#5941 Requesting Koji user certificate for Koschei
Closed: Fixed None Opened 9 years ago by msimacek.

Koschei is a continuous integration tool for Fedora packages that does scratch-builds of packages in rawhide as their dependencies change. Right now it is using my personal certificate for initiating the scratch-builds, but since we'd like to deploy it in the Fedora Infrastructure, we need a separate Koji account for it. It will be used only for scratch-building, no other permissions are needed.


Open question for the meeting: Is this a rel-eng task at all? AFAIK just a FAS account is needed, maybe a bot account, but this can be handled by infrastructure.

As part of the moving-into-infra process we can generate a certificate, not before.

Thanks. We are working towards moving Koschei to infra, I'll let you know once we start the formal process.

Removing the meeting keyword. There is nothing to discuss here.

Replying to [comment:3 mizdebsk]:
> Thanks. We are working towards moving Koschei to infra, I'll let you know once we start the formal process.

Can you please re-open the ticket, once this is done? IMHO there is no need to keep this ticket open if there is nothing that can be done right now.

Replying to [comment:6 mizdebsk]:
> Formal process for making Koschei an official Fedora service has already been started. See: https://fedorahosted.org/fedora-infrastructure/ticket/4562 and https://lists.fedoraproject.org/pipermail/infrastructure/2014-October/014953.html

Thank you for the links. IMHO this can be tracked in the infra ticket for now. If for some reason the missing koji certificate is blocking the progress, then please re-open this ticket again.

Lack of a Koji certificate is already blocking several things:

FMN. Currently it's not possible to filter Koji scratch builds done by Koschei. I would like to develop an FMN rule that would notify users whenever Koschei finishes a build of any of their packages, but the lack of a dedicated Koji user for Koschei makes this impossible.

Dedicated channel. There have been complaints that Koschei uses or may use an excessive amount of resources (builders). Creating a Koji channel with just a few builders would help to make sure Koschei doesn't overload Koji, but this requires a policy change and a Koschei user.

Scratch builds from repo ID. There are technical reasons why it would be beneficial for Koschei to run scratch builds from a specific repo ID. This again requires a policy change and can't be done without a dedicated Koji user for Koschei.

It is a hard requirement that everything be run inside of Fedora infrastructure to get a cert. The cert needs to be deployed by Ansible and will not be available to the developers of Koschei.

It is true that Koschei creates a lot of noise in Koji, often making it impossible to see what is actually going on in Koji; having a different cert will not change that.

Koschei does run on Fedora infrastructure (Fedora cloud) and uses Ansible for deployment (see below). It's just not yet an official service, but the process to make it an official service has already been initiated.

Ansible playbook for Koschei: https://infrastructure.fedoraproject.org/cgit/ansible.git/tree/playbooks/hosts/koschei.cloud.fedoraproject.org.yml

Deployment of the Koji certificate and private key has just been added to the Koschei Ansible playbook ({{{playbooks/hosts/koschei.cloud.fedoraproject.org.yml}}}). Now it should be enough to put the generated key and signed certificate in {{{/srv/private/ansible/files/koschei/koschei.pem}}} and they will be deployed by Ansible.

Certificate has been generated. Koschei has its [http://koji.fedoraproject.org/koji/userinfo?userID=koschei Koji user] now.

Metadata Update from @msimacek:
- Issue set to the milestone: Fedora 20 Final

7 years ago
