On 11/18/18 10:07 AM, Neal Gompa wrote:
> On Sat, Nov 17, 2018 at 2:37 PM John Florian
> <jflorian(a)doubledog.org> wrote:
>> On 11/17/18 12:40 PM, Neal Gompa wrote:
>>> On Sat, Nov 17, 2018 at 10:42 AM John Florian
>>> <jflorian(a)doubledog.org> wrote:
>>>> On 11/16/18 9:38 PM, Neal Gompa wrote:
>>>>> On Fri, Nov 16, 2018 at 8:02 PM John Florian
>>>>> <jflorian(a)doubledog.org> wrote:
>>>>>> On 10/31/18 6:29 PM, Ken Dreyer wrote:
>>>>>>> Hi folks,
>>>>>>>
>>>>>>> I'm working on some native Ansible modules to manage Koji
>>>>>>> resources.
>>>>>>>
>>>>>>> https://github.com/ktdreyer/koji-ansible
>>>>>>>
>>>>>>> (This is not about installing Koji, it's just a way to
>>>>>>> declaratively define things within Koji, where you might
>>>>>>> normally use the koji CLI.)
>>>>>>
>>>>>> Since we're on the subject, I should mention that I have a
>>>>>> pretty complete Puppet module[1] for managing my entire
>>>>>> Koji installation. The documentation is only sufficient if
>>>>>> you're already familiar with Koji deployments and Puppet,
>>>>>> but otherwise should look quite familiar.
>>>>>>
>>>>>> [1] https://github.com/jflorian/doubledog-koji
>>>>>>
>>>>> This is neat! Does your puppet module support configuring
>>>>> Koji with Kerberos auth as an alternative to SSL cert auth?
>>>>>
>>>>
>>>> Not ATM, but I've been intending to add that support. It
>>>> should be quite easy, but it's just a matter of finding time.
>>>> I have two Koji deployments: the day job and at home. Home is
>>>> the only one where I have the opportunity to explore and play
>>>> and once I've worked out the kinks I sneak it into work as it's
>>>> generally an overall improvement. My home setup is never what
>>>> I want though for my time is torn in a thousand different
>>>> directions and that's just the IT side of my life. That all
>>>> said, I'm easily manipulated to sway my priorities! ;-)
>>>>
>>> There are three reasons for my interest:
>>>
>>> * I'm trying to find a good method for building a self-contained
>>> Koji appliance image that will set up Koji systems properly. I've
>>> not found a good Ansible playbook for doing this, so I'm
>>> considering using Puppet for this instead.
>>>
>>> * I'm trying to find a good module/manifest for setting up Koji
>>> for Mageia that supports Kerberos and configuring stuff properly.
>>> Mageia infrastructure is managed with Puppet, so it's ideal to
>>> have a good module for that. The other manifests/modules I've
>>> found so far are either horribly underdocumented (at which point
>>> I don't know how to use them) or lack the necessary capability to
>>> set up a Fedora-like Koji system.
>>>
>>> * One of the places I'd like to set up Koji uses Puppet as well,
>>> so it works out well if there's a complete module that can be
>>> leveraged.
>>>
>>
>> I think my module would be a great starting point then. Once I
>> started using Puppet, I went all in so that all my servers and
>> workstations are 100% managed from a minimal install. It was
>> shortly after the RH bought Ansible and Fedora went that way, but I
>> was too deep already, though I very much like Ansible, if not
>> actually prefer it. I know Puppet deep enough to know where the
>> warts are and there's quite a few.
>>
>> Anyway, my Koji setup mimics Fedora's in many ways because that was
>> the example I had to learn from ... and it wasn't all that long ago
>> they did x509 auth too. So, if you're interested, I'd love to team up
>> and knock in the Kerberos support because I've seen plenty of
>> evidence of how active you are in FOSS and I'm always trying to
>> give back more myself. Consider me inspired. I think you'll find
>> my module docs good but not excellent ... they really would benefit
>> from some examples, but as you know there's a lot of ways a Koji
>> deployment can be put together. Still, an all-in-one setup for
>> small sites is probably the best example because bigger sites are
>> going to know how/where they want to be different. I think my
>> module is flexible enough for just about any use case -- I'd aimed
>> for that with the auth parts being the one exception because if I'm
>> not using it, I'm not testing it.
>>
>> I also have a Sigul module for signing at
>> https://github.com/jflorian/doubledog-sigul.
>>
> I'm rather new to the Puppet thing, but I'll help however I can.
> But, yeah I'm interested. And it's awesome there's a sigul module
> too, since that'd really be part of any useful Koji setup anyway. :)
>
Well, if you understand how Koji needs Kerberos to be set up then we can
definitely do this. I'm ok with Kerberos but far from expert level. I
have Kerberos for system auth and my greatest feat thus far is
Kerberizing my httpd setup so I get transparent auth for my Wikimedia
site. I can grok Koji using Kerberos for user auth but
component-to-component (e.g., web-to-hub) is where I'm a bit lost.
Admittedly, I've not looked at this at all in detail yet -- this is just
from the what I know and speculation vantage point.

I've created https://github.com/jflorian/doubledog-koji/issues/1 so we
can hash the rest of this out there.

--
John Florian