Skip to content

osbuild/koji-osbuild

Repository files navigation

Koji osbuild

This project provides osbuild integration with Koji. It makes it possible to build images and other OS artifacts via osbuild-composer through koji, This is done via three plugins:

  • Koji hub plugin: Provides a new XMLRPC API endpoint that clients can use to create new osbuildImage Koji tasks.

  • Koji builder plugin: Handles osbuildImage Koji tasks and will talk to osbuild-composer to create new composes via composer's Koji API.

  • Koji cli plugin: Adds a new osbuild-image to the existing koji command line client. This will then use the new XMLRPC API to request a new compose.

The following image visualizes the overall architecture and integration points of koji-osbuild with koji/brew and Composer:

overview

Installation

The plugins need to be installed on the machines running the corresponding services. Installation via RPMs is recommended. The RPMs for the latest git commit of the source can be easily created via meson:

meson . build
ninja -C build rpms

The RPMs should then be in build/rpmbuild. The hub and builder plugin also need to be explicitly enabled in the respective configuration files. The hub plugin configuration file at /etc/koji-hub/hub.conf. The plugin is enabled by adding osbuild to the Plugins directive. The builder: configuration file at /etc/kojid/kojid.conf. Here osbuild needs to be added to the plugin directive. For an example, see the test container configuration files hub.conf for the hub and kojid.conf for the builder.

Additionally, an osbuild-composer instance, at least version 21, with the koji API enabled needs to be running and reachable via TCP from the host running the koji builder.

Configuration

The builder plugin needs to be configured via a builder.conf file that can be located in either /usr/share/koji-osbuild or /etc/koji-osbuild.

[composer]
# The host, port and transport (https vs http) of osbuild composer
# NB: The 'https' transport is required for SSL/TLS authorization
server = https://composer.osbuild.org

# Authorization via client side certificates: can be either a pair of
# certificate and key files separated by comma or a file combining both.
ssl_cert = /share/worker-crt.pem, /share/worker-key.pem

# Verification of the server side: either a boolean (True / False) to
# enable or disable verification, or a path to a CA_BUNDLE file or a
# directory containing certificates of trusted CAs.
ssl_verify = /share/worker-ca.pem

# URI of proxy that's used for all composer requests including requests to
# an OAuth server if OAuth is enabled. Note that this proxy isn't used
# to route any requests for Koji hub.
proxy = http://squid.example.com:3128

[composer:oauth]
# Authorization via OAuth2/SSO, as alternative to client side certs.
# The "Client Credentials Grant" (RFC 6749 section 4.4) flow is used,
# which requires the client id and secret to be specified as well as
# the endpoint of where to obtain tokens.

# String that uniquely identifies the client (RFC 6749, 2.2).
client_id = koji

# Secret corresponding to the client id.
client_secret = koji

# URL to the endpoint that will provide the token.
token_url = https://localhost:8081/token

[koji]
# The URL to the koji hub XML-RPC endpoint
server = https://koji.fedoraproject.org/kojihub

Development

See HACKING.md for how to develop and test this project.