Build Parameters

Environment vs User Parameters

atomic-reactor requires various parameters to build container images. These range from the Koji Hub URL to git commit. We can categorize them into environment and user parameters. The main difference between them is how they are reused. Environment parameters are shared by different build requests, while user parameters are unique to each build request.

Environment parameters are used for configuring usage of external services such as Koji, ODCS, SMTP, etc. They are also used for controlling some aspects of the container images built, for example, distribution scope, vendor, authoritative-registry, etc.

User parameters contain the unique information for a user’s build request: git repository, git branch, Koji target, etc. These should be reused for autorebuilds and are not affected by environment changes.

Reactor Configuration

As of Arrangement 6, environment configuration is provided to build containers in a way that is less coupled to the Build/BuildConfig objects. The pre-build plugin reactor_config determines and provides all environment configuration to other plugins.

Previously, the value of reactor_config was mounted into container as a secret. With Arrangement 6 it is supplied as a ConfigMap like:

apiVersion: v1
kind: ConfigMap
    "config.yaml": <encoded yaml>

For an orchestrator build, the ConfigMap is mapped via the downward API into the REACTOR_CONFIG environment variable in a build container. When the BuildConfig is instantiated, OpenShift selects the ConfigMap with name given in reactor-config-map, retrieves the contents of the key config.yaml, and sets it as the value of the REACTOR_CONFIG environment variable in the build container.

For worker builds, the REACTOR_CONFIG environment variable is defined as an inline value (via the reactor_config_override build parameter in osbs-client). To populate this parameter, the orchestrate_build plugin uses the reactor_config plugin to read the reactor configuration for the orchestrator build, using it as the basis of the reactor configuration for worker builds with the following modifications:

  • openshift section is replaced with worker specific values. These values can be read from the osbs-client Configuration object created for each worker cluster.
  • worker_token_secrets is completely removed. This section is intended for orchestrator builds only.

The schema definition config.json in atomic-reactor contains a description for each property.


version: 1

    - name: x86_64-worker-1
      max_concurrent_builds: 15
      enabled: True
    - name: x86_64-worker-2
      max_concurrent_builds: 6
      enabled: True

        ssl_certs_dir: /var/run/secrets/atomic-reactor/kojisecret
    use_fast_upload: false

        ssl_certs_dir: /var/run/secrets/atomic-reactor/odcssecret
    - keys: ['R123', 'R234']
      name: release
    - keys: ['B123', 'B234', 'R123', 'R234']
      name: beta
    - keys: []
      name: unsigned
    default_signing_intent: release

    send_to_submitter: True
    send_to_pkg_owner: True

arrangement_version: 6


    vendor: "Spam, Inc."
    distribution-scope: public

- [description, io.k8s.description]

        enable: True
    build_json_dir: /usr/share/osbs/

group_manifests: False

- platform: x86_64
  architecture: amd64

- v2

# Output registries (built images are pushed here)
- url:
    cfg_path: /var/run/secrets/atomic-reactor/v2-registry-dockercfg

# Default source registry (base images are pulled from here)

# Additional source registries
- url:
    cfg_path: /var/run/secrets/atomic-reactor/registries-secret

sources_command: "fedpkg sources"

- kojisecret
- odcssecret
- v2-registry-dockercfg
- client-config-secret

- x86-64-worker-1
- x86-64-worker-2

skip_koji_check_for_base_image: False

- name: HTTP_PROXY
  value: ""
  value: ""
- name: NO_PROXY
  value: localhost,

Atomic Reactor Plugins and Arrangement Version 6

Prior to Arrangement 6, atomic-reactor plugins received environment parameters as their own plugin parameters. Arrangement 6 was introduced to indicate that plugins should retrieve environment parameters from reactor_config instead. Plugin parameters that are really environment parameters have been made optional.

The osbs-client configuration reactor_config_map defines the name of the ConfigMap object holding reactor_config. This configuration option is mandatory for arrangement versions greater than or equal to 6. Previous osbs-client configuration reactor_config_secret is deprecated.

An osbs-client build parameter reactor_config_override allows reactor configuration to be passed in as a python dict. It is also validated against config.json schema. When both reactor_config_map and reactor_config_override are defined, reactor_config_override takes precedence. NOTE: reactor_config_override is a python dict, not a string of serialized data.

Creating Builds

osbs-client no longer renders the atomic-reactor plugin configuration at Build creation. Instead, the USER_PARAMS environment variable is set on the Build containing only user parameters as JSON. For example:

    "build_type": "orchestrator",
    "git_branch": "my-git-branch",
    "git_ref": "abc12",
    "git_uri": "git://",
    "is_auto": False,
    "isolated": False,
    "koji_task_id": "123456",
    "platforms": ["x86_64"],
    "scratch": False,
    "target": "my-koji-target",
    "user": "lcarva",
    "yum_repourls": ["", ""],

Rendering Plugins

Once the build is started, control is handed over to atomic-reactor. Its input plugin osv3 looks for the environment variable USER_PARAMS and uses the osbs-client method render_plugins_configuration to generate the plugin configuration on the fly. The generated plugin configuration contains the order in which plugins will run as well as user parameters.


Because the plugin configuration renders at build time (after Build object is created), we cannot select which secrets to mount in container build based on which plugins have been enabled. Instead, all the secrets that may be needed must be mounted. The reactor_config ConfigMap defines the full set of secrets it needs via its required_secrets list.

When orchestrator build starts worker builds, it uses the same set of secrets. This requires worker clusters to have the same set of secrets available. For example, if reactor_config defines:

- kojisecret

A secret named kojisecret must be available in orchestrator and worker clusters. The worker and orchestrator versions don’t need to have the same value. For instance, worker and orchestrator builds may use different authentication certificates.

Secrets needed for communication from orchestrator build to worker clusters are defined separately in worker_token_secrets. These are not passed along to worker builds.

Site Customization

The site customization configuration file is no longer read from the system creating the OpenShift Build (usually koji builder). Instead, this customization file must be stored and read from inside the builder image.