194 lines
8.9 KiB
Django/Jinja
194 lines
8.9 KiB
Django/Jinja
[hub]
|
|
|
|
## Basic options ##
|
|
DBName = koji
|
|
DBUser = koji
|
|
{% if env == "staging" %}
|
|
DBHost = db-koji01
|
|
LogLevel = koji:INFO koji-fedmsg-plugin:INFO
|
|
LogFormat = %(asctime)s [%(levelname)s] m=%(method)s u=%(user_name)s p=%(process)s r=%(remoteaddr)s %(name)s: %(message)s
|
|
{% else %}
|
|
DBHost = db-koji01
|
|
{% endif %}
|
|
DBPass = {{ kojiPassword }}
|
|
AuthPrincipal = host/koji{{env_suffix}}.fedoraproject.org
|
|
{% if env == "staging" %}
|
|
ProxyPrincipals = modularity@STG.FEDORAPROJECT.ORG,HTTP/koji.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG,sigul/sign-bridge01.stg.iad2.fedoraproject.org@STG.FEDORAPROJECT.ORG
|
|
{% else %}
|
|
ProxyPrincipals = HTTP/koji.fedoraproject.org@FEDORAPROJECT.ORG,sigul/sign-bridge01.iad2.fedoraproject.org@FEDORAPROJECT.ORG
|
|
{% endif %}
|
|
KojiDir = /mnt/koji
|
|
MemoryWarnThreshold = 10000
|
|
MaxRequestLength = 167772160
|
|
RLIMIT_AS = 10737418240
|
|
CheckClientIP = False
|
|
|
|
# Kerb auth
|
|
{% if env == "staging" %}
|
|
HostPrincipalFormat = compile/%s@STG.FEDORAPROJECT.ORG
|
|
{% else %}
|
|
HostPrincipalFormat = compile/%s@FEDORAPROJECT.ORG
|
|
{% endif %}
|
|
AuthKeytab = /etc/koji-hub/koji-hub.keytab
|
|
|
|
## SSL client certificate auth configuration ##
|
|
#note: ssl auth may also require editing the httpd config (conf.d/kojihub.conf)
|
|
|
|
## the client username is the common name of the subject of their client certificate
|
|
DNUsernameComponent = CN
|
|
## separate multiple DNs with |
|
|
ProxyDNs = emailAddress=buildsys@fedoraproject.org,CN=kojiweb,OU=Fedora Builders,O=Fedora Project,ST=North Carolina,C=US|emailAddress=releng@fedoraproject.org,CN=sign-bridge1,OU=Package Signing,O=Fedora Project,ST=North Carolina,C=US
|
|
|
|
## end SSL client certificate auth configuration
|
|
|
|
|
|
|
|
## Other options ##
|
|
LoginCreatesUser = On
|
|
KojiWebURL = http://koji.fedoraproject.org/koji
|
|
# The domain name that will be appended to Koji usernames
|
|
# when creating email notifications
|
|
EmailDomain = fedoraproject.org
|
|
# Disable sending all notifications from koji, people need to use FMN now
|
|
DisableNotifications = True
|
|
|
|
## If KojiDebug is on, the hub will be /very/ verbose and will report exception
|
|
## details to clients for anticipated errors (i.e. koji's own exceptions --
|
|
## subclasses of koji.GenericError).
|
|
# KojiDebug = On
|
|
|
|
## If MissingPolicyOk is on, and given policy is not set up,
|
|
## policy test will pass as ok. If 'deny' result is desired, set it
|
|
## to off
|
|
# MissingPolicyOk = True
|
|
MissingPolicyOk = False
|
|
|
|
## Determines how much detail about exceptions is reported to the client (via faults)
|
|
## Meaningful values:
|
|
## normal - a basic traceback (format_exception)
|
|
## extended - an extended traceback (format_exc_plus)
|
|
## anything else - no traceback, just the error message
|
|
## The extended traceback is intended for debugging only and should NOT be
|
|
## used in production, since it may contain sensitive information.
|
|
# KojiTraceback = normal
|
|
|
|
## These options are intended for planned outages
|
|
#ServerOffline = True
|
|
#OfflineMessage = Offline
|
|
#LockOut = True
|
|
#OfflineMessage = 'koji is being migrated to a new datacenter'
|
|
## If ServerOffline is True, the server will always report a ServerOffline fault (with
|
|
## OfflineMessage as the fault string).
|
|
## If LockOut is True, the server will report a ServerOffline fault for all non-admin
|
|
## requests.
|
|
|
|
#Plugins = koji-disable-builds-plugin
|
|
#Plugins = darkserver-plugin
|
|
Plugins = fedmsg-koji-plugin runroot_hub hub_containerbuild tag2distrepo sidetag_hub save_failed_tree
|
|
|
|
[policy]
|
|
|
|
tag =
|
|
user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
|
|
user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 pesign fwupd fwupd-efi:: allow
|
|
user bodhi && tag *-override && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
|
|
has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
|
|
has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
|
|
has_perm secure-boot && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
|
|
# CoreOS continuous builds, https://pagure.io/releng/issue/8165
|
|
operation tag && tag f*-coreos-continuous && has_perm coreos-continuous :: allow
|
|
operation untag && fromtag f*-coreos-continuous && has_perm coreos-continuous :: allow
|
|
# CoreOS coreos-pool and intermediate signing tags as well
|
|
# as the coreos-release tag. https://pagure.io/releng/issue/8294
|
|
operation tag && tag coreos-pool f*-coreos-signing-pending coreos-release && has_perm coreos-continuous :: allow
|
|
operation untag && fromtag coreos-pool f*-coreos-signing-pending coreos-release && has_perm coreos-continuous :: allow
|
|
# eln builds, https://pagure.io/releng/issue/9538
|
|
operation tag && tag eln* && has_perm eln :: allow
|
|
operation untag && fromtag eln* && has_perm eln :: allow
|
|
# deny tagging secureboot packages that are not related to coreos-continuous and eln
|
|
package kernel shim grub2 pesign fwupd fwupd-efi :: deny
|
|
# Allow people to tag stuff into infra-candidate if they're infra
|
|
tag *-infra-candidate && has_perm infra :: allow
|
|
tag *-infra-candidate :: deny
|
|
# Allow people from infra to promote builds from -infra-stg to -infra tags
|
|
tag *-infra && fromtag *-infra-stg && has_perm infra :: allow
|
|
# These two rules makes sure people can't build srpms in infra tags and tag them into distribution tags
|
|
tag *infra* && fromtag *infra* && has_perm infra :: allow
|
|
fromtag *infra* :: deny
|
|
all :: allow
|
|
|
|
channel =
|
|
method newRepo distRepo buildSRPMFromSCM :: use createrepo
|
|
method buildContainer :: use container
|
|
has req_channel && has_perm customchannel :: req
|
|
|
|
#we want pesign-test-app to always go to the secure-boot channel even for scratch builds
|
|
source */pesign-test-app* && has_perm secure-boot :: use secure-boot
|
|
#make sure all scratch builds go to default channel
|
|
method build && bool scratch :: use default
|
|
|
|
#policys to deal with secure boot allowing only people in the secure-boot group to build the packages
|
|
source */kernel* && has_perm secure-boot :: use secure-boot
|
|
source */shim* && has_perm secure-boot :: use secure-boot
|
|
source */grub2* && has_perm secure-boot :: use secure-boot
|
|
source */pesign* && has_perm secure-boot :: use secure-boot
|
|
source */fwupdate* && has_perm secure-boot :: use secure-boot
|
|
source */fwupd* && has_perm secure-boot :: use secure-boot
|
|
source */fwupd-efi* && has_perm secure-boot :: use secure-boot
|
|
|
|
# set this package to use the 'heavybuilder' channel. Note that this is NOT good for most anything.
|
|
# It just happens to be for this particular package. Please check before adding anything here, you could
|
|
# cause it to end up building a lot slower.
|
|
source */chromium* :: use heavybuilder
|
|
|
|
is_child_task :: parent
|
|
all :: use default
|
|
|
|
|
|
build_from_srpm =
|
|
has_perm admin :: allow
|
|
tag *-infra-candidate && has_perm infra :: allow
|
|
all :: deny
|
|
|
|
|
|
# Policy for manipulating package lists for tags.
|
|
package_list =
|
|
# Removing packages is almost always a mistake, so deny it.
|
|
# Admins can still override this with --force, if necessary.
|
|
match action remove :: deny
|
|
# Admins can do pretty much everything.
|
|
has_perm admin :: allow
|
|
# People with pkglist permission can manage package lists in
|
|
# active f$N and epel$N tags.
|
|
has_perm pkglist :: {
|
|
# Rawhide and epel7: adding, unblocking and blocking is allowed.
|
|
tag f{{FedoraRawhideNumber}} epel7 && match action add unblock block :: allow
|
|
# In branched blocking is allowed only before final freeze.
|
|
tag f{{FedoraBranchedNumber}} && match action add unblock {{ 'block' if not Frozen or FedoraBranchedBodhi != 'postbeta' else '' }} :: allow
|
|
# Stable releases: only adding and unblocking is allowed.
|
|
tag f{{FedoraCycleNumber}} f{{FedoraPreviousCycleNumber}} && match action add unblock :: allow
|
|
}
|
|
# Infra people can themselves add/block/unblock packages in their
|
|
# tags without bothering admins.
|
|
tag *infra* && has_perm infra && match action add unblock block :: allow
|
|
# CoreOS continuous builds, https://pagure.io/releng/issue/8165
|
|
tag f{{FedoraRawhideNumber}}-coreos-continuous f{{FedoraBranchedNumber}}-coreos-continuous f{{FedoraCycleNumber}}-coreos-continuous f{{FedoraPreviousCycleNumber}}-coreos-continuous && has_perm coreos-continuous && match action add unblock block :: allow
|
|
# CoreOS coreos-pool and coreos-release tags, https://pagure.io/releng/issue/8294
|
|
tag coreos-pool coreos-release && has_perm coreos-continuous && match action add unblock block :: allow
|
|
# Allow people to manage their side tags, https://pagure.io/releng/issue/9229
|
|
is_sidetag_owner && match action add update remove unblock block :: allow
|
|
# Catch-all rule.
|
|
all :: deny
|
|
|
|
sidetag =
|
|
tag f37-build :: allow
|
|
tag f36-build :: allow
|
|
tag f35-build :: allow
|
|
tag f34-build :: allow
|
|
tag eln-build :: allow
|
|
tag epel9-next-build :: allow
|
|
tag epel9-build :: allow
|
|
tag epel8-next-build :: allow
|
|
tag epel8-build :: allow
|
|
tag epel7-build :: allow
|
|
all :: deny
|