mirrors/flatcar-scripts
1
0
Fork 0
mirror of https://github.com/flatcar/scripts.git synced 2025-12-22 17:52:12 +01:00
Code Issues Packages Projects Releases Wiki Activity
flatcar-scripts/sdk_lib/Dockerfile.sdk-build
Daniel f05097d82f
Fix kernel module signing with ephemeral keys for official builds (#3493) 
* sdk: Fix ephemeral key directory paths baked into container images

The SDK container build process was persisting temporary directory
paths for module signing keys into /home/sdk/.bashrc. This caused
all container instances to share the same ephemeral key location.

Fixed by:
- Runtime check in sdk_entry.sh to recreate stale temp directories
- Build-time cleanup in Dockerfiles to remove the variables

Each container instance now gets unique temporary directories.

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>

* sdk_entry: use persistent module signing keys for unofficial builds

For official builds (COREOS_OFFICIAL=1), continue using ephemeral
temporary directories for module signing keys.

For unofficial/development builds, use a persistent directory at
/mnt/host/source/.module-signing-keys to preserve keys across
container restarts.

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>

---------

Signed-off-by: Daniel Zatovic <daniel.zatovic@gmail.com>
2025-11-20 09:56:49 +01:00

25 lines
1.0 KiB
Docker
Raw Blame History

ARG VERSION=9999.99.99-version-missing
FROM flatcar-sdk-import:${VERSION}
ARG BINHOST
ARG OFFICIAL=0
# mark build as official where appropriate
RUN echo "export COREOS_OFFICIAL=$OFFICIAL" > /mnt/host/source/.env
RUN /home/sdk/sdk_entry.sh ./setup_board --board="arm64-usr" --binhost="${BINHOST}/arm64-usr"
RUN /home/sdk/sdk_entry.sh ./setup_board --board="arm64-usr" --regen_configs
RUN /home/sdk/sdk_entry.sh ./build_packages --board="arm64-usr" --only_resolve_circular_deps
RUN /home/sdk/sdk_entry.sh ./setup_board --board="amd64-usr" --binhost="${BINHOST}/amd64-usr"
RUN /home/sdk/sdk_entry.sh ./setup_board --board="amd64-usr" --regen_configs
RUN /home/sdk/sdk_entry.sh ./build_packages --board="amd64-usr" --only_resolve_circular_deps
RUN rm /mnt/host/source/.env
RUN rm -rf /home/sdk/toolchain-pkgs
# Clean up ephemeral key directory variables that were added during build
RUN sed -i -e '/export MODULE_SIGNING_KEY_DIR=/d' \
-e '/export MODULES_SIGN_KEY=/d' \
-e '/export MODULES_SIGN_CERT=/d' /home/sdk/.bashrc
Reference in New Issue View Git Blame Copy Permalink