Koji 1.19.0 Release notes

Migrating from Koji 1.18

For details on migrating see Migrating to Koji 1.19

Security Fixes

GSSAPI authentication checks kerberos principal

When using GSSAPI authentication the user’s kerberos principal will be checked for their username to avoid a potential username and kerberos principal mismatch.

Client Changes

Add user edit

A new edit-user command and API call was added, allowing for user rename, and changing, adding, or removing the kerberos principal of a user.

Add remove group

A new remove-group command was added, allowing the removal of a group from a tag. It uses the existing groupListRemove API call.

Query builds per chunks in prune-signed-builds

For bigger installations querying all builds can cause the hub to run out of memory. prune-signed-builds now queries these in 50k chunks.

Show inheritance flags in list-tag-inheritance output

While not often used, tag inheritance can be modified with a few different options (e.g. maxdepth). These options are shown in the taginfo display, but not the list-tag-inheritance display. This change adds basic indicators to the latter.

Return usage information in make-task

make-task now returns usage information if no arguments are provided.

Clarify clone-tag usage

The clone-tag help text now clarifies that the destination tag will be created if it does not already exist.

Add option check for list-signed

The list-signed command will now fail if no options are provided.

Library Changes

Consolidate config reading style

Changes have been made to make configuration handling more consistent.

With this new implementation:

  • read_config_files is extended with a strict option and directory support

  • ConfigParser is used for all invokings except kojixmlrpc and kojid

  • RawConfigParser is used for kojid

list_archive_files handles multi-type builds

If list_archive_files is provided a build with multiple archive types it now correctly handles them instead of failing.

Disallow archive imports that don’t match build type

The importArchive call now refuses to proceed if the build does not have the given type.

Add listCG RPC

listCGs has been added to list new content generator records.

The purpose of this change is to make it easier for administrators to determine what content generators are present and what user accounts have access to those.

Add method to cancel CG reservations

The new CGRefundBuild call allows CGs to cancel build reservations, such as in the case of a failing build.

Allow ClientSession objects to get cleaned up by the garbage collector

This change ensures koji.ClientSession objects are destroyed once their requests are complete.

Add missing package list check

The host.tagBuild method was missing a check to ensure the package was actually listed in the destination tag. This should now be checked as expected.

Increase buildReferences SQL performance

The performance for build_references has been improved.

ensuredir does not duplicate directories

koji.ensuredir no longer creates duplicate directories if provided a path ending in a forward slash.

Warn users if buildroot uses yum instead of dnf

This change sets the mock config dnf_warning to True for buildroots using yum.

Tag permission can be used for tagBuildBypass and untagBuildBypass

The tag permission can now be used in place of admin to call tagBuildBypass and untagBuildBypass. Admin is still required to use the --force option.

Rework update of reserved builds

This change reworks and simplifies the code that updates reserved build entries for cg imports. It removes redundancy with checks in prep_build and avoids duplicate *BuildStateChange callbacks.

Use correct top limit for randint

The top limit for randint has been set to 255 from 256 to prevent generate_token from creating unneccesarily long tokens.

Add strict option to getRPMFile

getRPMFile now has a strict option, failing when the RPM or filename does not exist.

Stricter groupListRemove

groupListRemove now returns an error if the provided group does not exist for the tag.

Clarified docs for build.extra.source

The usage for build.extra.source has now been clarified in the getBuild call.

Use bytes for debug string

This change fixes debug output for Python 3.

Removed host.repoAddRPM call

The host.repoAddRPM call has been removed because it was unused and broken.

Web UI Changes

Made difference between Builds and Tags sections more clear

The search page results for packages now has a clearer delineation between builds and tags.

Builder Changes

Use preferred arch when builder provides multiple

When using ExclusiveArch for noarch builds the build task will now use the arch specified instead of randomly picking from the arches the builder provides.

This change adds a preferred_arch parameter to find_arch.

Log insufficient disk space location

When kojid fails due to insufficient disk space, the directory which needs more disk space is now included as part of the log message.

Allow builder to attempt krb if gssapi is available

kojid will now use requests_kebreros for kerberos authentication when available.

Add support for new mock exit codes

kojid now expects mock exit code 10 for failed builds (previously 1).

Fix kickstart uploads for Python 3

This change fixes the file handling of kickstarts for Python 3.

System Changes

Package ownership changes do not trigger repo regens

Changing tag or package owners no longer cause repo regeneration. A new tag_package_owners table has been added for this purpose.

Support multiple realms by kerberos auth

This change adds a new table user_krb_principals which tracks a list of krb_principals for each user instead of the previous one-to-one mapping. In addition:

  • all APIs related to user or krb principals are changed

  • userinfo of getUser will contain a new list krb_principals
    • krb_principals will contain all available principals if krb_princs=True

  • there is a new hub option AllowedKrbRealms to indicate which realms are allowed

  • there is a new client option krb_server_realm to allow krbV login to set server realm
    • Previously same as client principal realm before, supported by all clients

  • QueryProcessor has a new queryOpt group, which is used to generate GROUP BY section
    • By default, this feature is disabled by arg enable_group=False

Added cronjob for sessions table maintenance

The sessions table is now periodically cleaned up via script (handled by cron by default). Without this the sessions table can grow large enough to affect Koji performance.

Added basic email template for koji-gc

The email message koji-gc uses has been moved to /etc/koji-gc/email.tpl for easier customization.

Add all permissions to database

Permissions previously missing from schema have been added, including dist-repo, host, image-import, sign, tag, and target.

Add new CoreOS artifact types

This change adds the new CoreOS artifact types iso-compressed, vhd-compressed, vhdx-compressed, and vmdk-compressed to the database.

Enforce unique content generator names in database

Set a uniqueness constraint on the content generator name in the database. Prior to this change, we were only enforcing this in the hub application layer. Configure this in postgres for safety.

Fix typo preventing VM builds

This change fixes the options passed to verifyChecksum which was preventing VM builds.

Fix verifyChecksum for non-output files

verifyChecksum now accepts files under the build requires path as well as the output path. Other paths can be added as needed.

Set f30+ python-devel default

When installed on a Fedora 30+ host with Python 2 support, Koji will now require python2-devel instead of python-devel.

Handle sys.exc_clear for Python 3

The method sys.exc_clear does not exist in Python 3, so it has been escaped for those instances.

Remove deprecated koji.util.relpath

koji.util.relpath was deprecated in 1.16 and has been removed from 1.19.

Remove deprecated BuildRoot.uploadDir

BuildRoot.uploadDir was deprecated in 1.18 and has been removed from 1.19.

Remove deprecated koji_cli.lib_unique_path

koji_cli.lib_unique_path was deprecated in 1.17 and has been removed from 1.19.

Deprecation of sha1_constructor and md5_constructor

sha1_constructor and md5_constructor have been deprecated in favor of hashlib.