authorStefan K. Berg <stefan.k.berg@ericsson.com>2015-11-05 14:17:54 +0100
committerStefan K. Berg <stefan.k.berg@ericsson.com>2015-11-05 16:31:31 +0100
commitbae859e2a47befeb3c6a97988dc778daf66e37bd (patch)
tree8efc7f9dbefd3dfeb06dc95f091286206f20649d
parent2e79518efec3286008deadcd6709e74d4cac11ea (diff)
Removed bind mount of .ssh in runcontext
Previously the .ssh directory of the invoking user was bind mounted into the build container. This behavior is now removed. The ssh keys in the user's .ssh are however *copied* into the container if, and only if, the RSYNC_CONNECT_PROG environment variable has been set, as this indicates the need to tunnel rsync traffic over (presumably) ssh. In this case the keys may actually be needed. In both cases the .ssh/config file will be updated with the StrictHostKeyChecking=no option to prevent failure due to the ssh confirmation dialogue. Change-Id: Ic2ecc9d7a9abfa796bdfa6aaa8cde0dcb632d76e Signed-off-by: Stefan K. Berg <stefan.k.berg@ericsson.com>
-rwxr-xr-xfuel/build/docker/runcontext50
1 files changed, 37 insertions, 13 deletions
diff --git a/fuel/build/docker/runcontext b/fuel/build/docker/runcontext
index a874fb8e9..f9065a01f 100755
--- a/fuel/build/docker/runcontext
+++ b/fuel/build/docker/runcontext
@@ -16,8 +16,9 @@ set -e
#
do_exit () {
- CID=`cat $CID_FILE`
+ CID=`cat $CID_FILE </dev/null`
rm -f $CID_FILE
+ rm -rf $CONTEXT_DIR
set +e
docker kill $CID > /dev/null 2>&1
docker rm -f $CID > /dev/null 2>&1
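Review bot: The added `rm -rf $CONTEXT_DIR` runs while `set -e` is still in effect and after `cat $CID_FILE`, and `$CID_FILE` comes from `mktemp -u`, so that file does not exist until docker run creates it. If the script exits before then (for example on a failed docker build), the cat fails and the handler probably stops there, leaving the context directory, which may hold a copy of the user's SSH keys, on disk. Moving `set +e` to the first line of do_exit and quoting the path, `rm -rf -- "$CONTEXT_DIR"`, would cover both the early exit and a checkout path containing whitespace. do_exit continues past the end of this hunk.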
@@ -29,24 +30,47 @@ do_exit () {
# End of Exit handlers
############################################################################
-
trap do_exit SIGINT SIGTERM EXIT
context=$1
shift
-GID=`id -g`
+USER_ID=`id -u`
USER=`whoami`
-res=`docker build -q --force-rm - <<EOF
+GROUP_ID=`id -g`
+
+GITROOT=`git rev-parse --show-toplevel`
+CID_FILE=`mktemp -u -t runcontext.XXXXXXXXXX`
+CONTEXT_DIR=`mktemp -d ${GITROOT}/.docker_contextXXXXXX`
+
+# If RSYNC_CONNECT_PROG is used, we need to copy all of
+# the SSH structure, should one of the keys need to be
+# used.
+if [ -n "$RSYNC_CONNECT_PROG" -a -x $HOME/.ssh ]; then
+ cp -rp $HOME/.ssh $CONTEXT_DIR
+ rm -f $CONTEXT_DIR/.ssh/known_hosts
+else
+ mkdir $CONTEXT_DIR/.ssh
+fi
+
+# Disable verification of unknown keys
+cat >> $CONTEXT_DIR/.ssh/config <<EOF
+StrictHostKeyChecking=no
+EOF
+
+cat > $CONTEXT_DIR/Dockerfile <<EOF
FROM $context
$(env | egrep -i 'proxy|rsync' | sed 's/^/ENV /' | sed 's/=/ /')
RUN date || date
-RUN /root/setcontext $USER $UID $GID $HOME
-EOF`
-GITROOT=`git rev-parse --show-toplevel`
+COPY .ssh $HOME/.ssh
+RUN chown -R $USER_ID:$GROUP_ID $HOME/.ssh
+RUN chown -R $USER_ID:$GROUP_ID $HOME
+RUN chmod 700 $HOME/.ssh
+RUN /root/setcontext $USER $USER_ID $GROUP_ID $HOME
+EOF
+
+res=`docker build -q --force-rm $CONTEXT_DIR`
IID=`echo $res | sed 's/.* //'`
-CID_FILE=`mktemp -u -t runcontext.XXXXXXXXXX`
-
# Handle proxy settings passed to the context
if env | grep -iq .*proxy; then
envfile="$(readlink -f $(dirname $0)/..)/environment.mk"
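Review bot: `COPY .ssh $HOME/.ssh` writes the invoking user's private keys into an image layer whenever RSYNC_CONNECT_PROG is set, and nothing visible here removes that image afterwards, so the keys stay readable to anyone with access to the local Docker daemon (`--force-rm` only removes intermediate containers). If do_exit does not already do so outside this view, consider `docker rmi -f $IID > /dev/null 2>&1` after the container is removed. The `cat >> $CONTEXT_DIR/.ssh/config` append also lands after any `Host` block in a copied config, so `StrictHostKeyChecking=no` would then apply to that last block only; writing the option to a fresh file first and appending the user's config after it makes it global. Since host key checking is turned off and known_hosts is deleted while real keys are present, shipping a known_hosts with the expected rsync host key would be the safer way to avoid the prompt.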
@@ -62,9 +86,9 @@ if env | grep -iq .*proxy; then
# Make sure to add the Docker socket in no_proxy
if [ -n "$my_no_proxy" ]; then
- my_no_proxy+=",/var/run/docker.sock"
+ my_no_proxy+=",/var/run/docker.sock"
else
- my_no_proxy="/var/run/docker.sock"
+ my_no_proxy="/var/run/docker.sock"
fi
echo "Creating $envfile"
@@ -87,11 +111,11 @@ if [ -n "$CACHEBASE" ]; then
fi
fi
-RUN_CONTEXT_OPT="--cidfile $CID_FILE --privileged=true --rm -e HOME=$HOME -e CACHEDEBUG -e CACHETRANSPORT -e CACHEMAXAGE -e CACHEBASE -u $USER -w $PWD -v ${HOME}/.ssh:${HOME}/.ssh -v $GITROOT:$GITROOT $CACHEMOUNT"
+RUN_CONTEXT_OPT="--cidfile $CID_FILE --privileged=true --rm -e HOME=$HOME -e CACHEDEBUG -e CACHETRANSPORT -e CACHEMAXAGE -e CACHEBASE -u $USER_ID:$GROUP_ID -w $PWD -v $GITROOT:$GITROOT $CACHEMOUNT"
# Passing "debug" puts up an interactive bash shell
if [ "$1" == "debug" ]; then
- echo command: docker run ${RUN_CONTEXT_OPT} $IID $@
+ echo command: docker run ${RUN_CONTEXT_OPT} $IID bash
docker run -i -t ${RUN_CONTEXT_OPT} $IID bash
else
echo command: docker run ${RUN_CONTEXT_OPT} $IID $@
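Review bot: The `-v $GITROOT:$GITROOT` mount kept in the new RUN_CONTEXT_OPT still carries a copy of `.ssh` into the container's view of the tree, because the build context is created with `mktemp -d ${GITROOT}/.docker_contextXXXXXX` and is only removed in do_exit. For the whole run a stray copy of the private keys therefore sits inside the working tree, where a build step that archives or `git add`s the tree could pick it up. The context is not needed once the image exists, so `rm -rf -- "$CONTEXT_DIR"` directly after the `docker build` line, or creating the directory outside the git root with `mktemp -d -t`, would shorten that window. The `if` block that starts in this hunk continues past its last line.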