Koji 1.19.0 Release notes
Migrating from Koji 1.18
For details on migrating see Migrating to Koji 1.19
Security Fixes
GSSAPI authentication checks kerberos principal
When using GSSAPI authentication the user’s kerberos principal will be checked for their username to avoid a potential username and kerberos principal mismatch.
Client Changes
Add user edit
A new edit-user command and API call were added, allowing for user rename, and changing, adding, or removing the kerberos principal of a user.
Add remove group
A new remove-group command was added, allowing the removal of a group from a tag. It uses the existing groupListRemove API call.
Query builds per chunks in prune-signed-builds
For bigger installations querying all builds can cause the hub to run out of memory.
prune-signed-builds now queries these in 50k chunks.
Show inheritance flags in list-tag-inheritance output
While not often used, tag inheritance can be modified with a few different options (e.g. maxdepth).
These options are shown in the taginfo display, but not the list-tag-inheritance display.
This change adds basic indicators to the latter.
Return usage information in make-task
make-task now returns usage information if no arguments are provided.
Clarify clone-tag usage
The clone-tag help text now clarifies that the destination tag will be created if it does not already exist.
Add option check for list-signed
The list-signed command will now fail if no options are provided.
Library Changes
Consolidate config reading style
Changes have been made to make configuration handling more consistent.
With this new implementation:
- read_config_files is extended with a strict option and directory support
- ConfigParser is used for all invocations except kojixmlrpc and kojid
- RawConfigParser is used for kojid
list_archive_files handles multi-type builds
If list_archive_files is provided a build with multiple archive types it now correctly handles them instead of failing.
Disallow archive imports that don’t match build type
The importArchive call now refuses to proceed if the build does not have the given type.
Add listCG RPC
listCGs has been added to list new content generator records.
The purpose of this change is to make it easier for administrators to determine what content generators are present and what user accounts have access to those.
Add method to cancel CG reservations
The new CGRefundBuild call allows CGs to cancel build reservations, such as in the case of a failing build.
Allow ClientSession objects to get cleaned up by the garbage collector
This change ensures koji.ClientSession objects are destroyed once their requests are complete.
Add missing package list check
The host.tagBuild method was missing a check to ensure the package was actually listed in the destination tag. This should now be checked as expected.
Increase buildReferences SQL performance
The performance for build_references has been improved.
ensuredir does not duplicate directories
koji.ensuredir no longer creates duplicate directories if provided a path ending in a forward slash.
Warn users if buildroot uses yum instead of dnf
This change sets the mock config dnf_warning to True for buildroots using yum.
Tag permission can be used for tagBuildBypass and untagBuildBypass
The tag permission can now be used in place of admin to call tagBuildBypass and untagBuildBypass. Admin is still required to use the --force option.
Rework update of reserved builds
This change reworks and simplifies the code that updates reserved build entries for cg imports.
It removes redundancy with checks in prep_build and avoids duplicate *BuildStateChange callbacks.
Use correct top limit for randint
The top limit for randint has been set to 255 from 256 to prevent generate_token from creating unnecessarily long tokens.
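The off-by-one behind this fix, as an added example (not Koji's own code): random.randint includes its upper bound, so a limit of 256 can produce a value that '%02x' renders as three characters. The function names and the per-byte '%02x' formatting are assumptions made for illustration; secrets.token_hex is included only as a standard-library generator whose length is fixed by construction.

```python
import random
import secrets

HEX_DIGITS = set("0123456789abcdef")


def hex_token(nbytes, top, rng):
    """Hex token built one value at a time; `top` is randint's INCLUSIVE bound."""
    # With top=256 the value 256 can be drawn, and '%02x' % 256 == '100'.
    return "".join("%02x" % rng.randint(0, top) for _ in range(nbytes))


def token_lengths(top, nbytes=32, trials=5000, seed=1234):
    """Distinct token lengths seen over `trials` draws (seeded for repeatability)."""
    rng = random.Random(seed)
    return {len(hex_token(nbytes, top, rng)) for _ in range(trials)}


def is_well_formed(token, nbytes=32):
    """Check a consumer can apply: exact length and lowercase hex only."""
    return len(token) == 2 * nbytes and set(token) <= HEX_DIGITS


def csprng_token(nbytes=32):
    """Fixed-length alternative: always 2 * nbytes hex characters."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    print("limit 256 ->", sorted(token_lengths(256)))  # 64 plus longer lengths
    print("limit 255 ->", sorted(token_lengths(255)))  # only 64
    print("secrets   ->", is_well_formed(csprng_token()))
```

A length check such as is_well_formed is also a cheap regression test for this class of bug, since any token longer than 2 * nbytes means a value outside 0..255 was formatted.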
Add strict option to getRPMFile
getRPMFile now has a strict option, failing when the RPM or filename does not exist.
Stricter groupListRemove
groupListRemove now returns an error if the provided group does not exist for the tag.
Clarified docs for build.extra.source
The usage for build.extra.source has now been clarified in the getBuild call.
Use bytes for debug string
This change fixes debug output for Python 3.
Removed host.repoAddRPM call
The host.repoAddRPM call has been removed because it was unused and broken.
Web UI Changes
Made difference between Builds and Tags sections more clear
The search page results for packages now have a clearer delineation between builds and tags.
Builder Changes
Use preferred arch when builder provides multiple
When using ExclusiveArch for noarch builds the build task will now use the arch specified instead of randomly picking from the arches the builder provides.
This change adds a preferred_arch parameter to find_arch.
Log insufficient disk space location
When kojid fails due to insufficient disk space, the directory which needs more disk space is now included as part of the log message.
Allow builder to attempt krb if gssapi is available
kojid will now use requests_kerberos for kerberos authentication when available.
Add support for new mock exit codes
kojid now expects mock exit code 10 for failed builds (previously 1).
Fix kickstart uploads for Python 3
This change fixes the file handling of kickstarts for Python 3.
System Changes
Package ownership changes do not trigger repo regens
Changing tag or package owners no longer causes repo regeneration. A new tag_package_owners table has been added for this purpose.
Support multiple realms by kerberos auth
This change adds a new table user_krb_principals which tracks a list of krb_principals for each user instead of the previous one-to-one mapping. In addition:
- all APIs related to user or krb principals are changed
- userinfo of getUser will contain a new list krb_principals
- krb_principals will contain all available principals if krb_princs=True
- there is a new hub option AllowedKrbRealms to indicate which realms are allowed
- there is a new client option krb_server_realm to allow krbV login to set server realm. Previously this was the same as the client principal realm. Supported by all clients.
- QueryProcessor has a new queryOpt group, which is used to generate the GROUP BY section. By default, this feature is disabled by arg enable_group=False.
Added cronjob for sessions table maintenance
The sessions table is now periodically cleaned up via script (handled by cron by default). Without this the sessions table can grow large enough to affect Koji performance.
Added basic email template for koji-gc
The email message koji-gc uses has been moved to /etc/koji-gc/email.tpl for easier customization.
Add all permissions to database
Permissions previously missing from schema have been added, including dist-repo, host, image-import, sign, tag, and target.
Add new CoreOS artifact types
This change adds the new CoreOS artifact types iso-compressed, vhd-compressed, vhdx-compressed, and vmdk-compressed to the database.
Enforce unique content generator names in database
Set a uniqueness constraint on the content generator name in the database. Prior to this change, we were only enforcing this in the hub application layer. Configure this in postgres for safety.
Fix typo preventing VM builds
This change fixes the options passed to verifyChecksum which was preventing VM builds.
Fix verifyChecksum for non-output files
verifyChecksum now accepts files under the build requires path as well as the output path.
Other paths can be added as needed.
Set f30+ python-devel default
When installed on a Fedora 30+ host with Python 2 support, Koji will now require python2-devel instead of python-devel.
Handle sys.exc_clear for Python 3
The method sys.exc_clear does not exist in Python 3, so it has been escaped for those instances.
Remove deprecated koji.util.relpath
koji.util.relpath was deprecated in 1.16 and has been removed from 1.19.
Remove deprecated BuildRoot.uploadDir
BuildRoot.uploadDir was deprecated in 1.18 and has been removed from 1.19.
Remove deprecated koji_cli.lib_unique_path
koji_cli.lib_unique_path was deprecated in 1.17 and has been removed from 1.19.
Deprecation of sha1_constructor and md5_constructor
sha1_constructor and md5_constructor have been deprecated in favor of hashlib.