Tools like wget and git can read credentials from $HOME/.netrc for
servers that require authentication. Allow users to pass in a .netrc
file into the kas home dir to support i.e. bitbake https fetching with
auth.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
[Jan: style fix in command-line.rst]
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Starting with podman 4.1 the --userns=keep-id flag is no longer ignored
for privileged containers leading to an error when trying to start up
such a container (in our case: for ISAR builds):
Error: keep-id is only supported in rootless mode
To address that we have to move the --userns=keep-id part to a non-ISAR
specific path.
Reported-by: Wadim Klincov <wadim@klincov.com>
Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The option mounts the SSH_AUTH_SOCK ssh agent socket, and sets the
environment variable in the container.
Signed-off-by: Anders Montonen <Anders.Montonen@iki.fi>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
When doing interactive development via kas shell it is often desirable
to keep the user's customized configuration. The new --preserve-env
argument has been added to support this scenario via an opt in flag.
This flag is blocked when not running from a TTY or via kas-container
and kas issues a warning to the user about potential unintended side
effects when invoked.
Signed-off-by: Ryan Fairfax <rfairfax@linux.microsoft.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
If used in a podman environment, it's important to pass the http proxy
information down through sudo. This does not happen by default. We also
want to pass the entire environment down to avoid missing any other
environment variable.
Signed-off-by: Tobias Schmidl <tobiasschmidl@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Upcoming support of sbuild in Isar requires some additional tools
to be preinstalled.
Also, `builder` user should be in `sbuild` group.
Additionally, to use external volume for schroot overlay because
the 'upper' overlayfs layer of sbuild can't be based on another
overlayfs filesystem that happens in case of using Docker.
Signed-off-by: Uladzimir Bely <ubely@ilbers.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
If both --isar is provide and build_system is set, enable_isar_mode will
be called twice that leads to KAS_CONTAINER_COMMAND gaining two "sudo" -
harmless but unneeded.
Reported-by: Florian Bezdeka <florian.bezdeka@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
To complete the set of clean tasks that OE and Isar offer, add
cleansstate to purge SSTATE_DIR and cleanall also delete DL_DIR.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This helps reaping zombies if processes do not perform proper cleanups.
Known to stumble is bazel so far, see
https://github.com/bazelbuild/bazel/issues/13823. But as the overhead of
an init service is negligible and problems around this are hard to
debug, we better add this option by default.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
We were using the host PID namespace as workaround for problems related
to binfmt and its missing namespace support. As it turns out after
running a bunch of tests this is no longer necessary.
This patch "reverts" 6b025e4910 ("kas-docker: Podman: Fixing isar builds
failing with exec format errors").
Test matrix:
kas layer podman 3.4.4 podman 3.0.1 podman 3.4.4
on Fedora 35 on Debian 11 on Debian 11
(podman from testing)
xenomai-images
ISAR_CROSS_COMPILE = 1 OK OK OK
ISAR_CROSS_COMPILE = 0 OK OK OK
iot-2000 OK FAIL [1] FAIL [1]
[1] The iot-2000 layer is not ISAR based, so we do not run in privileged
mode for such builds which seems to make a difference when using the
--userns=keep-id argument. As it works on Fedora and the error message
indicates "creating of systemd unit failed" it might by systemd related.
podman run --rm -t -i --userns=keep-id debian:buster-slim
Fedora: OK
Debian: Fail
Error: OCI runtime error: error creating systemd unit
`libpod-<snip>.scope`: got `failed`
Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Check if KAS_REPO_REF_DIR exists to avoid an error during
the execution of readlink.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
If KAS_WORK_DIR is set in the executing shell
and does not exists kas-container fails silently
during readlink -f on KAS_BUILD_DIR if the default
"${KAS_WORK_DIR}/build" is used.
Create KAS_WORK_DIR to ensure the subsequent
code execution.
This can be tested by setting KAS_WORK_DIR, e.g.
```
KAS_WORK_DIR="$(pwd)/kas_work" kas-container ...
```
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
For this script, this is almost straightforward - except that we need to
extract the static KAS_BUILD_SYSTEM config setting from the selected
Kconfig file so that the correct container image and mode is chosen.
Two new dependencies need to be added to the container image. While
python3-newt can come from Debian, kconfiglib only exists as Python
package. To make sure we are not pulling any other packages via pip,
install kconfiglib upfront. It has no own dependencies, thus can use
--no-deps as well.
Finally, the container-entrypoint needs to be updated to make it aware
of the new plugin.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Make the configuration file on the command line optional and fall back
to trying to open the generated .config.yaml instead. This allows the
sequence
kas menu -> save & exit
kas build
kas shell
kas ...
and also makes rebuilding the self-configured image simpler.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Set KAS_WORK_DIR instead. This will be needed for running build/shell
with the implicit kas configuration file .config.yaml.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Since dabda7617f, all elements of KAS_FILES are already absolute.
Therefore, a single replacement rule is sufficient to translate them to
paths for the container.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
kas-container support for KAS_REPO_REF_DIR was broken. The path provided
by the env variable was the path on the local machine, not in the
container.
Signed-off-by: Rotem Bar <rotemb@hailo.ai>
[Jan: massaged commit log]
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This options allows to specify a git credential store file, which is
then mounted into the container and used by kas as a
git-credential-helper.
Signed-off-by: Claudius Heine <ch@denx.de>
[Jan: remove debug echo]
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
There are situation that the user have a local customized container images
with tools installed that are not provided in the default kas container.
- For a local container the user can tag it and use the existing variables:
docker tag local-container my/container:1.0
export KAS_CONTAINER_IMAGE_PATH=my
export KAS_CONTAINER_IMAGE_NAME=container
export KAS_IMAGE_VERSION=1.0
- This patch improve the user interface by allowing to set a custom image
with just a single environment variable.
export KAS_CONTAINER_IMAGE=local-container
Signed-off-by: Jose Quaresma <quaresma.jose@gmail.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
There are some bitbake commands like `recipetool` that allows to easily
create new or append to existing recipes. This of course only works if
the main repository that is worked with is writeable.
However it is mounted into the container only as read-only.
This patch mounts the repository writeable when the `shell` command is use
and read-only in case of the `build` command.
It also adds `--repo-ro` and `--repo-rw` to allow overwriting the
default behaviour.
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Perform link resolution unconditionally to account for cases when the
default paths are links. Use default values to simplify the assignments.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This variable can override default build path `${KAS_WORK_DIR}/build`.
Signed-off-by: Peter Hatina <peter@hatina.eu>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This script is deployed in many copies, give people a way to identify
which one they have cached/installed.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
[Jan: simplify and use basename for the program]
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
There is one actual change where code gets touched, the rest are just
comments to satisfy shellcheck.
All the lines with the ignores should be reviewed later, there might be
problems behind the findings.
Signed-off-by: Henning Schild <henning.schild@siemens.com>
[Jan: add one more SC2086 suppression]
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Yet another special dance needed to preserve argument boundaries while
moving them around: This trick enables
kas-container shell kas.yml --command "echo it works."
by keeping the command argument separate and injecting it via
appropriate quoting into the argument array.
Closes: #42
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This allows to pre-select the build system, specifically avoiding
confusion when kas-container is accidentally not called with --isar for
an isar config. For that, build_system needs to be defined in the
lop-level config file passed to kas-container.
Theoretically, this also allows to combine layers which have both
oe-init-build-env and isar-init-build-env scripts.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Currently kas-container did not allow to set the `-d` parameter of kas,
this patch changes that and allows to set it via the `-d` or `-v`
parameter of kas-container.
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
kas itself has a `-d` parameter that allows to print debug information,
while kas-container has the `-v` parameter. Since the `-d` parameter of
kas was first, rename the `-v` parameter of kas-container to fit kas.
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The current default causes spurious pulls even when the image is already
locally available, at least with podman 2.0.x. Looking through podman
how-tos, none mentions that this prefix is required, and the
image_default_transport in containers.con is generally "docker://". So
it's safe to drop it for better default behavior.
If a custom local setup deviate, users can still override
KAS_CONTAINER_IMAGE_PATH, prepending what is desired.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This patch introduces new and improved ways to overwrite kas-container
variables that specify which image should be used.
`KAS_CONTAINER_IMAGE_PREFIX`: can be used to overwrite image sources.
For instance if podman is used, the default value `docker://` is used as
a prefix. But it still allows to overwrite it, by setting a custom
variable.
`KAS_CONTAINER_IMAGE_PATH`: can be used to customize the image source
path.
`KAS_CONTAINER_IMAGE_NAME`: can be set to change the container image
name. For instance if `--isar` is used, the default value is
`kas-isar`, as with `KAS_CONTAINER_IMAGE_PREFIX` this default value can
still be overwritten by setting a custom value.
And last `KAS_IMAGE_VERSION`: It was possible to overwrite this value
before this patch and its still possible. The default value is the
current release version. Setting it for instance to `latest`, would
allow to used the most recent version of the image.
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Some variables used by the `kas-container` script have rather generic
terms, that might be used in bitbake recipes. This change prefixes all
variables with `KAS_` to avoid those possible variable name conflicts.
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>