Questions about OSBS

Tomas Tomecek ttomecek at redhat.com
Fri Jul 3 07:39:56 UTC 2015


Quoting Adam Miller (2015-07-02 16:46:37)
> Hello all,
>     I've been doing some digging into OpenShift V3[0], OSBS[1], and
> the Containerbuild plugin for koji[2] for the sake of the proposed
> Layered Image Build Service Change[3] and I was left with a few
> questions that I was hoping some subject matter experts on the various
> topics could fill in for me.
> 
> - How is security between OSBS and Koji handled for the Koji plugin?
>   - These systems are disjoint and have to communicate somehow.

Koji builders use HTTPS when they talk to OpenShift's REST API. We use Kerberos
there, but cert-based authentication can be used also (actually, any
authentication).

> - Are there any docs on how to deploy OSBS on top of a pre-existing
> OpenShift V3 Environment? (The current OSBS deploy docs and ansible
> are only single-node)

We no longer use all-in-one, instead we use a proper master/node setup. Therefore
you can use a multi-node setup very easily.

As I'm thinking about it now, I can't figure out any issues with using an existing
OpenShift v3 deployment: all you need to have there is:

 * build image
 * k8s secret [5] if you want to push to pulp registry

> - Is there any sort of OSBS Administration guide?

The OpenShift team has very detailed documentation [6].

>   - Once this is set up, how do we admin it? Users that need to be
> created, maintenance, database trimming, etc.

User administration [7]. OpenShift doesn't have a relational database [8].

>   - Method to keep atomic-reactor buildroot image updated?

This is something we haven't really discussed yet. For now we are doing ad-hoc
rebuilds. I guess that you could create a cronjob and rebuild the image
periodically. Once OSBS is capable of doing chain rebuilds, this will be
very easy to automate.

>   - How to know/detect/determine that the atomic-reactor buildroot
> image needs updating?

Good question. I assume that one indicator could be the base image being rebuilt.
Also, an atomic-reactor update could be the reason to update.

> - Is there a timeline for OSBS update to OpenShift V3 1.0.0? (current
> upstream OSBS OpenShift version at the time of the writing is quite
> old - v0.5.2)

Short answer is: we are working on it. I think that our codebase should already
support v1 API. Martin Milata can comment on this way more.

> - How would someone go about configuration for internal vs external
> docker registry to be used with OSBS?

Could you please elaborate? I'm not totally sure about the question.

> - The ContainerBuild Koji plugin is hardcoding koji_hub_path
>   - Is there a reason/motivation behind this?
>   - Can this be a configuration parameter?
> 
> - How do OSBS and the Koji plugin negotiate authentication/authorization?
>   - What users within OSBS/OpenShift map to Koji users? (Do they at all?)
>   - Where does the responsibility for user mapping exist? (just defer to koji?)
>   - How to determine what users are allowed to build and/or build for
> what koji tags?
> 
> - Is it possible to use OSBS against the new Atomic Enterprise[4]
> instead of OpenShift V3?

I think so. I'm not sure what version of OpenShift is used in Enterprise but I'm
assuming this shouldn't be a problem.

>   - Main motivation/curiosity is that for the build system we don't
> really need a giant portion of what OpenShift offers and the
> maintenance, administrative overhead and security aspects are of
> concern. (This is mostly an idle curiosity, I'm not advocating for one
> over the other but I wanted to bring it up).

Chain rebuilds will be a nice feature to get from OpenShift. Also, OpenShift has
a very sweet web interface [9].

On the other hand, I totally understand your concerns. Maybe having some
automation on top of atomic-reactor could be more suitable.

> Thank you,
> -AdamM
> 
> [0] - https://github.com/openshift/origin
> [1] - https://github.com/DBuildService/osbs-client
> [2] - https://github.com/release-engineering/koji-containerbuild
> [3] - https://fedoraproject.org/wiki/Changes/Layered_Docker_Image_Build_Service
> [4] - https://github.com/projectatomic/atomic-enterprise

[5] https://github.com/DBuildService/osbs-client/blob/master/docs/secret.md
[6] https://docs.openshift.org/latest/admin_guide/overview.html
[7] https://docs.openshift.org/latest/admin_guide/manage_authorization_policy.html
[8] https://docs.openshift.org/latest/architecture/infrastructure_components/kubernetes_infrastructure.html#master
[9] https://docs.openshift.org/latest/architecture/infrastructure_components/web_console.html

~~
Tomáš Tomeček
Software Engineer
Developer Experience
UTC+2 (CEST)
