Preserve sticky bit during image build

Enable docker buildkit so that sticky bits (for sudo, etc) are preserved
in the container image. They are dropped otherwise. This also requires
docker-ce, which the script will now alert you of if missing in your
environment.

Also remove override placeholders so they don't show up as patchset
changes after running image-builder in a local environment.

Change-Id: I80dfeb12ad6e8ebef71d1f7cf44ad39579ce0d6d

.gitignore

@@ -11,3 +11,5 @@ image-builder/config/*.iso
 image-builder/config/*.qcow2
 image-builder/config/*.md5sum
 image-builder/assets/playbooks/roles/multistrap/vars/main.yaml
+image-builder/assets/playbooks/roles/livecdcontent/vars/main.yaml
+image-builder/assets/playbooks/roles/osconfig/vars/main.yaml

image-builder/Makefile

@@ -52,15 +52,9 @@ images: build generate_iso package_qcow
 build:
 	set -ex
 	# Apply any user-defined rootfs overrides to playbooks
-	if [ -f $(WORKDIR)/rootfs/multistrap-vars.yaml ]; then
-	  cp $(WORKDIR)/rootfs/multistrap-vars.yaml assets/playbooks/roles/multistrap/vars/main.yaml
-	fi
-	if [ -f $(WORKDIR)/rootfs/osconfig-vars.yaml ]; then
-	  cp $(WORKDIR)/rootfs/osconfig-vars.yaml assets/playbooks/roles/osconfig/vars/main.yaml
-	fi
-	if [ -f $(WORKDIR)/rootfs/livecdcontent-vars.yaml ]; then
-	  cp $(WORKDIR)/rootfs/livecdcontent-vars.yaml assets/playbooks/roles/livecdcontent/vars/main.yaml
-	fi
+	cp $(WORKDIR)/rootfs/multistrap-vars.yaml assets/playbooks/roles/multistrap/vars/main.yaml
+	cp $(WORKDIR)/rootfs/osconfig-vars.yaml assets/playbooks/roles/osconfig/vars/main.yaml
+	cp $(WORKDIR)/rootfs/livecdcontent-vars.yaml assets/playbooks/roles/livecdcontent/vars/main.yaml
 ifneq ($(PROXY), )
 	sudo -E ./tools/docker_proxy.sh $(PROXY) $(NO_PROXY)
 	export http_proxy=$(PROXY)
@@ -72,7 +66,7 @@ ifneq ($(PROXY), )
 ifneq ($(SKIP_MULTISTRAP), true)
 	sudo -E ./tools/multistrap.sh $(WORKDIR)
 endif
-	sudo -E docker -D -l debug build --tag $(IMAGE) -f Dockerfile.$(DISTRO) . \
+	sudo -E DOCKER_BUILDKIT=1 docker -D -l debug build --tag $(IMAGE) -f Dockerfile.$(DISTRO) . \
 	--label $(LABEL) \
 	--label "org.opencontainers.image.revision=$(COMMIT)" \
 	--label "org.opencontainers.image.created=\
@@ -88,15 +82,20 @@ else
 ifneq ($(SKIP_MULTISTRAP), true)
 	sudo -E ./tools/multistrap.sh $(WORKDIR)
 endif
-	sudo -E docker -D -l debug build --tag $(IMAGE) -f Dockerfile.$(DISTRO) . \
+	sudo -E DOCKER_BUILDKIT=1 docker -D -l debug build --tag $(IMAGE) -f Dockerfile.$(DISTRO) . \
 	--label $(LABEL) \
 	--label "org.opencontainers.image.revision=$(COMMIT)" \
 	--label "org.opencontainers.image.created=\
 	$(shell date --rfc-3339=seconds --utc)" \
 	--label "org.opencontainers.image.title=$(IMAGE_NAME)"
 endif
+	imgId=`sudo docker images | grep 'image-builder ' | awk '{print $$3}'`
+	sudo -E DOCKER_BUILDKIT=1 docker run $$imgId ls -ltra /build/usr/bin/sudo > /tmp/sticky_result
+	sudo grep '^-rws' /tmp/sticky_result >& /dev/null || \
+		(echo Could not find sticky bit set on target image sudo binary. Are you using buildkit? && \
+		sudo cat /tmp/sticky_result && exit 1)
 ifeq ($(PUSH_IMAGE), true)
-	sudo -E docker push $(IMAGE)
+	sudo -E DOCKER_BUILDKIT=1 docker push $(IMAGE)
 endif
 
 cut_image:
@@ -138,14 +137,14 @@ package_qcow:
 	export IMAGE_TYPE=qcow
 	export EXPLICIT_DIRS=$(QCOW_CONF_DIRS)
 	sudo -E make cut_image
-	sudo -E docker -D -l debug build --tag $(QCOW_IMAGE) -f Dockerfile-qcow.$(DISTRO) $(WORKDIR) \
+	sudo -E DOCKER_BUILDKIT=1 docker -D -l debug build --tag $(QCOW_IMAGE) -f Dockerfile-qcow.$(DISTRO) $(WORKDIR) \
 	--label $(LABEL) \
 	--label "org.opencontainers.image.revision=$(COMMIT)" \
 	--label "org.opencontainers.image.created=\
 	$(shell date --rfc-3339=seconds --utc)" \
 	--label "org.opencontainers.image.title=$(QCOW_IMAGE_NAME)"
 ifeq ($(PUSH_IMAGE), true)
-	sudo -E docker push $(QCOW_IMAGE)
+	sudo -E DOCKER_BUILDKIT=1 docker push $(QCOW_IMAGE)
 endif
 
 tests:

image-builder/assets/playbooks/roles/livecdcontent/vars/main.yaml

@@ -1 +0,0 @@
-# This file will be overwritten by the container entrypoint with user-provided vars, if any are defined.

image-builder/assets/playbooks/roles/osconfig/vars/README.md

@@ -0,0 +1 @@
+

image-builder/assets/playbooks/roles/osconfig/vars/main.yaml

@@ -1 +0,0 @@
-# NOTE: This file will be *overwritten* by the container entrypoint with user-provided vars, if any are defined.

image-builder/tools/cut_image.sh

@@ -56,7 +56,10 @@ install_pkg libvirt-daemon-system
 install_pkg libvirt-clients
 install_pkg cloud-image-utils
 install_pkg ovmf
-type docker >& /dev/null || install_pkg docker.io
+type docker >& /dev/null || (echo "Error: You do not have docker installed in your environment." && exit 1)
+sudo docker version | grep Community >& /dev/null || (echo "Error: Could not find Community version of docker" && \
+	echo "You must uninstall docker.io and install docker-ce. For instructions, see https://docs.docker.com/engine/install/ubuntu/" && \
+	exit 1)
 
 if [ -d /sys/firmware/efi ]; then
   uefi_mount='--volume /sys/firmware/efi:/sys/firmware/efi:rw'

image-builder/tools/multistrap.sh

@@ -63,7 +63,10 @@ fi
 install_pkg efivar
 # required for building UEFI image
 sudo -E modprobe efivars
-type docker >& /dev/null || install_pkg docker.io
+type docker >& /dev/null || (echo "Error: You do not have docker installed in your environment." && exit 1)
+sudo docker version | grep Community >& /dev/null || (echo "Error: Could not find Community version of docker" && \
+	echo "You must uninstall docker.io and install docker-ce. For instructions, see https://docs.docker.com/engine/install/ubuntu/" && \
+	exit 1)
 install_pkg equivs
 install_pkg ca-certificates
 install_pkg build-essential