From 1688d60177c409108173dd2c8f31a126eb519312 Mon Sep 17 00:00:00 2001 From: Florian Bezdeka Date: Tue, 14 Jul 2020 18:20:31 +0200 Subject: [PATCH] kas-docker: Podman: Update podman flags to make non-isar builds working The following flags were added: --userns=keep-id: By default podman maps the user that is executing the podman run command into the container as root user. That is not what the kas entrypoint inside the container expects. Using keep-id tells podman to use the expected 1:1 mapping. The entrypoint is able to create the build user as expected. --security-opt label=disable: This is for SELinux enabled systems only. When running on SELinux enabled systems the volumes assigned to the container would not be accessible at all. The alternative to disable the labeling would be passing the "z" or "Z" flag to all volumes (-v) which may be even more dangerous. Signed-off-by: Florian Bezdeka Signed-off-by: Jan Kiszka --- kas-docker | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kas-docker b/kas-docker index 773273f..0d2913e 100755 --- a/kas-docker +++ b/kas-docker @@ -93,6 +93,7 @@ docker) podman) DOCKER_COMMAND="podman" DOCKER_IMAGE="docker://${DOCKER_IMAGE}" + ENGINE_ARGS="--userns=keep-id --security-opt label=disable" ;; *) echo "$0: unknown docker engine '${KAS_DOCKER_ENGINE}'" >&2 @@ -136,7 +137,7 @@ while [ $# -gt 0 ]; do ;; --docker-args) [ $# -gt 0 ] || usage - USER_ARGS=$2 + ENGINE_ARGS="${ENGINE_ARGS} $2" shift 2 ;; --ssh-dir) @@ -317,6 +318,6 @@ if [ -z "${NO_PROXY_FROM_ENV+x}" ]; then done fi -trace ${DOCKER_COMMAND} run "$@" ${ISAR_ARGS} ${WITH_LOOP_DEV} ${USER_ARGS} \ +trace ${DOCKER_COMMAND} run "$@" ${ISAR_ARGS} ${WITH_LOOP_DEV} ${ENGINE_ARGS} \ ${DOCKER_IMAGE} ${CMD} ${KAS_OPTIONS} ${KAS_FILES} \ ${KAS_EXTRA_BITBAKE_ARGS}
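Review bot: In the first hunk (the podman) branch of the engine case) ENGINE_ARGS is assigned only for podman, so for KAS_DOCKER_ENGINE=docker the variable stays unset until a --docker-args option is seen and the final run line then expands an unset name; initialise it before the case (ENGINE_ARGS="") so the docker path never depends on an unset variable (this aborts under set -u) and so the later ENGINE_ARGS="${ENGINE_ARGS} $2" append has a defined starting value. The default --security-opt label=disable also deserves a comment in the script itself: it switches off SELinux confinement for the whole container process, which is broader than the per-volume :z/:Z relabeling the commit message compares it to, and it is passed unconditionally rather than only on SELinux-enabled hosts; a short comment next to the assignment saying why the volumes are otherwise inaccessible would keep that rationale from living only in the git history.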
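Review bot: In the --docker-args hunk the replacement of USER_ARGS=$2 by ENGINE_ARGS="${ENGINE_ARGS} $2" changes the semantics of repeated --docker-args options from "last one wins" to "all are accumulated", and it also means user-supplied arguments are always placed after the engine defaults (so a user passing their own --userns or --security-opt option on podman ends up with a duplicate option whose precedence depends on the engine). Neither effect is mentioned in the commit message or usage text; either document the accumulate-and-append behaviour, or keep an explicit USER_ARGS and concatenate it on the run line so the two sources of arguments stay distinguishable.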
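Review bot: In the final hunk the run line relies on the unquoted ${ENGINE_ARGS} expansion being word-split so that the default "--userns=keep-id --security-opt label=disable" string becomes separate arguments; this is the same mechanism the old ${USER_ARGS} used, but it means a --docker-args value containing whitespace inside one argument (for example a quoted -v path with a space) cannot be passed intact, and an unintended glob character in the value would be expanded by the shell. Since the variable is being reworked anyway, state in the --docker-args usage text that the value is split on whitespace, or build the argument list with set -- so that each option is preserved as one word.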