zbm-builder.sh: add mount-options argument, document use

A new `-M` option for `zbm-builder.sh` provides a means to specify mount
options for the `/build` and (if specified) `/zbm` volumes in the build
container. Using, for example, `-M z` allows images to be built on hosts
with SELinux enabled.

This change is documented, along with extra considerations for building
Dracut-based images in containers when SELinux is enabled on the host.

Signed-off-by: Andrew Gunnerson <accounts+github@chiller3.com>

Closes: #433.

docs/guides/general/container-building.rst

@@ -118,6 +118,18 @@ The default behavior of ``zbm-builder.sh`` will:
   2. If ``./config.yaml`` exists, inform the builder to use that custom configuration instead of the default
   3. Run the internal build script to produce output in the ``./build`` subdirectory
 
+.. note::
+
+  Building on hosts with SELinux enabled may require that volumes mounted by the build container be properly labeled.
+  This can be accomplished by specifying the argument ``-M z`` to ``zbm-builder.sh``. This will persistently relabel the
+  build directory and, if specified, the ZFSBootMenu source directory. As an alternative to conf, it may be possible to
+  disable SELinux entirely by invoking ``zbm-builder.sh`` with the argument ``-O --security-opt=label=disable``.
+
+  When Dracut is used to build an image under the constraints of SELinux, ``zbm-builder.sh`` should additionally be
+  invoked with the argument ``-O --env=DRACUT_NO_XATTR=1`` to prevent Dracut from setting extended attributes on
+  temporary files it creates within the container. Without this option, Dracut may try, but fail, to set the
+  ``security.selinux`` attribute on files.
+
 Custom ZFSBootMenu Hooks
 ~~~~~~~~~~~~~~~~~~~~~~~~
 
@@ -174,3 +186,6 @@ command-line options that are described in the output of ``zbm-builder.sh -h``.
 
 Before adjusting these command-line options, seek a thorough understanding of the
 :zbm:`image build process <releng/docker/README.md>` and the command sequence of ``zbm-builder.sh`` itself.
+
+..
+  vim: softtabstop=2 shiftwidth=2 textwidth=120

zbm-builder.sh

@@ -40,6 +40,18 @@ OPTIONS:
 
   -d Force use of docker instead of podman
 
+  -M <argument>
+     Provide a comma-separated list of options to use for volume
+     mounts of the build directory and (if specified) ZFSBootMenu
+     source tree within the build container. For example, specify
+
+       zbm-builder -M z
+
+     to label the volumes for use with SELinux.
+
+     NOTE: An 'ro' option is always added to the volume mounted from
+     the ZFSBootMenu source tree.
+
   -O <argument>
      Provide an option to 'podman run' or 'docker run'; if the
      argument accepts one or more options, use a form with no spaces
@@ -76,6 +88,7 @@ EOF
 
 SKIP_HOSTID=
 REMOVE_HOST_FILES=
+MOUNT_FLAGS=
 
 # By default, use the latest upstream build container image
 BUILD_IMG="ghcr.io/zbm-dev/zbm-builder:latest"
@@ -101,7 +114,7 @@ else
   PODMAN="docker"
 fi
 
-CMDOPTS="b:dhi:l:c:O:HR"
+CMDOPTS="b:dhi:l:c:M:O:HR"
 
 # First pass to get build directory and configuration file
 while getopts "${CMDOPTS}" opt; do
@@ -156,6 +169,9 @@ while getopts "${CMDOPTS}" opt; do
     l)
       BUILD_REPO="${OPTARG}"
       ;;
+    M)
+      MOUNT_FLAGS="${OPTARG}"
+      ;;
     O)
       RUNTIME_ARGS+=( "${OPTARG}" )
       ;;
@@ -181,7 +197,7 @@ if ! command -v "${PODMAN}" >/dev/null 2>&1; then
 fi
 
 # Always mount a build directory at /build
-RUNTIME_ARGS+=( "-v" "${BUILD_DIRECTORY}:/build" )
+RUNTIME_ARGS+=( "-v" "${BUILD_DIRECTORY}:/build${MOUNT_FLAGS:+:${MOUNT_FLAGS}}" )
 
 # Only mount a local repo at /zbm if specified
 if [ -n "${BUILD_REPO}" ]; then
@@ -190,7 +206,7 @@ if [ -n "${BUILD_REPO}" ]; then
     exit 1
   fi
 
-  RUNTIME_ARGS+=( "-v" "${BUILD_REPO}:/zbm:ro" )
+  RUNTIME_ARGS+=( "-v" "${BUILD_REPO}:/zbm:ro${MOUNT_FLAGS:+,${MOUNT_FLAGS}}" )
 fi
 
 # Remove existing hostid