This patch fixes a regression introduced in 492b2c5. As the builder user
is no longer created in the entrypoint, the data from the home skeleton
is also not copied anymore. This breaks the ssh config (including
known_hosts) when using kas-container with --ssh-dir, as the ssh dir is
mounted into the skeleton, but not copied to the builders home.
With this patch, we now explicitly copy the .ssh folder into the builder
users home, in case it is mounted from the host.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Dockerfile and container-entrypoint were missing that header.
Furthermore, the leading comment in Dockerfile got out-of-date, and we
should rather add section marker for the kas and kas-isar targets.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This is for the sake of the gitlab-ci runner which does not properly
aligns the ownership of the repo it checks out with the UID:GID of
our builder user. Reason not yet understood and hard to debug (logging
of the runner is incomplete).
Work around this issue by disabling safe.directory checks in case the
container is called without kas-container as wrapper (means, when it is
called without setting "--user=root"). This preserves git's checks for
the common interactive case, the more critical one.
Reported-by: Ross Burton <ross@burtonini.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Already create the builder user/group during container image build and
only align the IDs in the entrypoint if started with a non-zero USER_ID.
The primary gain is code simplification because this removes some
dynamics from the entrypoint.
As this refactoring avoids that gitlab-ci runners start the container as
root, it was also supposed to resolve the mismatch between the owner of
the checked-out repo and builder user. Unfortunately, this does not work
yet, and the reason is still unclear.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Leave the isar-only commands commented-out in the container-entrypoint
and simply remove the comment when building kas-isar. This is simpler,
more readable and also more robust against changes of the entrypoint
file.
While at it, avoid a separate layer for modifying container-entrypoint.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This patch adds support to use the dump plugin in kas-container.
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
For this script, this is almost straightforward - except that we need to
extract the static KAS_BUILD_SYSTEM config setting from the selected
Kconfig file so that the correct container image and mode is chosen.
Two new dependencies need to be added to the container image. While
python3-newt can come from Debian, kconfiglib only exists as Python
package. To make sure we are not pulling any other packages via pip,
install kconfiglib upfront. It has no own dependencies, thus can use
--no-deps as well.
Finally, the container-entrypoint needs to be updated to make it aware
of the new plugin.
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
