From b6669bc5f619344f212977f1e534316ffcd48245 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Thu, 1 Sep 2022 12:58:18 -0700
Subject: [PATCH] bkernel: add config for nspawn bind mount
We want to keep the old mock bind mount for non rawhide branches, but rawhide is using nspawn, so we want to add a directive there to pass '--bind' to it to correctly mount the pesign socket directory so kernels can be signed for secure boot. See https://github.com/rpm-software-management/mock/issues/140 Moving forward this could be fixed in mock, in which case we remove the nspawn args. Or it could be fixed by pesign moving the socket directory, in which case we remove nspawn args and adjust the old mock bind mount to the new location. For now, this works around the current crop of issues.
Signed-off-by: Kevin Fenzi
---
 roles/bkernel/files/bkernel-site-defaults.cfg | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/bkernel/files/bkernel-site-defaults.cfg b/roles/bkernel/files/bkernel-site-defaults.cfg
index 5a26c23346..988af48f8d 100644
--- a/roles/bkernel/files/bkernel-site-defaults.cfg
+++ b/roles/bkernel/files/bkernel-site-defaults.cfg
@@ -1,5 +1,6 @@
 # mount the pesign socket into the chroot
 config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign' ))
+config_opts['nspawn_args'] = ['--capability=cap_ipc_lock','--bind=/var/run/pesign']
 config_opts['plugin_conf']['package_state_enable'] = False
 config_opts['macros']['%bugurl'] = 'https://bugz.fedoraproject.org/%name'
 #config_opts['nosync'] = True
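Review bot: The added `config_opts['nspawn_args'] = [...]` line assigns the whole list, whereas the bind_mount line above it appends, so any nspawn arguments already in effect when this file is read are silently replaced by these two. If mock has populated the key by then (not visible from this hunk), extending it keeps future defaults intact: `config_opts['nspawn_args'] = config_opts.get('nspawn_args', []) + ['--bind=/var/run/pesign']`. Because this is a site-defaults file, the signing socket directory is also bound read-write into every nspawn build on the host, so access control rests entirely on pesign's own socket permissions and authorization; that is worth confirming on the builders. The commit message calls this a temporary workaround, but the file does not say so; a comment such as `# workaround for rpm-software-management/mock#140: remove once mock or pesign handles the socket dir` above the line would keep it from outliving its purpose.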