9f15884401
Enables the `image-builder` plugin from `koji-image-builder` in the staging environment for both the koji hub, and the koji builder (kojid). Signed-off-by: Simon de Vlieger <supakeen@redhat.com>
288 lines
13 KiB
Django/Jinja
288 lines
13 KiB
Django/Jinja
[hub]
|
|
|
|
## Basic options ##
|
|
DBName = koji
|
|
DBUser = koji
|
|
{% if env == "staging" %}
|
|
DBHost = db-koji01
|
|
LogLevel = koji._koji_plugin__koji-fedoramessaging:DEBUG
|
|
LogFormat = %(asctime)s [%(levelname)s] m=%(method)s u=%(user_name)s p=%(process)s r=%(remoteaddr)s %(name)s: %(message)s
|
|
DBPass = {{ kojiStgPassword }}
|
|
AuthPrincipal = host/koji{{env_suffix}}.fedoraproject.org
|
|
{% elif koji_instance == "primary" %}
|
|
DBHost = db-koji01
|
|
DBPass = {{ kojiPassword }}
|
|
AuthPrincipal = host/koji{{env_suffix}}.fedoraproject.org
|
|
{% else %}
|
|
DBHost = db-riscv-koji01
|
|
DBPass = {{ riscvkojiPassword }}
|
|
AuthPrincipal = host/riscv-koji{{env_suffix}}.fedoraproject.org
|
|
{% endif %}
|
|
{% if env == "staging" %}
|
|
ProxyPrincipals = HTTP/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG,sigul/sign-bridge01.stg.iad2.fedoraproject.org@STG.FEDORAPROJECT.ORG
|
|
{% elif koji_instance == "primary" %}
|
|
ProxyPrincipals = HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/sign-bridge01.iad2.fedoraproject.org@FEDORAPROJECT.ORG
|
|
{% else %}
|
|
ProxyPrincipals = HTTP/riscv-koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/sign-bridge01.iad2.fedoraproject.org@FEDORAPROJECT.ORG
|
|
{% endif %}
|
|
KojiDir = /mnt/koji
|
|
MemoryWarnThreshold = 10000
|
|
MaxRequestLength = 167772160
|
|
RLIMIT_AS = 10737418240
|
|
CheckClientIP = False
|
|
# Max newrepo tasks at a time
|
|
MaxRepoTasks = 30
|
|
# We want a srpms repo for rawhide and eln only
|
|
SeparateSourceTags = f{{ FedoraRawhideNumber }}-build eln-build
|
|
|
|
# Kerb auth
|
|
{% if env == "staging" %}
|
|
HostPrincipalFormat = compile/%s@STG.FEDORAPROJECT.ORG
|
|
{% elif koji_instance == "primary" %}
|
|
HostPrincipalFormat = compile/%s@FEDORAPROJECT.ORG
|
|
{% else %}
|
|
HostPrincipalFormat = compile-riscv/%s@FEDORAPROJECT.ORG
|
|
{% endif %}
|
|
{% if koji_instance == "primary" %}
|
|
AuthKeytab = /etc/koji-hub/koji-hub.keytab
|
|
{% elif koji_instance == "secondary" %}
|
|
AuthKeytab = /etc/krb5.HTTP_riscv-koji.fedoraproject.org.keytab
|
|
{% else %}
|
|
AuthKeytab = /etc/koji-hub/koji-hub.keytab
|
|
{% endif %}
|
|
|
|
## SSL client certificate auth configuration ##
|
|
#note: ssl auth may also require editing the httpd config (conf.d/kojihub.conf)
|
|
|
|
## the client username is the common name of the subject of their client certificate
|
|
DNUsernameComponent = CN
|
|
## separate multiple DNs with |
|
|
ProxyDNs = emailAddress=buildsys@fedoraproject.org,CN=kojiweb,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US|emailAddress=releng@fedoraproject.org,CN=sign-bridge1,OU=Package Signing,O=Fedora Project,ST=North Carolina,C=US
|
|
|
|
## end SSL client certificate auth configuration
|
|
|
|
|
|
|
|
## Other options ##
|
|
LoginCreatesUser = On
|
|
{% if env == "staging" %}
|
|
KojiWebURL = https://koji.stg.fedoraproject.org/koji
|
|
{% elif koji_instance == "primary" %}
|
|
KojiWebURL = https://koji.fedoraproject.org/koji
|
|
{% else %}
|
|
KojiWebURL = https://riscv-koji.fedoraproject.org/koji
|
|
{% endif %}
|
|
# The domain name that will be appended to Koji usernames
|
|
# when creating email notifications
|
|
EmailDomain = fedoraproject.org
|
|
# Disable sending all notifications from koji, people need to use FMN now
|
|
DisableNotifications = True
|
|
|
|
## If KojiDebug is on, the hub will be /very/ verbose and will report exception
|
|
## details to clients for anticipated errors (i.e. koji's own exceptions --
|
|
## subclasses of koji.GenericError).
|
|
# KojiDebug = On
|
|
|
|
## If MissingPolicyOk is on, and given policy is not set up,
|
|
## policy test will pass as ok. If 'deny' result is desired, set it
|
|
## to off
|
|
# MissingPolicyOk = True
|
|
MissingPolicyOk = False
|
|
|
|
## Determines how much detail about exceptions is reported to the client (via faults)
|
|
## Meaningful values:
|
|
## normal - a basic traceback (format_exception)
|
|
## extended - an extended traceback (format_exc_plus)
|
|
## anything else - no traceback, just the error message
|
|
## The extended traceback is intended for debugging only and should NOT be
|
|
## used in production, since it may contain sensitive information.
|
|
# KojiTraceback = normal
|
|
|
|
## These options are intended for planned outages
|
|
#ServerOffline = True
|
|
#OfflineMessage = 'planned outage see https://www.fedorastatus.org'
|
|
#OfflineMessage = 'koji is being migrated to a new datacenter'
|
|
#OfflineMessage = 'We are in the middle of branching new fedora release'
|
|
#LockOut = True
|
|
|
|
## If ServerOffline is True, the server will always report a ServerOffline fault (with
|
|
## OfflineMessage as the fault string).
|
|
## If LockOut is True, the server will report a ServerOffline fault for all non-admin
|
|
## requests.
|
|
|
|
#Plugins = koji-disable-builds-plugin
|
|
#Plugins = darkserver-plugin
|
|
{% if env == "staging" %}
|
|
Plugins = osbuild koji-fedoramessaging runroot_hub tag2distrepo sidetag_hub save_failed_tree flatpak kiwi image_builder
|
|
{% elif koji_instance == "primary" %}
|
|
Plugins = osbuild koji-fedoramessaging runroot_hub tag2distrepo sidetag_hub save_failed_tree flatpak kiwi
|
|
{% else %}
|
|
Plugins = osbuild koji-fedoramessaging runroot_hub tag2distrepo sidetag_hub save_failed_tree flatpak kiwi
|
|
{% endif %}
|
|
[policy]
|
|
|
|
tag =
|
|
# We don't want to allow any draft builds to be tagged yet
|
|
is_draft :: deny
|
|
user bodhi && tag *-override && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
|
|
has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
|
|
has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
|
|
has_perm secure-boot && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
|
|
# CoreOS continuous builds, https://pagure.io/releng/issue/8165
|
|
operation tag && tag f*-coreos-continuous && has_perm coreos-continuous :: allow
|
|
operation untag && fromtag f*-coreos-continuous && has_perm coreos-continuous :: allow
|
|
# CoreOS coreos-pool and intermediate signing tags as well
|
|
# as the coreos-release tag. https://pagure.io/releng/issue/8294
|
|
operation tag && tag coreos-pool f*-coreos-signing-pending coreos-release && has_perm coreos-continuous :: allow
|
|
operation untag && fromtag coreos-pool f*-coreos-signing-pending coreos-release && has_perm coreos-continuous :: allow
|
|
# eln builds, https://pagure.io/releng/issue/9538
|
|
operation tag && tag eln* && has_perm eln :: allow
|
|
operation untag && fromtag eln* && has_perm eln :: allow
|
|
# deny tagging secureboot packages that are not related to coreos-continuous and eln
|
|
package kernel shim grub2 pesign fwupd fwupd-efi :: deny
|
|
# Allow people to tag stuff into infra-candidate if they're infra
|
|
tag *-infra-candidate && has_perm infra :: allow
|
|
tag *-infra-candidate :: deny
|
|
# Allow people from infra to promote builds from -infra-stg to -infra tags
|
|
tag *-infra && fromtag *-infra-stg && has_perm infra :: allow
|
|
# These two rules makes sure people can't build srpms in infra tags and tag them into distribution tags
|
|
tag *infra* && fromtag *infra* && has_perm infra :: allow
|
|
fromtag *infra* :: deny
|
|
all :: allow
|
|
|
|
channel =
|
|
method osbuildImage :: use osbuild
|
|
method buildContainer :: use container
|
|
method flatpakBuild :: use flatpak
|
|
user bpeck/jenkins-continuous-infra.apps.ci.centos.org :: use ci
|
|
user zuul :: use ci
|
|
has req_channel :: {
|
|
# require customchannel to override build channel
|
|
method build chainbuild !! req
|
|
has_perm customchannel :: req
|
|
}
|
|
|
|
#we want pesign-test-app to always go to the secure-boot channel even for scratch builds
|
|
source */pesign-test-app* && has_perm secure-boot :: use secure-boot
|
|
#make sure all scratch builds go to default channel
|
|
method build && bool scratch :: use default
|
|
|
|
#policys to deal with secure boot allowing only people in the secure-boot group to build the packages
|
|
source */kernel* && has_perm secure-boot :: use secure-boot
|
|
source */shim* && has_perm secure-boot :: use secure-boot
|
|
source */grub2* && has_perm secure-boot :: use secure-boot
|
|
source */pesign* && has_perm secure-boot :: use secure-boot
|
|
source */fwupdate* && has_perm secure-boot :: use secure-boot
|
|
source */fwupd* && has_perm secure-boot :: use secure-boot
|
|
source */fwupd-efi* && has_perm secure-boot :: use secure-boot
|
|
|
|
# set this package to use the 'heavybuilder' channel. Note that this is NOT good for most anything.
|
|
# It just happens to be for this particular package. Please check before adding anything here, you could
|
|
# cause it to end up building a lot slower.
|
|
source */chromium* :: use heavybuilder
|
|
source */webkitgtk* :: use heavybuilder
|
|
source */webkit2gtk4* :: use heavybuilder
|
|
source */firefox* :: use heavybuilder
|
|
|
|
is_child_task :: parent
|
|
all :: use default
|
|
|
|
|
|
build_from_srpm =
|
|
has_perm admin :: allow
|
|
tag *-infra-candidate && has_perm infra :: allow
|
|
all :: deny
|
|
|
|
|
|
# Policy for manipulating package lists for tags.
|
|
package_list =
|
|
# Removing packages is almost always a mistake, so deny it.
|
|
# Admins can still override this with --force, if necessary.
|
|
match action remove :: deny
|
|
# Admins can do pretty much everything.
|
|
has_perm admin :: allow
|
|
# People with pkglist permission can manage package lists in
|
|
# active f$N and epel$N tags.
|
|
has_perm pkglist :: {
|
|
# Rawhide adding, unblocking and blocking is allowed.
|
|
tag f{{FedoraRawhideNumber}} && match action add unblock block :: allow
|
|
# In branched blocking is allowed only before final freeze.
|
|
tag f{{FedoraBranchedNumber}} && match action add unblock {{ 'block' if not NextReleaseFrozen or FedoraBranchedBodhi != 'postbeta' else '' }} :: allow
|
|
# Stable releases: only adding and unblocking is allowed.
|
|
tag f{{FedoraCycleNumber}} f{{FedoraPreviousCycleNumber}} && match action add unblock :: allow
|
|
# EPEL: adding, blocking, and unblocking are allowed
|
|
tag epel8 epel9 epel9-next epel10.0 epel10.1 && match action add unblock block :: allow
|
|
}
|
|
# Infra people can themselves add/block/unblock packages in their
|
|
# tags without bothering admins.
|
|
tag *infra* && has_perm infra && match action add unblock block :: allow
|
|
# CoreOS continuous builds, https://pagure.io/releng/issue/8165
|
|
tag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous && match action add unblock block :: allow
|
|
# CoreOS coreos-pool and coreos-release tags, https://pagure.io/releng/issue/8294
|
|
tag coreos-pool coreos-release && has_perm coreos-continuous && match action add unblock block :: allow
|
|
# Allow people to manage their side tags, https://pagure.io/releng/issue/9229
|
|
is_sidetag_owner && match action add update remove unblock block :: allow
|
|
# Catch-all rule.
|
|
all :: deny
|
|
|
|
sidetag =
|
|
tag f43-build :: allow
|
|
tag f42-build :: allow
|
|
tag f41-build :: allow
|
|
tag f40-build :: allow
|
|
tag f39-build :: allow
|
|
tag eln-build :: allow
|
|
tag epel10.1-build :: allow
|
|
tag epel10.0-build :: allow
|
|
tag epel9-next-build :: allow
|
|
tag epel9-build :: allow
|
|
tag epel8-build :: allow
|
|
all :: deny
|
|
|
|
{% if env == "staging" %}
|
|
build_from_scm =
|
|
match scm_host src.stg.fedoraproject.org :: {
|
|
bool scratch :: allow fedpkg sources
|
|
match scm_repository /rpms/* :: allow fedpkg sources
|
|
match scm_repository /container/* :: allow fedpkg sources
|
|
match scm_repository /flatpaks/* :: allow fedpkg sources
|
|
}
|
|
match scm_host pkgs.stg.fedoraproject.org :: {
|
|
bool scratch :: allow fedpkg sources
|
|
match scm_repository /rpms/* :: allow fedpkg sources
|
|
match scm_repository /container/* :: allow fedpkg sources
|
|
match scm_repository /flatpaks/* :: allow fedpkg sources
|
|
}
|
|
match scm_host pkgs.fedoraproject.org && match scm_repository /* :: allow fedpkg sources
|
|
match scm_host pagure.io && match scm_repository /fedora-kickstarts.git :: allow
|
|
match scm_host pagure.io && match scm_repository /fedora-kiwi-descriptions.git :: allow
|
|
match scm_host src.fedoraproject.org :: allow fedpkg sources
|
|
all :: deny
|
|
{% else %}
|
|
build_from_scm =
|
|
match scm_host src.fedoraproject.org :: {
|
|
bool scratch :: allow fedpkg sources
|
|
match scm_repository /rpms/* :: allow fedpkg sources
|
|
match scm_repository /container/* :: allow fedpkg sources
|
|
match scm_repository /flatpaks/* :: allow fedpkg sources
|
|
}
|
|
match scm_host pkgs.fedoraproject.org :: {
|
|
bool scratch :: allow fedpkg sources
|
|
match scm_repository /rpms/* :: allow fedpkg sources
|
|
match scm_repository /container/* :: allow fedpkg sources
|
|
match scm_repository /flatpaks/* :: allow fedpkg sources
|
|
}
|
|
match scm_host pagure.io :: {
|
|
bool scratch :: allow
|
|
match scm_repository /fedora-kickstarts.git :: allow
|
|
match scm_repository /fork/*/fedora-kickstarts.git :: allow
|
|
match scm_repository /fedora-kiwi-descriptions.git :: allow
|
|
}
|
|
all :: deny
|
|
{% endif %}
|
|
|
|
scm =
|
|
# allow scratch builds from any commits
|
|
bool scratch :: allow
|
|
match_all branches * !! deny Commit must be present on some branch
|
|
all :: allow
|