#!/bin/sh
#
# kas - setup tool for bitbake based projects
#
# Copyright (c) Siemens AG, 2018-2025
#
# Authors:
#  Jan Kiszka <jan.kiszka@siemens.com>
#
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.

set -e

KAS_CONTAINER_SCRIPT_VERSION="5.0"
KAS_IMAGE_VERSION_DEFAULT="${KAS_CONTAINER_SCRIPT_VERSION}"
KAS_CONTAINER_IMAGE_DISTRO_DEFAULT=""
KAS_CONTAINER_IMAGE_PATH_DEFAULT="ghcr.io/siemens/kas"
KAS_CONTAINER_IMAGE_NAME_DEFAULT="kas"
KAS_CONTAINER_SELF_NAME="$(basename "$0")"

# usage [exit_code]
usage()
{
	EXIT_CODE="$1"
	SELF="${KAS_CONTAINER_SELF_NAME}"

	printf "%b" "Usage: ${SELF} [OPTIONS] { build | shell } [KASOPTIONS] [KASFILE]\n"
	printf "%b" "       ${SELF} [OPTIONS] { checkout | dump | lock } [KASOPTIONS] [KASFILE]\n"
	printf "%b" "       ${SELF} [OPTIONS] { diff } [KASOPTIONS] config1 config2\n"
	printf "%b" "       ${SELF} [OPTIONS] for-all-repos [KASOPTIONS] [KASFILE] COMMAND\n"
	printf "%b" "       ${SELF} [OPTIONS] { clean | cleansstate | cleanall | purge} [KASFILE]\n"
	printf "%b" "       ${SELF} [OPTIONS] menu [KCONFIG]\n"
	printf "%b" "\nPositional arguments:\n"
	printf "%b" "build\t\t\tCheck out repositories and build target.\n"
	printf "%b" "checkout\t\tCheck out repositories but do not build.\n"
	printf "%b" "dump\t\t\tCheck out repositories and write flat version\n"
	printf "%b" "    \t\t\tof config to stdout.\n"
	printf "%b" "lock\t\t\tCreate and update kas project lockfiles\n"
	printf "%b" "shell\t\t\tRun a shell in the build environment.\n"
	printf "%b" "for-all-repos\t\tRun specified command in each repository.\n"
	printf "%b" "clean\t\t\tClean build artifacts, keep sstate cache and " \
		    "downloads.\n"
	printf "%b" "cleansstate\t\tClean build artifacts and sstate cache, " \
		    "keep downloads.\n"
	printf "%b" "cleanall\t\tClean build artifacts, sstate cache and " \
		    "downloads.\n"
	printf "%b" "purge\t\t\tRemove all data managed by kas. Run with '--dry-run'\n"
	printf "%b" "     \t\t\tto check what would be removed\n"
	printf "%b" "menu\t\t\tProvide configuration menu and trigger " \
		    "configured build.\n"
	printf "%b" "\nOptional arguments:\n"
	printf "%b" "--isar\t\t\tUse kas-isar container to build Isar image. To force\n"
	printf "%b" "      \t\t\tthe use of run0 over sudo, set KAS_SUDO_CMD=run0.\n"
	printf "%b" "--with-loop-dev		Pass a loop device to the " \
		    "container. Only required if\n"
	printf "%b" "\t\t\tloop-mounting is used by recipes.\n"
	printf "%b" "--runtime-args\t\tAdditional arguments to pass to the " \
			"container runtime\n"
	printf "%b" "\t\t\tfor running the build.\n"
	printf "%b" "-l, --log-level\t\tSet log level (default=info).\n"
	printf "%b" "--version\t\tprint program version.\n"
	printf "%b" "--ssh-dir\t\tDirectory containing SSH configurations.\n"
	printf "%b" "\t\t\tAvoid \$HOME/.ssh unless you fully trust the " \
		    "container.\n"
	printf "%b" "--ssh-agent\t\tForward ssh-agent socket to the container.\n"
	printf "%b" "--aws-dir\t\tDirectory containing AWScli configuration.\n"
	printf "%b" "--git-credential-store\tFile path to the git credential " \
		    "store\n"
	printf "%b" "--no-proxy-from-env\tDo not inherit proxy settings from " \
		    "environment.\n"
	printf "%b" "--repo-ro\t\tMount current repository read-only\n" \
		    "\t\t\t(default for build command)\n"
	printf "%b" "--repo-rw\t\tMount current repository writable\n" \
		    "\t\t\t(default for shell command)\n"
	printf "%b" "-h, --help\t\tShow this help message and exit.\n"
	printf "%b" "\n"
	printf "%b" "You can force the use of podman over docker using " \
		    "KAS_CONTAINER_ENGINE=podman.\n"

	exit "${EXIT_CODE:-1}"
}

fatal_error()
{
	echo "${KAS_CONTAINER_SELF_NAME}: Error: $*" >&2
	exit 1
}

warning()
{
	echo "${KAS_CONTAINER_SELF_NAME}: Warning: $*" >&2
}

debug(){
	if [ -n "${KAS_VERBOSE}" ]; then
		echo "${KAS_CONTAINER_SELF_NAME}: Debug: $*" >&2
	fi
}

trace()
{
	[ -n "${KAS_VERBOSE}" ] && echo "+ $*" >&2
	"$@"
}

prepare_sudo_cmd()
{
	if [ -z "${KAS_SUDO_CMD}" ]; then
		# Try to auto-detect a privileged executor
		if command -v sudo >/dev/null; then
			KAS_SUDO_CMD="sudo"
		elif command -v run0 >/dev/null; then
			KAS_SUDO_CMD="run0"
		else
			fatal_error "No privileged executor found, need sudo or run0."
		fi
	fi

	case "$KAS_SUDO_CMD" in
		sudo) _KAS_SUDO_CMD="sudo --preserve-env";;
		run0) _KAS_SUDO_CMD="run0 --background= --unit=kas-container@$$";;
		*) fatal_error "Unsupported KAS_SUDO_CMD ('${KAS_SUDO_CMD}'), use sudo or run0.";;
	esac
}

enable_isar_mode()
{
	if [ -n "${ISAR_MODE}" ]; then
		return
	fi
	ISAR_MODE=1

	KAS_CONTAINER_IMAGE_NAME_DEFAULT="kas-isar"
	KAS_ISAR_ARGS="--privileged"

	if [ "${KAS_CONTAINER_ENGINE}" = "podman" ]; then
		prepare_sudo_cmd
		# sudo is needed for a privileged podman container
		KAS_CONTAINER_COMMAND="${_KAS_SUDO_CMD} ${KAS_CONTAINER_COMMAND}"
		# preserved user PATH may lack sbin needed by privileged podman
		export PATH="${PATH}:/usr/sbin"
	elif [ "${KAS_DOCKER_ROOTLESS}" = "1" ]; then
		prepare_sudo_cmd
		export DOCKER_HOST="${DOCKER_HOST:-unix:///var/run/docker.sock}"
		debug "kas-isar does not support rootless docker. Using system docker"
		# force use of well-known system docker socket
		KAS_CONTAINER_COMMAND="${_KAS_SUDO_CMD} ${KAS_CONTAINER_COMMAND}"
		KAS_DOCKER_ROOTLESS=0
	fi
}

enable_oe_mode()
{
	if [ "${KAS_CONTAINER_ENGINE}" = "podman" ]; then
		# The container entry point expects that the current userid
		# calling "podman run" has a 1:1 mapping
		KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --userns=keep-id"
	fi
}

enable_unpriv_userns_docker()
{
	if [ -f /etc/os-release ] && grep -q 'NAME="Ubuntu"' /etc/os-release &&
	   [ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ] &&
	   [ "$(cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns)" = "1" ]; then
		if [ -f /etc/apparmor.d/rootlesskit ]; then
			debug "AppArmor restricts unprivileged userns, using \"rootlesskit\" profile"
			KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --security-opt apparmor=rootlesskit"
		else
			warning "AppArmor restricts unprivileged userns but no suitable apparmor " \
			        "profile found. Consider setting apparmor_restrict_unprivileged_userns=0"
		fi
	fi
}

# Params: NAME CREATE_MODE
check_and_expand()
{
	eval _varval=\"\$"$1"\"
	[ -z "$_varval" ] && return
	case "$2" in
	required)
		[ ! -d "$_varval" ] && fatal_error "Variable $1 set, but \"$_varval\" is not a directory."
		;;
	create)
		[ ! -d "$_varval" ] && trace mkdir "$_varval"
		;;
	createrec)
		trace mkdir -p "$_varval"
		;;
	esac
	realpath -e "$_varval"
}

# Params: FILE
# Returns: root repo dir of file
repo_path_of_file()
{
	_DIR="$(dirname "$1")"
	_REPO_DIR=$(git -C "${_DIR}" rev-parse --show-toplevel 2>/dev/null) \
		|| _REPO_DIR=$(hg --cwd "${_DIR}" root 2>/dev/null) \
		|| _REPO_DIR=${_DIR}
	echo "$_REPO_DIR"
}

# Params: ARG
process_file_arg()
{
	_KAS_FILES=
	_KAS_FIRST_FILE=
	_KAS_REPO_DIR=
	# SC2086: Double quote to prevent globbing and word splitting.
	# shellcheck disable=2086
	for FILE in $(IFS=':'; echo $ARG); do
		if ! KAS_REAL_FILE="$(realpath -qe "$FILE")"; then
			fatal_error "configuration file '${FILE}' not found"
		fi
		if [ -z "${_KAS_FILES}" ]; then
			_KAS_FIRST_FILE="${KAS_REAL_FILE}"
			_KAS_FILES="${KAS_REAL_FILE}"
			_KAS_REPO_DIR=$(repo_path_of_file "${_KAS_FIRST_FILE}")
		else
			_KAS_FILES="${_KAS_FILES}:${KAS_REAL_FILE}"
		fi
	done
	KAS_FILES="${KAS_FILES} ${_KAS_FILES}"
	KAS_FIRST_FILES="${KAS_FIRST_FILES} ${_KAS_FIRST_FILE}"
	KAS_REPO_DIRS="${KAS_REPO_DIRS} ${_KAS_REPO_DIR}"
}

# Params: NAME CONTAINER_PATH MODE
# If the dir is not below KAS_WORK_DIR, the dir is mounted into the container.
forward_dir()
{
	eval _varval=\"\$"$1"\"
	[ -z "$_varval" ] && return
	FW_DIR_REL=$(realpath -q --relative-base="${KAS_WORK_DIR}" "$_varval")
	if [ "${FW_DIR_REL}" = "$_varval" ]; then
		KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} -v ${FW_DIR_REL}:$2:$3 -e $1=$2"
	else
		KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} -e $1=/work/${FW_DIR_REL}"
	fi
}

check_docker_rootless()
{
	KAS_DOCKER_ROOTLESS=0
	if [ "$(docker context show)" = "rootless" ]; then
		KAS_DOCKER_ROOTLESS=1
	fi
}

enable_docker_rootless()
{
	warning "Rootless docker used, only limited functionality available."
	if [ "${KAS_WORK_DIR}" = "${KAS_REPO_DIR}" ]; then
		warning "On docker rootless a exclusive KAS_WORK_DIR should be used" \
		        "as kas temporarily changes the ownership of this directory."
	fi
	if [ "${KAS_REPO_MOUNT_OPT}" = "rw" ]; then
		fatal_error "Docker rootless requires read-only repo."
	fi
	KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} -e KAS_DOCKER_ROOTLESS=1"
}

KAS_GIT_OVERLAY_FILE=""
kas_container_cleanup()
{
	if [ -f "${KAS_GIT_OVERLAY_FILE}" ]; then
		trace rm -f "${KAS_GIT_OVERLAY_FILE}"
	fi
}
trap kas_container_cleanup EXIT INT TERM

set_container_image_var()
{
	KAS_IMAGE_VERSION="${KAS_IMAGE_VERSION:-${KAS_IMAGE_VERSION_DEFAULT}}"
	KAS_CONTAINER_IMAGE_DISTRO="${KAS_CONTAINER_IMAGE_DISTRO:-${KAS_CONTAINER_IMAGE_DISTRO_DEFAULT}}"
	KAS_CONTAINER_IMAGE_NAME="${KAS_CONTAINER_IMAGE_NAME:-${KAS_CONTAINER_IMAGE_NAME_DEFAULT}}"
	KAS_CONTAINER_IMAGE_PATH="${KAS_CONTAINER_IMAGE_PATH:-${KAS_CONTAINER_IMAGE_PATH_DEFAULT}}"
	KAS_CONTAINER_IMAGE_DEFAULT="${KAS_CONTAINER_IMAGE_PATH}/${KAS_CONTAINER_IMAGE_NAME}:${KAS_IMAGE_VERSION}"
	KAS_CONTAINER_IMAGE="${KAS_CONTAINER_IMAGE:-${KAS_CONTAINER_IMAGE_DEFAULT}}"
	if [ -n "${KAS_CONTAINER_IMAGE_DISTRO}" ]; then
		KAS_CONTAINER_IMAGE="${KAS_CONTAINER_IMAGE}-${KAS_CONTAINER_IMAGE_DISTRO}"
	fi
}

# SC2034: DIR appears unused (ignore, as they are used inside eval)
# shellcheck disable=2034
setup_kas_dirs()
{
	KAS_WORK_DIR="${KAS_WORK_DIR:-$(pwd)}"
	KAS_WORK_DIR="$(check_and_expand KAS_WORK_DIR required)"
	KAS_BUILD_DIR="$(check_and_expand KAS_BUILD_DIR create)"
	KAS_REPO_REF_DIR="$(check_and_expand KAS_REPO_REF_DIR required)"
	DL_DIR="$(check_and_expand DL_DIR createrec)"
	SSTATE_DIR="$(check_and_expand SSTATE_DIR createrec)"
	KAS_BUILDTOOLS_DIR="$(check_and_expand KAS_BUILDTOOLS_DIR createrec)"
}
setup_kas_dirs

KAS_CONTAINER_ENGINE="${KAS_CONTAINER_ENGINE:-${KAS_DOCKER_ENGINE}}"
if [ -z "${KAS_CONTAINER_ENGINE}" ]; then
	# Try to auto-detect a container engine
	if command -v docker >/dev/null; then
		case $(docker -v 2>/dev/null) in
		podman*)
			# The docker command is an alias for podman
			KAS_CONTAINER_ENGINE=podman
			;;
		Docker*)
			# The docker command is the real docker
			KAS_CONTAINER_ENGINE=docker
			;;
		*)
			# The docker command is an unknown engine
			fatal_error "docker command found, but unknown engine detected"
		esac
	elif command -v podman >/dev/null; then
		KAS_CONTAINER_ENGINE=podman
	else
		fatal_error "no container engine found, need docker or podman"
	fi
fi

KAS_RUNTIME_ARGS="--log-driver=none --user=root"

case "${KAS_CONTAINER_ENGINE}" in
docker)
	KAS_CONTAINER_COMMAND="docker"
	enable_unpriv_userns_docker
	check_docker_rootless
	;;
podman)
	KAS_CONTAINER_COMMAND="podman"
	KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} --security-opt label=disable"
	;;
*)
	fatal_error "unknown container engine '${KAS_CONTAINER_ENGINE}'"
	;;
esac

# parse kas-container options
while [ $# -gt 0 ]; do
	case "$1" in
	--isar)
		enable_isar_mode
		shift 1
		;;
	--with-loop-dev)
		if ! KAS_LOOP_DEV=$(/sbin/losetup -f 2>/dev/null); then
			if [ "$(id -u)" -eq 0 ]; then
				fatal_error "loop device not available!"
			fi
			prepare_sudo_cmd
			if ! [ "$KAS_SUDO_CMD" = "sudo" ]; then
				fatal_error '--with-loop-dev requires sudo for device setup.'
			fi
			sudo_command="/sbin/losetup -f"
			sudo_message="[sudo] enter password to setup loop"
			sudo_message="$sudo_message devices by calling"
			sudo_message="$sudo_message '$sudo_command': "
			# SC2086: Double quote to prevent globbing and word splitting.
			# shellcheck disable=2086
			if ! KAS_LOOP_DEV=$(sudo -p "$sudo_message" $sudo_command \
				2>/dev/null); then
				fatal_error "loop device setup unsuccessful!" \
				            "try calling '$sudo_command' with root" \
				            "permissions manually."
			fi
		fi
		KAS_WITH_LOOP_DEV="--device ${KAS_LOOP_DEV}"
		shift 1
		;;
	--runtime-args|--docker-args)
		[ $# -gt 0 ] || usage
		KAS_RUNTIME_ARGS="${KAS_RUNTIME_ARGS} $2"
		shift 2
		;;
	--ssh-dir)
		[ $# -gt 2 ] || usage
		KAS_SSH_DIR="$2"
		shift 2
		;;
	--ssh-agent)
		if [ -z "${SSH_AUTH_SOCK}" ]; then
			fatal_error "no SSH agent running"
		fi
		KAS_SSH_AUTH_SOCK=$(realpath -e "$SSH_AUTH_SOCK")
		shift 1
		;;
	--aws-dir)
		[ $# -gt 2 ] || usage
		KAS_AWS_DIR="$2"
		shift 2
		;;
	--git-credential-store)
		[ $# -gt 2 ] || usage
		KAS_GIT_CREDENTIAL_STORE="$2"
		shift 2
		;;
	--no-proxy-from-env)
		KAS_NO_PROXY_FROM_ENV=1
		shift 1
		;;
	--repo-ro)
		KAS_REPO_MOUNT_OPT="ro"
		shift 1
		;;
	--repo-rw)
		KAS_REPO_MOUNT_OPT="rw"
		shift 1
		;;
	-l | --log-level)
		if [ "$2" = "debug" ]; then
			KAS_VERBOSE=1
		fi
		KAS_OPTIONS_DIRECT="${KAS_OPTIONS_DIRECT} -l $2"
		shift 2
		;;
	--version)
		echo "${KAS_CONTAINER_SELF_NAME} $KAS_IMAGE_VERSION_DEFAULT"
		exit 0
		;;
	-h | --help)
		usage 0
		;;
	--*)
		usage
		;;
	clean|cleansstate|cleanall|purge)
		KAS_REPO_MOUNT_OPT_DEFAULT="ro"
		KAS_CMD=$1
		shift 1
		break
		;;
	shell|lock)
		KAS_REPO_MOUNT_OPT_DEFAULT="rw"
		KAS_CMD=$1
		shift 1
		break
		;;
	build|checkout|for-all-repos|menu)
		KAS_REPO_MOUNT_OPT_DEFAULT="ro"
		KAS_CMD=$1
		shift 1
		break
		;;
	diff)
		KAS_REPO_MOUNT_OPT_DEFAULT="ro"
		KAS_CMD=$1
		shift 1
		break
		;;
	dump)
		if printf '%s\0' "$@" | grep -xqz -- '--inplace\|-i'; then
			KAS_REPO_MOUNT_OPT_DEFAULT="rw"
		else
			KAS_REPO_MOUNT_OPT_DEFAULT="ro"
		fi
		KAS_CMD=$1
		shift 1
		break
		;;
	*)
		usage
		;;
	esac
done

[ -n "${KAS_CMD}" ] || usage

KAS_EXTRA_BITBAKE_ARGS=0
KAS_FILES=

# parse kas sub-command options
while [ $# -gt 0 ] && [ $KAS_EXTRA_BITBAKE_ARGS -eq 0 ]; do
	case "$1" in
	--format|--indent|--provenance|--skip|--target|--task)
		KAS_OPTIONS="${KAS_OPTIONS} $1 $2"
		shift 1
		shift 1 || KAS_OPTIONS="--help"
		;;
	-c|--cmd|--command)
		KAS_BITBAKE_C_OPTION_ARGS="$2"
		shift 1
		shift 1 || KAS_OPTIONS="--help"
		;;
	-E|--preserve-env)
		fatal_error "$1 is not supported with ${KAS_CONTAINER_SELF_NAME}"
		;;
	--)
		KAS_EXTRA_BITBAKE_ARGS=$#
		;;
	-*)
		KAS_OPTIONS="${KAS_OPTIONS} $1"
		shift 1
		;;
	*)
		ARG="$1"
		shift 1
		if [ "$KAS_CMD" = "for-all-repos" ]; then
			if [ $# -gt 0 ]; then
				KAS_REPO_CMD="$1"
				shift 1
			else
				KAS_REPO_CMD="$ARG"
				unset ARG
			fi
		fi
		process_file_arg "$ARG"
		;;
	esac
done

if [ -n "${KAS_FIRST_FILES}" ]; then
	KAS_REPO_DIR=$(echo "${KAS_REPO_DIRS}" | awk '{print $1}')
else
	KAS_REPO_DIR=$(pwd)
fi

SOURCE_DIR_HOST=$(
	grep -e "^_source_dir_host: " "${KAS_WORK_DIR}/.config.yaml" 2>/dev/null | \
	sed 's/_source_dir_host:[ ]\+//')
if [ -n "${SOURCE_DIR_HOST}" ]; then
	KAS_REPO_DIR="${SOURCE_DIR_HOST}"
fi

if [ "${KAS_CMD}" = "menu" ]; then
	if [ -z "${KAS_FIRST_FILES}" ]; then
		KAS_FIRST_FILES="Kconfig"
	fi

	# When using the menu plugin, we need to track the KAS_REPO_DIR outside
	# of the container to later allow a simple `kas-container build`. For
	# that, we tell the kas menu plugin via an env-var about the location
	# on the host. This data is then added to the .config.yaml where it can
	# be evaluated by the next invocation of kas-container.

	KAS_REPO_DIR=$(check_and_expand KAS_REPO_DIR required)
	if ! [ "${KAS_REPO_DIR}" = "${KAS_WORK_DIR}" ]; then
		set -- "$@" -e _KAS_REPO_DIR_HOST="${KAS_REPO_DIR}"
	fi

	if [ "$(echo "${KAS_FIRST_FILES}" | wc -w)" -ne "1" ]; then
		fatal_error "menu plugin only supports a single Kconfig file"
	fi
	BUILD_SYSTEM=$(tr '\n' '\f' 2>/dev/null < "${KAS_FIRST_FILES}" | \
		sed -e 's/\(.*\fconfig KAS_BUILD_SYSTEM\f\(.*\)\|.*\)/\2/' \
		    -e 's/\f\([[:alpha:]].*\|$\)//' \
		    -e 's/.*default \"\(.*\)\".*/\1/')
else
	if [ -z "${KAS_FIRST_FILES}" ]; then
		KAS_FIRST_FILES="${KAS_WORK_DIR}/.config.yaml"
	fi

	# We only get the first build system and let kas check if mixed
	_KAS_FIRST_FILE=$(echo "${KAS_FIRST_FILES}" | awk '{print $1}')
	BUILD_SYSTEM=$(grep -e "^build_system: " "${_KAS_FIRST_FILE}" 2>/dev/null | \
		sed 's/build_system:[ ]\+//')
fi

if [ "${BUILD_SYSTEM}" = "isar" ]; then
	enable_isar_mode
elif [ -z "${ISAR_MODE}" ]; then
	enable_oe_mode
fi

# clean can be executed without config, hence manually forward the build system
if [ "${ISAR_MODE}" = "1" ] && echo "${KAS_CMD}" | grep -qe "^clean\|purge"; then
	KAS_OPTIONS="${KAS_OPTIONS} --isar"
fi

set_container_image_var

if [ "${KAS_DOCKER_ROOTLESS}" = "1" ]; then
	KAS_REPO_MOUNT_OPT_DEFAULT="ro"
fi
KAS_REPO_MOUNT_OPT="${KAS_REPO_MOUNT_OPT:-${KAS_REPO_MOUNT_OPT_DEFAULT}}"

if [ "$(id -u)" -eq 0 ] && [ "${KAS_ALLOW_ROOT}" != "yes" ] ; then
	fatal_error "Running as root - may break certain recipes." \
	            "Better give a regular user docker access. Set" \
	            "KAS_ALLOW_ROOT=yes to override."
fi

if [ "${KAS_DOCKER_ROOTLESS}" = "1" ]; then
	enable_docker_rootless
fi

if [ "${KAS_CMD}" = "diff" ]; then
	if [ "$(echo "${KAS_FILES}" | wc -w)" -eq "2" ]; then
		_KAS_REPO_DIR1="$(echo "${KAS_REPO_DIRS}" | awk '{print $1}')"
		_KAS_REPO_DIR2="$(echo "${KAS_REPO_DIRS}" | awk '{print $2}')"
		_KAS_FILES1="$(echo "${KAS_FILES}" | awk '{print $1}' | sed 's|'"${_KAS_REPO_DIR1}"'/|/repo/|g')"
		_KAS_FILES2="$(echo "${KAS_FILES}" | awk '{print $2}' | sed 's|'"${_KAS_REPO_DIR2}"'/|/repo2/|g')"
		KAS_FILES="${_KAS_FILES1} ${_KAS_FILES2}"
		set -- "$@" -v "${_KAS_REPO_DIR2}:/repo2:${KAS_REPO_MOUNT_OPT}"
	fi
else
	KAS_FILES="$(echo "${KAS_FILES}" | sed 's|'"${KAS_REPO_DIR}"'/|/repo/|g')"
fi
set -- "$@" -v "${KAS_REPO_DIR}:/repo:${KAS_REPO_MOUNT_OPT}" \
	-v "${KAS_WORK_DIR}":/work:rw -e KAS_WORK_DIR=/work \
	--workdir=/repo \
	-e KAS_CONTAINER_SCRIPT_VERSION="${KAS_CONTAINER_SCRIPT_VERSION}" \
	-e USER_ID="$(id -u)" -e GROUP_ID="$(id -g)" --rm --init

forward_dir KAS_BUILD_DIR "/build" "rw"
forward_dir DL_DIR "/downloads" "rw"
forward_dir KAS_REPO_REF_DIR "/repo-ref" "rw"
forward_dir SSTATE_DIR "/sstate" "rw"
forward_dir KAS_BUILDTOOLS_DIR "/buildtools" "rw"

if git_com_dir=$(git -C "${KAS_REPO_DIR}" rev-parse --git-common-dir 2>/dev/null) \
	&& [ "$git_com_dir" != "$(git -C "${KAS_REPO_DIR}" rev-parse --git-dir)" ]; then
	# If (it's a git repo) and the common dir isn't the git-dir, it is shared worktree and
	# we have to mount the common dir in the container to make git work
	# The mount path inside the container is different from the host path. Hence, we over-mount
	# the .git file to point to the correct path.
	KAS_GIT_OVERLAY_FILE=$(mktemp)
	sed "s|gitdir: ${git_com_dir}/|gitdir: /repo-common/|" "${KAS_REPO_DIR}/.git" > "${KAS_GIT_OVERLAY_FILE}"
	set -- "$@" -v "${git_com_dir}:/repo-common:${KAS_REPO_MOUNT_OPT}" \
		-v "${KAS_GIT_OVERLAY_FILE}:/repo/.git:ro"
	# if the workdir is the same as the repo dir, it is the same shared worktree
	if [ "${KAS_WORK_DIR}" = "${KAS_REPO_DIR}" ]; then
		set -- "$@" -v "${KAS_GIT_OVERLAY_FILE}:/work/.git:ro"
	fi
fi

KAS_SSH_DIR="$(check_and_expand KAS_SSH_DIR required)"
if [ -n "${KAS_SSH_DIR}" ] ; then
	set -- "$@" -v "${KAS_SSH_DIR}":/var/kas/userdata/.ssh:ro
fi

if [ -n "${KAS_SSH_AUTH_SOCK}" ]; then
	if [ ! -S "${KAS_SSH_AUTH_SOCK}" ]; then
		fatal_error "passed SSH_AUTH_SOCK '${KAS_SSH_AUTH_SOCK}' is not a socket"
	fi
	set -- "$@" -v "${KAS_SSH_AUTH_SOCK}":/ssh-agent/ssh-auth-sock \
		-e SSH_AUTH_SOCK=/ssh-agent/ssh-auth-sock
fi

KAS_AWS_DIR="$(check_and_expand KAS_AWS_DIR required)"
if [ -n "${KAS_AWS_DIR}" ] ; then
	set -- "$@" -v "${KAS_AWS_DIR}":/var/kas/userdata/.aws:ro \
		-e AWS_CONFIG_FILE="${AWS_CONFIG_FILE:-/var/kas/userdata/.aws/config}" \
		-e AWS_SHARED_CREDENTIALS_FILE="${AWS_SHARED_CREDENTIALS_FILE:-/var/kas/userdata/.aws/credentials}"
fi
if [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE}" ] ; then
	if [ ! -f "${AWS_WEB_IDENTITY_TOKEN_FILE}" ]; then
		echo "Passed AWS_WEB_IDENTITY_TOKEN_FILE '${AWS_WEB_IDENTITY_TOKEN_FILE}' is not a file"
		exit 1
	fi
	set -- "$@" -v "$(realpath -e "${AWS_WEB_IDENTITY_TOKEN_FILE}")":/var/kas/userdata/.aws/web_identity_token:ro \
		-e AWS_WEB_IDENTITY_TOKEN_FILE="${AWS_CONFIG_FILE:-/var/kas/userdata/.aws/web_identity_token}" \
		-e AWS_ROLE_ARN="${AWS_ROLE_ARN}"
fi

KAS_GIT_CREDENTIAL_HELPER_DEFAULT=""

if [ -n "${KAS_GIT_CREDENTIAL_STORE}" ] ; then
	if [ ! -f "${KAS_GIT_CREDENTIAL_STORE}" ]; then
		fatal_error "passed KAS_GIT_CREDENTIAL_STORE '${KAS_GIT_CREDENTIAL_STORE}' is not a file"
	fi
	KAS_GIT_CREDENTIAL_HELPER_DEFAULT="store --file=/var/kas/userdata/.git-credentials"
	set -- "$@" -v "$(realpath -e "${KAS_GIT_CREDENTIAL_STORE}")":/var/kas/userdata/.git-credentials:ro
fi

GIT_CREDENTIAL_HELPER="${GIT_CREDENTIAL_HELPER:-${KAS_GIT_CREDENTIAL_HELPER_DEFAULT}}"

if [ -n "${GIT_CREDENTIAL_HELPER}" ] ; then
	set -- "$@" -e GIT_CREDENTIAL_HELPER="${GIT_CREDENTIAL_HELPER}"
fi

if [ -f "${NETRC_FILE}" ]; then
	set -- "$@" -v "$(realpath -e "${NETRC_FILE}")":/var/kas/userdata/.netrc:ro \
		-e NETRC_FILE="/var/kas/userdata/.netrc"
fi

if [ -f "${NPMRC_FILE}" ]; then
	set -- "$@" -v "$(realpath -e "${NPMRC_FILE}")":/var/kas/userdata/.npmrc:ro \
		-e NPMRC_FILE="/var/kas/userdata/.npmrc"
fi

if [ -f "${GITCONFIG_FILE}" ]; then
	set -- "$@" -v "$(realpath -e "${GITCONFIG_FILE}")":/var/kas/userdata/.gitconfig:ro \
		-e GITCONFIG_FILE="/var/kas/userdata/.gitconfig"
fi

if [ -f "${REGISTRY_AUTH_FILE}" ]; then
	set -- "$@" -v "$(realpath -e "${REGISTRY_AUTH_FILE}")":/var/kas/userdata/.docker/config.json:ro \
		-e REGISTRY_AUTH_FILE="/var/kas/userdata/.docker/config.json"
fi

if [ -t 1 ]; then
	set -- "$@" -t -i
fi

if [ -n "${SSTATE_MIRRORS}" ]; then
	if echo "${SSTATE_MIRRORS}" | grep -q "file:///"; then
		warning "SSTATE_MIRRORS contains a local path." \
		        "Make sure to make this path available inside the container."
	fi
	set -- "$@" -e "SSTATE_MIRRORS=${SSTATE_MIRRORS}"
fi

# propagate timezone information to entrypoint (requires systemd 239)
if command -v timedatectl >/dev/null; then
	set -- "$@" -e "KAS_HOST_TZ=$(timedatectl show -p Timezone --value 2>/dev/null)"
fi

for var in TERM KAS_DISTRO KAS_MACHINE KAS_TARGET KAS_TASK KAS_CLONE_DEPTH \
           KAS_PREMIRRORS DISTRO_APT_PREMIRRORS BB_NUMBER_THREADS PARALLEL_MAKE \
           GIT_CREDENTIAL_USEHTTPPATH \
           TZ; do
	if [ -n "$(eval echo \$${var})" ]; then
		set -- "$@" -e "${var}=$(eval echo \"\$${var}\")"
	fi
done

# propagate only supported SHELL settings
case "$SHELL" in
/bin/sh|/bin/bash|/bin/dash)
	set -- "$@" -e "SHELL=$SHELL"
	;;
*)
	set -- "$@" -e "SHELL=/bin/bash"
	;;
esac

if [ -z "${KAS_NO_PROXY_FROM_ENV+x}" ]; then
	for var in http_proxy https_proxy ftp_proxy no_proxy NO_PROXY; do
		if [ -n "$(eval echo \$${var})" ]; then
			set -- "$@" -e "${var}=$(eval echo \$${var})"
		fi
	done
fi

# SC2086: Double quote to prevent globbing and word splitting.
# shellcheck disable=2086
set -- "$@" ${KAS_ISAR_ARGS} ${KAS_WITH_LOOP_DEV} ${KAS_RUNTIME_ARGS} \
    ${KAS_CONTAINER_IMAGE} ${KAS_OPTIONS_DIRECT} ${KAS_CMD} ${KAS_OPTIONS}
if [ -n "${KAS_BITBAKE_C_OPTION_ARGS}" ]; then
	set -- "$@" -c "${KAS_BITBAKE_C_OPTION_ARGS}"
fi
# SC2086: Double quote to prevent globbing and word splitting.
# shellcheck disable=2086
set -- "$@" ${KAS_FILES}
if [ "$KAS_CMD" = "for-all-repos" ]; then
	set -- "$@" "${KAS_REPO_CMD}"
fi

# rotate any extra bitbake args from the front to the end of the argument list
while [ $KAS_EXTRA_BITBAKE_ARGS -gt 0 ]; do
	arg="$1"
	shift 1
	set -- "$@" "$arg"
	KAS_EXTRA_BITBAKE_ARGS=$((KAS_EXTRA_BITBAKE_ARGS - 1))
done

# shellcheck disable=SC2086
trace ${KAS_CONTAINER_COMMAND} run "$@"
