All images are now also available on github's new container registry.
Refer to that as default, both in kas-docker as well as in the user
manual. The latter can benefit from some refreshment at this chance.
Automatic deployment via CI will be switched separately.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This is a bit tricky because the only posix shell compliant way is to
use the positional parameters list. However, that is already in use for
collecting docker arguments. But we can do the following:
Keep the extra args from the kas-docker command line in the list after
having parsed and removed all other kas-docker args. Save the number of
arguments we keep this way, then append the usual container engine args.
Before calling the engine, rotate the extra args from the front of the
positional parameters list to the back.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
When trying to run kas-docker with --isar on podman the build fails
with some "exec format" errors when the target has a different
architecture than the host. The reason is that /proc/sys/fs/binfmt_misc
is not mounted as expected inside the container.
The way the /proc filesystem is mounted seems to differ between podman
and docker. See [1] for the podman issue tracker. This is a temporary
fix and should be removed when the upstream issue was resolved.
[1] https://github.com/containers/podman/issues/4725
Signed-off-by: Florian Bezdeka <florian@bezdeka.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The --permissive and --cap-add options are conflicting for podman.
--permissive tells podman to enable all capabilities so additional
--cap-add options are not allowed / supported.
Signed-off-by: Florian Bezdeka <florian@bezdeka.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The following flags were added:
--userns=keep-id:
By default podman maps the user that is executing the podman run
command into the container as root user. That is not what the kas
entrypoint inside the container expects. Using keep-id tells podman
to use the expected 1:1 mapping. The entrypoint is able to create
the build user as expected.
--security-opt label=disable:
This is for SELinux enabled systems only. When running on SELinux
enabled systems the volumes assigned to the container would not be
accessible at all. The alternative to disable the labeling would
be passing the "z" or "Z" flag to all volumes (-v) which may be
even more dangerous.
Signed-off-by: Florian Bezdeka <florian@bezdeka.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
kas-docker uses sh shell, which doesnot support pattern substitution
like bash. Replace Bash like pattern substitution with sed.
Signed-off-by: Vijai Kumar K <Vijaikumar_Kanagarajan@mentor.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
On many modern Linux systems, docker no longer works because they only
have cgroups v2 support. To use kas in a container on these systems,
one can resort to using podman. Add support for this alternative docker
engine to kas-docker.
Now, kas-docker searches for the first available engine in "docker,
podman" or, if the KAS_DOCKER_ENGINE environment variable is set, will
force the specified engine.
Signed-off-by: Harald Seiler <hws@denx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
In case SHELL is `/usr/bin/bash`, `/usr/bin/zsh` or something else that
is not available in the kas docker container, fall back to `/bin/bash`.
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This used to be required in older Isar versions (prio to commit
8b8a339cfaa4) for one configuration. It may still be required by
downstream layers, though it can be avoided. To overcome this
potential need to enter the host's root password without breaking those
cases, keep the feature but make it explicit (--with-loop-dev option).
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
While this works from kas perspective, some build recipes will no like
to be run with ID 0 and may either fail loudly or subtly. Better warn
when a user applies sudo on kas-docker or otherwise runs it from a root
shell.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The `--aws-dir` parameter for the kas-docker script allows to specify a
AWScli config directory which will then be mounted to `/etc/skel/.aws`
and copied by kas into the internal home directory using the `AWS_*`
environment variables.
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Resolves "SC2145: Argument mixes string and array". Harmless here, but
the result looks nicer anyway.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This requires consistent quoting of related variables. Furthermore, the
eval in trace() has to be removed, and along with it the additional
single-tick quotes of some parameters.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This will allow passing of all docker arguments in a properly quoted
way. More of them will need that in order to support paths with spaces.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The SHELL variable we pass can neither contain spaces nor newlines - we
check for supported values. Simplify the related assignment.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This aligns us with bitbake. Moreover, -c/--cmd is easier to tell apart
from --target. Keep --task for backward compatibility.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
By default, we pull latest when running kas-docker. That may not be
desired in all cases, e.g. testing different image revisions or nailing
down those used in a build. Allow to override the default via the
environment variable KAS_IMAGE_VERSION.
For now, we stick with the default "latest", but we may also hard-code
the last release here at some later point.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Other values will cause the container to fail because the shell binary
is missing. This avoids non-obvious failures when the host SHELL is
configured differently.
Reported-by: Phillipp von Rotenhan <phillipp.von_rotenhan.ext@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Allow kas-docker to use proxy configuration of docker client instead of
inheriting proxy configuration from the current environment.
Signed-off-by: Hosgor, Tolga (CT RDA DS EU TR MTS) <tolga.hosgor@siemens.com>
Signed-off-by: Daniel Wagner <daniel.wagner@siemens.com>
Analogously to bitbake's PREMIRRORS, this allows to define alternative
sources for repo URLs specified in kas files.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Daniel Wagner <daniel.wagner@siemens.com>
We need to double-quote the content of the variables in order to
preserve newlines.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Daniel Wagner <daniel.wagner@siemens.com>
Required to control oe-git-proxy exceptions.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Signed-off-by: Daniel Wagner <daniel.wagner@siemens.com>
Ensure that all file elements of the kas file parameter are properly
canonicalized and mapped onto the container volume. This is important
when kas-docker is called using relative paths while PWD is not the
repository root.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This is complex, not just because we are passing the arguments to the
trace function, but already because they need to be protected in their
structure when unrolling them at the top level. The trick seems to be
using the argument list via set and "$@" to preserve the individual
words. Due to the trace indirection, we additionally need the single
quotes around the variable values.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This commit enables passing the Docker container a directory containing
SSH configuration and optionally SSH identities and list of known SSH
hosts. Basically what you might expect to find in the ~/.ssh directory
of the container.
Signed-off-by: Silvano Cirujano Cuesta <silvano.cirujano-cuesta@siemens.com>
Suggested-by: Henning Schild <henning.schild@siemens.com>
I understood the message:
Setting up loop device requires root privileges
as suggestion that I should start this script as root and hit
^C before `sudo` could prompt for my password.
This patch removes that line and adds a sudo prompt to elaborate on why
root permissions are needed and what is done with them. It also adds a
check if this was unsuccessful and suggests to the user to do it
themselves. This will also be shown if sudo is not installed.
Signed-off-by: Claudius Heine <ch@denx.de>
This ensures that both UID and GID of the builder user inside the
container is aligned with the caller of kas-docker - or that of "docker
run" when "-e GROUP_ID=..." is specified.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
The usage of 'echo -e' for printing the usage message is not POSIX
conform and is not being supported in the default shell of Debian
(dash).
As the 'Rationale' of the POSIX 'printf' documentation states, it was
created "due to irreconcilable differences in the various versions of
echo extant" and it should provide better compatibility throughout
different shells.
Signed-off-by: Silvano Cirujano Cuesta <silvano.cirujano-cuesta@siemens.com>
This shall help to standardize the way how to run kas inside a docker
container on a kas file that is locally available. The pattern is
- checkout repo with kas file(s)
- go to directory where the build output should go into
- call "kas-docker build /path/to/kas.yml"
As building Isar images both require a specific docker image (that
could be changed, though) as well as additional privileges (that needs
to be changed in Isar one day), the option "--isar" selects that mode.
And because the output of an Isar build generally contains root-owned
files, the clean command is added which use docker privileges to clean
the build folder, avoiding a "sudo".
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
