July 2009

New Fedora 11 Re-Spin in testing (+ anaconda updates)

Fedora Unity has a new Fedora 11 Re-Spin in testing, again with some updates to anaconda. That's what I wanted to talk about in this blog post.

Given the recent storage rewrite done in Fedora 11's development cycle, there's bound to be a number of bugs logged against anaconda because of this storage rewrite. For these bugs to be resolved, the anaconda developers change code and commit to "master" which is then released to rawhide as a new build. As such, there's a bunch of patches in rawhide anaconda that resolve F-11 bugs and that we (you?, me?, Fedora Unity?) would like to see in F-11 anaconda, because we remix and respin including the updates repository or because we've been experiencing one of these particular bugs.

The anaconda developers have done a great job by rewriting the entire storage layer in just under 4 or 5 months or so, and I've heard from a lot of people that their problems with previous Fedora releases were resolved. Also know that a rewrite like this is to be expected to show some cracks and to get a few bugs because of it. There's absolutely nothing wrong with that.

I've not written a single line of code related to the fixes I applied to the f11-branch of anaconda, and instead could just walk through the Bugzilla list for anaconda and choose the bugs and choose the appropriate git commits from rawhide and cherry-pick them into the f11-branch. Job done ;-)

The builds I had done for an updated anaconda were wrong once or twice, obviously because of me, when apparently I forgot or missed a commit or two, or did something else wrong, and this is where the Fedora Unity Test Team is so very valuable in this process. We decide we want to do a Re-Spin, wait for me to do whatever foo I do, test the Re-Spin and if *anything* is wrong, send me back to the drawing board.

The anaconda team is also willing to take the set of cherry-picks that I've done, possibly briefly review them (they probably will), possibly include other patches from other people (we've seen s390x specific patches go into updates to anaconda before as well), and release an update for F-11!

<o/  <o/  <o/

\o> \o> \o>

So here's the list of cherry-picks: http://git.kanarip.com/?p=anaconda;a=shortlog;h=f11-branch (14 cherry-picked commits and 4 updated translations after 11.5.0.59-1 which is the Fedora 11 GA version)

As you can see the only commits I do myself are bumping the version number ;-))

Let's hope this new Re-Spin passes testing for a change, since I've released 3 Re-Spins to the Fedora Unity Test Team in one week, and I'd regret it if this one fails because of another mistake I've made!

Feature Proposal: Extended Life Cycle (2)

As you may know the Feature Proposal to extend the life cycle of Fedora with security updates only, appropriately proposed on July 4th, has been reviewed by the Fedora Engineering Steering Committee, and was ruled "Not a Feature". A decision on this was relayed to the Fedora Project Board, who has discussed it, but not made their ruling yet.

In 8 days (July 28th), Feature Freeze hits the Fedora 12 development cycle, and that is also the milestone when the Extended Life Cycle plans would have to be approved (in the loose, general sense of the word), so that we can actually start work on getting everything ready before Fedora 12 goes End-of-Support.

Meanwhile, I would like to ask you that if you are interested, you enlist at the Wiki page:

https://fedoraproject.org/wiki/Features/Extended_Life_Cycle#Interested_P...

Please also indicate whether you are just interested (as a consumer maybe?) and whether you are willing and/or able to participate (as a packager, pusher, signer, advocate, ambassador, tracker, manager or in selling this feature to the corporate world?).

Revisor Ohloh Analysis

Ohloh provides a widget for projects that estimates its production costs if some company would want to hire a team and re-invent the markup and code that make up a project. According to this analysis, Revisor is worth $9.5M ;-)

Note that the code alone would cost just under a million, but it would also cost 18 person years (!).

Setting up the PostgreSQL Server and Database

Install the postgresql-server package:

# yum install postgresql-server

Then, initialize the server, and start the postgresql service:

# service postgresql initdb
# service postgresql start

Add a koji user account, and remove its password (passwd -d leaves the account with an empty password):

# useradd koji
# passwd -d koji

Set up postgres by adding a koji user, and initialize the database for koji:

# su - postgres
$ createuser koji
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb -O koji koji
$ logout
# su - koji
$ psql koji koji < /usr/share/doc/koji*/docs/schema.sql
$ exit


HOWTO: Installing, Configuring and Managing Koji

This book explains how to install, configure and manage Koji, the RPM Package build system, using SSL Certificate authentication.

First of all, let's go over the components that Koji has to offer:

  • koji
    The client side program.
  • koji-builder
    The daemon on a building host, that communicates with the Koji Hub
  • koji-hub
    The Hub. Pretty essential piece of infrastructure in this setup ;-)
  • koji-web
    The web interface.
  • koji-utils
    Utilities, with (amongst others) kojira and koji-gc.

Creating the SSL CA and necessary certificates

Like I said before, we're going to have all the Koji components authenticate to other Koji components using SSL certificates. Likewise, users are going to use certificates to authenticate themselves to Koji.

To generate the CA, create some temporary directory and a ssl.cnf file containing the following:

HOME                    = .
RANDFILE = .rand

[ca]
default_ca = ca_default

[ca_default]
dir = .
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/organisation_ca_cert.pem
private_key = $dir/private/organisation_ca_key.pem
serial = $dir/serial
crl = $dir/organisation_crl.pem
x509_extensions = usr_cert
name_opt = ca_default
cert_opt = ca_default
default_days = 3650
default_crl_days = 30
default_md = md5
preserve = no
policy = policy_match

[policy_match]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extensions to add to the self signed cert
string_mask = MASK:0x2002

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = NL
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Utrecht
localityName = Locality Name (eg, city)
localityName_default = Utrecht
0.organizationName = Organization Name (eg, company)
0.organizationName_default = kanarip.com
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Koji Infrastructure
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = emailaddress@kanarip.com
emailAddress_max = 64

[req_attributes]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name

[usr_cert]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

[v3_ca]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints = CA:true

Edit the contents of this file where necessary; you'll probably want your own organisation name rather than organisation or kanarip.com.
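An added example (not part of the original post, nor Koji or OpenSSL code): a small Python audit of an OpenSSL config like the ssl.cnf above, which follows [ca] default_ca to the section that openssl ca signs from and flags default_md = md5 and default_bits = 1024. The names load_cnf and audit, the weak-digest list and the 2048-bit floor are assumptions of this example.

```python
import configparser
import re

WEAK_DIGESTS = {"md2", "md4", "md5", "sha1"}   # assumption: digests treated as weak
MIN_RSA_BITS = 2048                            # assumption: minimum acceptable RSA size
# Trimmed copy of the relevant ssl.cnf lines above, embedded so this runs offline.
SAMPLE = """\
HOME = .
[ca]
default_ca = ca_default
[ca_default]
x509_extensions = usr_cert
default_md = md5
[req]
default_bits = 1024
x509_extensions = v3_ca # The extensions to add to the self signed cert
[usr_cert]
basicConstraints = CA:FALSE
"""

def load_cnf(text):
    """Parse OpenSSL config text; keys before the first section go to [default]."""
    text = re.sub(r"(?m)^[ \t]*\[[ \t]*(\S+?)[ \t]*\]", r"[\1]", text)  # "[ ca ]" -> "[ca]"
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), inline_comment_prefixes=("#",))
    cp.read_string("[default]\n" + text)
    return cp

def audit(text):
    """Return (section, key, value, reason) tuples for weak settings."""
    cp, out = load_cnf(text), []
    # `openssl ca` takes its settings from the section named by [ca] default_ca.
    ca = cp.get("ca", "default_ca", fallback=None)
    if ca and cp.has_section(ca):
        md = cp.get(ca, "default_md", fallback="").lower()
        if md in WEAK_DIGESTS:
            out.append((ca, "default_md", md, "weak digest signs every issued cert"))
        ext = cp.get(ca, "x509_extensions", fallback="")
        bc = cp.get(ext, "basicConstraints", fallback="") if cp.has_section(ext) else ""
        if "CA:FALSE" not in bc.upper().replace(" ", ""):
            out.append((ext or ca, "basicConstraints", bc, "issued certs not limited to CA:FALSE"))
    if cp.has_section("req"):
        bits = cp.getint("req", "default_bits", fallback=MIN_RSA_BITS)
        if bits < MIN_RSA_BITS:
            out.append(("req", "default_bits", str(bits), "short RSA key when no -key is given"))
    return out

if __name__ == "__main__":
    print("\n".join("%s.%s = %s: %s" % f for f in audit(SAMPLE)))
```

In the commands on this page the keys are created with genrsa 2048, so default_bits does not come into play, but default_md in [ca_default] is the digest openssl ca uses to sign each service and user certificate.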

Generate the CA Certificate

To generate the CA certificate, do:

$ mkdir {certs,private}
$ touch index.txt
$ echo 01 > serial
$ export caname=koji
$ openssl genrsa -out private/${caname}_ca_cert.key 2048
$ openssl req -config ssl.cnf -new -x509 -days 3650 -key private/${caname}_ca_cert.key -out ${caname}_ca_cert.crt -extensions v3_ca

Now that you've generated the CA certificate, it's time to generate the service certificates:

$ for service in kojiweb kojira kojihub; do
    openssl genrsa -out certs/${service}.key 2048
    openssl req -config ssl.cnf -new -nodes -out certs/${service}.csr -key certs/${service}.key
    openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt -out certs/${service}.crt -outdir certs -infiles certs/${service}.csr
    cat certs/${service}.crt certs/${service}.key > ${service}.pem
done

You might also want a kojiadmin user certificate for the Koji Administrator, and a personal certificate for using Koji:

$ for user in kojiadmin kanarip; do
    openssl genrsa -out certs/${user}.key 2048
    openssl req -config ssl.cnf -new -nodes -out certs/${user}.csr -key certs/${user}.key
    openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt -out certs/${user}.crt -outdir certs -infiles certs/${user}.csr
    cat certs/${user}.crt certs/${user}.key > ${user}.pem
done

While I have a kojiadmin user account, you may just want a different Koji configuration file (in ~/.koji/admin-config?).

Fedora Feature Proposal: Extended Life Cycle

Just now, I've built a feature proposal for Fedora 12, mysteriously called Extended Life Cycle.

If you're interested, full details are at: https://fedoraproject.org/wiki/Features/Extended_Life_Cycle

Having posted a message to fedora-devel-list@redhat.com with similar content, and knowing of the opinion of various people towards the late Fedora Legacy project or past initiatives to revive Fedora Legacy, I'm expecting some people to provide useless "feedback" similar to how a recent discussion on whether the Desktop spin should continue to be named the Desktop spin or GNOME spin went south almost instantly.

Amazingly enough though, at least feedback is actually quite useful:

"Is it that time of the year again?" - Ralf Ertzinger

I don't know Ralf, my clock doesn't tell me. Apparently you think it is though, and so luckily now I have some reference as to what time of year it could be, thanks!

"Didn't we have this discussion 8 months ago?" - Brian Pepple

I recall some initiative to revive Fedora Legacy being burned down to the ground but not a discussion.

To be continued...

I have *no* opinion on this

In a very, very large thread, I often find myself stumbling through the enormous amount of messages that:

- say absolutely nothing on the subject at hand and just wander off into the distance arguing in ways that would have made Greek philosophers freaking jealous,

- express an opinion that it does not matter (well, you know what, apparently it does matter to someone),

- continue on and on and on saying it *doesn't* matter (here applies the same as above),

- express their concern about how much noise is made about a given subject (often the same people that express over and over and over again that the topic doesn't really matter),

and so, for the record, I just wanted to say:

I HAVE NO OPINION ON THIS SUBJECT


(even though I might be in a position to say something about it, being the Spins SIG team lead and all that)