#1074 Tweak OpenShift test template
Merged 8 months ago by mprahl. Opened 8 months ago by csomh.
csomh/fm-orchestrator openshift-tweaks  into  master

file modified
+7 -11

@@ -10,23 +10,19 @@ 

  # The caller can chose to provide an already built module-build-service RPM.

  ARG mbs_rpm=module-build-service

  ARG mbs_messaging_umb_rpm

+ ARG umb_ca_crt

  

  RUN dnf -y install \

+             python2-pungi \

+             python2-psycopg2 \

+             https://dl.fedoraproject.org/pub/epel/7Server/x86_64/Packages/s/stomppy-3.1.6-3.el7.noarch.rpm \

              $mbs_rpm \

              $mbs_messaging_umb_rpm \

-             python2-psycopg2 \

      && dnf -y clean all

  

- # 1. Use latest stomp.py - hackish way for making this change, until there is

- #    sufficient proof that newer versions don't break mbs_messaging_umb

- #

- # 2. Install python2-docopt - required by the latest version of stomp.py

- #

- # 3. Install python2-pungi - to make MBS RPMs built for RHEL work with a Fedora

- #    base image

- RUN sed -i 's/==3\.1\.6//g' /usr/lib/python2.7/site-packages/mbs_messaging_umb-*-py2.7.egg-info/requires.txt \

-     && dnf -y install python2-docopt python2-pungi \

-     && dnf -y clean all

+ ADD $umb_ca_crt /etc/pki/ca-trust/source/anchors/umb_serverca.crt

+ # Do this as a workaround instead of `update-ca-trust`

+ RUN cat /etc/pki/ca-trust/source/anchors/umb_serverca.crt >> /etc/pki/tls/certs/ca-bundle.crt

  

  VOLUME ["/etc/module-build-service", "/etc/fedmsg.d", "/etc/mbs-certs"]

  ENTRYPOINT fedmsg-hub
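
Review bot: `ADD $umb_ca_crt /etc/pki/ca-trust/source/anchors/umb_serverca.crt` should be `COPY`. `ADD` also accepts remote URLs, and whatever the build argument points at is then appended to `/etc/pki/tls/certs/ca-bundle.crt`, where it becomes a trust root for every TLS client in the image, not only the UMB connection. `COPY` limits the source to a file in the build context. `ARG umb_ca_crt` has no default, so builds now depend on the caller supplying it; say so next to the existing "The caller can chose" comment. The workaround comment should also note that the appended certificate can be lost if the bundle is regenerated later. Separately, the stomppy RPM is installed straight from a URL; state how its integrity is checked, or pull it from a configured repository.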

@@ -112,7 +112,7 @@ 

  

            SYSTEM = 'koji'

            MESSAGING = 'umb'

-           MESSAGING_TOPIC_PREFIX = ['']

+           MESSAGING_TOPIC_PREFIX = ['/queue/Consumer.mbs.queue.VirtualTopic.eng']

            KOJI_CONFIG = '/etc/module-build-service/koji.conf'

            KOJI_PROFILE = 'test'

            KOJI_ARCHES = ['x86_64']

@@ -122,6 +122,7 @@ 

            PDC_INSECURE = True

            PDC_DEVELOP = True

            SCMURLS = []

+           ALLOW_CUSTOM_SCMURLS = True

  

            RESOLVER = 'db'
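
Review bot: `ALLOW_CUSTOM_SCMURLS = True` next to `SCMURLS = []` leaves the allow-list empty and then switches it off, so going by the option name any SCM URL will be accepted for a build. If that is intended for the test setup only, add a comment saying so above the new line, or list the test repositories in `SCMURLS` and keep the override off.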

  

@@ -138,8 +139,8 @@ 

            KOJI_CG_BUILD_TAG_TEMPLATE = ''

            KOJI_CG_DEFAULT_BUILD_TAG = ''

  

-           # yes, we want everyone to authenticate

-           NO_AUTH = False

+           # Disable authentication

+           NO_AUTH = True

  

            YAML_SUBMIT_ALLOWED = False
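
Review bot: The new comment above `NO_AUTH = True` only restates the setting; it replaces `# yes, we want everyone to authenticate` without recording why authentication is turned off. Say in the comment that this is for the test deployment, and consider exposing it as a template parameter so the default stays `False`.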

  

@@ -155,11 +156,9 @@ 

            # and be in the build state at a time. Set this to 0 for no restrictions

            NUM_CONCURRENT_BUILDS = 2

  

-           RPMS_DEFAULT_REPOSITORY = ''

+           RPMS_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/rpms/'

            RPMS_ALLOW_REPOSITORY = False

-           RPMS_DEFAULT_CACHE = ''

-           RPMS_ALLOW_CACHE = False

-           MODULES_DEFAULT_REPOSITORY = ''

+           MODULES_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/modules/'

            MODULES_ALLOW_REPOSITORY = False

  

            # Our per-build logs for the Koji content generator go here.
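
Review bot: `RPMS_DEFAULT_CACHE = ''` and `RPMS_ALLOW_CACHE = False` are removed here with no replacement, so both now fall back to whatever the application defaults are. Please confirm the default for `RPMS_ALLOW_CACHE` is still off, or keep the explicit `False` in the template, and mention the removal in the commit message.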

@@ -242,11 +241,12 @@ 

          profiles:

            buildroot:

              rpms: [bash, bzip2, coreutils, cpio, diffutils, fedora-release, findutils, gawk,

-               gcc, gcc-c++, grep, gzip, info, make, patch, redhat-rpm-config, rpm-build,

-               sed, shadow-utils, tar, unzip, util-linux, which, xz]

+               gcc, gcc-c++, grep, gzip, info, make, module-build-macros, patch,

+               redhat-rpm-config, rpm-build, sed, shadow-utils, tar, unzip,

+               util-linux, which, xz]

            srpm-buildroot:

-             rpms: [bash, fedora-release, fedpkg-minimal, gnupg2, redhat-rpm-config, rpm-build,

-               shadow-utils]

+             rpms: [bash, fedora-release, fedpkg-minimal, gnupg2, module-build-macros,

+               redhat-rpm-config, rpm-build, shadow-utils]

          stream: f28

          summary: Fedora 28 traditional base

          version: 3

@@ -492,6 +492,7 @@ 

            'stomp_heartbeat': 5000,

            'stomp_ssl_crt': '/etc/mbs-certs/messaging.crt',

            'stomp_ssl_key': '/etc/mbs-certs/messaging.key',

+           'stomp_ca_certs': None,

            'stomp_ack_mode': 'auto',

        }

      mbs-scheduler.py: |
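
Review bot: `'stomp_ca_certs': None` needs a comment stating what `None` means for verifying the broker certificate. If it means "use the system bundle", say so and reference the Dockerfile workaround that appends `umb_serverca.crt`. If it means no CA is checked, point it at `/etc/pki/ca-trust/source/anchors/umb_serverca.crt` instead, which scopes the trust to the UMB connection and makes the bundle append unnecessary.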

@@ -523,7 +524,7 @@ 

  

            SYSTEM = 'koji'

            MESSAGING = 'umb'

-           MESSAGING_TOPIC_PREFIX = ['']

+           MESSAGING_TOPIC_PREFIX = ['/queue/Consumer.mbs.queue.VirtualTopic.eng']

            KOJI_CONFIG = '/etc/module-build-service/koji.conf'

            KOJI_PROFILE = 'test'

            KOJI_ARCHES = ['x86_64']

@@ -533,6 +534,7 @@ 

            PDC_INSECURE = True

            PDC_DEVELOP = True

            SCMURLS = []

+           ALLOW_CUSTOM_SCMURLS = True

  

            RESOLVER = 'db'

  

@@ -549,8 +551,8 @@ 

            KOJI_CG_BUILD_TAG_TEMPLATE = ''

            KOJI_CG_DEFAULT_BUILD_TAG = ''

  

-           # yes, we want everyone to authenticate

-           NO_AUTH = False

+           # Disable authentication

+           NO_AUTH = True

  

            YAML_SUBMIT_ALLOWED = False
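
Review bot: `NO_AUTH = True` here is the same edit as in the hunk at line 138, and the other settings touched in this PR are likewise changed twice, once per embedded config. Consider a single shared config or template parameters for these values so the two copies cannot drift apart.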

  

@@ -560,17 +562,15 @@ 

  

            # How often should we resort to polling, in seconds

            # Set to zero to disable polling

-           POLLING_INTERVAL = 20

+           POLLING_INTERVAL = 600

  

            # Determines how many builds that can be submitted to the builder

            # and be in the build state at a time. Set this to 0 for no restrictions

            NUM_CONCURRENT_BUILDS = 2

  

-           RPMS_DEFAULT_REPOSITORY = ''

+           RPMS_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/rpms/'

            RPMS_ALLOW_REPOSITORY = False

-           RPMS_DEFAULT_CACHE = ''

-           RPMS_ALLOW_CACHE = False

-           MODULES_DEFAULT_REPOSITORY = ''

+           MODULES_DEFAULT_REPOSITORY = 'git+https://src.fedoraproject.org/modules/'

            MODULES_ALLOW_REPOSITORY = False

  

            # Our per-build logs for the Koji content generator go here.
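
Review bot: `POLLING_INTERVAL = 600` has no explanation; the comment above it still only describes what the option is. Going from 20 to 600 seconds means anything the poller is there to catch can wait up to ten minutes, so add a line saying why that is acceptable in the test setup.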

@@ -646,11 +646,12 @@ 

          profiles:

            buildroot:

              rpms: [bash, bzip2, coreutils, cpio, diffutils, fedora-release, findutils, gawk,

-               gcc, gcc-c++, grep, gzip, info, make, patch, redhat-rpm-config, rpm-build,

-               sed, shadow-utils, tar, unzip, util-linux, which, xz]

+               gcc, gcc-c++, grep, gzip, info, make, module-build-macros, patch,

+               redhat-rpm-config, rpm-build, sed, shadow-utils, tar, unzip,

+               util-linux, which, xz]

            srpm-buildroot:

-             rpms: [bash, fedora-release, fedpkg-minimal, gnupg2, redhat-rpm-config, rpm-build,

-               shadow-utils]

+             rpms: [bash, fedora-release, fedpkg-minimal, gnupg2, module-build-macros,

+               redhat-rpm-config, rpm-build, shadow-utils]

          stream: f28

          summary: Fedora 28 traditional base

          version: 3

In order to be able to run a successful module build using a test setup, configs in the OpenShift template had to be tweaked a little.

@mprahl @jkaluza ptal

I broke this up into multiple commits, and made an attempt to explain each change in the commit message.

If you think this is too much, just let me know, and I'll squash them.

Does it make sense to make this change in mbs_messaging_umb?

Yeah, I've tried that, and I've tried it again today, both with adding the CA cert for the test UMB in /etc/pki/ca-trust/source/anchors/ and /usr/share/pki/ca-trust-source/anchors/ and running update-ca-trust.

But for some reason the certificate is not added to the bundle. update-ca-trust gives no error.

I'll try to do a few more experiments with self-signed certs. Maybe there is something wrong with the way the self-signed cert was generated.

Appending a PEM formatted cert to ca-bundle.crt seems to work. But this is just another workaround. I would postpone figuring out how to make this in a proper manner.

Do you have any preference which workaround to keep? :)

Appending a PEM formatted cert to ca-bundle.crt seems to work. But this is just another workaround. I would postpone figuring out how to make this in a proper manner.
Do you have any preference which workaround to keep? :)

I prefer appending to ca-bundle.crt of the two workarounds. I'm confused as to why it wouldn't work though. As long as you're running update-ca-trust as root, it should work; if you're not root, then it'll silently fail from what I've seen.

@mprahl I'm also confused why update-ca-trust is not working. Both cat and update-ca-trust are run by root during the build, so that should not be the problem. This is the cert I'm trying to add to the bundle.

I'll update this PR with the cat workaround.

rebased onto d30c50c

8 months ago

@mprahl @lucarval, updated this with the changes discussed above, ptal.

Pull-Request has been merged by mprahl

8 months ago