Mass Branching

Description

At each alpha freeze we branch the pending release away from devel/ which allows rawhide (currently F41) to move on while the pending release goes into bugfix and polish mode.

You will find below the list of steps to follow to branch a new Fedora release.

Mass resigning

When we branch off of rawhide, the branched release packages are already signed by the F{release} key, but we need to resign everything in rawhide for the new F+1 key. ie, When we branch f39 off rawhide, all it’s packages are already signed by the f39 key, but we need to resign everything with the f40 key for rawhide.

  • Add a new config for the new key to robosignatory. Something like:

            [[consumer_config.koji_instances.primary.tags]]
            from = "f39"
            to = "f39"
            key = "{{ (env == 'production')|ternary('fedora-40', 'testkey') }}"
            keyid = "{{ (env == 'production')|ternary('a15B79cc', 'd300e724') }}"
            {% if env == "production" %}
            file_signing_key = "fedora-40-ima"
            {% endif %}

This allows robosignatory to sign packages in the f39 tag with the f40 key. * git clone https://pagure.io/releng * confirm the new key fingerprint is in scripts/sigulsign_unsigned.py * run sigulsign_unsigned.py to gather list of packages to sign:

./sigulsign_unsigned.py --just-list --tag f39 fedora-40 | grep src | sed -e 's|.src||' > unsigned-packages

You should get a list of all the source packages by name. * copy unsigned-packages list to autosign01 * on autosign01 run in a tmux session:

sudo -su robosignatory
passphrase=$(systemd-ask-password "Please enter passphrase for 'autosign' key: ")
(enter the autosign passphrase)
keyctl add user "sigul:autosign" "${passphrase}" @s
for i in `cat unsigned-packages`
do
  echo $i;
  robosignatory sign-tag primary $i f39;
  sleep 1;
done

This will iterate over all packages and sign them with the new f40 key. Once complete, re-run the ./sigulsign_unsigned.py command to confirm all are signed. On branching day, remove the robosignatory config for this resigning.

Send announcement

One day before the mass branching, we send out announcemt because during mass branching, new koji builds for rawhide are disabled.

Disable rawhide builds in koji

We need to configure outage in koji. Look at this PR

Cancel all running build for rawhide

List all running tasks and select onle those relevant for current branching.

$ koji list-builds --state=0 --type=rpm | grep fc40 | awk '{print $1}'

Cancel each of those tasks

$ koji cancel <build>

Repos to branch

All the following listed repos needs updating, including adding a new branch for branched release and updating rawhide branch with new release values.

PDC

The "product-release" needs to be created in PDC.

In the scripts/pdc/ directory, run:

$ python create-product-release.py fedora $TOKEN Fedora $NEW_VERSION

On pdc-backend01.stg (for testing) or pdc-backend01 (for production) clone (or update an existing one) the releng repo:

$ git clone https://pagure.io/releng.git

In the scripts/pdc/ directory, run (see the --help of the script for information on how to run it):

$ python create-new-release-branches.py ... --createfile
The --createfile argument is necessary, that file is needed for the next step.

Due to memory leak issue in pdc, we need to set the config in /etc/pdc.d/fedora.json:

{
  "fedora":
    {
      "host": "http://pdc-web02.iad2.fedoraproject.org/rest_api/v1/",
      "develop": false,
      "ssl-verify": false
    }
}

dist-git

Now that pdc has the new release and each package has been branched in pdc we need to update dist-git in two steps:

  • Create the new branch in git

  • Update the gitolite.conf to allow user to push to this new branch

For both of these actions you will need the file generated by pdc above.

Create the git branches

On pkgs01.stg (for testing) or pkgs02 (for production), run:

$ sudo -u pagure python /usr/local/bin/mass-branching-git.py <new branch name> <input file>

Where <new branch name> will be like f41 and the <input file> the path to the file generated by pdc above.

Ansible

Apps in ansible need to be updated to be aware of a new branch.

Bodhi

Bodhi needs to be updated to add new release. This needs to be done in bodhi2 role in infra ansible repo. This change includes, updating koji-sync-listener.py, new-updates-sync, pungi configs for rpm updates, bodhi templates.

  • roles/bodhi2/backend/files/new-updates-sync

  • roles/bodhi2/backend/tasks/main.yml

  • roles/bodhi2/backend/templates/pungi.rpm.conf.j2

  • roles/bodhi2/backend/templates/koji_sync_listener.toml

Please check these files from the commit for your reference.

Enable Branched Compose

We need to enable the branched compose. This is done in releng role of infra ansbile repo.

Please check the file roles/releng/files/branched from the commit for your reference.

Fedora Branched

  1. Set FedoraBranched variable to True in infra ansible repo.

  2. Set FedoraBranchedBodhi variable to preenable in infra ansible repo.

Please check the file FedoraBranched.yaml and FedoraBranchedBodhi.yaml from the commit for your reference.

Koji hub

Update the koji hub config to allow side tags for new koji rawhide (currently f41) tag.

Please check the file roles/koji_hub/templates/hub.conf.j2 from the commit for your reference.

Robosignatory

Robosignatory has two parts, which can be found in robosignatory role in infra ansible repo.:

  1. Disable branched signing, so that we can freeze branched until we get a compose.

  2. Adding new release.

Please check the file roles/robosignatory/templates/robosignatory.toml.j2 from the commit for your reference.

Push the changes

When done editing the files, commit, push and apply them via the corresponding ansible playbook:

$ sudo rbac-playbook groups/koji-hub.yml
$ sudo rbac-playbook groups/releng-compose.yml
$ sudo rbac-playbook groups/bodhi-backend.yml
$ sudo rbac-playbook openshift-apps/greenwave.yml
$ sudo -i ansible-playbook /srv/web/infra/ansible/playbooks/$ groups/proxies.yml -t pkgdb2
$ sudo rbac-playbook groups/mbs.yml -t mbs

Ask someone in fedora infra to run the robosignatory playbook.

Koji

The koji build system needs to have some tag/target work done to handle builds from the new branch and to update where builds from rawhide go.

Fedora Release

The fedora-release package needs to be updated in Rawhide and Branched.

Changes to fedora-release.spec in the rawhide branch:

(can also check this commit for reference)

  1. Increment %define dist_version to 41:

    %define dist_version 41
  2. Increment Version: and reset Release::

    Version:        41
    Release:        0.1%{?eln:.eln%{eln}}
  3. Add a %changelog entry:

    %changelog
    * Day Mon DD YYYY Name  - 41-0.1
    - Setup for rawhide being F41

Changes to fedora-release.spec in the branched (currently 40) branch:

(can also check this commit for reference)

  1. Adjust release_name and unset is_rawhide:

    %define release_name Forty
    %define is_rawhide 0
  2. Verify the correct number for dist_version and Version::

    %define dist_version 40
    Version:        40
  3. Bump Release::

    Release:        0.4%{?eln:.eln%{eln}}
  4. Add a %changelog entry:

    %changelog
    * Day Mon DD YYYY Name  - 40-0.4
    - Branching F40 from rawhide

Fedora Repos

The fedora-repos package needs to be updated in Rawhide, Branched, and also in all stable release branches (in order to receive new GPG keys and updated symlinks).

Changes to the rawhide branch (mostly in fedora-repos.spec):

(can also check this commit for reference)

  1. Generate and add a Rawhide+1 which is 42 GPG key file, then add it to the spec file:

    Source57:       RPM-GPG-KEY-fedora-42-primary
  2. Update the archmap file and define architectures for Rawhide+1:

    fedora-{rawhide+1}-primary: x86_64 armhfp aarch64 ppc64le s390x
  3. Increment %global rawhide_release:

    %global rawhide_release 41
  4. Bump Version: and reset Release::

    Version:        41
    Release:        0.1%{?eln:.eln%{eln}}
  5. Add a %changelog entry:

    %changelog
    * Day Mon DD YYYY Name  - 41-0.1
    - Setup for rawhide being F41

Changes to the branched branch (mostly in fedora-repos.spec):

(can also check this commit for reference)

  1. Copy the Rawhide+1 which is 42 GPG key file from the rawhide branch, then add it to the spec file:

    Source57:       RPM-GPG-KEY-fedora-42-primary
  2. Copy the archmap file from the rawhide branch.

  3. Update %global rawhide_release:

     %global rawhide_release 41
  4. Enable updates_testing_enabled:

    %global updates_testing_enabled 1
  5. Bump Release:

    Release:        0.3%{?eln:.eln%{eln}} +
  6. Add a %changelog entry:

    %changelog
    *Day Mon DD YYYY Name  - 40-0.3 +
    - Update Rawhide definition, enable updates-testing for Branched +

Build fedora-release and fedora-repos packages for Branched release before enabling the Rawhide gating.

Changes to the stable branches (mostly in fedora-repos.spec):

  1. Copy the Rawhide+1 GPG key which is 42 file from the rawhide branch, then add it to the spec file:

    Source57:       RPM-GPG-KEY-fedora-42-primary
  2. Copy the archmap file from the rawhide branch.

  3. Update %global rawhide_release:

     %global rawhide_release 41
  4. Bump Release::

    Release:        0.3%{?eln:.eln%{eln}}
  5. Add a %changelog entry:

    %changelog
    *Day Mon DD YYYY Name  - 39-0.3
    - Update Rawhide definition

Bodhi

Linking Empty Repos

We need to link empty repos so that new-updates-sync wont complain about missing repos. The following commands should be run on bodhi-backend01.phx2.fedoraproject.org

$ sudo ln -s /mnt/koji/compose/updates/empty-repo/ /mnt/koji/compose/updates/f40-updates
$ sudo ln -s /mnt/koji/compose/updates/empty-repo/ /mnt/koji/compose/updates/f40-updates-testing

Creating Empty Repos

To create empty repos on the master mirror, run create_emtpy_repos.sh from pagure releng repo. This should be run on bodhi-backend01.phx2.fedoraproject.org

$ sudo -u ftpsync sh scripts/branching/create_empty_repos.sh 40

Please verify the repo permissions that are created under /pub/fedora/linux/development/<fedora_release_number> and /pub/fedora-secondary/development/<fedora_release_number>. They should be owned by ftpsync:ftpsync

Creating rawhide release

To create a rawhide release in bodhi, you need to run:

$ bodhi releases create \
  --name "F41" --long-name "Fedora 41" \
  --id-prefix FEDORA --version 41 --branch f41 \
  --dist-tag f41 \
  --stable-tag f41 \
  --testing-tag f41-updates-testing \
  --candidate-tag f41-updates-candidate \
  --pending-stable-tag f41-updates-pending \
  --pending-testing-tag f41-updates-testing-pending \
  --pending-signing-tag f41-signing-pending \
  --state pending \
  --override-tag f41-override \
  -create-automatic-updates \
  --not-composed-by-bodhi

To create a container release for rawhide in bodhi, you need to run:

$ bodhi releases create \
  --name "F41C" --long-name "Fedora 41 Containers" \
  --id-prefix FEDORA-CONTAINER --version 41 --branch f41 \
  --dist-tag f41-container \
  --stable-tag f41-container-updates \
  --testing-tag f41-container-updates-testing \
  --candidate-tag f41-container-updates-candidate \
  --pending-stable-tag f41-container-updates-pending \
  --pending-testing-tag f41-container-updates-testing-pending \
  --state pending \
  --override-tag f41-container-override

To create a flatpak release for branched in bodhi, you need to run:

$ bodhi releases create \
  --name "F40F" --long-name "Fedora 40 Flatpaks" \
  --id-prefix FEDORA-FLATPAK --version 40 --branch f40 \
  --dist-tag f40-flatpak \
  --stable-tag f40-flatpak-updates \
  --testing-tag f40-flatpak-updates-testing \
  --candidate-tag f40-flatpak-updates-candidate \
  --pending-stable-tag f40-flatpak-updates-pending \
  --pending-testing-tag f40-flatpak-updates-testing-pending \
  --state pending \
  --override-tag f40-flatpak-override

You need to run the bodhi openshift playbook, so that UI will know about the new release. Then, you need to restart fm-consumer@config.service and bodhi-celery.service services on bodhi-backend01.phx2.fedoraproject.org:

$ sudo rbac-playbook openshift-apps/bodhi.yml
$ sudo systemctl restart fm-consumer@config.service bodhi-celery.service

Build fedora-release, fedora-repos package for rawhide after enabling the rawhide gating

Update rawhide koji repo

We need to point the rawhide buildroot repo to the newly created rawhide buildroot. This way kojira doesn’t make a newrepo for rawhide target as often as fxx-build (new rawhide buildroot).

Run the following commands from any of the compose boxes:

$ cd /mnt/koji/repos/rawhide
$ rm -f latest
$ ln -s ../f41-build/latest ./latest

Update block_retired.py script

block_retired.py script in releng repo should be updated with rawhide release and also branched release should be added to the script.

Please look at this block_retired.py commit as an example.

Updating MirrorManager

We need to update the mirrormanager so that it will point rawhide to the new rawhide release.

Please follow the instructions in the fedora infra ticket to update the database of mirrormanager.

Enable autosigning on branched release

Once the branched compose is composed, we need to re-enable robosignatory on branched release

Add the new rawhide key to eln pungi config. For example, look at this pungi eln config commit

Change the trigger notification for DistroBuildSync to the new Rawhide version. For example, look at this commit.

Branch new rawhide in Koschei

Branch new fedora rawhide in koschei.

Fedora Container Base Image

In order to enable builds for Container Base Images via the Fedora Layered Image Build System we will need to import a new image for Rawhide as well as for the new fedora:rawhide and fedora:$41 tags.

Check for the latest successful Rawhide Base Image composed image here.

On compose-x86-01.phx2 run:

# Update this to be the correct URL for your image
$ BASEIMAGE_URL="https://kojipkgs.fedoraproject.org//packages/Fedora-Docker-Base/Rawhide/20170310.n.0/images/Fedora-Docker-Base-Rawhide-20170310.n.0.x86_64.tar.xz"

# Update this to whatever version number Rawhide now points to
$ RAWHIDE="27"

# Load the latest, find it's image name
$ sudo docker load < <(curl -s "${BASEIMAGE_URL}")
$ sudo docker images | grep base-rawhide
fedora-docker-base-rawhide-20170310.n.0.x86_64      latest      ffd832a990ca        5 hours ago     201.8 MB

# Tag everything
$ sudo docker tag fedora-docker-base-rawhide-20170310.n.0.x86_64 candidate-registry.fedoraproject.org/fedora:rawhide
$ sudo docker tag fedora-docker-base-rawhide-20170310.n.0.x86_64 candidate-registry.fedoraproject.org/fedora:$41
$ sudo docker tag fedora-docker-base-rawhide-20170310.n.0.x86_64 registry.fedoraproject.org/fedora:rawhide
$ sudo docker tag fedora-docker-base-rawhide-20170310.n.0.x86_64 registry.fedoraproject.org/fedora:$41

# Push the images
$ sudo docker push candidate-registry.fedoraproject.org/fedora:rawhide
$ sudo docker push candidate-registry.fedoraproject.org/fedora:$41
$ sudo docker push registry.fedoraproject.org/fedora:rawhide
$ sudo docker push registry.fedoraproject.org/fedora:$41

# Clean up after ourselves
$ sudo docker rmi fedora-docker-base-rawhide-20170310.n.0.x86_64
Untagged: fedora-docker-base-rawhide-20170310.n.0.x86_64:latest
$ for i in $(sudo docker images -q -f 'dangling=true'); do sudo docker rmi $i; done

Update sync script

In releng repository update script.

And set current_rawhide variable.

Toddlers

Add new SLA to the toddlers App

Use this PR for reference and add new version to the config.

Consider Before Running

FIXME: Need some love here