koji.ActionNotAllowed: policy violation (package_list)
Since the blocking works well for fedora tags, it might be a problem with additional permission(s) needed for blocking for epel? Unfortunately I have no idea which it would be from these:
```
Permission name     Description
-----------------------------------------------------------------------
admin               Full administrator access. Perform all actions.
appliance           Create appliance builds - deprecated.
atomic
autosign
build
coreos-continuous
customchannel
dist-repo           Create a dist-repo.
docs
draft-promoter      The permission required in the default "draft_promotion" hub policy rule to promote draft build.
eln
epel-override
fedora-override
host                Add, remove, enable, disable hosts and channels.
image               Start image tasks.
image-import        Import image archives.
infra
livecd              Start livecd tasks.
livemedia
maven-import        Import maven archives.
openh264
pkglist
repo                Manage repos: newRepo, repoExpire, repoDelete, repoProblem.
runroot
secure-boot
sign                Import RPM signatures and write signed RPMs.
tag                 Manage packages in tags: add, block, remove, and clone tags.
target              Add, edit, and remove targets.
win-admin           The default hub policy rule for "vm" requires this permission to trigger Windows builds.
win-import          Import win archives.
```
The toddlers user in koji is `toddlers/os-control01.iad2.fedoraproject.org` for production and `toddlers/os-control01.stg.iad2.fedoraproject.org` for staging.
As of now, the stg and prod users have the `pkglist` permission.
Packages retired on epel branches will not get blocked in koji.
As JamesR suggested, we might need the `tag` permission.
Metadata Update from @patrikp:
- Issue assigned to patrikp
When I run:

```
$ koji taginfo f41
```

I get:

```
Required permission: 'admin'
```

But for the EPEL tags (epel9, epel10.0) I get:

```
Required permission: 'autosign'
```
I'll bring this up in tomorrow's releng weekly meeting.
The toddler user does not have `admin` permission, but `koji.packageListBlock` works anyway :confused:
```
lenkaseg@fedora:~$ koji list-permissions --user=toddlers/os-control01.iad2.fedoraproject.org
Permission name
------------------
pkglist
```
Metadata Update from @phsmoura:
- Issue tagged with: medium-gain, medium-trouble, ops
I was perusing the configs located at `fedora-infra/ansible/roles/koji_hub/templates/hub.conf.j2` and I don't see any references to epel anything in the `has_perm pkglist` section:
```
# Policy for manipulating package lists for tags.
package_list =
    # Removing packages is almost always a mistake, so deny it.
    # Admins can still override this with --force, if necessary.
    match action remove :: deny
    # Admins can do pretty much everything.
    has_perm admin :: allow
    # People with pkglist permission can manage package lists in
    # active f$N and epel$N tags.
    has_perm pkglist :: {
        # Rawhide adding, unblocking and blocking is allowed.
        tag f{{FedoraRawhideNumber}} && match action add unblock block :: allow
        # In branched blocking is allowed only before final freeze.
        tag f{{FedoraBranchedNumber}} && match action add unblock {{ 'block' if not Frozen or FedoraBranchedBodhi != 'postbeta' else '' }} :: allow
        # Stable releases: only adding and unblocking is allowed.
        tag f{{FedoraCycleNumber}} f{{FedoraPreviousCycleNumber}} && match action add unblock :: allow
    }
    ...
```
Should something like `tag epel{{EpelBranchedNumber}}` be referenced here as well?
@rcallicotte Thanks for looking into this! Yep, it seems that could be it.
It seems like the Koji hub policy changes are what's needed. @carlwgeorge and @rcallicotte graciously offered to open a PR to include EPEL. Thanks!
https://pagure.io/fedora-infra/ansible/pull-request/2297
Thanks for the fix! @rcallicotte
Would there be some action needed to make it work, like running the koji-hub playbook? @patrikp
There was a request to block a package on epel9 today, which resulted in an error again:
```
2024-10-05 13:54:01,376 - [INFO toddlers.plugins.koji_block_retired] Blocking package nwg-panel, tag: epel9
2024-10-05 13:54:01,393 - [ERROR toddlers.plugins.koji_block_retired] Failed to block retired package nwg-panel on branch epel9: policy violation (package_list)
Traceback (most recent call last):
  File "/code/toddlers/plugins/koji_block_retired.py", line 143, in process_block_retired
    self.koji_session.packageListBlock(taginfo=tag_name, pkginfo=repo)
  File "/usr/lib/python3.12/site-packages/koji/__init__.py", line 2536, in __call__
    return self.__func(self.__name, args, opts)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/koji/__init__.py", line 3120, in _renew_expired_session
    return func(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.12/site-packages/koji/__init__.py", line 3199, in _callMethod
    raise err
koji.ActionNotAllowed: policy violation (package_list)
```
Seems like it happened after the merge?
@lenkaseg I just ran the playbook. :thumbsup:
FYI, I did run the playbook after merging it... so not sure what's going on there.
Waiting with closing this issue until I see at least one of the epel packages get blocked in koji by the `koji_block_retired` toddler. Currently the toddler is disabled because of the freeze.
I'm now testing the blocking of packages in koji staging, and the epel tags still don't block, with the same error. I still didn't try on prod, so not sure if in prod it works. @rcallicotte Would this fix both prod and staging? https://pagure.io/fedora-infra/ansible/c/fb9a032a89a8f8be9938687383a84f6959eeb61f
Apparently it's not only for epel tags, the koji blocking is not happening on fedora tags as well for staging:
```
2024-10-28 16:57:41,868 - [INFO toddlers.plugins.koji_block_retired] Blocking package csound, tag: f42
2024-10-28 16:57:41,886 - [ERROR toddlers.plugins.koji_block_retired] policy violation (package_list), recreating koji_session and trying again
2024-10-28 16:57:46,937 - [ERROR toddlers.plugins.koji_block_retired] Unable to create koji ClientSession for call packageListBlock: policy violation (package_list)
```
It's a bit weird, because I saw it working some time ago. Did something change?
On Monday, October 28, 2024 12:13:20 PM CDT Lenka Segura wrote:
> lenkaseg added a new comment to an issue you are following:
> It's a bit weird, because I saw it working some time ago. Did something change?
>
> To reply, visit the link below or just reply to this email
> https://pagure.io/releng/issue/12382
Hello Lenka,
To my knowledge nothing has changed from when the PR was merged. I reached out to some folks in the koji matrix channel and Tomas Kopecek mentioned that it may be possible to run a dev container and run the following API call to validate the policy:
`evaluatePolicy(policy_name, data)`
The difficult part here is that it's hard to validation test this kind of policy configuration unless you have a spare koji hub sitting around. I am, unfortunately, very swamped at work in the meantime. I will be returning from PTO on Nov 5th. I will try to set up this test container instance to check the policy side.
So, one thing that changed: I did a prod->staging koji sync a while back...
Did we add some other permissions to the stg user? What perms does the prod vs stg user have in koji?
Thanks for looking at it @rcallicotte! Turns out somehow the `pkglist` perm was removed from the koji user `toddlers/os-control01.iad2.fedoraproject.org` (and the stg equivalent). When @humaton re-added the perms, the blocking now happens as it should. Not sure how exactly the perm removal happened, if it was some process we don't know about or a mistake, who knows. But now it works!
Ok, the blocking happens for both fedora and epel tags, thanks again to @rcallicotte for solving the epel perms and I'm closing this issue.
Metadata Update from @lenkaseg:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)