Quoting Adam Miller (2015-07-02 16:46:37)
Hello all,
I've been doing some digging into OpenShift V3[0], OSBS[1], and
the Containerbuild plugin for koji[2] for the sake of the proposed
Layered Image Build Service Change[3] and I was left with a few
questions that I was hoping some subject matter experts on the various
topics could fill in for me.
- How is security between OSBS and Koji handled for the Koji plugin?
- These systems are disjoint and have to communicate somehow.
Koji builders use https when they talk to OpenShift's REST API. We use Kerberos
there, but cert based authentication can be used also (actually, any
authentication).
- Are there any docs on how to deploy OSBS on top of a pre-existing
OpenShift V3 Environment? (The current OSBS deploy docs and ansible
are only single-node)
We no longer use all-in-one, instead we use a proper master/node setup. Therefore
you can use a multi-node setup very easily.
As I'm thinking about it now, I can't figure out any issues with using existing
OpenShift v3 deployment: all you need to have there is:
* build image
* k8s secret [5] if you want to push to pulp registry
- Is there any sort of OSBS Administration guide?
OpenShift team has a very detailed documentation [6].
- Once this is setup, how do we admin it? Users that need to be
created, maintenance, database trimming, etc.
User administration [7]. OpenShift doesn't have a relational database [8].
- Method to keep atomic-reactor buildroot image updated?
This is something we haven't really discussed yet. For now we are doing ad-hoc
rebuilds. I guess that you could create a cronjob and rebuild the image
periodically. Once OSBS will be capable of doing chain rebuilds, this will be
very easy to automate.
- How to know/detect/determine that the atomic-reactor buildroot
image needs updating?
Good question. I assume that one indicator could be base image being rebuilt.
Also, atomic-reactor update could be the reason to update.
- Is there a timeline for OSBS update to OpenShift V3 1.0.0? (current
upstream OSBS OpenShift version at the time of the writing is quite
old - v0.5.2)
Short answer is: we are working on it. I think that our codebase should already
support v1 API. Martin Milata can comment on this way more.
- How would someone go about configuration for internal vs external
docker registry to be used with OSBS?
Could you please elaborate? I'm not totally sure about the question.
- The ContainerBuild Koji plugin is hardcoding koji_hub_path
- Is there a reason/motivation behind this?
- Can this be a configuration parameter?
- How does OSBS and the Koji plugin negotiate authentication/authorization?
- What users within OSBS/OpenShift map to Koji users? (Do they at all?)
- Where does the responsibility for user mapping exist? (just defer to koji?)
- How to determine what users are allowed to build and/or build for
what koji tags?
- Is it possible to use OSBS against the new Atomic Enterprise[4]
instead of OpenShift V3?
I think so. I'm not sure what version of OpenShift is used in Enterprise but I'm
assuming this shouldn't be a problem.
- Main motivation/curiosity is that for the build system we don't
really need a giant portion of what OpenShift offers and the
maintenance, administrative overhead and security aspects are of
concern. (This is mostly an idle curiosity, I'm not advocating for one
over the other but I wanted to bring it up).
Chain rebuilds will be a nice feature to get from OpenShift. Also, OpenShift has
a very sweet web interface [9].
On the other hand, I totally understand your concerns. Maybe having some
automation on top of atomic-reactor could be more suitable.
[5] https://github.com/DBuildService/osbs-client/blob/master/docs/secret.md
[6] https://docs.openshift.org/latest/admin_guide/overview.html
[7] https://docs.openshift.org/latest/admin_guide/manage_authorization_policy...
[8] https://docs.openshift.org/latest/architecture/infrastructure_components/...
[9] https://docs.openshift.org/latest/architecture/infrastructure_components/...
~~
Tomáš Tomeček
Software Engineer
Developer Experience
UTC+2 (CEST)
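The two indicators named above for when the atomic-reactor buildroot image needs a rebuild (the base image was rebuilt, or atomic-reactor itself was updated) can be turned into a small check that a periodic job runs before deciding whether to trigger a rebuild. The following is an added example, not code from the thread or from OSBS/atomic-reactor: it records the base image digest and the atomic-reactor version that the current buildroot was built from, compares them against freshly gathered values, and reports why a rebuild is due. The `docker inspect`-style JSON and the version string are constructed inline for the example; the state file layout and the function names are assumptions.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class BuildrootState:
    """What the current buildroot was built from (assumed layout of a recorded state file)."""
    base_image_digest: str   # sha256 repo digest of the base image at build time
    reactor_version: str     # atomic-reactor version installed in the buildroot


def parse_repo_digest(inspect_json: str) -> str:
    """Extract the sha256 repo digest from docker/skopeo-style inspect output.

    Accepts either a single object or the one-element list that `docker inspect`
    prints. Raises ValueError if no digest is present, so a caller never compares
    against an empty string and silently concludes "no change".
    """
    data = json.loads(inspect_json)
    if isinstance(data, list):
        if not data:
            raise ValueError("empty inspect output")
        data = data[0]
    for entry in data.get("RepoDigests", []):
        # RepoDigests entries look like "registry/repo@sha256:<hex>"
        _, sep, digest = entry.partition("@")
        if sep and digest.startswith("sha256:"):
            return digest
    raise ValueError("no sha256 repo digest in inspect output")


def rebuild_reasons(recorded: BuildrootState, current_base_digest: str,
                    current_reactor_version: str) -> list:
    """Return the list of reasons the buildroot should be rebuilt (empty means up to date)."""
    reasons = []
    if current_base_digest != recorded.base_image_digest:
        reasons.append("base image rebuilt: %s -> %s"
                       % (recorded.base_image_digest[:19], current_base_digest[:19]))
    if current_reactor_version != recorded.reactor_version:
        reasons.append("atomic-reactor updated: %s -> %s"
                       % (recorded.reactor_version, current_reactor_version))
    return reasons


# Constructed sample data standing in for a recorded state file and fresh inspect output.
RECORDED = BuildrootState(
    base_image_digest="sha256:" + "a" * 64,
    reactor_version="1.4.0-1",
)

# Constructed `docker inspect` output for the base image as it exists now (digest changed).
CURRENT_INSPECT = json.dumps([{
    "Id": "sha256:" + "c" * 64,
    "RepoTags": ["registry.example.invalid/fedora:latest"],
    "RepoDigests": ["registry.example.invalid/fedora@sha256:" + "b" * 64],
}])

# Constructed output of a version query inside the buildroot (unchanged here).
CURRENT_REACTOR_VERSION = "1.4.0-1"


def check_buildroot() -> list:
    """Gather current values and return the rebuild reasons for the sample data."""
    return rebuild_reasons(RECORDED, parse_repo_digest(CURRENT_INSPECT),
                           CURRENT_REACTOR_VERSION)


if __name__ == "__main__":
    reasons = check_buildroot()
    if reasons:
        print("rebuild needed:")
        for reason in reasons:
            print("  -", reason)
    else:
        print("buildroot is up to date")
```

A cron job would run this with real `docker inspect` (or `skopeo inspect`) output and the installed atomic-reactor version, rewrite the recorded state after a successful rebuild, and otherwise leave the buildroot alone; failing closed on missing digests matters because an inspect error must not be mistaken for "nothing changed".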