So, instead we need to use the kojibuilder user on the acl. That should
match up to the mockbuild user in the chroot.
Hopefully.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We need also to allow pesign to the dir/socket so it can start and then
we need kojibuilder access to the socket too.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
We have to use acls here because the mock chroot has its own user/group
files and it dynamically adds users, but if we use acls it will look up
the user and do the right thing because the name is the same.
(Hopefully)
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This used to get set in pesignd when it started, but upstream has
dropped that because it's more of a local config issue.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
It is better to keep the Mock's default for `nspawn_args`, and just
append to them (mock can change that configuration option dynamically).
Complements: b6669bc5f6
We want to keep the old mock bind mount for non-rawhide branches, but
rawhide is using nspawn, so we want to add a directive there to pass
'--bind' to it to correctly mount the pesign socket directory so kernels
can be signed for secure boot.
See https://github.com/rpm-software-management/mock/issues/140
Moving forward this could be fixed in mock, in which case we remove the
nspawn args. Or it could be fixed by pesign moving the socket directory,
in which case we remove nspawn args and adjust the old mock bind mount
to the new location. For now, this works around the current crop of
issues.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
This caused a bit of trouble since I disabled nosync in the kojibuilder
role. I think applied that with -t site-defaults, which updated
everything, _including_ bkernel machines. Sadly, bkernel machines have
additional config in site-defaults to allow for secure boot signing and
this was lost. So, make sure only the bkernel role changes site-defaults
on bkernel machines and also drop nosync from its private config.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Put all the rules in the kojibuilder file so we can just nuke the phx2
part later and not have to move groups around, etc.
Also, nuke the old unused bkernel network template.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>