+ #   5001:5001 -- DistGit Apache

+     command: "/usr/bin/copr_run_logger.py"

+     command: ["/run-backend", "--sign-host", "keygen-signd", "/usr/bin/copr-run-dispatcher", "builds"]

+     command: ["/run-backend", "--sign-host", "keygen-signd", "/usr/bin/copr-run-dispatcher", "actions"]

+       context: docker/distgit/

+       - "5001:5001"

+     command: /usr/sbin/httpd -DFOREGROUND

+       context: docker/keygen/

+     command: /signd-entrypoint

+       context: docker/keygen/

+ # Copr user needs permissions for /bin/sign.  We drop the setuid bit here as in

+ # container scenario it is not desired.  We use the downstream-only option

+ # allow-unprivileged-ports option: https://github.com/openSUSE/obs-sign/pull/36

+ RUN chmod 0755 /usr/bin/sign

+ 

+ # entrypoint needs to have write access here (group=0)

+ RUN chown copr:root /etc/sign.conf && \

+     chmod 0660 /etc/sign.conf

+ USER copr

+ 

+ CMD ["/run-backend"]

+ #! /bin/bash

+ 

+ option_variable()

+ {

+     opt=$1

+     opt=${1##--}

+     opt=${opt##-}

+     opt=${opt//-/_}

+     option_variable_result=opt_$opt

+ }

+ 

+ opt_sign_user=$(id -u)

+ opt_sign_host=keygen-signd

+ 

+ ARGS=$(getopt -o "" -l "sign-user:,sign-host:" -n "getopt" -- "$@") \

+     || show_help 1

+ eval set -- "$ARGS"

+ while true; do

+     case $1 in

+     # options with arguments

+     --sign-host|--sign-user)

+         option_variable "$1"

+         eval "$option_variable_result=\$2"

+         shift 2

+         ;;

+     --) shift; break;;  # end

+     *) echo "programmer mistake ($1)" >&2; exit 1;;

+     esac

+ done

+ 

+ cat >/etc/sign.conf <<EOF

+ server: $opt_sign_host

+ allowuser: $opt_sign_user

+ allow-unprivileged-ports: true

+ EOF

+ 

+ # execute the remaining part of the command

+ exec "$@"

+                    ethtool \

+     && dnf clean all

+ lookaside_location = http://distgit-httpd:5001

+                    python3-ipdb \

+                    tini \

+                    && \

+     dnf -y install copr-dist-git && \

+ RUN rm /etc/httpd/conf.d/ssl.conf

+ 

+ RUN echo "AliasMatch \"/repo(/.*)/md5(/.*)\" \"/var/lib/dist-git/cache/lookaside\\$1\\$2\"" >> /etc/httpd/conf.d/dist-git/lookaside-copr.conf && \

+     echo "Alias /repo/ /var/lib/dist-git/cache/lookaside/" >>  /etc/httpd/conf.d/dist-git/lookaside-copr.conf

+ 

+ RUN sed -i 's/Listen 80/Listen 5001/' /etc/httpd/conf/httpd.conf

+ 

+ RUN directories="/etc/httpd /var/run/httpd /var/log/httpd /var/lib/dist-git /run/lock" ; \

+     chown -R copr-dist-git:root $directories && \

+     chmod -R g+rwX $directories

+ 

+ USER copr-dist-git

+ 

+ ENTRYPOINT ["/usr/bin/tini", "--"]

+ CMD ["bash", "-c", "mkdir -p /var/lib/dist-git/cache /var/lib/dist-git/git && exec /usr/bin/importer_runner.py"]

+                    modulemd-tools \

+     && dnf clean all

+ cd /usr/share/copr/coprs_frontend/

+ DIST_GIT_CLONE_URL = 'http://distgit-httpd:5001/git/'

+ RUN useradd -r copr-signer -u 993 -g 992 -G 0 -d /var/lib/copr-keygen

+                    tini \

+ # OpenShift runs this project as <RANDOMUID>:root

+ # Podman runs this as copr-signer with root in supplementary groups

+ RUN chmod g+rwx /var/log/httpd

+ 

+ # Drop the suid bit

+ RUN chmod 0755 /usr/bin/sign

+ 

+ # entrypoint needs to have write access here (group=0)

+ RUN chown copr-signer:root /etc/sign.conf && \

+     chmod 0660 /etc/sign.conf

+ 

+ # TODO: we should just check for non-root accounts

+ RUN sed -i "s|getpass.getuser() != 'copr-signer'|False|" /usr/bin/gpg-copr

+ 

+ RUN dirs="/var/run/signd /var/run/httpd" ; \

+     for dir in $dirs; do \

+       mkdir -p "$dir" && \

+       chown root:root "$dir" && \

+       chmod 0770 "$dir" ; \

+     done

+ 

+ USER copr-signer

+ 

+ ENTRYPOINT ["/usr/bin/tini", "--"]

+ CMD ["/usr/sbin/httpd", "-DFOREGROUND"]

+ #! /bin/bash

+ 

+ allow_statement=$1

+ test -z "$allow_statement" && allow_statement="0.0.0.0/0"

+ 

+ # Backend sends signature request to keygen.  We need to configure the /bin/sign

+ # client utility.

+ 

+ cat >/etc/sign.conf <<EOF

+ allow: $allow_statement

+ phrases: /var/lib/copr-keygen/phrases

+ gpg: /usr/bin/gpg-copr

+ allowuser: $(id -u)

+ # we can't open a privileged (for the remote keygen server)

+ allow-unprivileged-ports: true

+ EOF

+ 

+ # In case the volume is empty.

+ mkdir --mode=0700 -p /var/lib/copr-keygen/phrases /var/lib/copr-keygen/gnupg

+ 

+ exec /usr/sbin/signd

+ RUN dnf install -y ansible \

+                    vim \

+                    resalloc-aws \

+                    openssh-clients \

+     && dnf clean all

+ secret*

+ AP := ansible-playbook -vv -c local -i localhost,

+ 

+ deploy:

+ 	$(AP) deploy.yml

+ Deploy Copr build system in OpenShift

+ =====================================

+ 

+ ... in two minutes, if you have a configuration file in hand.

+ 

+ This directory contains the deployment scripts and base configuration that

+ allows you to quickly deploy a fully-working Copr build system infrastructure

+ into an OpenShift cluster, with builders (virtual machines) being automatically

+ started/stopped in external clouds (currently just pre-configured AWS).

+ 

+ Note: At the time of writing this document, it is not common to be able to start

+ privileged containers in OpenShift, nor rootless containers (user namespaces).

+ Therefore, builders need to stay as virtual machines only.

+ 

+ 1. get an OpenShift Cluster

+ 2. get AWS token (for EC2 access)

+ 3. $ cp secret-vars.yml.template secret-vars.yml and fill the gaps

+ 4. hit the $ make

+ 

+ Currently we maintain the images here: https://quay.io/organization/copr

+ 

+ WARNING: This deployment is in a pre-production state!

+ 

+ TODO list

+ ---------

+ 

+ - copr-keygen pod signing process needs to be secured, currently the pod accepts

+   sign requests from any other pod in the project because we "allow 0.0.0.0/0"

+ 

+ - start logging to stdout/stderr, so we can just do

+   'oc logs <podname> -c <container>', according to

+   https://docs.openshift.com/container-platform/4.9/openshift_images/create-images.html

+   Alternatively at least implement log-rotation.

+ 

+ - we should merge https://github.com/openSUSE/obs-sign/pull/36 - currently

+   patched Fedora-only

+ 

+ - zombie reaping - use tini

+ 

+ - Let's Encrypt automation

+ 

+ - starting the containers against a locally maintained code (from git root),

+   currently we just use 'docker-compose'

+ 

+ - automate PostgreSQL initialization from a SQL dump file, for easier debugging

+   of complicated scenarios

+ 

+ - setup cron jobs (automatic build removals, etc.)

+ 

+ - better container image tagging (currently everything in :test)

+ 

+ - automatic image builds (quay.io builds are broken for F35

+   https://bugzilla.redhat.com/show_bug.cgi?id=2025899)

+ 

+ - automatize the AWS SSH key creation/removal (this is the hardest part in the

+   secret-vars.yml config file)

+ 

+ - separate the normal and secret vars (now everything is in secret-vars.yml)

+ 

+ 

+ Research

+ ========

+ 

+ - write an operator for starting builders hosted in OpenShift?  But we need to

+   wait for the state when "user namespaces" are "commonly" available

+ 

+ - automatic termination of orphaned resalloc instances - this happens easily

+   when project is deleted (oc delete project <your project>)

+ 

+ - experiment with Terraform

+ [backend]

+ results_baseurl=http://copr-backend:8080/results/

+ frontend_base_url=http://copr-frontend:5000

+ frontend_auth={{ frontend_backend_password }}

+ destdir=/var/lib/copr/public_html/results

+ sleeptime=20

+ builds_max_workers=3

+ actions_max_workers=2

+ do_sign=true

+ keygen_host=copr-keygen:5003

+ prune_days=14

+ resalloc_connection=http://resalloc:49100

+ 

+ redis_host=redis

+ redis_port=6379

+ redis_db=1

+ 

+ 

+ [builder]

+ timeout=108000

+ consecutive_failure_threshold=30

+ 

+ [ssh]

+ builder_config=/backend-home/.ssh/config

+ [dist-git]

+ frontend_base_url=http://copr-frontend:5000

+ frontend_auth={{ frontend_backend_password }}

+ per_task_log_dir=/var/lib/copr-dist-git/per-task-logs/

+ [dist-git]

+ git_author_name  = Copr Dist Git

+ git_author_email = <copr-devel@lists.fedoraproject.org>

+ 

+ cache_dir   = /var/lib/dist-git/cache

+ gitroot_dir = /var/lib/dist-git/git

+ #this is difference from standard config!

+ git_gc_depth   = 3

+ 

+ gitolite    = False

+ ENV="local"

+ BACKEND_PASSWORD = "{{ frontend_backend_password }}"

+ SQLALCHEMY_DATABASE_URI = 'postgresql+psycopg2://{{ postgres_user }}:{{ postgres_password }}@postgresql/{{ postgres_database_name }}'

+ DEBUG = True

+ SQLALCHEMY_ECHO = False

+ SEND_EMAILS = False

+ PUBLIC_COPR_HOSTNAME = 'localhost:5000'

+ PUBLIC_COPR_BASE_URL = 'http://frontend:5000'

+ BACKEND_BASE_URL = 'http://{{ backend_fqdn }}/'

+ DIST_GIT_CLONE_URL = 'http://{{ distgit_fqdn }}/git/'

+ DIST_GIT_URL = 'http://localhost:5001/cgit'

+ COPR_DIST_GIT_LOGS_URL = 'http://localhost:5001/per-task-logs'

+ LOG_FILENAME = "/var/log/copr-frontend/frontend.log"

+ LOG_DIR = "/var/log/copr-frontend/"

+ INTRANET_IPS = ["127.0.0.1", "192.168.1.0/24"]

+ BUILDER_IPS = ["127.0.0.1"]

+ STORAGE_DIR = "/var/lib/copr/data/srpm_storage"

+ GROUP_DENYLIST = ['fedorabugs', 'packager', 'provenpackager']

+ REDIS_HOST = "redis"

+ REDIS_PORT = 6379

+ NEWS_URL = "https://fedora-copr.github.io/"

+ NEWS_FEED_URL = "https://fedora-copr.github.io/feed.xml"

+ OPENID_PROVIDER_URL = "https://id.fedoraproject.org"

+ DELETE_EOL_CHROOTS_AFTER = 180

+ EOL_CHROOTS_NOTIFICATION_PERIOD = 80

+ ENABLE_DISCUSSION = False

+ ITEMS_PER_PAGE = 10

+ PAGES_URLS_COUNT = 5

+ DEFAULT_BUILD_MEMORY = 2048

+ MIN_BUILD_MEMORY = 2048

+ MAX_BUILD_MEMORY = 4096

+ DEFAULT_BUILD_TIMEOUT = 3600 * 5

+ MIN_BUILD_TIMEOUT = 0

+ MAX_BUILD_TIMEOUT = 108000

+ CACHE_TYPE = "NullCache"

+ [default]

+ aws_access_key_id={{ aws_config.access_key_id }}

+ aws_secret_access_key={{ aws_config.secret_access_key }}

+ # vi: ft=yaml

+ ---

+ copr_os_{{ project.replace("-", "_") }}_{{ deployment }}_aws_x86:

+   max: 4

+   max_starting: 1

+   max_prealloc: 1

+   tags:

+     - copr_builder

+     - arch_noarch

+     - arch_x86_64

+     - arch_x86_64_native

+     - arch_i386

+     - arch_i386_native

+     - arch_i586

+     - arch_i586_native

+     - arch_i686

+     - arch_i686_native

+     - arch_s390x

+     - arch_s390x_emulated

+     - arch_ppc64le

+     - arch_ppc64le_emulated

+     - arch_aarch64

+     - arch_aarch64_emulated

+   cmd_new: |

+     set -x

+     /usr/bin/resalloc-aws-new \

+     --aws-profile default \

+     --ami ami-09127a5df568314d3 \

+     --ssh-key-name "{{ aws_config.ssh_key.name }}" \

+     --debug \

+     --private-ip \

+     --security-group-id sg-07a0adee998a8fcde \

+     --possible-subnet subnet-0b853a752f0f7eba5 \

+     --possible-subnet subnet-05dd25fba5582bb6a \

+     --instance-type t3a.medium \

+     --tag RedHatGroup=copr \

+     --tag ServiceName=copr \

+     --tag ServiceComponent=builder-testing-copr-openshift \

+     --tag ServiceOwner=Copr \

+     --tag AppCode=COPR-001 \

+     --tag ServicePhase=Dev \

+     --tag CoprInstance=testing-openshift \

+     --tag arch=x86_64 \

+     --playbook /etc/resallocserver/spinup-playbook.yml

+ 

+   cmd_delete: /usr/bin/resalloc-aws-delete --aws-profile default

+   cmd_livecheck: "resalloc-check-vm-ip"

+   livecheck_period: 180

+   reuse_opportunity_time: 180

+   reuse_max_count: 8

+   reuse_max_time: 1800

+ db_url: 'sqlite:////var/lib/resallocserver/db.sqlite'

+ logdir: '/var/log/resallocserver'

+ hostname: '0.0.0.0'

+ loglevel: 'debug'

+ ---

+ - name: provision AWS builder

+   hosts: all

+   become: true

+   user: fedora

+ 

+   vars:

+     devel: true

+     ansible_python_interpreter: /usr/bin/python3

+ 

+   tasks:

+     - name: setup the hostname so we can easily identify the box

+       hostname: name="{% raw %}{{ lookup('env', 'RESALLOC_NAME') | default('unknown-builder') | replace('_', '-') }}{% endraw %}"

+ 

+     - name: disable updates-testing

+       file:

+         path: /etc/yum.repos.d/fedora-updates-testing.repo

+         state: absent

+ 

+     - name: stop and disable systemd-oomd, rhbz 2051154

+       service:

+         name: systemd-oomd

+         state: stopped

+         enabled: no

+ 

+     - name: install copr-builder and other latest packages

+       dnf: state=latest pkg=copr-builder

+ 

+     - name: run /bin/copr-update-builder from copr-builder package

+       shell: /usr/bin/copr-update-builder

+ 

+     - name: put copr-rpmbuild configuration file in the right place

+       copy:

+         dest: /etc/copr-rpmbuild/main.ini

+         content: |

+           [main]

+           frontend_url = {{ frontend_base_url }}

+           distgit_lookaside_url = https://{{ '${%' }} raw {{ '%}{{' }} git_props:remote_netloc {{ '}}{%' }} endraw {{ '%}' }}/repo/pkgs/%(repo_path)s/%(filename)s/%(hashtype)s/%(hash)s/%(filename)s

+           distgit_clone_url = {scheme}://{netloc}/%(repo_path)s

+           rpm_vendor_copr_name = Testing Copr

+ 

+           [distgit0]

+           distgit_hostname_pattern = src.fedoraproject.org

+           distgit_lookaside_url = https://src.fedoraproject.org/repo/pkgs/%(ns1)s/%(name)s/%(filename)s/%(hashtype)s/%(hash)s/%(filename)s

+           distgit_clone_url = https://src.fedoraproject.org/%(repo_path)s

+ 

+     - name: install copr-distgit-client configuration

+       copy:

+         dest: /etc/copr-distgit-client/local-copr.ini

+         content: |

+           [local-copr]

+           clone_hostnames = {{ distgit_fqdn }}

+           lookaside_location = http://{{ distgit_fqdn }}

+           lookaside_uri_pattern = repo/pkgs/{namespace[1]}/{namespace[0]}/{name}/{filename}/{hash}/{filename}

+ 

+     - name: mockbuilder authorized_keys

+       authorized_key: user=mockbuilder key="{{ aws_config.ssh_key.public }}"

+ 

+     - name: root authorized_keys

+       authorized_key: user=root key="{{ aws_config.ssh_key.public }}"

+ 

+     - name: mount cache filesystem on /var/cache/mock

+       mount: path=/var/cache/mock state=mounted src=mock_cache_tmpfs fstype=tmpfs opts="size=32G"

+ 

+     - name: Collect facts about builder hardware

+       setup:

+         gather_subset:

+           - hardware

+ ---

+ - name: Copr deployment

+   hosts: all

+   vars:

+     validate_certs: false

+     service: copr

+     deployment: dev

+     sandbox_namespace: "{{ service }}-{{ deployment }}-sandbox"

+     project_dir: "{{ playbook_dir }}"

+     path_to_secrets: "{{ project_dir }}/secrets"

+     path_to_services: "{{ project_dir }}/services"

+ 

+     postgres_user: copr-fe

+     postgres_database_name: copr-db

+ 

+   vars_files:

+     "{{ project_dir }}/secret-vars.yml"

+ 

+   tasks:

+     - name: detect the currently operated OpenShift cluster

+       shell: oc config view --minify -o jsonpath='{.clusters[*].cluster.server}'

+       register: oc_api_endpoint_detected

+       changed_when: false

+       tags: always

+ 

+     - name: check that we work with the right OpenShift cluster

+       assert:

+         that:

+           - oc_api_endpoint_detected.stdout_lines[0] == oc_api_endpoint

+         msg: "OpenShift API mismatch"

+       tags: always

+ 

+     - name: detect the OpenShift API key - ARE YOU LOGGED IN?

+       command: oc whoami -t

+       register: openshift_token_detected

+       no_log: true

+       changed_when: false

+       tags: always

+ 

+     - name: define the api_key variable

+       set_fact:

+         api_key: "{{ openshift_token_detected.stdout_lines[0] }}"

+       tags: always

+ 

+     - name: Create the project

+       k8s:

+         definition: "{{ lookup('template', 'project.yaml.j2') }}"

+         api_key: "{{ api_key }}"

+         validate_certs: "{{ validate_certs }}"

+       tags: always

+ 

+     # Normally we would use 'image: " "' in the PG template, but the k8s Ansible

+     # module doesn't seem to realize it means "no change" and reports "changed"

+     # all the time.  Therefore we detect it first.

+     - name: Get the actual PostgreSQL image from ImageStream

+       shell: oc get dc postgresql -o jsonpath='{.spec.template.spec.containers[0].image}'

+       register: pgis

+       changed_when: false

+       failed_when: false

+ 

+     - set_fact: postgresql_image={{ pgis.stdout }}

+ 

+     - name: Deploy PostgreSQL service

+       k8s:

+         namespace: "{{ project }}"

+         definition: "{{ lookup('template', '{{ path_to_services }}/postgres.yml.j2') }}"

+         api_key: "{{ api_key }}"

+         validate_certs: "{{ validate_certs }}"

+ 

+ 

+     # Normally we would use 'image: " "' in the PG template, but the k8s Ansible

+     # module doesn't seem to realize it means "no change" and reports "changed"

+     # all the time.  Therefore we detect it first.

+     - name: Get the actual Redis image from ImageStream

+       shell: oc get dc redis -o jsonpath='{.spec.template.spec.containers[0].image}'

+       register: r_is