Obs User Guide
Obs User Guide
https://documentation.suse.com
Copyright © 2006– 2024 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Docu-
mentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright
notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation
License”.
For SUSE trademarks, see http://www.suse.com/company/legal/ . All other third-party trademarks are the prop-
erty of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates.
Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. However, this does not
guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable
for possible errors or the consequences thereof.
Contents
2 Feedback xv
I FIRST STEPS 1
1 Beginnerʼs Guide 2
1.1 Target Audience 2
iv User Guide
II CONCEPTS 21
2.6 SimpleImage 25
2.7 AppImage 25
2.8 Flatpak 25
2.9 mkosi 28
III SETUP 30
3.3 Usage 33
Getting Help 33 • Using osc for the First Time 33 • Overview of Brief
Examples 33
4 Build Configuration 37
4.1 About the Build Configuration 37
v User Guide
IV USAGE 51
6 Local Building 62
6.1 Generic Local Build Options 62
vi User Guide
Reporting 89 • Workflow Runs 89 • Errors 92 • Equivalence
Table 92
10 Notifications 112
10.1 Notifications Configuration 112
ix User Guide
16 Bootstrapping 186
16.1 The Issue 186
VI REFERENCE 195
x User Guide
22.3 Download on Demand Repositories (DoD) 204
Motivation 204 • XML Document Hierarchy 204 • The
Daemon 204 • The download Element 205 • The master
Subelement 205 • The pubkey Subelement 205 • Repository Types 206
xi User Guide
27 Supported Formats 224
27.1 Spec File Specials (RPM) 224
29.2 Adding Image Templates to/Removing Image Templates from the Official
Image Template Page 234
36 Authorization 271
36.1 OBS Authorization Methods 271
Default Mode 271 • Proxy Mode 271 • LDAP Mode 271
Glossary 277
1 Available Documentation
The following documentation is available for OBS:
2 Feedback
Several feedback channels are available:
Bug Reports
To report bugs for Open Build Service, go to https://bugzilla.opensuse.org/ , log in, and
click New.
xv Available Documentation
Mail
For feedback on the documentation of this product, you can also send a mail to doc-
[email protected] . Make sure to include the document title, the product version and the
publication date of the documentation. To report errors or suggest enhancements, provide
a concise description of the problem and refer to the respective section number and page
(or URL).
3 Documentation Conventions
The following notices and typographical conventions are used in this documentation:
Alt , Alt – F1 : a key to press or a key combination; keys are shown in uppercase as on
a keyboard
Commands that must be run with root privileges. Often you can also prefix these com-
mands with the sudo command to run them as non-privileged user.
root # command
geeko > sudo command
Notices
To learn how to validate and generate the OBS documentation, see the le README .
To submit changes, use GitHub pull requests:
It is even possible to host instance-specific content in the official Git repository, but it needs to
be tagged correctly. For example, parts of this documentation are tagged as <para os="open-
suse"> . In this case, the paragraph will only become visible when creating the openSUSE ver-
sion of a guide.
1 Beginnerʼs Guide 2
1 Beginnerʼs Guide
Copyright © 2006– 2024 SUSE LLC and contributors. All rights reserved.
Permission is granted to copy, distribute and/or modify this document under the terms of
the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the
Invariant Section being this copyright notice and license. A copy of the license version 1.2 is
included in the section entitled “GNU Free Documentation License”.
For SUSE trademarks, see http://www.suse.com/company/legal/ . All other third-party trade-
marks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote
trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.
All information found in this book has been compiled with utmost attention to detail. How-
ever, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors
nor the translators shall be held liable for possible errors or the consequences thereof.
This guide describes basic workflows for working with packages on Open Build Ser-
vice. This includes checking out an upstream package from a public source code
repository, creating patches, branching a repository, and more.
2 Target Audience
1.2.1 Build Recipe
To create a package in OBS, you need a build recipe which contains the following information:
Metadata. The package name and the description are mandatory. Other data such as the
version, the license, the upstream URL is optional.
Requirements. Packages depend on other packages to function properly. There are two
types of requirements: build requirements and installation requirements.
Build requirements are dependencies which are needed during the build process in OBS.
For example, a C++ program needs a C++ compiler.
Installation requirements are dependencies which are needed when installing the final
package.
A Package List. To successfully install and remove a package and all its contents, the
package manager needs to know which les and directories belong to which package.
For RPM-based operating systems such as openSUSE, SUSE Linux Enterprise, or Red Hat Enter-
prise Linux, all the information above is included in a le with the le extension .spec .
3 Build Recipe
The schematic in Figure 1.1, “Conceptual Overview of Open Build Service” shows the components in
context.
Command
Hermes Installer
Web UI Line Your Client
Web UI (YaST,etc.)
Client
Storage
Software Requirements
Install the osc command line tool from your preferred distributions or from the OBS
project openSUSE:Tools :
For SUSE related systems, install the osc package with the zypper command (re-
place DISTRIBUTION with your distribution):
As an alternative, you can use the AppImage le . An AppImage le is a packaged ap-
plication which can run on many distributions. Download the le from https://down-
load.opensuse.org/repositories/openSUSE:/Tools/AppImage/ , save it in your ~/bin
directory, and make the le executable.
Hardware Requirements
Make sure you have a minimum of 1 GB of free disk space. The osc command builds all
packages locally under /var/tmp/oscbuild and caches downloaded packages under /
var/tmp/osbuild-packagecache .
Since Git is used throughout this guide, and many OBS concepts are modeled after their
Subversion (SVN) equivalents, you have a working knowledge of version control systems
such as Git and Subversion (SVN).
You are using the openSUSE Build Service at https://build.opensuse.org . If you are using
another OBS instance, some commands may differ.
You are running an RPM-based operating system like openSUSE or SUSE Linux Enterprise.
You are using a customized system as shown in Section 1.5, “Configuring Your System for OBS”.
A user on a local machine (you) called geeko . This user builds packages on their own
machine.
An OBS user called obsgeeko with home home:obsgeeko on the Open Build Service. This
user is the same as the system user geeko , that is, you.
An OBS user obstux and their home home:obstux on Open Build Service. This user acts
as a collaborator.
Section 1.6, “Setting Up Your Home Project for the First Time”
Setting up a home project using the OBS Web UI.
To allow all users in the osc group to build packages without entering the root password,
do as follows.
1. Log in as root and create a new group osc . This group will contain all users which are
allowed to build packages:
2. Add users to your newly created group osc which are allowed to build packages:
4. Add the following lines to create a command alias that can be executed only by the osc
group:
5. Log out of your system and log in again to apply the changes.
If you run the command for the rst time, you will be prompted to enter your OBS user
name and OBS password.
checkout_no_colon = 1
This will use an alternate layout when checking out a project. For example, setting the
option above and checking out the home project will generate the home/obsgeeko di-
rectory structure instead of the single home:obsgeeko directory.
However, this guide uses the default configuration with colons.
2. Click the Your Home Project link in the Places menu on the left.
3. Click the Repositories tab, then the Add from a Distribution link.
5. Click the Overview tab to see the available build targets on the right side.
To create a package from the upstream repository, follow the steps below.
1. Set up your home project as shown in Section 1.6, “Setting Up Your Home Project for the First
Time”.
2. In the terminal, choose or create a directory on a local partition that has enough space
to hold the package sources.
5. Get the source code from the upstream repository and save it in home:obsgeeko/my-
first-obs-package .
Download a TAR archive of the sources. You do not have to unpack it yet.
In our example, the upstream repository is hosted on GitHub and you can use the following
URL: https://github.com/obs-example/my-first-obs-package/releases . If there is no pub-
lished release, click the Clone or download button and download the latest sources using
the Download ZIP link.
6. Create the build recipe. This le contains metadata and build instructions.
In this example, we are building an RPM for openSUSE. For RPM-based distributions, we
create a spec le. The skeleton of such a spec le looks like this:
#
# spec file for package my-first-obs-package
#
# -- Copyright omitted --
Name: my-first-obs-package 1
Version: 0.1.0 1
Release: 0 1
License: GPL-3.0 1
Group: Documentation 1
Url: https://github.com/obs-example/my-first-obs-package 1
Source: my-first-obs-package-%{version}.tar.gz 1
BuildRequires: gcc 2
BuildRequires: cmake 2
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description 3
This tool frobnicates the bar with the foo when choosing the baz.
%prep 4
%setup -q -n %{name}-%{version}
%build 5
%install 6
%files 7
%defattr(-,root,root,-)
%changelog 8
1 The Header. Metadata like package name, version, release, license, the RPM group,
a brief summary, the upstream URL, and the name of the source le.
2 Build Requirements. Lists package dependencies that are required for building. The
listed packages are downloaded and installed before building the package.
3 The Description Section. Describes the purpose of the package and gives a compre-
hensive explanation.
4 The Preparation Section. Prepares the sources for building. This usually includes
unpacking them with the %setup macro and patching them using the %patch macro.
(For more information about patching, see Section 1.8, “Patching Source Code”.)
5 The Build Section. Contains commands or RPM macros for building the package.
6 The Install Section. Contains commands or RPM macros which create directories or
copy les to the installation location.
7 The Files Section. Lists all les and directories which belong to the package. Docu-
mentation-related les are marked with %doc , and they are automatically installed
in the default documentation directory.
8 The Changelog Section. This section is usually empty. Instead, OBS searches for a le
with the extension .changes . If such a le exists in the project directory, it will be
automatically included as a changelog. The changelog le itself contains a high level
overview of the history of the package.
This command opens a text le with the following content in the default editor:
-------------------------------------------------------------------
Fri Aug 23 12:31:41 UTC 2017 - [email protected]
project directory
├── my-first-obs-package-0.1.0.tar.gz
├── my-first-obs-package.changes
└── my-first-obs-package.spec
The option --local-package is used here, because the package is not yet submitted to
OBS.
The default build target is set in the osc configuration le ~/.oscrc using the variable
build_repository . On openSUSE Build Service this is usually openSUSE Tumbleweed.
To build the package for another build target, use the following command:
10. Check whether your build was successful. If everything was ne, commit the les to your
package to your home project on OBS:
If you encounter build errors, use the osc buildlog command to review them, as de-
scribed below.
To watch the current build of a specific build target, use the buildlog (alias bl ) subcommand
inside your working directory:
You Do Not Have Permission to Commit Upstream. Often, you cannot commit changes
directly to the upstream repository. If you send changes to the upstream repository, they
may be integrated late or even be rejected.
Patch les allow making changes while keeping source code clean while insulating your
package from upstream's release cycle, coding style, and internal workings.
Improve Security and Traceability. Untouched source code in OBS is easier to check for
changes than a modified one. The check is usually done with a checksum (MD5 or SHA).
We assume that you already have a project as described in Section 1.7, “Creating a New Package
Within Your Home Project”. The project directory should look similar to this:
project directory
├── my-first-obs-package-0.1.0.tar.gz
├── my-first-obs-package.changes
└── my-first-obs-package.spec
In our case, we want to modify the source code under src/main.cpp to change the greeting
message.
If you have downloaded the archive from GitHub, the archive contains a directory
in the form NAME-VERSION . In our case, unpacking the downloaded archive results
in the my-first-obs-package-0.1.0/ directory.
int main()
{
- std::cout<<"Hello OBS!\n";
+ std::cout<<"Hello Alice!\n";
return 0;
}
3. Open your spec le and add the following line in the header under the Source line like
this:
Source: my-first-obs-package-%{version}.tar.gz
Patch0: my-first-obs-package_main.diff
%prep
%setup -q -n %{name}-%{version}
%patch0
If you are dealing with a lot of patches, you might nd the quilt tool useful. For more infor-
mation about quilt , see https://savannah.nongnu.org/projects/quilt .
To modify the source code, building it, trying the effect of the changes, and submitting
back changes to the original project. Usually, you use this workflow when you do not have
write permissions for a project.
Let us assume that there is a user obsgeeko who has created a package home:obsgeeko/my-
first-obs-package on OBS. Now, a second user, obstux , would like to submit a code change
request to that package.
User obstux has to perform the following steps:
1. In the terminal, choose or create a directory on a local partition with enough free space.
16 Branching a Package
6. Review the build log:
7. Make sure all included and removed les are added to the OBS repository:
Used without any options, the submitreq command submits back to the package where
you branched from. Note that with the submit request, you submit a specific version of
the source. Later changes do not get automatically fetched by default.
If there are multiple packages in a branch, all packages will be submitted together. To
avoid that, specify the names of the source and destination projects and the package name:
User obstux has finished the task now and the submit request is assigned to obsgeeko . User
obsgeeko can now either accept or decline the submit request (“SR”). Also, as long as the SR
remains open, obstux can also supersede it with a new request.
Accept the Submit Request. The changes from user obstux will be integrated into the
home:obsgeeko project. The accepted submit request will be closed. To make further
changes, obstux needs to create a new submit request.
Decline the Submit Request. The changes from user obstux are not integrated into the
home:obsgeeko project.
17 Branching a Package
Reasons for declining a submit requires can be build errors or style issues. The reviewer
usually gives a reason when declining the submit request. User obstux can then 1) correct
their submission using a new submit request that supersedes the previous one, 2) disagree
and reopen the request, or 3) accept the decline and revoke the request.
Supersede the Submit Request. As long as the SR is still open (and this includes the case
when it has been declined), obstux can continue making changes in their local checkout
and, at any time, issue a new submit request using the above workflow. At submission time,
OBS will detect the existing (previous) SR and ask the submitter whether they would like
to supersede it. If obstux answers "yes" here, the new SR will supersede the previous one.
Alternatively, by answering "no" to the supersede question, a second SR will be created
alongside the previous one.
Note
If preferred, the below steps can also be performed using the OBS GUI. Requests can be
managed under the Tasks tab.
2. Find the correct submit request. If you know the correct number you can use:
18 Branching a Package
If the submit request has been accepted, the changes will be integrated into the home project
home:obsgeeko .
If the submit request has been declined, you can x the issues and resubmit the package. When
creating a new submit request, osc will prompt to supersede the previous request.
However, this is only true for the home project itself and manually created subprojects, but not
for subprojects created as a result of branching a package. Branched projects are not published by
default. If you need the build results, download the binaries manually with osc getbinaries .
For example, if you have enabled the openSUSE Tumbleweed distribution, all packages for
openSUSE Tumbleweed will be published at https://download.opensuse.org/reposito-
ries/home:/obsgeeko/openSUSE_Tumbleweed . This download repository is used as an installa-
tion source for Zypper or YaST.
To install the my-first-obs-package package from your home project, use the following steps:
2. Copy the desired URL of your preferred distribution. In our case, that is the line containing
openSUSE_Tumbleweed .
To update the package again, run Step 4. You do not need to execute Step 1, as the repository
is already configured in your system.
osc diff
Generates a di, comparing local changes against the remote OBS project.
osc list
Shows source or binaries on an OBS server.
osc prjresults
Shows project-wide build results.
osc status
Shows the status of les in your working directory
RPM package format, used for all RPM-based distributions like openSUSE, SUSE Linux
Enterprise, Fedora, and others.
preinstallimage
SimpleImage format
If no build recipe format and binary format are specified in the project configuration, OBS tries
to deduce them from the preinstall list, which includes the name of the used package manager.
This means that you need to manually configure the kiwi build recipe, as an RPM package
format will select spec builds as default. This configuration is done by adding a Type line to
the project configuration.
22 About Formats
2.2 RPM: Spec
RPM (RPM Package Manager) is used on openSUSE, SUSE Linux Enterprise, Red Hat, Fedora,
and other distributions. For building RPMs you need:
.spec
the spec le for each package containing metadata and build instructions. OBS parses the
spec le's BuildRequires lines to get a list of package dependencies. OBS uses this infor-
mation to both build the packages in the correct order and also for setting up the build
environment. The parser understands most of RPMs macro handling, so it is possible to use
architecture specific BuildRequires, conditional builds and other advanced RPM features.
.changes
the le which contains the changelog.
debian.control
The le contains the meta information for the package like the build dependencies or some
description.
debian.rules
This le describes the build section of the DEB building process. There are the configure
and make compile commands including other DEB building sections.
PACKAGE.dsc
In this le you describe the package names of each subpackage and their dependency level.
Unlike RPM, the release numbers are not increased automatically during build unless the
keyword DEBTRANSFORM-RELEASE is added to the le.
23 RPM: Spec
2.4 Arch: pkg
Pkg les is used on Arch Linux and its derivatives. For building Pkg you need:
PKGBUILD
It contains the build description and the source tarball. The le PKGBUILD does not have
macros like %{buildroot} . It contains variables, for example, makedepends=(PACKAGE1,
PACKAGE2) . These variables are parsed by OBS and uses them as dependencies. On Arch
Linux you typically build packages without subpackage. They are no *-dev or *-devel
packages.
my_image.kiwi
Contains the image configuration in XML format. Full XML schema documentation can be
found https://osinside.github.io/kiwi/image_description.html .
config.sh (optional)
configuration script that runs at the end of the installation, but before package scripts have
run.
root/
directory that contains les that will be applied to the built image after package installa-
tion. This can also be an archived and compressed directory, usually named root.tar.gz .
Note
OBS only accepts KIWI configuration les with a .kiwi suffix. Other naming schemes
KIWI supports like config.xml , are ignored in OBS.
For more information about building images with KIWI, see the https://osinside.github.io/ki-
wi/building_images.html .
24 Arch: pkg
2.6 SimpleImage
This format can be used to get simple rootfs tarball or squashfs image. It does not contain a
bootloader or a kernel. For advanced features, use KIWI. Use SimpleImage for simple rootfs
tarball/squashfs image of any distribution that is supported by OBS but does not have anything
fancier than that.
For building a SimpleImage, you need a simpleimage le. Be aware of the following points:
RPM macros are not supported, but $SRCDIR shell variable is available.
Name: example-image
Version: 1.0
BuildRequire: emacs
#!BuildIgnore: gcc-c++
%build
# Set root password
passwd << EOF
opensuse
opensuse
EOF
# Enable ssh
systemctl enable sshd
2.7 AppImage
2.8 Flatpak
The Flatpak (https://flatpak.org/) format can be used to generate desktop apps for Linux.
For building an installable Flatpak bundle, you need a flatpak.yaml manifest le. See Flatpak
Manifests (https://docs.flatpak.org/en/latest/manifests.html) for the full documentation.
25 SimpleImage
Also some project and package configuration is necessary.
QUICK START
MANIFEST FORMAT
Input format is YAML (https://yaml.org) . Although flatpak also accepts JSON, we are using
YAML in Open Build Service, because we have a special additional eld in form of a YAML
comment.
You can use JSON, as it is a subset of YAML. But be aware that flatpak accepts non-standard
// comments, while Open Build Service does not.
#!BuildVersion - Use this eld to specify the version of your app so the .flatpak le
will be versioned. Flatpak manifests do not have a version eld.
The base images for Freedesktop, GNOME, KDE are maintained in the OBS:Flatpak (https://
build.opensuse.org/project/show/OBS:Flatpak) repository in form of rpm packages. They are
generated by installing the images from Flathub (https://flathub.org/) and packing the directo-
ries into a tar archive.
######################################################
# Flatpak manifest example for Open Build Service
# https://docs.flatpak.org/en/latest/manifests.html
# Input should be YAML, even though the file can have
# a .json suffix (JSON is a subset of YAML).
# Don't use '//' comments!
######################################################
# Special OBS field because flatpak does not have a version field
# Default will be '0' if the field is missing.
#!BuildVersion: 3.14.15
---
26 Flatpak
app-id: org.gnome.Mahjongg
runtime: org.gnome.Platform
sdk: org.gnome.Sdk
runtime-version: '3.36'
command: gnome-mahjongg
finish-args:
- --share=ipc
- --socket=fallback-x11
- --socket=wayland
- --device=dri
- --metadata=X-DConf=migrate-path=/org/gnome/Mahjongg/
cleanup:
- "/share/man"
modules:
- name: gnome-mahjongg
buildsystem: meson
sources:
- type: archive
# Source archives should be put into the OBS package, but you can
# keep the original URL from where it was downloaded here.
url: https://download.gnome.org/sources/gnome-mahjongg/3.36/gnome-
mahjongg-3.36.2.tar.xz
Type: flatpak
Support: kmod-compat kernel-default perl-YAML-LibYAML
<project name="Your:Project:Name">
<title>Title</title>
<description>Description</description>
<repository name="openSUSE_Leap_15.2">
<path project="OBS:Flatpak" repository="openSUSE_Leap_15.2"/>
<arch>x86_64</arch>
</repository>
<repository name="openSUSE_Leap_15.1">
27 Flatpak
<path project="OBS:Flatpak" repository="openSUSE_Leap_15.1"/>
<arch>x86_64</arch>
</repository>
</project>
2.9 mkosi
Mkosi (https://github.com/systemd/mkosi/) allows building images for rpm, arch, deb and gen-
too based distributions, on any architecture that supports UEFI. Images built with mkosi will
follow the Discoverable Partitions Specification (https://systemd.io/DISCOVERABLE_PARTITIONS/)
and will be bootable on baremetal (UEFI), virtual machines (UEFI), containers via sys-
temd-nspawn, (https://www.freedesktop.org/software/systemd/man/systemd-nspawn.html) or
as Portable Services (https://systemd.io/PORTABLE_SERVICES/) in systemd.
For building an image in mkosi you need the mkosi.my_image recipe le. This le contains the
image configuration in INI format. All available options can be found in the Mkosi documentation
(https://github.com/systemd/mkosi/blob/main/mkosi.md) .
Note
Ensure to set Type: mkosi in the repository's prjconf where the image builds are
enabled on OBS.
EXAMPLE 2.5: MKOSI MINIMAL BUILD RECIPE (mkosi.suse) FOR A TUMBLEWEED IMAGE
[Distribution]
Distribution=opensuse
Release=tumbleweed
[Output]
Format=gpt_ext4
[Content]
Password=
Autologin=yes
Packages=
patterns-base-minimal_base
28 mkosi
Substitute: integritysetup
Substitute: veritysetup
Prefer: openSUSE-release-appliance-custom python310-cryptography
%endif
<project name="Your:Project:Name">
<title>Title</title>
<description>Description</description>
<repository name="suse">
<path project="openSUSE:Factory" repository="snapshot"/>
<arch>x86_64</arch>
</repository>
</project>
29 mkosi
III Setup
4 Build Configuration 37
3 osc, the Command Line Tool
apiurl (string)
Used to access the Open Build Service (OBS) API server. This is needed if you work with
different OBS server (for example, a public and a private one). If you have to distinguish
different servers, you can also use the -A option. Usually, it is good practice to create an
alias like this:
extra-pkgs (list)
Contains a space-separated list of package. These extra packages are installed when you
build packages locally. Useful when you need an additional editor inside the build envi-
ronment, for example vim .
build_repository (string)
Sets the default platform when omitted in osc build .
exclude_glob (list)
Contains a list of space separated le names to ignore. For example, *.bak to ignore all
backup les.
checkout_no_colon (bool)
Separates projects and subprojects in directories and subdirectories instead of creating a
single directory. For example, setting the option and checking out the home project will
lead to a directory structure home/obsgeeko instead of the single directory home:obs-
geeko .
use_keyring (bool)
Use the default keyring instead of saving the password in the OBS configuration le. For
KDE the KWallet is used, for GNOME it is Seahorse.
cafile (string)
Provide set of trusted CA certificates for HTTPs requests. Expects CAs in a sin-
gle le containing a bundle of CA certificates in PEM format. More details can be
found in OpenSSL documentation (https://www.openssl.org/docs/manmaster/man3/SSL_C-
TX_load_verify_locations.html) .
capath (string)
Provide set of trusted CA certificates for HTTPs requests. Expects a directory containing CA
certificates in PEM format. More details can be found in OpenSSL documentation (https://
www.openssl.org/docs/manmaster/man3/SSL_CTX_load_verify_locations.html) .
32 Configuring osc
3.3 Usage
Use a Password Manager. Set the option use_keyring to 1 after you have created a
configuration le for the rst time. Remove your credentials sections from your configu-
ration le. The next time osc asks for your username and password, it will store it in the
password manager instead of the configuration le.
If you prefer your current password manager, set the option use_keyring to 1 after you have
authenticated it.
33 Usage
osc ls Apache flood #list files of package of a project
osc ls shows you a list of projects on OBS. Which OBS instance it shows depends on the
option apiurl in the configuration le. By default, the openSUSE Build Server is used. If
you need another server, use the -A option as shown in Section 3.2, “Configuring osc”.
Checkout Content
osc up
osc up [directory]
osc up * # from within a project dir, update all packages
osc up # from within a project dir, update all packages AND check out
all newly added packages
osc log
osc st
osc st [directory]
If an update cannot be merged automatically, a le is in 'C' (conflict) state, and conflicts are
marked with special lines. After manually resolving the problem, use osc resolved FILE .
Add all New Files in Local Copy and Removes all Disappeared files
osc addremove
osc results
osc results [platform]
Show the URLs of .repo Files which are Packages Sources for Package Managers
osc repos
Show Metadata
(The project configuration may well be empty. It is needed in special cases only.)
Update Package Metadata on OBS with Metadata Taken from Spec File
Resolve dependency problems like when there are multiple providers for a dependency:
The build configuration can be stored in multiple places. Inside of OBS it can be stored only
once per project. However, it is possible to define exceptions via if-conditions, for example
per repository name or architecture. At the project level, the build configuration is sometimes
referred to as the "project config", or "prjconf" for short. At build time, the configuration gets
merged according to the repository path configuration defined in the project metadata. This
resulting configuration can be requested using osc buildconfig . To view or edit the build
configuration in projects, use one of the following methods
With osc . Use osc meta prjconf in your working directory of your project.
Via git/scmsync. Store a le called '_config' in a git repository used via the scmsync mech-
anism for a project.
keyword: arguments
Use the conditionals (%if or %ifarch) if a line should only be used in some condition.
Many keywords, like `Require` or `BuildFlags`, do not replace existing data, but add to it. This
means you can have multiple `BuildFlags` lines instead of having one line with all the ags
you need.
An exclamation mark `!` can be prepended to the argument to remove an existing entry from
the data.
In the following list, the placeholder PACKAGES indicates a package base name (or names). When
specifying multiple packages, separate their base names with spaces. For example, as a package
name you need the base name like gcc but not the full name as in gcc-1.2.3.i386.rpm .
The following list contains a list of allowed keywords in the build configuration (prjconf):
BuildEngine: ENGINE
Use an alternative build engine. Examples are `mock` (for Fedora and Red Hat) and `de-
bootstrap` (for Debian), `debbuild` (to build debian packages with spec les), `podman`
(container builds). Here is an example config for `debbuild`:
Type: spec
Repotype: debian
Binarytype: deb
BuildFlags: FLAG:VALUE
The BuildFlags keyword defines ags for the build process. The following values for
FLAG are usable.
allowrootforbuild
Allow any package build to use root user for building. This still needs a marker inside
of the build description to enable it.
vmfstype:TYPE
Defines a specific le system when building inside of a VM. Possible values are ext2 ,
ext3 , ext4 , btrfs , xfs , reiserfs (v3).
vmfsoptions:OPTION
Sets options for le system creation. Currently only the `nodirindex` option is sup-
ported, which disables directory indexing for ext le systems. This makes le order-
ing inside of directories reproducible but may have a negative performance impact.
vmfsoptions:nodirindex
kiwiprofile:PROFILE
Selects the profiles to build in kiwi appliance builds.
logidlelimit:SECONDS
Build jobs which do not create any output are aborted after some time. This ag can
be used to modify the limit.
excludebuild:PACKAGE
Exclude a package from building. If a package builds multiple flavors, the corre-
sponding flavor can be specified via the `package:flavor` syntax.
onlybuild:PACKAGE
DANGER: this may remove many build results when introduced the rst time! It can
be used to maintain a whitelist of packages to be built. All other packages will turn
to excluded state and get removed if available.
useccache:PACKAGE
Configure usage of ccache when building the specified package.
ccachetype:TYPE
Defines the ccache implementation, possible values are: ccache, sccache
setvcs
Add the SCM URL to binary results when the package sources are managed via the
scmsync mechanic. The url is written into the VCS tag of rpms when enabling this
functionality.
nodisturl
Skip the embedding of DISTURL tag into binaries. Please note that this might also
break other features like binary tracking. So never do this for maintained binaries.
sbom:FORMAT
OBS 2.11 can produce and publish additional SBOM (Software Bill Of Material) meta
data by enabling this ag. This is currently supported for container and kiwi images
builds and includes only data from installed rpm packages. Supported formats are
spdx and cyclonedx.
slsaversion:VERSION
OBS 2.11 is producing slsa provenance les in version 0 by default at build time,
when enabled. It is possible to switch to v1 by specifing slsaversion:v1 as buildflag.
container-compression-format:FORMAT
Sets a compression format for container layers. Possible values are gzip, zstd, zst-
d:chunked. Every value other than gzip is only supported by podman and buildah.
container-build-format:FORMAT
For podman container builds, it specifies the container config format. Possible values
are 'docker' and 'oci'. The default is 'docker'. The 'docker' format allows a few exten-
sions like ONBUILD, SHELL, DOMAINNAME, COMMENT, HEALTHCHECK amongst
others.
Conflict: PACKAGE_A:PACKAGE_B
Specify a synthetic conflict between two given packages.
ExpandFlags: FLAG
Flags which modify the behaviour during dependency resolution.
preinstallexpand
Preinstall also all dependencies of a preinstalled package. This may increase the
amount of preinstalled packages a lot.
dorecommends
Try to install all recommended packages. Packages with dependency conflicts are
ignored.
ignoreconflicts
Ignore defined conflicts of packages. By default these are reported as unresolvable.
This switch may be useful when packages get not installed in the build environment,
but getting processed afterwards. That tool, e.g. some image building tool, must be
able to handle the situation (e.g. by just using a subset of the packages).
kiwi-nobasepackages
Do not put the require/support/preinstall packages in the repositories offered to the
kiwi build tool. This should have been the default.
keepfilerequires
Dependencies on les are only fulfilled if matching FileProvides are specified in the
build configuration (prjconf). If those are missing, the dependency results in an "un-
resolvable" state for directly required les or in silent breaking of the dependency for
indirectly required les. With this option, all le requires are honoured by default
and lead to "unresolvable" if there are no matching FileProvides defined.
HostArch: HOST_ARCH
This is used for cross builds. It defines the host architecture used for building, while the
scheduler architecture remains the target architecture.
Ignore: ORIGIN_PACKAGE:PACKAGE_OR_DEPENDENCY
Ignore a dependency coming from ORIGIN_PACKAGE. See the previous section for more
details.
Keep: PACKAGES
To eliminate build cycles the to-be-built package are not installed by default, even when it
is required. Keep can be used to overwrite this behavior. It is usually needed for packages
like make that are used to build itself. Preinstalled packages are automatically kept, as the
package installation program needs to work all the time.
Order: PACKAG_A:PACKAGE_B
The build script takes care about the installation order if they are defined via dependencies
inside of the packages. However, there might be dependency loops (reported during setup
of the build system) or missing dependencies. The Order statement can be used then to
give a hint where to break the loop.
The package in PACKAGE_A will get installed before the package in PACKAGE_B .
Patterntype: TYPE
Defines the pattern format. Valid values are: none (default), ymp, comps. Multiple types
can be specified.
Prefer: PACKAGES
In case multiple packages satisfy a dependency, the OBS system will complain about that
situation. This is unlike like most package managing tools, which just pick one of the
package. Because one of OBS' goal is to provide reproducible builds, it reports an error
in this case instead of choosing a random package. The Prefer: tag lists packages to be
preferred in case a choice exists. When the package name is prefixed with a dash, this is
treated as a de-prefer.
Preinstall: PACKAGE
This is used to specify packages needed to run the package installation program. These
packages are unpacked so that the native installation program can be used to install the
build environment. Included scripts are not executed during this phase. However, these
packages will be re-installed later on including script execution.
PublishFlags: FLAG
Flags which modify the behaviour during repository generation.
RegistryURL: URL
Define a url for the downloading of containers.
Repotype: TYPE[:OPTIONS]
Defines the repository format for published repositories. Read on for permissible values
(repository types). The syntax of the OPTIONS parameter depends on the repository type,
and is also described below.
This is the list of repository types. Multiple values can be combined in the same line,
separated by spaces.
rpm-md
rpm-md repository data is generated as invented by YUM originaly.
hdlist2
Mandriva repository format
debian
Debian repository format
arch
Arch Linux repository format
vagrant
Vagrant image repository format
staticlinks
Additional links to build results excluding version and build numbers are created.
zyppservice
Generate zypp service les, publishing all used repository pathes to the zypp client.
helm
Helm repository metadata
checksumsfile
Checksums le with signatures of repository content
ymp
YaST single install ymp le generation. Zypp services should be used instead.
comps
Generate comps les, Fedora style patterns
This is the list of repository options to modify the way the repository type is generated:
sha256
rpm-md repository data is generated using SHA-256 checksums. This is the default.
sha512
rpm-md repository data is generated using SHA-512 checksums.
legacy
rpm-md repository data is generated using SHA-1 checksums. Considered to be unsafe
and not anymore recommended.
filelists-ext
rpm-md repository provides additional lelist-ext provides
compression-zstd
rpm-md repository data is compressed using zstd instead of gz
deltainfo
rpm-md repository provides additional rpm delta informations for incremental rpm
updates.
splitdebug:SUFFIX
A second repository is generated where all debuginfo and debugsource packages get
moved to. The specified SUFFIX is added to the repository name. For example:
rsyncable
rpm-md repository gets recompressed using rsyncable format.
rawsig
checksumsfile repository provides binary signatures instead of ascii signatures
RepoURL: [TYPE@]URL
Define a url for the downloading of repository packages. Supported types are currently
`arch`, `debian`, `hdlist2`, `rpmmd`, `suse`. If the type is not specified, it is guessed from
the build type.
Required: PACKAGE
Specify a package that always is installed for package builds. A change in one of these
packages triggers a new build.
Runscripts: PACKAGES
Defines the scripts of preinstalled packages which needs to be executed directly after the
preinstall phase, but before installing the remaining packages.
Target: TARGET_ARCH
Defines the target architecture. This can be used to build for i686 on i586 schedulers for
example. Please note that on rpm based systems just the architecture needs to be specified,
but on debian systems the gnu triplet, for example arm-linux-gnueabihf.
Target: GNU_TRIPLET
Defines the target architecture. This can be used to build for i686 on i586 schedulers for
example. Please note that on rpm based systems just the architecture needs to be specified,
but on debian systems the gnu triplet, for example arm-linux-gnueabihf.
Type: TYPE
Build recipe type. This is the format of the le which provides the build description. This
gets usually autodetected, but in some rare cases it can be set here to either one of these:
spec, dsc, kiwi, livebuild, arch, preinstallimage, mkosi.
Defines the build recipe format. Valid values are currently: none, spec, dsc, arch, kiwi,
preinstallimage. If no type is specified, OBS deduces a type from the binary type.
VMInstall: PACKAGE
Like Preinstall , but these packages get only installed when a virtual machine like Xen
or KVM is used for building. Usually packages like mount are listed here.
This will always enable ccache when a direct build depdency to gcc-c++ is required.
It is also possible to set the type, eg:
Macros: Macro Definitions. Macros defined after a Macros: line are exported into the
.rpmmacros le of the build root. As such, these macro definitions can be used in a spec
le. The section may be closed via a :Macros line. This is sometimes required to avoid
parse errors, for example when the macro definitions are inside an %if-%endif statement.
The Macros: section is always verbatim: any condition to activate it must be outside of
the Macros: tags. Macros defined in this section are used by Open Build Service for build
dependency resolution and are also available at build time. Any definition here is also
overwriting definitions provided by any packages.
DistMacro. The DistMacro can be used to define a macro for build dependency resolution.
It is intended to be used when a distribution defines relevant macros inside of any of their
packages. These macros are hidden by default to the Open Build Service dependency re-
solver. Use this directive to make it known to Open Build Service. Unlike Macros:, Dist-
Macro won't overwrite any existing and possibly changed definition at build time.
%define Macro Definitions. Macro definitions starting with a %define line are used dur-
ing the build configuration parsing only. These definitions are not available inside the
build root or during parsing of build recipes. Typical use cases are macros inside of %if
statements inside of the build configuration or macros in any Support, Require or Substi-
tute line.
%define _with_pulseaudio 1
then the macro %_with_pulseaudio will expand to 1 only inside the build configuration.
Macros:
# add your macro definitions
:Macros
%_hardened_build 0
6 Local Building 62
10 Notifications 112
11 Moderation 120
5 Basic OBS Workflow
You have an account on an Open Build Service instance. To create an account, use the
Web UI.
You have installed osc as described in Section 3.1, “Installing and Configuring”.
You have configured osc as described in Section 3.3.2, “Using osc for the First Time”.
For example, on the openSUSE Build Service, build targets will include distribu-
tions such as openSUSE:Tumbleweed , openSUSE:Leap:VERSION , openSUSE:Tools ,
openSUSE:Templates .
<project name="home:obsgeeko">
<title>obsgeeko's Home Project</title>
<description>A description of the project.</description>
<person userid="obsgeeko" role="bugowner"/>
<!-- contains other OBS users -->
<debuginfo>
<enable repository="openSUSE_Factory"/>
</debuginfo>
3. To add build targets, use the repository element. For example, on openSUSE Build
Service, you can add the build targets openSUSE Tumbleweed for x86 and x86-64 with:
<repository name="openSUSE_Tumbleweed">
<path project="openSUSE:Tumbleweed" repository="standard"/>
<arch>i586</arch>
<arch>x86_64</arch>
</repository>
4. Add more repository elements as needed. Insert the information from Step 1 into the
project attribute.
On openSUSE Build Service, you can normally use the attribute repository with the
value standard . For example, to add openSUSE Leap as a build target, create an entry
like:
<repository name="openSUSE_Leap_42.3">
<path project="openSUSE:Leap:42.3" repository="standard"/>
<arch>i586</arch>
<arch>x86_64</arch>
</repository>
After a while, the defined build targets show up in your home project.
1. Open a shell. Choose or create a directory on your system in a partition that has enough
space to hold the package sources.
2. Prepare your working directory. These steps only have to be performed once:
4. Create a spec le which contains metadata and build instructions. For more information
about spec les, see https://rpm-packaging-guide.github.io .
a. To create a new changelog le or to update an existing changelog le with osc , use:
-------------------------------------------------------------------
Fri Aug 23 08:42:42 UTC 2017 - [email protected]
Bug and Security Fixes. If a bug was xed, mention the bug number. Most
projects have policies or conventions for abbreviating bug numbers, so there
is no need to add a long URL.
For example, in openSUSE Build Service, boo# is used for bugs on https://
bugzilla.opensuse.org and fate# is used for features on https://fate.open-
suse.org .
7. Build the package for a specific distribution and architecture, for example, openSUSE
Tumbleweed for x86-64:
If you encounter problems, see Section 5.3, “Investigating the Local Build Process”.
8. Check if your build was successful. If everything was ne, commit the les to your package
to your home project on OBS:
To delete a le in your working directory, merely deleting it from the local filesystem ( rm FILE )
is not sufficient, since osc , like any other Source Code Control System, will just complain that
the le is missing. If you really want to delete a le, use the command:
PROCEDURE 5.3: PROCEDURE FOR MOVING A FILE WITHIN A LOCALLY CHECKED-OUT OBS PACKAGE
4. And, finally:
However, this command will print the complete build log which could be difficult to spot the
errors. Use the buildlogtail subcommand to show only the end of the log le:
.build.log
Contains the log.
.build.command
Contains the command which is used to build the package. For RPM-like systems it is
rpmbuild -ba PACKAGE.spec .
.build.packages
Contains the path to all object les.
/home/abuild/
└── rpmbuild
├── BUILD 1
├── BUILDROOT 2
├── OTHER 3
├── RPMS 4
│ ├── i386
│ ├── noarch
│ └── x86_64
├── SOURCES 5
└── SRPMS 7
1 Contains directory named after the package name. In spec les, the name of the package
directory is referenced using the %buildroot macro.
2 If the build process was unable to create a package, this directory contains all les and
directories which are installed in the target system through the %install section of the
spec le.
If the package has been successfully built, this directory will be emptied.
3 Usually contains the le rpmlint.log .
4 If the build was successful, stores binary RPMs into subdirectories of architecture (for ex-
ample, noarch or x86_64 ).
5 All source les from the working copy will be copied here.
6
Name: foo-example
Version: 1.0.0
BuildRequires: bar
Requires: zool >= 1.5.6
1. Open a terminal.
3. Search for repository elements. For example, to allow usage packages from devel:lan-
guages:python in a openSUSE Tumbleweed project, extend the repository element
with:
<repository name="openSUSE_Tumbleweed">
<path project="devel:languages:python" repository="openSUSE_Factory"/>
<path project="openSUSE:Factory" repository="standard"/>
<arch>x86_64</arch>
</repository>
5. If necessary, repeat Step 3 and Step 4 to add path elements to repository elements of
other distributions or releases.
An “aggregate” package is a pointer to an OBS package. Such package and the result of it are
referenced int another project. “Aggregating” is used in the following situations:
Packages that are needed for building are only available in a different project.
Build results (binaries) of the aggregated package are copied into the target's package
repository.
For example, to aggregate the package python-lxml from devel:language:python into your
home project, use the following command:
The next time you update your working directory, the python-lxml contains the _aggregate
le.
The source code needs changes, but the source either cannot be changed in the original
package or doing so is impractical or inconvenient to change the source.
For example, to link the package python-lxml from devel:language:python into your home
project, use the following command:
In contrast to aggregating, the checkout contains all the les from the linked repository. To
reduce it to a single le (like with aggregating), “unexpand” it in the working directory like this:
This gives you a _link le similar to the _aggregate le. You can use the --expand-link
option in the up subcommand to revert to the previous state.
61 Manage Group
6 Local Building
Every build that happens on the server can also be executed locally in the same en-
vironment using the osc tool. All you need is to check out the source code and run
osc build to run the build recipe. The following explains it for RPM format, but it
works for any. osc will download needed binaries and execute the local build.
the original source archive. Instead of that the package may contain a _service le which
describes how to create it, for example by downloading it or building it from a SCM repos-
itory. It can also be used to create the build description le. Find more details about it in
the source service chapter.
optional patches which changes the original source code to x problems regarding security,
the build process, or other issues
other les which do not fall into one of the previous categories
In the typical case of source packages locally checked out from an OBS server, this is already
the case. To build an existing package, the general procedure is as follows:
1. If you have not done so yet, set up your project as shown in Section 5.1, “Setting Up Your
Home Project”.
2. In the terminal, choose or create a directory on a local partition that has enough space
to hold the package sources.
5. The simplest way to run a build is just to call the osc build command. osc will try to
detect your installed OS and build for it if possible.
However, you may also manually specify the build target. For example openSUSE Tum-
bleweed for x86_64, you want to create the RPM package:
6. It will download the required dependencies and execute the build script. Therefore it needs
to ask for root permissions in most cases.
Successful Build
/var/tmp/build-root/openSUSE_Tumbleweed-x86_64/home/abuild/rpmbuild/
SRPMS/PACKAGE-VERSION-0.src.rpm
/var/tmp/build-root/openSUSE_Tumbleweed-x86_64/home/abuild/rpmbuild/RPMS/
noarch/PACKAGE-VERSION-0.noarch.rpm
Unsuccessful Build
[ 8s] venus failed "build PACKAGE.spec" at Fri Sep 1 11:58:55 UTC 2017.
[ 8s]
You can also build locally in KVM (if your hardware supports it) by running
Another important virtualization mode is qemu. This can be used to build for a foreign
hardware architecture even when the distribution is not prepared for the qemu user land
emulator. However, this qemu system emulator approach will be much slower.
You may want to jump inside of a the build environment for debugging purposes. This can
be done via the following command:
Server-side generated les are easy to identify and are not modifiable by the user. This way,
other users can trust them to be generated in the documented way without modifications.
Source services are runnable on server and client side in the same way.
Source services are safe. A source checkout and service run never harms the system of a
user.
Source services avoid unnecessary commits. This means there are no time-dependent
changes. In case the package already contains the same le, the newly generated le is
dropped.
Source services running local or inside the build environment can get created, added and
used by everybody.
Source services running in default or server side mode must be installed by the adminis-
trator of the OBS server.
The use of a source service can be defined per package or project wide.
For using source services you need (refer to Example 7.1, “Structure of a _service File”):
A service element which uses the specific service with optional parameters.
<services> 1
</service>
</services>
Default After each commit Before local build Generated les are prefixed with _ser-
vice:
Default Mode
The default mode of a service is to always run after each commit on the server side and
locally before every local build.
trylocal Mode
This mode is running the service locally. The result is committed as standard les and not
named with a _service: prefix. Additionally, the service runs on the server by default.
Usually the service should detect that the result is the same and skip the generated les.
In case they differ, they are generated and added on the server.
localonly Mode
This mode is running the service locally. The result gets committed as standard les and
not named with _service: prefix. The service is never running on the server side. It is
also not possible to trigger it manually.
serveronly Mode
The serveronly mode is running the service on the server only. This can be useful, when
the service is not available or can not work on developer workstations.
manual Mode,
disabled Mode
The manual mode is neither running the service locally nor on the server side by default.
It can be used to temporarily disable the service but keeping the definition as part of the
service definition. Or it can be used to define the way how to generate the sources and
doing so by manually calling osc service rundisabled . The result will get committed as
standard les again. NOTE: it did only exist as "disabled" before OBS 2.11, but "manual" is
the better matching alias name for its usage. The osc client may do have different behaviour
in future between manual and disabled.
Per Package. Useful when the packager wants to validate whether the downloaded sources
are really from the original maintainer.
Per Project. Useful for applying project-wide policies which cannot be skipped for any
package.
By comparing checksums and metadata of the les in your repository with checksums and
metadata as recorded by the maintainer.
Alternatively, you can download the sources from a trusted location again and verify that
they did not change.
The _service le contains a list of services which get called in the listed order. Each service
can define a list of parameters and a mode. The project wide services get called after the per
package defined services.
The _service le is in XML format and looks like this:
<services>
<service name="download_files" mode="trylocal" />
<service name="verify_file">
<param name="file">krabber-1.0.tar.gz</param>
<param name="verifier">sha256</param>
<param
name="checksum">7f535a96a834b31ba2201a90c4d365990785dead92be02d4cf846713be938b78</param>
</service>
</services>
With the example above, the services above are executed in the following order:
1. Downloads the le via the download_files service using the URL from the Spec le.
When using osc, the downloaded le gets committed as part of the commit.
https://YOUR_INSTANCE/trigger/runservice
and the Secret Token. Hit the Add webhook button and you are good. You may specify project
and package via CGI parameters in case you created a wildcard token:
https://YOUR_INSTANCE/trigger/runservice?project=PROJECT&package=PACKAGE
https://YOUR_INSTANCE/trigger/webhook?id=$TOKEN_ID
and ll the secret box with your token string. Please note that github requires that you must
also define the token id as part of the webhook string. All other settings can stay untouched and
just hit the Add webhook button.
8.1.1 Introduction
With this integration, you can take advantage of source code management (SCM) systems like
GitHub, GitLab or Gitea to manage your packages sources. Then, you can integrate those sources
with OBS to run different workflows, for instance, to build a package and report back the result
to the SCM.
In the following sections, you will nd the instructions to set up the integration between SCMs
and OBS.
This chapter talks in GitHub jargon to simplify the text. As constantly mentioning all the names
for the same things, e.g. Pull Requests/Merge Requests, is tiresome and confusing. However, every
aspect has its correspondence in GitLab and Gitea. Refer to Section 8.1.10, “Equivalence Table” for
clarification of terminology.
8.1.2 Prerequisites
Before you start, you need to
GitLab: api
Gitea: repo
You can create the OBS token via WebUI in Profile > Manage Your Tokens.
You can also use osc for this:
Example of response:
<status code="ok">
<summary>Ok</summary>
<data name="token">long_ascii_salad</data>
<data name="id">12345</data>
72 Token Authentication
</status>
Make sure you replace long_ascii_salad with your real GitHub personal access token created in
Section 8.1.4.1, “How to Authenticate OBS with SCMs”
Warning
Don't forget to keep your token secret to prevent someone else from triggering operations
in your name!
If you suspect your OBS token secret was leaked, you can regenerate the secret or delete the
whole token to secure it again:
a) Regenerate the token secret
Through the WebUI in Profile > Manage Your Tokens > Edit > Regenerate Token.
b) Delete the token
You can always delete your token via WebUI, in Profile > Manage Your Tokens, or with these
commands:
osc token --delete $token_id # remove the token with the given id
Then you can create a new one as explained in Section 8.1.4.2, “How to Authenticate SCMs with OBS”
and replace it wherever you use it.
8.1.5 Webhooks
Once OBS and GitHub are allowed to speak to each other, they can start talking via webhooks.
73 Webhooks
This is the list of SCM events supported by the existing workflows in OBS:
Pushes
Tag Pushes
In addition, the Pull request events contain a eld called action. OBS supports a different subset
of Pull request event actions, depending on the SCM. For GitHub and Gitea, the following set
of actions is supported:
closed
opened
reopened
synchronize
synchronized
For Gitlab's Merge request events, the following actions are supported:
close
merge
open
reopen
update
Refer to the Equivalence Table for more details or read more about
GitHub events (https://docs.github.com/en/developers/webhooks-and-events/webhooks/web-
hook-events-and-payloads) , GitLab events (https://docs.gitlab.com/ee/user/project/integra-
tions/webhook_events.html) and Gitea events (https://docs.gitea.io/en-us/webhooks/) .
Go to the project you want to set the integration on, then under Settings > Webhooks.
74 Webhooks
FIGURE 8.1: WEBHOOKS ON GITHUB.
Secret: uvwxyz. Replace uvwxyz with the OBS token secret string previously obtained.
Go to the project you want to set the integration on, under the Settings > Webhooks.
75 Webhooks
FIGURE 8.2: WEBHOOKS ON GITLAB.
Secret Token: uvwxyz Replace uvwxyz with the OBS token secret string previously ob-
tained.
Go to the repository you want to set the integration on, then under Settings > Webhooks.
76 Webhooks
FIGURE 8.3: WEBHOOKS ON GITEA.
Secret: uvwxyz. Replace uvwxyz with the OBS token secret string previously obtained.
rebuild_master:
77 OBS Workflows
steps:
- rebuild_package:
project: home:Admin
package: ctris
filters:
event: push
You can also define multiple workflows, each one needs an unique name. The following example
contains two workflows: main_workflow and rebuild_master.
main_workflow:
steps:
- branch_package:
source_project: OBS:Server:Unstable
source_package: obs-server
target_project: OBS:Server:Unstable:CI
filters:
event: pull_request
rebuild_master:
steps:
- rebuild_package:
project: home:Admin
package: ctris
filters:
event: push
branches:
only:
- master
By default the configuration le is fetched from the repository's target branch under .obs/work-
flows.yml. You can of course adjust that by editing the token configuration in OBS. The following
options are available:
Path for Workflows Configuration File allows you to adjust the path to be different than the
default .obs/workflows.yml in the code repository.
URL to Workflows Configuration File allows you to use a le that is hosted in a different
place than the code repository.
78 OBS Workflows
FIGURE 8.4: CONFIGURATION FILE LOCATION OPTIONS IN EDIT TOKEN
We support the following steps (the keys used in the configuration le appears surrounded with
parenthesis):
Warning
The user the token belongs to needs to have permissions to branch a package, link pack-
ages, configure repositories/architectures, rebuild packages and trigger services of a pack-
age.
79 OBS Workflows
8.1.6.2.1 Branch a Package in a Project
Given we have a source package called ctris coming from a source project called games, and
a target project called home:jane, this step will branch that package onto the target project,
keeping in mind that:
With a push event for tags, it will go to e.g.: home:jane/ctris-release_1. release_1 being the
name of the tag that triggered the event.
workflow:
steps:
- branch_package:
source_project: games
source_package: ctris
target_project: home:jane
Branching a package into a project that did not exist before, for instance for a pull request event,
will branch the package and set up the same repositories that the source project has. If you
want to skip this and set up repositories yourself, with the configure_repositories step, set the
add_repositories key to anything else than enabled.
The submit request step is the equivalent of the osc submitrequest command.
The requirements to run a submit request step are:
There has to be some changes between the source package and the target package.
80 OBS Workflows
After the previous requirements are met, keep in mind that:
With a pull request open event, push event, or tag_push event, it will create the submit
request.
When more commits are added to the pull request, it will supersede the request it previ-
ously created with a new request.
workflow:
steps:
- submit_request:
source_project: games
source_package: ctris
target_project: home:jane_doe
target_package: ctris # (optional, uses source_package if
not set)
description: 'Check out this cool package' # (optional, uses the commit/pull
request message if not set)
home:jane:github:jane:gcc:PR-1/gcc for a pull request event. PR-1 being the pull request
number.
home:jane/gcc-release_1 with a push event for tags. release_1 being the name of the tag that
triggered the event.
workflow:
81 OBS Workflows
steps:
- link_package:
source_project: devel
source_package: gcc
target_project: home:jane
Note
If you rely on Using Source Services to run, for instance to pick up changes from a PR with
the obs_scm service, you can't make use of this step. Package links do not run the services.
Use the branch_package step instead.
Given a project called home:jane, the step will configure a number of repositories and architec-
tures for:
a list of paths, each having a target project (e.g: openSUSE:Factory) and target repository
(e.g: snapshot)
a list of architectures to be defined for each repository. e.g.: x86_64 and i586
workflow:
steps:
- configure_repositories:
project: home:jane
repositories:
- name: openSUSE_Tumbleweed
paths:
82 OBS Workflows
- target_project: openSUSE:Factory
target_repository: snapshot
- target_project: openSUSE:Tumbleweed
target_repository: standard
architectures:
- x86_64
- i586
- name: openSUSE_Leap_15.2
paths:
- target_project: openSUSE:Leap:15.2
target_repository: standard
architectures:
- x86_64
Given a project called home:Admin and a package ctris, the step will rebuild the package home:Ad-
min/ctris.
This is an example of a configuration le with a rebuild package step.
workflow:
steps:
- rebuild_package:
project: home:Admin
package: ctris
There are OBS-wide defaults for each ag type. This step is only necessary if you want to diverge
from the defaults (see Valid flag types).
Providing the type build, the status enable and the project home:Admin, OBS will enable all builds:
workflow:
steps:
83 OBS Workflows
- set_flags:
flags:
- type: build
status: enable
project: home:Admin
- type: publish
status: disable
project: home:Admin
The type, status and project keys are always required. Optional keys are also available to limit
the ag to a package, repository or architecture.
The project, package, repository and architecture should exist before a ag is set for them. They
can be created in steps preceding a set_ags step, although this isn't necessary as long as they
exist.
The type has to be one of the following values:
workflow:
84 OBS Workflows
steps:
- set_flags:
flags:
- type: build
status: disable
project: home:Admin
package: ctris
repository: openSUSE_Tumbleweed
architecture: x86_64
Given a project called home:Admin and a package ctris, the step will trigger services of the
package home:Admin/ctris.
Be sure to have a _service (https://openbuildservice.org/help/manuals/obs-user-guide/cha.ob-
s.source_service.html) le in the package home:Admin/ctris.
This is an example of a configuration le with a trigger services step:
workflow:
steps:
- trigger_services:
project: home:Admin
package: ctris
8.1.6.3 Filters
You can customize when workflows run by declaring branch or Event filters. They will make
workflows run or not for specific branches/events.
You can define them in the configuration le .obs/workflows.yml. Here's an example:
workflow:
steps:
- branch_package:
source_project: home:jane_doe
source_package: ctris
target_project: games
filters:
event: pull_request
branches:
only:
- master
85 OBS Workflows
- staging
Some steps can affect a group of elements (branches) You can use filter delimiters like only and
ignore to specify which elements should be affected, or not, by the step.
The available filters delimiters are:
ignore: the step affects all the elements except those in the list.
Note
only has precedence over ignore, so if both are defined, ignore is not considered.
This is an example to run a workflow only for the target branches master:
workflow:
steps:
- rebuild_package:
project: games
package: ctris
filters:
branches:
only:
- master
This is an example to run a workflow for all the target branches except for the branch staging:
workflow:
steps:
- rebuild_package:
project: games
package: ctris
filters:
branches:
ignore:
- staging
86 OBS Workflows
8.1.6.3.2 Event Filter
Setting an event filter will run the workflow only for this event. The event filter doesn't ac-
cept multiple events. Documentation on the SCM events can be found here: Section 8.1.5.1, “SCM
Events”.
merge_request is an alias for the 'pull_request' event. Introduced with workflow version
1.1 (also see Section 8.3.1, “Workflow Version Table”). .
The following is an example to run a workflow only for a pull request event:
workflow:
steps:
- branch_package:
source_project: games
source_package: ctris
target_project: home:jane_doe
filters:
event: pull_request
Matches target branches based on their names and runs a workflow only for those branches.
This is an example to run a workflow for all target branches, except master and final:
workflow:
steps:
- branch_package:
source_project: home:jane_doe
source_package: ctris
target_project: games
filters:
branches:
ignore:
- master
- final
87 OBS Workflows
Learn more about Filters Delimiters: only and ignore.
Note
tag_push events are not supported by the branches filter.
With placeholder variables, workflows are now dynamic. Whenever a webhook event comes
in, OBS downloads the workflows le and parses it. This is when the placeholder variables are
replaced by the data they refer to in the webhook event payload.
Here's a list of supported placeholder variables and their mapping:
%{SCM_PR_NUMBER}: The number of the pull/merge request from which the webhook
event originates. This placeholder variable should be defined in workflows running only
for pull request webhook events.
%{SCM_COMMIT_SHA}: The SHA of the commit from which the webhook event originates.
# The test_build workflow will branch a package based on the SCM repository name from
which the webhook event came from.
test_build:
steps:
- branch_package:
source_project: games
source_package: %{SCM_REPOSITORY_NAME}
target_project: games:CI
filters:
event: pull_request
For a more in-depth example in combination with configuration le location, refer to Sec-
tion 8.4.6, “Using a Custom Configuration File URL in Combination with Placeholder Variables”.
88 OBS Workflows
8.1.7 Status Reporting
Once all the steps in the workflow are done, OBS will report the build results back to GitHub.
OBS will show detailed package build status for each distribution and architecture you have set
up in the configuration le.
Moreover, if your package builds several multibuild flavors, the status will have the flavor
(https://openbuildservice.org/help/manuals/obs-user-guide/cha.obs.multibuild.html) name ap-
pended to the package name:
Note
Due to a limitation, the initial "pending" build status of packages with multibuild flavors
is not reported. The build status for those flavors will however still be reported when
the build finishes.
89 Status Reporting
FIGURE 8.7: TOKENS LIST
From the list of workflow runs, you can get information like:
Click on each workflow run to get detailed information about it. OBS records the request received
from the SCM,
90 Workflow Runs
FIGURE 8.9: WORKFLOW RUNS - REQUEST
and the artifacts used or generated during the run of each workflow.
91 Workflow Runs
These records will help with debugging workflows. If an error occurs in any of the workflow
steps, the workflow run will record error messages. And reading the artifacts will help to un-
derstand what happened behind the scenes.
8.1.9 Errors
TABLE 8.1: COMMON ERRORS
Error Reason
No build result updates are displayed in your Make sure there are repositories defined on
PR/MR your source project. Another reason can be
that the build did not start because your
package is "unresolvable" or "broken".
The project in OBS doesn't get updated with For certain steps you need to set up a _ser-
the latest changes in the SCM. vice le. Follow the obs-service-tar_scm
(https://github.com/openSUSE/obs-ser-
vice-tar_scm#user-documentation) docu-
mentation.
PR MR PR
92 Errors
GitHub GitLab Gitea
Pull requests (in webhook Merge request events (in Pull Request (in webhook
configuration) webhook configuration) configuration)
Pushes (in webhook configu- Push events (in webhook Push (in webhook configura-
ration) configuration) tion)
SCM branch_pack-
sub- link_pack- re- trig- config- set_ags
event age step mit_re- age step build_pack-ger_ser- ure_repos- step
and ac- quest age step vices itories
tion step step step
Pull Re- The Create a The The The ser- The The ags
quest submit
%{source_project}/ %{source_project}/ vices of
%{project}/ reposito- will be
opened request
%{source_pack- %{source_pack-
%{pack- ries will
%{project}/ config-
age} from age} will age} will %{pack- be con- ured
will be be linked be re-
%{source_project}/ age} will figured for the
branched into
%{source_pack- build. be trig- for the %{tar-
to age} to %{tar- The build gered. %{tar- get_project}:PR-%{SC
%{tar- %{tar- results The build get_project}:PR-%{SCM_PR_NUM-
get_project}:PR-%{SCM_PR_NUM- BER}/%{pack-
get_project}:PR-%{SCM_PR_NUM-
get_project}/%{tar- will be
BER}/%{source_pack- results BER} age} .
get_pack- age} The
BER}/%{source_pack- report- will be project. Nothing
age} The age} . %{SCM_COM-ed back report- Nothing will be
%{SCM_COM-The re- MIT_SHA} to the ed back will be report-
MIT_SHA} quest will be %{SCM_COM-to the report- ed to the
will be status updat- MIT_SHA} %{SCM_COM-ed to the SCM.
updated changes ed in the as com- MIT_SHA} SCM.
in the le will be scmsync mit sta- as com-
report-
_branch_re- attribute tus.
Pull Re- The Super- The The The ser- The The ags
quest up- %{SCM_COM-sede the vices of
%{SCM_COM-%{project}/ reposito- will be
dated MIT_SHA} request it MIT_SHA} %{pack- ries will
%{project}/ config-
will be previous- will be age} will %{pack- be con- ured
Pull Re- The The sub- The This This This This
quest project mit re- project event is event is event is event is
closed %{tar- quest will %{tar- ignored. ignored. ignored. ignored.
be re-
get_project}:PR-%{SCM_PR_NUM-
get_project}:PR-%{SCM_PR_NUM-
BER} will voked. BER} will
be delet- be delet-
ed. ed.
Push The Create a The The The ser- The The ags
submit
%{source_project}/ %{source_project}/ vices of
%{project}/ reposito- will be
request
%{source_pack- %{source_pack-
%{pack- ries will
%{project}/ config-
age} from age} will age} will %{pack- be con- ured
will be be linked be re-
%{source_project}/ age} will figured for the
branched into
%{source_pack- build. be trig- for the %{project}/
to age} to %{tar- The build gered. .
%{project}%{pack-
%{tar- %{tar- results The build
get_project}/%{source_pack- Nothing age} .
get_project}/%{source_pack-
get_project}/%{tar- will be
age}-%{SCM_COM- results will be Nothing
age}-%{SCM_COM-
get_pack- MIT_SHA} report- will be report- will be
MIT_SHA} age} . The build ed back report- ed to the report-
The build The re- results to the ed back SCM. ed to the
results quest of the %{SCM_COM-to the SCM.
of the status linked MIT_SHA} %{SCM_COM-
branched changes package as com- MIT_SHA}
package will be will be mit sta- as com-
will be report- report- tus. mit sta-
report- ed to the ed to the tus.
ed to the %{SCM_COM-%{SCM_COM-
%{SCM_COM-MIT_SHA} MIT_SHA}
MIT_SHA} as com- as com-
as com- mit sta- mit sta-
mit sta- tus. tus.
tus.
Tag Push The Create a The The The ser- The The ags
submit
%{source_project}/ %{source_project}/ vices of
%{project}/ reposito- will be
request
%{source_pack- %{source_pack-
%{pack- ries will
%{project}/ config-
age} from age} will age} will %{pack- be con- ured
will be be linked be re-
%{source_project}/ age} will figured for the
branched into
%{source_pack- build. be trig- for the %{project}/
to age} to %{tar- Nothing gered. .
%{project}%{pack-
%{tar- %{tar- will be Nothing
get_project}/%{source_pack- Nothing age} .
get_project}/%{source_pack-
get_project}/%{tar- report-
age}-%{TAG_NAME} will be will be Nothing
get_pack- Nothing
age}-%{TAG_NAME} ed to the report- report- will be
Nothing age} . will be SCM. ed to the ed to the report-
will be report- SCM. SCM. ed to the
report- ed to the SCM.
ed to the SCM.
SCM.
version: '1.0'
workflow:
steps:
- link_package:
source_project: GNOME:Factory
source_package: gnome-shell
Version Changes
A project in OBS that you own, it will be the target project. Let's say: home:jane:playground.
A package in OBS that you want to test build, it will be the source package inside the source
project. E.g.: GNOME:Factory/gnome-shell.
A repository in GitHub with the source code that will receive the pull requests, e.g.: https://
github.com/GNOME/gnome-shell.
The required tokens to allow OBS and GitHub talk each other as explained in Section 8.1.4,
“Token Authentication”
The required webhooks so GitHub notifies OBS of any event as explained in Section 8.1.5,
“Webhooks”
8.4.2.1 Branch
If you decide to branch the package for the test build, the configuration le should be something
like this:
workflow:
steps:
- branch_package:
source_project: GNOME:Factory
source_package: gnome-shell
target_project: home:jane:playground
filters:
event: pull_request
Whenever someone opens a new pull request in the repository, OBS will branch the source
package onto the target project, trigger the build, and report the results in the pull request's status
checks.
Keep in mind that, when OBS branches a package, it copies the repositories from the source
project to the target project, so everything is ready to start building.
Once the pull request is accepted or closed, the branched package will be deleted.
Read SCM/CI Workflow Integration Setup and, specifically, the workflow steps (Section 8.1.6.2, “OBS
Workflow Steps”).
If you prefer to link the package for the test build, the configuration le should be something
like this:
workflow:
steps:
- link_package:
source_project: GNOME:Factory
source_package: gnome-shell
target_project: home:jane:playground
- configure_repositories:
project: home:jane:playground
repositories:
- name: openSUSE_Tumbleweed
paths:
- target_project: openSUSE:Factory
target_repository: snapshot
architectures:
- x86_64
- i586
- name: openSUSE_Leap_15.2
paths:
- target_project: openSUSE:Leap:15.2
target_repository: standard
architectures:
- x86_64
filters:
event: pull_request
Whenever someone opens a new pull request in the repository, OBS will create a target package
linked to the source package.
Unlike the branching, in this case the repositories are not copied to the target project. That is
why you need to set up the configure_repositories step giving you the flexibility to decide which
repositories are you interested in.
Read SCM/CI Workflow Integration Setup and, specifically, the workflow steps (Section 8.1.6.2, “OBS
Workflow Steps”).
The required tokens to allow OBS and GitHub talk each other as explained in Section 8.1.4,
“Token Authentication”
The required webhooks so GitHub notifies OBS of any event as explained in Section 8.1.5,
“Webhooks”
The source code synchronization setup with the OBS SCM Service.
workflow:
steps:
- rebuild_package:
project: home:jane
package: rust
filters:
event: push
workflow:
steps:
- branch_package:
source_project: home:jane_doe
source_package: rust
target_project: home:jane_doe:CI
- set_flags:
flags:
- type: build
status: disable
project: home:jane_doe:CI
package: rust
8.4.5 Create Package on OBS for Every Software Release With Git
Tags
You have a software project for which you mark releases with Git tags. For every release, you
want to create a package on OBS. This can be automated in a workflow with the branch_package
step and the tag_push event filter. Once the workflow is in place, every tag you push to your
SCM repository will branch a package on OBS and create, then build a package for the source
code associated to the tag's commit. This way, your users can always install a versioned release
of your software project. You can also link one of those versioned releases to another project
on OBS if you need it as a dependency.
After the usual setup for OBS workflows with tokens and webhooks (see Section 8.1, “SCM/CI
Workflow Integration Setup”), you will need:
A package in OBS that you own, and for which you want to create releases. It will be the
source package (e.g.: home:jane/my_package) and it will contain a _service le. When this
package is branched by the branch_package step, the branched package name will end with
the name of the tag which was pushed (e.g.: my_package-1.0).
A project in OBS that you own, and which will contain all packages created by the
branch_package step. It will be the target project (e.g.: home:jane:releases).
A SCM repository for your software project with the source code and spec le in which
you will create Git tags to mark releases, e.g.: https://github.com/jane/my_package.
workflow:
steps:
- branch_package:
source_project: home:jane
source_package: my_package
target_project: home:jane:releases
filters:
event: tag_push
<?xml version="1.0"?>
<services>
103 Create Package on OBS for Every Software Release With Git Tags
<service name="obs_scm">
<param name="versionformat">@PARENT_TAG@</param>
<param name="url">https://github.com/jane/my_package.git</param>
<param name="scm">git</param>
<param name="revision">@PARENT_TAG@</param>
<param name="extract">my_package.spec</param>
</service>
<service name="set_version"/>
<service name="tar" mode="buildtime"/>
</services>
For the spec le in your SCM repository, pay attention to this:
The Source0 directive is based on values you provided to the obs_scm service in the _service
le and it should be like this: my_package-%{version}.tar.
The rst part is the SCM repository name (e.g: my_package). The second part is the version
macro which will be expanded to match what you defined in the versionformat of the
obs_scm service in the _service le. The third part is the archive extension (.tar) since a
tarball was created by the tar service.
Under the %prep directive, you might have to update the %setup directive if your source
package name doesn't match the name of your SCM repository. Here's how, with my_pack-
age being the SCM repository name:
%prep
104 Create Package on OBS for Every Software Release With Git Tags
%setup -q -n my_package-%version
workflow:
steps:
- branch_package:
source_project: "test-project"
source_package: "gnome-shell"
target_project: "test-target-project"
filters:
event: pull_request
workflow:
steps:
- branch_package:
source_project: "test-project"
source_package: "%{SCM_REPOSITORY_NAME}"
target_project: "test-target-project"
filters:
event: pull_request
It will perform just as well as it did before, however now this configuration can be applied to
any other OBS package in the test-project and SCM repository combination assuming they have
the same name.
From here the only thing left to do would be to host this le somewhere where OBS can access
it, creating a workflow token and the corresponding webhooks (following the setup instructions
at Section 8.1.4, “Token Authentication”) for every SCM repository you want this configuration le
to apply to, making sure you set the correct configuration url (see Section 8.1.6.1, “Configuration
File Location”).
105 Using a Custom Configuration File URL in Combination with Placeholder Variables
There are many other ways to use these two features in parallel, make sure to read Section 8.1.6.4,
“Placeholder Variables” and Section 8.1.6.1, “Configuration File Location” to get some inspiration on
how you can use them in your project.
106 Using a Custom Configuration File URL in Combination with Placeholder Variables
9 Staging Workflow
<staging_projects>
<staging_project name="openSUSE:Factory:Staging:A"/>
<staging_project name="openSUSE:Factory:Staging:B"/>
</staging_projects>
The returned XML can include more information by adding any combination of this three para-
meters: requests, status and history. This example combines requests and status:
<staging_projects>
<staging_project name="openSUSE:Factory:Staging:A" state="unacceptable">
<staged_requests count="6">
<request id="368" type="submit" creator="scp" state="review" package="amet"
superseded_by="" updated="2020-04-29T17:39:36Z"/>
<request id="369" type="submit" creator="scp" state="declined" package="aut_0"
superseded_by="" updated="2020-04-29T17:41:45Z"/>
<request id="371" type="submit" creator="scp" state="review" package="dolor"
superseded_by="" updated="2020-04-29T18:07:51Z"/>
</staged_requests>
<untracked_requests count="0"/>
<obsolete_requests count="2">
<request id="369" type="submit" creator="scp" state="declined" package="aut_0"
superseded_by="" updated="2020-04-29T17:41:45Z"/>
</obsolete_requests>
<missing_reviews count="4">
<staging_project name="openSUSE:Factory:Staging:A"/>
The returned XML can include more information by adding any combination of this three para-
meters: requests, status and history. This example combines status and history:
<staged_requests>
<request id="368" type="submit" creator="scp" state="review" package="amet"
superseded_by="" updated="2020-04-29T17:39:36Z"/>
<request id="369" type="submit" creator="scp" state="declined" package="aut_0"
superseded_by="" updated="2020-04-29T17:41:45Z"/>
<request id="371" type="submit" creator="scp" state="review" package="dolor"
superseded_by="" updated="2020-04-29T18:07:51Z"/>
</staged_requests>
The "Notifications" page is the place that keeps you up-to-date with your daily OBS work. There,
you can see notifications of events that happen in OBS and are important for you.
You can configure them in detail to receive just what is of your interest. Not only that, with
the web UI interface, you can easily filter your notifications and mark them as read, improving
your OBS workflow experience.
On this page, you can configure under which conditions you receive each type of notification
(email, RSS, web). Mark the "web" checkboxes to configure what notifications you will receive
in the web UI.
You can get web notifications from events happening to projects and packages where the group
you belong to is an owner. Just mark the "web" checkbox in the groups your are interested in.
Another way is to mark it directly on the related element (for example the associated request)
through the little toolbar that appears on top. You will be redirected back to your notifications
page afterwards.
If you received a lot of notifications and don't want to mark them one by one, there are two ways
to speed up the process. You can use the checkboxes on the left to select individual notifications
and click on the "Mark selected as 'Read'" button.
In case you exceed 300 notifications you have the possibility to use the button "Mark all as
'Read" that will appear on the right side to mark all notifications of the chosen filter as read.
Should you ever mark a notification as read by accident, you can simply revert this by selecting
the "read" filter on the right side and using the equivalent elements, used to mark them as read,
in order to bring them back to your unread notifications.
Unread: All unread notifications, so notifications which you haven't marked as read, will
be displayed when selecting this filter.
Read: All notifications which you have marked as read will be displayed when selecting
this filter.
Comments: All unread notifications related to comments will be displayed when selecting
this filter.
Requests: All unread notifications related to requests will be displayed when selecting this
filter.
Incoming Requests: All unread notifications related to incoming requests, so requests which
someone submitted to a project/package you are involved in, will be displayed when se-
lecting this filter.
Outgoing Requests: All unread notifications related to outgoing requests, so requests which
you submitted to a project/package, will be displayed when selecting this filter.
Projects: All unread notifications related to a project will be displayed when selecting a
project filter. Each project with at least one unread notification has its own project filter.
Groups: All unread notifications related to a group will be displayed when selecting a group
filter. Each group with at least one unread notification has its own group filter.
10.6 API
Every user can check their unread notifications by querying:
118 API
<state>new</state>
<when/>
<event_type>review_wanted</event_type>
</notification>
<notification id="25">
<title>test 2</title>
<who>User 2</who>
<event_type>comment_for_package</event_type>
<when/>
</notification>
</notifications>
For more informtion regarding the notifications API endpoints, check out our New API Docu-
mentation (https://api.opensuse.org/apidocs/#/Notifications/get_my_notifications) .
119 API
11 Moderation
As a platform where a lot of social interaction happens, OBS is not free of spam, harmful content
or other outcomes of user misconduct. Therefore, OBS provides features which help any user
report problematic content and help moderators to act accordingly. Those features are described
below, and they are helpful for admins, sta members, moderators and users.
Admins are responsible for making the Conde of Conduct visible to everyone. They should add
the text on Configuration > Code of Conduct to make it appear on the footer. It allows markdown.
Comments
Projects
Packages
Requests
Users
Once the element is reported, moderators will act accordingly. The following sections describe
how they should proceed.
You can read all the editions of a comment to better judge if the user misbehaved at some point.
Use the arrow next to the comment date for that.
hide the comment: click on the Moderate button next to it to replace the original text with
a standard message;
Most of these actions are reversible. Read section Section 11.4, “Reverting Moderator's Actions”.
16 Bootstrapping 186
This chapter explains and shows how you could use OBS Web UI. We will show and use OBS
Web UI based on http://build.opensuse.org . You need to make an account rst to follow this
chapter contents.
To proceed, you'll need to log in and authenticate with your username and your password. Click
on Login and enter the data in the upper right corner.
After successful authentication, you'll end up on the start page again - with new options visible.
We'll go through most of them in detail, but rst lets create your home: in the next step.
Note
Maintainers of upper projects can always modify the subprojects. Apart from that all
projects are separated and have no influence on each other.
Now, let's visit the main monitor page by clicking on "Status Monitor". You see here the status of
the services, some graphs and graphics are showing the currently running and completed jobs
and the overall load.
Now let's create a link to a package and add a repository to build against. A link is basically a
pointer to sources of an already existing package. By "repository" we mean container of built
binary packages like Debian_8 or openSUSE_13.2. Let's follow these steps:
2. Add repository.
and for
- we'll leave "Name of linked package in target project" empty. This is shown on the next picture:
Proceed with "Create Branch" and you'll be redirected to your home again. You'll see a new
package "ood" and a notice about the branch being added.
Wonderful, we've added a pointer to the sources! Now we need to add a repository, so the
builder knows the target-distribution to build packages for. How to add a repository to a project
is documented at Section 12.6.1, “Adding a repository”.
Click the “succeeded” message, then you will see the build log as below.
Note
Published repositories are marked with the OBS truck
Now click Go to download repository. Note that publishing the repository might take a while.
Before the binary repository is published, you will receive a 404 error. When the binaries are
available, you will see something like this:
Your RPMs can be found in the subdirectories, and the .repo le is suitable for use with zypper,
yum or other repository-friendly package management tools.
Note
If you could not nd a repository that ts your needs, you might want to switch to the
expert mode. Click on the "Expert mode" link right to the button. This page allows you to
search and select a repository of any project available in OBS and add it to your projects
repository list.
This will take you back to your home: project. The build repository might be disabled: if so, click
on the cogwheel to enable it. Congratulations, it is configured. On a heavily loaded server, it can
sometimes take a few minutes for your changes to become effective, but your linked package
will automatically begin building.
The minimal set of elds you have to enter are architecture, repository type and the URL that
provides the binary packages. Detailed information about the data you can enter here can be
found at Section 22.3, “Download on Demand Repositories (DoD)”. Press "Save" to create the repos-
itory.
When the repository got added you are able to edit, delete or add additional DoD repository
sources.
Within that project create a new package. That will be your actual image template.
Click on the "Edit KIWI" link and you will be redirected to the Editor.
Packages: Displays the packages of the package group with type image.
Basic Mode: Adding the name of a project will provide a list with the repositories from
that project.
Expert Mode: This mode provides you with a set of customizable parameters for creating
a repository.
Prefer License: The repository providing this attribute will be used primarily to install
the license tarball if found on that repository.
Image Include: Specifies whether the given repository should be configured as a repos-
itory in the image.
To use the configuration of the current project check the Use project repositories checkbox.
Note
This option will remove the other repositories from your kiwi le.
Note
The package groups shown in the editor are only those with type image and the packages
will be added in this kind of package group. If it didn't exist previously, the KIWI Editor
creates a package group with type image for you.
However, the workflow is not always that easy. Apart from managing individual packages, Build
Service provides many other functionalities and it even allows us to release entire distributions.
In a very simplistic way, we can say a distribution is just a Build Service project with thousands
of packages inside. Packages that have been selected to be installed together as part of the
distribution.
When dealing with such a big project, many people request changes in many different packages
all the time. They have to be reviewed, adjusted and tested (built) before being accepted. As
you can imagine, it becomes nonviable to review the packages one by one. Even if the main-
tainers check that a package is not broken and merge it, it can break everything else for conflicts
with other packages. To deal with these situations, Build Service provides what we call Staging
Workflow.
The idea behind the Staging Workflow is testing the requests incrementally by batches. First,
a copy of the original project is created, it is called Staging Project and is going to act as a
playground. The Staging Managers select some of the requests they consider to be belonging
together and assign the corresponding packages to the Staging Project. This way, the groups of
packages are going to be tested (built) in one go. Once the Staging Project gets built, the changes
can be merged to the original project.
The Staging Managers can create as many Staging Projects as they require and can assign dif-
ferent selections of requests to each of them. It is still tedious solving the conflicts that appear
between them, but being able to test a lot of packages in parallel is much more efficient than
doing the same package by package.
Staging Project: Shows the Staging Project name, its overall state (see legend), and the
overall build progress of the packages within the project.
Problems: Shows build problems of packages within the project and status problems
reported to the Build Service's Status API by external services like openQA.
Info section:
Ready: List of requests that were in the backlog and have an accepted review.
By clicking on the delete icon on the Staging Workflow index page, we are able to delete a
Staging Workflow.
By selecting the associated Staging Projects in the appearing modal window, we are able to
delete them as well. If not selected, they will remain as regular subprojects.
From the configuration page it is possible to delete a Staging Project, create one from scratch or
create a copy of an existent one. But also to change the Managers Group of the Staging Workflow.
Note
Changing the Managers Group of a Staging Workflow will automatically unassign the old
group and assign the new group to the related Staging Projects.
It is possible to create a Staging Project from a template. Inside Staging Workflow's configuration
page, simply choose the Staging Project you want to copy from (the template), click on its Copy
icon and add a new name. The Staging Project copy is processed in the background, so there
might be a delay before it shows up.
All the actions performed on requests that are assigned to the Staging Project are tracked. They
are listed in the 'History' section.
Sometimes it can be useful to exclude a request and don't let it be available in the Backlog.
This can prevent the staging project from being assigned with requests we are sure are causing
conflicts, have some missing dependencies or have to wait for other request to be accepted.
By clicking on the 'Excluded' link on the 'Infos' section, it is possible to exclude requests or bring
back already excluded ones.
By default, Open Build Service will strip the maintainer info and now make it part of your own
project. To clarify, when we speak of a project, it can mean just one package or a complete set
of packages with their own build dependencies.
Application development usually happens in SCM systems like git, subversion, mercurial and
alike. These external sources can be used directly in OBS via source services. OBS will always
keep a copy of the sources to guarantee that the build sources are still available even when the
external SCM server disappears or get altered.
The web interface is creating as well a _service le when adding an URL to a SCM system.
<services>
<service name="obs_scm">
<param name="url">https://github.com/FreeCAD/FreeCAD.git</param>
<param name="scm">git</param>
</service>
commands.
<services>
<service name="obs_scm">
<param name="url">https://github.com/FreeCAD/FreeCAD.git</param>
<param name="scm">git</param>
</service>
...
%define build_tar_ball 0
...
%if %{build_tar_ball}
Source0: %{name}-%version.tar.xz
%else
Source0: _service
%endif
...
%prep
%if %{build_tar_ball}
%setup -q
%else
%setup -q -n %_sourcedir/%name-%version -T -D
%endif
This chapter covers main step of using OBS to publish binaries of your project for multiple
distributions.
Let's assume that you have found project suitable for your program. Some projects already have
something like STABLE and UNSTABLE subprojects. So you can use these, if you discuss it with
maintainers of these project. Other way is to ask somebody from the maintainers of the project to
create either these subprojects (if they do not exist) or something similar. Always try to discuss
it with the maintainers of the project. They might have good ideas, suggestions and may help
you in various ways.
If you want to support multiple version, you would need more projects than just two as suggested
in previous section. These special projects should contain versions they are supposed to support
in their name. If you are creating them under some project you are sharing with other packages,
having you package name in the name of projects is a good idea as well.
GNOME is a good example: There is the GNOME project and many subprojects. Among them
are, for example, GNOME:STABLE:2.30, GNOME:STABLE:2.32, and GNOME:STABLE:3.0. These
projects hold different stable versions of GNOME with latest fixes.
Note
The following sections discuss feature available only in openSUSE Build Service—a freely
available instances of OBS.
For a nice download page for your software published on openSUSE Build Service, use the
openSUSE download page. You can include it for example using either iframe or object
on newer websites. An example of download page can be following one http://software.open-
suse.org/download.html?project=openSUSE:Tools&package=osc . You can see how it looks like
in Figure 15.1, “openSUSE download page for package from OBS”. It contains links to the packages
and instructions how to install them.
URL always has to start with http://software.opensuse.org/download.html? .You can attach any
number of & -separated parameters. But at least two of them - project and package - are required.
All parameters with descriptions can be found in Table 15.1, “Parameters for Download Page”.
TABLE 15.1: PARAMETERS FOR DOWNLOAD PAGE
parameter description
15.4.1 Examples
Now we will take a look at how to include the download page into your project pages. As an
example, we will use the osc client from the openSUSE:Tools project. To demonstrate the colors
change, we will use theme that would match Midnight Commander.
First we will start with recent web page supporting new standards. On such a website, we would
use object to include download code:
<object type="text/html"
data="http://software.opensuse.org/download.html?
project=openSUSE:Tools&package=osc&bcolor=004&acolor=ff0&fcolor=fff&hcolor=0ff"
width="100%" height="100%">
<param name="src"
value="http://software.opensuse.org/download.html?
project=openSUSE:Tools&package=osc&bcolor=004&acolor=ff0&fcolor=fff&hcolor=0ff" />
Your browser doesn't support objects, please continue to the
<a href="http://software.opensuse.org/download.html?
project=openSUSE:Tools&package=osc&bcolor=004&acolor=ff0&fcolor=fff&hcolor=0ff">
download page</a>
</object>
If you are using PHP on your server, you can make it easier by using following code:
<?php
$url = "http://software.opensuse.org/download.html?
project=openSUSE:Tools&package=osc&bcolor=004&acolor=ff0&fcolor=fff&hcolor=0ff";
echo '
<object type="text/html"
data="' . $url . '"
width="100%" height="100%">
<param name="src"
value="' . $url . '" />
Your browser doesn't support objects, please continue to the
<a href="' . $url . '">download page</a>
</object>
';
?>
184 Examples
If you are running some legacy website, you might have to use iframe :
<iframe src="http://software.opensuse.org/download.html?
project=openSUSE:Tools&package=osc&bcolor=004&acolor=ff0&fcolor=fff&hcolor=0ff"/>
185 Examples
16 Bootstrapping
This chapter explains Boot strapping. In this chapter, You would learn how you could have other
OBS projects and packages to your local OBS instance after your OBS install. There are some
useful OSC commands examples and OBS working mechanism explanation in this chapter also.
Basically this chapter is a copy from Build Service portal. For information about OBS bootstrap-
ping on the Build Service portal, see https://en.opensuse.org/openSUSE:Build_Service_private_in-
stance_boot_strapping .
The osc copypac (I assume that you have installed the osc package on your workstation) has an
option -t which enables copying towards a remote target OBS instance. osc help and osc help
command will advise on how to use these. First you need to import the project configuration.
$ export PROJECT=MeeGo-test:0.1
$ osc -A http://api-url-source-obs meta prjconf $PROJECT > my_project.conf
$ osc -A http://api-url-target-obs meta prjconf -F my_project.conf $PROJECT
Then import the project. As you might have some Links in the project that you import, it is a
good idea to keep the source and target project names identical.
If you have access only to the repositories of your source reference target, then your life will
be a bit more difficult. My advice would be to recheck if you nd you cannot get a login on a
public OBS service - such as provided by openSUSE or MeeGo - before proceeding this way. You
will not be able to import the project config and you will have to create it by hand. This is too
long to be covered in this HowTo. For more explanation about Build Service project config, see
http://en.opensuse.org/openSUSE:Build_Service_prjconf .
Then you need to download all your rpm source on to a local machine and import it into your
project with the command.
$ osc importsrcpkg
16.2.2.3 Bootstrapping
To initiate the build process, we will copy the rpm binary from the source OBS of the source
project. These binary RPMs, from which we will remove any reference to release and version,
will be used to trigger the rst build. The OBS appliance will recompile all the RPMs until
all RPMs in the project have been compiled only with packages compiled from their source
code. Some base packages (e.g. tool chains) will be compiled several times during that process.
Alternatively, you can at rst build against a target which is similar to the base that you need
# rcobsscheduler stop
* Add binaries to the :full directory of the Project ssh onto the OBS server. Now go to the project’s
build directory, and create a directory called “:full”. Note : standard is the default name of your
Build repository as defined in your project. It might change depending on who created the initial
build repo.
# cd /obs/build/$PROJECT/standard/i586
This directory structure should already exist. If not, there is a problem (note that /obs is
link and the target may vary with your implementation). Now create the “:full” directory. $
mkdir :full Copy over all the binary RPMs of the project you are trying to build from scratch.
These RPMs should have the release and version numbers stripped from them. e.g. alsa-util-
s-1.0.22-2.7.i586.rpm -- should be – alsa-utils.rpm Note : If the original project has a :full di-
rectory you can copy from there to avoid the issue of stripping version and release numbers. *
Add binaries to the :full directory of the Project. Change all user/group privileges under /srv/
obs/build/ to “obsrun”
If you leave root as owner of :full, it will still build but the scheduler will fail (almost silently)
to upgrade :full with the latest built packages. Except in very special cases, it is very unlikely
that you want to do so. * Start the OBS scheduler
# rcobsscheduler start
* Force the obs to reindex your new :full directory. It will send an event to the scheduler which
will create a le named :full.solv
At that time you should see your project restarting to build. If that would not be the case. *
check that your les in your target :full directory are all own by the user obsrun. The following
command should not return any le name.
* Force the obs to reindex your new :full directory. It will create a le named :full.solv
* Check that your rpm are valid (e.g. not damaged during transfer)
#cd /obs/build/$PROJECT/standard/i586:full
#for I in `ls *.rpm` ; do rpm -qlp $I >/dev/null; if [ $? -ne 0 ] ;then echo $I >>../
error.lst ; fi ; done
#cat ../error.lst (must be empty, all rpm in error needs re-installation)
* Still not working, get a look in the log les in the directory /obs/log. You can start by having a
look at /obs/log/scheduler_TARGET_ARCH.log and search from the end for the string "expand-
ing dependencies". You will nd from there why the scheduler fails.
#tail -f /obs/log/scheduler_i586.log
All the commands above only change your local working copy. To submit your changes to the
buildservice you have to commit them (osc ci -m [message]). The status command also displays
the state of the packages
osc st
192
20 Common Questions and Solutions
This currently an unsorted list of asked questions.
Still a significant bandwidth is needed compared to the size of the edited le.
The generated les have the _service: prefix in check out (but not during build).
A checkout may still need the size limit switch when last commit contained the large les.
36 Authorization 271
The OBS Backend manages the source les and build jobs of the OBS.
Source Server
Maintains the source repository and project/package configurations. It provides an HTTP
interface, which is the only interface for the Front-end and It may forward requests to
further back-end services.
The Source Server keeps track of all sources that are available for building. It takes care
of le deduplication so that every source le is stored only once. This is done by keeping
track of the MD5 hashes of the les in combination with the le names. All revisions of
committed sources are stored and will not be deleted. This guarantees the ability to get
the source for every delivered binary package.
Each OBS installation has one Source Server only. It maintains the "sources", "trees" and
"projects" directories.
Scheduler
A scheduler calculates the need for build jobs. It detects changes in sources, project con-
figurations or in binaries used in the build environment. It is responsible for starting jobs
in the right order and integrating the built binary packages. Each OBS installation has one
scheduler per available architecture and partition. It maintains the content of the "build"
directory.
Dispatcher
The dispatcher takes a job (created by the scheduler) and assigns it to a free worker.
It also checks possible build constraints to verify that the worker qualifies for the job.
It only notifies a worker about a job; the worker downloads the needed resources itself
afterwards. Each OBS installation has one dispatcher per partition, one of which is the
master dispatcher.
The dispatcher tries to assign jobs fairly between the project repositories. For this the
dispatcher maintains a load per project repository (similar to the Unix system load) of
used build time. The dispatcher assigned jobs to build clients from the repository with
the lowest load (thereby increasing its load). It is possible to tweak this mechanism via
dispatching priorities assigned to the repositories via the /build/_dispatchprios API call
or via the dispatch_adjust map in the BSConfig.pm configuration le. See the dispatch
priorities in reference guide for more details.
Publisher
The publisher processes publish events from the scheduler for finished repositories. It
merges the build result of all architectures into a defined directory structure, creates the
needed metadata, and may sync it to a download server. It maintains the content of the
"repos" directory on the back-end. Each OBS installation has one publisher per partition.
Signer
The signer handles signing events and calls an external tool to execute the signing. Each
OBS installation usually has one signer per partition and also on the source server instal-
lation.
Worker
The workers register with the repository servers. They receive build jobs from the dispatch-
er. Afterwards they download sources from the source server and the needed binaries from
the repository server(s). They build the package using the build script and send the result
back to the repository server. A worker can run on the same host as the other services, but
most OBS installations have dedicated hardware for the workers.
4. communication between the back-end and the stage server to publish build results
The user uses the front-end (via tools like osc ) to communicate with the Open Build Service. The
front-end is providing a web interface and also an API. The front-end is implemented as a Ruby
on Rails application. All communication happens via the HTTP protocol (usually encrypted,
meaning HTTPS is used).
The communication between the front-end and the back-end also uses the HTTP protocol, using
the back-end source server as the gateway to most other back-end components.
1. The new source le is uploaded with an HTTP PUT operation to the front-end. The front-
end authenticates and checks the permissions of the user.
2. If the user has appropriate permissions, the new le will be sent to the back-end source
server via an HTTP PUT request. The source server stores the changed source under re-
vision control.
It then checks whether this change makes source service runs necessary. If so, the source
service server is informed via an HTTP PUT request of the _service le to run the
requested services.
3. The source service server runs all required source services. For example, it could down-
load the requested revision from a Git server. After running all services, it delivers the final
sources back to the source server, which then stores these under revision control.
4. The source server then notifies the schedulers for each hardware architecture required
about the change of the package via an event.
5. The scheduler then recalculates package and project state. If all build requirements are
fulfilled, a build job is created and added to the job pool.
6. The dispatcher is notified and selects a free worker which meets the build constraints for
the job and sends the job to it.
7. The worker downloads the sources from the source server and all required binary pack-
ages from the repository server. The package then will be built.
The worker is monitored by the warden service to detect any worker crashes.
8. If the build succeeds, the build results (including build logs) are uploaded to the scheduler.
If requested, the signer signs the packages.
9. The scheduler recalculates the project status, checking whether dependent packages need
to be rebuilt. If not, it requests the publisher to publish the build results.
10. The publisher will create an updated version of the output repository and request the
signer to sign the repository metadata.
We describe here the high-level concepts: how Open Build Service is designed, manages its
content and is supposed to work.
An ACL list of users and groups connected with a role. The maintainer role defines the
list of users permitted to commit changes to the project.
A number of ags controlling the build and publishing process and possible read access
protections.
A list of repositories to be created. This list defines what other repositories should be used,
which architectures shall be built and build job scheduling parameters.
The following ags can be used to control the behavior of a package or project. Most of them
can also be limited to specified repositories or architectures.
publish can be used to enable or disable publishing the build result as repository. This
happens after an entire repository has finished building for an architecture. A publish also
gets triggered when the publish ag is enabled after a repository finishes the build. Default
is enabled.
debuginfo can be used to modify the build process to create debuginfo data along with the
package build for later debugging purposes. Changing this ag does not trigger rebuilds,
it just affects the next build. Default is disabled.
useforbuild is used to control if a built result shall be copied to the build pool. This
means it will get used for other builds in their build environment. When this is disabled,
the build has no influence on builds of other packages using this repository. In case a
previous build exists the old binaries will be used. Disabling this ag also means that "wipe"
commands to remove binary les will have no effect on the build pool. Changing this ag
does not trigger rebuilds, it just affects the next build. Default is enabled.
access ag can be used to hide an entire project. This includes binaries and sources. It
can only be used at project creation time and can just be enabled (making it public again)
afterwards. This ag can only be used on projects. Default is enabled.
sourceaccess ag can be used to hide the sources, but still show the existence of a project
or package. This also includes debug packages in case the distribution is supporting this
correctly. This ag can only be used at package creation time. There is no code yet which
checks for possible references to this package. Default is enabled.
downloadbinary permission still exists like before. However, unlike "access" and
"sourceaccess" this is not a security feature. It is just a convenience feature, which makes it
impossible to get the binaries via the API directly. But it is still possible to get the binaries
via build time in any case. Default is enabled.
The build configuration is used to tell the OBS how to set up the build environment, and is
explained in Chapter 4, Build Configuration.
22.3.1 Motivation
In a DoD repository external software repositories can be configured which are used for depen-
dency resolution and where packages will be downloaded at build time. A DoD repository has
some main advantages in comparison to binary import projects:
simple to configure in project meta with no for shell access to repo servers
In download repotypes where package checksums can be verified (e.g. susetags, rpmmd and
deb), we recommend that you use a mirror server URL in <download> in order to reduce traffic
on the master server and configure a <master> with an https url and a sslfingerprint in
order to avoid man in the middle attacks by peer verification.
arch
url
repotype
susetags
rpmmd
deb
This option could be defined by any valid URL (HTTP and HTTPS) to the origin of the repository
but it is strongly recommended to use https with a sslfingerprint to bs_dodup possibility to
verify its peer in order to avoid man-in-the-middle attacks. The download URL can be a mirror
as we validate package checksums found in repo data.
You can easily query the SSL fingerprint of a remote server with the following command:
Example:
<project name="My::SuSE::CD">
[...]
<repository name="standard">
<download arch="x86_64" url="http://mirror.example.org/path/to/iso"
repotype="susetags" />
<download arch="i586" url="http://mirror.example.org/path/to/iso"
repotype="susetags" />
<arch>x86_64</arch>
<arch>i586</arch>
</repository>
</project>
Example:
<project name="Fedora:Rawhide">
[...]
<repository name="standard">
<download arch="x86_64" url="http://mirror.example.org/fedora/rawhide/x86_64/os"
repotype="rpmmd">
<master url="https://master.example.org/whereever/fedora/rawhide/x86_64/os"
sslfingerprint="sha256:0a64..0303"/>
</download>
<download arch="i586" url="http://mirror.example.org/fedora/rawhide/i386/os"
repotype="rpmmd">
<master url="https://master.example.org/whereever/fedora/rawhide/i386/os"
sslfingerprint="sha256:0a64..0303"/>
</download>
<arch>x86_64</arch>
<arch>i586</arch>
</repository>
</project>
Apt supports two repository types, at repositories and distribution repositories.
The download url syntax for them is:
<baseurl>/<distribution>/<components>
<at_url>/.[/<components>]
<project name="Debian:8">
[...]
<repository name="ga">
<download arch="x86_64" url="http://ftp.de.debian.org/debian/jessie/main"
repotype="deb">
<pubkey>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
[...]
</pubkey>
</download>
<download arch="i586" url="http://ftp.de.debian.org/debian/jessie/main"
repotype="deb">
<pubkey>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
[...]
</pubkey>
</download>
<arch>x86_64</arch>
<arch>i586</arch>
</repository>
</project>
Be aware that there is currently no way to verify the origin of repository for Arch.
Example:
<project name="Arch:Core">
[...]
<repository name="standard">
<download arch="x86_64" url="http://ftp5.gwdg.de/pub/linux/archlinux/core/os/x86_64"
repotype="arch"/>
<download arch="i586" url="http://ftp5.gwdg.de/pub/linux/archlinux/core/os/i686"
repotype="arch"/>
<arch>x86_64</arch>
<arch>i586</arch>
</repository>
</project>
Example:
<project name="Mageia:5">
[...]
<repository name="standard">
<download arch="x86_64" url="http://mirror.example.org/Mageia/distrib/5/x86_64/media/
core/release" repotype="mdk"/>
<download arch="i586" url="http://mirror.example.org/mirrors/Mageia/distrib/5/i586/
media/core/release" repotype="mdk"/>
<arch>x86_64</arch>
<arch>i586</arch>
</repository>
</project>
22.4.1 Motivation
This chapter makes some recommendations how upstream resources can be integrated into the
build process. SCM stands for source control management. git, subversion or CVS are concrete
implementations of an SCM. The OBS itself comes also with an own SCM, but this is only intend-
ed to manage the les needed for packaging. However, you can add references to external SCM
systems. The source service system will mirror the sources and provide it to the build systems.
OBS makes sure that you can access the sources of all builds also in the future, even when the
upstream server delivers different or no content at all anymore. Using external SCM references
has the following advantages:
It is documented where a source comes from and how to create the archive.
Working on the upstream sources can be done directly in local checkouts and changes can
be tested via local builds before pushing to the SCM server.
The sources can be stored incrementally and need less storage on the server.
<services>
<service name="obs_scm">
<param name="url">git://...</param>
<param name="scm">git</param>
</service>
<service name="tar" mode="buildtime"/>
<service name="recompress" mode="buildtime">
<param name="file">*.tar</param>
<param name="compression">xz</param>
</service>
<service name="set_version" mode="buildtime" />
</services>
obs_scm : mirrors the source. It stores it as a cpio archive, but for the build process this
looks like a directory. It also stores additional information from the metadata to a le with
obsinfo suffix.
set_version : reads the version from the obsinfo le and adapts the build descriptions
to it.
Note that only the rst service ( obs_scm ) runs on the OBS server. The other services run during
the build process. They can also be replaced by any user by providing alternative implementa-
tions of them, or by writing their own service from scratch.
The build process creates new binaries from sources, binaries, and config. This process may
run on the OBS server side or on a local workstation. Each package build is created in a fresh
environment. This is done to ensure that the environment is reproducible.
chroot
Xen
KVM
Qemu
In the preinstall phase, the OBS Worker creates a small base system from the packages declared
to be preinstalled (le system, coreutils, binutils, rpm/debutils, etc.). The tools installed in this
phase must only provide the minimum functionality necessary to allow installing further pack-
ages. In addition it copies all necessary build requirements and the source into the base system.
How the build continues depends on the quality and the type of your build recipe. In most cases,
the source code will be compiled now and then be packed into the chosen package format.
To improve package quality, on RPM-based distributions there are additional checks provided
via packages. A common toolchain for handling checks is for example rpmlint .
You need to go to the right OBS instance as this is not handled automatically yet.
Containers are workloads which embed all necessary les to make the workload independent
of the running host OS. This includes (but is not limited to) libraries, executables and shared
resource les.
SimpleImage
SimpleImage is a special format which uses the rpm spec le syntax and just packages
the resulting install root as tar ball or squashfs image. The format is just using the Buil-
dRequires tags from a le called simpleimage , it supports also rpm macro handling to
allow for exceptions depending on the build environment.
Docker
Docker images can be built either via the KIWI tool or from Dockerfile build descriptions.
AppImage
The desktop-oriented AppImage format is currently only created as a side effect of an RPM
build. Open Build Service (OBS) supports signing and publishing the .AppImage les, the
rest is handled via wrapper packages which converts an RPM (or DEB package) into an
AppImage le. Own build rules can provided via a Recipe le, fallback code will be used
if no Recipe le is available.
Snap
The Snap format is supported natively. However, external resources are only supported
via source services and therefore not all build types are supported. Snapcraft only works
with Ubuntu-based base systems. (Code to support RPM-based distributions exists as well
but has not been merged upstream yet.)
Livebuild
Livebuild is the Debian livebuild support for ISO images.
Mkosi
Mkosi (https://github.com/systemd/mkosi/) allows building images for rpm, arch, deb, and
gentoo based distributions, see Section 2.9, “mkosi” for further details.
$BASE : URL/IP under which the Open Build Service instance is reachable
$PROJECT : The name of the project where the image is build, with all colons replaced
with forward slashes.
$REPOSITORY : The name of the repository where the containers are published.
$IMAGE_NAME : The name of this container image. It defaults to the name of the package
from which the container is build. Alternatively, a different image name can be specified in
the build recipe, e.g. via the containerconfig element in a KIWI le (see the kiwi docu-
mentation (https://osinside.github.io/kiwi/building_images/build_container_image.html?high-
light=containerconfig) for further details).
$TAG : The image tag. This defaults to latest with alternatives being provided in a similar
fashion as the image's name.
---
docker:
REGISTRY_URL:
sigstore: REGISTRY_URL/sigstore
Replace REGISTRY_URL with the appropriate URL to your instance of Open Build Service
(for example, registry.opensuse.org ).
Add the following object into the key transports in the le /etc/containers/poli-
cy.json :
EXAMPLE 24.2: POLICY.JSON
"docker": {
"REGISTRY_URL": [
{
"type": "signedBy",
"keyType": "GPGKeys",
"keyPath": "PATH_TO_PUBLIC_KEY"
}
]
}
{
"default": [
{
"type": "insecureAcceptAnything"
}
Save the public key of the project where your image is build under PATH_TO_PUBLIC_KEY
(you can choose any location to which you have read access, only ensure that you specify
it in /etc/containers/policy.json as well).
Podman will from now on automatically fetch the published signatures from the backend and
verify them before storing the images locally.
BuildFlags: setvcs
26.1.1 Introduction
The SCM bridge allows the sources of a single package or an entire project to be stored and
maintained in any trusted SCM repositories. However, git is currently the only supported SCM
system.
This allows to manage all packaging-relevant source changes in an external SCM repository
using the native tooling of the SCM (e.g. git). It is recommended to have this SCM server on the
same trust level as the OBS instance as it becomes the authoritative source. However, any SCM
server reachable via network could be used.
osc can still be used to checkout sources. This will create an SCM repository, so any modification
needs to be done using the native SCM tooling (e.g. git). osc can still be used for local building
and checking server side build results.
Be aware that any source modification mechanics, submit requests or link behaviour may work
differently or not at all. For example you can not use automatic package source merging via
_link les anymore. This means also that workflows inside of OBS are not working anymore
or are limited. A submit or release request would still work with a scmsync (source control
management system sync) source, but the user would always need to manually specify the target.
Functionality for when an entire project is managed via scmsync is even more limited.
Furthermore it is recommended to configure a global notification hook in the SCM server to
allow OBS to follow the sources automatically.
<scmsync>https://gitlab.com/some/repository</scmsync>
The repository is cloned including all subdirectories and submodules. However the build de-
scriptions need to be placed in the top-level directory.
<scmsync>https://gitlab.com/some/repository?onlybuild=glibc&onlybuild=kernel</scmsync>
Git VCS history: is not included for server side builds by default to save storage space. It
can be included by adding a keepmeta=1 CGI parameter to the URL. This is not needed
for local building when using osc.
Git LFS les: are included by default. They can be excluded by adding a lfs=0 CGI para-
meter to the URL.
Architecture specific remote assets can be selected by adding an arch=ARCH CGI para-
meter to the URL.
As an example, for the subdirectory case the URL would look like this:
<scmsync>https://gitlab.com/some/repository?subdir=MY_SUBDIRECTORY</scmsync>
<scmsync>https://gitlab.com/some/repository#MY_REVISION</scmsync>
This allows to set up multiple projects building for different branches. It is possible to use branch-
es for implementing CI workflows. For example a submission test building just a subset, a clean
build and a final reviewed build.
# osc create-pbuild-config
creates the _config and _pbuild les for a given repository and architecture. The _config le
is used by OBS as well as by the build configuration (prjconf). The additional _pbuild le is
analogous to the OBS project meta, but is not yet honored by OBS. Still, it can be included in
the git tree for pbuild users.
/source/PROJECT/PACKAGE?cmd=fork&scmsync=NEW_SCM_URL
Open Build Service is by design format agnostic, but it needs format specific support to be able
to parse build descriptions and running the build. This chapter is focusing on describing Open
Build Service specics of a format. Either limitations or extensions of Open Build Service builds.
A le with the extension .changes can be used to document the package history, but it
is not required.
OBS-specific RPM macros which are set are: %_project and %_repository
#!ForceMultiVersion can be used to avoid resetting the build counter reset on version
update. This is handled automatically in most cases. Explicitly adding this instruction is
only needed when it is not possible to detect whether there are subpackages defining
their own version. This can be the case when the subpackages are created dynamically
via external rpm macros.
#!BcntSyncTag: STRING defines the build counter sync tag in a spec le. It is used when
the bcntsynctag element tag is not defined in package meta. Also it can depend on archi-
tecture, repository or flavor for example.
#!BuildRequires: STRING Requires a build dependency. Usually the rpm native Buil-
dRequires is the better way to define this. Use this tag only when the dependency should
only exist when using the build script or OBS.
#!needsrootforbuild The build will be executed by root user. Please note that this must
be permitted either by the OBS admin (via the BSConfig.pm configuration) or enabled in
via build configuration rule. Also osc requires an additional parameter for local build (--
userootforbuild).
#!needsbinariesforbuild All package les are usually removed before starting the
build (after finishing to setup the build environment). This marker keeps them also during
build.
repositories which are used must use either a URL which starts with the OBS download
prefix or they must be written in obs://PROJECT/REPOSITORY syntax.
OBS extends kiwi functionality with following options. These covers cases which would need
explicit command line commands, so they are covered via the tags to have them in a reproducible
way.
An exclusive architecture list to build for can be defined with an xml comment OBS-
ExclusiveArch: ARCH_LIST
An excluded architecture list to skip builds can be defined with an xml comment OBS-
ExcludeArch: ARCH_LIST
Packages get picked usually in a xed order from the most important repository in OBS.
This happens independently of the version number of the packages. Set the xml comment
OBS-UnorderedRepos to disable the repository order handling and to have a more sim-
ilar behavior as with plain package manager builds. Note: this can result into switching
repositories between builds and is therefore less reproducible.
Container builds can specify a specific repository which shall be used for searching the
base container. Use the XML comment OBS-Imagerepo:$REPOSITORY_URL for this. The
repository URL may be in obs://$PROJECT/$REPOSITORY style.
Container builds can specify additional tags via OBS-AddTag:$TAG (KIWI limits it to one
tag) in obs://$PROJECT/$REPOSITORY style.
The tag #!UnorderedRepos will disable the repository prioritization for build dependen-
cies. This behavior is similar to plain Docker tooling. It introduces the risk that with each
build another repository is prioritized or that dependency problems of newer package ver-
sions are hidden.
#!BuildTag: TAG to define one or multiple tags to be used for the container.
#!BuildName: NAME Report back a defined NAME. Otherwise it gets derived from the
rst tag, replacing all / and : with - characters.
#!ArchExclusiveLine: ARCH_LIST The next line will only be considered by the sched-
uler the listed architectures. The line will still get executed on all architectures during the
build.
#!ArchExcludedLine: ARCH_LIST The next line will not be considered by the scheduler
on the listed architectures. The line will still get executed on all architectures during the
build.
#!Milestone: MILESTONE This defines a milestone name (for example, Beta1 ) which
will be applied during release operations. The candidate will receive its final tag then.
#!NoSquash disables the squashing of all layers created during the build to a single layer.
Without this, every RUN line is an additional layer.
The OBS comes with a generic request system where one party can ask another to complete a
certain action. This can be, for example, taking source changes, granting maintainer rights or
deleting a package. Requests are also used deal with more complex workflows.
A request is an object in the database. It can be accessed via the /request API route. osc and
the web interface can show and process these requests. There are also interfaces to show the
requests which should be handled for a certain user.
state: The state tells if the request still needs to processed or has been handled already
and how.
actions: these are the changes which will be applied when accepting the request.
reviewer: reviewer can be added automatically at request creation time or manually by any
involved party. Usually all of them should approve the request before it will be accepted.
However, the target can ignore that and accept anyway optionally.
accept_at: the request will get accepted automatically after the given time. Such a request
can only be created when having write permissions in the target. Automatic cleanup re-
quests created by Admin user are using this.
Requests can only be accepted or rejected in their entirety. Therefore, it can make sense to have
multiple actions in one request if changes should be applied in one transaction. For example,
submitting a new package and removing an old instance: Do either both or nothing. This implies
that the person accepting the request must have write access in all targets or they will not be
allowed to accept the request.
28.1.1.1 submit
A submit action will transfer sources from one package to another package. Usually a submit
request will refer to a specific revision in the source, but it does not have to. If no revision
is specified, then the current revision at the time of acceptance will be used. This should be
avoided when relying on complex reviews during the request process. Hence, it is recommended
to identify a specific version in your submitrequest ( osc submitrequest -r 42 ... ).
The submit action can support options to update the source or even to remove the source. Tools
like osc are applying the cleanup rule by default when submitting from a default user home
branch project.
28.1.1.2 release
Is used to release a finished build. Sources and binaries are copied without a rebuild (The target
project should have build disabled). A release target needs to be defined with trigger="man-
ual" .
28.1.1.3 delete
28.1.1.4 add_role
An add_role requests a specific role for a given user or group to the target. For example, one
could use this to ask for maintainer rights, or to become a default reviewer.
set_bugowner is similar to add_role, but removes all other bugowner roles in the target. This
happens to have a unique identifier to be used when assigning bug reports in external tools
like Bugzilla.
28.1.1.6 change_devel
28.1.1.7 maintenance_incident
Official request to open a maintenance incident for official support products. These requests are
created by developers who want to start an official maintenance process. Details are described
in the maintenance chapter. A new maintenance incident project is created and package sources
get copied there when accepting it. All sources of all actions in one request will be merged into
the same maintenance incident project.
28.1.1.8 maintenance_release
Is used to release a maintenance update. Sources and binaries are copied without a rebuild. Open
Build Service also creates a unique update identifier. Details can be found in the maintenance
chapter.
28.1.1.9 group
Deprecated. Was never in a released OBS version. It is not allowed to be used anymore.
new: The default value for newly created requests. Everybody involved in the specified
targets can see the request and accept or decline it.
accepted: The request has been accepted and the changes applied. history les have a
reference to this request.
revoked: The submitter has taken back their request. The request is considered to be in-
active now.
superseded: This request is obsolete due to a new request. The request is considered to be
inactive now. The superseding request is linked in this request.
review: There are still open reviews inside of the request. Nobody has declined it yet. The
request is not yet visible to the target by default. The state will change automatically to
new when all reviewers accept.
28.1.3 Reviewers
Reviews can be done by users, groups, projects or packages. Review by project or package means
that any maintainer of them is asked for reviews. This is handy to avoid the need to figure
who actually is a maintainer of a certain package. Also, new maintainers of a package will see
requests in case the old maintainer did not handle them.
Reviewers can be added manually by anyone involved in a request. This can be used to hand
over a review. In that situation the new reviewer needs to be added and the original reviewer's
own review needs to be accepted. The request becomes declined when any of the reviewers are
declining the request.
Project and package objects can have users or groups with a reviewer role. They are added
automatically to a request as reviewer when a request is created which has them as target. In
case the project and package do specify reviewers, all of them are added to the request.
232 Reviewers
28.1.4 Request creation
The API is doing a number of checks at request creation time. In case a target is not specified it
tries to set it according to the linked package. If an entire project is specified as source it expands
it to all packages inside. This means it is replacing one action with multiple. When using the
addrevision parameter it does also add the current revision of the package source to the action.
This makes it easy to create new requests with little logic in the client.
di: does not modify the request, just shows source modifications wanted by the request
changestate: to change the state of the request, for example to accept it.
Image templates are pre-configured image configurations. The image templates page (https://
build.opensuse.org/image_templates) provides a list of these templates. Users can clone these
templates and further configure them as they like.
Note
For more information about KIWI images, see Section 2.5, “KIWI Appliance”.
30.1 Overview
A package source may contain multiple build description les. They can be used depending on
the base distribution, the repository name or for different configurations. These mechanics can
be also combined.
The right build description le gets picked by filtering. The build will not start when either no
le matches or multiple candidates exist. The filtering happens with the following steps:
1. Based on the package build format of the based distributions. RPM-based distributions will
use spec les for example.
2. Based on the le name of the le before the suffix. It is not important as long as just one
le exists, but it has to match when multiple les exist. The name is defined by the build
container name, which is either defined in a _multibuild directive le or is the source
package name.
3. Specific les can be created to be built for a specific repository. Append the reposito-
ry name of the build container behind the package name with a -. For example hel-
lo-openSUSE_13.2.spec .
Multibuild packages are defined with the _multibuild directive le in the package sources.
The _multibuild le is an xml le. For example:
<multibuild>
236 Overview
<flavor>kernel-source</flavor>
<flavor>kernel-obs-build</flavor>
</multibuild>
Build description les are needed for each of them for each package (for example, ker-
nel-source.spec or kernel-obs-build.dsc) inside of the sources. There will be another build in case
there is also a matching le for the source package container name, otherwise it will turn into
an “excluded” state. Dockerfile based build descriptions may provide own build descriptions for
each flavor via Dockerfile.FLAVOR suffixed les.
This chapter explains the setup and workflow of a maintenance update in the openSUSE way.
However, this should not be limited to openSUSE distribution projects but be usable anywhere
(the entire workflow or just parts of it).
The goal of the OBS maintenance process is to publish updates for a frozen project, in this
example an entire distribution. These updates need to be approved by a maintenance team and
the published result must contain documentation about the changes and be applicable in the
easiest way by the users. The result is a package repository with additional information about
the solved problems and defined groups of packages to achieve that. Binary delta data can also
be generated to reduce the needed download size for the clients.
Technically this results in a frozen software repository containing the original package distrib-
ution and an additional update repository with a subset of updated packages that will be pre-
ferred by the package manager thus superseding the packages from the original distribution.
openSUSE:11.4 is the GA Project in this example. It is locked and not changing anymore.
openSUSE:11.4:Update is the Update Project to release official updates for the locked
openSUSE:11.4 project. Thus it links to the openSUSE:11.4 project, inheriting all package
sources from there.
It is recommended to lock the GA Project by the project maintainer by using the osc lock
[PROJECT] command
The Update Project has to have the <link project="[PROJECT]"/> element in the project
meta configuration.
It is very useful to define groups of bugowners, maintainers and reviewers and to make
use of bots for further quality assurance tasks.
<maintains project="[PROJECT]"/>
elements. It is very useful to define groups of maintainers and reviewers and to make use
of review bots to enforce desired quality properties here.
In a simple setup as described before, create the maintenance branch from the package of the
Update Project as the GA Project can never be changed anymore.
NOTE: both branch commands do support the --noaccess parameter, which will create a hidden
project. This may be used when a not yet publicly known security issue is get xed.
Afterwards the user needs to do the needed modifications. Packages will be built and can be
tested. Afterwards they may add information about the purpose of this maintenance update via
If the source changes contain references to issue trackers (like Bugzilla, CVE or FATE) these will
be added to the _patchinfo le.
The server will create a full maintenance channel now, in case the user wants to test this as
well. After the user has tested, they have to create a maintenancerequest to ask the maintenance
team to accept this as an official update incident:
osc maintenancerequest
On accepting this request all sources of the entire project will get copied to the incident project
and be rebuild. The origin project gets usually removed (based on the request cleanup options).
The following example is submitting two packages (kdelibs4 and kdebase4) from the project
KDE:Devel project as update for openSUSE:12.1
To document the expected work the creation of a patchinfo package is needed. This can be
done via
osc patchinfo [PROJECT]
It is important to add Bugzilla entries inside of the _patchinfo le. As long these are open Bugzilla
entries, the bug assignee will see this patchinfo on their "my work" Web UI and osc views, so
they knows that work is expected from them.
osc releaserequest
1. Incident project container is created. This is always a sub project to the maintenance
project. A unique ID (counter) is used as subproject name. Build is disabled by default
project wide.
Package sources get added based on given package and attribute name from all ex-
isting project instances. The package name is extended by the source project name
to allow multiple instances of same package in one project. Source revision links are
using the xsrcmd5 to avoid that other releases will affect this package instance.
Build repositories are added if missing. All repositories from all projects where the
package sources gets branched from are used. The build ags in the package instances
gets switched on for these.
5. OBS server is building packages according to the sources and update information according
to the patchinfo data.
6. one or more release requests get created. It does also set the project to "freeze" state by
default, this means no source changes are possible anymore and all running builds get
canceled.
7. Usually the request is in review state with defined reviewers from the release project. All
reviewers need to review the state in the incident project.
8. Request changes into state "new" when all reviewers accepted the release request.
9. The release happens on accepting the request by the maintainers of the release project.
All package sources and binaries get copied into a package container where the pack-
age name gets extended by the incident number.
A main package gets created or updated, it just contains a link to the current incident
package. For example, glibc points to glibc.42. The purpose of this main package is
to have a place to refer to the current sources of a package.
The updateinfo.xml gets updated with the existing or now created unique updateinfo
ID.
The server will update the repository based on all existing binaries.
10. OPTIONAL: A maintenance coordinator may remove the release by removing the package
instances inside the release project. The source link has to be xed manually. (We may
offer a function for this).
Adding again the condition=maintenance attribute to the release target which re-
quires a re-release.
NOTE: The step 1 and 2 may be done via accepting an incident request instead.
A developer can see the work to be done by them via searching for patchinfos with open
Bugzilla entries:
A maintenance coordinator can see requests for doing a maintenance release via searching
for open requests with maintenance_incident action against the maintenance project. They
are visible in the Web UI request page of that project or via
A maintenance coordinator can see open incidents via searching for incidents project repos-
itories which have a release target with maintenance trigger. Note: this search result is
showing all repositories of a matching project.
/search/project?match=(repository/releasetarget/@trigger='maintenance')
A maintenance coordinator can see updates which currently are reviewed (for example
by a QA team) via
A maintenance coordinator can see updates ready to release via searching for open requests
with maintenance_release action.
This example shows the setup where selected binary packages get released also to a defined
channel. The openSUSE:11.4:SecurityChannel project contains a _channel definition inside of
the channel package. This one gets branched as well into the incident in case a matching channel
does exist. Also, the additional repository gets added. The resulting binaries will be transfer via
a release request to the code stream project (openSUSE:11.4:Update) and the special channel
project.
publish time, aka the time when the repository gets published by OBS. This is not the same
time as when the release action got invoked.
build time
supportstatus, meta information about the level of support which is granted for the binary
at the time of releasing it.
Please visit the before mentioned links to get details and several examples of how to use these
API endpoints.
The sources of a package defined which dependencies are required at build time. For ex-
ample, BuildRequires lines in spec les defined which other packages must get installed
to build a package
The project configuration of the package defines repositories and architectures to build for.
In case other repositories are used as a base the configuration from there is also considered.
Constraints regarding the worker are considered. A package may require certain amount of
resources or specific features to build. Check the constraints chapter for details. However,
apart from this the build should be independent of the specific worker where the job gets
dispatched to.
# Example <repository
name="standard" rebuild="transitive" block="all" linkedbuild="off"> [...]
</repository>
transitive
The default behavior, do a clean build of all dependant packages
direct
Just build the package with changed sources and direct dependant packages. But not in-
direct dependant packages.
local
Just build packages with changed sources.
Note
Note: You can run into dependency problems in case you select direct or local without
noticing this in the build state. Your packages might not even be installable or have
random runtime errors (like not starting up or crashing applications), even when they
claim to be "succeeded". Also, you cannot be sure that you will be able to re-build them
later. So never do an official shipment with this setting of a release. This knob is exposed
to allow deliberate suppression of the strictly reproducible builds (for example, to limit
burning CPU unnecessarily).
all
The default behavior, do not start the build if a dependant package is currently building.
never
Never set a package to blocked.
Note
When using something other than “all” you will have to deal with the following problems:
Your packages will get built more often, take more resources on the server side. As
a result the dispatcher will rate your repository down.
off
DEFAULT: do not build packages from project links
localdep
only build project linked packages if they depend on a local package result.
alldirect
build all packages from the linked projects. Indirectly linked projects get not build.
all
build all packages from direct and indirect linked projects
Build constraints provide a way for the user to specify build worker parameters that the Build
Service will use to decide which build workers are "qualified" to undertake a given build.
They are intended to be used for defining known, hard requirements for successfully building a
given package (for example, disk space, memory, or certain CPU functionality).
Since the _statistics le is a build artifact produced by every successful build, it is always
included among the build artifacts downloaded by osc getbinaries .
GET /build/{project_name}/{repository_name}/{architecture_name}/{package_name}/
_statistics
Important
When reviewing the build statistics, it's important to be aware that the numbers can vary
significantly from build to build depending on build parallelism (e.g. make -j ).
hardware:disk:size unit=G
The string hardware:disk:size in this example means "size, a subqualifier of disk, which is it-
self a subqualifier of hardware", and unit=G means "the value is expressed in units of Gigabytes.
For a full treatment of constraint syntax, see Section 34.4, “Constraint syntax”.
The QUALIFIER syntax is the same as used in RPM spec les, documented in Section 34.4, “Con-
straint syntax”. Within the project configuration, individual Constraint lines can be enclosed
in guards to make a constraint apply only to certain architectures or repositories. For example:
or
Important
Constraints set in project configuration affect not only the project itself, but also all
projects that build against it.
For a full treatment of constraint syntax, see Section 34.4, “Constraint syntax”.
<?xml version="1.0"?>
<constraints>
<hardware>
<physicalmemory>
<size unit="M">2000</size>
</physicalmemory>
<disk>
<size unit="G">5</size>
</disk>
</hardware>
<sandbox>kvm</sandbox>
<hostlabel exclude="true">SLOW_CPU</hostlabel>
</constraints>
For details on constraint qualifiers and how to specify them in a _constraints le, see Sec-
tion 34.4, “Constraint syntax”.
The # character at the beginning of the line causes the build recipe parser (RPM, Docker, pod-
man) to ignore the whole line, but in combination with the ! character signifies an OBS-specific
directive that is picked up by a pre-processor within the OBS back-end.
Instead of specifying subqualifiers by nesting directives like in XML, colons are used. For ex-
ample:
In this example, "linux:version:min" is the constraint qualifier and "3.0" is the value.
As described for project-scoped conditionals, above, #!BuildConstraint lines can be guarded
with various conditionals to limit their effect to certain architectures or, e.g., multibuild flavors.
Important
Be careful when setting build constraints. The idea is to use them to express minimum
values for the various parameters, below which builds are likely to fail. If you set a con-
straint too high, you risk reducing the pool of compliant build workers down to a very
Important
By default, constraints applied to build workers regardless of architecture. However, you
may only be interested in certain architectures and not in others. See Section 34.6, “Checking
Constraints with osc” for how to get architecture-specific information on which workers
satisfy your constraints.
Note
When specifying constraints using XML syntax, attribute values must be enclosed in dou-
ble-quotes ( unit="G" , exclude="true" , etc.), while in project configurations and build
recipes the values must be given without quotes ( unit=G , exclude=true ).
34.4.1 hostlabel
The "hostlabel" qualifier is any string which can be assigned to build workers when starting the
bs_worker process. Since its intended use is to restrict a build to specific workers, it should
only be used after consultation with OBS administrators who have detailed knowledge of the
build farm, and ideally as a negative definition, using the exclude=true attribute. Even then,
keep in mind that hostlabel settings are not portable, since the always specific to a given OBS
instance and should therefore only be used as a last resort in situations that cannot be addressed
by any of the other qualifiers.
<constraints exclude="false">
<hostlabel>benchmark_runner</hostlabel>
</constraints>
34.4.2 sandbox
Defines the "sandbox" which is used for the build. The "sandbox" is the virtual environment in
which the build takes place: each build worker is configured with a xed sandbox type.
The configuration of this build constraint is typically left to OBS administrators, and there is
usually no reason for a project or package maintainer to set it.
Example for _constraints le:
<constraints>
<sandbox exclude="true">kvm</sandbox>
</constraints>
34.4.3 linux
This is a category of constraints specific to the Linux kernel, applied to the kernel running on
the build worker.
261 sandbox
34.4.3.1 version
<constraints>
<linux><version>
<min>3.0</min>
<max>4.0</max>
</version></linux>
</constraints>
34.4.3.1.1 min
34.4.3.1.2 max
34.4.3.2 flavor
A specific kernel flavor, such as default or smp (corresponding to the kernel packages kernel-de-
fault and kernel-smp, respectively).
Example for _constraints le:
<constraints>
<linux>
<flavor>default</flavor>
</linux>
262 linux
</constraints>
34.4.4 hardware
To specify that build workers must meet certain minimum hardware specifications or possess
certain hardware features.
34.4.4.1 cpu
To require a specific CPU feature.
34.4.4.1.1 flag
CPU features which are provided by the hardware. On Linux, these can be found in /proc/
cpuinfo . The ag element may be used multiple times to require multiple CPU features.
<constraints>
<hardware><cpu>
<flag>mmx</flag>
<flag>sse2</flag>
</cpu></hardware>
</constraints>
263 hardware
EL0 is a special ag that that can be used on hardware that only supports level-0 exceptions,
such as certain armv8l systems. This means that VMs or 32-bit kernels are not supported but
userland is supported. This ag can be used to block builds on such hardware if no 64-bit kernel
is available for a project.
Example for project configuration:
Additional ags are also reported for effective architecture level of the CPU. This includes the
following ags:
power7
power8
power9
x86-64-v2
x86-64-v3
x86-64-v4
34.4.4.2 processors
<constraints>
<hardware>
<processors>4</processors>
</hardware>
</constraints>
Constraint: hardware:processors 4
264 hardware
Example for RPM spec le or Dockerfile:
#!BuildConstraint: hardware:processors 4
34.4.4.3 jobs
Each build worker is configured with a given default for the JOBS environment variable, which
expresses how many parallel build processes the worker should be able to sustain. To require a
minimal number of pre-confiured parallel jobs for the build, use this qualifier.
Note
This specifies the number of parallel jobs the build tooling should use, so even though it
is under hardware it is not actually a hardware requirement.
<constraints>
<hardware>
<jobs>4</jobs>
</hardware>
</constraints>
Constraint: hardware:jobs 4
#!BuildConstraint: hardware:jobs 4
34.4.4.4 disk
Hard disk specific constraints.
34.4.4.4.1 size
To specify a minimum amount of free disk space, below which a build on the worker will not
be attempted.
265 hardware
Example for _constraints le:
<constraints>
<hardware>
<disk>
<size unit="G">4</size>
</disk>
</hardware>
</constraints>
34.4.4.5 memory
To specify a minimum amount of RAM memory that the worker must be equipped with.
34.4.4.5.1 size
<constraints>
<hardware>
<memory>
<size unit="M">1400</size>
</memory>
</hardware>
</constraints>
266 hardware
34.4.4.6 physicalmemory
Memory specific.
34.4.4.6.1 size
To require a minimal memory size. Swap space is not taken into account here.
Example for _constraints le:
<constraints>
<hardware>
<physicalmemory>
<size unit="M">1400</size>
</physicalmemory>
</hardware>
</constraints>
In this case, all four compliant workers are down. The notification helps the user understand
why the build is not starting. The dispatch details can also be retrieved using the OBS API or,
e.g., using the command osc results -v ).
Either you give a repository and an arch or osc will check the constraints for all repository /
arch pairs for the package. A few examples:
If no le is given it takes the local _constraints le. If this le does not exist or the --ignore-le
switch is set only the project constraints are used.
Name: base
BuildRequires: bash
#!BuildIgnore: brp-trim-desktopfiles
270
36 Authorization
osc token
The best way to create a token is bind it to a specific package. The advantage is that the operation
is limited to that package, so less bad things can happen when the token leaks.
Also, you do not need to specify the package at execution time. But keep in mind that such form
only works when you run it on an as checkout of a package. Both commands below do the same
thing but in a different way:
A token can be registered as generic token, means allowing to execute all source services in
OBS if the user has permissions. You can create such a token by skipping project/package on
creation command:
In this case, you are forced to specify project/package along with the token. On the other hand,
you are not limited from where you execute it. Again, two examples doing same thing:
.changes File
In OBS, a le with the le extension .changes to store changelog information.
See also Changelog.
API
API stands for application programming interface. It lets your product or service communi-
cate with other products and services without having to know how they’re implemented.
The OBS API is located here: https://api.opensuse.org .
The documentation for the API is located here: https://api.opensuse.org/apidocs .
AppImage
An application and its dependencies packaged as a single le which can run on many distri-
butions without unpacking or installing.
Appliance
An image built and preconfigured for a specific purpose. Appliances usually consist of a
combination of an application (for example, a Web server), its configuration, and an oper-
ating system (for example, SUSE Linux Enterprise Server). Appliances can be copied as-is
onto a hard disk, an SSD, or started as a virtual machine (deployed).
See also Operating System Image, Image (Image File).
Attribute
Attributes can be added to projects or packages to add meta information or to trigger actions.
For example, you can use the attribute OBS:AutoCleanup to delete a project after a certain
amount of time.
277
Formats of binary packages include RPM and DEB. In the OBS context, binary packages are
sometimes also called binaries.
See also Container, Operating System Image, Source Package, Deb, RPM, KIWI, Archive (Archive
File).
Branch
Personal copy of another repository that lives on your home project. A branch allows you
to make changes without affecting the original repository. You can either delete the branch
or merge it into the original repository with a submit request.
See also Submit Request.
Bug
Issue that documents incorrect or undesirable behaviour
Bugowner
In OBS, Bugowner is a user role which can be set for a project or a package. However, ideally,
set this role for individual packages only. Users with this role can only read data but they
are responsible for reacting to bug reports.
See also Maintainer.
Build
Generating ready-to-publish binaries, usually for a specific distribution and architecture.
Build Log
Output of the build process of a certain package.
See also Build.
Build Recipe
Generic term for a recipe le for creating a package. A build recipe includes metadata,
instructions, requirements, and changelogs. For RPM-based systems like SUSE, a .spec le
is used and contains all the previous points. Debian-based systems use a debian directory
which splits all the information.
See also Spec File.
Build Requirement
Package requirements that are needed to create or build a specific package.
See also Installation Requirement, Build Recipe.
278
Build Result
The current state of a package. Example of a build result could be succeeded, failed, blocked,
etc.
Build Root
Directory where the osc command copies, patches, builds, and create packages. By default,
the build root is located in /var/tmp/build-root/BUILD_TARGET .
See also Build Target.
Build Target
Specific operating systems and architecture to build for.
Changelog
Listing of a high-level overview sorted by date. An entry of a changelog can contain infor-
mation about version updates, bug and security fixes, incompatible changes, or changes re-
lated to the distribution.
See also .changes File.
Commit
A record of a change to one or more les. Each record contains the revision, the author, the
date and time, a commit checksum, an optional request number, and a log message.
See also Revision.
Container
An image le that contains a deployable version of software and metadata. Dependencies of
the main software are also included, such as additional libraries.
Unlike operating system images, containers do not include an operating system. Unlike bi-
nary packages, containers are deployed and not installed. Formats of containers include Ap-
pImage, Docker, Snap, and Flatpak.
See also Binary Package (Binary), Operating System Image, Image (Image File).
Deb
A package format created and used by the Debian distribution.
See also Package, RPM.
Decision
Decision made by a moderator (Cleared or Favor) when they receive a report of problematic
content or user.
279
Dependency
See Requirement.
Devel Project
A set of related packages that share certain features. For example, the devel project dev-
el:languages:python stores all packages related to the Python programming language.
See also Home Project, Project.
Diff
See Patch.
DISTURL
The DISTURL is a unique identifier of a source and its build setup. It is written usually written
inside of the build result to be able to identify the origin. A DISTURL is structured as obs://
OBS_NAME/PROJECT/REPOSITORY/REVISION-PACKAGE . It can be shown for example via
Docker
Docker is a lightweight virtualization solution to run multiple virtual units (containers) si-
multaneously on a single control host.
See also Container.
Download Repository
An area containing built packages available for download and installation through Zypper
or YaST. The download repository belongs to a project and is specific to a distribution. An
example of a download repository could be http://download.opensuse.org/reposito-
ries/PROJECT/openSUSE_Tumbleweed/ .
EULA
End User License Agreement. For software that needs a special license (usually non-open
source) which the user needs to agree to before installing.
Fix
See Patch.
280
Flags
A set of switches that determine the state of package or repository. This includes building,
publishing, and generating debug information.
GA Project
The GA (general availability) project builds an initial release of a product. It gets frozen after
releasing the product. All further updates get released via the Update Project of this project.
GPG Key
An encryption key pair that in the context of OBS is used to verify the owner of the repository
and packages.
Home Project
Working area in OBS for uploading and building packages. Each home project starts with
home:USERNAME .
See also Project.
Image Description
Specification to define an appliance built by KIWI. The image description is a collection
of les directly used by KIWI ( config.xml and *.kiwi ), scripts, or configuration data to
customize certain parts of the KIWI build process.
See also KIWI.
Incident
Describes a specific problem and the required updates. If the problem exists for multiple code
streams, one incident covers all of them. An incident is started by creating a maintenance
incident project and the update get built here.
Installation Requirement
Package requirements that are needed when the package is installed.
KIWI
A tool to build operating system images. It can create images for Linux supported hardware
platforms or for virtualization systems.
See also Image (Image File).
281
License
Written contract to specify permissions for use and distribution of software.
See also Project.
Link
A concept that defines a relationship between a source and a target repository.
See also Project.
Maintainer
In OBS, Maintainer is a user role which can be set for a project or a package. Users that have
this role in a project can add, modify, and remove packages and subprojects, accept submit
requests, and change metadata.
See also Bugowner.
Maintenance Project
A project without sources and binaries, defined by the maintenance team. Incidents are
created as sub projects of this project.
See also Incident.
OBS Package
OBS packages contain the sources that are necessary to build one or more binary packages
or containers. The content of OBS packages varies. In general, there is always a source le
(such as a TAR archive of the upstream sources) and a build recipe.
To build an RPM package in OBS, you need a spec le as your build recipe, for example. An
OBS package can also contain other les, such as a change log and patches.
OBS packages, unlike the name “package” suggests, do not consist of a single le. Instead,
they are directories of a version-controlled repository. However, unlike most directories,
they cannot contain subdirectories. (You can use subdirectories to simplify your work with
the checked-out package but you cannot submit these directories.)
282
Operating System Image
An image le that contains an operating system. The operating system can be either instal-
lable or deployable. Depending on their purpose, operating system images are classified into:
Product Image, Appliance, Virtual Machine Image
Formats of operating system images include ISO, Virtual Disk, and PXE Root File System.
See also Binary Package (Binary), Image (Image File), KIWI.
osc
A command line tool to work with OBS instances. The acronym osc stands for openSUSE
commander. osc works similarly to SVN or Git.
See also Open Build Service (OBS), https://github.com/openSUSE/osc .
Overlay File
A directory structure with les and subdirectories used by KIWI. This directory structure is
packaged as a le ( root.tar.gz ) or stored below a directory (named root ). The contents
of the directory structure is copied over the existing le system (overlaid) of the appliance
root. This includes permissions and attributes as a supplement.
See also Appliance, KIWI.
Package
OBS handles very different types of software package:
Source Package, OBS Package, Binary Package (Binary)
See also Container.
Package Repository
A place where installable packages are available. This can be either from a media like CD,
DVD, or from a remote online repository.
Official repositories can divided into oss software (licensed under an open source license)
and non-oss (for software released under other. non-open source licenses). Additionally,
there are update source, and debug repositories as well.
Package Requirement
See Requirement.
Patch
Textual differences between two versions of a le.
See also Patch File.
283
Patch File
A le that contains a patch with the le extension .diff or .patch .
See also Patch.
Product Image
An image that allows installing an operating system, usually from a removable medium,
such as a USB disk or a DVD onto a hard disk or SSD.
Live images are a special case of operating system images. They can be run directly a USB
disk or DVD and are often but not always installable.
See also Operating System Image, Image (Image File).
Project
Unit which defines access control, repositories, architectures, and a set of packages contain-
ing sources.
Project Configuration
Settings to define the setup of the build system, usually to switch on or o certain features
during the build or to handle circular dependencies.
See also Project.
Publishing
Finished process when a package is successfully built and available in the download repos-
itory.
See also Download Repository.
Release Project
A release project is hosting a release repository which is not building any packages ever. It
is only used to copy sources and binaries to this project on a release event.
Repo File
A le with the name PROJECT.repo . inside the download repository. The le contains in-
formation about the name of the repository, the repository type, and references to the down-
load repository and the GPG key.
See also Download Repository.
Repository
A distribution-specific area that holds dependencies required for building a package.
See also Download Repository.
284
Requirement
In the OBS context, package requirements that are needed to create, build, or install a pack-
age.
See also Build Requirement, Installation Requirement.
Revision
A unique numeric identifier of a commit.
See also Commit.
RPM
A package format. It stands for recursive acronym RPM Package Manager. Mainly used by
SUSE, Red Hat, u.a.
See also Deb, Package.
Sandbox
Isolated region of a host system which runs either a virtual machine or a change root envi-
ronment.
See also Build Root.
Service File
An XML le that contains metadata required for building a package. This includes version
information, upstream source repository, and actions.
Source
Original form, mostly written in a computer language.
See also Package.
Source Link
See Link.
Source Package
Source packages contain content similar to an OBS package but they are packaged in an
archive le. They are also meant to allow building a single binary package or container
format only. However, source packages allow rebuilding outside of an Open Build Service
context.
An example of source packages are SRPMs which contain the source for accompanying RPM
binary packages.
See also Binary Package (Binary), Archive (Archive File).
285
Source Service
A tool to validate, generate, or modify a source in a trustable way.
See also Source.
Spec File
A le that contains metadata and build instructions. Metadata includes a general package
description and dependencies required for building and installing the package.
See also Build Recipe, Patch, Source.
Submit Request
Asking for integrating changes from a branched project.
Subproject
A child of a parent project.
See also Devel Project, Home Project, Project.
Target
A specific distribution and architecture, for example, openSUSE Tumbleweed for x86-64.
Also referenced as build target.
Update Project
A project which provides official updates for the products generated in the GA Project. The
update project usually links sources and repositories against the GA Project.
See also Release Project, GA Project.
Watchlist
A list of repositories that the user is interested in, available in the OBS Web UI.
286
Working Copy
See Working Directory.
Working Directory
A directory on your local machine as a result from a osc checkout call for working and
building before submitting your changes to an OBS instance.
Zypper
A command line package manager to access repositories, solve dependencies, install pack-
ages, and more.
287
A GNU Licenses
Activities other than copying, distribution and modification are not covered by this License;
This appendix contains the GNU General Pub- they are outside its scope. The act of running the Program is not restricted, and the output
from the Program is covered only if its contents constitute a work based on the Program
lic License version 2 and the GNU Free Docu- (independent of having been made by running the Program). Whether that is true depends
on what the Program does.
mentation License version 1.2.
1. You may copy and distribute verbatim copies of the Program’s source code as you receive
GNU General Public License it, in any medium, provided that you conspicuously and appropriately publish on each copy
Version 2, June 1991 an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that
Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place - Suite 330, Boston,
MA 02111-1307, USA refer to this License and to the absence of any warranty; and give any other recipients of the
Everyone is permitted to copy and distribute verbatim copies of this license document, but
Program a copy of this License along with the Program.
changing it is not allowed.
You may charge a fee for the physical act of transferring a copy, and you may at your option
Preamble offer warranty protection in exchange for a fee.
The licenses for most software are designed to take away your freedom to share and change it. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a
By contrast, the GNU General Public License is intended to guarantee your freedom to share
and change free software--to make sure the software is free for all its users. This General Public work based on the Program, and copy and distribute such modifications or work under the
License applies to most of the Free Software Foundation’s software and to any other program
whose authors commit to using it. (Some other Free Software Foundation software is covered terms of Section 1 above, provided that you also meet all of these conditions:
by the GNU Library General Public License instead.) You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public
a). You must cause the modified les to carry prominent notices stating that you changed
Licenses are designed to make sure that you have the freedom to distribute copies of free
software (and charge for this service if you wish), that you receive source code or can get it
the les and the date of any change.
if you want it, that you can change the software or use pieces of it in new free programs; and
that you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to deny you these rights b). You must cause any work that you distribute or publish, that in whole or in part contains
or to ask you to surrender the rights. These restrictions translate to certain responsibilities for
you if you distribute copies of the software, or if you modify it. or is derived from the Program or any part thereof, to be licensed as a whole at no charge to
For example, if you distribute copies of such a program, whether gratis or for a fee, you must
all third parties under the terms of this License.
give the recipients all the rights that you have. You must make sure that they, too, receive or
can get the source code. And you must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2) offer you this license c). If the modified program normally reads commands interactively when run, you must
which gives you legal permission to copy, distribute and/or modify the software.
Also, for each author’s protection and ours, we want to make certain that everyone under- cause it, when started running for such interactive use in the most ordinary way, to print or
stands that there is no warranty for this free software. If the software is modified by someone
else and passed on, we want its recipients to know that what they have is not the original, so display an announcement including an appropriate copyright notice and a notice that there
that any problems introduced by others will not reflect on the original authors’ reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the is no warranty (or else, saying that you provide a warranty) and that users may redistribute
danger that redistributors of a free program will individually obtain patent licenses, in effect
making the program proprietary. To prevent this, we have made it clear that any patent must the program under these conditions, and telling the user how to view a copy of this License.
ment, your work based on the Program is not required to print an announcement.)
GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR
These requirements apply to the modified work as a whole. If identifiable sections of that
COPYING, DISTRIBUTION AND MODIFICATION work are not derived from the Program, and can be reasonably considered independent and
separate works in themselves, then this License, and its terms, do not apply to those sections
when you distribute them as separate works. But when you distribute the same sections as
0. This License applies to any program or other work which contains a notice placed by the
part of a whole which is a work based on the Program, the distribution of the whole must be
on the terms of this License, whose permissions for other licensees extend to the entire whole,
copyright holder saying it may be distributed under the terms of this General Public License.
and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your rights to work written
The “Program”, below, refers to any such program or work, and a “work based on the Pro-
entirely by you; rather, the intent is to exercise the right to control the distribution of deriv-
ative or collective works based on the Program.
gram” means either the Program or any derivative work under copyright law: that is to say,
In addition, mere aggregation of another work not based on the Program with the Program
(or with a work based on the Program) on a volume of a storage or distribution medium does
a work containing the Program or a portion of it, either verbatim or with modifications and/
not bring the other work under the scope of this License.
288
a). Accompany it with the complete corresponding machine-readable source code, which agreement or otherwise) that contradict the conditions of this License, they do not excuse you
must be distributed under the terms of Sections 1 and 2 above on a medium customarily used from the conditions of this License. If you cannot distribute so as to satisfy simultaneously
for software interchange; or, your obligations under this License and any other pertinent obligations, then as a consequence
you may not distribute the Program at all. For example, if a patent license would not permit
b). Accompany it with a written offer, valid for at least three years, to give any third party,
royalty-free redistribution of the Program by all those who receive copies directly or indirectly
for a charge no more than your cost of physically performing source distribution, a complete
through you, then the only way you could satisfy both it and this License would be to refrain
machine-readable copy of the corresponding source code, to be distributed under the terms
4. You may not copy, modify, sublicense, or distribute the Program except as expressly pro- such case, this License incorporates the limitation as if written in the body of this License.
vided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the
9. The Free Software Foundation may publish revised and/or new versions of the General
Program is void, and will automatically terminate your rights under this License. However,
Public License from time to time. Such new versions will be similar in spirit to the present
parties who have received copies, or rights, from you under this License will not have their
version, but may differ in detail to address new problems or concerns.
licenses terminated so long as such parties remain in full compliance. Each version is given a distinguishing version number. If the Program specifies a version
number of this License which applies to it and “any later version”, you have the option of
following the terms and conditions either of that version or of any later version published
5. You are not required to accept this License, since you have not signed it. However, nothing
by the Free Software Foundation. If the Program does not specify a version number of this
License, you may choose any version ever published by the Free Software Foundation.
else grants you permission to modify or distribute the Program or its derivative works. These
10. If you wish to incorporate parts of the Program into other free programs whose distribu-
actions are prohibited by law if you do not accept this License. Therefore, by modifying or
tion conditions are different, write to the author to ask for permission. For software which
distributing the Program (or any work based on the Program), you indicate your acceptance
is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we
of this License to do so, and all its terms and conditions for copying, distributing or modifying
sometimes make exceptions for this. Our decision will be guided by the two goals of preserv-
the Program or works based on it.
ing the free status of all derivatives of our free software and of promoting the sharing and
6. Each time you redistribute the Program (or any work based on the Program), the recipient
reuse of software generally.
automatically receives a license from the original licensor to copy, distribute or modify the
Program subject to these terms and conditions. You may not impose any further restrictions NO WARRANTY
on the recipients’ exercise of the rights granted herein. You are not responsible for enforcing
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRAN-
7. If, as a consequence of a court judgment or allegation of patent infringement or for any other WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER
reason (not limited to patent issues), conditions are imposed on you (whether by court order, PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER
289
interest in the program `Gnomovision’
EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES (which makes passes at compilers) written
by James Hacker.
This General Public License does not permit incorporating your program into proprietary
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
programs. If your program is a subroutine library, you may consider it more useful to permit
linking proprietary applications with the library. If this is what you want to do, use the GNU
REPAIR OR CORRECTION.
Lesser General Public License (http://www.fsf.org/licenses/lgpl.html) instead of this License.
AGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES Everyone is permitted to copy and distribute verbatim copies of this license document, but
changing it is not allowed.
ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT
PREAMBLE
LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUS-
The purpose of this License is to make a manual, textbook, or other functional and useful
TAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH document “free” in the sense of freedom: to assure everyone the effective freedom to copy
and redistribute it, with or without modifying it, either commercially or noncommercially.
ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED Secondarily, this License preserves for the author and publisher a way to get credit for their
work, while not being considered responsible for modifications made by others.
OF THE POSSIBILITY OF SUCH DAMAGES. This License is a kind of “copyleft”, which means that derivative works of the document must
themselves be free in the same sense. It complements the GNU General Public License, which
is a copyleft license designed for free software.
END OF TERMS AND CONDITIONS We have designed this License in order to use it for manuals for free software, because free
software needs free documentation: a free program should come with manuals providing the
same freedoms that the software does. But this License is not limited to software manuals; it
How to Apply These Terms to Your New Programs can be used for any textual work, regardless of subject matter or whether it is published as a
printed book. We recommend this License principally for works whose purpose is instruction
If you develop a new program, and you want it to be of the greatest possible use to the public, or reference.
the best way to achieve this is to make it free software which everyone can redistribute and
change under these terms.
APPLICABILITY AND DEFINITIONS
To do so, attach the following notices to the program. It is safest to attach them to the start
of each source le to most effectively convey the exclusion of warranty; and each le should This License applies to any manual or other work, in any medium, that contains a notice placed
have at least the “copyright” line and a pointer to where the full notice is found. by the copyright holder saying it can be distributed under the terms of this License. Such a
notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under
one line to give the program’s name and an idea of what it does.
Copyright (C) yyyy name of author the conditions stated herein. The “Document”, below, refers to any such manual or work. Any
member of the public is a licensee, and is addressed as “you”. You accept the license if you
This program is free software; you can redistribute it and/or copy, modify or distribute the work in a way requiring permission under copyright law.
modify it under the terms of the GNU General Public License
A “Modified Version” of the Document means any work containing the Document or a portion
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version. of it, either copied verbatim, or with modifications and/or translated into another language.
A “Secondary Section” is a named appendix or a front-matter section of the Document that
This program is distributed in the hope that it will be useful, deals exclusively with the relationship of the publishers or authors of the Document to the
but WITHOUT ANY WARRANTY; without even the implied warranty of
Document’s overall subject (or to related matters) and contains nothing that could fall directly
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a
Secondary Section may not explain any mathematics.) The relationship could be a matter
You should have received a copy of the GNU General Public License of historical connection with the subject or with related matters, or of legal, commercial,
along with this program; if not, write to the Free Software philosophical, ethical or political position regarding them.
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
The “Invariant Sections” are certain Secondary Sections whose titles are designated, as being
Also add information on how to contact you by electronic and paper mail. those of Invariant Sections, in the notice that says that the Document is released under this
License. If a section does not t the above definition of Secondary then it is not allowed to be
If the program is interactive, make it output a short notice like this when it starts in an in-
designated as Invariant. The Document may contain zero Invariant Sections. If the Document
teractive mode:
does not identify any Invariant Sections then there are none.
Gnomovision version 69, Copyright (C) year name of author The “Cover Texts” are certain short passages of text that are listed, as Front-Cover Texts or
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details
Back-Cover Texts, in the notice that says that the Document is released under this License. A
type `show w’. This is free software, and you are welcome
to redistribute it under certain conditions; type `show c’
Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words.
for details. A “Transparent” copy of the Document means a machine-readable copy, represented in a for-
mat whose specification is available to the general public, that is suitable for revising the doc-
The hypothetical commands `show w’ and `show c’ should show the appropriate parts of the
ument straightforwardly with generic text editors or (for images composed of pixels) generic
General Public License. Of course, the commands you use may be called something other than
paint programs or (for drawings) some widely available drawing editor, and that is suitable
`show w’ and `show c’; they could even be mouse-clicks or menu items--whatever suits your
for input to text formatters or for automatic translation to a variety of formats suitable for
program.
input to text formatters. A copy made in an otherwise Transparent le format whose markup,
You should also get your employer (if you work as a programmer) or your school, if any, to or absence of markup, has been arranged to thwart or discourage subsequent modification
sign a “copyright disclaimer” for the program, if necessary. Here is a sample; alter the names: by readers is not Transparent. An image format is not Transparent if used for any substantial
amount of text. A copy that is not “Transparent” is called “Opaque”.
Yoyodyne, Inc., hereby disclaims all copyright
290
Examples of suitable formats for Transparent copies include plain ASCII without markup, Tex-
MODIFICATIONS
info input format, LaTeX input format, SGML or XML using a publicly available DTD, and stan-
dard-conforming simple HTML, PostScript or PDF designed for human modification. Examples You may copy and distribute a Modified Version of the Document under the conditions of
of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary sections 2 and 3 above, provided that you release the Modified Version under precisely this
formats that can be read and edited only by proprietary word processors, SGML or XML for License, with the Modified Version filling the role of the Document, thus licensing distribution
which the DTD and/or processing tools are not generally available, and the machine-generat- and modification of the Modified Version to whoever possesses a copy of it. In addition, you
ed HTML, PostScript or PDF produced by some word processors for output purposes only. must do these things in the Modified Version:
The “Title Page” means, for a printed book, the title page itself, plus such following pages
as are needed to hold, legibly, the material this License requires to appear in the title page.
A. Use in the Title Page (and on the covers, if any) a title distinct from that of the Document,
For works in formats which do not have any title page as such, “Title Page” means the text
near the most prominent appearance of the work’s title, preceding the beginning of the body
and from those of previous versions (which should, if there were any, be listed in the History
of the text.
A section “Entitled XYZ” means a named subunit of the Document whose title either is precise- section of the Document). You may use the same title as a previous version if the original
ly XYZ or contains XYZ in parentheses following text that translates XYZ in another language.
(Here XYZ stands for a specific section name mentioned below, such as “Acknowledgements”, publisher of that version gives permission.
“Dedications”, “Endorsements”, or “History”.) To “Preserve the Title” of such a section when
you modify the Document means that it remains a section “Entitled XYZ” according to this
definition. B. List on the Title Page, as authors, one or more persons or entities responsible for authorship
The Document may include Warranty Disclaimers next to the notice which states that this
License applies to the Document. These Warranty Disclaimers are considered to be included of the modifications in the Modified Version, together with at least ve of the principal authors
by reference in this License, but only as regards disclaiming warranties: any other implication
that these Warranty Disclaimers may have is void and has no effect on the meaning of this of the Document (all of its principal authors, if it has fewer than ve), unless they release
License.
you from this requirement.
VERBATIM COPYING
C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
You may copy and distribute the Document in any medium, either commercially or noncom-
mercially, provided that this License, the copyright notices, and the license notice saying this
License applies to the Document are reproduced in all copies, and that you add no other con- D. Preserve all the copyright notices of the Document.
ditions whatsoever to those of this License. You may not use technical measures to obstruct
or control the reading or further copying of the copies you make or distribute. However, you
may accept compensation in exchange for copies. If you distribute a large enough number of E. Add an appropriate copyright notice for your modifications adjacent to the other copyright
copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may publicly notices.
display copies.
F. Include, immediately after the copyright notices, a license notice giving the public permis-
COPYING IN QUANTITY
sion to use the Modified Version under the terms of this License, in the form shown in the
If you publish printed copies (or copies in media that commonly have printed covers) of the
Document, numbering more than 100, and the Document’s license notice requires Cover Texts, Addendum below.
you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers
must also clearly and legibly identify you as the publisher of these copies. The front cover G. Preserve in that license notice the full lists of Invariant Sections and required Cover Texts
must present the full title with all words of the title equally prominent and visible. You may
add other material on the covers in addition. Copying with changes limited to the covers, as given in the Document’s license notice.
long as they preserve the title of the Document and satisfy these conditions, can be treated
as verbatim copying in other respects.
H. Include an unaltered copy of this License.
If the required texts for either cover are too voluminous to t legibly, you should put the
rst ones listed (as many as t reasonably) on the actual cover, and continue the rest onto
adjacent pages.
I. Preserve the section Entitled “History”, Preserve its Title, and add to it an item stating at
If you publish or distribute Opaque copies of the Document numbering more than 100, you
must either include a machine-readable Transparent copy along with each Opaque copy, or least the title, year, new authors, and publisher of the Modified Version as given on the Title
state in or with each Opaque copy a computer-network location from which the general net-
work-using public has access to download using public-standard network protocols a complete Page. If there is no section Entitled “History” in the Document, create one stating the title,
Transparent copy of the Document, free of added material. If you use the latter option, you
must take reasonably prudent steps, when you begin distribution of Opaque copies in quanti- year, authors, and publisher of the Document as given on its Title Page, then add an item
ty, to ensure that this Transparent copy will remain thus accessible at the stated location until
at least one year after the last time you distribute an Opaque copy (directly or through your describing the Modified Version as stated in the previous sentence.
agents or retailers) of that edition to the public.
It is requested, but not required, that you contact the authors of the Document well before
redistributing any large number of copies, to give them a chance to provide you with an J. Preserve the network location, if any, given in the Document for public access to a Trans-
updated version of the Document.
parent copy of the Document, and likewise the network locations given in the Document for
previous versions it was based on. These may be placed in the “History” section. You may
omit a network location for a work that was published at least four years before the Document
291
K. For any section Entitled “Acknowledgements” or “Dedications”, Preserve the Title of the AGGREGATION WITH INDEPENDENT WORKS
section, and preserve in the section all the substance and tone of each of the contributor A compilation of the Document or its derivatives with other separate and independent docu-
ments or works, in or on a volume of a storage or distribution medium, is called an “aggre-
acknowledgements and/or dedications given therein. gate” if the copyright resulting from the compilation is not used to limit the legal rights of the
compilation’s users beyond what the individual works permit. When the Document is included
in an aggregate, this License does not apply to the other works in the aggregate which are not
L. Preserve all the Invariant Sections of the Document, unaltered in their text and in their themselves derivative works of the Document.
If the Cover Text requirement of section 3 is applicable to these copies of the Document, then
titles. Section numbers or the equivalent are not considered part of the section titles. if the Document is less than one half of the entire aggregate, the Document’s Cover Texts
may be placed on covers that bracket the Document within the aggregate, or the electronic
equivalent of covers if the Document is in electronic form. Otherwise they must appear on
M. Delete any section Entitled “Endorsements”. Such a section may not be included in the
printed covers that bracket the whole aggregate.
Modified Version.
TRANSLATION
N. Do not retitle any existing section to be Entitled “Endorsements” or to conflict in title with Translation is considered a kind of modification, so you may distribute translations of the
Document under the terms of section 4. Replacing Invariant Sections with translations requires
any Invariant Section. special permission from their copyright holders, but you may include translations of some
or all Invariant Sections in addition to the original versions of these Invariant Sections. You
may include a translation of this License, and all the license notices in the Document, and
O. Preserve any Warranty Disclaimers. any Warranty Disclaimers, provided that you also include the original English version of this
License and the original versions of those notices and disclaimers. In case of a disagreement
If the Modified Version includes new front-matter sections or appendices that qualify as Se-
between the translation and the original version of this License or a notice or disclaimer, the
condary Sections and contain no material copied from the Document, you may at your option
original version will prevail.
designate some or all of these sections as invariant. To do this, add their titles to the list of
Invariant Sections in the Modified Version’s license notice. These titles must be distinct from If a section in the Document is Entitled “Acknowledgements”, “Dedications”, or “History”,
any other section titles. the requirement (section 4) to Preserve its Title (section 1) will typically require changing
the actual title.
You may add a section Entitled “Endorsements”, provided it contains nothing but endorse-
ments of your Modified Version by various parties--for example, statements of peer review
or that the text has been approved by an organization as the authoritative definition of a TERMINATION
standard.
You may add a passage of up to ve words as a Front-Cover Text, and a passage of up to 25 You may not copy, modify, sublicense, or distribute the Document except as expressly pro-
words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only vided for under this License. Any other attempt to copy, modify, sublicense or distribute the
one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through Document is void, and will automatically terminate your rights under this License. However,
arrangements made by) any one entity. If the Document already includes a cover text for the parties who have received copies, or rights, from you under this License will not have their
same cover, previously added by you or by arrangement made by the same entity you are licenses terminated so long as such parties remain in full compliance.
acting on behalf of, you may not add another; but you may replace the old one, on explicit
permission from the previous publisher that added the old one. FUTURE REVISIONS OF THIS LICENSE
The author(s) and publisher(s) of the Document do not by this License give permission to use
their names for publicity for or to assert or imply endorsement of any Modified Version. The Free Software Foundation may publish new, revised versions of the GNU Free Documen-
tation License from time to time. Such new versions will be similar in spirit to the present ver-
sion, but may differ in detail to address new problems or concerns. See http://www.gnu.org/
COMBINING DOCUMENTS copyleft/.
You may combine the Document with other documents released under this License, under Each version of the License is given a distinguishing version number. If the Document specifies
the terms defined in section 4 above for modified versions, provided that you include in the that a particular numbered version of this License “or any later version” applies to it, you
combination all of the Invariant Sections of all of the original documents, unmodified, and have the option of following the terms and conditions either of that specified version or of
list them all as Invariant Sections of your combined work in its license notice, and that you any later version that has been published (not as a draft) by the Free Software Foundation. If
preserve all their Warranty Disclaimers. the Document does not specify a version number of this License, you may choose any version
ever published (not as a draft) by the Free Software Foundation.
The combined work need only contain one copy of this License, and multiple identical Invari-
ant Sections may be replaced with a single copy. If there are multiple Invariant Sections with
the same name but different contents, make the title of each such section unique by adding ADDENDUM: How to use this License for your documents
at the end of it, in parentheses, the name of the original author or publisher of that section if
known, or else a unique number. Make the same adjustment to the section titles in the list of To use this License in a document you have written, include a copy of the License in the
Invariant Sections in the license notice of the combined work. document and put the following copyright and license notices just after the title page:
In the combination, you must combine any sections Entitled “History” in the various original
Copyright (c) YEAR YOUR NAME.
documents, forming one section Entitled “History”; likewise combine any sections Entitled Permission is granted to copy, distribute and/or modify this document
“Acknowledgements”, and any sections Entitled “Dedications”. You must delete all sections under the terms of the GNU Free Documentation License, Version 1.2
Entitled “Endorsements”. or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled “GNU
If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the
You may make a collection consisting of the Document and other documents released under
“with...Texts.” line with this:
this License, and replace the individual copies of this License in the various documents with a
single copy that is included in the collection, provided that you follow the rules of this License with the Invariant Sections being LIST THEIR TITLES, with the
for verbatim copying of each of the documents in all other respects. Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
You may extract a single document from such a collection, and distribute it individually under If you have Invariant Sections without Cover Texts, or some other combination of the three,
this License, provided you insert a copy of this License into the extracted document, and follow merge those two alternatives to suit the situation.
this License in all other respects regarding verbatim copying of that document.
If your document contains nontrivial examples of program code, we recommend releasing
these examples in parallel under your choice of free software license, such as the GNU General
Public License, to permit their use in free software.
292