#6530 ODCS: Request for keytabs for Pungi to run runroot Koji tasks
Closed 6 years ago Opened 6 years ago by jkaluza.

Hi,

in this ticket, I would like to ask for keytabs for Pungi running on ODCS prod/stg instances with permissions to run runroot Koji tasks. Reasoning is below:

In order to rebuild base container images by Freshmaker, we need ODCS to generate boot.iso. ODCS is using Pungi as a backend, so in fact it is Pungi spawning this Koji runroot task to generate boot.iso. We therefore need a keytab for the ODCS staging and prod instances, which would be used by Pungi installed on those instances to run a runroot task with lorax to generate boot.iso.

We could probably reuse the existing boot.iso from official composes, but these are easy to find only in Fedora. Since ODCS and Freshmaker are also running internally in Red Hat, where this situation is much more complex, we would like to use the same approach on both deployments and therefore would like to generate boot.iso also in Fedora land.

Note that although the boot.iso for base container image rebuilds is the only use case for runroot we have right now, it might prove that there will be requests for ODCS to generate other artifacts which need boot.iso. It just makes sense for ODCS to be able to build anything which can be built with Pungi in the long term, and the only thing we are missing for that right now is the runroot perm.


@puiterwijk told me there is a keytab/service Ansible role I can use myself, so I have created keytabs for ODCS staging/prod using this role.

Now I just need the runroot permissions for them.

Principals should be:

  • odcs/odcs.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
  • odcs/odcs.fedoraproject.org@FEDORAPROJECT.ORG

Hm, looks like I need to somehow create the user in koji's DB first.

λ koji --profile stg grant-permission runroot odcs/odcs.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG
Usage: koji grant-permission <permission> <user> [<user> ...]
(Specify the --help global option for a list of other help options)

koji: error: No such user: odcs/odcs.stg.fedoraproject.org@STG.FEDORAPROJECT.ORG

@ralph Users are created upon login.

Metadata Update from @ralph:
- Issue assigned to ralph

6 years ago

Metadata Update from @ralph:
- Issue tagged with: factory2

6 years ago

Users created and permissions granted.

Metadata Update from @ralph:
- Issue status updated to: Closed (was: Open)

6 years ago
