Skip to content

Commit

Permalink
README: update notes for moving to new Fedora Major
Browse files Browse the repository at this point in the history
  • Loading branch information
dustymabe authored and kelvinfan001 committed Dec 14, 2020
1 parent 3880e5f commit 6b57b01
Showing 1 changed file with 36 additions and 7 deletions.
43 changes: 36 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ Updating this repo:
Update server changes:

1. Set a new update barrier for N-2 on all streams.
In the barrier entry set a link to [the docs](https://docs.fedoraproject.org/en-US/fedora-coreos/update-barrier-signing-keys/).
See [discussion](https://github.com/coreos/fedora-coreos-tracker/issues/480#issuecomment-631724629).

CoreOS Installer changes:
Expand All @@ -111,12 +112,40 @@ CoreOS Installer changes:

Release engineering changes:

1. verify that the `f${releasever}-coreos-signing-pending` Koji tag has
been created (this should have already been done by releng scripts on
branching)
2. `koji untag` N-2 packages from the pool (at some point we'll have GC
1. Verify that a few tags have been created. These should have been created
by releng scripts on branching:

- `f${releasever}-coreos-signing-pending`
- `f${releasever}-coreos-continuous`

2. The tag info for the coreos-pool tag has the new release (N) and
next release (N+1) signing keys (just to stay ahead of the curve)
and removes the old release (N-2) signing key. The following commands
view the current settings and then update the list to 32/33/34 keys.
You'll most likely have to get someone from releng to run the second
command (`edit-tag`).

- `koji taginfo coreos-pool`
- `koji edit-tag coreos-pool -x tag2distrepo.keys="12c944d0 9570ff31 45719a39"`


3. `koji untag` N-2 packages from the pool (at some point we'll have GC
in place to do this for us, but for now we must remember to do this
manually or otherwise distRepo will fail once the signed packages are
GC'ed). For example:
- `koji list-tagged coreos-pool --quiet | grep fc30 | cut -f1 -d' ' | sort | uniq`
- Sanity-check the output, then pipe it to `xargs koji untag-build coreos-pool`
GC'ed). For example the following snippet finds all RPMs signed by the
Fedora 31 key and untags them.

```
f31key=3c3359c4
key=$f31key
untaglist=''
for build in $(koji list-tagged --quiet coreos-pool | cut -f1 -d' '); do
if koji buildinfo $build | grep $key 1>/dev/null; then
untaglist+="${build} "
echo "Adding $build to untag list"
fi
done

# After verifying the list looks good:
# - koji untag-build coreos-pool $untaglist
```

0 comments on commit 6b57b01

Please sign in to comment.