Forked from centos/sig-guide 7 months ago
# Delivery

Here is a quick overview of the Delivery process, from storing sources in git, building on koji/cbs and then pushing packages out.


## Promoting to testing

By default, packages built on cbs are only tagged to the `candidate` tag and stay in cbs/koji.

If you want your packages to get pushed to the [buildlogs]( mirror pool, you can tag them to `testing`.

!!! warning
    Worth knowing that while packages are served over https and the repository metadata is signed, the packages *aren't* signed with a gpg key at this stage! Also note that only regular binary packages are pushed out, so no src.rpm or debuginfo packages are sent to the testing network.

If you want to tag multiple specific packages/versions to `testing`, you can do it with a single koji/cbs call:

```shell
cbs tag-build <sig_name>-<project>-<version>-testing <pkg1>-1.0.1 <pkg2>-2.3.4 <and_so_on>
```

This will trigger a message on the mqtt-based message bus, which is intercepted by the isolated machine processing requests. At this stage it will:

  * call koji for a `distRepo` task (preparing a usable repository with your packages) and wait for it to finish
  * sign the repomd.xml file once the repositories have been processed for all architectures
  * push that to the `buildlogs` CDN

Within the next few minutes, your up-to-date repository will appear under /centos/ on the [buildlogs]( nodes, following the tag convention:

```
├── <architecture>
│   ├── <project>-<version>
│   │   ├── Packages
│   │   └── repodata
```


As []( has its own dedicated CDN, you can point users willing to test your packages directly to such a URL (in your .repo file, see below).

## Promoting to release and mirrors

Once you're satisfied with your package(s) quality (after some testing/feedback; it's up to you to decide when and how), you can proceed to the next step: pushing to the mirror network.

Same process as for `testing`, except that the tag is now `release`:

```shell
cbs tag-build <sig_name>-<project>-<version>-release <pkg1>-1.0.1 <pkg2>-2.3.4 <and_so_on>
```

This will trigger a message on the mqtt-based message bus, which is intercepted by the isolated machine processing requests. At this stage it will:

  * verify which packages need to be signed with the [dedicated gpg key]( for the `SIG`
  * download, sign and import the signed packages back into koji
  * call koji for a `distRepo` task (preparing a usable repository with your packages) and wait for it to finish
  * sign the repomd.xml file once the repositories have been processed for all architectures (with the dedicated gpg key)
  * push the various packages to mirrors, depending on the CentOS version (see below):

### CentOS Linux 7 and CentOS Stream 8

The packages will appear on the existing mirror network, divided into three categories:

  * 'normal' rpm packages (that people will download/install) => pushed to []( (and picked up by external mirrors too)
  * debuginfo rpm packages => pushed to [](
  * src.rpm packages => pushed to [Vault](

### CentOS Stream 9 and above

Starting from CentOS Stream 9, all packages are pushed out into one simple directory.
All packages appear on [](, under the SIGs directory (separated from distro content, for a clear distinction between distro and SIG-generated content).

This is how it looks for Stream 9:

```
├── <architecture>
│   └── <project>-<version>
│       ├── debug
│       │   └── repodata
│       ├── Packages
│       └── repodata
```


## Consuming rpm packages through a .repo definition

When packages are signed and pushed to the mirror network, they are automatically (for the `release` level) checked by the mirror crawler(s), so you don't need to point your users to either or

Instead, point to the correct `mirrorlist` or `metalink` URL, depending on the CentOS Linux/Stream version:

### CentOS Linux 7 and CentOS Stream 8

You can call it by specifying the repo name, architecture and centos version like this:


Example for the configmanagement SIG producing the ansible (project) 29 (version) repo:

```shell
curl ''
```

### CentOS Stream 9 and above

Starting from CentOS Stream 9, mirrors are added in [Fedora MirrorManager]( so you have to use metalink= instead of mirrorlist=.

As MirrorManager already tracks plenty of fedora/epel repositories, the repo name used to query MirrorManager for a metalink is more complex than in the previous setup.

The logic goes like this; notice the difference for `source` and `debuginfo` packages in the metalink URIs:

```
# packages
# source packages (.src.rpm)
# debuginfo packages
```

You can also always query MirrorManager to see which metalinks/repositories it already knows about if you're unsure.
Here is an example for the `infra` SIG producing the `infra` project with version `common`:

```shell
curl '' -s | grep infra
# repo=centos-infra-sig-infra-common-9-stream&arch=aarch64
# repo=centos-infra-sig-infra-common-9-stream&arch=ppc64le
# repo=centos-infra-sig-infra-common-9-stream&arch=x86_64
# repo=centos-infra-sig-infra-common-debug-9-stream&arch=aarch64
# repo=centos-infra-sig-infra-common-debug-9-stream&arch=ppc64le
# repo=centos-infra-sig-infra-common-debug-9-stream&arch=x86_64
# repo=centos-infra-sig-infra-common-source-9-stream&arch=source
```


### centos-release-<sig> package

To make it convenient for end-users to add both the .repo files used by dnf/yum to automatically find new repositories and the dedicated rpm gpg public key used to verify the gpg integrity of the shipped packages, SIGs can build and ship a `centos-release-<sig>` package.

Worth knowing that such packages have to be built through specific cbs tags (see below) and not *your* SIG tag.
Indeed, SIG content isn't "trusted" by default (at the rpm gpg level), but 8-stream/9-stream will start distributing the rpm gpg public key that signs these specific centos-release-* packages, so end-users will be able to `dnf install centos-release-<blah>` directly.

Once done, end-users will be able to download/consume your repositories.

To do so, first create an [infra ticket]( to get a project created under the /rpms/ namespace on (in case it doesn't exist yet).

How should you name your 'centos-release' package? Basically by following the centos-release-<project> naming convention (see for example the [`openstack` project](, built by the Cloud SIG, which has multiple <versions>, each version for each supported centos distribution being a different branch).

At the minimum, your git project for your centos-release package should look like:

```
├── .centos-release-<project>.metadata
│   ├── CentOS-SIG-<project>.repo
│   └── RPM-GPG-KEY-CentOS-SIG-<name>
    └── centos-release-<project>.spec
```


You can then proceed as [described previously]( to push to git and then [submit a build]( against the specific tags (verify through `cbs list-permissions --mine` that you can build/tag to the specific 'extras' tags; if not, check with your SIG group chair/sponsor).

!!! important
    Don't submit your build to your own SIG tag: instead use the dedicated `extras<8s,9s>-extras-common-release` tag, which each SIG chair will be able to build for.