#!/bin/sh # # kas - setup tool for bitbake based projects # # Copyright (c) Siemens AG, 2018-2025 # # Authors: # Jan Kiszka # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to deal # in the Software without restriction, including without limitation the rights # to use, copy, modify, merge, publish, distribute, sublicense, and/or sell # copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be # included in all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER # LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE # SOFTWARE. set -e KAS_CONTAINER_SCRIPT_VERSION="5.3" KAS_IMAGE_VERSION_DEFAULT="${KAS_CONTAINER_SCRIPT_VERSION}" KAS_CONTAINER_IMAGE_DISTRO_DEFAULT="" KAS_CONTAINER_IMAGE_PATH_DEFAULT="ghcr.io/siemens/kas" KAS_CONTAINER_IMAGE_NAME_DEFAULT="kas" KAS_CONTAINER_SELF_NAME="$(basename "$0")" # usage [exit_code] usage() { EXIT_CODE="$1" SELF="${KAS_CONTAINER_SELF_NAME}" printf "%b" "Usage: ${SELF} [OPTIONS] { build | shell } [KASOPTIONS] [KASFILE]\n" printf "%b" " ${SELF} [OPTIONS] { checkout | dump | lock } [KASOPTIONS] [KASFILE]\n" printf "%b" " ${SELF} [OPTIONS] { diff } [KASOPTIONS] config1 config2\n" printf "%b" " ${SELF} [OPTIONS] for-all-repos [KASOPTIONS] [KASFILE] COMMAND\n" printf "%b" " ${SELF} [OPTIONS] { clean | cleansstate | cleanall | purge} [KASFILE]\n" printf "%b" " ${SELF} [OPTIONS] menu [KCONFIG]\n" printf "%b" "\nPositional arguments:\n" printf "%b" "build\t\t\tCheck out repositories and build target.\n" printf "%b" "checkout\t\tCheck out repositories but do not build.\n" printf "%b" "diff\t\t\tCompare two kas configurations.\n" printf "%b" "dump\t\t\tCheck out repositories and write flat version\n" printf "%b" " \t\t\tof config to stdout.\n" printf "%b" "lock\t\t\tCreate and update kas project lockfiles.\n" printf "%b" "shell\t\t\tRun a shell in the build environment.\n" printf "%b" "for-all-repos\t\tRun specified command in each repository.\n" printf "%b" "clean\t\t\tClean build artifacts, keep sstate cache and " \ "downloads.\n" printf "%b" "cleansstate\t\tClean build artifacts and sstate cache, " \ "keep downloads.\n" printf "%b" "cleanall\t\tClean build artifacts, sstate cache and " \ "downloads.\n" printf "%b" "purge\t\t\tRemove all data managed by kas. Run with '--dry-run'\n" printf "%b" " \t\t\tto check what would be removed.\n" printf "%b" "menu\t\t\tProvide configuration menu and trigger " \ "configured build.\n" printf "%b" "\nOptional arguments:\n" printf "%b" "--isar-privileged\tRun an Isar build in privileged mode. " \ "To force the use\n" printf "%b" "\t\t\tof run0 over sudo, set KAS_SUDO_CMD=run0.\n" printf "%b" "--isar-rootless\t\tRun an Isar build in rootless mode.\n" printf "%b" "--runtime-args\t\tAdditional arguments to pass to the " \ "container runtime.\n" printf "%b" "\t\t\tfor running the build.\n" printf "%b" "-l, --log-level\t\tSet log level (default=info).\n" printf "%b" "--version\t\tPrint program version.\n" printf "%b" "--ssh-dir\t\tDirectory containing SSH configurations.\n" printf "%b" "\t\t\tAvoid \$HOME/.ssh unless you fully trust the " \ "container.\n" printf "%b" "--ssh-agent\t\tForward ssh-agent socket to the container.\n" printf "%b" "--aws-dir\t\tDirectory containing AWScli configuration.\n" printf "%b" "\t\t\tAvoid \$HOME/.aws unless you fully trust the " \ "container.\n" printf "%b" "--git-credential-store\tFile path to the git credential " \ "store.\n" printf "%b" "--git-credential-socket\tPath to the git credential cache " \ "socket.\n" printf "%b" "--no-proxy-from-env\tDo not inherit proxy settings from " \ "environment.\n" printf "%b" "--repo-ro\t\tMount current repository read-only\n" \ "\t\t\t(default for build command).\n" printf "%b" "--repo-rw\t\tMount current repository writable\n" \ "\t\t\t(default for shell command).\n" printf "%b" "-h, --help\t\tShow this help message and exit.\n" printf "%b" "\n" printf "%b" "You can force the use of podman over docker using " \ "KAS_CONTAINER_ENGINE=podman.\n" exit "${EXIT_CODE:-1}" } fatal_error() { echo "${KAS_CONTAINER_SELF_NAME}: Error: $*" >&2 exit 1 } warning() { echo "${KAS_CONTAINER_SELF_NAME}: Warning: $*" >&2 } debug(){ if [ -n "${KAS_VERBOSE}" ]; then echo "${KAS_CONTAINER_SELF_NAME}: Debug: $*" >&2 fi } trace() { [ -n "${KAS_VERBOSE}" ] && echo "+ $*" >&2 "$@" } prepare_sudo_cmd() { if [ -z "${KAS_SUDO_CMD}" ]; then # Try to auto-detect a privileged executor if command -v sudo >/dev/null; then KAS_SUDO_CMD="sudo" elif command -v run0 >/dev/null; then KAS_SUDO_CMD="run0" else fatal_error "No privileged executor found, need sudo or run0." fi fi case "$KAS_SUDO_CMD" in sudo) _KAS_SUDO_CMD="sudo --preserve-env";; run0) _KAS_SUDO_CMD="run0 --background= --unit=kas-container@$$";; *) fatal_error "Unsupported KAS_SUDO_CMD ('${KAS_SUDO_CMD}'), use sudo or run0.";; esac } enable_isar_mode() { KAS_CONTAINER_IMAGE_NAME_DEFAULT="kas-isar" KAS_ISAR_ARGS="--privileged" if [ "${KAS_CONTAINER_ENGINE}" = "podman" ]; then prepare_sudo_cmd # sudo is needed for a privileged podman container KAS_CONTAINER_COMMAND="${_KAS_SUDO_CMD} ${KAS_CONTAINER_COMMAND}" # preserved user PATH may lack sbin needed by privileged podman export PATH="${PATH}:/usr/sbin" elif [ "${KAS_DOCKER_ROOTLESS}" = "1" ]; then prepare_sudo_cmd DOCKER_HOST_DEFAULT="$(docker context inspect default --format '{{.Endpoints.docker.Host}}')" export DOCKER_HOST="${DOCKER_HOST:-$DOCKER_HOST_DEFAULT}" debug "kas-isar does not support rootless docker. Using system docker in $DOCKER_HOST" # force use of well-known system docker socket KAS_CONTAINER_COMMAND="${_KAS_SUDO_CMD} ${KAS_CONTAINER_COMMAND}" KAS_DOCKER_ROOTLESS=0 fi } enable_isar_rootless_mode() { KAS_CONTAINER_IMAGE_NAME_DEFAULT="kas-isar" # Use --privileged to pass the ambient capabilities into the container. # When calling from the user session (podman or docker-rootless), this # is fundamentally different from the system docker run --privileged if [ "${KAS_CONTAINER_ENGINE}" = "podman" ]; then KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --userns=keep-id --privileged" elif [ "${KAS_DOCKER_ROOTLESS}" = "1" ]; then KAS_ISAR_ARGS="--privileged" else # we don't need --privileged, but we need to run with SYS_ADMIN # to be able to unshare. KAS_ISAR_ARGS=" \ --security-opt seccomp=unconfined \ --security-opt apparmor=unconfined \ --security-opt systempaths=unconfined \ --cap-add=SYS_ADMIN \ " fi } enable_oe_mode() { if [ "${KAS_CONTAINER_ENGINE}" = "podman" ]; then # The container entry point expects that the current userid # calling "podman run" has a 1:1 mapping KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --userns=keep-id" fi BUILD_SYSTEM="openembedded" } enable_unpriv_userns_docker() { if [ -f /etc/os-release ] && grep -q 'NAME="Ubuntu"' /etc/os-release && [ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] && [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = "1" ]; then if [ -f /etc/apparmor.d/rootlesskit ]; then debug "AppArmor restricts unprivileged userns, using \"rootlesskit\" profile" KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --security-opt apparmor=rootlesskit" else warning "AppArmor restricts unprivileged userns but no suitable apparmor " \ "profile found. Consider setting apparmor_restrict_unprivileged_userns=0" fi fi } # Params: NAME CREATE_MODE check_and_expand() { eval _varval=\"\$"$1"\" [ -z "$_varval" ] && return case "$2" in required) [ ! -d "$_varval" ] && fatal_error "Variable $1 set, but \"$_varval\" is not a directory." ;; create) [ ! -d "$_varval" ] && trace mkdir "$_varval" ;; createrec) trace mkdir -p "$_varval" ;; esac realpath -e "$_varval" } # SC2034: DIR appears unused (ignore, as they are used inside eval) # shellcheck disable=2034 setup_kas_dirs() { KAS_WORK_DIR="${KAS_WORK_DIR:-$(pwd)}" KAS_WORK_DIR="$(check_and_expand KAS_WORK_DIR required)" KAS_BUILD_DIR="$(check_and_expand KAS_BUILD_DIR create)" KAS_REPO_REF_DIR="$(check_and_expand KAS_REPO_REF_DIR required)" DL_DIR="$(check_and_expand DL_DIR createrec)" SSTATE_DIR="$(check_and_expand SSTATE_DIR createrec)" KAS_BUILDTOOLS_DIR="$(check_and_expand KAS_BUILDTOOLS_DIR createrec)" } # Params: FILE # Returns: root repo dir of file repo_path_of_file() { _DIR="$(dirname "$1")" _REPO_DIR=$(git -C "${_DIR}" rev-parse --show-toplevel 2>/dev/null) \ || _REPO_DIR=$(hg --cwd "${_DIR}" root 2>/dev/null) \ || _REPO_DIR=${_DIR} echo "$_REPO_DIR" } # Params: ARG process_file_arg() { _KAS_FILES= _KAS_FIRST_FILE= _KAS_REPO_DIR= # SC2086: Double quote to prevent globbing and word splitting. # shellcheck disable=2086 for FILE in $(IFS=':'; echo $ARG); do if ! KAS_REAL_FILE="$(realpath -qe "$FILE")"; then fatal_error "configuration file '${FILE}' not found" fi if [ -z "${_KAS_FILES}" ]; then _KAS_FIRST_FILE="${KAS_REAL_FILE}" _KAS_FILES="${KAS_REAL_FILE}" _KAS_REPO_DIR=$(repo_path_of_file "${_KAS_FIRST_FILE}") else _KAS_FILES="${_KAS_FILES}:${KAS_REAL_FILE}" fi done KAS_FILES="${KAS_FILES} ${_KAS_FILES}" KAS_FIRST_FILES="${KAS_FIRST_FILES} ${_KAS_FIRST_FILE}" KAS_REPO_DIRS="${KAS_REPO_DIRS} ${_KAS_REPO_DIR}" } # Params: NAME CONTAINER_PATH MODE # If the dir is not below KAS_WORK_DIR, the dir is mounted into the container. forward_dir() { eval _varval=\"\$"$1"\" [ -z "$_varval" ] && return FW_DIR_REL=$(realpath -q --relative-base="${KAS_WORK_DIR}" "$_varval") if [ "${FW_DIR_REL}" = "$_varval" ]; then KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} -v ${FW_DIR_REL}:$2:$3 -e $1=$2" else KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} -e $1=/work/${FW_DIR_REL}" fi } check_docker_rootless() { KAS_DOCKER_ROOTLESS=0 if [ "$(docker context show)" = "rootless" ]; then KAS_DOCKER_ROOTLESS=1 fi } enable_docker_rootless() { warning "Rootless docker used, only limited functionality available." if [ "${KAS_WORK_DIR}" = "${KAS_REPO_DIR}" ]; then warning "On docker rootless a exclusive KAS_WORK_DIR should be used" \ "as kas temporarily changes the ownership of this directory." fi if [ "${KAS_REPO_MOUNT_OPT}" = "rw" ]; then fatal_error "Docker rootless requires read-only repo." fi KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} -e KAS_DOCKER_ROOTLESS=1" } set_container_image_var() { # if the image is explicitly set, use that if [ -n "${KAS_CONTAINER_IMAGE}" ]; then return fi KAS_IMAGE_VERSION="${KAS_IMAGE_VERSION:-${KAS_IMAGE_VERSION_DEFAULT}}" KAS_CONTAINER_IMAGE_DISTRO="${KAS_CONTAINER_IMAGE_DISTRO:-${KAS_CONTAINER_IMAGE_DISTRO_DEFAULT}}" KAS_CONTAINER_IMAGE_NAME="${KAS_CONTAINER_IMAGE_NAME:-${KAS_CONTAINER_IMAGE_NAME_DEFAULT}}" KAS_CONTAINER_IMAGE_PATH="${KAS_CONTAINER_IMAGE_PATH:-${KAS_CONTAINER_IMAGE_PATH_DEFAULT}}" KAS_CONTAINER_IMAGE="${KAS_CONTAINER_IMAGE_PATH}/${KAS_CONTAINER_IMAGE_NAME}:${KAS_IMAGE_VERSION}" if [ -n "${KAS_CONTAINER_IMAGE_DISTRO}" ]; then KAS_CONTAINER_IMAGE="${KAS_CONTAINER_IMAGE}-${KAS_CONTAINER_IMAGE_DISTRO}" fi } # parse kas-container options, leave build system empty to distinguish between # explicitly set via flag and implicitly via config. BUILD_SYSTEM="" KAS_OPTIONS_DIRECT="" while [ $# -gt 0 ]; do case "$1" in --isar | --isar-privileged) if [ "$1" = "--isar" ]; then warning "The semantic of '--isar' might change in the" \ "future. Please use '--isar-privileged' instead." fi BUILD_SYSTEM="isar-privileged" shift 1 ;; --isar-rootless) BUILD_SYSTEM="isar-rootless" shift 1 ;; --runtime-args | --docker-args) [ $# -gt 0 ] || usage KAS_EXTRA_RUNTIME_ARGS=" $2" shift 2 ;; --ssh-dir) [ $# -gt 2 ] || usage KAS_SSH_DIR="$2" shift 2 ;; --ssh-agent) if [ -z "${SSH_AUTH_SOCK}" ]; then fatal_error "no SSH agent running" fi KAS_SSH_AUTH_SOCK=$(realpath -e "$SSH_AUTH_SOCK") shift 1 ;; --aws-dir) [ $# -gt 2 ] || usage KAS_AWS_DIR="$2" shift 2 ;; --git-credential-store) [ $# -gt 2 ] || usage KAS_GIT_CREDENTIAL_STORE="$2" shift 2 ;; --git-credential-socket) [ $# -gt 2 ] || usage KAS_GIT_CREDENTIAL_SOCKET="$2" shift 2 ;; --no-proxy-from-env) KAS_NO_PROXY_FROM_ENV=1 shift 1 ;; --repo-ro) KAS_REPO_MOUNT_OPT="ro" shift 1 ;; --repo-rw) KAS_REPO_MOUNT_OPT="rw" shift 1 ;; -l | --log-level) if [ "$2" = "debug" ]; then KAS_VERBOSE=1 fi KAS_OPTIONS_DIRECT="${KAS_OPTIONS_DIRECT} -l $2" shift 2 ;; --version) echo "${KAS_CONTAINER_SELF_NAME} $KAS_IMAGE_VERSION_DEFAULT" exit 0 ;; -h | --help) usage 0 ;; --*) usage ;; clean | cleansstate | cleanall | purge) KAS_REPO_MOUNT_OPT_DEFAULT="ro" KAS_CMD=$1 shift 1 break ;; shell | lock) KAS_REPO_MOUNT_OPT_DEFAULT="rw" KAS_CMD=$1 shift 1 break ;; build | checkout | for-all-repos | menu) KAS_REPO_MOUNT_OPT_DEFAULT="ro" KAS_CMD=$1 shift 1 break ;; diff) KAS_REPO_MOUNT_OPT_DEFAULT="ro" KAS_CMD=$1 shift 1 break ;; dump) if printf '%s\0' "$@" | grep -xqz -- '--inplace\|-i'; then KAS_REPO_MOUNT_OPT_DEFAULT="rw" else KAS_REPO_MOUNT_OPT_DEFAULT="ro" fi KAS_CMD=$1 shift 1 break ;; *) usage ;; esac done KAS_CONTAINER_ENGINE="${KAS_CONTAINER_ENGINE:-${KAS_DOCKER_ENGINE}}" if [ -z "${KAS_CONTAINER_ENGINE}" ]; then # Try to auto-detect a container engine if command -v docker >/dev/null 2>&1 && docker -v 2>/dev/null | grep -q '^Docker'; then KAS_CONTAINER_ENGINE=docker elif command -v podman >/dev/null 2>&1; then KAS_CONTAINER_ENGINE=podman else fatal_error "no container engine found, need docker or podman" fi fi KAS_RUNTIME_ARGS="--log-driver=none --user=root" case "${KAS_CONTAINER_ENGINE}" in docker) KAS_CONTAINER_COMMAND="docker" enable_unpriv_userns_docker check_docker_rootless ;; podman) KAS_CONTAINER_COMMAND="podman" KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --security-opt label=disable" ;; *) fatal_error "unknown container engine '${KAS_CONTAINER_ENGINE}'" ;; esac setup_kas_dirs KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS}${KAS_EXTRA_RUNTIME_ARGS}" [ -n "${KAS_CMD}" ] || usage KAS_EXTRA_BITBAKE_ARGS=0 KAS_FILES= # parse kas sub-command options while [ $# -gt 0 ] && [ $KAS_EXTRA_BITBAKE_ARGS -eq 0 ]; do case "$1" in --format | --indent | --provenance | --skip | --target | --task) KAS_OPTIONS="${KAS_OPTIONS} $1 $2" shift 1 shift 1 || KAS_OPTIONS="--help" ;; -c | --cmd | --command) KAS_BITBAKE_C_OPTION_ARGS="$2" shift 1 shift 1 || KAS_OPTIONS="--help" ;; -E | --preserve-env) fatal_error "$1 is not supported with ${KAS_CONTAINER_SELF_NAME}" ;; --) KAS_EXTRA_BITBAKE_ARGS=$# ;; -*) KAS_OPTIONS="${KAS_OPTIONS} $1" shift 1 ;; *) ARG="$1" shift 1 if [ "$KAS_CMD" = "for-all-repos" ]; then if [ $# -gt 0 ]; then KAS_REPO_CMD="$1" shift 1 else KAS_REPO_CMD="$ARG" unset ARG fi fi process_file_arg "$ARG" ;; esac done if [ -n "${KAS_FIRST_FILES}" ]; then KAS_REPO_DIR=$(echo "${KAS_REPO_DIRS}" | awk '{print $1}') else KAS_REPO_DIR=$(pwd) fi SOURCE_DIR_HOST=$( grep -e "^_source_dir_host: " "${KAS_WORK_DIR}/.config.yaml" 2>/dev/null | \ sed 's/_source_dir_host:[ ]\+//') if [ -n "${SOURCE_DIR_HOST}" ]; then KAS_REPO_DIR="${SOURCE_DIR_HOST}" fi if [ "${KAS_CMD}" = "menu" ]; then if [ -z "${KAS_FIRST_FILES}" ]; then KAS_FIRST_FILES="Kconfig" fi # When using the menu plugin, we need to track the KAS_REPO_DIR outside # of the container to later allow a simple `kas-container build`. For # that, we tell the kas menu plugin via an env-var about the location # on the host. This data is then added to the .config.yaml where it can # be evaluated by the next invocation of kas-container. KAS_REPO_DIR=$(check_and_expand KAS_REPO_DIR required) if ! [ "${KAS_REPO_DIR}" = "${KAS_WORK_DIR}" ]; then set -- "$@" -e _KAS_REPO_DIR_HOST="${KAS_REPO_DIR}" fi if [ "$(echo "${KAS_FIRST_FILES}" | wc -w)" -ne "1" ]; then fatal_error "menu plugin only supports a single Kconfig file" fi BUILD_SYSTEM=${BUILD_SYSTEM:-$(tr '\n' '\f' 2>/dev/null < "${KAS_FIRST_FILES}" | sed -e 's/\(.*\fconfig KAS_BUILD_SYSTEM\f\(.*\)\|.*\)/\2/' \ -e 's/\f\([[:alpha:]].*\|$\)//' \ -e 's/.*default \"\(.*\)\".*/\1/')} else if [ -z "${KAS_FIRST_FILES}" ]; then KAS_FIRST_FILES="${KAS_WORK_DIR}/.config.yaml" fi # We only get the first build system and let kas check if mixed _KAS_FIRST_FILE=$(echo "${KAS_FIRST_FILES}" | awk '{print $1}') BUILD_SYSTEM=${BUILD_SYSTEM:-$(grep -e "^build_system: " "${_KAS_FIRST_FILE}" 2>/dev/null | sed 's/build_system:[ ]\+//')} fi if [ "${BUILD_SYSTEM}" = "isar" ] || [ "${BUILD_SYSTEM}" = "isar-privileged" ]; then enable_isar_mode elif [ "${BUILD_SYSTEM}" = "isar-rootless" ]; then enable_isar_rootless_mode else enable_oe_mode fi # clean can be executed without config, hence manually forward the build system case "${BUILD_SYSTEM}" in isar*) if echo "${KAS_CMD}" | grep -qe "^clean\|purge"; then KAS_OPTIONS="${KAS_OPTIONS} --${BUILD_SYSTEM}" fi ;; esac set_container_image_var if [ "${KAS_DOCKER_ROOTLESS}" = "1" ]; then KAS_REPO_MOUNT_OPT_DEFAULT="ro" fi KAS_REPO_MOUNT_OPT="${KAS_REPO_MOUNT_OPT:-${KAS_REPO_MOUNT_OPT_DEFAULT}}" if [ "$(id -u)" -eq 0 ] && [ "${KAS_ALLOW_ROOT}" != "yes" ] ; then fatal_error "Running as root - may break certain recipes." \ "Better give a regular user docker access. Set" \ "KAS_ALLOW_ROOT=yes to override." fi if [ "${KAS_DOCKER_ROOTLESS}" = "1" ]; then enable_docker_rootless fi if [ "${KAS_CMD}" = "diff" ]; then if [ "$(echo "${KAS_FILES}" | wc -w)" -eq "2" ]; then _KAS_REPO_DIR1="$(echo "${KAS_REPO_DIRS}" | awk '{print $1}')" _KAS_REPO_DIR2="$(echo "${KAS_REPO_DIRS}" | awk '{print $2}')" _KAS_FILES1="$(echo "${KAS_FILES}" | awk '{print $1}' | sed 's|'"${_KAS_REPO_DIR1}"'/|/repo/|g')" _KAS_FILES2="$(echo "${KAS_FILES}" | awk '{print $2}' | sed 's|'"${_KAS_REPO_DIR2}"'/|/repo2/|g')" KAS_FILES="${_KAS_FILES1} ${_KAS_FILES2}" set -- "$@" -v "${_KAS_REPO_DIR2}:/repo2:${KAS_REPO_MOUNT_OPT}" fi else KAS_FILES="$(echo "${KAS_FILES}" | sed 's|'"${KAS_REPO_DIR}"'/|/repo/|g')" fi set -- "$@" -v "${KAS_REPO_DIR}:/repo:${KAS_REPO_MOUNT_OPT}" \ -v "${KAS_WORK_DIR}":/work:rw -e KAS_WORK_DIR=/work \ --workdir=/repo \ -e KAS_CONTAINER_SCRIPT_VERSION="${KAS_CONTAINER_SCRIPT_VERSION}" \ -e USER_ID="$(id -u)" -e GROUP_ID="$(id -g)" --rm --init forward_dir KAS_BUILD_DIR "/build" "rw" forward_dir DL_DIR "/downloads" "rw" forward_dir KAS_REPO_REF_DIR "/repo-ref" "rw" forward_dir SSTATE_DIR "/sstate" "rw" forward_dir KAS_BUILDTOOLS_DIR "/buildtools" "rw" if git_com_dir=$(git -C "${KAS_REPO_DIR}" rev-parse --git-common-dir 2>/dev/null) \ && [ "$git_com_dir" != "$(git -C "${KAS_REPO_DIR}" rev-parse --git-dir)" ]; then KAS_GIT_OVERLAY_FILE="" kas_container_cleanup() { if [ -f "${KAS_GIT_OVERLAY_FILE}" ]; then trace rm -f "${KAS_GIT_OVERLAY_FILE}" fi } trap kas_container_cleanup EXIT INT TERM # If (it's a git repo) and the common dir isn't the git-dir, it is shared worktree and # we have to mount the common dir in the container to make git work # The mount path inside the container is different from the host path. Hence, we over-mount # the .git file to point to the correct path. KAS_GIT_OVERLAY_FILE=$(mktemp) sed "s|gitdir: ${git_com_dir}/|gitdir: /repo-common/|" "${KAS_REPO_DIR}/.git" > "${KAS_GIT_OVERLAY_FILE}" set -- "$@" -v "${git_com_dir}:/repo-common:${KAS_REPO_MOUNT_OPT}" \ -v "${KAS_GIT_OVERLAY_FILE}:/repo/.git:ro" # if the workdir is the same as the repo dir, it is the same shared worktree if [ "${KAS_WORK_DIR}" = "${KAS_REPO_DIR}" ]; then set -- "$@" -v "${KAS_GIT_OVERLAY_FILE}:/work/.git:ro" fi fi KAS_SSH_DIR="$(check_and_expand KAS_SSH_DIR required)" if [ -n "${KAS_SSH_DIR}" ] ; then set -- "$@" -v "${KAS_SSH_DIR}":/var/kas/userdata/.ssh:ro fi if [ -n "${KAS_SSH_AUTH_SOCK}" ]; then if [ ! -S "${KAS_SSH_AUTH_SOCK}" ]; then fatal_error "passed SSH_AUTH_SOCK '${KAS_SSH_AUTH_SOCK}' is not a socket" fi set -- "$@" -v "${KAS_SSH_AUTH_SOCK}":/ssh-agent/ssh-auth-sock \ -e SSH_AUTH_SOCK=/ssh-agent/ssh-auth-sock fi KAS_AWS_DIR="$(check_and_expand KAS_AWS_DIR required)" if [ -n "${KAS_AWS_DIR}" ] ; then set -- "$@" -v "${KAS_AWS_DIR}":/var/kas/userdata/.aws:ro \ -e AWS_CONFIG_FILE="${AWS_CONFIG_FILE:-/var/kas/userdata/.aws/config}" \ -e AWS_SHARED_CREDENTIALS_FILE="${AWS_SHARED_CREDENTIALS_FILE:-/var/kas/userdata/.aws/credentials}" fi if [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE}" ] ; then if [ ! -f "${AWS_WEB_IDENTITY_TOKEN_FILE}" ]; then echo "Passed AWS_WEB_IDENTITY_TOKEN_FILE '${AWS_WEB_IDENTITY_TOKEN_FILE}' is not a file" exit 1 fi set -- "$@" -v "$(realpath -e "${AWS_WEB_IDENTITY_TOKEN_FILE}")":/var/kas/userdata/.aws/web_identity_token:ro \ -e AWS_WEB_IDENTITY_TOKEN_FILE="${AWS_CONFIG_FILE:-/var/kas/userdata/.aws/web_identity_token}" \ -e AWS_ROLE_ARN="${AWS_ROLE_ARN}" fi KAS_GIT_CREDENTIAL_HELPER_DEFAULT="" if [ -n "${KAS_GIT_CREDENTIAL_STORE}" ] ; then if [ ! -f "${KAS_GIT_CREDENTIAL_STORE}" ]; then fatal_error "passed KAS_GIT_CREDENTIAL_STORE '${KAS_GIT_CREDENTIAL_STORE}' is not a file" fi KAS_GIT_CREDENTIAL_HELPER_DEFAULT="store --file=/var/kas/userdata/.git-credentials" set -- "$@" -v "$(realpath -e "${KAS_GIT_CREDENTIAL_STORE}")":/var/kas/userdata/.git-credentials:ro fi if [ -n "${KAS_GIT_CREDENTIAL_SOCKET}" ] ; then if [ ! -S "${KAS_GIT_CREDENTIAL_SOCKET}" ]; then fatal_error "passed KAS_GIT_CREDENTIAL_SOCKET '${KAS_GIT_CREDENTIAL_SOCKET}' is not a socket" fi KAS_GIT_CREDENTIAL_HELPER_DEFAULT="cache --socket=/var/kas/userdata/.git-cache-socket" set -- "$@" -v "$(realpath -e "${KAS_GIT_CREDENTIAL_SOCKET}")":/var/kas/userdata/.git-cache-socket fi GIT_CREDENTIAL_HELPER="${GIT_CREDENTIAL_HELPER:-${KAS_GIT_CREDENTIAL_HELPER_DEFAULT}}" if [ -n "${GIT_CREDENTIAL_HELPER}" ] ; then set -- "$@" -e GIT_CREDENTIAL_HELPER="${GIT_CREDENTIAL_HELPER}" fi if [ -f "${NETRC_FILE}" ]; then set -- "$@" -v "$(realpath -e "${NETRC_FILE}")":/var/kas/userdata/.netrc:ro \ -e NETRC_FILE="/var/kas/userdata/.netrc" fi if [ -f "${NPMRC_FILE}" ]; then set -- "$@" -v "$(realpath -e "${NPMRC_FILE}")":/var/kas/userdata/.npmrc:ro \ -e NPMRC_FILE="/var/kas/userdata/.npmrc" fi if [ -f "${GITCONFIG_FILE}" ]; then set -- "$@" -v "$(realpath -e "${GITCONFIG_FILE}")":/var/kas/userdata/.gitconfig:ro \ -e GITCONFIG_FILE="/var/kas/userdata/.gitconfig" fi if [ -f "${REGISTRY_AUTH_FILE}" ]; then set -- "$@" -v "$(realpath -e "${REGISTRY_AUTH_FILE}")":/var/kas/userdata/.docker/config.json:ro \ -e REGISTRY_AUTH_FILE="/var/kas/userdata/.docker/config.json" fi if [ -t 1 ]; then set -- "$@" -t -i fi if [ -n "${SSTATE_MIRRORS}" ]; then if echo "${SSTATE_MIRRORS}" | grep -q "file:///"; then warning "SSTATE_MIRRORS contains a local path." \ "Make sure to make this path available inside the container." fi set -- "$@" -e "SSTATE_MIRRORS=${SSTATE_MIRRORS}" fi # propagate timezone information to entrypoint (requires systemd 239) if command -v timedatectl >/dev/null; then set -- "$@" -e "KAS_HOST_TZ=$(timedatectl show -p Timezone --value 2>/dev/null)" fi for var in TERM KAS_DISTRO KAS_MACHINE KAS_TARGET KAS_TASK KAS_CLONE_DEPTH \ KAS_PREMIRRORS DISTRO_APT_PREMIRRORS BB_NUMBER_THREADS PARALLEL_MAKE \ GIT_CREDENTIAL_USEHTTPPATH \ TZ; do if [ -n "$(eval echo \$${var})" ]; then set -- "$@" -e "${var}=$(eval echo \"\$${var}\")" fi done # propagate only supported SHELL settings case "$SHELL" in /bin/sh | /bin/bash | /bin/dash) set -- "$@" -e "SHELL=$SHELL" ;; *) set -- "$@" -e "SHELL=/bin/bash" ;; esac if [ -z "${KAS_NO_PROXY_FROM_ENV+x}" ]; then for var in http_proxy https_proxy ftp_proxy no_proxy NO_PROXY; do if [ -n "$(eval echo \$${var})" ]; then set -- "$@" -e "${var}=$(eval echo \$${var})" fi done fi # SC2086: Double quote to prevent globbing and word splitting. # shellcheck disable=2086 set -- "$@" ${KAS_ISAR_ARGS} ${KAS_RUNTIME_ARGS} \ ${KAS_CONTAINER_IMAGE} ${KAS_OPTIONS_DIRECT} ${KAS_CMD} ${KAS_OPTIONS} if [ -n "${KAS_BITBAKE_C_OPTION_ARGS}" ]; then set -- "$@" -c "${KAS_BITBAKE_C_OPTION_ARGS}" fi # SC2086: Double quote to prevent globbing and word splitting. # shellcheck disable=2086 set -- "$@" ${KAS_FILES} if [ "$KAS_CMD" = "for-all-repos" ]; then set -- "$@" "${KAS_REPO_CMD}" fi # rotate any extra bitbake args from the front to the end of the argument list while [ $KAS_EXTRA_BITBAKE_ARGS -gt 0 ]; do arg="$1" shift 1 set -- "$@" "$arg" KAS_EXTRA_BITBAKE_ARGS=$((KAS_EXTRA_BITBAKE_ARGS - 1)) done # shellcheck disable=SC2086 trace ${KAS_CONTAINER_COMMAND} run "$@"