On Sat, 22 Jan 2022 at 05:04, <infrastructure-request@lists.fedoraproject.org> wrote:
Today's Topics:
- CPE Weekly Update - Week of January 17th-22nd (Vipul Siddharth)
- RE: F36 Change: Enable fs-verity in RPM (System-Wide Change proposal) (Roberto Sassu)
Date: Fri, 21 Jan 2022 19:46:41 +0530
From: Vipul Siddharth siddharthvipul1@gmail.com
Subject: CPE Weekly Update - Week of January 17th-22nd
To: Fedora Infrastructure infrastructure@lists.fedoraproject.org, centos-devel@centos.org, Development discussions related to Fedora devel@lists.fedoraproject.org
Message-ID: <CA+Bo6C0h4C8hoLXikcsQdhEywEcM5FmpRkwo0tiryqz2jbM6bg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hi everyone,
This is a weekly report from the CPE (Community Platform Engineering) Team. If you have any questions or feedback, please respond to this report or contact us on the #redhat-cpe channel on libera.chat (https://libera.chat/).
We (CPE team) will be joining Fedora Social Hour on Jan 27th. Looking forward to seeing a lot of you! ( https://discussion.fedoraproject.org/t/join-us-for-fedora-social-hour-every-... )
If you wish to read this in the form of a blog post, check the post on the Fedora community blog: ( https://communityblog.fedoraproject.org/cpe-weekly-update-week-of-january-17... )
# Highlights of the week
## Infrastructure & Release Engineering
Goal of this initiative
The purpose of this team is to take care of day-to-day business regarding CentOS and Fedora Infrastructure and Fedora release engineering work. It’s responsible for services running in Fedora and CentOS infrastructure and preparing things for the new Fedora release (mirrors, mass branching, new namespaces etc.). The ARC (which is a subset of the team) investigates possible initiatives that CPE might take on.
Update
### Fedora Infra
- All koji builders/hubs upgraded to F35 and ready for mass rebuild ( 🤞 )
- Additional s390x disk space appeared, so added 10 more s390x builders.
- Fixed IPA issue with certs (known upgrade bug)
- Difficult container builds failing issue solved.
### CentOS Infra including CentOS CI
- CentOS Linux 8 EOL plan
- Hardware issues (storage box, 64 compute nodes for CI infra)
- Kmods SIG DuD discussion (koji plugin vs external script)
- CI storage for ocp/openshift migration completed and working faster/better!
- CentOS CI tenants Survey (for the upcoming DC move)
### Release Engineering
- Mass rebuild starts today
- Several rawhide issues fixed and composes have been good the last few days.
## CentOS Stream
Goal of this initiative
This initiative is working on CentOS Stream/Emerging RHEL to make this new distribution a reality. The goal of this initiative is to prepare the ecosystem for the new CentOS Stream.
Updates
- The NFV repo was added to CentOS Stream 8, work is happening now on the repo files in centos-release
- Module branching work is ongoing
- Libffi is causing some interesting breakage in ELN
- GCC bugs in ELN
- Koji/brew Inheritance discussions are still happening
- Testing Content Resolver with production data before deployment
## Datanommer/Datagrepper V.2
Goal of this initiative
The datanommer and datagrepper stacks are currently relying on fedmsg which we want to deprecate. These two applications need to be ported off fedmsg to fedora-messaging. As these applications are 'old-timers' in the fedora infrastructure, we would also like to look at optimizing the database or potentially redesigning it to better suit the current infrastructure needs. For a phase two, we would like to focus on a DB overhaul.
Updates
- It’s done! Data is migrated, the new code is now running in prod.
## CentOS Duffy CI
Goal of this initiative
Duffy is a system within CentOS CI Infra which allows tenants to provision and access bare metal resources of multiple architectures for the purposes of CI testing. We need to add the ability to checkout VMs in CentOS CI in Duffy. We have OpenNebula hypervisor available, and have started developing playbooks which can be used to create VMs using the OpenNebula API, but due to the current state of how Duffy is deployed, we are blocked with new dev work to add the VM checkout functionality.
Updates
- Legacy API
- Node Pools & Ansible Backend
## Image builder for Fedora IoT
Goal of this initiative
Integration of Image builder as a service with Fedora infra to allow Fedora IoT to migrate their pipeline to Fedora infra.
Updates
- Officially kicked off this week
- Fact finding at the moment
- Met with Peter Robinson and team from Fedora IoT
- Need to figure out a way to run their pipeline
- At least 1 koji plugin to be written + deployed
- Meeting with Image Builder team tomorrow
- They are currently blocked by auth, development underway
- Need to get an idea of their API and what they expect from us
## Bodhi
Goal of this initiative
This initiative is to separate Bodhi into multiple sub packages, fix integration and unit tests in CI, fix dependency management, and automate part of the release process. Read ARC team findings in detail at: https://fedora-arc.readthedocs.io/en/latest/bodhi/index.html
Updates
- splitting the codebase into separate python packages
- migrating from CentOS CI to Zuul
## EPEL
Goal of this initiative
Extra Packages for Enterprise Linux (or EPEL) is a Fedora Special Interest Group that creates, maintains, and manages a high quality set of additional packages for Enterprise Linux, including, but not limited to, Red Hat Enterprise Linux (RHEL), CentOS and Scientific Linux (SL), Oracle Linux (OL).
EPEL packages are usually based on their Fedora counterparts and will never conflict with or replace packages in the base Enterprise Linux distributions. EPEL uses much of the same infrastructure as Fedora, including buildsystem, bugzilla instance, updates manager, mirror manager and more.
Updates
- epel9 up to 1346 source packages (increase of 188 from last week)
- Two talks submitted and accepted for the February CentOS Dojo
  - State of EPEL
  - EPEL Packaging Hackfest
Kindest regards,
Vipul Siddharth
He/His/Him
On behalf of the CPE team
Date: Fri, 21 Jan 2022 16:08:04 +0000
From: Roberto Sassu roberto.sassu@huawei.com
Subject: RE: F36 Change: Enable fs-verity in RPM (System-Wide Change proposal)
To: Development discussions related to Fedora devel@lists.fedoraproject.org
Cc: "infrastructure@lists.fedoraproject.org" infrastructure@lists.fedoraproject.org
Message-ID: 357929364e1944958ade6098401ef2ce@huawei.com
Content-Type: text/plain; charset="utf-8"
Hi everyone
(note for the infrastructure mailing list: please check if the changes I'm proposing could be tested in the Fedora infrastructure, like Copr)
I made the first version of the rpm extension to sign fsverity digests with a GPG key. The patch set (with some bug fixes) is available here:
https://github.com/robertosassu/rpm/commits/fsverity-gpg-v1
I tested it locally with my own GPG key. I took an existing Fedora 34 package and signed it with rpmsign:
    $ usr/bin/rpmsign --define "%_gpg_name testhost testhost@test.test" \
        --define "%_file_signing_key _GPG_" \
        --define "%_file_signing_cert _GPG_" \
        --addsign --signverity tmux-3.1c-2.fc34.x86_64.rpm

I then checked that the package now has fsverity signatures:

    $ usr/bin/rpm -qp tmux-3.1c-2.fc34.x86_64.rpm \
        --queryformat '[%{RPMTAG_FILENAMES} %{RPMTAG_VERITYSIGNATURES}\n]'
    [...]
    /usr/bin/tmux iQHHBAABCgAxFiEEEiFa0dGZVYzTrIN+rxtXRMfK0McFAmHq0+4THHRlc3Rob3N0
    QHRlc3QudGVzdAAKCRCvG1dEx8rQx81nC/42NW9xJx3rcTiR6/5oL55GPkan+OIq
    t2dW1clJUOrxOGVy/5JQTQf0MQXA7gzH1yPgcrskkahjSfWlp4pt7oOw3rukUyaO
    zVZxue4XE6XESYtolczK4VEhpc8lbm4hj0e4NCg/dKri/+L5wIdJvmqWNeCfl7uZ
    [...]
In a VM I tried to install the modified package. The root filesystem is ext4 and has the fsverity feature enabled.
The fsverity rpm plugin is also enabled and hasn't been modified to work with the new PGP signatures.
The kernel includes the patch set I recently sent to the kernel mailing lists to add support for PGP keys and signatures:
https://lore.kernel.org/linux-integrity/20220111180318.591029-1-roberto.sass...
and another patch that calls verify_pgp_signature() in fs/verity/signature.c.
The first installation attempt fails, due to the missing key in the .fs-verity keyring:
    # usr/bin/rpm -Uhvi ../tmux-3.1c-2.fc34.x86_64.rpm --debug
    [...]
    D: Plugin: calling hook fsm_file_prepare in fsverity plugin
    D: applying signature: [...]
    D: failed to enable verity (errno 126) for /usr/bin/tmux;61ead62d
Then, I added the required GPG key to the .fs-verity keyring:
    # cat /mnt/repos/linux/certs/pubring.gpg | keyctl padd asymmetric test %keyring:.fs-verity
    76292211
The key is now loaded:
    # keyctl show %keyring:.fs-verity
    Keyring
      66741466 --a-swrv      0     0  keyring: .fs-verity
      76292211 --als--v      0     0   \_ asymmetric: test
I retried the tmux installation:
    # usr/bin/rpm -Uhvi ../tmux-3.1c-2.fc34.x86_64.rpm --debug
    [...]
    D: Plugin: calling hook fsm_file_prepare in fsverity plugin
    D: applying signature: [...]
    D: fsverity enabled signature for: path /usr/bin/tmux;61ead713 dest /usr/bin/tmux
This time the installation is successful, which means that the PGP signature has been successfully verified.
Roberto
HUAWEI TECHNOLOGIES Duesseldorf GmbH, HRB 56063 Managing Director: Li Peng, Zhong Ronghua
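
Added example (not part of Roberto's message or of the rpm patch set): a Python triage of the fsverity plugin's `--debug` lines quoted above. It maps the reported errno to its cause; errno 126 is ENOKEY, which is why loading the key into the `.fs-verity` keyring fixed the install. The errno table follows the kernel's fs-verity documentation; the helper names, the 8-hex-digit temporary suffix pattern and the `/usr/bin/example` line are assumptions made for illustration.

```python
import re

# errno meanings for enabling verity, per the kernel's fs-verity documentation.
VERITY_ERRNO = {
    74: ("EBADMSG", "builtin signature is malformed"),
    95: ("EOPNOTSUPP", "kernel or filesystem lacks fs-verity support"),
    126: ("ENOKEY", "verification key missing from the .fs-verity keyring"),
    129: ("EKEYREJECTED", "signature does not match the file"),
}
FAIL_RE = re.compile(r"D: failed to enable verity \(errno (\d+)\) for (\S+)")
OK_RE = re.compile(r"D: fsverity enabled signature for: path (\S+) dest (\S+)")
# Temporary-name suffix as it appears in the post's log (assumed 8 hex digits).
TMP_SUFFIX_RE = re.compile(r";[0-9a-f]{8}$")


def triage(log_text):
    """Return one record per file the fsverity plugin reported on."""
    records = []
    for line in map(str.strip, log_text.splitlines()):
        if m := FAIL_RE.fullmatch(line):
            name, hint = VERITY_ERRNO.get(int(m.group(1)), ("UNKNOWN", "see errno(3)"))
            path = TMP_SUFFIX_RE.sub("", m.group(2))
            records.append({"path": path, "verity": False, "errno": name, "hint": hint})
        elif m := OK_RE.fullmatch(line):
            records.append({"path": m.group(2), "verity": True, "errno": None, "hint": None})
    return records


def unprotected(records):
    """Paths whose most recent report says verity was not enabled."""
    last = {r["path"]: r for r in records}  # later records overwrite earlier ones
    return sorted(p for p, r in last.items() if not r["verity"])


# Constructed sample: the two runs from the post, plus one invented file
# (/usr/bin/example) failing with errno 95.
SAMPLE_LOG = """\
D: Plugin: calling hook fsm_file_prepare in fsverity plugin
D: applying signature: [...]
D: failed to enable verity (errno 126) for /usr/bin/tmux;61ead62d
D: failed to enable verity (errno 95) for /usr/bin/example;61ead62d
D: Plugin: calling hook fsm_file_prepare in fsverity plugin
D: applying signature: [...]
D: fsverity enabled signature for: path /usr/bin/tmux;61ead713 dest /usr/bin/tmux
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
    print("verity still missing on:", unprotected(triage(SAMPLE_LOG)))
```
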
End of infrastructure Digest, Vol 187, Issue 10