|
 |
12bb45 |
# Community Build Service (https://cbs.centos.org)
|
|
|
27db0d |
|
|
|
27db0d |
That infra is hosted in RDU2c (Community Cage) DC, with kojihub being publicly reachable, and kojid/builders restricted to internal vlan/zone (no default route)
|
|
|
27db0d |
It does *not* build any official CentOS Linux/Stream package used in the distribution, but is used to let community members build additional packages that can be built against/for CentOS Linux/Stream releases.
|
|
|
27db0d |
|
|
|
27db0d |
|
|
|
27db0d |
## Authentication
|
|
|
27db0d |
|
|
|
27db0d |
The whole CBS/koji infra is using the centralized [Authentication service](/infra/authentication/) so both the infra components (services/nodes) and the users are authenticated with TLS certificates.
|
|
|
27db0d |
|
|
|
27db0d |
That means that for each node, we need a valid [TLS cert signed by IPA](/security/tls/#ipadogtag-central-authentication).
|
|
|
27db0d |
|
|
|
27db0d |
Same rule applies for `users` : they need to be authenticated with valid TLS certificated signed by same CA but we'll consider two kind of users:
|
|
|
27db0d |
|
|
|
27db0d |
* service account[s]: used to run services (not real users) so can be [created](/security/tls/#tls-service-account) by infra team
|
|
|
27db0d |
* real users: they can use instructions to create their [own TLS cert](/infra/authentication/#tlsx509-authentication)
|
|
|
27db0d |
|
|
|
27db0d |
## Koji tags structure
|
|
|
27db0d |
|
|
|
27db0d |
When the Special Interest Groups ([SIG](https://wiki.centos.org/SpecialInterestGroup) in short) wanted to start building , the idea discussed on the centos-devel list (back in 2014) was to create some koji [tags](https://docs.pagure.org/koji/HOWTO/#package-organization) that would let people build/test/promote their packages that would then be pushed to the external mirrors CDN (while being signed with a specific [GPG key](/koji-cbs-sigs/#security-gpg-key-for-packages-signing))
|
|
|
27db0d |
|
|
|
27db0d |
The proposed and agreed levels are :
|
|
|
27db0d |
|
|
|
27db0d |
* candidate: just used to build initially a package, test that it build and minimal CI tests
|
|
|
27db0d |
* pushed to external mirror : no
|
|
|
27db0d |
* signed with gpg key: no
|
|
|
27db0d |
* testing: based on SIG decision than can `tag-build` pkg in -testing for more external tests
|
|
|
27db0d |
* pushed to external mirrors: yes (https://buildlogs.centos.org)
|
|
|
27db0d |
* signed gith gpg key: no
|
|
|
27db0d |
* release: consider stable and tested enough by SIG so ready for public consumption
|
|
|
27db0d |
* pushed to external mirrors: yes (all mirrors)
|
|
|
27db0d |
* signed with gpg key: yes
|