Infrastructure Projects

Fedora Infrastructure Projects

Let’s collaborate to shape a robust and efficient infrastructure that aligns with the evolving needs of the Fedora Project.


Install and configure ARA in OpenShift with its hook in our ansible repo.


  • Deploy and configure Keycloak and IPA-tuura in staging OpenShift and configure them with our IPA servers.
  • Import OAuth2 configuration from Ipsilon
  • Configure the mapping of IPA attributes to OIDC attributes in IPA-tuura
  • Test with test-auth
  • Check how the mapping of AWS groups could be done in IPA-tuura
  • Follow the implementation of Kerberos auth in IPA-tuura


It’s unrealistic to hope that the rewrite will be ready before RHEL7 goes EOL. We’ll have to do with the current implementation for a while still.

Docs: current implementation.



  • Port the consumer to Fedora Messaging


@abompard is currently working on this

  • Rework the scripts
  • Deploy to Openshift
  • Sanitize the codebase
  • Maybe make it usable by other distributions??


It’s currently a static page built in OpenShift by a cron job every hour.

Rewrite with a more dynamic tech, and proper libraries.


The problem with the current Toddlers:

  • a message that crashes a toddler prevents it from getting processed by all the toddlers that come after it
  • if one toddler consumes a lot, other toddler pods can be added but they multiply all the toddlers, not only the one that needs scaling
  • it conceptually re-implements a queue system, except it’s in a for loop:
    • messages are stored in memory during processing
    • topic matching is done in Python
  • Convert toddlers to Fedora Messaging consumers so that a crashing toddler does not block the others
  • Each consumer will be a pod in a single Openshift project
  • The pod can have as many replica as needed
  • Each consumer will have separate queues and only be subscribed to what they actually need.

The gitforge problem

Fedora project is currently using pagure as its base for git repositories as well as for distgit implementation. While pagure is getting some traction now, there are other healthy open-source implementations of a git forge.

Added engineering

@abompard Does it make sense to talk about ARA in a thread like this?

Hmm it may become confusing over time when replies to different projects accumulate after one another. Maybe a link to a separate Discourse thread? Not sure.

The code that is currently running in staging Openshift is here in GitHub.

And this is the result:

Yeah, I had high hopes that nested discussions would be solved by early 21st century.

We might think about a hackathon/meetup at devconfcz2024, this seems doable over the weekend with the possibility of engagement with a wider audience.

I think it would be nice to also have on all infrastructure projects a “Login with Kerberos”, like COPR. That way a packager who is already logged in with Kerberos to use fedpkg doesn’t need to login again with OIDC in Bodhi to submit their updates.

BTW, any progress in hardware 2FA (like yubikey) support in noggin?

In theory, it should already be the case, as Ipsilon is supposed to support Kerberos auth. So it would be redirecting from Bodhi → Ipsilon → Kerberos auth → Bodhi and it should be transparent.

That’s dependant on support in IPA and Ipsilon. Support in IPA is either coming or already there, support in Ipsilon is probably never going to happen, but it’s likely to land in Keycloak at some point. This would be one of the reasons to switch to it.

Alright, so I made a wiki page: Infrastructure/Projects - Fedora Project Wiki. As always with wiki pages, it just needs to be kept up-to-date… I’ll try to do that.

This thread can be used to discuss the page and the general idea of grouping and advertising infra projects. New project suggestions should be made in new threads, but I suppose this one can be used as well if unsure.


I think it might be good to add ‘kerneltest to python3/fedora-messaging’
(which is currently on rhel7 and needs to be done before rhel7 eol)?