diff --git a/install-koji-farm.sh b/install-koji-farm.sh index 04523de..08167d8 100644 --- a/install-koji-farm.sh +++ b/install-koji-farm.sh @@ -1,11 +1,12 @@ #!/bin/bash +set -e DEBUG= for param in $1 $2 $3 ; do if [ $param ] ; then case $param in debug ) - DEBUG=true ;; + DEBUG="debug" ;; esac else break @@ -18,28 +19,26 @@ if [ $DEBUG ] ; then set -xe SILENT= QUIET="-v" -else - set -e fi # pull down the deploy scripts SCRIPT_GIT="https://src.koozali.org/smedev/smeserver-koji/raw/branch/master/koji-setup" SCRIPT_DIR="$(echo ~)/bin" -KOJI_PKI_DIR="/etc/pki/koji" mkdir -p $SCRIPT_DIR -curl $SILENT $SCRIPT_GIT/gencert.sh > $SCRIPT_DIR/gencert.sh -curl $SILENT $SCRIPT_GIT/deploy-koji.sh > $SCRIPT_DIR/deploy-koji.sh -curl $SILENT $SCRIPT_GIT/bootstrap-build.sh > $SCRIPT_DIR/bootstrap-build.sh +curl $SILENT $SCRIPT_GIT/koji-deploy-hub.sh > $SCRIPT_DIR/koji-deploy-hub.sh +curl $SILENT $SCRIPT_GIT/koji-bootstrap-build.sh > $SCRIPT_DIR/koji-bootstrap-build.sh chmod o+x $SCRIPT_DIR/*.sh # install any required packages -dnf install -y epel-release $QUIET -dnf install -y netcat $QUIET +if [ ! "dnf list installed | grep epel-release" ] ; then + dnf install -y epel-release $QUIET +fi +if [ ! "dnf list installed | grep netcat" ] ; then + dnf install -y netcat $QUIET +fi # ask for required parameters (ssh settings and build server FQDN) -KOJID_CAPACITY=16 -KOJI_HUB_FQDN="$(hostname -f)" while true ; do read -p "Country Code (eg, US) " COUNTRY_CODE if [ ${#COUNTRY_CODE} -ne 2 ] ; then 
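Review bot: The new package checks `if [ ! "dnf list installed | grep epel-release" ] ; then` test a non-empty string literal rather than running the pipeline, so the condition is always false and `dnf install` never runs; the same pattern appears in add-koji-builder.sh (epel-release, netcat, nfs-server) and koji-deploy-builder.sh (epel-release, koji-builder). A working form is `if ! rpm -q epel-release >/dev/null 2>&1 ; then`, or simply keep the unconditional `dnf install -y` the removed lines used, since it is idempotent. On a fresh host this also means `nc`, which add-koji-builder.sh relies on for its reachability check, is never installed. Separately, the `curl $SILENT $SCRIPT_GIT/... > $SCRIPT_DIR/...sh` downloads have no `-f`, so an HTTP error body would be saved and later executed as a script; `curl -f $SILENT ...` makes the installer stop under `set -e` instead.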
@@ -65,29 +64,33 @@ while true ; do if [ $ORG_UNIT ] ; then break ; else echo "Organizational Unit MUST be entered" ; fi done -# create the parameter scripts used by deploy scripts -cat > $SCRIPT_DIR/globals.sh <<- EOT -#!/bin/bash -# Copyright (C) 2019 Intel Corporation -# SPDX-License-Identifier: Apache-2.0 +# setup default parameters +KOJI_HUB_FQDN="$(hostname -f)" +KOJI_DIR="/mnt/koji" +TAG_NAME="sme" +RPM_ARCH="x86_64 noarch" +KOJID_CAPACITY=16 +SRC_RPM_DIR= +BIN_RPM_DIR= +DEBUG_RPM_DIR= +EXTERNAL_REPO="http://mirrorlist.centos.org/releases/10/smeos/" -#### START DO NOT EDIT #### +# create the parameter script used by koji scripts +cat > $SCRIPT_DIR/koji-parameters.sh <<- EOT +#!/bin/bash +## Standard locations export POSTGRES_USER=postgres export POSTGRES_DEFAULT_DIR=/var/lib/pgsql export HTTPD_USER=apache export HTTPD_DOCUMENT_ROOT=/var/www/html export KOJI_PKI_DIR=/etc/pki/koji -#### END DO NOT EDIT -EOT - -cat > $SCRIPT_DIR/parameters.sh <<- EOT -#!/bin/bash ## KOJI RPM BUILD AND TRACKER -export KOJI_DIR=/mnt/koji +export SCRIPT_GIT=$SCRIPT_GIT +export KOJI_DIR=$KOJID_DIR export KOJI_HUB_FQDN="$KOJI_HUB_FQDN" export KOJI_URL=http://"$KOJI_HUB_FQDN" export KOJID_CAPACITY=$KOJID_CAPACITY -export TAG_NAME=sme +export TAG_NAME=$TAG_NAME # Use for koji SSL certificates export COUNTRY_CODE='$COUNTRY_CODE' export STATE='$STATE' 
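Review bot: `export KOJI_DIR=$KOJID_DIR` in the generated koji-parameters.sh reads an undefined variable (the value set a few lines above is `KOJI_DIR="/mnt/koji"`), so every script that sources the file gets an empty KOJI_DIR and paths such as `"$KOJI_DIR"/{packages,repos,work,scratch,repos-dist}`, `chown -R ... "$KOJI_DIR"` and the semanage/restorecon calls in koji-deploy-hub.sh resolve relative to `/`. The line should read `export KOJI_DIR=$KOJI_DIR`. The next hunk has the same class of typo in `export DEBUG_RPM_DIR=$DEBUG_PRM_DIR`, which should be `$DEBUG_RPM_DIR`. A `set -u` next to the new `set -e` at the top of the installer would have caught both at run time.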
@@ -95,21 +98,21 @@ export LOCATION='$LOCATION' export ORGANIZATION='$ORGANIZATION' export ORG_UNIT='$ORG_UNIT' # Use for importing existing RPMs -export RPM_ARCH='x86_64' -export SRC_RPM_DIR= -export BIN_RPM_DIR= -export DEBUG_RPM_DIR= +export RPM_ARCH=$RPM_ARCH +export SRC_RPM_DIR=$SRC_RPM_DIR +export BIN_RPM_DIR=$BIN_RPM_DIR +export DEBUG_RPM_DIR=$DEBUG_PRM_DIR # Comment the following if supplying all RPMs as an upstream and not a downstream -export EXTERNAL_REPO=http://mirrorlist.centos.org/releases/10/smeos/ +export EXTERNAL_REPO=$EXTERNAL_REPO ## POSTGRESQL DATABASE export POSTGRES_DIR=/var/lib/pgsql EOT -# deploy thecentral koji components -deploy-koji.sh +# deploy the central koji components +koji-deploy-hub.sh $DEBUG -# if there is a separate koji builder deploy that -PROMPT="Build server FQDN (will default to hub FQDN '$KOJI_HUB_FQDN' if left blank) " +# add builders +PROMPT="Build server FQDN (will default to hub '$KOJI_HUB_FQDN' if left blank) " BSNO=1 while true ; do read -p "$PROMPT" KOJI_BUILD_FQDN @@ -118,11 +121,8 @@ while true ; do if [[ $BSNO -gt 1 ]] ; then break else - KOJI_BUILD_FQDN=$KOJI_HUB_FQDN echo "All-in-one: Hub will now be a build server as well" - curl $SILENT $SCRIPT_GIT/deploy-koji-builder.sh > $SCRIPT_DIR/deploy-koji-builder.sh - chmod o+x $SDRIPT_DIR/deploy-koji-builder.sh - deploy-koji-builder.sh + koji-add-builder.sh $DEBUG break fi fi @@ -134,7 +134,7 @@ while true ; do echo "- FQDN= # if you've mis-typed the name" echo "- IP= # I'll add this to your /etc/hosts file" echo "- # try again (I've started the server)" - echo "- Q # quit this loop" + echo "- Q # quit this loop (give up)" read RESPONSE case $RESPONSE in Q | q ) 
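Review bot: `koji-deploy-hub.sh $DEBUG` invokes the downloaded script by bare name, which only works if `$SCRIPT_DIR` (`~/bin`) is already on root's PATH; the same applies to `koji-add-builder.sh` in the next two hunks, to `koji-bootstrap-build.sh` at the end of the file, and to `koji-deploy-builder.sh $DEBUG` in add-koji-builder.sh. Calling them as `"$SCRIPT_DIR"/koji-deploy-hub.sh $DEBUG` removes that dependency and guarantees the copy just downloaded is the one that runs rather than whatever a PATH lookup finds first. Note also that `chmod o+x $SCRIPT_DIR/*.sh` sets only the "others" execute bit; root can still execute the files as written, but `chmod u+x` is what the owner normally needs.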
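Review bot: `koji-add-builder.sh $DEBUG` (and `koji-add-builder.sh $KOJI_BUILD_FQDN $DEBUG` in the @@ -158 hunk) calls a script that this commit adds as koji-setup/add-koji-builder.sh, and the installer only downloads koji-deploy-hub.sh and koji-bootstrap-build.sh into `$SCRIPT_DIR`, so the call fails with command not found and `set -e` aborts the installer before any builder is configured. Either rename the new file to koji-add-builder.sh to match the other koji-* scripts or change the call; in both cases add `curl -f $SILENT $SCRIPT_GIT/koji-add-builder.sh > $SCRIPT_DIR/koji-add-builder.sh` next to the other downloads so the script exists on the hub.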
@@ -158,64 +158,13 @@ while true ; do ;; esac done + # we found the server and will deploy to it echo "$KOJI_BUILD_FQDN will be Koji Build server No. $BSNO" ((BSNO=BSNO+1)) + koji-add-builder.sh $KOJI_BUILD_FQDN $DEBUG - ## On the HUB - # Add the host entry for the koji builder to the database - sudo -u kojiadmin koji add-host "$KOJI_BUILD_FQDN" "$RPM_ARCH" - # Add the host to the createrepo channel - sudo -u kojiadmin koji add-host-to-channel "$KOJI_BUILD_FQDN" createrepo - # A note on capacity - sudo -u kojiadmin koji edit-host --capacity="$KOJID_CAPACITY" "$KOJI_BUILD_FQDN" - if [ $KOJI_BUILD_FQDN eq $KOJI_HUB_FQDN ] ; then - deploy-koji-builder.sh - else - ## On the HUB - # check if nfs has been installed on the hub (only need to install once) - if [ ! -s /etc/exports ] ; then - # add nfs share for koji files direcory to hub - curl $SILENT $SCRIPT_GIT/deploy-koji-nfs-server.sh > $SCRIPT_DIR/deploy-koji-nfs-server.sh - chmod o+x $SCRIPT_DIR/deploy-koji-nfs-server.sh - deploy-koji-nfs-server.sh $KOJI_BUILD_FQDN - else - # add build server to nfs exports line - echo " $KOJI_BUILD_FQDN(ro,no_root_squash)" >> /etc/exports - fi - # Generate a certificate for the builder - pushd "$KOJI_PKI_DIR" - ./gencert.sh "$KOJI_BUILD_FQDN" "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/CN=$KOJI_BUILD_FQDN" - popd - # generate a hub ssl key if there isn't one already (for scp & ssh to builders) - if [ ! -f /root/.ssh/id-rsa ] ; then - # create a ssh key on build server - mkdir -p ~/.ssh - ssh-keygen -t rsa -f /root/.ssh/id_rsa -N "" - fi - - ## On the BUILDER - # copy the server key into authorized keys on the build server - ssh-copy-id -i ~/.ssh/id_rsa.pub $KOJI_BUILD_FQDN - # copy across the ssl keys - ssh $QUIET root@$KOJI_BUILD_FQDN mkdir $KOJI_PKI_DIR - scp $QUIET $KOJI_PKI_DIR/$KOJI_BUILD_FQDN.pem root@$KOJI_BUILD_FQDN:$KOJI_PKI_DIR/. - scp $QUIET $KOJI_PKI_DIR/koji_ca_cert.crt root@$KOJI_BUILD_FQDN:$KOJI_PKI_DIR/. 
- # copy across the parameter files (we built them on the hub) - ssh $QUIET root@$KOJI_BUILD_FQDN mkdir -p $SCRIPT_DIR - scp $QUIET $SCRIPT_DIR/globals.sh root@$KOJI_BUILD_FQDN:$SCRIPT_DIR/globals.sh - scp $QUIET $SCRIPT_DIR/parameters.sh root@$KOJI_BUILD_FQDN:$SCRIPT_DIR/parameters.sh - # pull down the required scripts - ssh $QUIET root@$KOJI_BUILD_FQDN "curl $SILENT $SCRIPT_GIT/deploy-koji-nfs-client.sh > $SCRIPT_DIR/deploy-koji-nfs-client.sh" - ssh $QUIET root@$KOJI_BUILD_FQDN "curl $SILENT $SCRIPT_GIT/deploy-koji-builder.sh > $SCRIPT_DIR/deploy-koji-builder.sh" - # make them executeable - ssh $QUIET root@$KOJI_BUILD_FQDN "chmod o+x $SCRIPT_DIR/*" - # connect to nfs share - ssh $QUIET root@$KOJI_BUILD_FQDN $SCRIPT_DIR/deploy-koji-nfs-client.sh - # deploy koji builder - ssh $QUIET root@$KOJI_BUILD_FQDN $SCRIPT_DIR/deploy-koji-builder.sh - done -fi +done # -bootstrap-build.sh \ No newline at end of file +koji-bootstrap-build.sh \ No newline at end of file diff --git a/koji-setup/add-koji-builder.sh b/koji-setup/add-koji-builder.sh new file mode 100644 index 0000000..63c6f7d --- /dev/null +++ b/koji-setup/add-koji-builder.sh 
@@ -0,0 +1,123 @@ +#!/bin/bash + +set -e +DEBUG= +SILENT="-s" +QUIET="-q" +for param in $1 $2 ; do + if [ $param ] ; then + case $param in + debug ) + DEBUG="debug" ;; + * ) + KOJI_BUILD_FQDN=$param ;; + esac + else + break + fi +done + +if [ $DEBUG ] ; then + set -x + SILENT= + QUIET="-v" +fi + +# load required parameters +SCRIPT_DIR="$(echo ~)/bin" +if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then + echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting" + exit 1 +fi +source "$SCRIPT_DIR"/koji-parameters.sh +KOJI_HUB_FQDN="$(hostname -f)" + +# pull down any required scripts +curl $SILENT $SCRIPT_GIT/koji-deploy-hub.sh > $SCRIPT_DIR/koji-deploy-hub.sh + +if [ ! -d $SCRIPT_DIR ] ; then mkdir -p $SCRIPT_DIR ; fi + +# install any required packages +if [ ! "dnf list installed | grep epel-release" ] ; then + dnf install -y epel-release $QUIET +fi +if [ ! "dnf list installed | grep netcat" ] ; then + dnf install -y netcat $QUIET +fi + +# if no build server given, deploy locally +if [ -z $KOJI_BUILD_FQDN ] ; then + KOJI_BUILD_FQDN=$KOJI_HUB_FQDN +fi +if [ ! (nc -z $KOJI_BUILD_FQDN 22) ] ; then + echo "I cannot connect to $KOJI_BUILD_FQDN! Is it online? " + echo "Options:" + echo "- turn on the server" + echo "- add this server into the /etc/hosts file on this server" + exit 1 +fi + +## On the HUB +# Add the host entry for the koji builder to the database +sudo -u kojiadmin koji add-host "$KOJI_BUILD_FQDN" "$RPM_ARCH" +# Add the host to the createrepo channel +sudo -u kojiadmin koji add-host-to-channel "$KOJI_BUILD_FQDN" createrepo +# A note on capacity +sudo -u kojiadmin koji edit-host --capacity="$KOJID_CAPACITY" "$KOJI_BUILD_FQDN" +# check if local install or remote +if [ $KOJI_BUILD_FQDN eq $KOJI_HUB_FQDN ] ; then + # deploy locally + echo "All-in-one: Hub will now be a build server as well" + if [ ! 
-f $SCRIPT_DIR/koji-deploy-builder.sh ] then + curl $SILENT $SCRIPT_GIT/koji-deploy-builder.sh > $SCRIPT_DIR/koji-deploy-builder.sh + chmod o+x $SCRIPT_DIR/koji-deploy-builder.sh + fi + koji-deploy-builder.sh $DEBUG +else + ## On the HUB + # check if nfs has been installed on the hub (only need to install once) + if [ ! "dnf list installed | grep nfs-server" ] ; then + # add nfs share for koji files direcory to hub + curl $SILENT $SCRIPT_GIT/koji-deploy-nfs-server.sh > $SCRIPT_DIR/koji-deploy-nfs-server.sh + chmod o+x $SCRIPT_DIR/koji-deploy-nfs-server.sh + koji-deploy-nfs-server.sh $DEBUG + fi + + # add build server to nfs exports line + # echo " $KOJI_BUILD_FQDN(ro,no_root_squash)" >> /etc/exports + + # Generate a certificate for the builder + pushd "$KOJI_PKI_DIR" + ./gencert.sh "$KOJI_BUILD_FQDN" "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/CN=$KOJI_BUILD_FQDN" + popd + # generate a hub ssl key if there isn't one already (for scp & ssh to builder) + if [ ! -f /root/.ssh/id-rsa ] ; then + # create a ssh key on build server + mkdir -p ~/.ssh + ssh-keygen -t rsa -f /root/.ssh/id_rsa -N "" + fi + + ## On the BUILDER + # copy the server key into authorized keys on the build server + ssh-copy-id -i ~/.ssh/id_rsa.pub $KOJI_BUILD_FQDN + # copy across the ssl keys + ssh $QUIET root@$KOJI_BUILD_FQDN mkdir $KOJI_PKI_DIR + scp $QUIET $KOJI_PKI_DIR/$KOJI_BUILD_FQDN.pem root@$KOJI_BUILD_FQDN:$KOJI_PKI_DIR/. + scp $QUIET $KOJI_PKI_DIR/koji_ca_cert.crt root@$KOJI_BUILD_FQDN:$KOJI_PKI_DIR/. 
+ # copy across the parameter files (we built them on the hub) + ssh $QUIET root@$KOJI_BUILD_FQDN mkdir -p $SCRIPT_DIR + scp $QUIET $SCRIPT_DIR/koji-parameters.sh root@$KOJI_BUILD_FQDN:$SCRIPT_DIR/koji-parameters.sh + # pull down the required scripts + ssh $QUIET root@$KOJI_BUILD_FQDN "curl $SILENT $SCRIPT_GIT/koji-deploy-nfs-client.sh > $SCRIPT_DIR/koji-deploy-nfs-client.sh" + ssh $QUIET root@$KOJI_BUILD_FQDN "curl $SILENT $SCRIPT_GIT/koji-deploy-builder.sh > $SCRIPT_DIR/koji-deploy-builder.sh" + # make them executeable + ssh $QUIET root@$KOJI_BUILD_FQDN "chmod o+x $SCRIPT_DIR/*" + + # connect to nfs share + ssh $QUIET root@$KOJI_BUILD_FQDN $SCRIPT_DIR/koji-deploy-nfs-client.sh $DEBUG + # deploy koji builder + ssh $QUIET root@$KOJI_BUILD_FQDN $SCRIPT_DIR/koji-deploy-builder.sh $DEBUG +fi + +# +koji-bootstrap-build.sh $DEBUG \ No newline at end of file diff --git a/koji-setup/koji-deploy-builder.sh b/koji-setup/koji-deploy-builder.sh new file mode 100755 index 0000000..32e082f --- /dev/null +++ b/koji-setup/koji-deploy-builder.sh 
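Review bot: add-koji-builder.sh does not parse: `if [ ! (nc -z $KOJI_BUILD_FQDN 22) ] ; then` puts a subshell inside `[ ]`, and `if [ ! -f $SCRIPT_DIR/koji-deploy-builder.sh ] then` lacks the `;` before `then`. `if [ $KOJI_BUILD_FQDN eq $KOJI_HUB_FQDN ]` uses `eq`, which is not a test operator, so the test errors, the else branch is taken, and an all-in-one install goes through the remote ssh/scp path against the hub itself. The ssh key guard checks `/root/.ssh/id-rsa` while ssh-keygen writes `id_rsa`, so the key is regenerated (with an interactive overwrite prompt) on every run, and `./gencert.sh` is called after koji-deploy-hub.sh has copied the script into `$KOJI_PKI_DIR` under its new name koji-gencert.sh. The commented-out `# echo " $KOJI_BUILD_FQDN(ro,no_root_squash)" >> /etc/exports` also means remote builders never receive an NFS export entry. The corrected lines are below.
```shell
if ! nc -z "$KOJI_BUILD_FQDN" 22 ; then
# … unchanged: connectivity hints, exit 1, koji add-host / add-host-to-channel / edit-host …
if [ "$KOJI_BUILD_FQDN" = "$KOJI_HUB_FQDN" ] ; then
  # deploy locally
  echo "All-in-one: Hub will now be a build server as well"
  if [ ! -f "$SCRIPT_DIR"/koji-deploy-builder.sh ] ; then
# … unchanged: download, chmod, koji-deploy-builder.sh call, nfs-server branch …
  ./koji-gencert.sh "$KOJI_BUILD_FQDN" "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/CN=$KOJI_BUILD_FQDN"
# … unchanged: popd …
  if [ ! -f /root/.ssh/id_rsa ] ; then
# … unchanged: ssh-keygen, ssh-copy-id, scp of certificates and parameters, remote deploy …
```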
@@ -0,0 +1,85 @@ +#!/bin/bash +# Copyright (C) 2019 Intel Corporation +# SPDX-License-Identifier: Apache-2.0 + +set -e +DEBUG= +SILENT="-s" +QUIET="-q" +for param in $1 $2 ; do + if [ $param ] ; then + case $param in + debug ) + DEBUG="debug" ;; + esac + else + break + fi +done + +if [ $DEBUG ] ; then + set -x + SILENT= + QUIET="-v" +fi + +# load required parameters +SCRIPT_DIR="$(dirname "$(realpath "$0")")" +if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then + echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting" + exit 1 +fi +source "$SCRIPT_DIR"/koji-parameters.sh +KOJI_BUILD_FQDN="$(hostname -f)" + +# Install the koji builder componelts from epel +if [ ! "dnf list installed | grep epel-release" ] ; then + dnf install -y epel-release $QUIET +fi +if [ ! "dnf list installed | grep koji-builder" ] ; then + dnf install -y koji-builder +fi + +# Create mock folders and permissions +mkdir -p /etc/mock/koji +mkdir -p /var/lib/mock +chown -R root:mock /var/lib/mock + +# Setup User Accounts +# useradd -r kojibuilder +usermod -G mock kojibuilder + +# Kojid Configuration Files +KOJI_TOP_DIR="$KOJI_DIR" +mkdir -p /etc/kojid +cat > /etc/kojid/kojid.conf <<- EOF +[kojid] +sleeptime=5 +maxjobs=16 +topdir=$KOJI_TOP_DIR +workdir=/tmp/koji +mockdir=/var/lib/mock +mockuser=kojibuilder +mockhost=generic-linux-gnu +user=$KOJI_BUILD_FQDN +server=$KOJI_URL/kojihub +topurl=$KOJI_URL/kojifiles +use_createrepo_c=True +allowed_scms=$GIT_FQDN:/packages/* +cert = $KOJI_PKI_DIR/$KOJI_BUILD_FQDN.pem +serverca = $KOJI_PKI_DIR/koji_ca_cert.crt +EOF + +if env | grep -q proxy; then + echo "yum_proxy = $https_proxy" >> /etc/kojid/kojid.conf + mkdir -p /etc/systemd/system/kojid.service.d + cat > /etc/systemd/system/kojid.service.d/00-proxy.conf <<- EOF + [Service] + Environment="http_proxy=$http_proxy" + Environment="https_proxy=$https_proxy" + Environment="no_proxy=$no_proxy" + EOF + systemctl daemon-reload +fi + +systemctl enable --now kojid 
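Review bot: kojid.conf is written with `cert = $KOJI_PKI_DIR/$KOJI_BUILD_FQDN.pem`, but in the all-in-one path nothing generates that certificate: koji-deploy-hub.sh only issues kojiweb, kojihub, kojiadmin and kojira certificates, and the local branch of add-koji-builder.sh skips the gencert call that its remote branch makes, so kojid is enabled with a client certificate path that does not exist. Generating `$KOJI_HUB_FQDN.pem` in that local branch (or here, when `$KOJI_PKI_DIR/$KOJI_BUILD_FQDN.pem` is missing) closes the gap. `usermod -G mock kojibuilder` replaces the user's supplementary groups rather than adding one; `usermod -aG mock kojibuilder` is the usual form, and since `useradd -r kojibuilder` is commented out it presumably relies on the koji-builder package creating the user — worth confirming. `maxjobs=16` is hard-coded while `KOJID_CAPACITY` is exported from koji-parameters.sh; `maxjobs=$KOJID_CAPACITY` keeps the two in step.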
diff --git a/koji-setup/koji-deploy-hub.sh b/koji-setup/koji-deploy-hub.sh
new file mode 100644
index 0000000..883d75f
--- /dev/null
+++ b/koji-setup/koji-deploy-hub.sh
@@ -0,0 +1,375 @@ +#!/bin/bash +# SPDX-License-Identifier: Apache-2.0 + +set -e +DEBUG= +SILENT="-s" +QUIET="-q" +for param in $1 $2 ; do + if [ $param ] ; then + case $param in + debug ) + DEBUG="debug" ;; + * ) + KOJI_BUILD_FQDN=$param ;; + esac + else + break + fi +done + +if [ $DEBUG ] ; then + set -x + SILENT= + QUIET="-v" +fi + +# load required parameters +SCRIPT_DIR="$(dirname "$(realpath "$0")")" +if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then + echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting" + exit 1 +fi +source "$SCRIPT_DIR"/koji-parameters.sh + +# pull down any required scripts +if [ ! -f $SCRIPTS_DIR/koji-gencert.sh ] ; then + curl $SILENT $SCRIPT_GIT/koji-deploy-hub.sh > $SCRIPT_DIR/koji-deploy-hub.sh +fi + +# Install all the required packages (some live in the epel repo, so we need to install that too) +dnf config-manager --set-enabled powertools $QUIET +dnf install -y epel-release $QUIET +dnf install -y koji-hub mod_ssl koji koji-web koji-utils policycoreutils-python-utils $QUIET +dnf module enable postgresql:10 -y $QUIET +dnf install -y postgresql-server $QUIET + +## SETTING UP SSL CERTIFICATES FOR AUTHENTICATION +mkdir -p "$KOJI_PKI_DIR"/{certs,private} +RANDFILE="$KOJI_PKI_DIR"/.rand +dd if=/dev/urandom of="$RANDFILE" bs=256 count=1 + +# Certificate generation +cat > "$KOJI_PKI_DIR"/ssl.cnf <<- EOF +HOME = $KOJI_PKI_DIR +RANDFILE = $RANDFILE + +[ca] +default_ca = ca_default + +[ca_default] +dir = $KOJI_PKI_DIR +certs = \$dir/certs +crl_dir = \$dir/crl +database = \$dir/index.txt +new_certs_dir = \$dir/newcerts +certificate = \$dir/%s_ca_cert.pem +private_key = \$dir/private/%s_ca_key.pem +serial = \$dir/serial +crl = \$dir/crl.pem +x509_extensions = usr_cert +name_opt = ca_default +cert_opt = ca_default +default_days = 3650 +default_crl_days = 30 +default_md = sha512 +preserve = no +policy = policy_match + +[policy_match] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional 
+commonName = supplied +emailAddress = optional + +[req] +default_bits = 4096 +default_keyfile = privkey.pem +default_md = sha512 +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca # The extensions to add to the self signed cert +string_mask = MASK:0x2002 + +[req_distinguished_name] +countryName = Country Name (2 letter code) +countryName_min = 2 +countryName_max = 2 +stateOrProvinceName = State or Province Name (full name) +localityName = Locality Name (eg, city) +0.organizationName = Organization Name (eg, company) +organizationalUnitName = Organizational Unit Name (eg, section) +commonName = Common Name (eg, your name or your server\'s hostname) +commonName_max = 64 +emailAddress = Email Address +emailAddress_max = 64 + +[req_attributes] +challengePassword = A challenge password +challengePassword_min = 8 +challengePassword_max = 64 +unstructuredName = An optional company name + +[usr_cert] +basicConstraints = CA:FALSE +nsComment = "OpenSSL Generated Certificate" +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always + +[v3_ca] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = CA:true +EOF + +# Generate and trust CA +touch "$KOJI_PKI_DIR"/index.txt +echo 01 > "$KOJI_PKI_DIR"/serial +openssl genrsa -out "$KOJI_PKI_DIR"/private/koji_ca_cert.key 2048 +openssl req -subj "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=koji_ca/CN=$KOJI_HUB_FQDN" -config "$KOJI_PKI_DIR"/ssl.cnf -new -x509 -days 3650 -key "$KOJI_PKI_DIR"/private/koji_ca_cert.key -out "$KOJI_PKI_DIR"/koji_ca_cert.crt -extensions v3_ca +mkdir -p /etc/ca-certs/trusted + +# Generate the koji component certificates and the admin certificate and generate a PKCS12 user certificate (for web browser) +cp "$SCRIPT_DIR"/koji-gencert.sh "$KOJI_PKI_DIR" $DEBUG +pushd "$KOJI_PKI_DIR" +gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_HUB_FQDN" 
+gencert.sh kojihub "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojihub/CN=$KOJI_HUB_FQDN" +gencert.sh kojiadmin "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojiadmin" +gencert.sh kojira "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=$ORG_UNIT/CN=kojira" +popd + +# Copy certificates into ~/.koji for kojiadmin +useradd kojiadmin +ADMIN_KOJI_DIR="$(echo ~kojiadmin)"/.koji +mkdir -p "$ADMIN_KOJI_DIR" +cp -f "$KOJI_PKI_DIR"/kojiadmin.pem "$ADMIN_KOJI_DIR"/client.crt +cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/clientca.crt +cp -f "$KOJI_PKI_DIR"/koji_ca_cert.crt "$ADMIN_KOJI_DIR"/serverca.crt +chown -R kojiadmin:kojiadmin "$ADMIN_KOJI_DIR" + + +## POSTGRESQL SERVER +# Initialize PostgreSQL DB +mkdir -p "$POSTGRES_DIR" +chown -R "$POSTGRES_USER":"$POSTGRES_USER" "$POSTGRES_DIR" +if [[ "$POSTGRES_DIR" != "$POSTGRES_DEFAULT_DIR" ]]; then + if [ "$(ls -A "$POSTGRES_DEFAULT_DIR")" ]; then + mv "$POSTGRES_DEFAULT_DIR" "$POSTGRES_DEFAULT_DIR".old + else + rm -rf "$POSTGRES_DEFAULT_DIR" + fi + ln -sf "$POSTGRES_DIR" "$POSTGRES_DEFAULT_DIR" + chown -h "$POSTGRES_USER":"$POSTGRES_USER" "$POSTGRES_DEFAULT_DIR" +fi +sudo -u "$POSTGRES_USER" initdb --pgdata "$POSTGRES_DEFAULT_DIR"/data +systemctl enable --now postgresql + +# Setup User Accounts +useradd -r koji + +# Setup PostgreSQL and populate schema +sudo -u "$POSTGRES_USER" createuser --no-superuser --no-createrole --no-createdb koji +sudo -u "$POSTGRES_USER" createdb -O koji koji +sudo -u koji psql koji koji < /usr/share/doc/koji*/docs/schema.sql + +# Authorize Koji-web and Koji-hub resources +cat > "$POSTGRES_DEFAULT_DIR"/data/pg_hba.conf <<- EOF +#TYPE DATABASE USER CIDR-ADDRESS METHOD +host koji all 127.0.0.1/32 trust +host koji all ::1/128 trust +local koji all trust +EOF +systemctl reload postgresql + +# Bootstrapping the initial koji admin user into the PostgreSQL database +# SSL Certificate authentication +sudo -u koji psql -c "insert into users (name, 
status, usertype) values ('kojiadmin', 0, 0);" + +# Give yourself admin permissions +sudo -u koji psql -c "insert into user_perms (user_id, perm_id, creator_id) values (1, 1, 1);" + +## KOJI CONFIGURATION FILES +# Koji Hub +mkdir -p /etc/koji-hub +cat > /etc/koji-hub/hub.conf <<- EOF +[hub] +DBName = koji +DBUser = koji +KojiDir = $KOJI_DIR +DNUsernameComponent = CN +ProxyDNs = C=$COUNTRY_CODE,ST=$STATE,L=$LOCATION,O=$ORGANIZATION,OU=kojiweb,CN=$KOJI_HUB_FQDN +LoginCreatesUser = On +KojiWebURL = $KOJI_URL/koji +DisableNotifications = True +EOF + +mkdir -p /etc/httpd/conf.d +cat > /etc/httpd/conf.d/kojihub.conf <<- EOF +Alias /kojihub /usr/share/koji-hub/kojiapp.py + + Options ExecCGI + SetHandler wsgi-script + Require all granted + +Alias /kojifiles "$KOJI_DIR" + + Options Indexes SymLinksIfOwnerMatch + AllowOverride None + Require all granted + + + SSLVerifyClient require + SSLVerifyDepth 10 + SSLOptions +StdEnvVars + +EOF + +# SELinux changes to allow db access +setsebool -P httpd_can_network_connect_db 1 + +# Koji Web +mkdir -p /etc/kojiweb +cat > /etc/kojiweb/web.conf <<- EOF +[web] +SiteName = koji +KojiHubURL = $KOJI_URL/kojihub +KojiFilesURL = $KOJI_URL/kojifiles +WebCert = $KOJI_PKI_DIR/kojiweb.pem +ClientCA = $KOJI_PKI_DIR/koji_ca_cert.crt +KojiHubCA = $KOJI_PKI_DIR/koji_ca_cert.crt +LoginTimeout = 72 +Secret = NITRA_IS_NOT_CLEAR +LibPath = /usr/share/koji-web/lib +LiteralFooter = True +EOF + +mkdir -p /etc/httpd/conf.d +cat > /etc/httpd/conf.d/kojiweb.conf <<- EOF +Alias /koji "/usr/share/koji-web/scripts/wsgi_publisher.py" + + Options ExecCGI + SetHandler wsgi-script + Require all granted + +Alias /koji-static "/usr/share/koji-web/static" + + Options None + AllowOverride None + Require all granted + +EOF + +# SELinux changes to allow httpd network access +setsebool -P httpd_can_network_connect 1 + +# Koji CLI +cat > /etc/koji.conf <<- EOF +[koji] +server = $KOJI_URL/kojihub +weburl = $KOJI_URL/koji +topurl = $KOJI_URL/kojifiles +topdir = $KOJI_DIR +cert 
= ~/.koji/client.crt +serverca = ~/.koji/serverca.crt +anon_retry = true +EOF + +## KOJI APPLICATION HOSTING +# Koji Filesystem Skeleton +mkdir -p "$KOJI_DIR"/{packages,repos,work,scratch,repos-dist} +chown -R "$HTTPD_USER":"$HTTPD_USER" "$KOJI_DIR" + +# twealk SELinux to allow $HTTPD_USER write access +setsebool -P allow_httpd_anon_write=1 +semanage fcontext -a -t public_content_rw_t "$KOJI_DIR(/.*)?" +restorecon -r -v $KOJI_DIR + +## Apache Configuration Files +mkdir -p /etc/httpd/conf.d +cat > /etc/httpd/conf.d/ssl.conf <<- EOF +ServerName $KOJI_HUB_FQDN + +Listen 443 https + +#SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog + +#SSLSessionCache shmcb:/run/httpd/sslcache(512000) + +SSLRandomSeed startup file:/dev/urandom 256 +SSLRandomSeed connect builtin + + + ErrorLog /var/log/httpd/ssl_error_log + TransferLog /var/log/httpd/ssl_access_log + LogLevel warn + + SSLEngine on + SSLHonorCipherOrder on + SSLCipherSuite PROFILE=SYSTEM + SSLProxyCipherSuite PROFILE=SYSTEM + + SSLCertificateFile $KOJI_PKI_DIR/kojihub.pem + SSLCertificateKeyFile $KOJI_PKI_DIR/private/kojihub.key + SSLCertificateChainFile $KOJI_PKI_DIR/koji_ca_cert.crt + SSLCACertificateFile $KOJI_PKI_DIR/koji_ca_cert.crt + SSLVerifyClient require + SSLVerifyDepth 10 + + + SSLOptions +StdEnvVars + + + SSLOptions +StdEnvVars + + + CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" + +EOF + +mkdir -p /etc/httpd/conf.modules.d +cat > /etc/httpd/conf.modules.d/wsgi.conf <<- EOF +WSGISocketPrefix /run/httpd/wsgi +EOF +cat > /etc/httpd/conf.modules.d/ssl.conf <<- EOF +LoadModule ssl_module lib/httpd/modules/mod_ssl.so +EOF + +# allow httpd access through firewall +firewall-cmd --permanent --add-service=http +firewall-cmd --permanent --add-service=https +firewall-cmd --reload + +# enable and start the httpd service +systemctl enable --now httpd + + +## TEST KOJI CONNECTIVITY +sudo -u kojiadmin koji moshimoshi + + +## KOJIRA - DNF|YUM REPOSITORY CREATION AND 
MAINTENANCE +# Add the user entry for the kojira user +sudo -u kojiadmin koji add-user kojira +sudo -u kojiadmin koji grant-permission repo kojira + +# Kojira Configuration Files +mkdir -p /etc/kojira +cat > /etc/kojira/kojira.conf <<- EOF +[kojira] +server=$KOJI_URL/kojihub +topdir=$KOJI_DIR +logfile=/var/log/kojira.log +cert = $KOJI_PKI_DIR/kojira.pem +serverca = $KOJI_PKI_DIR/koji_ca_cert.crt +EOF + +# Ensure postgresql is started prior to running kojira service +mkdir -p /etc/systemd/system/kojira.service.d +cat > /etc/systemd/system/kojira.service.d/after-postgresql.conf < /etc/systemd/system/"$KOJI_MOUNT_SERVICE" <<- EOF +[Unit] +Description=Koji NFS Mount +After=network.target + +[Mount] +What=$KOJI_HUB_FQDN:$KOJI_DIR +Where=$KOJI_DIR +Type=nfs +Options=defaults,ro + +[Install] +WantedBy=multi-user.target +EOF +systemctl daemon-reload +systemctl enable --now "$KOJI_MOUNT_SERVICE" diff --git a/koji-setup/koji-deploy-nfs-server.sh b/koji-setup/koji-deploy-nfs-server.sh new file mode 100755 index 0000000..2755c41 --- /dev/null +++ b/koji-setup/koji-deploy-nfs-server.sh 
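Review bot: The koji-gencert.sh handling in koji-deploy-hub.sh is broken in three places: the guard tests `$SCRIPTS_DIR/koji-gencert.sh` (an undefined variable, so it checks `/koji-gencert.sh`), the download it triggers fetches koji-deploy-hub.sh rather than koji-gencert.sh, `cp "$SCRIPT_DIR"/koji-gencert.sh "$KOJI_PKI_DIR" $DEBUG` passes the debug flag as a third cp operand when debug is given, and the four `gencert.sh kojiweb ...` calls use the old bare name instead of `./koji-gencert.sh`. kojiweb's `Secret = NITRA_IS_NOT_CLEAR` is a fixed value committed to the repo and shared by every deployment; generating it per install inside the heredoc, `Secret = $(openssl rand -hex 32)`, keeps it unique and out of version control. `mkdir -p "$KOJI_PKI_DIR"/{certs,private}` leaves the CA and hub private keys under the default umask; `chmod 700 "$KOJI_PKI_DIR"/private` before the `openssl genrsa` calls is the usual hardening. The hunk appears truncated in this view after the kojira drop-in, where it runs into what looks like the koji-deploy-nfs-client.sh mount unit, so the part in between has not been reviewed.
```shell
if [ ! -f "$SCRIPT_DIR"/koji-gencert.sh ] ; then
  curl -f $SILENT "$SCRIPT_GIT"/koji-gencert.sh > "$SCRIPT_DIR"/koji-gencert.sh
  chmod o+x "$SCRIPT_DIR"/koji-gencert.sh
fi
# … unchanged: package installation, ssl.cnf, CA generation …
cp "$SCRIPT_DIR"/koji-gencert.sh "$KOJI_PKI_DIR"
pushd "$KOJI_PKI_DIR"
./koji-gencert.sh kojiweb "/C=$COUNTRY_CODE/ST=$STATE/L=$LOCATION/O=$ORGANIZATION/OU=kojiweb/CN=$KOJI_HUB_FQDN" $DEBUG
# … unchanged: kojihub, kojiadmin and kojira certificates, called the same way …
```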
@@ -0,0 +1,47 @@ +#!/bin/bash +# SPDX-License-Identifier: Apache-2.0 + +set -e +DEBUG= +SILENT="-s" +QUIET="-q" +for param in $1 $2 ; do + if [ $param ] ; then + case $param in + debug ) + DEBUG="debug" ;; + esac + else + break + fi +done + +if [ $DEBUG ] ; then + set -x + SILENT= + QUIET="-v" +fi + +# load required parameters +SCRIPT_DIR="$(dirname "$(realpath "$0")")" +if [ ! -f "$SCRIPT_DIR"/koji-parameters.sh ] ; then + echo "$SCRIPT_DIR/koji-parameters.sh NOT found - aborting" + exit 1 +fi +source "$SCRIPT_DIR"/koji-parameters.sh + +dnf install -y nfs-utils $QUIET + +# Export server directory to be mounted by clients - add script will add clients +echo "$KOJI_DIR" >> /etc/exports + +# allow nfs usage in selinux and firewall +setsebool -P httpd_use_nfs=1 + +firewall-cmd --permanent --add-service=nfs +firewall-cmd --permanent --add-service=mountd +firewall-cmd --permanent --add-service=rpc-bind +firewall-cmd --reload + +systemctl enable --now rpcbind +systemctl enable --now nfs-server diff --git a/koji-setup/gencert.sh b/koji-setup/koji-gencert.sh similarity index 78% rename from koji-setup/gencert.sh rename to koji-setup/koji-gencert.sh index 9c6c896..f469354 100755 --- a/koji-setup/gencert.sh +++ b/koji-setup/koji-gencert.sh @@ -1,10 +1,30 @@ #!/bin/bash -# Copyright (C) 2019 Intel Corporation # SPDX-License-Identifier: Apache-2.0 +set -e KOJI_USER="$1" CERT_SUBJECT="$2" +DEBUG= +SILENT="-s" +QUIET="-q" +for param in $3 ; do + if [ $param ] ; then + case $param in + debug ) + DEBUG="debug" ;; + esac + else + break + fi +done + +if [ $DEBUG ] ; then + set -x + SILENT= + QUIET="-v" +fi + openssl genrsa -out private/"$KOJI_USER".key 2048 if [ -z "$CERT_SUBJECT" ]; then openssl req -config ssl.cnf -new -nodes -out certs/"$KOJI_USER".csr -key private/"$KOJI_USER".key diff --git a/koji-setup/koji-parameters.sh b/koji-setup/koji-parameters.sh new file mode 100644 index 0000000..156d74d --- /dev/null +++ b/koji-setup/koji-parameters.sh 
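Review bot: `echo "$KOJI_DIR" >> /etc/exports` writes an export line with no client list; as far as I recall exportfs treats that as an export to every host (it warns and suggests `*`), so the Koji tree becomes readable by anything that can reach the NFS port, and the line is appended again on every run. Since add-koji-builder.sh knows the builder name, exporting per builder there is simpler and keeps the client list explicit: `exportfs -o ro,sync,no_subtree_check "$KOJI_BUILD_FQDN:$KOJI_DIR"` (or an `/etc/exports` entry of the form `$KOJI_DIR $KOJI_BUILD_FQDN(ro,sync,no_subtree_check)` followed by `exportfs -ra`). The commented-out `(ro,no_root_squash)` fragment in add-koji-builder.sh would not work as written either, since appending it starts a new line rather than extending the existing entry, and `no_root_squash` is unnecessary for a read-only mount.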
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-License-Identifier: Apache-2.0
+
+## Standard locations
+export POSTGRES_USER=postgres
+export POSTGRES_DEFAULT_DIR=/var/lib/pgsql
+export HTTPD_USER=apache
+export HTTPD_DOCUMENT_ROOT=/var/www/html
+export KOJI_PKI_DIR=/etc/pki/koji
+
+## KOJI RPM BUILD AND TRACKER
+export KOJI_DIR=/mnt/koji
+export KOJI_URL=http://"$KOJI_HUB_FQDN"
+export KOJID_CAPACITY=16
+export TAG_NAME=sme
+# Use for koji SSL certificates
+export COUNTRY_CODE='EX'
+export STATE='Example'
+export LOCATION='Example'
+export ORGANIZATION='Koozali'
+export ORG_UNIT='Koji'
+# Use for importing existing RPMs
+export RPM_ARCH='x86_64 noarch'
+export SRC_RPM_DIR=
+export BIN_RPM_DIR=
+export DEBUG_RPM_DIR=
+# Comment the following if supplying all RPMs as an upstream and not a downstream
+export EXTERNAL_REPO=http://mirrorlist.centos.org/releases/10/smeos/
+
+## POSTGRESQL DATABASE
+export POSTGRES_DIR=/var/lib/pgsql
+
+## GIT REPOSITORIES
+export GIT_DIR=
+export GIT_FQDN="https://src.koozali.org/"
+
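Review bot: `export KOJI_URL=http://"$KOJI_HUB_FQDN"` references a variable this file never defines, and koji-deploy-hub.sh sources the file without setting KOJI_HUB_FQDN itself, so whenever this committed copy (rather than the one install-koji-farm.sh generates) is the one in SCRIPT_DIR the hub is configured with `KOJI_URL=http://` and certificate subjects ending in `CN=`. Adding `export KOJI_HUB_FQDN="${KOJI_HUB_FQDN:-$(hostname -f)}"` above the KOJI_URL line makes the file usable on its own. `GIT_FQDN="https://src.koozali.org/"` is consumed by koji-deploy-builder.sh as `allowed_scms=$GIT_FQDN:/packages/*`, which expands to `https://src.koozali.org/:/packages/*`; I believe kojid's allowed_scms expects `host:path` patterns, so this should probably be the bare hostname, but confirm against the kojid documentation before changing it.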