busbey commented on a change in pull request #1620:
URL: https://github.com/apache/hbase/pull/1620#discussion_r426321658



##########
File path: dev-support/create-release/do-release-docker.sh
##########
@@ -151,21 +200,53 @@ GIT_NAME=$GIT_NAME
 GIT_EMAIL=$GIT_EMAIL
 GPG_KEY=$GPG_KEY
 ASF_PASSWORD=$ASF_PASSWORD
-GPG_PASSPHRASE=$GPG_PASSPHRASE
 RELEASE_STEP=$RELEASE_STEP
 RELEASE_STEP=$RELEASE_STEP
 API_DIFF_TAG=$API_DIFF_TAG
 EOF
 
-JAVA_VOL=
+JAVA_MOUNT=()
 if [ -n "$JAVA" ]; then
   echo "JAVA_HOME=/opt/hbase-java" >> "$ENVFILE"
-  JAVA_VOL="--volume $JAVA:/opt/hbase-java"
+  JAVA_MOUNT=(--mount "type=bind,src=${JAVA},dest=/opt/hbase-java,readonly")
+fi
+
+GPG_PROXY_MOUNT=()
+if [ "${HOST_OS}" == "DARWIN" ]; then
+  GPG_PROXY_MOUNT=(--mount 
"type=volume,src=gpgagent,dst=/home/${USER}/.gnupg/")
+  echo "Setting up GPG agent proxy container needed on OS X."
+  echo "       we should clean this up for you. If that fails the container ID 
is below and in " \
+      "gpg-proxy.cid"
+  #TODO the key pair used should be configurable
+  docker run --rm -p 62222:22 \
+     --detach --cidfile "${WORKDIR}/gpg-proxy.cid" \
+     --mount \
+     
"type=bind,src=${HOME}/.ssh/id_rsa.pub,dst=/home/${USER}/.ssh/authorized_keys,readonly"
 \
+     "${GPG_PROXY_MOUNT[@]}" \
+     "org.apache.hbase/gpg-agent-proxy:${IMGTAG}"
+  echo "Launching ssh reverse tunnel from the container to gpg agent."
+  echo "       we should clean this up for you. If that fails the PID is in 
gpg-proxy.ssh.pid"
+  ssh -p 62222 -R "/home/${USER}/.gnupg/S.gpg-agent:$(gpgconf --list-dir 
agent-extra-socket)" \
+      -i "${HOME}/.ssh/id_rsa" -N -n localhost &
+  echo $! > "${WORKDIR}/gpg-proxy.ssh.pid"
+else
+  # TODO this presumes we are still trying to make a local gpg-agent available 
to the container.
+  #      add an option so that we can run the buid on a remote machine and get 
the forwarded
+  #      gpg-agent in the container. Should look like the side-car container 
mount above.
+  #      it is important not to do that for a local linux agent because we 
only want the container
+  #      to get access to the restricted extra socket on our local gpg-agent.
+  GPG_PROXY_MOUNT=(--mount \
+      "type=bind,src=$(gpgconf --list-dir 
agent-extra-socket),dst=/home/${USER}/.gnupg/S.gpg-agent")
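Review bot: The proxy container is started with `-p 62222:22`, which publishes the container's sshd on every host interface, while the only client is the `ssh -p 62222 ... localhost` reverse tunnel a few lines below; binding to loopback, `docker run --rm -p 127.0.0.1:62222:22 \`, keeps the endpoint that exposes the gpg-agent socket off the network without changing the tunnel. The test on the `HOST_OS` line uses `==` inside single brackets, which is a bashism that POSIX `[` does not guarantee; since the file already uses arrays, `if [[ "${HOST_OS}" == "DARWIN" ]]; then` is the consistent form. Neither the `docker run` nor the backgrounded `ssh` has its status checked before its id is written to `gpg-proxy.cid`/`gpg-proxy.ssh.pid`, so a failed launch is only noticed later; whether `set -e` is in effect is not visible here. The `if`/`else` block continues past the end of the quoted hunk.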

Review comment:
       yeah. I think I can make this less complicated by giving docs on how to 
proxy your gpg-agent to a remote host. gonna work through that next now that I 
have local execution on my mac working.



