Merge pull request #2036 from tlaurion/bugfix-qemu_kvm

docker_*.sh: add kvm support, X11 authentication, update README.md instructions. Bump docker image to v.0.2.7 with pinned hash under CircleCI.

Also fixes things tested in dev cycles:
- DO_WITH_DEBUG calls to tpm increment (was preventing TPM password prompt output.
- Adds wait_for_sub_devices function to poll for detection of usb devices before testing gpg --card-status

Author: tlaurion

.circleci/config.yml

@@ -48,7 +48,8 @@ commands:
 jobs:
   prep_env:
     docker:
-      - image: tlaurion/heads-dev-env:v0.2.5
+      # Docker image: tlaurion/heads-dev-env:v0.2.7
+      - image: tlaurion/heads-dev-env@sha256:5f890f3d1b6b57f9e567191695df003a2ee880f084f5dfe7a5633e3e8f937479
     resource_class: large
     working_directory: ~/heads
     steps:
@@ -123,7 +124,8 @@ jobs:
 
   build_and_persist:
     docker:
-      - image: tlaurion/heads-dev-env:v0.2.5
+      # Docker image: tlaurion/heads-dev-env:v0.2.7
+      - image: tlaurion/heads-dev-env@sha256:5f890f3d1b6b57f9e567191695df003a2ee880f084f5dfe7a5633e3e8f937479
     resource_class: large
     working_directory: ~/heads
     parameters:
@@ -151,7 +153,8 @@ jobs:
 
   build:
     docker:
-      - image: tlaurion/heads-dev-env:v0.2.5
+      # Docker image: tlaurion/heads-dev-env:v0.2.7
+      - image: tlaurion/heads-dev-env@sha256:5f890f3d1b6b57f9e567191695df003a2ee880f084f5dfe7a5633e3e8f937479
     resource_class: large
     working_directory: ~/heads
     parameters:
@@ -172,7 +175,8 @@ jobs:
 
   save_cache:
     docker:
-      - image: tlaurion/heads-dev-env:v0.2.5
+      # Docker image: tlaurion/heads-dev-env:v0.2.7
+      - image: tlaurion/heads-dev-env@sha256:5f890f3d1b6b57f9e567191695df003a2ee880f084f5dfe7a5633e3e8f937479
     resource_class: large
     working_directory: ~/heads
     steps:

README.md

@@ -0,0 +1,13 @@
+# Optional: pin the Docker image used by ./docker_repro.sh to an immutable digest
+# This file is read by docker_repro.sh if DOCKER_REPRO_DIGEST is not set in the
+# environment. The first non-empty, non-comment line is used as the digest value.
+# Acceptable formats are:
+#  - sha256:<64-hex>
+#  - sha256-<64-hex>  (will be normalized to sha256:<hex>)
+#  - <64-hex>         (will be normalized to sha256:<hex>)
+# Example:
+# sha256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+
+# Place the digest on the first non-comment line below (remove the leading '#')
+# Version: v0.2.7
+sha256:5f890f3d1b6b57f9e567191695df003a2ee880f084f5dfe7a5633e3e8f937479

docker/DOCKER_REPRO_DIGEST

@@ -0,0 +1,53 @@
+#!/bin/bash
+# Helper to compare local Docker image digest with remote docker.io
+# Usage: ./docker/check_reproducibility.sh [local_image] [remote_image]
+# Example:
+#   ./docker/check_reproducibility.sh linuxboot/heads:dev-env tlaurion/heads-dev-env:latest
+
+set -euo pipefail
+
+usage() {
+  cat <<'USAGE' >&2
+Usage: $0 [local_image] [remote_image]
+
+Compare a local Docker image digest with a remote docker.io image.
+
+Arguments:
+  local_image   Local image to check (default: linuxboot/heads:dev-env)
+  remote_image  Remote docker.io image to compare against (default: ${HEADS_MAINTAINER_DOCKER_IMAGE}:latest, where HEADS_MAINTAINER_DOCKER_IMAGE defaults to tlaurion/heads-dev-env)
+
+Environment:
+  HEADS_MAINTAINER_DOCKER_IMAGE  Override the canonical maintainer's image repository (default: tlaurion/heads-dev-env)
+
+Examples:
+  ./docker/check_reproducibility.sh
+  ./docker/check_reproducibility.sh linuxboot/heads:dev-env tlaurion/heads-dev-env:latest
+  ./docker/check_reproducibility.sh linuxboot/heads:dev-env tlaurion/heads-dev-env:v0.2.7
+  HEADS_MAINTAINER_DOCKER_IMAGE="myuser/heads-dev-env" ./docker/check_reproducibility.sh
+
+Requirements:
+  - docker CLI (required; to inspect local images and perform pulls)
+  - Recommended (optional): `skopeo` (preferred for manifest inspection without pulling), `jq` + `curl` (fallback to query Docker Hub API). If these are missing the script will fall back to `docker pull` which may download large image layers.
+  - Network access (to pull remote images or query registries)
+
+USAGE
+}
+
+if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
+  usage
+  exit 0
+fi
+
+echo "=== Docker Image Reproducibility Check ===" >&2
+# Source shared helpers and delegate to centralized reproducibility checker
+# shellcheck source=docker/common.sh
+source "$(dirname "$0")/common.sh"
+# Ensure docker is available
+require_docker || exit $?
+# Resolve local and remote images (remote uses shared defaulting logic)
+local_image="${1:-linuxboot/heads:dev-env}"
+remote_image=$(resolve_repro_remote_image "${2:-}")
+# Delegate to the refactored checker which prefers image ID / config digest comparison
+compare_image_reproducibility "${local_image}" "${remote_image}"
+exit $? 
+