When a real build is downloaded, Koji can provide a checksum via API.
This commit adds verification of that checksum.
A mismatch will abort the compose. If Koji doesn't provide a checksum
for the particular sigkey, no checking will happen.
Nothing is still checked for scratch builds and images.
This patch requires Koji 1.32. When talking to an older version, there
is no checking done.
Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
With this patch, Pungi can be configured with a local directory to be
used as a cache for RPMs, and it will download packages from Koji over
HTTP instead of reading them from filesystem directly.
The files from the cache can then be hardlink as usual.
There is locking in place to avoid different composes running at the
same time to step on each other.
This is now supported for RPMs only, be it real builds or scratch
builds.
Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
It's not a great name anymore though, because it will fail the compose
if any input package is missing, no matter whether it's from comps,
prepopulate or additional_packages.
JIRA: RHELCMP-12484
Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
This patch adds an additional field `options` to scm_dict, which can be
used to provide additional information to the backends.
It implements a single new option for GitWrapper. This option allows
setting a custom git credentials wrapper. This can be useful if Pungi
needs to get files from a git repository that requires authentication.
The helper can be as simple as this (assuming the username is already
provided in the url):
#!/bin/sh
echo password=i-am-secret
The helper would need to be referenced by an absolute path from the
pungi configuration, or prefixed with ! to have git interpret it as a
shell script and look it up in PATH.
See https://git-scm.com/docs/gitcredentials for more details.
Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
JIRA: RHELCMP-11808
Copying ExcludeArch/ExclusiveArch from source rpm to noarch is an easy
option to block shipping that particular noarch package from a certain
architecture. However, there is no way to bypass it, and it is rather
confusing and not discoverable.
An alternative way to remove an unwanted package is to use the good old
`filter_packages`, which has enough granularity to remove pretty much
anything from anywhere. The only downside is that it requires a change
in configuration, so it can't be done by a packager directly from a spec
file.
When we decide to break backwards compatibility, this option should be
removed and the entire ExcludeArch/ExclusiveArch inheritance removed
completely.
JIRA: ENGCMP-2606
Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
The `koji-osbuild` plugin supports additional formats for the `repo`
property since v4 [1]. Specifically, a repo can be specified as a
dictionary with `baseurl` key and `package_sets` list containing
specific package set names, that the repository should be used for.
Extend the configuration schema to reflect the plugin change.
Extend the documentation to cover the new repository format.
Extend an existing unit test to specify additional repository using the
added format.
[1] https://github.com/osbuild/koji-osbuild/pull/82
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
The `koji-osbuild` Hub schema has been relaxed a bit in the latest
release (v11). Adjust the schema in Pungi to reflect changes in
`koji-osbuild`.
For more information on the changes in `koji-osbuild`, see:
https://github.com/osbuild/koji-osbuild/pull/108
Signed-off-by: Tomáš Hozza <thozza@redhat.com>
Since version 9, the `koji-osbuild` plugin supports specifying upload
options as part of a Koji build. This enables one to upload the built
image directly to the cloud environment as part of the image build in
Koji.
Extend the configuration schema with `upload_options`.
Extend the documentation and describe valid `upload_options` values.
Add a unit test testing a scenario when `upload_options` are specified.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
Modify the osbuild configuration schema to accept only an array with a
single value as the `image_types`, in addition to a single string. The
single string was supported by the schema also before, but this fact was
not mentioned in the documentation, nor it was supported by the
`koji-osbuild` plugin of version lower than `9`.
Update the documentation accordingly.
Add unit test for invalid configuration containing more than one image
type.
Signed-off-by: Tomas Hozza <thozza@redhat.com>
In order to start building Fedora IoT images with osbuild, we need to be able
to pass ostree options from pungi to the koji's osbuildImage task.
This commit adds support for it via new configuration options: ostree_url,
ostree_url and ostree_parent.
A test was added to cover these new options and they are were also added
into the documentation.
JIRA: COMPOSER-1702
Merges: https://pagure.io/pungi/pull-request/1624
Signed-off-by: Ondřej Budai <ondrej@budai.cz>
Explain the use-case for this setting, and use the active voice to
explain what actions Pungi performs relative to other tools.
Signed-off-by: Ken Dreyer <kdreyer@redhat.com>
Mention the corresponding "gather" or "repoclosure" backend settings in
the documentation for each setting.
Signed-off-by: Ken Dreyer <kdreyer@redhat.com>
Contrast the additional_packages setting with the comps_file setting.
Explain what happens when a user lists a package in additional_packages
but Pungi cannot find it.
Give an example of composing all builds in a Koji tag.
Signed-off-by: Ken Dreyer <kdreyer@redhat.com>
Reword the signed_packages_retries and signed_packages_wait
configuration option documentation to use the active voice. This makes
it easier to understand who is doing what in a signing workflow.
Signed-off-by: Ken Dreyer <kdreyer@redhat.com>
Explain how to discover the API documentation about the buildContainer
method, so users can discover more about how "scratch" and "priority"
work.
Signed-off-by: Ken Dreyer <kdreyer@redhat.com>
The name brings a different expectation than how it actually worked.
This patch makes the code work similarly to the expectation.
Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>
If packages are appearing quickly in Koji, and signing them is triggered
by automation, there may be a delay between the package being signed and
compose running. In such case it may be preferable to wait for the
signed copy rather than fail the compose.
JIRA: RHELCMP-3932
Signed-off-by: Lubomír Sedlář <lsedlar@redhat.com>