Configure our docker dev setup to use krb for koji.

Our code in `module_build_service/builder.py` can already do kerberos
authentication with koji.  This commit changes our docker development
tools to use that instead of ssl authentication.

Relates to #111.

CONTRIBUTING.rst

@@ -4,9 +4,15 @@ Development
 We have two mechanisms for quickly setting up a development environment.  `docker-compose` and `vagrant`.
 
 In order to to setup a development environment, it is required that you have
-your FAS (Fedora Account System) certificates generated and located in your
-home directory. For more information on these certificates, visit the `Koji
-documentation <https://fedoraproject.org/wiki/Using_the_Koji_build_system#Fedora_Certificates>`_.
+your Fedora kerberos credentials generated in a *special location*.  Run the
+following::
+
+    $ KRB5CCNAME=FILE:/var/tmp/krbcc kinit YOUR_USERNAME@FEDORAPROJECT.ORG
+
+If you have problems in later steps with kerberos reading those credentials
+inside the `scheduler` container, you should check that `/var/tmp/krbcc` exists
+on your machine and that *it is not a directory*.  Try removing it with `$ sudo
+rm -rf /var/tmp/krbcc` and running `kinit` again.
 
 Docker
 ------

Dockerfile

@@ -13,6 +13,7 @@ RUN dnf install -y \
         fedmsg-relay \
         python-mock \
         git \
+        krb5-workstation \
         # Troubleshooting tools
         telnet \
         nc \
@@ -24,7 +25,5 @@ WORKDIR /opt/module_build_service/
 COPY ./requirements.txt /opt/module_build_service/
 RUN pip install --user -r ./requirements.txt
 
-COPY koji.conf /etc/module_build_service/
-COPY copr.conf /etc/module_build_service/
-
-COPY . /opt/module_build_service/
+RUN ln -s /opt/module_build_service/koji.conf /etc/module_build_service/koji.conf \
+ && ln -s /opt/module_build_service/copr.conf /etc/module_build_service/copr.conf

docker-compose.yml

@@ -16,12 +16,16 @@ services:
     command: python2 /opt/module_build_service/module_build_service_daemon.py
     links:
       - fedmsg-relay
+    environment:
+      # Check /var/tmp/krbcc and make sure that it is not a directory.  If it
+      # is, then delete it with 'sudo rm -rf /var/tmp/krbcc'.
+      # Initialize the file before running 'docker-compose up' with:
+      # $ KRB5CCNAME=FILE:/var/tmp/krbcc kinit YOUR_USERNAME@FEDORAPROJECT.ORG
+      - KRB5CCNAME=FILE:/var/tmp/krbcc
     volumes:
       # module_build_service sources are bind-mounted, so you don't have to rebuild
       - ./:/opt/module_build_service/:z
-      - ~/.fedora.cert:/root/.fedora.cert:z   # koji credentials are mounted inside
-      - ~/.fedora-server-ca.cert:/root/.fedora-server-ca.cert:z
-      - ~/.fedora-upload-ca.cert:/root/.fedora-upload-ca.cert:z
+      - /var/tmp/krbcc:/var/tmp/krbcc:Z
 
   frontend:
     build: .

koji.conf

@@ -19,13 +19,5 @@ topurl = http://kojipkgs.fedoraproject.org/
 ;the service name of the principal being used by the hub
 ;krbservice = host
 
-;configuration for SSL authentication
-authtype = ssl
-;client certificate
-cert = ~/.fedora.cert
-
-;certificate of the CA that issued the client certificate
-ca = ~/.fedora-server-ca.cert
-
-;certificate of the CA that issued the HTTP server certificate
-serverca = ~/.fedora-server-ca.cert
+;configuration for Kerberos authentication
+authtype = kerberos