Skip to content

Commit 57841c4

Browse files
committed
rebase: update steps to untag old packages
1 parent 69b48f1 commit 57841c4

1 file changed

Lines changed: 19 additions & 12 deletions

File tree

.github/ISSUE_TEMPLATE/rebase.md

Lines changed: 19 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -13,16 +13,22 @@
1313

1414
### Untag old packages
1515

16-
`koji untag` N-2 packages from the pool (at some point we'll have GC in place to do this for us, but for now we must remember to do this manually or otherwise distRepo will fail once the signed packages are GC'ed). For example the following snippet finds all RPMs signed by the Fedora 32 key and untags them. Use this process:
16+
`koji untag` packages from the pool that are not signed by any "active" release key (at some point we'll have GC in place to do this for us, but for now we must remember to do this manually or otherwise distRepo will fail once the signed packages are GC'ed). Active releases are N-1 and N. If branching for N+1 has already occurred, N+1 is also considered active. Use this process:
1717

18-
- [ ] Find the key short hash. Usually found [here](https://pagure.io/fedora-infra/ansible/blob/main/f/roles/bodhi2/backend/templates/pungi.rpm.conf.j2). Then:
18+
- [ ] First, coordinate with releng to let them know you'll be untagging N-2 packages and that you'll need them to update `tag2distrepo.keys` on the `coreos-pool` tag promptly afterward (to drop the N-2 key). This minimizes the window where the key list is out of sync with what's tagged. Check the current state with:
19+
- `koji taginfo coreos-pool`
20+
21+
- [ ] Find the key short hashes for all active releases. Usually found [here](https://pagure.io/fedora-infra/ansible/blob/main/f/roles/bodhi2/backend/templates/pungi.rpm.conf.j2). Then build the untaglist of packages not signed by any active key:
1922

2023
```
21-
f32key=12c944d0
22-
key=$f32key
24+
fN2key=<N-2 key hash> # the key being removed
25+
fN1key=<N-1 key hash> # active
26+
fNkey=<N key hash> # active
27+
fNp1key=<N+1 key hash> # active if branching has already occurred
28+
2329
echo > untaglist # create or empty out file
2430
for build in $(koji list-tagged --quiet coreos-pool | cut -f1 -d' '); do
25-
if koji buildinfo $build | grep -i $key 1>/dev/null; then
31+
if ! koji buildinfo $build | grep -iE "($fN1key|$fNkey|$fNp1key)" 1>/dev/null; then
2632
echo "Adding $build to untag list"
2733
echo "${build}" >> untaglist
2834
fi
@@ -31,18 +37,19 @@ done
3137

3238
Now we have a list of builds to untag. But we need a few more sanity checks.
3339

34-
- [ ] Make sure none of the builds are used in `N` based FCOS. Check by running:
40+
- [ ] Check the current `testing-devel` image for packages signed with the N-2 key:
3541

3642
```
37-
f32key=12c944d0
38-
key=$f32key
39-
podman run -it --rm quay.io/fedora/fedora-coreos:testing-devel rpm -qai | grep -i -B 9 $key
43+
fN2key=<N-2 key hash>
44+
podman run -it --rm quay.io/fedora/fedora-coreos:testing-devel rpm -qai | grep -i -B 9 $fN2key
4045
podman rmi quay.io/fedora/fedora-coreos:testing-devel
4146
```
4247

43-
If there are any RPMs signed by the old key they'll need to be investigated. Maybe they shouldn't be used any longer. Or maybe they're still needed. One example of this is the shim RPM where the same build could be used for many Fedora releases. In this case you'll need to untag the RPM from `coreos-pool`, run a `koji distrepo`, which will remove that RPM from the repo metadata, and then re-tag it into the pool. The RPM in the repo will now be signed with a newer signing key.
48+
If there are any packages in the output, there are two possible cases:
4449

50+
1. **The package is signed by multiple keys** including an older one. This is OK, but add it to the untaglist anyway so it gets retagged into `coreos-pool` with a newer key/signature. You'll need to untag the RPM from `coreos-pool`, run a `koji distrepo` (which will remove that RPM from the repo metadata), and then re-tag it into the pool. The RPM in the repo will now be signed with a newer signing key.
4551

52+
2. **The package is only signed by an older (non-active) key**. This needs investigation. Something in the compose may be pulling in a stale package (dep issue?). It should not be untagged until the root cause is understood.
4653

4754
- [ ] After verifying the list looks good, untag:
4855

@@ -53,9 +60,9 @@ cat untaglist | xargs -L50 koji untag-build -v coreos-pool
5360

5461
- [ ] Now that untagging is done, give a heads up to rpm-ostree developers that N-2 packages have been untagged and that they may need to update their CI compose tests to freeze on a newer FCOS commit.
5562

56-
- [ ] Remove the N-2 signing key from the tag info for the coreos-pool tag. The following commands view the current settings and then update the list to the 33/34/35 keys. You'll most likely have to get someone from releng to run the second command (`edit-tag`).
63+
- [ ] Remove the N-2 signing key from the tag info for the coreos-pool tag. The following commands view the current settings and then update the list to the N-1/N/N+1 keys. You'll most likely have to get someone from releng to run the second command (`edit-tag`).
5764
- `koji taginfo coreos-pool`
58-
- `koji edit-tag coreos-pool -x tag2distrepo.keys="9570ff31 45719a39 9867c58f"`
65+
- `koji edit-tag coreos-pool -x tag2distrepo.keys="<N-1 key> <N key> <N+1 key>"`
5966

6067
## At Branching
6168

0 commit comments

Comments
 (0)