* sdk: Fix ephemeral key directory paths baked into container images
The SDK container build process was persisting temporary directory
paths for module signing keys into /home/sdk/.bashrc. This caused
all container instances to share the same ephemeral key location.
Fixed by:
- Runtime check in sdk_entry.sh to recreate stale temp directories
- Build-time cleanup in Dockerfiles to remove the variables
Each container instance now gets unique temporary directories.
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
* sdk_entry: use persistent module signing keys for unofficial builds
For official builds (COREOS_OFFICIAL=1), continue using ephemeral
temporary directories for module signing keys.
For unofficial/development builds, use a persistent directory at
/mnt/host/source/.module-signing-keys to preserve keys across
container restarts.
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
---------
Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
This change temporarily disables the Gentoo sandbox when updating the
SDK to work around sandbox permission errors some pakage builds (like
e.g. GO) run into.
Fixes e.g.
```
Building Go cmd/dist using /usr/lib/go-bootstrap. (go1.5.3 linux/amd64)
* /var/tmp/portage/sys-apps/sandbox-2.12/work/sandbox-2.12/libsandbox/trace.c:do_peekstr():125: failure (Operation not permitted):
* ISE:do_peekstr:process_vm_readv(6863, 0x00007ffe4a502180{0x00007f01abd3e010, 0x570}, 1, 0x00007ffe4a502190{0x000000c820012a90, 0x570}, 1, 0) failed: Operation not permitted
* ERROR: dev-lang/go-1.17.8::coreos failed (compile phase):
```
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
This change introduces update_sdk_container_image, a script to generate
a new SDK container image based on an existing SDK container. The
script is meant to be used for minor / patch level SDK changes (like
test suite updates).
Signed-off-by: Thilo Fromm <thilo@kinvolk.io>
