add dockerfile

This commit is contained in:
hunan
2024-11-21 14:58:23 +08:00
parent b817e44f7a
commit aaf1339b26
52 changed files with 326810 additions and 5 deletions

4
.gitignore vendored Normal file

@@ -0,0 +1,4 @@
./postgres/data/*
./postgres/pagure-data-20241118-0030.sql
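Review bot: Neither pattern here will match anything, because a gitignore pattern beginning with `./` is matched literally and no path has a `.` component, so `postgres/data` and the SQL dump stay tracked. Drop the prefix: `postgres/data/` and `postgres/pagure-data-20241118-0030.sql` (or `postgres/*.sql` to cover future dumps). The root docker-compose.yml in this commit mounts the Postgres data directory from `./data`, not `./postgres/data`, so that directory also needs an entry if it is meant to stay out of the repository.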

46
docker-compose.yml Normal file

@@ -0,0 +1,46 @@
---
services:
mbs:
image: mbs:test2
restart: always
container_name: mbs
#volumes:
# - ./data:/var/lib/postgresql/data
ports:
- "8280:80"
- "8243:443"
networks:
- mbs-net
mbs-ui:
image: mbs-ui-test:v2
restart: always
container_name: mbs-ui
volumes:
- ./environment.kylin.ts:/app/src/environments/environment.kylin.ts
ports:
- "4200:8080"
networks:
- mbs-net
db:
image: postgres:11.8-alpine
restart: always
container_name: mbs-postgres
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: Kylin123
POSTGRES_DB: koji
volumes:
# - ./pagure-data-20241118-0030.sql:/docker-entrypoint-initdb.d/pagure-data-20241118-0030.sql
- ./data:/var/lib/postgresql/data
# ports:
# - "5432:5432"
networks:
- mbs-net
networks:
mbs-net:
driver: bridge
external: true
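Review bot: The Postgres superuser password is committed as a literal (`POSTGRES_PASSWORD: Kylin123`) on the `db` service; once pushed it has to be treated as disclosed and rotated. Read it from the environment instead, `POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}"`, and keep the value in an untracked `.env` file. The commented-out `/var/lib/postgresql/data` mount on the `mbs` service looks like a copy-paste leftover from `db` and should be removed rather than left as dead config. Publishing `4200:8080` for `mbs-ui` exposes an Angular dev server on every host interface; `"127.0.0.1:4200:8080"` would narrow that until a static build is served.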

5
environment.kylin.ts Normal file

@@ -0,0 +1,5 @@
export const environment = {
production: true,
mbsUrl: 'http://192.168.68.86:8280/module-build-service/2/',
kojiUrl: 'http://127.0.0.1:9080/koji/'
};
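Review bot: `kojiUrl` points at `127.0.0.1:9080`, which, if this file is compiled into the browser bundle as Angular environment files usually are, resolves to the visitor's own machine rather than the Koji container, while `mbsUrl` uses a routable LAN address. Both are plain `http://`, so any OIDC bearer token the UI attaches to MBS requests would cross the network in cleartext; the MBS URL should become `https://` once the httpd SSL vhost is enabled. A comment above the object, e.g. `// Deployment-specific endpoints; must be browser-reachable hostnames, not container-internal ones`, would keep the loopback value from being copied into other environments.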

2
mbs-ui/.dockerignore Normal file

@@ -0,0 +1,2 @@
node_modules
dist

23
mbs-ui/Dockerfile Normal file

@@ -0,0 +1,23 @@
FROM node:10.24.0
WORKDIR /app
COPY . /app
RUN npm config set registry https://registry.npmmirror.com \
&& npm install @angular/cli@7.3.10 @angular-devkit/build-angular@0.13.10 @angular/compiler-cli@7.2.16 typescript@3.2.4 @angular/compiler@7.2.16 @angular/core@7.2.16 node-sass@4.14.1 -g --unsafe-perm \
&& npm install
## && npm run build -- --configuration=kylin-prod
## ng serve --host 0.0.0.0 --port 8080 --configuration kylin-prod
## dist
#FROM httpd:2.4
#COPY --from=build /app/dist/ /usr/local/apache2/htdocs/
EXPOSE 8080
#CMD ["nginx", "-g", "daemon off;"]
CMD ["ng", "serve", "--host", "0.0.0.0", "--port","8080", "--configuration" ,"kylin-prod","--disable-host-check"]
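Review bot: The container's runtime process is the Angular development server (`ng serve --host 0.0.0.0 --disable-host-check`), which is not meant to serve production traffic and, with the host check disabled, also loses its DNS-rebinding protection. The commented-out lines already show the intended shape: build `dist` in one stage and copy it into `httpd:2.4`, with the compose mapping becoming `4200:80`. Note that the bind mount of `environment.kylin.ts` in docker-compose.yml only takes effect with the dev server; a static build needs the file present at build time or a runtime-loaded JSON config. Separately, `npm install -g --unsafe-perm` as root and the EOL `node:10.24.0` base should be revisited, and copying `package*.json` before the rest of the source lets the dependency layer cache.
```dockerfile
FROM node:10.24.0 AS build
WORKDIR /app
COPY package*.json /app/
# … unchanged: npm registry + global Angular CLI install …
RUN npm install
COPY . /app
RUN npm run build -- --configuration=kylin-prod

FROM httpd:2.4
COPY --from=build /app/dist/ /usr/local/apache2/htdocs/
EXPOSE 80
```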

18
mbs-ui/docker-compose.yml Normal file

@@ -0,0 +1,18 @@
---
services:
mbs-ui:
image: mbs-ui-test:v2
restart: always
container_name: mbs-ui
volumes:
- ./environment.kylin.ts:/app/src/environments/environment.kylin.ts
ports:
- "4200:4200"
networks:
- mbs-net
networks:
mbs-net:
driver: bridge
external: true
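Review bot: The port mapping `"4200:4200"` does not match the image: the mbs-ui Dockerfile in this commit runs `ng serve --port 8080` and `EXPOSE 8080`, so host port 4200 forwards to nothing. The root docker-compose.yml already uses `- "4200:8080"`; this file should use the same. If this file exists only for running the UI on its own, a comment saying so would stop the two compose files drifting further.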


@@ -0,0 +1,5 @@
export const environment = {
production: true,
mbsUrl: 'http://127.0.0.1:9180/module-build-service/2/',
kojiUrl: 'http://127.0.0.1:9080/koji/'
};


@@ -1,5 +0,0 @@
export const environment = {
production: true,
mbsUrl: 'https://10.1.82.98:48443/module-build-service/2/',
kojiUrl: 'http://10.0.2.15/koji/'
};

48
mbs/Dockerfile Normal file

@@ -0,0 +1,48 @@
FROM fedora:36
WORKDIR /opt
COPY . /opt/mbs/
RUN rm /etc/yum.repos.d/{fedora-modular.repo,fedora-updates-modular.repo} -rf
RUN dnf install -y /opt/mbs/src/module-build-service-3.9.2-1.fc36.noarch.rpm \
&& dnf install fedmsg supervisor httpd python-psycopg2 python-memcached python-distro python3-libsemanage openssl mod_ssl rabbitmq-server mod_wsgi python3-mod_wsgi sqlite erlang SDL2 postgresql vim -y
## mbs-backend
RUN rm -f /etc/fedmsg.d/{module_build_service.py,mbs-logging.py} \
&& cp -a /opt/mbs/etc/module-build-service/* /etc/module-build-service/ \
&& chown root:fedmsg /etc/module-build-service/config.py /etc/module-build-service/koji.conf \
&& chmod 0640 /etc/module-build-service/config.py \
&& chmod 0644 /etc/module-build-service/koji.conf \
&& mkdir -pv /app/log/{fedmsg,httpd,mbs,mbs-poller,mbs-worker,rabbitmq} \
&& touch /app/log/mbs/module_build_service.log \
&& chmod 777 /app/log/mbs/module_build_service.log \
&& chown root:fedmsg /app -R \
&& mkdir -p /var/cache/fedmsg/ /usr/share/fedmsg \
&& chown fedmsg:fedmsg /var/cache/fedmsg/ /usr/share/fedmsg
## mbs httpd
RUN cp /opt/mbs/etc/httpd/conf.d/mbs.conf /etc/httpd/conf.d/mbs.conf \
&& openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -subj "/ CN=localhost"
RUN cp -a /opt/mbs/etc/fedmsg.d/* /etc/fedmsg.d/ \
&& cp -a /opt/mbs/etc/pki/* /etc/pki/ \
&& cp -a /opt/mbs/etc/supervisord.d/* /etc/supervisord.d/ \
&& cp -a /opt/mbs/etc/rpkg/fedpkg.conf /etc/rpkg/fedpkg.conf \
&& cp -a /opt/mbs/ensure_vhost.sh /
## 修复auth问题
RUN cp -a /opt/mbs/pydist/module_build_service/web/auth.py /usr/lib/python3.10/site-packages/module_build_service/web/auth.py \
&& cp -a /opt/mbs/pydist/pyrpkg/__init__.py /usr/lib/python3.10/site-packages/pyrpkg/__init__.py
RUN rm -f /run/supervisor/supervisor.sock
### 修复本地证书问题
##RUN openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -subj "/CN=localhost"
## supervisord
##RUN cp -a /opt/mbs/etc/supervisord.d/* /etc/supervisord.d/
EXPOSE 80 443
CMD ["/usr/bin/supervisord","-c","/etc/supervisord.conf","-n"]
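Review bot: The self-signed certificate subject is written as `-subj "/ CN=localhost"` with a space after the slash; OpenSSL reads the attribute type as ` CN`, which it does not recognise, so the certificate is most likely emitted with an empty subject (the commented-out line near the end of the file has the correct `/CN=localhost`). Change it to `-subj "/CN=localhost"`. `cp -a /opt/mbs/etc/pki/* /etc/pki/` copies whatever is under the repository's `etc/pki` into an image layer; if that includes private keys they should be mounted at run time rather than baked into the image. `chmod 777` on the MBS log file is wider than needed once `/app` is `chown`ed to `root:fedmsg` and the WSGI process runs as `fedmsg` per mbs.conf; `0664` would do. `RUN rm -f /run/supervisor/supervisor.sock` at build time has no effect on the running container and can be dropped.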

19
mbs/docker-compose.yml Normal file

@@ -0,0 +1,19 @@
---
services:
mbs:
image: mbs:test2
restart: always
container_name: mbs
#volumes:
# - ./data:/var/lib/postgresql/data
ports:
- "8280:80"
- "8243:443"
networks:
- mbs-net
networks:
mbs-net:
driver: bridge
external: true

20
mbs/ensure_vhost.sh Executable file

@@ -0,0 +1,20 @@
#!/bin/bash
RABBITMQ_USER="mbs"
RABBITMQ_PASSWORD="mbs"
RABBITMQ_VHOST="mbs"
rabbitmqctl start_app
# ensure_vhost.sh
# 确保虚拟主机存在
rabbitmqctl add_vhost "$RABBITMQ_VHOST" || true
# 确保用户存在
if ! rabbitmqctl list_users | grep -q "$RABBITMQ_USER"; then
rabbitmqctl add_user "$RABBITMQ_USER" "$RABBITMQ_PASSWORD"
fi
# 设置用户权限
rabbitmqctl set_permissions -p "$RABBITMQ_VHOST" "$RABBITMQ_USER" ".*" ".*" ".*" || true
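Review bot: The existence check `rabbitmqctl list_users | grep -q "$RABBITMQ_USER"` is a substring match, so any user whose name contains `mbs` (or the word appearing in the tags column) suppresses creation of the `mbs` user, and the broker then rejects the `amqp://mbs:mbs@localhost/mbs` URL configured in config.py. Compare the first column exactly: `if ! rabbitmqctl list_users | awk -v u="$RABBITMQ_USER" '$1 == u { f = 1 } END { exit !f }'; then`. The credentials are hard-coded as `mbs`/`mbs` and duplicated in config.py; taking them from the environment (`RABBITMQ_PASSWORD="${RABBITMQ_PASSWORD:?}"`) keeps the two in step and out of the image. A `set -euo pipefail` at the top would also stop the script from silently continuing when `rabbitmqctl start_app` fails, instead of the `|| true` fallbacks masking every error.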

87
mbs/env.py Normal file

@@ -0,0 +1,87 @@
from __future__ import with_statement
from alembic import context
from sqlalchemy import engine_from_config, pool
from logging.config import fileConfig
import logging
# this is the Alembic Config object, which provides
# access to the values within the .ini file in use.
config = context.config
# Interpret the config file for Python logging.
# This line sets up loggers basically.
fileConfig(config.config_file_name)
logger = logging.getLogger('alembic.env')
# add your model's MetaData object here
# for 'autogenerate' support
# from myapp import mymodel
# target_metadata = mymodel.Base.metadata
from flask import current_app
config.set_main_option('sqlalchemy.url',
current_app.config.get('SQLALCHEMY_DATABASE_URI'))
target_metadata = current_app.extensions['migrate'].db.metadata
# other values from the config, defined by the needs of env.py,
# can be acquired:
# my_important_option = config.get_main_option("my_important_option")
# ... etc.
def run_migrations_offline():
"""Run migrations in 'offline' mode.
This configures the context with just a URL
and not an Engine, though an Engine is acceptable
here as well. By skipping the Engine creation
we don't even need a DBAPI to be available.
Calls to context.execute() here emit the given string to the
script output.
"""
url = config.get_main_option("sqlalchemy.url")
context.configure(url=url)
with context.begin_transaction():
context.run_migrations()
def run_migrations_online():
"""Run migrations in 'online' mode.
In this scenario we need to create an Engine
and associate a connection with the context.
"""
# this callback is used to prevent an auto-migration from being generated
# when there are no changes to the schema
# reference: http://alembic.readthedocs.org/en/latest/cookbook.html
def process_revision_directives(context, revision, directives):
if getattr(config.cmd_opts, 'autogenerate', False):
script = directives[0]
if script.upgrade_ops.is_empty():
directives[:] = []
logger.info('No changes in schema detected.')
engine = engine_from_config(config.get_section(config.config_ini_section),
prefix='sqlalchemy.',
poolclass=pool.NullPool)
connection = engine.connect()
context.configure(connection=connection,
target_metadata=target_metadata,
process_revision_directives=process_revision_directives,
**current_app.extensions['migrate'].configure_args)
try:
with context.begin_transaction():
context.run_migrations()
finally:
connection.close()
if context.is_offline_mode():
run_migrations_offline()
else:
run_migrations_online()

83
mbs/etc/fedmsg.d/base.py Normal file

@@ -0,0 +1,83 @@
# This file is part of fedmsg.
# Copyright (C) 2012 Red Hat, Inc.
#
# fedmsg is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# fedmsg is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with fedmsg; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Authors: Ralph Bean <rbean@redhat.com>
config = dict(
# Prefix for the topic of each message sent.
topic_prefix="org.kylinosproject",
# Set this to dev if you're hacking on fedmsg or an app.
# Set to stg or prod if running in the Fedora Infrastructure
environment="prod",
# Default is 0
high_water_mark=0,
io_threads=1,
# For the fedmsg-hub and fedmsg-relay. ##
# This is a status dir to keep a record of the last processed message
# status_directory=os.getcwd() + "/status",
# status_directory='/var/run/fedmsg/status',
# This is the URL of a datagrepper instance that we can query for backlog.
# datagrepper_url="https://apps.fedoraproject.org/datagrepper/raw",
# We almost always want the fedmsg-hub to be sending messages with zmq as
# opposed to amqp or stomp. You can send with only *one* of the messaging
# backends: zeromq or amqp or stomp. You cannot send with two or more at
# the same time. Here, zmq is either enabled, or it is not. If it is not,
# see the options below for how to configure stomp or amqp.
zmq_enabled=True,
# On the other hand, if you wanted to use STOMP *instead* of zeromq, you
# could do the following...
# zmq_enabled=False,
# stomp_uri='localhost:59597,localhost:59598',
# stomp_user='username',
# stomp_pass='password',
# stomp_ssl_crt='/path/to/an/optional.crt',
# stomp_ssl_key='/path/to/an/optional.key',
# When subscribing to messages, we want to allow splats ('*') so we tell
# the hub to not be strict when comparing messages topics to subscription
# topics.
zmq_strict=False,
# Number of seconds to sleep after initializing waiting for sockets to sync
post_init_sleep=0.5,
# Wait a whole second to kill all the last io threads for messages to
# exit our outgoing queue (if we have any). This is in milliseconds.
zmq_linger=1000,
# See the following
# - http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/overview.html
# - http://api.zeromq.org/3-2:zmq-setsockopt
zmq_tcp_keepalive=1,
zmq_tcp_keepalive_cnt=3,
zmq_tcp_keepalive_idle=60,
zmq_tcp_keepalive_intvl=5,
# Number of miliseconds that zeromq will wait to reconnect until it gets
# a connection if an endpoint is unavailable.
zmq_reconnect_ivl=100,
# Max delay that you can reconfigure to reduce reconnect storm spam. This
# is in miliseconds.
zmq_reconnect_ivl_max=1000,
)


@@ -0,0 +1,38 @@
# This file is part of fedmsg.
# Copyright (C) 2012 Red Hat, Inc.
#
# fedmsg is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# fedmsg is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with fedmsg; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Authors: Ralph Bean <rbean@redhat.com>
#
config = dict(
# This is a dict of possible addresses from which fedmsg can send
# messages. fedmsg.init(...) requires that a 'name' argument be passed
# to it which corresponds with one of the keys in this dict.
endpoints={
# These are here so your local box can listen to the upstream
# infrastructure's bus. Cool, right? :)
"fedora-infrastructure": [
# "tcp://hub.fedoraproject.org:9940",
# "tcp://stg.fedoraproject.org:9940",
],
# "debian-infrastructure": [
# "tcp://fedmsg.olasd.eu:9940",
# ],
# "anitya-public-relay": [
# "tcp://release-monitoring.org:9940",
# ],
},
)


@@ -0,0 +1,8 @@
config = {
# This is the port for a special, outbound ZMQ pub socket on which we'll
# rebroadcast everything on the fedmsg bus.
'fedmsg.consumers.gateway.port': 9940,
# Set this number to near, but not quite the fs.file-limit. Try 160000.
'fedmsg.consumers.gateway.high_water_mark': 10000,
}


@@ -0,0 +1,58 @@
# This file is part of fedmsg.
# Copyright (C) 2012 Red Hat, Inc.
#
# fedmsg is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# fedmsg is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with fedmsg; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Authors: Ralph Bean <rbean@redhat.com>
#
config = dict(
irc=[
dict(
network='irc.freenode.net',
port=6667,
ssl=False,
nickname='fedmsg-dev',
channel='my-fedmsg-channel',
timeout=120,
make_pretty=True,
make_terse=True,
make_short=True,
line_rate=0.9,
# Don't show the heartbeat... gross.
filters=dict(
topic=[],
body=['lub-dub'],
),
),
],
# the available colors can be looked up from here:
# https://github.com/fedora-infra/fedmsg/blob/0.16.4/fedmsg/consumers/ircbot.py#L48-L65
irc_color_lookup={
"fas": "light blue",
"bodhi": "green",
"git": "red",
"tagger": "brown",
"wiki": "purple",
"logger": "orange",
"pkgdb": "teal",
"buildsys": "yellow",
"planet": "light green",
},
# color for title if color lookup not defined
irc_default_color='light grey',
irc_method='notice', # Either 'msg' or 'notice'
)


@@ -0,0 +1,35 @@
# Setup fedmsg logging.
# See the following for constraints on this format https://bit.ly/Xn1WDn
bare_format = "[%(asctime)s][%(name)10s %(levelname)7s] %(message)s"
config = dict(
logging=dict(
version=1,
formatters=dict(
bare={
"datefmt": "%Y-%m-%d %H:%M:%S",
"format": bare_format
},
),
handlers=dict(
console={
"class": "logging.StreamHandler",
"formatter": "bare",
"level": "DEBUG",
"stream": "ext://sys.stdout",
},
),
loggers=dict(
fedmsg={
"level": "DEBUG",
"propagate": True,
"handlers": ["console"],
},
moksha={
"level": "DEBUG",
"propagate": True,
"handlers": ["console"],
},
),
),
)


@@ -0,0 +1,5 @@
config = dict(
endpoints={
"module_build_service.mbs-backend": ["tcp://127.0.0.1:3001"]
},
)


@@ -0,0 +1,17 @@
#import socket
#
#config = {
# # So that the MBS can find it's cert in /etc/fedmsg.d/ssl.py
# 'cert_prefix': 'mbs',
# 'name': 'mbs.%s' % socket.gethostname().split('.', 1)[0],
#}
config = {
'zmq_enabled': True,
'validate_signatures': False,
'moksha.blocking_mode': True,
# moksha-monitor-exporter's point of contact
'moksha.monitoring.socket': 'tcp://0.0.0.0:10030',
}
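Review bot: The moksha monitoring socket is bound to `tcp://0.0.0.0:10030`, i.e. every interface in the container, while the other fedmsg endpoints in this commit stay on `127.0.0.1`. Nothing in the compose files publishes that port, so exposure is limited to containers on `mbs-net`, but unless another container is meant to scrape it, `'moksha.monitoring.socket': 'tcp://127.0.0.1:10030'` is the safer default. If the wide bind is intentional, a comment saying which consumer needs it would help the next reader.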


@@ -0,0 +1,19 @@
config = dict(
logging=dict(
loggers=dict(
# Quiet this guy down...
requests={
"level": "DEBUG",
"propagate": True,
},
module_build_service={
"level": "DEBUG",
"propagate": True,
},
),
root=dict(
handlers=["console"],
level="DEBUG",
),
),
)


@@ -0,0 +1 @@
config = {"mbsconsumer": True}


@@ -0,0 +1,44 @@
import os
config = {
# Just for dev.
"validate_signatures": False,
# Talk to the relay, so things also make it to composer.stg in our dev env
"active": True,
# Since we're in active mode, we don't need to declare any of our own
# passive endpoints. This placeholder value needs to be here for the tests
# to pass in Jenkins, though. \o/
"endpoints": {
"fedora-infrastructure": [
# Just listen to staging for now, not to production (spam!)
# "tcp://hub.fedoraproject.org:9940",
#"tcp://stg.fedoraproject.org:9940"
]
},
# Start of code signing configuration
# 'sign_messages': True,
# 'validate_signatures': True,
# 'crypto_backend': 'x509',
# 'crypto_validate_backends': ['x509'],
# 'ssldir': '/opt/module_build_service/pki',
# 'crl_location': 'http://localhost/crl/ca.crl',
# 'crl_cache': '/etc/pki/fedmsg/crl.pem',
# 'crl_cache_expiry': 10,
# 'ca_cert_location': 'http://localhost/crl/ca.crt',
# 'ca_cert_cache': '/etc/pki/fedmsg/ca.crt',
# 'ca_cert_cache_expiry': 0, # Never expires
# 'certnames': {
# 'module_build_service.localhost': 'localhost'
# }
# End of code signing configuration
}
# developer's instance
true_options = ("1", "on", "true", "y", "yes")
if os.environ.get("MODULE_BUILD_SERVICE_DEVELOPER_ENV", "").lower() in true_options:
config["endpoints"]["relay_outbound"] = ["tcp://fedmsg-relay:2001"]
config["relay_inbound"] = ["tcp://fedmsg-relay:2003"]
else:
# These configuration values are reasonable for most other configurations.
config["endpoints"]["relay_outbound"] = ["tcp://127.0.0.1:4001"]
config["relay_inbound"] = ["tcp://127.0.0.1:2003"]
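Review bot: `"validate_signatures": False` is labelled `# Just for dev.`, but base.py in this same commit sets `environment="prod"`, so this deployment accepts unsigned bus messages in what is configured as production. With the relay and hub endpoints bound to `127.0.0.1` the practical exposure is whoever can publish on the container's loopback, which may be acceptable, but that should be stated rather than left under a dev comment, e.g. `# Signature validation is off: the bus is container-local (127.0.0.1 only); revisit if any endpoint is exposed`. The commented-out signing block below the setting shows what enabling x509 validation would need.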

39
mbs/etc/fedmsg.d/relay.py Normal file

@@ -0,0 +1,39 @@
# This file is part of fedmsg.
# Copyright (C) 2012 Red Hat, Inc.
#
# fedmsg is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# fedmsg is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with fedmsg; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Authors: Ralph Bean <rbean@redhat.com>
#
config = dict(
endpoints={
# This is the output side of the relay to which all other
# services can listen.
"relay_outbound": [
"tcp://127.0.0.1:4001",
#"tcp://127.0.0.1:9941",
],
},
# This is the address of an active->passive relay. It is used for the
# fedmsg-logger command which requires another service with a stable
# listening address for it to send messages to.
# It is also used by the git-hook, for the same reason.
# It is also used by the mediawiki php plugin which, due to the oddities of
# php, can't maintain a single passive-bind endpoint of it's own.
relay_inbound="tcp://127.0.0.1:2003",
#relay_inbound="tcp://127.0.0.1:3999",
)

65
mbs/etc/fedmsg.d/ssl.py Normal file

@@ -0,0 +1,65 @@
# This file is part of fedmsg.
# Copyright (C) 2012 - 2014 Red Hat, Inc.
#
# fedmsg is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# fedmsg is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with fedmsg; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Authors: Ralph Bean <rbean@redhat.com>
#
import os
SEP = os.path.sep
here = os.getcwd()
config = dict(
sign_messages=False,
validate_signatures=False,
# Use these implementations to sign and validate messages
crypto_backend='x509',
crypto_validate_backends=['x509'],
ssldir="/etc/pki/fedmsg",
crl_location="https://fedoraproject.org/fedmsg/crl.pem",
crl_cache="/var/run/fedmsg/crl.pem",
crl_cache_expiry=3600,
ca_cert_location="https://fedoraproject.org/fedmsg/ca.crt",
ca_cert_cache="/var/run/fedmsg/ca.crt",
ca_cert_cache_expiry=0, # Never expires
certnames={
# In prod/stg, map hostname to the name of the cert in ssldir.
# Unfortunately, we can't use socket.getfqdn()
# "app01.stg": "app01.stg.phx2.fedoraproject.org",
},
# A mapping of fully qualified topics to a list of cert names for which
# a valid signature is to be considered authorized. Messages on topics not
# listed here are considered automatically authorized.
routing_policy={
# Only allow announcements from production if they're signed by a
# certain certificate.
"org.fedoraproject.prod.announce.announcement": [
"announce-lockbox.phx2.fedoraproject.org",
],
},
# Set this to True if you want messages to be dropped that aren't
# explicitly whitelisted in the routing_policy.
# When this is False, only messages that have a topic in the routing_policy
# but whose cert names aren't in the associated list are dropped; messages
# whose topics do not appear in the routing_policy are not dropped.
routing_nitpicky=False,
)


@@ -0,0 +1,43 @@
#Listen 0.0.0.0:80 http
#Listen 0.0.0.0:8443 http
#<IfModule mod_ssl.c>
#WSGISocketPrefix run/wsgi
#WSGIRestrictStdout Off
#WSGIRestrictSignal Off
#WSGIPythonOptimize 1
<VirtualHost *:80>
#<VirtualHost *:8443>
ServerName mbs.leap.host
# WSGIDaemonProcess mbs user=mbs group=mbs threads=6
WSGIDaemonProcess mbs user=fedmsg group=fedmsg maximum-requests=1000 display-name=mbs processes=1 threads=1
WSGIScriptAlias / /etc/module-build-service/mbs.wsgi
WSGIPassAuthorization on
<Directory /etc/module-build-service>
WSGIProcessGroup mbs
WSGIApplicationGroup %{GLOBAL}
# WSGIApplicationGroup %{GLOBAL}
Require all granted
</Directory>
# <Location /> # <- 测试时不使用 Krb 注释掉
# AuthType GSSAPI
# AuthName "GSSAPI Single Sign On Login"
# GssapiCredStore keytab:/etc/koji.keytab
# Require valid-user
# </Location>
# 测试时不使用 SSL 注释掉
# SSLCertificateFile /etc/letsencrypt/live/mbs.gnulab.org/fullchain.pem
# SSLCertificateKeyFile /etc/letsencrypt/live/mbs.gnulab.org/privkey.pem
# Include /etc/letsencrypt/options-ssl-apache.conf
CustomLog logs/mbs_access.log combined
ErrorLog logs/mbs_error.log
</VirtualHost>
#</IfModule>
RewriteEngine on
RewriteRule ^(|/+)$ /module-build-service/1/module-builds/ [L,R=302]
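Review bot: `RewriteEngine on` and the `RewriteRule` sit outside the `<VirtualHost *:80>`; mod_rewrite directives in server context are not inherited by virtual hosts unless `RewriteOptions Inherit` is set, so the redirect from `/` will not fire for requests handled by this vhost. Move both lines inside the VirtualHost (or add `RewriteOptions Inherit`), and note the target is the `/1/` API while environment.kylin.ts uses `/2/`. The vhost is plain HTTP with `WSGIPassAuthorization on`, so client Authorization headers (OIDC bearer tokens, given the OIDC settings in config.py) are forwarded in cleartext; the SSL lines are commented out as "for testing" and should come back before this serves real users.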


@@ -0,0 +1,13 @@
{
"web": {
"auth_uri": "http://192.168.68.86:8080/realms/master/protocol/openid-connect/auth",
"client_id": "module_build_service",
"client_secret": "b8hjG9hI05CPceq83wDudu7t9fQpoJXo",
"redirect_uris": [
"http://localhost:13747/"
],
"token_uri": "http://192.168.68.86:8080/realms/master/protocol/openid-connect/token",
"token_introspection_uri": "http://192.168.68.86:8080/realms/master/protocol/openid-connect/token/introspect",
"userinfo_uri": "http://192.168.68.86:8080/realms/master/protocol/openid-connect/userinfo"
}
}
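Review bot: `client_secret` for the `module_build_service` OIDC client is committed in the clear; it must be rotated in Keycloak now and the file kept out of the repository (the mbs Dockerfile appears to copy it into `/etc/module-build-service/` at build time, so a runtime mount or secret would replace that). All four Keycloak endpoints are `http://`, which means the token-introspection calls MBS makes with this secret, and the tokens themselves, travel unencrypted between the two hosts. The client also lives in the `master` realm, which Keycloak reserves for administering other realms; application clients normally belong in a dedicated realm.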


@@ -0,0 +1,323 @@
# -*- coding: utf-8 -*-
# SPDX-License-Identifier: MIT
from os import environ, path
# FIXME: workaround for this moment till confdir, dbdir (installdir etc.) are
# declared properly somewhere/somehow
confdir = path.abspath(path.dirname(__file__))
# use parent dir as dbdir else fallback to current dir
dbdir = path.abspath(path.join(confdir, "..")) if confdir.endswith("conf") else confdir
class BaseConfiguration(object):
DEBUG = False
# Make this random (used to generate session keys)
SECRET_KEY = "74d9e9f9cd40e66fc6c4c2e9987dce48df3ce98542529fd0"
SQLALCHEMY_DATABASE_URI = "sqlite:///{0}".format(path.join(dbdir,"module_build_service.db"))
SQLALCHEMY_TRACK_MODIFICATIONS = True
# Where we should run when running "manage.py run" directly.
HOST = "0.0.0.0"
PORT = 5000
# Global network-related values, in seconds
NET_TIMEOUT = 120
NET_RETRY_INTERVAL = 30
SYSTEM = "koji"
MESSAGING = "fedmsg" ## in_memory, fedmsg or amq
MESSAGING_TOPIC_PREFIX = ["org.fedoraproject.prod"]
KOJI_CONFIG = "/etc/module-build-service/koji.conf"
KOJI_PROFILE = "koji"
ARCHES = ["i686", "armv7hl", "x86_64"]
ALLOW_ARCH_OVERRIDE = False
KOJI_REPOSITORY_URL = "https://kojipkgs.fedoraproject.org/repos"
## 允许的前缀
KOJI_TAG_PREFIXES = ["module", "scrmod"]
KOJI_ENABLE_CONTENT_GENERATOR = True
CHECK_FOR_EOL = False
PDC_URL = "https://pdc.fedoraproject.org/rest_api/v1"
PDC_INSECURE = False
PDC_DEVELOP = True
SCMURLS = ["https://src.fedoraproject.org/modules/"]
YAML_SUBMIT_ALLOWED = False
# How often should we resort to polling, in seconds
# Set to zero to disable polling
POLLING_INTERVAL = 600
# Determines how many builds that can be submitted to the builder
# and be in the build state at a time. Set this to 0 for no restrictions
NUM_CONCURRENT_BUILDS = 5
ALLOW_CUSTOM_SCMURLS = False
RPMS_DEFAULT_REPOSITORY = "https://src.fedoraproject.org/rpms/"
RPMS_ALLOW_REPOSITORY = False
RPMS_DEFAULT_CACHE = "http://pkgs.fedoraproject.org/repo/pkgs/"
RPMS_ALLOW_CACHE = False
MODULES_DEFAULT_REPOSITORY = "https://src.fedoraproject.org/modules/"
MODULES_ALLOW_REPOSITORY = False
MODULES_ALLOW_SCRATCH = False
ALLOWED_GROUPS = {"packager"}
ALLOWED_GROUPS_TO_IMPORT_MODULE = set()
# Available backends are: console and file
LOG_BACKEND = "file"
#LOG_BACKEND = "console"
# Path to log file when LOG_BACKEND is set to "file".
#LOG_FILE = "module_build_service.log"
LOG_FILE = "/tmp/module_build_service.log.1"
# Available log levels are: debug, info, warn, error.
#LOG_LEVEL = "info"
LOG_LEVEL = "debug"
# Settings for Kerberos
KRB_KEYTAB = None
KRB_PRINCIPAL = None
# AMQ prefixed variables are required only while using 'amq' as messaging backend
# Addresses to listen to
#AMQ_RECV_ADDRESSES = [
#"amqps://messaging.mydomain.com/Consumer.m8y.VirtualTopic.eng.koji",
#"amqps://messaging.mydomain.com/Consumer.m8y.VirtualTopic.eng.module_build_service",
#]
#OIDC_CLIENT_SECRETS = path.join(confdir, 'client_secrets.json')
#OIDC_REQUIRED_SCOPE = 'https://mbs.fedoraproject.org/oidc/submit-build'
#OIDC_REQUIRED_SCOPE = "openid"
# Address for sending messages
AMQ_DEST_ADDRESS = "amqps://messaging.mydomain.com/Consumer.m8y.VirtualTopic.eng.module_build_service"
AMQ_CERT_FILE = "/etc/module_build_service/msg-m8y-client.crt"
AMQ_PRIVATE_KEY_FILE = "/etc/module_build_service/msg-m8y-client.key"
AMQ_TRUSTED_CERT_FILE = "/etc/module_build_service/Root-CA.crt"
# Disable Client Authorization
NO_AUTH = False
#class TestConfiguration(BaseConfiguration):
# BUILD_LOGS_DIR = "/tmp"
# BUILD_LOGS_NAME_FORMAT = "build-{id}.log"
# LOG_BACKEND = "console"
# LOG_LEVEL = "debug"
# SQLALCHEMY_DATABASE_URI = environ.get("DATABASE_URI", "sqlite:///:memory:")
# DEBUG = True
# MESSAGING = "in_memory"
# PDC_URL = "https://pdc.fedoraproject.org/rest_api/v1"
# # Global network-related values, in seconds
# NET_TIMEOUT = 3
# NET_RETRY_INTERVAL = 1
# # SCM network-related values, in seconds
# SCM_NET_TIMEOUT = 0.1
# SCM_NET_RETRY_INTERVAL = 0.1
# KOJI_CONFIG = "./conf/koji.conf"KOJI_PROFILE = "staging"
# SERVER_NAME = "localhost"
# KOJI_REPOSITORY_URL = "https://kojipkgs.stg.fedoraproject.org/repos"
# SCMURLS = ["https://src.stg.fedoraproject.org/modules/"]
# AUTH_METHOD = "oidc"
# RESOLVER = "db"
# ALLOWED_GROUPS_TO_IMPORT_MODULE = {"mbs-import-module"}
# # Greenwave configuration
# GREENWAVE_URL = "https://greenwave.example.local/api/v1.0/"
# GREENWAVE_DECISION_CONTEXT = "test_dec_context"
# GREENWAVE_SUBJECT_TYPE = "some-module"
# STREAM_SUFFIXES = {r"^el\d+\.\d+\.\d+\.z$": 0.1}
#
class ProdConfiguration(object):
#class ProdConfiguration(BaseConfiguration):
#TEST_URI = "http://127.0.0.1:8000/test"
DEBUG = False
# Make this random (used to generate session keys)
SECRET_KEY = "74d9e9f9cd40e66fc6c4c2e9987dce48df3ce98542529126"
SQLALCHEMY_DATABASE_URI = "sqlite:///{0}".format(path.join(dbdir, "module_build_service.db")) # 测试期间就用 SQLite 了
#SQLALCHEMY_DATABASE_URI = 'postgresql://mbs:mysupersecretepasswordmbs@koji.gnulab.org/mbs'
SQLALCHEMY_TRACK_MODIFICATIONS = True
# Where we should run when running "manage.py run" directly.
#HOST = "0.0.0.0"
#PORT = 5000
# Global network-related values, in seconds
NET_TIMEOUT = 120
NET_RETRY_INTERVAL = 30
#DISTGITS = {"git+https://git.centos.org": ("git clone {repo_path}", "get_sources.sh")}
SYSTEM = "koji"
MESSAGING = "in_memory" # in_memory, fedmsg or amq
#MESSAGING_TOPIC_PREFIX = ["org.kylinosproject.prod"] # 修改为与 Fedmsg 配置一致
#MESSAGING_TOPIC_PREFIX = ['org.kylinosproject.mbs','org.kylinosprojec.prod','org.kylinosprojec.dev'] # 修改为与 Fedmsg 配置一致
KOJI_CONFIG = "/etc/module-build-service/koji.conf"
KOJI_PROFILE = "koji"
ARCHES = ["x86_64"] ### 需要修改
ALLOW_ARCH_OVERRIDE = False
KOJI_PROXYUSER = True
#KOJI_PROXYUSER = False
KOJI_REPOSITORY_URL = "http://leap.host:9081/kojifiles/repo"
#KOJI_REPOSITORY_URL = "http://leap.host/kojifilesi/repo"
#KOJI_REPOSITORY_URL = "http://leap.host/kojifiles"
#KOJI_TAG_PREFIXES = ["module", "scrmod"]
## 前缀
KOJI_TAG_PREFIXES = ["module","scrmod" ]
# 是否将模块导入koji
KOJI_ENABLE_CONTENT_GENERATOR = True
##
KOJI_TAG_PERMISSION = "admin"
DEFAULT_DIST_TAG_PREFIX = 'module_'
# Delete module-* targets one hour after build
KOJI_TARGET_DELETE_TIME = 3600
# These aren't really secret.
OIDC_CLIENT_SECRETS = path.join(confdir, 'client_secrets.json')
#OIDC_REQUIRED_SCOPE = 'https://mbs.fedoraproject.org/oidc/submit-build'
OIDC_REQUIRED_SCOPE = "openid" # 改
CHECK_FOR_EOL = False
PDC_URL = "https://pdc.fedoraproject.org/rest_api/v1"
PDC_INSECURE = False
PDC_DEVELOP = True
## 提交 SUBMIT
SCMURLS = ["https://src.fedoraproject.org","git+https://git.centos.org/", "https://git.centos.org/","git+https://gitea.warlockfish.com/"] ## 需要修改
ALLOW_STREAM_OVERRIDE_FROM_SCM = True
YAML_SUBMIT_ALLOWED = True
## 允许维护人员指定与 git 分支不同的内容
ALLOW_NAME_OVERRIDE_FROM_SCM = True
ALLOW_STREAM_OVERRIDE_FROM_SCM = True
## 控制模块在生成后标记
BASE_MODULE_NAMES = set(['platform', 'bootstrap'])
KOJI_CG_TAG_BUILD = True
KOJI_CG_BUILD_TAG_TEMPLATE = "{}-modular-updates-candidate"
KOJI_CG_DEFAULT_BUILD_TAG = "modular-updates-candidate"
# How often should we resort to polling, in seconds
# Set to zero to disable polling
POLLING_INTERVAL = 3600
## 编译优先级
KOJI_BUILD_PRIORITY = 4
# Determines how many builds that can be submitted to the builder
# and be in the build state at a time. Set this to 0 for no restrictions
NUM_CONCURRENT_BUILDS = 5
NUM_CONSECUTIVE_BUILDS = 5 #增
ALLOW_CUSTOM_SCMURLS = True
RPMS_DEFAULT_REPOSITORY = "git+https://git.centos.org/rpms/" ## 需要修改
RPMS_ALLOW_REPOSITORY = False
RPMS_DEFAULT_CACHE = "https://src.fedoraproject.org/repo/pkgs/" ## 需要修改
RPMS_ALLOW_CACHE = False
MODULES_DEFAULT_REPOSITORY = "git+https://git.centos.org/modules/" ##需要修改
MODULES_ALLOW_REPOSITORY = False
MODULES_ALLOW_SCRATCH = True
ALLOW_ONLY_COMPATIBLE_BASE_MODULES = True
# ALLOWED_GROUPS_TO_IMPORT_MODULE = set()
ALLOWED_GROUPS = {"packager"}
ADMIN_GROUPS = [
# Test env, only packager group exists
'packager',
'factory2',
'releng',
] # 增
# KOJI_CG_DEVEL_MODULE = True
# KOJI_PROXYUSER = True
# REBUILD_STRATEGY = 'only-changed'
## all , only-changed
REBUILD_STRATEGY = 'all'
REBUILD_STRATEGY_ALLOW_OVERRIDE = True
# backends 日志类型: console, file, journal.
LOG_BACKEND = "file"
# Path to log file when LOG_BACKEND is set to "file".
LOG_FILE = "/app/log/mbs/module_build_service.log"
#LOG_FILE = "/var/log/mbs/module_build_service.log"
# Available log levels are: debug, info, warn, error.
LOG_LEVEL = "debug"
# Settings for Kerberos
#KRB_KEYTAB = "/etc/mbs.keytab"
#KRB_PRINCIPAL = "mbs@GNULAB.ORG"
KRB_KEYTAB = None
KRB_PRINCIPAL = None
KRB_CCACHE = None #增
# AMQ prefixed variables are required only while using 'amq' as messaging backend
# Addresses to listen to
#AMQ_RECV_ADDRESSES = [
# "amqps://mbs:mbs@localhost/mbs",
#]
# Address for sending messages
#AMQ_DEST_ADDRESS = \
# "amqps://mbs:mbs@localhost/mbs"
# AMQ_CERT_FILE = "/etc/module_build_service/msg-m8y-client.crt"
# AMQ_PRIVATE_KEY_FILE = "/etc/module_build_service/msg-m8y-client.key"
#AMQ_TRUSTED_CERT_FILE = "/etc/module_build_service/Root-CA.crt"
CELERY_BROKER_URL = "amqp://mbs:mbs@localhost/mbs"
# Disable Client Authorization
#NO_AUTH = True # 测试或者内部使用可以关闭认证
NO_AUTH = False # 测试或者内部使用可以关闭认证
#AUTH_METHOD = "oidc"
# frontend
#AUTH_METHOD = "kerberos"
#LDAP_URI = "ldap://koji.gnulab.org"
#LDAP_GROUPS_DN = "ou=group,dc=gnulab,dc=org"
#ADMIN_GROUPS = {"packageradmin"}
RESOLVER = "db"
NUM_WORKERS = 3
# Extra options set for newly created Koji tags
#KOJI_TAG_EXTRA_OPTS = {
# "mock.package_manager": "dnf",
# This is needed to include all the Koji builds (and therefore
# all the packages) from all inherited tags into this tag.
# See https://pagure.io/koji/issue/588 and
# https://pagure.io/fm-orchestrator/issue/660 for background.
# "repo_include_all": True,
# Has been requested by Fedora infra in
# https://pagure.io/fedora-infrastructure/issue/7620.
# Disables systemd-nspawn for chroot.
# "mock.new_chroot": 0,
# Works around fail-safe mechanism added in DNF 4.2.7
# https://pagure.io/fedora-infrastructure/issue/8410
# "mock.yum.module_hotfixes": 1,
#}
### 每次构建日志
BUILD_LOGS_DIR = '/var/tmp' #增
#class LocalBuildConfiguration(BaseConfiguration):
# CACHE_DIR = "~/modulebuild/cache"
# LOG_LEVEL = "debug"
# MESSAGING = "in_memory"
# ARCH_AUTODETECT = True
# ARCH_FALLBACK = "x86_64"
# ALLOW_CUSTOM_SCMURLS = True
# RESOLVER = "mbs"
# RPMS_ALLOW_REPOSITORY = True
# MODULES_ALLOW_REPOSITORY = True
#
#class OfflineLocalBuildConfiguration(LocalBuildConfiguration):
# RESOLVER = "local"
#
#class DevConfiguration(LocalBuildConfiguration):
# DEBUG = True
# LOG_BACKEND = "console"


@@ -0,0 +1,18 @@
[koji]
#server = http://192.168.68.86:9080/kojihub
server = https://leap.host:9081/kojihub
weburl = https://leap.host:9081/koji
#weburl = http://192.168.68.86:9080/koji
topdir = /mnt/koji
topurl = https://leap.host:9081/kojifiles
#topurl = http://192.168.68.86:9080/kojifiles
authtype = ssl
cert = /etc/pki/mbs.pem
#cert = /home/mbs/.koji/mbs.pem
#serverca = /home/mbs/.koji/koji_ca_cert.crt
serverca = /etc/pki/koji_ca_cert.crt
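Review bot: `cert = /etc/pki/mbs.pem` points at a file that, in this same commit, bundles the client certificate with its unencrypted RSA private key, i.e. it is the credential MBS uses to act against the Koji hub under `authtype = ssl`. Nothing in this file or the commit says who may read it; any process that can read that path can impersonate MBS to Koji, so it has to be owned by the user MBS runs as with mode 0600, not shipped as an executable file inside the image. I would add `# mbs.pem holds the client key: mode 0600, owned by the service user, mounted at runtime` above `cert =`, and delete the commented-out `http://192.168.68.86:9080` variants rather than keep them as live alternatives, since pointing `server`/`topurl` at plain HTTP would move hub calls and file fetches to cleartext and `authtype = ssl` cannot work without TLS anyway.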


@@ -0,0 +1,3 @@
import logging
logging.basicConfig(level=logging.DEBUG)
from module_build_service import app as application
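Review bot: `logging.basicConfig(level=logging.DEBUG)` in the WSGI entry point sets DEBUG on the root logger for the entire httpd worker process, not just MBS, so every library in that process (requests/urllib3, ldap3, and whatever else the app imports) logs at debug level into the httpd log for as long as this file exists. MBS already has `LOG_LEVEL` and `LOG_BACKEND` in config.py for this purpose, so the line duplicates that control in a place nobody looks at; I would drop it (or at most use `logging.INFO`) and leave `# Logging is configured by module_build_service itself via LOG_LEVEL/LOG_BACKEND in config.py` in its place.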


@@ -0,0 +1,15 @@
config_opts['root'] = '$root'
config_opts['target_arch'] = '$arch'
config_opts['legal_host_arches'] = ('$arch',)
config_opts['chroot_setup_cmd'] = 'install $group'
config_opts['dist'] = ''
config_opts['extra_chroot_dirs'] = [ '/run/lock', ]
config_opts['releasever'] = '$releasever'
config_opts['package_manager'] = 'dnf'
config_opts['nosync'] = True
config_opts['use_bootstrap_container'] = False
config_opts['module_enable'] = $enabled_modules
config_opts['yum.conf'] = """
$yum_conf
"""

Binary file not shown.

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,18 @@
[main]
keepcache=1
debuglevel=2
reposdir=/dev/null
logfile=/var/log/yum.log
retries=20
obsoletes=1
gpgcheck=0
assumeyes=1
syslog_ident=mock
syslog_device=
install_weak_deps=0
metadata_expire=3600
mdpolicy=group:primary
module_platform_id=$module_platform_id
# repos
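Review bot: `gpgcheck=0` disables RPM signature verification for every package installed into the mock buildroot, so whatever repositories get appended after the `# repos` marker (presumably the Koji tag repos filled in by MBS — confirm) are trusted on transport alone. Even with the hub and `topurl` on HTTPS, that leaves a compromised or mis-tagged repo able to feed unsigned packages into every module build, which is exactly the supply-chain exposure signature checks exist for. If the internal Koji builds are signed, set `gpgcheck=1` and add the key with `gpgkey=` in the appended repo stanzas; if they are not signed, keep `gpgcheck=0` but say so explicitly, e.g. `# gpgcheck=0: internal Koji builds are unsigned; buildroot content is trusted via the Koji tag, not signatures`.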

25
mbs/etc/pki/koji_ca_cert.crt Executable file

@@ -0,0 +1,25 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

113
mbs/etc/pki/mbs.pem Executable file

@@ -0,0 +1,113 @@
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 7 (0x7)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=CN, ST=Beijing, L=Beijing, O=Leap, OU=kojiCA, CN=leap.host
Validity
Not Before: Sep 12 16:19:53 2024 GMT
Not After : Sep 10 16:19:53 2034 GMT
Subject: C=CN, ST=Beijing, O=Leap, OU=user, CN=mbs
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:dc:cb:19:32:81:30:4b:65:10:af:24:da:d7:f4:
25:85:15:fb:d3:6d:43:76:77:5e:7b:c1:61:e6:b5:
94:f1:5e:1c:9c:ec:cd:73:17:49:ed:99:7a:04:59:
29:0d:54:c7:7f:64:fb:cd:69:b6:c0:32:0e:a6:b6:
3b:1f:94:ef:6c:56:31:9a:0b:3c:52:10:cb:ab:4d:
13:ac:70:1f:a5:3b:48:58:2f:d9:5e:81:19:2a:5f:
9a:a7:d5:59:f4:64:4e:bf:75:b3:b1:73:65:ce:9c:
74:a6:ae:65:7e:20:15:47:98:0c:00:0f:5e:64:28:
1a:1a:93:ef:79:e3:87:2b:e1:2c:24:7e:16:ef:4e:
e2:50:99:3e:71:9f:9f:5f:8e:0d:61:3d:80:b3:fb:
1c:d6:f6:5d:bb:02:84:a2:36:95:10:5b:83:81:4a:
ef:ba:e0:e4:b5:f0:d4:9e:1d:43:24:8d:b2:af:58:
0e:51:5d:91:67:c3:b6:d0:ec:c0:c6:6d:85:a8:7b:
3f:c3:76:ee:24:45:49:41:60:46:86:08:38:8b:62:
03:b7:6e:11:d6:ae:00:e0:eb:b3:cf:76:6e:91:68:
dd:29:db:d0:e0:03:11:42:1b:df:75:58:70:63:36:
63:c5:38:51:ec:c8:2f:fc:22:b6:da:3b:cd:c8:b7:
9c:ad
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
13:91:17:5C:C4:FE:0C:5B:49:91:12:53:B8:72:29:35:44:24:6C:B7
X509v3 Authority Key Identifier:
keyid:42:40:3A:E0:2D:AB:B5:1C:95:67:CD:5A:E9:10:AC:95:E5:E9:85:14
DirName:/C=CN/ST=Beijing/L=Beijing/O=Leap/OU=kojiCA/CN=leap.host
serial:1D:D7:1A:5D:1F:2D:14:A9:91:4A:26:BF:51:5E:FA:5A:8C:E1:1D:6D
Signature Algorithm: sha256WithRSAEncryption
5a:49:34:e4:ed:ed:f1:ab:d5:bb:72:61:0d:d8:1b:13:65:75:
18:3c:90:be:5e:bf:84:15:5d:c6:be:4e:59:b0:61:f4:0d:c3:
ad:17:d6:c3:61:e5:83:b2:f5:3b:5a:4e:fd:0f:0f:ce:99:74:
2a:87:1e:80:be:b3:e6:fc:d1:d1:94:e6:e9:3b:ef:be:88:00:
f2:29:f9:1f:1f:42:fb:63:8c:66:39:63:28:b4:fa:19:51:b2:
22:36:e2:1f:f5:c1:6b:00:9f:66:86:c6:92:18:3e:b5:dd:ea:
a3:b1:e5:30:55:b2:17:f3:5c:9b:6b:8a:bf:81:77:bf:44:93:
d7:34:5b:cb:81:23:8a:06:b1:06:bc:98:de:8f:f0:8e:24:46:
b5:f9:c2:2e:05:24:e0:7b:4b:48:27:dd:59:1e:89:87:4b:b2:
ac:de:49:bd:69:3b:d8:30:d7:44:aa:a1:2a:66:14:3a:28:70:
00:e9:2f:19:27:2b:db:f4:b3:fe:0a:8e:c3:2f:c0:7e:94:b9:
f8:ff:1d:e3:be:89:50:fe:e8:2d:f0:a5:e2:5f:1c:dd:ff:13:
38:47:77:04:49:5c:8f:35:e4:db:42:5b:a1:e8:d5:f1:cf:28:
dc:fd:1f:41:77:b0:cd:54:db:6f:49:db:43:f2:95:d9:be:9b:
96:af:eb:af
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
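Review bot: This file ends with an unencrypted `-----BEGIN RSA PRIVATE KEY-----` block, so the commit publishes the private key of the `CN=mbs` client certificate (issued by the `OU=kojiCA` CA, valid until Sep 10 2034) that the koji.conf added in this same commit uses for `authtype = ssl` against the Koji hub. Anyone with read access to this repository can authenticate to Koji as MBS for the next ten years, and deleting the file in a later commit does not help because the blob stays in history. The key has to be treated as compromised: revoke the certificate on the Koji CA (CRL) and issue a new one, rewrite history to drop this blob (git filter-repo or BFG) and force-push, and add `*.pem`, `*.key` and `mbs/etc/pki/` to `.gitignore` so the replacement is mounted into the container at runtime with mode 0600 instead of being committed. The `openssl x509 -text` dump above the PEM and the CA certificate are harmless to keep, but the `Executable file` mode is wrong for both.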

85
mbs/etc/rpkg/fedpkg.conf Normal file

@@ -0,0 +1,85 @@
[fedpkg]
lookaside = https://git.centos.org/repo/pkgs
lookasidehash = sha512
lookaside_cgi = https://git.centos.org/repo/pkgs/upload.cgi
gitbaseurl = ssh://%(user)s@git.centos.org/%(repo)s
anongiturl = https://git.centos.org/%(repo)s.git
branchre = f\d$|f\d\d$|el\d$|olpc\d$|rawhide$
kojiprofile = koji
build_client = koji
clone_config_rpms =
bz.default-tracker bugzilla.redhat.com
bz.default-product Fedora
bz.default-version rawhide
bz.default-component %(repo)s
sendemail.to %(repo)s-owner@fedoraproject.org
clone_config_modules =
bz.default-tracker bugzilla.redhat.com
bz.default-product Fedora Modules
bz.default-version rawhide
bz.default-component %(repo)s
sendemail.to module-%(repo)s-owner@fedoraproject.org
clone_config_container =
bz.default-tracker bugzilla.redhat.com
bz.default-product Fedora Container Images
bz.default-version rawhide
bz.default-component %(repo)s
sendemail.to container-%(repo)s-owner@fedoraproject.org
distgit_namespaced = True
distgit_namespaces = rpms container modules flatpaks
lookaside_namespaced = True
kerberos_realms = FEDORAPROJECT.ORG
oidc_id_provider = http://192.168.68.86:8080/realms/master/protocol/openid-connect/
oidc_client_id = fedpkg
oidc_client_secret = notsecret
oidc_scopes = openid,https://id.fedoraproject.org/scope/groups,https://mbs.fedoraproject.org/oidc/submit-build,https://src.fedoraproject.org/push
git_excludes =
i386/
i686/
x86_64/
ppc/
ppc64/
ia64/
mips/
arm/
noarch/
/*.src.rpm
/build*.log
/.build-*.log
results/
results_*/
clog
results_dir=root
[fedpkg.bodhi]
# This is for the bodhi-client 2.x, that do not require an option to switch to
# different instance. Instead, --staging is available to switch to the stage
# bodhi, and production is used without providing --staging.
staging = False
releases_service = https://bodhi.fedoraproject.org/releases/%(release)s
[fedpkg.mbs]
auth_method = oidc
api_url = http://127.0.0.1/module-build-service/1/
#api_url = http://mbs.leap.host:8443/module-build-service/1/
oidc_id_provider = http://192.168.68.86:8080/realms/master/protocol/openid-connect/
oidc_client_id = module_build_service
oidc_client_secret = b8hjG9hI05CPceq83wDudu7t9fQpoJXo
oidc_scopes = openid,groups,username
[fedpkg.bugzilla]
url = https://bugzilla.redhat.com/
[fedpkg.pagure]
url = https://pagure.io/
token =
[fedpkg.pdc]
url = https://pdc.fedoraproject.org/
[fedpkg.greenwave]
url = https://greenwave.fedoraproject.org/
[fedpkg.distgit]
apibaseurl = https://src.fedoraproject.org
token =
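Review bot: `oidc_client_secret = b8hjG9hI05CPceq83wDudu7t9fQpoJXo` under `[fedpkg.mbs]` commits what looks like a real Keycloak client secret for the `module_build_service` client, unlike the `notsecret` placeholder used for `fedpkg` above, and `oidc_id_provider` in both stanzas is plain `http://192.168.68.86:8080/...`, so that secret, the authorization codes and the resulting bearer tokens all cross the network in cleartext. If a confidential client is really needed on an end-user CLI (the `notsecret` placeholder suggests it is not), rotate the secret in Keycloak now, load it from an untracked per-host file, and switch the provider URL to https. `realms/master` is Keycloak's administrative realm; confirm that a dedicated realm for the build service was not intended. The empty `token =` fields for pagure and distgit are the right way to ship this file — the OIDC secret should follow the same pattern, `oidc_client_secret = ` with `# set per host, never commit` beside it.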


@@ -0,0 +1,42 @@
# 项目名称
[program:fedmsg-hub]
# 执行项目之前,需要切换到哪个用户
user=fedmsg
# 执行项目前需要cd到哪个目录下
# directory=/opt/bin
# 命令中可能需要的环境变量信息
#environment=PYTHON_HOME="/root/anaconda/bin/"
# 如果命令本身是多进程那么需要设置stopasgroup否则只会杀死命令的主进程
stopasgroup=true
# 执行命令,以后台形式
command=/usr/bin/fedmsg-hub-3
# 开启supervisor就启动
autostart=true
# 发现关闭了就重启
autorestart=true
# 观察时间如果观察时间内该项目的pid消失了就说明失败了
startsecs=10
# 重启次数
startetries=3
# 错误信息和正常信息分开存储
redirect_stderr=true
# 错误信息保存路径
stderr_logfile=/app/log/fedmsg/fedmsg-hub_stderr.log
# 正常信息保存路径
stdout_logfile=/app/log/fedmsg/fedmsg-hub_stdout.log
# 单个正常信息日志文件大小
stdout_logfile_maxbytes=20MB
# stdout日志文件备份数量
stdout_logfile_backups=20
priority=60
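Review bot: `startetries=3` is misspelled — the supervisor option is `startretries` — so the intended retry limit is not applied (depending on version, supervisord either ignores the unknown key and uses its default of 3, or rejects the section). In the same stanza `redirect_stderr=true` merges stderr into stdout, which makes `stderr_logfile=...` dead configuration and contradicts the comment above it saying errors are stored separately; keep one or the other. Change to `startretries=3`, and either drop `redirect_stderr=true` (separate files, as the comment intends) or drop the `stderr_logfile` line. The same two issues are repeated in the fedmsg-relay, httpd, mbs-poller and mbs-worker units added in this commit.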


@@ -0,0 +1,36 @@
# 项目名称
[program:fedmsg-relay]
# 执行项目之前,需要切换到哪个用户
user=fedmsg
# 执行项目前需要cd到哪个目录下
# directory=/opt/bin
# 命令中可能需要的环境变量信息
#environment=PYTHON_HOME="/root/anaconda/bin/"
# 如果命令本身是多进程那么需要设置stopasgroup否则只会杀死命令的主进程
stopasgroup=true
# 执行命令,以后台形式
command=/usr/bin/fedmsg-relay-3
# 开启supervisor就启动
autostart=true
# 发现关闭了就重启
autorestart=true
# 观察时间如果观察时间内该项目的pid消失了就说明失败了
startsecs=10
# 重启次数
startetries=3
# 错误信息和正常信息分开存储
redirect_stderr=true
# 错误信息保存路径
stderr_logfile=/app/log/fedmsg/fedmsg-relay_stderr.log
# 正常信息保存路径
stdout_logfile=/app/log/fedmsg/fedmsg-relay_stdout.log
# 单个正常信息日志文件大小
stdout_logfile_maxbytes=20MB
# stdout日志文件备份数量
stdout_logfile_backups=20
priority=62


@@ -0,0 +1,48 @@
# 项目名称
[program:httpd]
# 执行项目之前,需要切换到哪个用户
#username=root
# 执行项目前需要cd到哪个目录下
# 命令中可能需要的环境变量信息
#environment=PYTHON_HOME="/root/anaconda/bin/"
# 如果命令本身是多进程那么需要设置stopasgroup否则只会杀死命令的主进程
stopasgroup=true
# 执行命令,以后台形式
command=httpd -c "ErrorLog /dev/stdout" -DFOREGROUND
# 开启supervisor就启动
autostart=true
# 发现关闭了就重启
autorestart=true
# 观察时间如果观察时间内该项目的pid消失了就说明失败了
startsecs=10
# 重启次数
startetries=3
# loglevel
# 错误信息和正常信息分开存储
redirect_stderr=true
# 错误信息保存路径
stderr_logfile=/app/log/httpd/httpd_stderr.log
# 正常信息保存路径
stdout_logfile=/app/log/httpd/httpd_stdout.log
# 单个正常信息日志文件大小
stdout_logfile_maxbytes=20MB
# stdout日志文件备份数量
stdout_logfile_backups=20
# 优先级越高表示程序最后启动并首先关闭
priority=67
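Review bot: The commented `#username=root` is not a supervisor option (the key is `user=`), and with no `user=` at all httpd inherits whatever user supervisord runs as; that is correct here only because httpd must start as root to bind :80/:443 and then drops to the `User`/`Group` in its own httpd.conf, but nothing says so, and the stray line invites someone to "fix" it with `user=apache`, which would fail on the privileged ports. Replace the dead line with `# no user=: httpd must start as root to bind :80/:443; it drops to User/Group from httpd.conf itself`. As in the other units, `startetries=3` should be `startretries=3`, and with `redirect_stderr=true` the `stderr_logfile` line is ignored.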


@@ -0,0 +1,36 @@
# 项目名称
[program:mbs-poller]
# 执行项目之前,需要切换到哪个用户
user=fedmsg
# 执行项目前需要cd到哪个目录下
#directory=/opt/bin
# 命令中可能需要的环境变量信息
#environment=PYTHON_HOME="/root/anaconda/bin/"
# 如果命令本身是多进程那么需要设置stopasgroup否则只会杀死命令的主进程
stopasgroup=true
# 执行命令,以后台形式
command=/usr/bin/celery -A module_build_service.scheduler.celery_app beat --loglevel=debug --pidfile /var/run/fedmsg/mbs-scheduler.pid -s /var/run/fedmsg/mbs-scheduler.db
#command=/usr/bin/celery -A module_build_service.scheduler.celery_app beat --loglevel=debug --pidfile /var/run/fedmsg/mbs-scheduler.pid -s /var/run/fedmsg/mbs-scheduler.db --logfile=/var/log/mbs/mbs-poller.log
# 开启supervisor就启动
autostart=true
# 发现关闭了就重启
autorestart=true
# 观察时间如果观察时间内该项目的pid消失了就说明失败了
startsecs=10
# 重启次数
startetries=3
# 错误信息和正常信息分开存储
redirect_stderr=true
# 错误信息保存路径
stderr_logfile=/app/log/mbs-poller/mbs_poller.err
# 正常信息保存路径
stdout_logfile=/app/log/mbs-poller/mbs_poller.info
# 单个正常信息日志文件大小
stdout_logfile_maxbytes=20MB
# stdout日志文件备份数量
stdout_logfile_backups=20
# 优先级越高表示程序最后启动并首先关闭
priority=70


@@ -0,0 +1,44 @@
# 项目名称
[program:mbs-worker]
# 执行项目之前,需要切换到哪个用户
user=fedmsg
# 执行项目前需要cd到哪个目录下
#directory=/opt/bin
# 命令中可能需要的环境变量信息
#environment=PYTHON_HOME="/root/anaconda/bin/"
# 如果命令本身是多进程那么需要设置stopasgroup否则只会杀死命令的主进程i
#stopasgroup=true
process_name=%(program_name)s_%(process_num)s
numprocs=4
startsecs=30
# 执行命令,以后台形式
command=/usr/bin/celery -A module_build_service.scheduler.celery_app worker -n mbs-worker-%(process_num)s -Q mbs-default,mbs-%(process_num)s --loglevel=debug --max-tasks-per-child=10
#command=/usr/bin/celery -A module_build_service.scheduler.celery_app worker -n mbs-worker-%(process_num)s -Q mbs-default,mbs-%(process_num)s --loglevel=debug --max-tasks-per-child=10 --logfile=/var/log/mbs/mbs_worker_%(process_num)s.log
#command=/usr/bin/celery -A module_build_service.scheduler.celery_app worker -n mbs-worker-%(process_num)s -Q mbs-default,mbs-%(process_num)s --loglevel=debug --max-tasks-per-child=10 --logfile=/var/log/mbs/mbs_worker_%(process_num)s.log
# 开启supervisor就启动
autostart=true
# 发现关闭了就重启
autorestart=true
# 观察时间如果观察时间内该项目的pid消失了就说明失败了
startsecs=10
# 启动后等待 10 秒
startsecs=10
# 重启次数
startetries=3
# 错误信息和正常信息分开存储
redirect_stderr=true
# 错误信息保存路径
stderr_logfile=/app/log/mbs-worker/mbs_worker_%(process_num)s.err
# 正常信息保存路径
stdout_logfile=/app/log/mbs-worker/mbs_worker_%(process_num)s.info
# 单个正常信息日志文件大小
stdout_logfile_maxbytes=20MB
# stdout日志文件备份数量
stdout_logfile_backups=20
# 优先级越高表示程序最后启动并首先关闭
priority=72
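Review bot: `startsecs` is set three times in this stanza (30, then 10, then 10); as far as I know supervisord's parser is not strict about duplicate options, so the last value wins and the `startsecs=30` that presumably reflects celery's real start-up time is silently discarded — keep one line. Commenting out `stopasgroup=true` here, unlike the other units, is defensible because celery's warm shutdown reaps its own prefork children, but only if supervisor waits long enough: with the default `stopwaitsecs=10` a worker busy with a long task is SIGKILLed after ten seconds and its pool children are orphaned. Add `stopwaitsecs=600` (or whatever the longest expected task is) together with `killasgroup=true` so the pool dies with the parent when the grace period expires. `--loglevel=debug` on four permanent workers is also a lot of log volume for production; `--loglevel=info` is the usual setting. The `startetries` typo (should be `startretries`) is repeated here too.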


@@ -0,0 +1,19 @@
[program:rabbitmq_server]
command=/usr/sbin/rabbitmq-server
autostart=true
autorestart=true
user=rabbitmq
stdout_logfile=/app/log/rabbitmq/rabbitmq_server.log
stderr_logfile=/app/log/rabbitmq/rabbitmq_server.err
environment=HOME="/var/lib/rabbitmq"
priority=50
[program:rabbitmq_vhost]
command=/bin/bash -c "sleep 5;/ensure_vhost.sh"
autostart=true
autorestart=false
#startsecs=10
user=rabbitmq
stdout_logfile=/app/log/rabbitmq/rabbitmq_vhost.log
stderr_logfile=/app/log/rabbitmq/rabbitmq_vhost.err
priority=51
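Review bot: `command=/bin/bash -c "sleep 5;/ensure_vhost.sh"` races the broker: if rabbitmq-server takes more than five seconds to come up (common on first boot or a slow disk) the script fails, and with `autorestart=false` it is never run again, leaving no `mbs` vhost/user and every celery worker in this commit unable to connect. Replace the fixed sleep with a readiness wait, e.g. `command=/bin/bash -c "rabbitmqctl await_startup && /ensure_vhost.sh"` (or a retry loop around `rabbitmq-diagnostics -q ping`), and set `startretries` so a transient failure is retried. I cannot see `/ensure_vhost.sh`, but if it creates the `mbs` user with the `mbs` password that `CELERY_BROKER_URL` in config.py expects, that credential should come from the environment rather than being fixed in the image.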


@@ -0,0 +1,239 @@
# -*- coding: utf-8 -*-
# SPDX-License-Identifier: MIT
"""Auth system based on the client certificate and FAS account"""
from __future__ import absolute_import
import json
import ssl
from dogpile.cache import make_region
from flask import g
import requests
from module_build_service import app
from module_build_service.common import conf, log
from module_build_service.common.errors import Unauthorized, Forbidden
try:
import ldap3
except ImportError:
log.warning("ldap3 import not found. ldap/krb disabled.")
client_secrets = None
region = make_region().configure("dogpile.cache.memory")
def _json_loads(content):
if not isinstance(content, str):
content = content.decode("utf-8")
return json.loads(content)
def _load_secrets():
global client_secrets
if client_secrets:
return
if "OIDC_CLIENT_SECRETS" not in app.config:
raise Forbidden("OIDC_CLIENT_SECRETS must be set in server config.")
secrets = _json_loads(open(app.config["OIDC_CLIENT_SECRETS"], "r").read())
client_secrets = list(secrets.values())[0]
def _get_token_info(token):
"""
Asks the token_introspection_uri for the validity of a token.
"""
if not client_secrets:
return None
request = {
"token": token,
# "token_type_hint": "Bearer",
"token_type_hint": None,
"client_id": client_secrets["client_id"],
"client_secret": client_secrets["client_secret"],
}
headers = {"Content-type": "application/x-www-form-urlencoded"}
resp = requests.post(client_secrets["token_introspection_uri"], data=request, headers=headers)
return resp.json()
def _get_user_info(token):
"""
Asks the userinfo_uri for more information on a user.
"""
if not client_secrets:
return None
headers = {"authorization": "Bearer " + token}
resp = requests.get(client_secrets["userinfo_uri"], headers=headers)
return resp.json()
def get_user_oidc(request):
"""
Returns the client's username and groups based on the OIDC token provided.
"""
_load_secrets()
if "authorization" not in request.headers:
raise Unauthorized("No 'authorization' header found.")
header = request.headers["authorization"].strip()
prefix = "Bearer "
if not header.startswith(prefix):
raise Unauthorized("Authorization headers must start with %r" % prefix)
token = header[len(prefix):].strip()
try:
data = _get_token_info(token)
except Exception as e:
error = "Cannot verify OIDC token: %s" % str(e)
log.exception(error)
raise Exception(error)
if not data or "active" not in data or not data["active"]:
raise Unauthorized("OIDC token invalid or expired.")
if "OIDC_REQUIRED_SCOPE" not in app.config:
raise Forbidden("OIDC_REQUIRED_SCOPE must be set in server config.")
presented_scopes = data["scope"].split(" ")
required_scopes = [
"openid",
# "https://id.fedoraproject.org/scope/groups",
"groups"
# app.config["OIDC_REQUIRED_SCOPE"],
]
for scope in required_scopes:
if scope not in presented_scopes:
raise Unauthorized("Required OIDC scope %r not present: %r" % (scope, presented_scopes))
try:
extended_data = _get_user_info(token)
except Exception:
error = "OpenIDC auth error: Cannot determine the user's groups"
log.exception(error)
raise Unauthorized(error)
username = data["username"]
# If the user is part of the whitelist, then the group membership check is skipped
if username in conf.allowed_users:
groups = set()
else:
try:
groups = set(extended_data["groups"])
except Exception:
error = "Could not find groups in UserInfo from OIDC"
log.exception("%s (extended_data: %s)", error, extended_data)
raise Unauthorized(error)
return username, groups
def get_user_kerberos(request):
remote_name = request.environ.get("REMOTE_USER")
if not remote_name:
# When Kerberos authentication is enabled, MBS expects the
# authentication is done by a specific Apache module which sets
# REMOTE_USER properly.
raise Unauthorized("No REMOTE_USER is set.")
try:
username, realm = remote_name.split("@")
except ValueError:
raise Unauthorized("Value of REMOTE_NAME is not in format username@REALM")
# Currently, MBS does not handle the realm to authorize user. Just keep it
# here for any possible further use.
# If the user is part of the whitelist, then the group membership check is skipped
if username in conf.allowed_users:
groups = []
else:
groups = get_ldap_group_membership(username)
return username, set(groups)
@region.cache_on_arguments()
def get_ldap_group_membership(uid):
""" Small wrapper on getting the group membership so that we can use caching
:param uid: a string of the uid of the user
:return: a list of groups the user is a member of
"""
ldap_con = Ldap()
return ldap_con.get_user_membership(uid)
class Ldap(object):
""" A class that handles LDAP connections and queries
"""
connection = None
base_dn = None
def __init__(self):
if not conf.ldap_uri:
raise Forbidden("LDAP_URI must be set in server config.")
if conf.ldap_groups_dn:
self.base_dn = conf.ldap_groups_dn
else:
raise Forbidden("LDAP_GROUPS_DN must be set in server config.")
if conf.ldap_uri.startswith("ldaps://"):
tls = ldap3.Tls(
ca_certs_file="/etc/pki/tls/certs/ca-bundle.crt", validate=ssl.CERT_REQUIRED)
server = ldap3.Server(conf.ldap_uri, use_ssl=True, tls=tls)
else:
server = ldap3.Server(conf.ldap_uri)
self.connection = ldap3.Connection(server)
try:
self.connection.open()
except ldap3.core.exceptions.LDAPSocketOpenError as error:
log.error(
'The connection to "{0}" failed. The following error was raised: {1}'.format(
conf.ldap_uri, str(error)))
raise Forbidden(
"The connection to the LDAP server failed. Group membership couldn't be obtained.")
def get_user_membership(self, uid):
""" Gets the group membership of a user
:param uid: a string of the uid of the user
:return: a list of common names of the posixGroups the user is a member of
"""
ldap_filter = "(memberUid={0})".format(uid)
# Only get the groups in the base container/OU
self.connection.search(
self.base_dn, ldap_filter, search_scope=ldap3.LEVEL, attributes=["cn"])
groups = self.connection.response
try:
return [group["attributes"]["cn"][0] for group in groups]
except KeyError:
log.exception(
"The LDAP groups could not be determined based on the search results "
'of "{0}"'.format(str(groups)))
return []
def get_user(request):
""" Authenticates the user and returns the username and group name
:param request: a Flask request
:return: a tuple with a string representing the user name and a set with the user's group
membership such as ('mprahl', {'factory2', 'devel'})
"""
if conf.no_auth is True:
log.debug("Authorization is disabled.")
return "anonymous", {"packager"}
if "user" not in g and "groups" not in g:
get_user_func_name = "get_user_{0}".format(conf.auth_method)
get_user_func = globals().get(get_user_func_name)
if not get_user_func:
raise RuntimeError('The function "{0}" is not implemented'.format(get_user_func_name))
g.user, g.groups = get_user_func(request)
return g.user, g.groups
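Review bot: `get_user_oidc` now hard-codes `required_scopes = ["openid", "groups"]` and comments out `app.config["OIDC_REQUIRED_SCOPE"]`, while the guard a few lines earlier still raises `Forbidden` when that config key is missing — so the setting is mandatory but never enforced. The practical effect is that any access token this IdP issues with the generic `openid` and `groups` scopes, including tokens obtained for other clients at the same Keycloak, is accepted for build submission; the MBS-specific submit-build scope was the only thing tying a token to this service. Keep the config-driven scope in the list, `required_scopes = ["openid", "groups", app.config["OIDC_REQUIRED_SCOPE"]]`, register that scope as a client scope in Keycloak, and consider also checking the introspection response's `aud`/`client_id` against the MBS client. Smaller points: `data["scope"]` and `data["username"]` raise `KeyError` (a 500) rather than `Unauthorized` if the introspection response lacks them, and the bare `raise Exception(error)` in the introspection failure path does the same, so `data.get("scope", "")` and `raise Unauthorized(error)` would keep those as 401s. `"token_type_hint": None` is simply dropped from the form body by requests, which is fine but deserves a comment saying that is the intent.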

File diff suppressed because it is too large Load Diff

35
mbs/readme.md Normal file

@@ -0,0 +1,35 @@
fedmsg supervisor httpd module-build-service python-psycopg2 python-memcached python-distro python3-libsemanage openssl mod_ssl rabbitmq-server mod_wsgi python3-mod_wsgi sqlite
rm /etc/fedmsg.d/{module_build_service.py mbs-logging.py}
cp config.py /etc/module-build-service/config.py owner=root group=fedmsg mode=0640
cp koji.conf /etc/module-build-service/koji.conf owner=root group=fedmsg mode=0644
openssl req -newkey rsa:2048 -nodes -keyout /etc/pki/tls/private/localhost.key -x509 -days 365 -out /etc/pki/tls/certs/localhost.crt -subj "/CN=localhost"
53 request = {
54 "token": token,
55 # "token_type_hint": "Bearer",
56 "token_type_hint": None,
57 "client_id": client_secrets["client_id"],
58 "client_secret": client_secrets["client_secret"],
59 }
108
presented_scopes = data["scope"].split(" ")
required_scopes = [
"openid",
# "https://id.fedoraproject.org/scope/groups",
"groups"
# app.config["OIDC_REQUIRED_SCOPE"],
]
/usr/lib/python3.10/site-packages/pyrpkg/__init__.py
mapping = {'Token': 'token', 'Authorization': 'auth'}
#mapping = {'Token': 'Token', 'Authorization': 'Authorization'}

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,23 @@
---
services:
db:
image: postgres:11.8-alpine
restart: always
container_name: mbs-postgres
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: Kylin123
POSTGRES_DB: koji
volumes:
# - ./pagure-data-20241118-0030.sql:/docker-entrypoint-initdb.d/pagure-data-20241118-0030.sql
- ./data:/var/lib/postgresql/data
ports:
- "5432:5432"
networks:
- mbs-net
networks:
mbs-net:
driver: bridge
external: true
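Review bot: `ports: - "5432:5432"` publishes PostgreSQL on every host interface, and the only thing guarding it is the `POSTGRES_PASSWORD: Kylin123` committed a few lines above, so anyone who can reach the host gets the `koji` database as the `postgres` superuser. The `db` service is already on the external `mbs-net` bridge, which is how the MBS container should reach it by service name; drop the `ports` block, or bind it to loopback for local psql access with `- "127.0.0.1:5432:5432"`. Move the password out of the tracked file (`POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}` from an untracked `.env`, or `POSTGRES_PASSWORD_FILE` with a secret) and rotate the current value, since it is now in git history. `postgres:11.8-alpine` is also a May-2020 minor of a major that reached end-of-life in November 2023, so this container receives no security fixes; at least pin the last 11.x and plan the move to a supported major.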

File diff suppressed because one or more lines are too long

36
postgres/readme.md Normal file

@@ -0,0 +1,36 @@
## 导入数据库
准备的数据库需要注释2行
```
16:
--CREATE ROLE postgres;
72:
-- CREATE DATABASE koji WITH TEMPLATE = template0 ENCODING = 'UTF8' LC_COLLATE = 'C' LC_CTYPE = 'C';
```
方法一
初始化数据库
```
docker run --name temp_postgres -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=Kylin123 -e POSTGRES_DB=koji -v ./data:/var/lib/postgresql/data -d postgres:11.8
```
查看日志
```
docker logs temp_postgres
```
导入数据库
```
docker exec -i temp_postgres psql -U postgres -d koji < /path/to/dist_pagure242_2014.sql
```
```
docker stop temp_postgres
docker rm temp_postgres
方案二
```
docker run --rm --name temp_postgre -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=Kylin123 -e POSTGRES_DB=koji -v ./pagure-data-20241118-0030.sql:/docker-entrypoint-initdb.d/pagure-data-20241118-0030.sql -v ./data:/var/lib/postgresql/data postgres:11.8-alpine
```