13 Commits

Author SHA1 Message Date
Richard Weinberger
6df962506a container-entrypoint: Switch to POSIX shell
kas-container is carefully written to be POSIX shell compliant.
Let's do the same with container-entrypoint to be consistent.
While we're here, remove the only bashism used in container-entrypoint.

Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2023-04-20 22:01:31 +02:00
Felix Moessbauer
06fad464b5 kas-container: mount host paths below /var/kas
As we no longer create the builder user at runtime, placing data into
/etc/skel at runtime is semantically not correct anymore. Instead, we
bind mount host paths below /var/kas/userdata. By that, we now place
the data into a directory which is fully handled by us.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2023-02-27 16:29:50 +01:00
Felix Moessbauer
f971cd363b kas-container: copy host ssh config into home
This patch fixes a regression introduced in 492b2c5. As the builder user
is no longer created in the entrypoint, the data from the home skeleton
is also not copied anymore. This breaks the ssh config (including
known_hosts) when using kas-container with --ssh-dir, as the ssh dir is
mounted into the skeleton, but not copied to the builder's home.

With this patch, we now explicitly copy the .ssh folder into the builder
user's home, in case it is mounted from the host.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2023-02-27 16:29:45 +01:00
Jan Kiszka
a39d5a00c5 container: Add copyright headers and improve comments
Dockerfile and container-entrypoint were missing that header.

Furthermore, the leading comment in Dockerfile got out-of-date, and we
should rather add section marker for the kas and kas-isar targets.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2023-02-07 10:38:39 +01:00
Jan Kiszka
06aae60b65 container: Disable git safe.directory when running without kas-container
This is for the sake of the gitlab-ci runner which does not properly
align the ownership of the repo it checks out with the UID:GID of
our builder user. Reason not yet understood and hard to debug (logging
of the runner is incomplete).

Work around this issue by disabling safe.directory checks in case the
container is called without kas-container as wrapper (means, when it is
called without setting "--user=root"). This preserves git's checks for
the common interactive case, the more critical one.

Reported-by: Ross Burton <ross@burtonini.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2023-02-07 10:38:39 +01:00
Jan Kiszka
492b2c56ab container: Rework uid/gid alignment with caller
Already create the builder user/group during container image build and
only align the IDs in the entrypoint if started with a non-zero USER_ID.
The primary gain is code simplification because this removes some
dynamics from the entrypoint.

As this refactoring avoids that gitlab-ci runners start the container as
root, it was also supposed to resolve the mismatch between the owner of
the checked-out repo and builder user. Unfortunately, this does not work
yet, and the reason is still unclear.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2023-02-07 10:38:27 +01:00
Jan Kiszka
a596e2ac33 kas-isar: Rework isar-specific entrypoint setup
Leave the isar-only commands commented-out in the container-entrypoint
and simply remove the comment when building kas-isar. This is simpler,
more readable and also more robust against changes of the entrypoint
file.

While at it, avoid a separate layer for modifying container-entrypoint.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2023-02-06 10:30:04 +01:00
Felix Moessbauer
53369faf55 add support for the dump plugin in kas-container
This patch adds support to use the dump plugin in kas-container.

Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2022-12-13 14:39:14 +01:00
Jan Kiszka
df9b3af111 container-entrypoint: Address shellcheck findings
Reported-by: Marius Kriegerowski <marius.kriegerowski@gfz-potsdam.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2022-01-11 15:04:47 +01:00
Jan Kiszka
da62e0bfbd kas-container: Add support for menu plugin
For this script, this is almost straightforward - except that we need to
extract the static KAS_BUILD_SYSTEM config setting from the selected
Kconfig file so that the correct container image and mode is chosen.

Two new dependencies need to be added to the container image. While
python3-newt can come from Debian, kconfiglib only exists as Python
package. To make sure we are not pulling any other packages via pip,
install kconfiglib upfront. It has no own dependencies, thus can use
--no-deps as well.

Finally, the container-entrypoint needs to be updated to make it aware
of the new plugin.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2021-10-09 15:00:05 +02:00
Jan Kiszka
46eabc7be3 kas-container: Add support for checkout and for-all-repos
Allow invoking those two new sub-commands also via the container
interface.

Closes 
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2021-05-20 16:39:39 +02:00
Maximilian Schmidt
15aaf4677b Add support for rootless podman with userns keep-id
Running `./kas-container` as rootless podman container fails with:

```
groupadd: Permission denied.
groupadd: cannot lock /etc/group; try again later.
useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.
```

This patch adds a check whether the correct USER_ID is already in use.

Co-authored-by: Nicolas Riebesel <nicolas.riebesel@gmx.com>
Signed-off-by: Maximilian Schmidt <maximilian@schmidt.so>
[Jan: fixed indention]
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2021-01-20 08:16:36 +01:00
Claudius Heine
bb303ced8c rename docker-entrypoint to container-entrypoint
Signed-off-by: Claudius Heine <ch@denx.de>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2020-09-29 08:32:57 +02:00