Flatpak container builds have started to fail with the following error. The last successful build I could find was a week ago, https://koji.fedoraproject.org/koji/buildinfo?buildID=2208992, so it must be something that has changed during that time.
[kalev@collie flatpak-runtime]$ fedpkg flatpak-build
Created task: 102001515
Task info: https://koji.fedoraproject.org/koji/taskinfo?taskID=102001515
Watching tasks (this may be safely interrupted)...
102001515 buildContainer (noarch): free
102001515 buildContainer (noarch): free -> FAILED: BuildError: src.fedoraproject.org:/flatpaks/flatpak-runtime.git is not in the list of allowed SCMs
0 free 0 open 0 done 1 failed
102001515 buildContainer (noarch) failed
This is almost surely due to the permissions changes I made Friday. We moved koji policy from builders to hub...
but I guess something isn't right with the flatpak perms. I am not sure what yet. :(
CC: @tkopecek any idea here?
we do have:
match scm_host pkgs.fedoraproject.org :: {
    bool scratch :: allow fedpkg sources
    match scm_repository /rpms/* :: allow fedpkg sources
    match scm_repository /modules/* :: allow fedpkg sources
    match scm_repository /containers/* :: allow fedpkg sources
    match scm_repository /flatpaks/* :: allow fedpkg sources
}
But do flatpak builds use something other than fedpkg sources?
Flatpak builds never use fedpkg sources. Container builds shouldn't either, so that should be checked as well. (Neither do module builds for that matter, but those happen mostly through MBS and are still working.)
It is coming with src.fedoraproject.org. It could be added as
match scm_host pkgs.fedoraproject.org src.fedoraproject.org :: {
if it is for all types, or completely separate test:
match scm_host src.fedoraproject.org && match scm_repository /flatpaks/* :: allow fedpkg sources
Sorry, I didn't include the full context there. We DO allow src.fedoraproject.org (in fact pkgs is likely not used anymore).
We do have:
build_from_scm =
    match scm_host src.fedoraproject.org :: {
        bool scratch :: allow fedpkg sources
        match scm_repository /rpms/* :: allow fedpkg sources
        match scm_repository /modules/* :: allow fedpkg sources
        match scm_repository /containers/* :: allow fedpkg sources
        match scm_repository /flatpaks/* :: allow fedpkg sources
allow fedpkg sources isn't sufficient here for some reason. ;)
Problem is that the koji-containerbuild plugin on the builders simply doesn't have support for defining this by hub policy.
Needs:
https://github.com/containerbuildsystem/koji-containerbuild/commit/15254e0d2a5a429638893f5596caceb1209fa2e7
and maybe:
https://github.com/containerbuildsystem/koji-containerbuild/commit/c42102306a797f277efe6136dc4bca4efe90d101
I'll try to sort out a backport. (@kevin tells me that the builders have koji-containerbuild-0.13.0-4.fc38.noarch)
Metadata Update from @kevin: - Issue priority set to: Waiting on Assignee (was: Needs Review) - Issue tagged with: medium-gain, medium-trouble, ops
Thanks for digging into this @otaylor
I can tweak the hub config and help build/deploy the patched containerbuild.
I think https://koji.fedoraproject.org/koji/taskinfo?taskID=102073658 should work. (scratch build, don't have perms to do a non-scratch build from SRPM)
Looks reasonable. I'll build and deploy it here and we can test.
OK. It should be all deployed now... some kojids are waiting to restart, but they are the ones doing builds. New flatpak builds should go to already reloaded idle hosts.
Can someone try a build?
https://koji.fedoraproject.org/koji/taskinfo?taskID=102075684
Seems to have worked?
Yes, seems to be working now.
Metadata Update from @zlopez: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)