#740 CBS tags and group for AutoSD
Closed: Fixed 2 years ago by pingou. Opened 2 years ago by pingou.

A little while ago the Automotive SIG introduced autosd: https://lists.centos.org/pipermail/centos-automotive-sig/2022-March/000073.html
However, we currently do not have a way to distinguish between builds that are meant to go into AutoSD (and thus the RH product down the line) and builds that are experimental or work in progress and may or may not land into autosd down the line.

The easiest solution for this, I believe, is to have new tags in CBS dedicated for AutoSD.
However, since AutoSD is the public, in development, version of a product, not everyone in the Automotive SIG should be able to interact with it, so we need to allow only a subset of the automotive SIG members. The list of people authorized to interact with autosd can be maintained by the Automotive SIG, I figure this list of people could simply be a group defined in ACO.

So our ask is:
- Create new CBS tags for AutoSD
- Restrict who can tag builds into those tags to a list of people the Automotive SIG will maintain

I'm happy to provide the $sig, $version, $project, $version variables as in #464 once we have a known path forward as I believe this is the first request of this type.


Note: we'll need the autosd tags to not allow building from SRPM as well

As the current automated workflow for cbs/mirrors/etc is based on the sig-<name> convention, maybe it would be better, if autosd has some restrictions and so not the same members list as sig-automotive, that it would be its own "virtual" sig? Something like sig-autosd? We can have people be members of both, same for sponsorship level, and so nothing to change elsewhere (as the autosd* tags would automatically inherit permissions from the sig-autosd group, so basically like it's done for all existing SIGs).

Having a sig-autosd group would work for me.

I figure this would make the tags be:

$sig = autosd
$version = 9s
$project = packages
$version = main

Leading to:
autosd9s-packages-main-{candidate,testing,release}

which would then publish to:
/SIGs/9-stream/autosd/$arch/packages/main

Metadata Update from @arrfab:
- Issue assigned to arrfab

2 years ago

Metadata Update from @arrfab:
- Issue tagged with: authentication, cbs, centos-common-infra, high-gain, medium-gain

2 years ago

@pingou thanks for confirmation. The only question I have is about gpg signing: can we just instruct the signing process to use the sig-automotive gpg key for these tags? Or do you want a new one?

Metadata Update from @arrfab:
- Issue priority set to: Waiting on External (was: Needs Review)

2 years ago

Give me a little time, I'd like to discuss this with more folks from the SIG. The first feedback seems to be to go for 1 key for both, but I'd like to discuss it with a wider audience.

I'll get back to you asap :)

sig-autosd group created: https://accounts.centos.org/group/sig-autosd/

cbs/koji tags created too:

* Checking distribution el9s configuration...
 -> Checking autosd config...
Using default options for autosd/packages
Creating tag  : autosd9s-packages-main-candidate
Creating tag  : autosd9s-packages-main-testing
Creating tag  : autosd9s-packages-main-release
 -> creating autosd9s-packages-main-el9s
Added external repo centos9s-baseos to tag autosd9s-packages-main-el9s-build (priority 5)
Added external repo centos9s-appstream to tag autosd9s-packages-main-el9s-build (priority 10)
Added external repo centos9s-crb to tag autosd9s-packages-main-el9s-build (priority 15)

Waiting for the gpg key info, but you can start building in these tags. BTW, it's using just the default repositories for the buildroot, so if you need other ones (like centos9s-buildroot), just update this ticket and I can modify the koji tags.

So we've agreed on using the same key for both tags for the moment. If needed we may ask you to help revise this in the future :)

As for centos9s-buildroot I think we want it for both the automotive and the autosd tags, could you adjust both?

It was already added on the automotive tags, which is the reason why I asked for the autosd one :-)

It's now added

cbs taginfo autosd9s-packages-main-el9s-build
Tag: autosd9s-packages-main-el9s-build [2609]
Arches: x86_64 aarch64
Groups: build, srpm-build
Tag options:
  mock.new_chroot : 0
  mock.package_manager : 'dnf'
  mock.yum.module_hotfixes : 1
This tag is a buildroot for one or more targets
Current repo: repo#904556: 2022-04-12 14:50:15.043388+00:00
Targets that build from this tag:
  autosd9s-packages-main-el9s
External repos:
    5 centos9s-baseos (http://mirror.stream.centos.org/9-stream/BaseOS/$arch/os/, merge mode: bare), arches: inherited from tag
   10 centos9s-appstream (http://mirror.stream.centos.org/9-stream/AppStream/$arch/os/, merge mode: bare), arches: inherited from tag
   15 centos9s-crb (http://mirror.stream.centos.org/9-stream/CRB/$arch/os/, merge mode: bare), arches: inherited from tag
   20 centos9s-buildroot (https://cbs.centos.org/kojifiles/repos/c9s-buildroot/$arch/, merge mode: bare), arches: inherited from tag
Inheritance:
  5    .... buildsys9s-release [2363]
  10   .... autosd9s-packages-main-candidate [2606]

The signing process was adapted so packages tagged in autosd tags will be signed with the existing automotive SIG key.
Let me know if there is anything that needs to be done, but I think you should be all set from this point?

I'll give it some testing tomorrow but this looks good, thanks!

A modified kojihub policy was pushed to meet your requirements and I think it should be working now for you.
One thing to notice is that while each autosd tag has Required permission: 'build-autosd' (meaning sig-autosd FAS/ACO group membership), a tag-build operation happens after a build, so one can still submit a build task, which would run, and it would only be denied being tagged in the destination tag.

From the official koji documentation, there is a build permission but "Defined in the database but currently unused" ... so I don't know if that's something you'd want to create an RFE ticket upstream for? Or is the solution in place (already working for all other SIGs) good enough for now for you?
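
The tag lock described in the comment above can be checked from `taginfo` output. The following is an added example, not part of the ticket or of CBS tooling: it parses output in the layout pasted earlier in this thread and reports destination tags that lack the `build-autosd` permission. The sample text and its tag IDs are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the `cbs taginfo` layout shown in this ticket. Tag IDs
# are placeholders, and the -testing tag is left unlocked on purpose.
SAMPLE = """\
Tag: autosd9s-packages-main-candidate [1]
Required permission: 'build-autosd'
Tag: autosd9s-packages-main-testing [2]
Arches: x86_64 aarch64
Tag: autosd9s-packages-main-release [3]
Required permission: 'build-autosd'
Tag: autosd9s-packages-main-el9s-build [4]
Groups: build, srpm-build
"""

TAG_RE = re.compile(r"^Tag: (\S+) \[\d+\]$")
PERM_RE = re.compile(r"^Required permission: '([^']+)'$")
# Only the tags that builds get tagged into are expected to carry the lock.
DEST_SUFFIXES = ("-candidate", "-testing", "-release")


def parse_taginfo(text):
    """Map each tag name to its required permission (None when not set)."""
    perms, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        tag = TAG_RE.match(line)
        if tag:
            current = tag.group(1)
            perms[current] = None
            continue
        perm = PERM_RE.match(line)
        if perm and current is not None:
            perms[current] = perm.group(1)
    return perms


def unlocked_destinations(perms, expected="build-autosd"):
    """Destination tags whose lock is missing or names another permission."""
    return sorted(
        tag for tag, perm in perms.items()
        if tag.endswith(DEST_SUFFIXES) and perm != expected
    )


if __name__ == "__main__":
    for tag in unlocked_destinations(parse_taginfo(SAMPLE)):
        print(f"missing build-autosd lock: {tag}")
```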

I've created the RFE ticket on koji: https://pagure.io/koji/issue/3323

I think we can close this, I don't think we can do more for now.

Many thanks for your help!

Metadata Update from @pingou:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago
