Blame docs/buildsys/koji-cbs.md

12bb45
# Community Build Service (https://cbs.centos.org)
27db0d
27db0d
That infra is hosted in RDU2c (Community Cage) DC, with kojihub being publicly reachable, and kojid/builders restricted to internal vlan/zone (no default route)
27db0d
It does *not* build any official CentOS Linux/Stream package used in the distribution, but is used to let community members build additional packages that can be built against/for CentOS Linux/Stream releases.
27db0d
27db0d
27db0d
## Authentication
27db0d
6d98f4
The whole CBS/koji infra is using the centralized [Authentication service](../infra/authentication.md) so both the infra components (services/nodes) and the users are authenticated with TLS certificates.
27db0d
6d98f4
That means that for each node, we need a valid [TLS cert signed by IPA](../security/tls.md#ipadogtag-central-authentication).
27db0d
27db0d
Same rule applies for `users` : they need to be authenticated with valid TLS certificated signed by same CA but we'll consider two kind of users:
27db0d
6d98f4
  * service account[s]: used to run services (not real users) so can be [created](../security/tls.md#tls-service-account) by infra team
6d98f4
  * real users: they can use instructions to create their [own TLS cert](../infra/authentication.md#tlsx509-authentication)
27db0d
27db0d
## Koji tags structure
27db0d
6d98f4
When the Special Interest Groups ([SIG](https://wiki.centos.org/SpecialInterestGroup) in short) wanted to start building , the idea discussed on the centos-devel list (back in 2014) was to create some koji [tags](https://docs.pagure.org/koji/HOWTO/#package-organization) that would let people build/test/promote their packages that would then be pushed to the external mirrors CDN (while being signed with a specific [GPG key](koji-cbs-sigs.md#security-gpg-key-for-packages-signing))
27db0d
27db0d
The proposed and agreed levels are :
27db0d
27db0d
  * candidate: just used to build initially a package, test that it build and minimal CI tests
27db0d
    * pushed to external mirror : no
27db0d
    * signed with gpg key: no
27db0d
  * testing: based on SIG decision than can `tag-build` pkg in -testing for more external tests
27db0d
    * pushed to external mirrors: yes (https://buildlogs.centos.org)
27db0d
    * signed gith gpg key: no
27db0d
  * release: consider stable and tested enough by SIG so ready for public consumption
27db0d
    * pushed to external mirrors: yes (all mirrors)
27db0d
    * signed with gpg key: yes
3d7ba5
3d7ba5
## CBS buildsys tag inheritance
3d7ba5
3d7ba5
All build targets, depending on distro/release/version, will depend on a `buildsys` tag, that is special and inherited by all SIGs.
3d7ba5
3d7ba5
The idea is to have some pkgs needed by all builds to be present there and so available by default/inheritance in all tags for the buildroots.
3d7ba5
3d7ba5
For example, we use [centpkg-minimal](https://git.centos.org/rpms/centpkg-minimal) which contains the needed wrapper script to retrieve automatically sources from the lookaside, and so needed when submitting a build to cbs. 
3d7ba5
Koji will first git clone/pull from upstream git url and then use `get_sources.sh` (from centpkg-minimal pkg, automatically installed in the buildroot) to retrieve source and the rebuild a srpm (a `buildSRPMFromSCM` koji task for every build)
3d7ba5
3d7ba5
See for example the buildsys9s-release tag, inherited by all SIG tags for CentOS Stream 9 builds : 
3d7ba5
3d7ba5
```
3d7ba5
cbs list-tagged buildsys9s-release
3d7ba5
Build                                     Tag                   Built by
3d7ba5
----------------------------------------  --------------------  ----------------
3d7ba5
buildsys-macros-el9s-1.0-2.el9            buildsys9s-release    cbs-koji
3d7ba5
centpkg-minimal-2.0.0-3.el9               buildsys9s-release    cbs-koji
3d7ba5
centpkg-minimal-2.0.0-4.el9s              buildsys9s-release    arrfab
3d7ba5
3d7ba5
```