Community Build Service (https://cbs.centos.org)
This infra is hosted in the RDU2c (Community Cage) DC, with kojihub being publicly reachable and kojid/builders restricted to an internal vlan/zone (no default route). It does not build any official CentOS Linux/Stream package used in the distribution, but is used to let community members build additional packages that can be built against/for CentOS Linux/Stream releases.
The whole CBS/koji infra uses the centralized Authentication service, so both the infra components (services/nodes) and the users are authenticated with TLS certificates.
That means that for each node, we need a valid TLS cert signed by IPA.
The same rule applies to users: they need to be authenticated with a valid TLS certificate signed by the same CA, but we'll consider two kinds of users:
- service account[s]: used to run services (not real users) so can be created by infra team
- real users: they can use instructions to create their own TLS cert
Koji tags structure
When the Special Interest Groups (SIG in short) wanted to start building, the idea discussed on the centos-devel list (back in 2014) was to create some koji tags that would let people build/test/promote their packages, which would then be pushed to the external mirrors CDN (while being signed with a specific GPG key).
The proposed and agreed levels are:
- candidate: just used to initially build a package, test that it builds, and run minimal CI tests
    - pushed to external mirrors: no
    - signed with gpg key: no
- testing: based on the SIG's decision, they can tag-build the pkg in -testing for more external tests
    - pushed to external mirrors: yes (https://buildlogs.centos.org)
    - signed with gpg key: no
- release: considered stable and tested enough by the SIG, so ready for public consumption
    - pushed to external mirrors: yes (all mirrors)
    - signed with gpg key: yes