bkernel: add config for nspawn bind mount

We want to keep the old mock bind mount for non rawhide branches, but rawhide is using nspawn, so we want to add a directive there to pass '--bind' to it to correctly mount the pesign socket directory so kernels can be signed for secure boot. See https://github.com/rpm-software-management/mock/issues/140 Moving forward this could be fixed in mock, in which case we remove the nspawn args. Or it could be fixed by pesign moving the socket directory, in which case we remove nspawn args and adjust the old mock bind mount to the new location. For now, this works around the current crop of issues. Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2022-09-01 12:58:18 -07:00 · 2022-09-01 12:58:18 -07:00 · b6669bc5f6
commit b6669bc5f6
parent c6659c5a0f
1 changed files with 1 additions and 0 deletions
--- a/roles/bkernel/files/bkernel-site-defaults.cfg
+++ b/roles/bkernel/files/bkernel-site-defaults.cfg
@ -1,5 +1,6 @@
 # mount the pesign socket into the chroot
 config_opts['plugin_conf']['bind_mount_opts']['dirs'].append(('/var/run/pesign', '/var/run/pesign' ))
+config_opts['nspawn_args'] = ['--capability=cap_ipc_lock','--bind=/var/run/pesign']
 config_opts['plugin_conf']['package_state_enable'] = False
 config_opts['macros']['%bugurl'] = 'https://bugz.fedoraproject.org/%name'
 #config_opts['nosync'] = True