Pass more proxy vars into the chroot, rework sudoers.d maintenance.

In particular, put the sudoers.d setup into one script (making
updates to it easier in the future if necessary), and
centralize the proxied vars into a const in common.sh.

Thanks to Kevin McCray/Josh Triplett/Alexander Kanevsky for
pointing out the missing proxy variables, and fixes/cleanup.

BUG=None
TEST=https_proxy=blah cros_sdk -- bash -c 'echo $https_proxy'
TEST=build_packages behind a proxy.
TEST=cros_sdk --replace && \
     RSYNC_PROXY=blah cros_sdk -- bash -c 'echo $RSYNC_PROXY'

Change-Id: I3165882dfd9c8b52d25c2b26d7ff9242c84c91bd
Reviewed-on: https://gerrit.chromium.org/gerrit/31185
Tested-by: Brian Harring <ferringb@chromium.org>
Reviewed-by: Josh Triplett <josh@joshtriplett.org>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
Commit-Ready: Josh Triplett <josh@joshtriplett.org>

chroot_version_hooks.d/45_rewrite_sudoers.d

@@ -0,0 +1,41 @@
+# Copyright (c) 2012 The Chromium OS Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Note that this script is invoked by make_chroot in addition
+# to normal upgrade pathways.
+
+if [ "$(id -u)" != 0 ]; then
+  # Note that since we're screwing w/ sudo variables, this script
+  # explicitly bounces up to root for everything it does- that way
+  # if anyone introduces a temp depriving in the sudo setup, it can't break
+  # mid upgrade.
+  exec sudo bash -e "${VERSION_HOOKS_DIR}/45_rewrite_sudoers.d" \
+    / "${USER}" "${ENVIRONMENT_WHITELIST[@]}"
+  exit 1
+fi
+
+# Reaching here means we're root.
+
+if [ $# -lt 2 ]; then
+  echo "Invoked with wrong number of args; expected root USER [variables]*"
+  exit 1
+fi
+
+root=$1
+username=$2
+shift
+shift
+set -- "${@}" CROS_WORKON_SRCROOT PORTAGE_USERNAME
+
+cat > "${root}/etc/sudoers.d/90_cros" <<EOF
+Defaults env_keep += "${*}"
+%adm ALL=(ALL) ALL
+root ALL=(ALL) ALL
+${username} ALL=NOPASSWD: ALL
+EOF
+
+chmod 0440 "${root}/etc/sudoers.d/90_cros"
+chown root:root "${root}/etc/sudoers.d/90_cros"
+
+exit 0

common.sh

@@ -299,6 +299,20 @@ DEFAULT_FAST=${FLAGS_TRUE}
 # Directory to store built images.  Should be set by sourcing script when used.
 BUILD_DIR=
 
+# List of variables to proxy into the chroot from the host, and to
+# have sudo export if existent.
+# Anytime this list is modified, to make that change active a new
+# chroot_version_hooks.d upgrade script that symlinks to 45_rewrite_sudoers.d
+# is required.
+ENVIRONMENT_WHITELIST=(
+  CHROMEOS_OFFICIAL
+  {http{,s},ftp,all,no}_proxy
+  RSYNC_PROXY
+  GIT_{PROXY_COMMAND,SSH}
+  SSH_AGENT_PID
+  SSH_AUTH_SOCK
+)
+
 # Standard filenames
 CHROMEOS_BASE_IMAGE_NAME="chromiumos_base_image.bin"
 CHROMEOS_IMAGE_NAME="chromiumos_image.bin"

run_chroot_version_hooks

@@ -25,7 +25,7 @@ DEFINE_boolean skipfirst "${FLAGS_FALSE}" \
 FLAGS "$@" || exit 1
 
 VERSION_FILE=/etc/cros_chroot_version
-UPGRADE_D="$(dirname ${0})/chroot_version_hooks.d"
+VERSION_HOOKS_DIR="$(dirname "$(readlink -f "${0}")")/chroot_version_hooks.d"
 
 update_version() {
   sudo touch ${VERSION_FILE}
@@ -55,9 +55,8 @@ fi
 # Versions must be -n sorted, that is, the first continuous sequence
 # of numbers is what counts. 12_ is before 111_, etc.
 LATEST_VERSION=$(
-  ls "${UPGRADE_D}" | grep "^[0-9]*_" | \
-  sort -n | tail -n 1 | cut -f1 -d'_'
-)
+  cd "${VERSION_HOOKS_DIR}"
+  ls [0-9]*_* | cut -d_ -f1 | sort -rn | head -n1)
 
 if [ "${FLAGS_force_latest}" == "${FLAGS_TRUE}" ]; then
   update_version "${LATEST_VERSION}"
@@ -71,7 +70,7 @@ if ! [ -f "${VERSION_FILE}" ]; then
   update_version 0
 fi
 
-CHROOT_VERSION=$(cat "${VERSION_FILE}")
+CHROOT_VERSION=$(<"${VERSION_FILE}")
 # Check if version is a number.
 if ! [ "${CHROOT_VERSION}" -ge "0" ] &> /dev/null; then
   error "Your chroot version file ${VERSION_FILE} is bogus: ${CHROOT_VERSION}"
@@ -108,7 +107,7 @@ fi
 if [ "${LATEST_VERSION}" -gt "${CHROOT_VERSION}" ]; then
   info "Old chroot version (${CHROOT_VERSION}) found, running upgrade hooks"
 
-  pushd "${UPGRADE_D}" 1> /dev/null
+  pushd "${VERSION_HOOKS_DIR}" 1> /dev/null
   for n in $(seq "$(expr ${CHROOT_VERSION} + 1)" "${LATEST_VERSION}"); do
     hook=(${n}_*)
 
@@ -138,9 +137,9 @@ if [ "${LATEST_VERSION}" -gt "${CHROOT_VERSION}" ]; then
     # NOTE: We source the upgrade scripts because:
     # 1) We can impose set -something on them.
     # 2) They can reuse local variables and functions (fe. from common.sh)
-    # Side effect is that the scripts have to be internally enclosed in
-    # a code block, otherwise simply running "exit" in any of them would
-    # terminate the master script, so we call it in a subshell.
+    # 3) They're allowed to use VERSION_HOOKS_DIR and VERSION_FILE.
+    # Note that the upgrade scripts have to be subshelled to protect ourselves,
+    # else a script running exit would stop the upgrade process entirely.
     if ! ( source ${hook} ); then
       error "Fatal: failed to upgrade ${n}!"
       exit 1

sdk_lib/enter_chroot.sh

@@ -570,30 +570,20 @@ setup_env
 
 CHROOT_PASSTHRU=(
   "BUILDBOT_BUILD=$FLAGS_build_number"
-  "CHROMEOS_OFFICIAL=$CHROMEOS_OFFICIAL"
   "CHROMEOS_RELEASE_APPID=${CHROMEOS_RELEASE_APPID:-{DEV-BUILD}}"
-
-  # Set CHROMEOS_VERSION_TRACK, CHROMEOS_VERSION_AUSERVER,
-  # CHROMEOS_VERSION_DEVSERVER as environment variables to override the default
-  # assumptions (local AU server). These are used in cros_set_lsb_release, and
-  # are used by external Chromium OS builders.
-
-  "CHROMEOS_VERSION_TRACK=${CHROMEOS_VERSION_TRACK}"
-  "CHROMEOS_VERSION_AUSERVER=${CHROMEOS_VERSION_AUSERVER}"
-  "CHROMEOS_VERSION_DEVSERVER=${CHROMEOS_VERSION_DEVSERVER}"
   "EXTERNAL_TRUNK_PATH=${FLAGS_trunk}"
-  "SSH_AGENT_PID=${SSH_AGENT_PID}"
-  "SSH_AUTH_SOCK=${SSH_AUTH_SOCK}"
 )
 
-# Some vars we want to keep.
-KEEP_VARS="USE GCC_GITHASH"
-# Pass proxy variables into the environment.
-PROXY_VARS="http_proxy ftp_proxy all_proxy GIT_PROXY_COMMAND GIT_SSH"
-for type in ${KEEP_VARS} ${PROXY_VARS}; do
-  if [ -n "${!type}" ]; then
-    CHROOT_PASSTHRU+=( "${type}=${!type}" )
-  fi
+# Add the standard proxied variables, and a few we specifically
+# export for script usage; USE/GCC_GITHASH are for ebuilds/portage,
+# CHROMEOS_VERSION_* is for cros_set_lsb_release and local AU server
+# (builders export this for marking reasons).
+KEEP_VARS=(
+  CHROMEOS_VERSION_{TRACK,AUSERVER,DEVSERVER}
+  USE GCC_GITHASH
+)
+for var in "${ENVIRONMENT_WHITELIST[@]}" "${KEEP_VARS[@]}"; do
+  [ "${!var+set}" = "set" ] && CHROOT_PASSTHRU+=( "${var}=${!var}" )
 done
 
 # Run command or interactive shell.  Also include the non-chrooted path to

sdk_lib/make_chroot.sh

@@ -172,17 +172,11 @@ init_setup () {
    # the user's already typed in one sudo password...)
    # Make sure the sudoers.d subdir exists as older stage3 base images lack it.
    sudo mkdir -p "${FLAGS_chroot}/etc/sudoers.d"
-   sudo_clobber "${FLAGS_chroot}/etc/sudoers.d/90_cros" <<EOF
-Defaults env_keep += CROS_WORKON_SRCROOT
-Defaults env_keep += CHROMEOS_OFFICIAL
-Defaults env_keep += PORTAGE_USERNAME
-Defaults env_keep += http_proxy
-Defaults env_keep += ftp_proxy
-Defaults env_keep += all_proxy
-%adm ALL=(ALL) ALL
-root ALL=(ALL) ALL
-$USER ALL=NOPASSWD: ALL
-EOF
+
+   # Use the standardized upgrade script to setup proxied vars.
+   sudo bash -e "${SCRIPT_ROOT}/chroot_version_hooks.d/45_rewrite_sudoers.d" \
+     "${FLAGS_chroot}" "${USER}" "${ENVIRONMENT_WHITELIST[@]}"
+
    sudo find "${FLAGS_chroot}/etc/"sudoers* -type f -exec chmod 0440 {} +
    # Fix bad group for some.
    sudo chown -R root:root "${FLAGS_chroot}/etc/"sudoers*