Clean up credentials and temporary folders

industrial_ci/scripts/rerun_ci

@@ -71,7 +71,7 @@ if docker image inspect "$DOCKER_COMMIT" &> /dev/null; then
   force_env+=("DOCKER_IMAGE=$DOCKER_COMMIT"  "DOCKER_PULL=false")
 fi
 
-env -i "${keep_env[@]}" "$script_dir/run_ci" "$repo_dir" DOCKER_COMMIT_CREDENTIALS=false "$@" "${force_env[@]}" || ret=$?
+env -i "${keep_env[@]}" "$script_dir/run_ci" "$repo_dir" "$@" "${force_env[@]}" || ret=$?
 
 echo "Please do not forget to clean-up: docker rmi $DOCKER_COMMIT"
 

industrial_ci/src/ci_main.sh

@@ -24,6 +24,7 @@ set -e # exit script on errors
 [[ "${BASH_VERSINFO[0]}_${BASH_VERSINFO[1]}" < "4_4" ]] || set -u
 
 export ICI_SRC_PATH; ICI_SRC_PATH="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"  # The path on CI service (e.g. Travis CI) to industrial_ci src dir.
+ _CLEANUP=""
 
 # shellcheck source=industrial_ci/src/env.sh
 source "${ICI_SRC_PATH}/env.sh"

industrial_ci/src/deprecated.sh

@@ -90,3 +90,5 @@ if [ "${DOCKER_PULL:-true}" = true ]; then
 else
   ici_removed_hook prepare_docker_image "Hook 'prepare_docker_image' got removed."
 fi
+
+ici_mark_deprecated DOCKER_COMMIT_CREDENTIALS "Credentials will be copied, but never committed!"

industrial_ci/src/env.sh

@@ -68,4 +68,3 @@ export TARGET_CMAKE_ARGS=${TARGET_CMAKE_ARGS:-}
 
 export UPSTREAM_CMAKE_ARGS=${UPSTREAM_CMAKE_ARGS:-}
 export UPSTREAM_WORKSPACE=${UPSTREAM_WORKSPACE:-}
-

industrial_ci/src/isolation/docker.sh

@@ -17,7 +17,7 @@
 
 export DOCKER_COMMIT=${DOCKER_COMMIT:-}
 export DOCKER_COMMIT_MSG=${DOCKER_COMMIT_MSG:-}
-export DOCKER_COMMIT_CREDENTIALS=${DOCKER_COMMIT_CREDENTIALS:-}
+export DOCKER_CREDENTIALS=${DOCKER_CREDENTIALS-.docker .ssh .subversion}
 export DOCKER_PULL=${DOCKER_PULL:-true}
 
 # ici_forward_mount VARNAME/FILE rw/ro [PATH]
@@ -78,7 +78,7 @@ function ici_isolate() {
       # $BASEDIR is most-likely contained in $TARGET_REPO_PATH
       # copy target repo to temporary folder first
       local tmp_src
-      tmp_src=$(mktemp -d)
+      ici_make_temp_dir tmp_src
       cp -a "$TARGET_REPO_PATH" "$tmp_src/"
       export TARGET_REPO_PATH;
       TARGET_REPO_PATH="$tmp_src/$(basename "$TARGET_REPO_PATH")"
@@ -120,53 +120,63 @@ function ici_isolate() {
 #   (None)
 #######################################
 function ici_run_cmd_in_docker() {
-  local commit_image=$DOCKER_COMMIT
-  DOCKER_COMMIT=
+  local credentials=()
+  ici_parse_env_array credentials DOCKER_CREDENTIALS
+  local to_copy=()
+  local cleanup=""
+
+  for d in "${credentials[@]}"; do
+    if [ -d "$HOME/$d" ]; then
+      to_copy+=(~/"$d")
+      # shellcheck disable=SC2088
+      cleanup=$(ici_join_array : "$cleanup" "~/$d")
+    fi
+  done
 
+  local opts=(--env-file "${ICI_SRC_PATH}/isolation/docker.env")
+  if [ -z "$DOCKER_COMMIT" ]; then
+    opts+=(--rm)
+  else
+    opts+=(-e "_CLEANUP=$cleanup")
+  fi
 
   local cid
-  cid=$(docker create --env-file "${ICI_SRC_PATH}/isolation/docker.env" "$@")
+  cid=$(docker create "${opts[@]}" "$@")
 
   # detect user inside container
   local image
   image=$(docker inspect --format='{{.Config.Image}}' "$cid")
-  docker_uid=$(docker run --rm --entrypoint '' "$image" id -u)
-  docker_gid=$(docker run --rm --entrypoint '' "$image" id -g)
+  local docker_query=()
+  # shellcheck disable=SC2016
+  IFS=" " read -r -a docker_query <<< "$(docker run --rm --entrypoint '/bin/sh' "$image" -c 'echo "$(id -u) $(id -g) $HOME"')"
 
   # pass common credentials to container
-  if [ "$DOCKER_COMMIT_CREDENTIALS" != false ]; then
-    for d in .docker .ssh .subversion; do
-      if [ -d "$HOME/$d" ]; then
-        if [ -z "$commit_image" ] || [ "$DOCKER_COMMIT_CREDENTIALS" = true ]; then
-          docker_cp "$HOME/$d" "$cid:/root/"
-        else
-          ici_warn "Will not bundle'$d' unless 'DOCKER_COMMIT_CREDENTIALS=true'"
-        fi
-      fi
-    done
-  fi
+  for d in "${to_copy[@]}"; do
+    ici_warn "Copy credentials: $d"
+    docker_cp "$d" "$cid:${docker_query[*]:2}/" "${docker_query[0]}" "${docker_query[1]}"
+  done
 
   docker start -a "$cid" &
-  trap 'docker kill $cid' INT
+  trap 'docker kill --signal=SIGTERM $cid' INT
   local ret=0
   wait %% || ret=$?
   trap - INT
-  if [ -n "$commit_image" ]; then
-    echo "Committing container to tag: '$commit_image'"
+  if [ -n "$DOCKER_COMMIT" ]; then
+    echo "Committing container to tag: '$DOCKER_COMMIT'"
     local msg=()
     if [ -n "$DOCKER_COMMIT_MSG" ]; then
       msg=(-m "$DOCKER_COMMIT_MSG")
     fi
-    ici_quiet docker commit "${msg[@]}" "$cid" "$commit_image"
+    ici_quiet docker commit "${msg[@]}" "$cid" "$DOCKER_COMMIT"
+    ici_quiet docker rm "$cid"
   fi
-  ici_quiet docker rm "$cid"
   return $ret
 }
 
 # work-around for https://github.com/moby/moby/issues/34096
 # ensures that copied files are owned by the target user
 function docker_cp {
   set -o pipefail
-  tar --numeric-owner --owner="${docker_uid:-root}" --group="${docker_gid:-root}" -c -f - -C "$(dirname "$1")" "$(basename "$1")" | docker cp - "$2"
+  tar --numeric-owner --owner="${3:-root}" --group="${4:-root}" -c -f - -C "$(dirname "$1")" "$(basename "$1")" | docker cp - "$2"
   set +o pipefail
 }

industrial_ci/src/run.sh

@@ -22,6 +22,7 @@
 
 set -e # exit script on errors
 [[ "${BASH_VERSINFO[0]}_${BASH_VERSINFO[1]}" < "4_4" ]] || set -u
+_CLEANUP=${_CLEANUP-}
 
 # shellcheck source=industrial_ci/src/env.sh
 source "${ICI_SRC_PATH}/env.sh"

industrial_ci/src/tests/clang_format_check.sh

@@ -21,7 +21,8 @@ function prepare_clang_format_check() {
 
 function run_clang_format_check() {
   local err=0
-  local path; path=$(mktemp -d)
+  local path
+  ici_make_temp_dir path
 
   # Check whether a specific version of clang-format is desired
   local clang_format_executable="clang-format${CLANG_FORMAT_VERSION:+-$CLANG_FORMAT_VERSION}"

industrial_ci/src/util.sh

@@ -192,8 +192,17 @@ function ici_exit {
     local exit_code=${1:-$?}  # If 1st arg is not passed, set last error code.
     trap - EXIT # Reset signal handler since the shell is about to exit.
 
+    local cleanup=()
+    # shellcheck disable=SC2016
+    IFS=: command eval 'cleanup=(${_CLEANUP})'
+    for c in "${cleanup[@]}"; do
+      ici_warn Cleaning up "${c/#\~/$HOME}"
+      rm -rf "${c/#\~/$HOME}"
+    done
+
     # end fold if needed
     if [ -n "$ICI_FOLD_NAME" ]; then
+        local color_wrap=${ANSI_GREEN}
         if [ "$exit_code" -ne "0" ]; then color_wrap=${ANSI_RED}; fi  # Red color for errors
         ici_time_end "$color_wrap" "$exit_code"
     fi
@@ -388,6 +397,28 @@ function ici_source_builder {
   ici_source_component BUILDER builders
 }
 
+function ici_join_array {
+  local sep=$1
+  shift
+  local res=""
+  for elem in "$@"; do
+    if [ -n "$elem" ]; then
+      res+="$sep$elem"
+    fi
+  done
+  echo "${res#$sep}"
+}
+
+function ici_cleanup_later {
+  _CLEANUP=$(ici_join_array : "$_CLEANUP" "$@")
+}
+
+function ici_make_temp_dir {
+  local -n ici_make_temp_dir_res=$1;
+  ici_make_temp_dir_res=$(mktemp -d)
+  ici_cleanup_later "$ici_make_temp_dir_res"
+}
+
 # shellcheck disable=SC1090
 
 ici_source_component _FOLDING_TYPE folding