Skip to content

Community Build Service (

Community Build Service (

That infra is hosted in RDU2c (Community Cage) DC, with kojihub being publicly reachable, and kojid/builders restricted to internal vlan/zone (no default route) It does not build any official CentOS Linux/Stream package used in the distribution, but is used to let community members build additional packages that can be built against/for CentOS Linux/Stream releases.


The whole CBS/koji infra is using the centralized Authentication service so both the infra components (services/nodes) and the users are authenticated with TLS certificates.

That means that for each node, we need a valid TLS cert signed by IPA.

Same rule applies for users : they need to be authenticated with valid TLS certificated signed by same CA but we'll consider two kind of users:

  • service account[s]: used to run services (not real users) so can be created by infra team
  • real users: they can use instructions to create their own TLS cert
Koji tags structure

When the Special Interest Groups (SIG in short) wanted to start building , the idea discussed on the centos-devel list (back in 2014) was to create some koji tags that would let people build/test/promote their packages that would then be pushed to the external mirrors CDN (while being signed with a specific GPG key)

The proposed and agreed levels are :

  • candidate: just used to build initially a package, test that it build and minimal CI tests
    • pushed to external mirror : no
    • signed with gpg key: no
  • testing: based on SIG decision than can tag-build pkg in -testing for more external tests
    • pushed to external mirrors: yes (
    • signed gith gpg key: no
  • release: consider stable and tested enough by SIG so ready for public consumption
    • pushed to external mirrors: yes (all mirrors)
    • signed with gpg key: yes
CBS buildsys tag inheritance

All build targets, depending on distro/release/version, will depend on a buildsys tag, that is special and inherited by all SIGs.

The idea is to have some pkgs needed by all builds to be present there and so available by default/inheritance in all tags for the buildroots.

For example, we use centpkg-minimal which contains the needed wrapper script to retrieve automatically sources from the lookaside, and so needed when submitting a build to cbs. Koji will first git clone/pull from upstream git url and then use (from centpkg-minimal pkg, automatically installed in the buildroot) to retrieve source and the rebuild a srpm (a buildSRPMFromSCM koji task for every build)

See for example the buildsys9s-release tag, inherited by all SIG tags for CentOS Stream 9 builds :

cbs list-tagged buildsys9s-release
Build                                     Tag                   Built by
----------------------------------------  --------------------  ----------------
buildsys-macros-el9s-1.0-2.el9            buildsys9s-release    cbs-koji
centpkg-minimal-2.0.0-3.el9               buildsys9s-release    cbs-koji
centpkg-minimal-2.0.0-4.el9s              buildsys9s-release    arrfab