Koji 1.15 Release Notes¶
Koji 1.15.1 is a security update for Koji 1.15
Migrating from the previous release¶
For details on migrating see Migrating to Koji 1.15
Display license Info¶
rpminfo command now displays the
License field from the rpm.
Keytabs for GSSAPI authentication¶
Previously keytabs were only supported by the older kerberos auth method, which is not available on Python 3. Now the gssapi method supports them as well.
Add krb_canon_host option¶
This release adds a
krb_canon_host option that tells Koji clients
to use the dns canonical hostname for kerberos auth.
This option allows kerberos authentication to work in situations where the hub is accessed via a cname, but the hub’s credentials are under its canonical hostname.
If specified, this option takes precedence over the older
krb_rdns. That option caused Koji clients to perform a
reverse name lookup for kerberos auth.
When configuring kojiweb (in web.conf), the option is named
Both options only affect the older kerberos authentication path, and not gssapi.
Watch-task return code¶
watch-task command would return a non-zero exit status
if any subtask failed, even if this did not cause the parent task to fail.
Now that we have cases where subtasks are optional, this no longer makes sense. The exit code is now based solely on the results of the top level tasks it is asked to watch.
New runroot options¶
runroot command now supports options similar to the various build commands. These new
--nowait Do not wait on task --watch Watch task instead of printing runroot.log --quiet Do not print the task information
New watch-logs options¶
watch-logs command now supports the following new options:
--mine Watch logs for all your tasks --follow Follow spawned child tasks
Web UI changes¶
Archive component display¶
Previously, the web UI only displayed component lists for image builds. However, new build types can also have component lists.
Now the interface will display components for any archive that has them.
Display license Info¶
rpminfo page now displays the
License field from the rpm.
Show suid bit¶
The web UI will now display the setuid bit when displaying rpm/archive file contents.
Alternate tmpdir for mock chroots¶
Recent versions of mock (1.4+) default to
use_nspawn=True, which results
in /tmp being a fresh tmpfs mount on every run. This means the /tmp
directory no longer persists outside of the mock invocation.
Now, the builder will use /builddir/tmp instead of /tmp for persistent data.
Store git commit hash¶
In Koji, for builds from an SCM, the source is specified as an scm url. For git urls, the revision in that url can be anything that git will recognize, including:
a sha1 ref
an abbreviated sha1 ref
a branch name
With this change:
the revision is replaced with the full sha1 ref for git urls
the scm url is stored in build.source
the original scm url is saved in build.extra
Previously, this source url was not properly stored for rpm builds. It appeared in the task parameters, but the build.source field remained blank. If a symbolic git ref (e.g. HEAD) was given in the url, the underlying sha1 value was only recorded in the task logs.
Volume policy support¶
Koji has for many years had the ability to split its storage across multiple volumes. However, there is no automatic process for placing builds onto volumes other than the primary. To do so often requires a lot of manual work from an admin.
adds a volume policy check to the key import pathways
adds an applyVolumePolicy call to apply the policy to existing builds
The hub consults the volume policy at various points to determine where a build should live. This allows admins to make rules like:
all kernel builds go to the volume named kstore
all builds built from the epel-7-build tag go to the volume named epel7
all builds from the osbs content generator go to the volume named osbs
The default policy places all builds on the default volume.
See also: Storage Volumes
Messagebus plugin changes¶
There are two notable changes to the messagebus plugin this release:
Similar to the current behavior of the protonmsg plugin, messages are queued
up during hub calls and only sent out during the
This avoids sending messages about failed calls, which can be confusing to message consumers (e.g. build state change messages about a build that does not exist because it failed to import).
The plugin now looks for a boolean
test_mode option. If it is true, then
the messages are still queued up, but not actually sent. This makes it
possible to enable the plugin in test environments without having to set up a
separate message bus.
Protonmsg plugin changes¶
There are two changes to how the protonmsg plugin handles rpmsign events:
The arch of the rpm is included in messages
The message are omitted when the sigkey is empty
No notifications for disabled users or hosts¶
Koji will no longer send out email notifications to disabled users or to users corresponding to a host.
Replace pycurl with requests¶
All uses of the pycurl library have been replaced with calls to python-requests, so pycurl is no longer required.
Drop importBuildInPlace call¶
importBuildInPlace call has been dropped.
This call was an artifact of a particular bootstrap event that happened a long time ago. It was never really documented or recommended for use.