Monday, March 28, 2011

First BUILD on Open-RD Koji - 0.2

I have done it... finally. A couple of days ago I posted that I finally had Koji up and running on the Open-RD system and needed to grapple with kojira next, to get the repos set up. Finally, after a couple of days, I was able to build a src.rpm for filezilla, with a wonderful green "complete" within a few seconds. This is exciting not only because I am finally 99.99% complete on my journey with Koji and ARM, but because the build showed that the setup between the two ARM systems, Open-RD (HUB/WEB) and GuruPlug (Builder), proves very efficient for builds. That being said, I find the web interface is still a tad too slow for my liking, and I plan to soon begin researching more efficient ways for it to function... not to jump to a conclusion, but placing koji-web on a separate dedicated ARM machine may be a great option, and I hope I can obtain the resources to begin testing this theory.



One thing to note is that the Koji how-to documentation does not outline how to go about the repo setup; however, it does provide a link that does. ServerBootstrap is the walkthrough I followed to get the base tags set up that are required for builds to function. It was straightforward and, believe it or not, for once I had no error troubles.

That's all for now,

Stay Tuned

Saturday, March 26, 2011

Koji + 1 Builder Running on Open-RD

It is with great excitement that I announce the installing of the Koji build system running on an ARM-based platform. After a few days, which followed a few months of grappling with Koji and its howto guide, I was able to get koji web and hub up and running on an Open-RD system, with one attached Koji builder, a GuruPlug.


http://italy.proximity.on.ca/koji
      ||
Open-RD   <--PrivateLan-->   GuruServerPlug
Koji-Hub                     Koji-Builder
Koji-Web

Above is a more visual breakdown of what's running what. So far the builder is able to communicate with the hub and all lights are green :-). The next step is to create the kojira repo, and in the following week I will begin testing the building of packages to see what the speeds are like with builds, the web interface, and the Open-RD itself. This should allow for further determination of what types of tweaks can be made to ensure an as efficient as possible, fully ARM-supported build farm.

Stay Tuned!

Tuesday, March 22, 2011

Kojiadmin CN=fqdn Mixup


I was able to solve my server certificate error from before, but the next error proved a little bit tricky and took me a couple of days to figure out the fix for. When attempting to issue admin-level commands with the kojiadmin user, I was faced with: ActionNotAllowed: admin permission required

What could be causing this? I thought. The certs were all in the right spots, but for some reason I still could not issue admin commands. The apache error_log reported the following:

/usr/lib64/python2.6/site-packages/mod_python/importer.py:32: DeprecationWarning: the md5 module is deprecated; use hashlib instead
import md5
2011-03-15 15:41:44,145 [WARNING] m=createUser u=iraq.proximity.on.ca koji.xmlrpc: Traceback (most recent call last):
File "/usr/share/koji-hub/kojixmlrpc.py", line 191, in _marshaled_dispatch
response = self._dispatch(method, params)
File "/usr/share/koji-hub/kojixmlrpc.py", line 253, in _dispatch
ret = func(*params,**opts)
File "/usr/share/koji-hub/kojihub.py", line 7867, in createUser
context.session.assertPerm('admin')
File "/usr/lib/python2.6/site-packages/koji/auth.py", line 527, in assertPerm
raise koji.ActionNotAllowed, "%s permission required" % name
ActionNotAllowed: admin permission required

Solution: 
For some reason iraq.proximity.on.ca was auto-added to the psql database; when giving it admin permissions, kojiadmin could add users. Possible cert issue?

I regenerated the certs, and found it was occurring due to the CN being set as iraq.proximity.on.ca in the kojiadmin cert. It was attempting to authenticate the FQDN instead of the OU, which was kojiadmin.

By regenerating the certificates for kojiadmin and making the CN=kojiadmin with a blank OU, the error no longer occurred, and kojiadmin was able to be authenticated to add users or perform other administrative tasks on Koji with the kojiadmin user.
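The mix-up above, as an added example that is not part of the original post and is not Koji's code: a simplified model of a hub that logs a client in by the CN of its certificate and auto-adds unknown names, plus a pre-flight check of a subject before the certificate is handed out. `HubModel`, `check_client_cert` and the two subject strings are hypothetical and constructed for illustration; the C/ST/O values are placeholders.

```python
# Added example: simplified model of the CN-based login described above, not Koji's code.
# Constructed subjects in OpenSSL one-line form; the C/ST/O values are placeholders.
BAD_DN = "/C=CA/ST=Ontario/O=Example/OU=kojiadmin/CN=iraq.proximity.on.ca"
GOOD_DN = "/C=CA/ST=Ontario/O=Example/CN=kojiadmin"


def parse_subject(dn):
    """Split '/K=V/K=V' or 'K = V, K = V' into a dict (values containing the separator are not handled)."""
    sep = "/" if dn.strip().startswith("/") else ","
    fields = {}
    for part in dn.split(sep):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().upper()] = value.strip()
    return fields


class HubModel:
    def __init__(self, perms):
        self.perms = {user: set(p) for user, p in perms.items()}  # user -> permissions

    def login(self, subject_dn):
        cn = parse_subject(subject_dn).get("CN")
        if not cn:
            raise ValueError("certificate subject has no CN")
        self.perms.setdefault(cn, set())  # unknown name is auto-added with no permissions
        return cn

    def add_user(self, subject_dn, new_user):
        caller = self.login(subject_dn)
        if "admin" not in self.perms[caller]:
            raise PermissionError("admin permission required (authenticated as %s)" % caller)
        self.perms.setdefault(new_user, set())
        return caller


def check_client_cert(subject_dn, expected_user):
    """Return a list of problems to fix before the certificate is handed to a user."""
    fields = parse_subject(subject_dn)
    cn, problems = fields.get("CN"), []
    if cn != expected_user:
        problems.append("CN is %r, expected %r" % (cn, expected_user))
        if fields.get("OU") == expected_user:
            problems.append("user name found in OU; the login uses CN")
    return problems


if __name__ == "__main__":
    hub = HubModel({"kojiadmin": {"admin"}})
    print(check_client_cert(BAD_DN, "kojiadmin"))
    print(hub.add_user(GOOD_DN, "kojira"))
```

The subject line of a real certificate can be printed with `openssl x509 -noout -subject -in <cert file>` and passed to `check_client_cert`.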

Koji Cert FUN!

The generation of the certs, though tedious, is not too painful so long as you understand exactly how they function between koji hub and SSL for user authentication. I learned how they interact the hard way. The first main issue I ran into was far into the configuration of Koji, when issuing the add-user koji command I was faced with the following:


Command: koji add-user kojira
Error:

[('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]

Solution:

Apache may be pointing to the incorrect certs for SSL authentication. In my case, my Apache SSL configuration was looking in /etc/pki/tls/certs/localhost.crt for the server cert and /etc/pki/tls/private/localhost.key for the server private key.

This can be fixed in two ways, either by changing the Apache SSL configuration to point to your koji_ca_cert.crt and koji_ca_cert.key files:

ssl.conf (Option 1)
#   Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate.  If
# the certificate is encrypted, then you will be prompted for a
# pass phrase.  Note that a kill -HUP will prompt again.  A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/koji/koji_ca_cert.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/koji/private/koji_ca_cert.key

Or by leaving the SSL configs at their defaults and copying koji_ca_cert.crt over /etc/pki/tls/certs/localhost.crt, and doing the same for the private key by copying koji_ca_cert.key over /etc/pki/tls/private/localhost.key.

Commands (Option 2):
cp /etc/pki/koji/koji_ca_cert.crt /etc/pki/tls/certs/localhost.crt
cp /etc/pki/koji/private/koji_ca_cert.key /etc/pki/tls/private/localhost.key

Through this problem I became clear on how Koji authenticates its user, which in this case is sending commands from the CLI, with Apache SSL. The user kojiadmin does not just have to have a config file with pointers to the correct certs; the server certificates must point to the valid koji_ca-generated certificate authority cert, since the Koji setup creates a standalone cert authority. The certificates were definitely the most challenging part of this config, as they spread across multiple aspects of Koji and must be configured in line with the other parts of Koji in order to function flawlessly.

Sunday, March 13, 2011

Adventures in Koji

Hello, All

Okay, so it has been long overdue that I post something. Recently I have been going about the process of installing the Koji build system on Fedora 13. So far it has been a bit of a headache, fun, and a great learning experience. The next several posts will outline step by step what I have done so far, the errors I encountered and how I went about fixing them. Throughout my adventure in Koji I have been following the Fedora wiki walkthrough, which as many may already know is a great guide, but doesn't really go too in depth on the install process and the common issues some may face. So, for some added help to any others who may be on the same road as me, or at the same road block as I once was with this process, I will be trying to be as detailed as possible as I post each step of my adventure with Koji.