From 70ec4b369f9db63a51ed49705ec00871d1ee0d35 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Fri, 28 Oct 2016 15:42:39 -0400
Subject: [PATCH] Configure our docker dev setup to use krb for koji.

Our code in `module_build_service/builder.py` can already do kerberos authentication with koji. This commit changes our docker development tools to use that instead of ssl authentication. Relates to #111.
---
 CONTRIBUTING.rst | 12 +++++++++---
 Dockerfile | 7 +++----
 docker-compose.yml | 10 +++++++---
 koji.conf | 12 ++----------
 4 files changed, 21 insertions(+), 20 deletions(-)

diff --git a/CONTRIBUTING.rst b/CONTRIBUTING.rst
index 95976384..5c032194 100644
--- a/CONTRIBUTING.rst
+++ b/CONTRIBUTING.rst
@@ -4,9 +4,15 @@ Development
 We have two mechanisms for quickly setting up a development environment. `docker-compose` and `vagrant`. In order to to setup a development environment, it is required that you have
-your FAS (Fedora Account System) certificates generated and located in your
-home directory. For more information on these certificates, visit the `Koji
-documentation `_.
+your Fedora kerberos credentials generated in a *special location*. Run the
+following::
+
+ $ KRB5CCNAME=FILE:/var/tmp/krbcc kinit YOUR_USERNAME@FEDORAPROJECT.ORG
+
+If you have problems in later steps with kerberos reading those credentials
+inside the `scheduler` container, you should check that `/var/tmp/krbcc` exists
+on your machine and that *it is not a directory*. Try removing it with `$ sudo
+rm -rf /var/tmp/krbcc` and running `kinit` again.
 Docker
 ------
diff --git a/Dockerfile b/Dockerfile
index 7701d8de..07174807 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,6 +13,7 @@ RUN dnf install -y \
 fedmsg-relay \
 python-mock \
 git \
+ krb5-workstation \
 # Troubleshooting tools
 telnet \
 nc \
@@ -24,7 +25,5 @@ WORKDIR /opt/module_build_service/
 COPY ./requirements.txt /opt/module_build_service/
 RUN pip install --user -r ./requirements.txt
-COPY koji.conf /etc/module_build_service/
-COPY copr.conf /etc/module_build_service/
-
-COPY . /opt/module_build_service/
+RUN ln -s /opt/module_build_service/koji.conf /etc/module_build_service/koji.conf \
+ && ln -s /opt/module_build_service/copr.conf /etc/module_build_service/copr.conf
diff --git a/docker-compose.yml b/docker-compose.yml
index 0d51a40d..e0603d6d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -16,12 +16,16 @@ services:
 command: python2 /opt/module_build_service/module_build_service_daemon.py
 links:
 - fedmsg-relay
+ environment:
+ # Check /var/tmp/krbcc and make sure that it is not a directory. If it
+ # is, then delete it with 'sudo rm -rf /var/tmp/krbcc'.
+ # Initialize the file before running 'docker-compose up' with:
+ # $ KRB5CCNAME=FILE:/var/tmp/krbcc kinit YOUR_USERNAME@FEDORAPROJECT.ORG
+ - KRB5CCNAME=FILE:/var/tmp/krbcc
 volumes:
 # module_build_service sources are bind-mounted, so you don't have to rebuild
 - ./:/opt/module_build_service/:z
- - ~/.fedora.cert:/root/.fedora.cert:z # koji credentials are mounted inside
- - ~/.fedora-server-ca.cert:/root/.fedora-server-ca.cert:z
- - ~/.fedora-upload-ca.cert:/root/.fedora-upload-ca.cert:z
+ - /var/tmp/krbcc:/var/tmp/krbcc:Z
 frontend:
 build: .
diff --git a/koji.conf b/koji.conf
index 67c385d7..7ca2e552 100644
--- a/koji.conf
+++ b/koji.conf
@@ -19,13 +19,5 @@ topurl = http://kojipkgs.fedoraproject.org/
 ;the service name of the principal being used by the hub
 ;krbservice = host
-;configuration for SSL authentication
-authtype = ssl
-;client certificate
-cert = ~/.fedora.cert
-
-;certificate of the CA that issued the client certificate
-ca = ~/.fedora-server-ca.cert
-
-;certificate of the CA that issued the HTTP server certificate
-serverca = ~/.fedora-server-ca.cert
+;configuration for Kerberos authentication
+authtype = kerberos
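Review bot: In the second Dockerfile hunk, `ln -s` does not create its destination directory, whereas the two `COPY … /etc/module_build_service/` lines it replaces created `/etc/module_build_service/` implicitly. Unless a step outside this hunk already creates that directory, the build stops at this `RUN`; starting it with `RUN mkdir -p /etc/module_build_service \` followed by `&& ln -s …` makes it self-contained. With `COPY . /opt/module_build_service/` removed, both links dangle in any container started without the `./:/opt/module_build_service/` bind mount, and the configuration the service reads is whatever the host checkout holds at run time. A comment above the `RUN` stating that dependency would help the next reader.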
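Review bot: In the docker-compose.yml hunk, the ticket cache is bind-mounted from a fixed name in `/var/tmp`, a directory every local account can write to, so on a shared machine the file the developer's credentials land in is not guaranteed to be one they created. A path under a directory only the developer owns avoids that, for example `- ~/.mbs-krbcc:/var/tmp/krbcc:Z` (a constructed name; `KRB5CCNAME` inside the container can stay unchanged, and the `kinit` line in the comment and in CONTRIBUTING.rst would point at the same file). The cache holds the developer's ticket-granting ticket and the `scheduler` container receives it read-write, so the comment block could also tell the reader to run `kdestroy -c` on that file when finished. The `services:` mapping begins above this hunk.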
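Review bot: Along with the client-certificate settings, the koji.conf hunk removes `serverca`, which by its own comment named the CA for the hub's HTTP server certificate and so concerned verifying the server, not authenticating the client. Whether the kerberos path in `module_build_service/builder.py` still verifies the hub's TLS certificate without that setting is not visible here and should be confirmed before merging. If it relies on the system trust store, a comment next to `authtype = kerberos` such as `;hub certificate is verified against the system CA bundle` would record that. The still-commented `;krbservice = host` could likewise get a line saying the default is intended.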