commit e8aac02d42824aeb6e84b9933a1e8c33c21afcaf
Author: Xavier Lamien <laxathom(a)old03.ovh.rpmfusion.lan>
Date: Mon Sep 10 23:13:12 2012 +0200
Add module koji
modules/koji/files/builder/kojid | 3 +
modules/koji/files/hub/kojihub.conf | 24 ++++
modules/koji/files/kojira/kojira | 4 +
modules/koji/files/kojira/kojira.conf | 34 ++++++
modules/koji/files/web/kojiweb.conf | 57 ++++++++++
modules/koji/manifests/init.pp | 141 ++++++++++++++++++++++++
modules/koji/templates/builder/kojid.conf.erb | 64 +++++++++++
modules/koji/templates/hub-server/hub.conf.erb | 56 ++++++++++
8 files changed, 383 insertions(+), 0 deletions(-)
---
diff --git a/modules/koji/files/builder/kojid b/modules/koji/files/builder/kojid
new file mode 100644
index 0000000..da2e97d
--- /dev/null
+++ b/modules/koji/files/builder/kojid
@@ -0,0 +1,3 @@
+FORCE_LOCK=Y
+KOJID_DEBUG=Y
+KOJID_VERBOSE=Y
diff --git a/modules/koji/files/hub/kojihub.conf b/modules/koji/files/hub/kojihub.conf
new file mode 100644
index 0000000..3f1911c
--- /dev/null
+++ b/modules/koji/files/hub/kojihub.conf
@@ -0,0 +1,24 @@
+#
+# koji-hub is an xmlrpc interface to the Koji database
+#
+
+Alias /kojihub "/usr/share/koji-hub/XMLRPC"
+
+<Directory /usr/share/koji-hub>
+ SetHandler mod_python
+ PythonHandler kojixmlrpc
+
+ PythonOption ConfigFile /etc/koji-hub/hub.conf
+
+ PythonDebug Off
+ # autoreload is mostly useless to us (it would only reload kojixmlrpc.py)
+ PythonAutoReload Off
+</Directory>
+
+# uncomment this to enable authentication via SSL client certificates
+<Location /kojihub>
+ SSLOptions +StdEnvVars
+</Location>
+# these options must be enabled globally (in ssl.conf)
+# SSLVerifyClient require
+# SSLVerifyDepth 10
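Review bot: The `<Location /kojihub>` block is active although the comment above it still says "uncomment this", and the two directives that actually enforce client certificates (`SSLVerifyClient require`, `SSLVerifyDepth 10`) stay commented out with a pointer to ssl.conf, which this commit does not manage. `SSLOptions +StdEnvVars` only exports certificate fields to the handler; it neither requests nor verifies a certificate. Since hub.conf.erb in this commit configures DN-based login, I would manage the ssl.conf settings from this module, or at least correct the comment, e.g. `# client-certificate login: needs SSLVerifyClient/SSLVerifyDepth in ssl.conf (not managed by this module)`.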
diff --git a/modules/koji/files/kojira/kojira b/modules/koji/files/kojira/kojira
new file mode 100644
index 0000000..830c183
--- /dev/null
+++ b/modules/koji/files/kojira/kojira
@@ -0,0 +1,4 @@
+FORCE_LOCK=Y
+KOJIRA_DEBUG=N
+KOJIRA_VERBOSE=Y
+RUNAS=root
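Review bot: `RUNAS=root` makes the kojira daemon run with full root privileges, and nothing in the commit records why. If the daemon only needs write access below the `topdir` set in kojira.conf (`/srv/koji`), a dedicated account owning that tree would limit the impact of a fault in the daemon. If root really is required, say so above the line, e.g. `# kojira must run as root because <reason>`.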
diff --git a/modules/koji/files/kojira/kojira.conf
b/modules/koji/files/kojira/kojira.conf
new file mode 100644
index 0000000..7a8f707
--- /dev/null
+++ b/modules/koji/files/kojira/kojira.conf
@@ -0,0 +1,34 @@
+[kojira]
+; For user/pass authentication
+; user=kojira
+; password=kojira
+
+; For Kerberos authentication
+; the principal to connect with
+;principal=koji/repo(a)EXAMPLE.COM
+; The location of the keytab for the principal above
+;keytab=/etc/kojira.keytab
+
+; The URL for the koji hub server
+server=http://buildsys.rpmfusion.org/kojihub
+
+; The directory containing the repos/ directory
+topdir=/srv/koji
+
+; Logfile
+logfile=/var/log/kojira.log
+
+; Include srpms in repos? (not needed for normal operation)
+with_src=no
+
+;configuration for SSL athentication
+
+;client certificate
+cert = /etc/kojira/kojira.pem
+
+;certificate of the CA that issued the client certificate
+ca = /etc/kojira/rpmfusion_ca_cert.crt
+serverca = /etc/kojira/rpmfusion_ca_cert.crt
+
+;certificate of the CA that issued the HTTP server certificate
+;serverca = /etc/kojira/serverca.crt
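Review bot: `server=http://buildsys.rpmfusion.org/kojihub` is a plain-HTTP URL in a file that otherwise configures certificate authentication (`cert`, `ca`, `serverca`), and neither the client certificate nor the `serverca` check protects anything outside TLS. Whether the client upgrades the scheme by itself is not visible here, so I would make it explicit: `server=https://buildsys.rpmfusion.org/kojihub`. The same applies to `server=` and `pkgurl=` in kojid.conf.erb and to `KojiHubURL`/`KojiPackagesURL` in kojiweb.conf. Separately, the active `serverca` line sits under the comment for the client CA, while the correctly labelled `serverca` entry at the end is commented out; keeping one definition under its own comment avoids the two drifting apart.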
diff --git a/modules/koji/files/web/kojiweb.conf b/modules/koji/files/web/kojiweb.conf
new file mode 100644
index 0000000..9d5d59a
--- /dev/null
+++ b/modules/koji/files/web/kojiweb.conf
@@ -0,0 +1,57 @@
+Alias /koji "/usr/share/koji-web/scripts/"
+Alias /koji-packages /srv/koji/packages/
+Alias /koji-repos /srv/koji/repos/
+
+<Directory "/usr/share/koji-web/scripts/">
+ # Config for the publisher handler
+ SetHandler mod_python
+ # Use kojiweb's publisher (which handles errors more gracefully)
+ # You can also use mod_python.publisher, but you will lose the pretty tracebacks
+ PythonHandler kojiweb.publisher
+
+ # General settings
+ PythonDebug On
+ PythonOption SiteName "RPM Fusion Build System"
+ PythonOption KojiHubURL
http://buildsys.rpmfusion.org/kojihub
+ PythonOption KojiPackagesURL
http://buildsys.rpmfusion.org/koji-packages
+ PythonOption KojiImagesURL
http://buildsys.rpmfusion.org/koji/images
+ PythonOption DNUsernameComponent CN
+ PythonOption ProxyDNs "/C=ES/ST=Barcelona/O=RPM Fusion/CN=kojiweb"
+
+# PythonOption WebPrincipal koji/web(a)EXAMPLE.COM
+# PythonOption WebKeytab /etc/httpd.keytab
+ PythonOption WebCCache /var/tmp/kojiweb.ccache
+ PythonOption WebCert /etc/pki/koji/kojiweb.pem
+ PythonOption ClientCA /etc/pki/koji/rpmfusion_ca_cert.crt
+ PythonOption KojiHubCA /etc/pki/koji/rpmfusion_ca_cert.crt
+ PythonOption LoginTimeout 72
+ # This must be changed before deployment
+ PythonOption Secret CHANGE_ME123
+ PythonPath "sys.path + ['/usr/share/koji-web/lib']"
+ PythonCleanupHandler kojiweb.handlers::cleanup
+ PythonAutoReload Off
+</Directory>
+
+# uncomment this to enable authentication via SSL client certificates
+<Location /koji/login>
+ SSLOptions +StdEnvVars
+</Location>
+# these options must be enabled globally (in ssl.conf)
+# SSLVerifyClient require
+# SSLVerifyDepth 10
+
+Alias /koji-static/ "/usr/share/koji-web/static/"
+
+<Directory "/usr/share/koji-web/static/">
+ Options None
+ AllowOverride None
+ Order allow,deny
+ Allow from all
+</Directory>
+
+<Directory "/srv/koji/repos/">
+ Options +Indexes
+ AllowOverride None
+ Order Allow,Deny
+ Allow from All
+</Directory>
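Review bot: `PythonOption Secret CHANGE_ME123` ships the placeholder to every node that receives this file, and the instruction "This must be changed before deployment" cannot be followed when Puppet is what deploys it; the value is also readable by anyone with access to the repository. hub.conf.erb in this commit already takes the database password from a variable, and the same approach fits here, e.g. `PythonOption Secret <%= koji_web_secret %>` (the variable name is a placeholder), with the value kept outside version control. In the same `<Directory>` block, `PythonDebug On` should be `PythonDebug Off`, as kojihub.conf has it, so that Python tracebacks go to the error log rather than to the browser.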
diff --git a/modules/koji/manifests/init.pp b/modules/koji/manifests/init.pp
new file mode 100644
index 0000000..58c1ab1
--- /dev/null
+++ b/modules/koji/manifests/init.pp
@@ -0,0 +1,141 @@
+class koji {
+
+ package { "koji":
+ ensure => installed
+ }
+
+ class hub inherits koji {
+
+ include httpd
+
+ package { "koji-hub":
+ ensure => installed
+ }
+
+ #configfile { '/etc/cron.d/koji-directory-cleanup':
+ # source => 'build/koji-directory-cleanup',
+ #}
+ #configfile { '/etc/cron.d/koji-gc':
+ # source => 'build/koji-gc',
+ #}
+ #configfile { '/etc/cron.d/koji-prunesigs':
+ # source => 'build/koji-prunesigs',
+ #}
+
+ file { '/etc/httpd/conf.d/kojihub.conf':
+ source => 'web/applications/kojihub.conf',
+ }
+
+ file { '/etc/koji-hub/hub.conf':
+ path => '/etc/koji-hub/hub.conf',
+ owner => apache, #TODO: move this to variable if we manage more than one
webserver app.
+ group => apache,
+ mode => 600,
+ require => Package[koji-hub],
+ content => template('build/hub.conf.erb'),
+ notify => Service['httpd'] #TODO: same as above.
+ }
+ }
+
+ class web inherits koji {
+
+ include httpd
+
+ package { koji-web:
+ ensure => present,
+ }
+
+ file { '/etc/httpd/conf.d/kojiweb.conf':
+ content => template('koji/web/kojiweb.conf'),
+ mode => 640,
+ owner => 'root',
+ group => 'root',
+ backup => main,
+ recurse => false,
+ ensure => file,
+ notify => Service['httpd'],
+ require => Package['httpd']
+ }
+
+ file { "/etc/pki/koji":
+ replace => false,
+ ensure => directory
+ }
+
+ file { "/srv/koji/repos":
+ replace => false,
+ ensure => directory
+ }
+
+ cert { "/etc/pki/koji/rpmfusion_ca_cert.crt":
+ source => "secure/certs/CA/rpmfusion_ca_cert.crt",
+ notify => Service['httpd'],
+ }
+
+ cert { "/etc/pki/koji/kojiweb.pem":
+ source => "secure/certs/web/kojiweb.pem",
+ notify => Service['httpd'],
+ }
+ }
+
+ class builder inherits koji {
+
+ include mock
+
+ package { "koji-builder":
+ ensure => installed
+ }
+
+ service { kojid:
+ ensure => true,
+ subscribe => [ Package["koji-builder"] ]
+ }
+
+ file { '/etc/kojid/kojid.conf':
+ content => template('koji/builder/kojid.conf.erb'),
+ path => '/etc/kojid/kojid.conf',
+ owner => root,
+ group => root,
+ mode => 644,
+ require => Package[koji-builder],
+ notify => Service['kojid']
+ }
+
+ file { ['/pub', '/srv/koji', '/pub/fedora',
'/pub/epel' ]:
+ ensure => directory
+ }
+
+ cert { "/etc/kojid/rpmfusion_ca_cert.crt":
+ source => "secure/certs/CA/rpmfusion_ca_cert.crt",
+ notify => Service['kojid'],
+ }
+
+ cert { "/etc/kojid/$hostname.es.rpmfusion.net.pem":
+ source => "secure/certs/builders/$hostname.pem",
+ notify => Service['kojid'],
+ }
+ }
+
+ class kojira inherits koji {
+
+ package { "koji-utils":
+ ensure => installed
+ }
+
+ service { kojira:
+ require => Package['koji-utils'],
+ ensure => true,
+ enable => true,
+ }
+
+ cert { "/etc/pki/koji/rpmfusion_ca_cert.crt":
+ source => "secure/certs/CA/rpmfusion_ca_cert.crt",
+ notify => Service['kojira'],
+ }
+
+ cert { "/etc/kojira/kojira.pem":
+ source => "secure/certs/web/kojira.pem",
+ notify => Service['kojira'],
+ }
+ }
+}
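Review bot: Two `template()` calls point at paths this commit does not create: `template('build/hub.conf.erb')` resolves into a `build` module although the file is added as modules/koji/templates/hub-server/hub.conf.erb, and `template('koji/web/kojiweb.conf')` looks under templates/ although kojiweb.conf is added under files/web/. Unless those paths exist elsewhere in the tree, the hub and web classes will not compile, so the credential-bearing hub.conf never gets its `mode => 600`; I would use `content => template('koji/hub-server/hub.conf.erb'),` and either move kojiweb.conf under templates/ or serve it with `source`. The `source => 'web/applications/kojihub.conf'` value likewise does not obviously correspond to modules/koji/files/hub/kojihub.conf. Also, `cert { "/etc/pki/koji/rpmfusion_ca_cert.crt": }` is declared in both `web` and `kojira`, which is a duplicate resource on a node that includes both, and `/etc/pki/koji` is created without `owner`/`mode` even though it holds kojiweb.pem.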
diff --git a/modules/koji/templates/builder/kojid.conf.erb
b/modules/koji/templates/builder/kojid.conf.erb
new file mode 100644
index 0000000..5729fb8
--- /dev/null
+++ b/modules/koji/templates/builder/kojid.conf.erb
@@ -0,0 +1,64 @@
+[kojid]
+; The number of seconds to sleep between tasks
+sleeptime=15
+
+; The maximum number of jobs that kojid will handle at a time
+maxjobs=<%= smp_mflags %>
+
+; The minimum amount of free space (in MBs) required for each build root
+minspace=8192
+
+; The directory root where work data can be found from the koji hub
+topdir=/srv/koji
+
+; The directory root for temporary storage
+workdir=/srv/koji
+
+; The directory root for mock
+mockdir=/srv/koji/mock/
+
+; The user to run as when doing builds
+mockuser=kojibuilder
+
+; The vendor to use in rpm headers
+vendor=RPM Fusion
+
+; The packager to use in rpm headers
+packager=RPM Fusion
+
+; The distribution to use in rpm headers
+distribution=RPM Fusion
+
+; The _host string to use in mock
+; mockhost=koji-linux-gnu
+
+; The URL for the xmlrpc server
+server=http://buildsys.rpmfusion.org/kojihub
+
+; The URL for the packages tree
+pkgurl=http://buildsys.rpmfusion.org/koji-packages
+
+; A space-separated list of hostname:repository[:use_common] tuples that kojid is
authorized to checkout from (no quotes).
+; Wildcards (as supported by fnmatch) are allowed.
+; If use_common is specified and is one of "false", "no",
"off", or "0" (without quotes), then kojid will not attempt to
checkout
+; a common/ dir when checking out sources from the source control system. Otherwise, it
will attempt to checkout a common/
+; dir, and will raise an exception if it cannot.
+allowed_scms=cvs.rpmfusion.org:/cvs/free/ cvs.rpmfusion.org:/cvs/nonfree
+; git.example.org:/example svn.example.org:/users/*:no
+
+; The mail host to use for sending email notifications
+smtphost=localhost
+
+; The From address used when sending email notifications
+from_addr=RPM Fusion Build System <buildsys(a)rpmfusion.org>
+
+;configuration for SSL athentication
+
+;client certificate
+cert = /etc/kojid/<%= hostname %>.es.rpmfusion.net.pem
+
+;certificate of the CA that issued the client certificate
+ca = /etc/kojid/rpmfusion_ca_cert.crt
+
+;certificate of the CA that issued the HTTP server certificate
+serverca = /etc/kojid/rpmfusion_ca_cert.crt
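Review bot: `maxjobs=<%= smp_mflags %>` relies on a variable that nothing in this commit defines, and its name suggests an rpm make-flags string rather than a job count. If it is unset the template will not render, and if it carries a value such as `-j4` (constructed example) kojid receives a non-integer `maxjobs`. An integer fact such as `<%= processorcount %>`, or a class parameter with a documented default, would be safer, with a comment above the line naming the source of the value. `workdir=/srv/koji` is also identical to `topdir`, so temporary build data lands in the shared koji tree; worth confirming that this is intended.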
diff --git a/modules/koji/templates/hub-server/hub.conf.erb
b/modules/koji/templates/hub-server/hub.conf.erb
new file mode 100644
index 0000000..dbd5f79
--- /dev/null
+++ b/modules/koji/templates/hub-server/hub.conf.erb
@@ -0,0 +1,56 @@
+[hub]
+
+## Basic options
+DBName = koji
+DBUser = koji
+DBHost = <%= koji_db_host %>
+DBPass = <%= koji_db_pass %>
+KojiDir = /srv/koji
+
+## SSL client certificate auth configuration ##
+## the client username is the common name of the subject of their client certificate
+DNUsernameComponent = CN
+ProxyDNs = /C=ES/ST=Barcelona/O=RPM Fusion/CN=kojiweb
+
+
+
+LoginCreatesUser = On
+KojiWebURL =
http://buildsys.rpmfusion.org/koji
+# The domain name that will be appended to Koji usernames
+# when creating email notifications
+#EmailDomain =
rpmfusion.org
+
+# Notification
+NotifyOnSuccess = True
+
+## Disables all notifications
+DisableNotifications = False
+
+## Koji hub plugins
+## The path where plugins are found
+# PluginPath = /usr/lib/koji-hub-plugins
+## A space-separated list of plugins to load
+# Plugins = echo
+
+## If KojiDebug is on, the hub will be /very/ verbose and will report exception
+## details to clients for anticipated errors (i.e. koji's own exceptions --
+## subclasses of koji.GenericError).
+KojiDebug = Off
+
+## Determines how much detail about exceptions is reported to the client (via faults)
+## Meaningful values:
+## normal - a basic traceback (format_exception)
+## extended - an extended traceback (format_exc_plus)
+## anything else - no traceback, just the error message
+## The extended traceback is intended for debugging only and should NOT be
+## used in production, since it may contain sensitive information.
+# KojiTraceback = normal
+
+## These options are intended for planned outages
+# ServerOffline = False
+# OfflineMessage = temporary outage
+# LockOut = False
+## If ServerOffline is True, the server will always report a ServerOffline fault (with
+## OfflineMessage as the fault string).
+## If LockOut is True, the server will report a ServerOffline fault for all non-admin
+## requests.
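Review bot: `LoginCreatesUser = On` has no comment, and as the name indicates it lets a successful login create the account, so with `DNUsernameComponent = CN` every client certificate the web server accepts becomes a Koji user on first contact. That ties account provisioning to CA issuance and to the `SSLVerifyClient` setting that kojihub.conf leaves to ssl.conf. If this is intended, document it above the line, e.g. `## accounts are auto-created for any accepted client certificate; set Off to provision users explicitly`; otherwise set it to `Off`. `koji_db_host` and `koji_db_pass` are not defined in the manifest shown in this commit, so the hub class should state where they are expected to come from.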