| Message ID | 20260609085346.3949936-1-amikan@ilbers.de |
|---|---|
| State | New |
| Series | kas: Support kas build system selection |
09.06.2026 11:53, Anton Mikanovich wrote:
> This adds yaml Kconfig options that allow to choose kas build system
> from the following list:
>
> --isar-rootless
> --isar-privileged
>
> After moving to rootless kas container previously used "--isar" option
> turns deprecated and should be replaced by "--isar-privileged".
>
> Signed-off-by: Anton Mikanovich <amikan@ilbers.de>

This commit is supposed to be a part of "add support to build isar unprivileged" patchset to keep privileged kas building for backward compatibility.
On Tue, 2026-06-09 at 11:53 +0300, Anton Mikanovich wrote: > This adds yaml Kconfig options that allow to choose kas build system > from the following list: > > --isar-rootless > --isar-privileged > > After moving to rootless kas container previously used "--isar" option > turns deprecated and should be replaced by "--isar-privileged". > > Signed-off-by: Anton Mikanovich <amikan@ilbers.de> > --- > Kconfig | 3 ++- > kas/opt/Kconfig | 20 ++++++++++++++++++++ > 2 files changed, 22 insertions(+), 1 deletion(-) > > diff --git a/Kconfig b/Kconfig > index 66dd4112..cfea1902 100644 > --- a/Kconfig > +++ b/Kconfig > @@ -1,5 +1,5 @@ > # This software is a part of Isar. > -# Copyright (C) 2023 ilbers GmbH > +# Copyright (C) 2023-2026 ilbers GmbH > # > # SPDX-License-Identifier: MIT > # > @@ -14,6 +14,7 @@ config KAS_INCLUDE_MAIN > > config KAS_BUILD_SYSTEM > string > + default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED > default "isar-rootless" Note, that this will only work on re-execution of kas, i.e. you need to save the config and then run kas build. Running kas menu + build does not work, as it is in the wrong container / execution mode. Felix > > source "kas/machine/Kconfig" > diff --git a/kas/opt/Kconfig b/kas/opt/Kconfig > index ac9b2f55..1bea49b8 100644 > --- a/kas/opt/Kconfig > +++ b/kas/opt/Kconfig 
> @@ -115,6 +115,26 @@ config KAS_INCLUDE_USER_ISAR > > endmenu > > + > +menu "Kas build system" > + > +choice > + prompt "Kas build system" > + default KAS_BUILD_SYSTEM_ISAR_ROOTLESS > + help > + Rootless build mode is using unshare syscall to avoid security issues. > + Otherwize privileged mode with sudo permissions still can be used. > + > +config KAS_BUILD_SYSTEM_ISAR_ROOTLESS > + bool "Rootless (--isar-rootless)" > + > +config KAS_BUILD_SYSTEM_ISAR_PRIVILEGED > + bool "Privileged (--isar-privileged)" > + > +endchoice > + > +endmenu > + > config KAS_IMAGE_FSTYPES > string "Additional image fstypes" > default "" > -- > 2.34.1 > > -- > You received this message because you are subscribed to the Google Groups "isar-users" group. > To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. > To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260609085346.3949936-1-amikan%40ilbers.de.
09.06.2026 14:01, MOESSBAUER, Felix wrote: > On Tue, 2026-06-09 at 11:53 +0300, Anton Mikanovich wrote: >> config KAS_BUILD_SYSTEM >> string >> + default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED >> default "isar-rootless" > Note, that this will only work on re-execution of kas, i.e. you need to > save the config and then run kas build. Running kas menu + build does > not work, as it is in the wrong container / execution mode. > > Felix In this case previously set "--isar" value will be used, which is still supported but results in warning by kas. Is it a big problem?
On Tue, 2026-06-09 at 14:07 +0300, Anton Mikanovich wrote: > 09.06.2026 14:01, MOESSBAUER, Felix wrote: > > On Tue, 2026-06-09 at 11:53 +0300, Anton Mikanovich wrote: > > > config KAS_BUILD_SYSTEM > > > string > > > + default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED > > > default "isar-rootless" > > Note, that this will only work on re-execution of kas, i.e. you need to > > save the config and then run kas build. Running kas menu + build does > > not work, as it is in the wrong container / execution mode. > > > > Felix > In this case previously set "--isar" value will be used, which is still > supported but results in warning by kas. > Is it a big problem? Well... --isar and --isar-privileged are the same. We should anyways use --isar to still support older kas releases (in fact we don't even have a kas release which supports --isar-privileged yet). The bigger issue is that kas-container --isar-rootless only affects how the container is started, but not how the build is started. The build is started based on the build_system entry in the config.yaml file, whereby rootless mode sets the ISAR_ROOTLESS=1 variable in the local config. kas-container also reads the build_system value from the KConfig or .config.yml and starts the container accordingly. By that, we have to treat the build system mode (rootless or privileged) as INPUT to kas menu instead of a KConfig option of the menu. My proposal is to just keep the build_system as "isar" in both the KConfig and isar.yaml for now (at least until we have a kas version that supports both). Later on, we can model the switching. Best regards, Felix
On Tue, 2026-06-09 at 11:01 +0000, 'MOESSBAUER, Felix' via isar-users wrote: > On Tue, 2026-06-09 at 11:53 +0300, Anton Mikanovich wrote: > > This adds yaml Kconfig options that allow to choose kas build system > > from the following list: > > > > --isar-rootless > > --isar-privileged > > > > After moving to rootless kas container previously used "--isar" option > > turns deprecated and should be replaced by "--isar-privileged". > > > > Signed-off-by: Anton Mikanovich <amikan@ilbers.de> > > --- > > Kconfig | 3 ++- > > kas/opt/Kconfig | 20 ++++++++++++++++++++ > > 2 files changed, 22 insertions(+), 1 deletion(-) > > > > diff --git a/Kconfig b/Kconfig > > index 66dd4112..cfea1902 100644 > > --- a/Kconfig > > +++ b/Kconfig > > @@ -1,5 +1,5 @@ > > # This software is a part of Isar. > > -# Copyright (C) 2023 ilbers GmbH > > +# Copyright (C) 2023-2026 ilbers GmbH > > # > > # SPDX-License-Identifier: MIT > > # > > @@ -14,6 +14,7 @@ config KAS_INCLUDE_MAIN > > > > config KAS_BUILD_SYSTEM > > string > > + default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED > > default "isar-rootless" PS: kas-container is not able to parse this. We must use a trivial KAS_BUILD_SYSTEM definition. [1] https://github.com/siemens/kas/blob/c9e4f67a1a8a7310f81519954370241bba4981c2/kas-container#L568 Felix
On 09.06.26 10:53, Anton Mikanovich wrote: > This adds yaml Kconfig options that allow to choose kas build system > from the following list: > > --isar-rootless > --isar-privileged > > After moving to rootless kas container previously used "--isar" option > turns deprecated and should be replaced by "--isar-privileged". > > Signed-off-by: Anton Mikanovich <amikan@ilbers.de> > --- > Kconfig | 3 ++- > kas/opt/Kconfig | 20 ++++++++++++++++++++ > 2 files changed, 22 insertions(+), 1 deletion(-) > > diff --git a/Kconfig b/Kconfig > index 66dd4112..cfea1902 100644 > --- a/Kconfig > +++ b/Kconfig > @@ -1,5 +1,5 @@ > # This software is a part of Isar. > -# Copyright (C) 2023 ilbers GmbH > +# Copyright (C) 2023-2026 ilbers GmbH > # > # SPDX-License-Identifier: MIT > # > @@ -14,6 +14,7 @@ config KAS_INCLUDE_MAIN > > config KAS_BUILD_SYSTEM > string > + default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED > default "isar-rootless" > > source "kas/machine/Kconfig" > diff --git a/kas/opt/Kconfig b/kas/opt/Kconfig > index ac9b2f55..1bea49b8 100644 > --- a/kas/opt/Kconfig > +++ b/kas/opt/Kconfig 
> @@ -115,6 +115,26 @@ config KAS_INCLUDE_USER_ISAR > > endmenu > > + > +menu "Kas build system" > + > +choice > + prompt "Kas build system" > + default KAS_BUILD_SYSTEM_ISAR_ROOTLESS > + help > + Rootless build mode is using unshare syscall to avoid security issues. > + Otherwize privileged mode with sudo permissions still can be used. > + > +config KAS_BUILD_SYSTEM_ISAR_ROOTLESS > + bool "Rootless (--isar-rootless)" > + > +config KAS_BUILD_SYSTEM_ISAR_PRIVILEGED > + bool "Privileged (--isar-privileged)" > + > +endchoice > + > +endmenu > + > config KAS_IMAGE_FSTYPES > string "Additional image fstypes" > default "" As Felix already pointed out, this will not work. I would recommend to stick with privileged builds until there is at least a kas release which comes with the required support. Then, Isar could switch its default over to rootless, leaving privileged mode only via command line selection for CI purposes. Jan
diff --git a/Kconfig b/Kconfig index 66dd4112..cfea1902 100644 --- a/Kconfig +++ b/Kconfig @@ -1,5 +1,5 @@ # This software is a part of Isar. -# Copyright (C) 2023 ilbers GmbH +# Copyright (C) 2023-2026 ilbers GmbH # # SPDX-License-Identifier: MIT # @@ -14,6 +14,7 @@ config KAS_INCLUDE_MAIN config KAS_BUILD_SYSTEM string + default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED default "isar-rootless" source "kas/machine/Kconfig" diff --git a/kas/opt/Kconfig b/kas/opt/Kconfig index ac9b2f55..1bea49b8 100644 --- a/kas/opt/Kconfig +++ b/kas/opt/Kconfig @@ -115,6 +115,26 @@ config KAS_INCLUDE_USER_ISAR endmenu + +menu "Kas build system" + +choice + prompt "Kas build system" + default KAS_BUILD_SYSTEM_ISAR_ROOTLESS + help + Rootless build mode is using unshare syscall to avoid security issues. + Otherwize privileged mode with sudo permissions still can be used. + +config KAS_BUILD_SYSTEM_ISAR_ROOTLESS + bool "Rootless (--isar-rootless)" + +config KAS_BUILD_SYSTEM_ISAR_PRIVILEGED + bool "Privileged (--isar-privileged)" + +endchoice + +endmenu + config KAS_IMAGE_FSTYPES string "Additional image fstypes" default ""
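Review bot: in the `config KAS_BUILD_SYSTEM` hunk of Kconfig, the added `default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED` turns a single fixed string into a value that depends on a choice symbol from kas/opt/Kconfig, and nothing in the patch documents when that value is actually honoured. Felix's replies in this thread report that kas-container cannot parse a conditional definition and that the selection only takes effect after the config is saved and kas is run again. Either keep one unconditional default here, or add a comment next to the symbol stating that constraint.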
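Review bot: the help text of the new choice in kas/opt/Kconfig misspells "Otherwise" as "Otherwize" and justifies rootless mode only with "to avoid security issues", which does not tell the user what they are choosing. Since this option decides whether the build runs with sudo permissions, say that directly in the help and give each of the two `bool` entries its own help line. The extra blank `+` line before `menu "Kas build system"` also leaves two empty lines after `endmenu` and can be dropped.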
This adds yaml Kconfig options that allow to choose kas build system
from the following list:

--isar-rootless
--isar-privileged

After moving to rootless kas container previously used "--isar" option
turns deprecated and should be replaced by "--isar-privileged".

Signed-off-by: Anton Mikanovich <amikan@ilbers.de>

---
 Kconfig | 3 ++-
 kas/opt/Kconfig | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)