Mass Branching

Description

At each release’s "branch point" we branch the pending release away from devel/ which allows rawhide (currently F44) to move on while the pending release goes into bugfix and polish mode.

You will find below the list of steps to follow to branch a new Fedora release.

Mass resigning

When we branch off of rawhide, the branched release packages are already signed by the F{release} key, but we need to resign everything in rawhide for the new F+1 key. ie, When we branch f44 off rawhide, all it’s packages are already signed by the f44 key, but we need to resign everything with the f45 key for rawhide.

  • Add a new config for the new key to robosignatory. Something like:

            [[consumer_config.koji_instances.primary.tags]]
            from = "f{rawhide}"
            to = "f{rawhide}"
            key = "{{ (env == 'production')|ternary('fedora-{rawhide_next}', 'testkey') }}"
            keyid = "{{ (env == 'production')|ternary('a15B79cc', 'd300e724') }}"
            {% if env == "production" %}
            file_signing_key = "fedora-{rawhide_next}-ima"
            {% endif %}

This allows robosignatory to sign packages in the f44 tag with the f45 key. * git clone https://pagure.io/releng * confirm the new key fingerprint is in scripts/sigulsign_unsigned.py * run sigulsign_unsigned.py to gather list of packages to sign:

./sigulsign_unsigned.py --just-list --tag f{rawhide} fedora-{rawhide_next} | grep src | sed -e 's|.src||' > unsigned-packages

You should get a list of all the source packages by name. * copy unsigned-packages list to autosign01 * on autosign01 run in a tmux session:

sudo -su robosignatory
passphrase=$(systemd-ask-password "Please enter passphrase for 'autosign' key: ")
(enter the autosign passphrase)
keyctl add user "sigul:autosign" "${passphrase}" @s
for i in `cat unsigned-packages`
do
  echo $i;
  robosignatory sign-tag primary $i f{rawhide};
  sleep 1;
done

This will iterate over all packages and sign them with the new f45 key. Once complete, re-run the ./sigulsign_unsigned.py command to confirm all are signed. On branching day, remove the robosignatory config for this resigning.

Send announcement

One day before the mass branching, we send out announcemt because during mass branching, new koji builds for rawhide are disabled.

Create Bugzilla Component

To ensure accurate tracking and management of issues for each Fedora release, a new Bugzilla component should be created for the branched version, as this step is currently not covered in the documentation. A user with access to the 'fedora-pm' Bugzilla group needs to perform the following actions:

  • Log in to Bugzilla.

  • Navigate to the "Administration" section.

  • Under "Components," locate "Fedora."

  • Select "Edit Versions" to view the existing components.

  • Add the new branched version to the list.

This process allows for proper issue categorization and ensures all bugs related to the new Fedora release are properly tracked.

Disable rawhide builds in koji

Previously, disabling all builds in Koji involved configuring an outage as demonstrated in this pull request. However, starting with the Fedora 41 release, the approach was refined to block external submissions in Koji by setting a custom IP restriction.

The recommended method to achieve this is by adding firewall rules to both koji01 and koji02 servers, effectively blocking connections from proxy01 and proxy10. This can be achieved with the following iptables commands:

iptables -I INPUT -m tcp -p tcp --dport 80 -s proxy01.rdu3.fedoraproject.org -j REJECT
iptables -I INPUT -m tcp -p tcp --dport 80 -s proxy10.rdu3.fedoraproject.org -j REJECT

These commands reject incoming traffic on port 80 from the specified proxies, preventing external submissions. Internal connections routed via proxy101 and proxy110 will continue to function as expected.

To reverse the firewall changes and allow external submissions again, use:

iptables -D INPUT -m tcp -p tcp --dport 80 -s proxy01.rdu3.fedoraproject.org -j REJECT
iptables -D INPUT -m tcp -p tcp --dport 80 -s proxy10.rdu3.fedoraproject.org -j REJECT

This change should be implemented on both koji01 and koji02 machine.

Cancel all running build for rawhide

List all running tasks and select onle those relevant for current branching.

$ koji list-builds --state=0 --type=rpm | grep fc43 | awk '{print $1}'

Cancel each of those tasks

$ koji cancel <build>

Repos that needs to be updated for branching

All the following listed repos needs updating, including adding a new branch for branched release and updating rawhide branch with new release values.

Releng Changes

As part of the mass branching process, changes were made to the find_unblocked_orphans.py script to align with the latest Fedora release versions.

Key Changes

  • Updated koji_tag to reference the new Fedora version:

  • Changed from f43 to f44.

  • Updated pagure_branch to reflect the new branching:

  • Changed from f{stable} to f43.

  • Ensured koji_hub references remain consistent across updates.

dist-git

Now we need to update dist-git in two steps:

  • Create the new branch in git

  • Update the gitolite.conf to allow users to push to this new branch

For both of these actions, we need a file listing all active packages. Previously, this was generated by PDC, but since PDC is decommissioned, we now use a script to fetch active packages by filtering out retired and never-imported ones.

Generate the Active Package List

This script should be run in the pkg machine, which can be accessed via SSH from batcave01.rdu3.fedoraproject.org.

$ ssh batcave01.rdu3.fedoraproject.org
$ sudo ssh pkgs01.rdu3.fedoraproject.org  # For production
$ sudo ssh pkgs01.stg.rdu3.fedoraproject.org  # For testing

Before running the script, you need to obtain the script from the Fedora RelEng repository. You can do this in one of two ways:

Option 1: Clone the RelEng repository

$ git clone https://pagure.io/releng.git
$ cd releng/scripts/branching
$ chmod +x get_all_active_packages_branching.sh

This will generate the file components_f43.txt, which contains all valid, active, and imported packages, prefixed with rpm/.

Create the git branches

On pkgs01.stg (for testing) or pkgs01 (for production), run:

$ sudo -u pagure python /usr/local/bin/mass-branching-git.py <new branch name> <input file>

Where <new branch name> will be like f44 and the <input file> the path to the file generated by pdc above.

Ansible

Apps in ansible need to be updated to be aware of a new branch.

Bodhi

Bodhi needs to be updated to add new release. This needs to be done in bodhi2 role in infra ansible repo. This change includes, updating koji-sync-listener.py, new-updates-sync, pungi configs for rpm updates, bodhi templates.

  • roles/bodhi2/backend/files/new-updates-sync

  • roles/bodhi2/backend/tasks/main.yml

  • roles/bodhi2/backend/templates/pungi.rpm.conf.j2

  • roles/bodhi2/backend/templates/koji_sync_listener.toml

Please check these files from the commit for your reference.

Also, set the EOL date for the new release to match the one in the Fedora schedule:

$ bodhi releases edit --name F43 --eol YYYY-MM-DD
$ bodhi releases edit --name F43C --eol YYYY-MM-DD
$ bodhi releases edit --name F43F --eol YYYY-MM-DD

Poddlers (formerly known as toddlers)

Add new SLA to the poddlers App

Use this PR for reference and add new version to the config.

  • Restart poddlers playbook and pod from OpenShift.

  • New Build Trigger:

    ```sh
oc -n poddlers get bc  # List existing build configs
oc -n poddlers start-build bc/<build_name>
```

Fedora Branched

  1. Set FedoraBranched to True.

  2. Set FedoraBranchedBodhi to preenable.

Please check the file FedoraBranched.yaml and FedoraBranchedBodhi.yaml from the commit for your reference.

Koji hub

Update the koji hub config to allow side tags for new koji rawhide (currently f44) tag.

Please check the file roles/koji_hub/templates/hub.conf.j2 from the commit for your reference.

Also, update the roles/koji_hub/templates/koji-gc.conf.j2 file to list the new release keys and retention.

Robosignatory

Robosignatory has two parts, which can be found in robosignatory role in infra ansible repo.:

  1. Disable branched signing, so that we can freeze branched until we get a compose.

  2. Adding new release.

Please check the file roles/robosignatory/templates/robosignatory.toml.j2 from the commit for your reference.

Push the changes

When done editing the files, commit, push and apply them via the corresponding ansible playbooks:

$ sudo rbac-playbook groups/koji-hub.yml
$ sudo rbac-playbook groups/releng-compose.yml
$ sudo rbac-playbook openshift-apps/bodhi.yml
$ sudo rbac-playbook groups/bodhi-backend.yml
$ sudo rbac-playbook openshift-apps/greenwave.yml
$ sudo -i ansible-playbook /srv/web/infra/ansible/playbooks/groups/proxies.yml -t pkgdb2

Avoid running the koji-hub.yaml playbook after turning off Koji builders to prevent overwriting manual changes.

Once you do the above, gating will be enabled on Rawhide updates under the new release number.

Ask someone in fedora infra to run the robosignatory playbook.

Koji

The koji build system needs to have some tag/target work done to handle builds from the new branch and to update where builds from rawhide go.

Run make-koji-release-tags script in pagure releng repo

Fedora Release

The fedora-release package needs to be updated in Rawhide and Branched.

Changes to fedora-release.spec in the rawhide branch:

(can also check this commit for reference)

  1. Increment %define dist_version to 44:

    %define dist_version 44

  2. Increment Version: and reset Release::

    Version:        44
Release:        0.1%{?eln:.eln%{eln}}

  3. Add a %changelog entry:

    %changelog
* Day Mon DD YYYY Name  - 44-0.1
- Setup for rawhide being F44

Changes to fedora-release.spec in the branched (currently 43) branch:

(can also check this commit for reference)

  1. Adjust release_name and unset is_rawhide:

    %define release_name Forty Three
%define is_rawhide 0

  2. Verify the correct number for dist_version and Version::

    %define dist_version 43
Version:        43

  3. Bump Release::

    Release:        0.4%{?eln:.eln%{eln}}

  4. Add a %changelog entry:

    %changelog
* Day Mon DD YYYY Name  - 43-0.4
- Branching F43 from rawhide

Fedora Repos

The fedora-repos package needs to be updated in Rawhide, Branched, and also in all stable release branches (in order to receive new GPG keys and updated symlinks).

Changes to the rawhide branch (mostly in fedora-repos.spec):

(can also check this commit for reference)

  1. Generate and add a Rawhide+1 which is 45 GPG key file, then add it to the spec file:

    Source57:       RPM-GPG-KEY-fedora-45-primary

  2. Update the archmap file and define architectures for Rawhide+1:

    fedora-45-primary: x86_64 armhfp aarch64 ppc64le s390x

  3. Increment %global rawhide_release:

    %global rawhide_release 44

  4. Bump Version: and reset Release::

    Version:        44
Release:        0.1%{?eln:.eln%{eln}}

  5. Add a %changelog entry:

    %changelog
* Day Mon DD YYYY Name  - 44-0.1
- Setup for rawhide being F44

Changes to the branched branch (mostly in fedora-repos.spec):

(can also check this commit for reference)

  1. Copy the Rawhide+1 which is 45 GPG key file from the rawhide branch, then add it to the spec file:

    Source57:       RPM-GPG-KEY-fedora-45-primary

  2. Copy the archmap file from the rawhide branch.

  3. Update %global rawhide_release:

     %global rawhide_release 44

  4. Enable updates_testing_enabled:

    %global updates_testing_enabled 1

  5. Bump Release:

    Release:        0.3%{?eln:.eln%{eln}} +

  6. Add a %changelog entry:

    %changelog
*Day Mon DD YYYY Name  - 43-0.3 +
- Update Rawhide definition, enable updates-testing for Branched +

Build fedora-release and fedora-repos packages for Branched release before enabling the Rawhide gating.

Consider using sidetags for fedora-release and fedora-repos updates; these updates should be bundled with updates to mock-core-configs and distribution-gpg-keys for a unified push.

Changes to the stable branches (mostly in fedora-repos.spec):

  1. Copy the Rawhide+1 GPG key which is 45 file from the rawhide branch, then add it to the spec file:

    Source57:       RPM-GPG-KEY-fedora-45-primary

  2. Copy the archmap file from the rawhide branch.

  3. Update %global rawhide_release:

     %global rawhide_release 44

  4. Bump Release::

    Release:        0.3%{?eln:.eln%{eln}}

  5. Add a %changelog entry:

    %changelog
*Day Mon DD YYYY Name  - 42-0.3
- Update Rawhide definition

Bodhi

Linking Empty Repos

We need to link empty repos so that new-updates-sync wont complain about missing repos. The following commands should be run on bodhi-backend01.phx2.fedoraproject.org

$ sudo ln -s /mnt/koji/compose/updates/empty-repo/ /mnt/koji/compose/updates/f43-updates
$ sudo ln -s /mnt/koji/compose/updates/empty-repo/ /mnt/koji/compose/updates/f43-updates-testing

Creating Empty Repos

To create empty repos on the master mirror, run create_empty_repos.sh from pagure releng repo. This should be run on bodhi-backend01.phx2.fedoraproject.org

$ sudo -u ftpsync sh scripts/branching/create_empty_repos.sh 43

Update the link in /mnt/koji/repos/rawhide/latest as per https://pagure.io/releng/issue/12255.

Please verify the repo permissions that are created under /pub/fedora/linux/development/<fedora_release_number> and /pub/fedora-secondary/development/<fedora_release_number>. They should be owned by ftpsync:ftpsync Check directory permissions (should be "0755") to ensure new composes synchronize correctly.

Creating rawhide release

To create a rawhide release in bodhi, you need to run:

$ bodhi releases create \
  --name "F44" --long-name "Fedora 44" \
  --id-prefix FEDORA --version 44 --branch f44 \
  --dist-tag f44 \
  --stable-tag f44 \
  --testing-tag f44-updates-testing \
  --candidate-tag f44-updates-candidate \
  --pending-stable-tag f44-updates-pending \
  --pending-testing-tag f44-updates-testing-pending \
  --pending-signing-tag f44-signing-pending \
  --state pending \
  --override-tag f44-override \
  -create-automatic-updates \
  --not-composed-by-bodhi

To create a container release for rawhide in bodhi, you need to run:

$ bodhi releases create \
  --name "F44C" --long-name "Fedora 44 Containers" \
  --id-prefix FEDORA-CONTAINER --version 44 --branch f44 \
  --dist-tag f44-container \
  --stable-tag f44-container-updates \
  --testing-tag f44-container-updates-testing \
  --candidate-tag f44-container-updates-candidate \
  --pending-stable-tag f44-container-updates-pending \
  --pending-testing-tag f44-container-updates-testing-pending \
  --state pending \
  --override-tag f44-container-override

To create a flatpak release for branched in bodhi, you need to run:

$ bodhi releases create \
  --name "F43F" --long-name "Fedora 43 Flatpaks" \
  --id-prefix FEDORA-FLATPAK --version 43 --branch f43 \
  --dist-tag f43-flatpak \
  --stable-tag f43-flatpak-updates \
  --testing-tag f43-flatpak-updates-testing \
  --candidate-tag f43-flatpak-updates-candidate \
  --pending-stable-tag f43-flatpak-updates-pending \
  --pending-testing-tag f43-flatpak-updates-testing-pending \
  --state pending \
  --override-tag f43-flatpak-override

You need to run the bodhi openshift playbook, so that UI will know about the new release. Then, you need to restart fm-consumer@config.service and bodhi-celery.service services on bodhi-backend01.phx2.fedoraproject.org:

$ sudo rbac-playbook openshift-apps/bodhi.yml
$ sudo systemctl restart fm-consumer@config.service bodhi-celery.service

Build fedora-release, fedora-repos package for rawhide after enabling the rawhide gating

Update rawhide koji repo

We need to point the rawhide buildroot repo to the newly created rawhide buildroot. This way kojira doesn’t make a newrepo for rawhide target as often as fxx-build (new rawhide buildroot).

Run the following commands from any of the compose boxes:

$ cd /mnt/koji/repos/rawhide
$ rm -f latest
$ ln -s ../f44-build/latest ./latest

Creating composes

Once the other changes are all done, we must create post-branching composes for both the new branched release and Rawhide as soon as possible. To do this, ssh into the appropriate compose host for the release (compose-branched01 or compose-rawhide01) and edit the cron job in /etc/cron.d, changing it to run on the next minute - so if it’s currently 14:27, change the first two numbers to 28 14. Once the compose has started, remember to change the numbers back to their normal values.

Updating MirrorManager

We need to update the mirrormanager so that it will point rawhide to the new rawhide release.

Please follow the instructions in the fedora infra ticket to update the database of mirrormanager, though note that none of the 'modular' repos exist any more.

Updating fedfind release metadata

We need to update the /srv/groups/qa/metadata/release.json file on fedorapeople (people01). It is used by fedfind as a source of truth about release numbers. openQA, fedora-image-uploader and various other will behave incorrectly if it is not updated. The new branched release number should be added to the branched list in this file - before the edit, the list should be empty. If you do not have access to edit this file, ask a member of the Quality team to do so.

Enable autosigning on branched release

Once the branched compose is composed, we need to re-enable robosignatory on branched release.

ELN related work

Add the new rawhide key to eln pungi config. For example, look at this pungi eln config commit

Change the trigger notification for DistroBuildSync to the new Rawhide version. For example, look at this commit.

Branch new rawhide in Koschei

Branch new fedora rawhide in koschei.

Temporarily disable the rawhide cron job during branching PRs to ensure a branched compose is created. Re-enable rawhide after this.

Consider Before Running

FIXME: Need some love here

Want to help? Learn how to contribute to Fedora Docs