Hey,
just my two cents: It's possible to run the builders completely without NFS. I use "topurl=" instead of "topdir=" in kojid.conf. The URL is http://kojihub.domain.tld/kojimnt where kojimnt is apache aliased to the /mnt/koji on kojihub. Regen repos has to be run on kojihub in that case. It's the only one in the createrepo channel.
As for the NFS problem: Smells so much like SELinux. Maybe on the server-side? Do you use NFS4?
HTH
Andreas
On Thu, Apr 12, 2012 at 17:40, Moray Henderson <Moray.Henderson@ict-software.org> wrote:
Is this the right place for questions on local koji installations?
Fresh setup of koji on CentOS 6.2. I've got hub, web and builder all talking to each other, external repositories defined for the build tag and build groups set up.
/mnt/koji is an nfs mount with root squashed to uid 48 (apache). I've tested that I can write to the subdirectories as root and the owner comes out as apache. The directory looks like
# ll -R koji
koji:
total 16
drwxr-xr-x 2 apache apache 4096 Apr 12 11:13 packages
drwxr-xr-x 3 apache apache 4096 Apr 12 15:20 repos
drwxr-xr-x 2 apache apache 4096 Apr 12 11:13 scratch
drwxr-xr-x 2 apache apache 4096 Apr 12 11:13 work

koji/packages:
total 0

koji/repos:
total 0

koji/scratch:
total 0

koji/work:
total 0
The Koji/ExternalRepoServerBootstrap document says "Wait for the repo to regenerate, and you should now be able to run a build successfully." However, Koji-web lists the newRepo task as failed with result "<type 'exceptions.OSError'>: [Errno 13] Permission denied: '/mnt/koji/repos'". On the builder, kojid.log reports:
2012-04-12 14:20:31,067 [INFO] koji.build: Starting up
2012-04-12 14:20:34,363 [INFO] koji.TaskManager: Attempting to take task 176
2012-04-12 14:20:36,275 [INFO] koji.TaskManager: pids: {176: 17925}
2012-04-12 14:20:36,855 [WARNING] koji.TaskManager: FAULT:
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/koji/daemon.py", line 1114, in runTask
    response = (handler.run(),)
  File "/usr/lib/python2.6/site-packages/koji/tasks.py", line 146, in run
    return self.handler(*self.params,**self.opts)
  File "/usr/sbin/kojid", line 2491, in handler
    repo_id, event_id = self.session.host.repoInit(tinfo['id'], **kwargs)
  File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1510, in __call__
    return self.__func(self.__name,args,opts)
  File "/usr/lib/python2.6/site-packages/koji/__init__.py", line 1760, in _callMethod
    raise err
Fault: <Fault 1: "<type 'exceptions.OSError'>: [Errno 13] Permission denied: '/mnt/koji/repos'">
2012-04-12 14:20:37,110 [INFO] koji.TaskManager: open task: {'waiting': None, 'id': 176, 'weight': 0.10000000000000001}
I've looked into the code, but my python is not up to debugging that. It's not an SELinux problem (I tried permissive mode) and /mnt/koji is mounted read-write on the builder even though the documentation says that's not necessary. Can someone point me in the right direction?
Moray.
"To err is human; to purr, feline."
-- buildsys mailing list buildsys@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/buildsys
Ah. Silly me - it was an SELinux problem. I was fooled by the fact that the traceback and 'Permission denied' error occurred in kojid.log into thinking that the problem was on the kojid side. After attempting to trace the code
repo_id, event_id = self.session.host.repoInit(tinfo['id'], **kwargs)
and finding that session doesn't have a host method or attribute and repoInit doesn't exist anywhere in kojid, I searched every file on both systems for repoInit and found it in /usr/share/koji-hub/kojihub.py - with corresponding error messages in /var/log/httpd/error_log. I also discovered the hub option KojiTraceback = extended, which helped.
The problem code was
File "/usr/share/koji-hub/kojihub.py", line 2060, in repo_init
os.makedirs(repodir) #should not already exist
and after a setenforce 0 on the hub it started to work. I was sure I had checked the AVC log, but perhaps that was before I had nfs working. Now it shows:
[root@kojihub ~] # aureport --avc -ts recent
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr system_u:object_r:nfs_t:s0 denied 494
2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0 denied 493
3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write system_u:object_r:nfs_t:s0 denied 495
4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir add_name system_u:object_r:nfs_t:s0 denied 495
5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create unconfined_u:object_r:nfs_t:s0 denied 495
6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create unconfined_u:object_r:nfs_t:s0 denied 496
7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open system_u:object_r:nfs_t:s0 denied 496
Perhaps Koji/ServerHowTo could have a note for beginners that if the hub's /mnt/koji is on nfs you need to beat SELinux into submission. Unfortunately my current nfs server doesn't have proper SELinux support. I may have to rearrange some disk space.
Moray.
"To err is human; to purr, feline."
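The AVC rows from the message above, grouped by process and SELinux type, as an added example that is not part of the original thread. Every denial turns out to be httpd_t acting on nfs_t, which places the failure in the hub's Apache process rather than in kojid. The function names are illustrative; the sample rows are copied from the report above.

```python
import re
from collections import defaultdict

# Rows copied from the aureport output quoted in the message above.
SAMPLE = """\
# date time comm subj syscall class permission obj event
1. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir getattr system_u:object_r:nfs_t:s0 denied 494
2. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 4 dir search system_u:object_r:nfs_t:s0 denied 493
3. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir write system_u:object_r:nfs_t:s0 denied 495
4. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir add_name system_u:object_r:nfs_t:s0 denied 495
5. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 83 dir create unconfined_u:object_r:nfs_t:s0 denied 495
6. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file create unconfined_u:object_r:nfs_t:s0 denied 496
7. 04/13/2012 14:23:36 httpd unconfined_u:system_r:httpd_t:s0 2 file open system_u:object_r:nfs_t:s0 denied 496
"""

# One numbered row of "aureport --avc", in the column order shown above.
ROW = re.compile(
    r"^\d+\.\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<comm>\S+)\s+(?P<subj>\S+)\s+"
    r"(?P<syscall>\d+)\s+(?P<tclass>\S+)\s+(?P<perm>\S+)\s+(?P<obj>\S+)\s+"
    r"(?P<result>denied|granted)\s+(?P<event>\d+)$"
)

def se_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarise(report):
    """Group denied rows by (command, source type, target type)."""
    groups = defaultdict(lambda: {"perms": set(), "events": set()})
    for line in report.splitlines():
        m = ROW.match(line.strip())
        if not m or m.group("result") != "denied":
            continue  # banner, column header, separators, granted rows
        key = (m.group("comm"), se_type(m.group("subj")), se_type(m.group("obj")))
        groups[key]["perms"].add(m.group("tclass") + ":" + m.group("perm"))
        groups[key]["events"].add(int(m.group("event")))
    return dict(groups)

if __name__ == "__main__":
    for (comm, src, tgt), g in sorted(summarise(SAMPLE).items()):
        print("%s: %s -> %s" % (comm, src, tgt))
        print("  permissions:", ", ".join(sorted(g["perms"])))
        print("  audit events:", sorted(g["events"]))
```

A single httpd_t to nfs_t group is the pattern that the targeted policy's httpd_use_nfs boolean covers; running audit2why over the same events confirms whether that boolean applies before it is enabled.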
From: Andreas Mack [mailto:andreas.mack@gmail.com] Sent: 13 April 2012 12:19 To: Discussion of Fedora build system Subject: Re: newRepo Permission denied: '/mnt/koji/repos'
On 04/13/2012 07:19 AM, Andreas Mack wrote:
Hey,
just my two cents: It's possible to run the builders completely without NFS. I use "topurl=" instead of "topdir=" in kojid.conf. The URL is http://kojihub.domain.tld/kojimnt where kojimnt is apache aliased to the /mnt/koji on kojihub. Regen repos has to be run on kojihub in that case. It's the only one in the createrepo channel.
Yeah, createrepo is the only part that strictly requires /mnt/koji on the builders (and only ro access).
Note that running regen repos "on kojihub" means running a kojid instance on the same host that kojihub is running on. When I do this (generally only in test setups) I usually set that kojid instance up to only be in the createrepo channel.