Koji 1.19.0 Release notes¶
Migrating from Koji 1.18¶
For details on migrating see Migrating to Koji 1.19
Security Fixes¶
GSSAPI authentication checks kerberos principal
When using GSSAPI authentication the user’s kerberos principal will be checked for their username to avoid a potential username and kerberos principal mismatch.
Client Changes¶
Add user edit
A new edit-user command and API call was added, allowing for user rename,
and changing, adding, or removing the kerberos principal of a user.
Add remove group
A new remove-group command was added, allowing the removal of a group
from a tag. It uses the existing groupListRemove API call.
Query builds per chunks in prune-signed-builds
For bigger installations querying all builds can cause the hub to run out of memory.
prune-signed-builds now queries these in 50k chunks.
Show inheritance flags in list-tag-inheritance output
While not often used, tag inheritance can be modified with a few different options (e.g. maxdepth).
These options are shown in the taginfo display, but not the list-tag-inheritance display.
This change adds basic indicators to the latter.
Return usage information in make-task
make-task now returns usage information if no arguments are provided.
Clarify clone-tag usage
The clone-tag help text now clarifies that the destination tag will be created
if it does not already exist.
Add option check for list-signed
The list-signed command will now fail if no options are provided.
Library Changes¶
Consolidate config reading style
Changes have been made to make configuration handling more consistent.
With this new implementation:
read_config_filesis extended with a strict option and directory supportConfigParseris used for all invokings except kojixmlrpc andkojidRawConfigParseris used forkojid
list_archive_files handles multi-type builds
If list_archive_files is provided a build with multiple archive types it now correctly
handles them instead of failing.
Disallow archive imports that don’t match build type
The importArchive call now refuses to proceed if the build does not have the given type.
Add listCG RPC
listCGs has been added to list new content generator records.
The purpose of this change is to make it easier for administrators to determine what content generators are present and what user accounts have access to those.
Add method to cancel CG reservations
The new CGRefundBuild call allows CGs to cancel build reservations, such as in the case
of a failing build.
Allow ClientSession objects to get cleaned up by the garbage collector
This change ensures koji.ClientSession objects are destroyed once their requests are complete.
Add missing package list check
The host.tagBuild method was missing a check to ensure the package was actually listed in the
destination tag. This should now be checked as expected.
Increase buildReferences SQL performance
The performance for build_references has been improved.
ensuredir does not duplicate directories
koji.ensuredir no longer creates duplicate directories if provided a path ending in a
forward slash.
Warn users if buildroot uses yum instead of dnf
This change sets the mock config dnf_warning to True for buildroots using yum.
Tag permission can be used for tagBuildBypass and untagBuildBypass
The tag permission can now be used in place of admin to call tagBuildBypass
and untagBuildBypass. Admin is still required to use the --force option.
Rework update of reserved builds
This change reworks and simplifies the code that updates reserved build entries for cg imports.
It removes redundancy with checks in prep_build and avoids duplicate *BuildStateChange
callbacks.
Use correct top limit for randint
The top limit for randint has been set to 255 from 256 to prevent generate_token from
creating unneccesarily long tokens.
Add strict option to getRPMFile
getRPMFile now has a strict option, failing when the RPM or filename does not exist.
Stricter groupListRemove
groupListRemove now returns an error if the provided group does not exist for the tag.
Clarified docs for build.extra.source
The usage for build.extra.source has now been clarified in the getBuild call.
Use bytes for debug string
This change fixes debug output for Python 3.
Removed host.repoAddRPM call
The host.repoAddRPM call has been removed because it was unused and broken.
Web UI Changes¶
Made difference between Builds and Tags sections more clear
The search page results for packages now has a clearer delineation between builds and tags.
Builder Changes¶
Use preferred arch when builder provides multiple
When using ExclusiveArch for noarch builds the build task will now use the arch specified instead of randomly picking from the arches the builder provides.
This change adds a preferred_arch parameter to find_arch.
Log insufficient disk space location
When kojid fails due to insufficient disk space, the directory which needs more
disk space is now included as part of the log message.
Allow builder to attempt krb if gssapi is available
kojid will now use requests_kebreros for kerberos authentication when available.
Add support for new mock exit codes
kojid now expects mock exit code 10 for failed builds (previously 1).
Fix kickstart uploads for Python 3
This change fixes the file handling of kickstarts for Python 3.
System Changes¶
Package ownership changes do not trigger repo regens
Changing tag or package owners no longer cause repo regeneration. A new
tag_package_owners table has been added for this purpose.
Support multiple realms by kerberos auth
This change adds a new table user_krb_principals which tracks a list of krb_principals
for each user instead of the previous one-to-one mapping. In addition:
all APIs related to user or krb principals are changed
userinfoofgetUserwill contain a new listkrb_principalskrb_principalswill contain all available principals ifkrb_princs=True
there is a new hub option
AllowedKrbRealmsto indicate which realms are allowed- there is a new client option
krb_server_realmto allow krbV login to set server realm Previously same as client principal realm before, supported by all clients
- there is a new client option
QueryProcessorhas a new queryOptgroup, which is used to generateGROUP BYsectionBy default, this feature is disabled by arg
enable_group=False
Added cronjob for sessions table maintenance
The sessions table is now periodically cleaned up via script (handled by cron by default). Without this the sessions table can grow large enough to affect Koji performance.
Added basic email template for koji-gc
The email message koji-gc uses has been moved to /etc/koji-gc/email.tpl for
easier customization.
Add all permissions to database
Permissions previously missing from schema have been added, including dist-repo, host,
image-import, sign, tag, and target.
Add new CoreOS artifact types
This change adds the new CoreOS artifact types iso-compressed, vhd-compressed,
vhdx-compressed, and vmdk-compressed to the database.
Enforce unique content generator names in database
Set a uniqueness constraint on the content generator name in the database. Prior to this change, we were only enforcing this in the hub application layer. Configure this in postgres for safety.
Fix typo preventing VM builds
This change fixes the options passed to verifyChecksum which was preventing VM builds.
Fix verifyChecksum for non-output files
verifyChecksum now accepts files under the build requires path as well as the output path.
Other paths can be added as needed.
Set f30+ python-devel default
When installed on a Fedora 30+ host with Python 2 support, Koji will now require
python2-devel instead of python-devel.
Handle sys.exc_clear for Python 3
The method sys.exc_clear does not exist in Python 3, so it has been escaped for those instances.
Remove deprecated koji.util.relpath
koji.util.relpath was deprecated in 1.16 and has been removed from 1.19.
Remove deprecated BuildRoot.uploadDir
BuildRoot.uploadDir was deprecated in 1.18 and has been removed from 1.19.
Remove deprecated koji_cli.lib_unique_path
koji_cli.lib_unique_path was deprecated in 1.17 and has been removed from 1.19.
Deprecation of sha1_constructor and md5_constructor
sha1_constructor and md5_constructor have been deprecated in favor of hashlib.