|
|
|
|
|
|
|
|
|
|
== Performing a bodhi upgrade
|
|
|
|
|
|
|
2022-01-26 12:50:43 +01:00
|
|
|
|
=== Necessary permissions
|
|
|
|
|
|
|
2022-04-04 21:19:30 +02:00
|
|
|
|
Groups to be member in:
|
2022-01-26 12:50:43 +01:00
|
|
|
|
|
|
|
|
|
|
* https://github.com/orgs/fedora-infra/teams/bodhi
|
|
|
|
|
|
* https://src.fedoraproject.org/group/infra-sig
|
|
|
|
|
|
* https://accounts.fedoraproject.org/group/infra-sig/
|
|
|
|
|
|
* https://accounts.fedoraproject.org/group/packager/
|
|
|
|
|
|
* https://accounts.fedoraproject.org/group/sysadmin/
|
|
|
|
|
|
* https://accounts.fedoraproject.org/group/sysadmin-noc/
|
|
|
|
|
|
* https://accounts.fedoraproject.org/group/sysadmin-bodhi/
|
|
|
|
|
|
|
|
|
|
|
|
In addition you should be named as app-owner in the bodhi os playbook.
|
|
|
|
|
|
|
|
|
|
|
|
=== Have the release in the official Bodhi repository ready
|
|
|
|
|
|
|
|
|
|
|
|
Following steps were taken from
|
|
|
|
|
|
https://github.com/fedora-infra/bodhi/blob/develop/docs/developer/releases.rst[_https://github.com/fedora-infra/bodhi/blob/develop/docs/developer/releases.rst_]
|
|
|
|
|
|
up to the point of building a beta-release.
|
|
|
|
|
|
|
|
|
|
|
|
Changing the specfile manually is tedious and error-prone, it is more
|
|
|
|
|
|
useful to just do several patch releases on staging, before we commit to
|
|
|
|
|
|
one to deploy on production.
|
|
|
|
|
|
|
|
|
|
|
|
==== Releasing a patch-release
|
|
|
|
|
|
|
|
|
|
|
|
Make sure you have all of the code you want to release in the branch. I.e. for 5.7.3 release,
|
|
|
|
|
|
you would be looking at https://github.com/fedora-infra/bodhi/tree/5.7
|
|
|
|
|
|
|
|
|
|
|
|
Easiest way to incorporate additional changes from PRs targetting develop,
|
|
|
|
|
|
is to tag them with `*-backports` tag, i.e. `5.7-backports`. Mergify will automatically create a cherry-picked PR
|
|
|
|
|
|
targetting the release branch.
|
|
|
|
|
|
|
|
|
|
|
|
When you are ready to denote the new patch version:
|
|
|
|
|
|
|
|
|
|
|
|
1. bump __version__ in ./bodhi/__init__.py
|
|
|
|
|
|
2. run the get-authors.py in ./news
|
|
|
|
|
|
3. run towncrier
|
|
|
|
|
|
4. review the docs/user/release_notes.rst
|
|
|
|
|
|
5. commit, push to your branch and make a PR against develop with the corect `*-backports` label
|
|
|
|
|
|
|
|
|
|
|
|
After all of the tests successfully passed in the PRs, and both of them are merged, tag the release:
|
|
|
|
|
|
1. git checkout 5.7
|
|
|
|
|
|
2. git pull origin 5.7
|
|
|
|
|
|
3. git tag 5.7.3
|
|
|
|
|
|
4. git push origin refs/tags/5.7.3
|
|
|
|
|
|
|
|
|
|
|
|
If you push the wrong tag, you can delete it by `git push origin :refs/tags/5.7.3`
|
|
|
|
|
|
|
|
|
|
|
|
Beware, mergify creates the bacport PR only after the pr to develop was merged.
|
|
|
|
|
|
|
|
|
|
|
|
==== Testing deployed Bodhi without making a release
|
|
|
|
|
|
|
|
|
|
|
|
If the Bodhi changes don’t involve any of
|
|
|
|
|
|
|
|
|
|
|
|
* Composer code
|
|
|
|
|
|
* Doesn’t include any upgrades to database with alembic
|
|
|
|
|
|
|
|
|
|
|
|
You can opt to use the hotfix-style container-image that can be found
|
|
|
|
|
|
among the templates:
|
|
|
|
|
|
https://pagure.io/fedora-infra/ansible/blob/main/f/roles/openshift-apps/bodhi/templates/dockerfile-base-hotfix[_https://pagure.io/fedora-infra/ansible/blob/main/f/roles/openshift-apps/bodhi/templates/dockerfile-base-hotfix_]
|
|
|
|
|
|
|
|
|
|
|
|
Change the env-vars in the docker-file-base-hotfix to reflect the commit
|
|
|
|
|
|
to be built. The image definition is not buildable locally, as it needs
|
|
|
|
|
|
the openshift environment to configure koji and kerberos.
|
|
|
|
|
|
|
|
|
|
|
|
Change the buildconfig to point to the new definition:
|
|
|
|
|
|
|
|
|
|
|
|
https://pagure.io/fedora-infra/ansible/blob/main/f/roles/openshift-apps/bodhi/templates/buildconfig.yml#_14[_https://pagure.io/fedora-infra/ansible/blob/main/f/roles/openshift-apps/bodhi/templates/buildconfig.yml#_14_]
|
|
|
|
|
|
|
|
|
|
|
|
Then commit and push the changes, to be able to deploy from batcave
|
|
|
|
|
|
with:
|
|
|
|
|
|
|
|
|
|
|
|
sudo rbac-playbook openshift-apps/bodhi.yml -l staging
|
|
|
|
|
|
|
|
|
|
|
|
Make sure to check os.stg.fedoraproject.org to see if the build completed successfully.
|
|
|
|
|
|
|
|
|
|
|
|
==== Build Bodhi
|
|
|
|
|
|
|
|
|
|
|
|
Bodhi is deployed from the infrastructure Koji repositories. At the time
|
|
|
|
|
|
of this writing, it is deployed from the f34-infra and f34-infra-stg
|
|
|
|
|
|
(for staging) repositories. Bodhi is built for these repositories from
|
|
|
|
|
|
the master branch of thehttps://src.fedoraproject.org/rpms/bodhi[
|
|
|
|
|
|
]https://src.fedoraproject.org/rpms/bodhi[_bodhi dist-git repository_].
|
|
|
|
|
|
|
|
|
|
|
|
You can use fedpkg to download the package:
|
|
|
|
|
|
....
|
|
|
|
|
|
fedpkg clone rpms/bodhi
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
Curently we are interested in f34 builds as all of the bodhi infra runs on f34 servers:
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
fedpkg switch-branch f34
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
Edit the bodhi.spec specfile to have the correct release version.
|
|
|
|
|
|
|
|
|
|
|
|
Download the sources to the SOURCES folder (if it doesn't exist, just mkdir -p /rpmbuild/SOURCES/)
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
wget https://github.com/fedora-infra/bodhi/archive/refs/tags/5.7.3.tar.gz -o /rpmbuild/SOURCES/bodhi-5.7.3.tar.gz
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
As an example, to build a Bodhi for the f34-infra-stg repository, you
|
|
|
|
|
|
can use this command:
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
$ rpmbuild --define "dist .f34.infra" -bs bodhi.spec
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
Wrote: /home/bowlofeggs/rpmbuild/SRPMS/bodhi-5.7.3-0.f34.infra.src.rpm
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
$ koji build f34-infra ~/rpmbuild/SRPMS/bodhi-5.7.3-0.f34.infra.src.rpm
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
When building a Bodhi release that is intended for production, we should
|
|
|
|
|
|
build from the production dist-git repo instead of uploading an SRPM:
|
|
|
|
|
|
|
|
|
|
|
|
$ koji build f34-infra
|
|
|
|
|
|
git+https://src.fedoraproject.org/rpms/bodhi.git#d64f40408876ec85663ec52888c4e44d92614b37
|
|
|
|
|
|
|
|
|
|
|
|
All builds against the f34-infra build target will go into the
|
|
|
|
|
|
f34-infra-stg repository. If you wish to promote a build from staging to
|
|
|
|
|
|
production, you can do something like this command:
|
|
|
|
|
|
|
|
|
|
|
|
$ koji move-build f34-infra-stg f34-infra bodhi-5.7.3-0.f34.infra
|
|
|
|
|
|
|
|
|
|
|
|
=== Staging
|
|
|
|
|
|
|
|
|
|
|
|
The upgrade playbook will apply configuration changes after running the
|
|
|
|
|
|
alembic upgrade. Sometimes you may need changes applied to the Bodhi
|
|
|
|
|
|
systems in order to get the upgrade playbook to succeed. If you are in
|
|
|
|
|
|
this situation, you can apply those changes by running the bodhi-backend
|
|
|
|
|
|
playbook:
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
sudo rbac-playbook -l staging groups/bodhi-backend.yml
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
In
|
|
|
|
|
|
the https://pagure.io/fedora-infra/ansible/blob/main/f/inventory/group_vars/os_masters_stg, edit the bodhi_version setting to the version you wish to
|
|
|
|
|
|
deploy to staging. For example, to deploy version 5.7.3 to
|
|
|
|
|
|
staging, I would set that varible like this:
|
|
|
|
|
|
|
|
|
|
|
|
bodhi_version: ‘5.7.3’
|
|
|
|
|
|
|
|
|
|
|
|
The package itself will then be installed in container build by ‘dnf
|
|
|
|
|
|
install -y bodhi-server-\{\{bodhi_version}}’
|
|
|
|
|
|
|
|
|
|
|
|
Beware, when running the playbooks on the backend vm, it currently
|
|
|
|
|
|
installs the latest bodhi package available in the respective
|
|
|
|
|
|
infra/infra-stg tag.
|
|
|
|
|
|
|
|
|
|
|
|
It can be useful to verify correct version is available on the backend,
|
|
|
|
|
|
i.e. for staging run
|
|
|
|
|
|
|
|
|
|
|
|
....
|
2025-07-04 11:55:02 +02:00
|
|
|
|
ssh bodhi-backend01.stg.rdu3.fedoraproject.org
|
2022-01-26 12:50:43 +01:00
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
dnf list bodhi-server --refresh --all --showduplicates
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
In future we will probably pin these in the VM as well.
|
|
|
|
|
|
|
|
|
|
|
|
Make sure you have the correct docker-image set in the configuration.
|
|
|
|
|
|
in the ansible repo:
|
|
|
|
|
|
....
|
|
|
|
|
|
vim roles/openshift-apps/bodhi/templates/buildconfig.yml
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
After you checked, and have the correct version, commit and create a PR for ansible repo.
|
|
|
|
|
|
|
|
|
|
|
|
After it has been merged, run these commands:
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
# Synchronize the database from production to staging
|
|
|
|
|
|
$ sudo rbac-playbook manual/staging-sync/bodhi.yml -l staging
|
|
|
|
|
|
# Upgrade the Bodhi backend on staging
|
|
|
|
|
|
$ sudo rbac-playbook manual/upgrade/bodhi.yml -l staging
|
|
|
|
|
|
# Upgrade the Bodhi frontend on staging
|
|
|
|
|
|
$ sudo rbac-playbook openshift-apps/bodhi.yml -l staging
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
==== Tests to run
|
|
|
|
|
|
|
|
|
|
|
|
For compose test you can follow
|
|
|
|
|
|
https://github.com/fedora-infra/bodhi/blob/develop/docs/developer/releases.rst#test-the-beta[_https://github.com/fedora-infra/bodhi/blob/develop/docs/developer/releases.rst#test-the-beta_]
|
|
|
|
|
|
|
|
|
|
|
|
For automated health-check, you can run
|
|
|
|
|
|
https://pagure.io/fedora-ci/monitor-gating[_https://pagure.io/fedora-ci/monitor-gating_],
|
|
|
|
|
|
|
|
|
|
|
|
It should be sufficient to check the openshift project
|
|
|
|
|
|
https://os.fedoraproject.org/console/project/monitor-gating[_https://os.fedoraproject.org/console/project/monitor-gating_]
|
|
|
|
|
|
where it is being run every few hours. There is a dashboard available
|
|
|
|
|
|
https://monitor-dashboard-web-monitor-dashboard.app.os.fedoraproject.org/d/6q2qpcvGz/monitor-gating
|
|
|
|
|
|
|
|
|
|
|
|
==== Production
|
|
|
|
|
|
|
|
|
|
|
|
After testing in staging, you should be able to move the rpm from
|
|
|
|
|
|
staging to production:
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
koji move-build f34-infra-stg f34-infra bodhi-5.7.3-0.fc34
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
Even if the rpm version is pinned in your deploy, double check the
|
|
|
|
|
|
availability in the tag
|
|
|
|
|
|
|
|
|
|
|
|
The upgrade playbook will apply configuration changes after running the
|
|
|
|
|
|
alembic upgrade. Sometimes you may need changes applied to the Bodhi
|
|
|
|
|
|
systems in order to get the upgrade playbook to succeed. If you are in
|
|
|
|
|
|
this situation, you can apply those changes by running the bodhi-backend
|
|
|
|
|
|
playbook:
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
sudo rbac-playbook groups/bodhi-backend.yml -l bodhi-backend
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
In
|
|
|
|
|
|
thehttps://pagure.io/fedora-infra/ansible/blob/main/f/inventory/group_vars/os_masters[
|
|
|
|
|
|
]https://pagure.io/fedora-infra/ansible/blob/main/f/inventory/group_vars/os_masters[_os_masters
|
|
|
|
|
|
inventory_], edit the bodhi_version setting to the version you wish to
|
|
|
|
|
|
deploy to production. For example, to deploy bodhi-5.7.3-0.f34.infra to
|
|
|
|
|
|
production, I would set that varible like this:
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
bodhi_version: "5.7.3"
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
To update the bodhi RPMs in production:
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
# Update the backend VMs (this will also run the migrations, if any)
|
|
|
|
|
|
$ sudo rbac-playbook manual/upgrade/bodhi.yml -l bodhi-backend
|
|
|
|
|
|
# Update the frontend
|
|
|
|
|
|
$ sudo rbac-playbook openshift-apps/bodhi.yml
|
|
|
|
|
|
....
|
|
|
|
|
|
|
|
|
|
|
|
All of the playbooks should finish with no failures.
|
|
|
|
|
|
|
|
|
|
|
|
Afterwards, check
|
|
|
|
|
|
https://os.fedoraproject.org/console/project/bodhi/overview[_https://os.fedoraproject.org/console/project/bodhi/overview_]
|
|
|
|
|
|
to see if the image has been built and if it has been properly deployed.
|
|
|
|
|
|
|
|
|
|
|
|
Things to watchout for
|
|
|
|
|
|
|
|
|
|
|
|
* Correct rpm not being available for container build
|
|
|
|
|
|
** This is the reason to check the infra-tag for bodhi
|
|
|
|
|
|
* Failure to start the pod due to backend db mismatch
|
|
|
|
|
|
** Sometimes the alembic upgrade that is supposed to run as part of
|
|
|
|
|
|
playbooks/manual/upgrade/bodhi.yml fails silently
|
|
|
|
|
|
* Some issues resurface only after few days in production, resulting in
|
|
|
|
|
|
visible stack-traces in logs.
|
|
|
|
|
|
|
|
|
|
|
|
=== Syncing the production database to staging
|
|
|
|
|
|
|
|
|
|
|
|
This can be useful for testing issues with production data in staging:
|
|
|
|
|
|
|
|
|
|
|
|
....
|
|
|
|
|
|
$ sudo rbac-playbook manual/staging-sync/bodhi.yml -l staging
|
|
|
|
|
|
....
|
