From: Cedric Hombourger
To: isar-users@googlegroups.com
Cc: felix.moessbauer@siemens.com, Cedric Hombourger
Subject: [PATCH v3 0/6] non-privileged commands in chroot
Date: Thu, 26 Jun 2025 03:37:42 +0800
Message-Id: <20250625193748.2681-1-cedric.hombourger@siemens.com>

When building root filesystems for foreign architectures with package source
caching enabled, apt operations are executed within the rootfs through QEMU
emulation. This results in significantly degraded performance, particularly
when downloading source packages sequentially.

This patch series introduces a new wrapper function that enables native
command execution against a rootfs while preserving special mount points
(such as /isar-apt). The approach:

- Improves build performance for foreign architecture builds
- Maintains filesystem isolation using bubblewrap
- Preserves access to special mount points required by isar

Testing:

- Basic smoke tests performed successfully (citest.py -t fast)
- Performance improvements observed in source package acquisition
- Tested with various foreign architecture configurations

Dependencies:

- Adds bubblewrap as a new host tool requirement
- Uses kas-container 4.8.0 or later (see [1])

Changes since v2 patch:

- rootfs_install_pkgs_download will no longer use sudo to run apt-get install --download-only.
  This was added to further demonstrate/test rootfs_cmd in existing Isar code.

Changes since v1 patch:

- Rebase (resolve RECIPE-API-CHANGELOG.md merge conflicts)
- Prefix rootfs variable in rootfs_cmd with bwrap to avoid clashes

Changes since RFC patch:

- Let caller decide where to bind-mount the rootfs to
- Make the rootfs argument optional
- Support 32-bit rootfs (no lib64 there)

(Re-)validated with "citest.py -t fast" (using kas-container 4.8.1):

JOB ID     : 2724be97c6711e046fbc2169823c293dc99cd97c
JOB LOG    : avocado/job-results/job-2025-06-25T15.51-2724be9/job.log
 (01/19) citest.py:DevTest.test_dev: STARTED
 (01/19) citest.py:DevTest.test_dev: PASS (1573.34 s)
 (02/19) citest.py:DevTest.test_dev_apps: STARTED
 (02/19) citest.py:DevTest.test_dev_apps: PASS (2158.85 s)
 (03/19) citest.py:DevTest.test_dev_rebuild: STARTED
 (03/19) citest.py:DevTest.test_dev_rebuild: PASS (349.73 s)
 (04/19) citest.py:DevTest.test_dev_run_amd64_bookworm: STARTED
 (04/19) citest.py:DevTest.test_dev_run_amd64_bookworm: PASS (77.79 s)
 (05/19) citest.py:DevTest.test_dev_run_arm64_bookworm: STARTED
 (05/19) citest.py:DevTest.test_dev_run_arm64_bookworm: PASS (55.12 s)
 (06/19) citest.py:DevTest.test_dev_run_arm_bookworm: STARTED
 (06/19) citest.py:DevTest.test_dev_run_arm_bookworm: PASS (58.94 s)
 (07/19) citest.py:CrossTest.test_cross: STARTED
 (07/19) citest.py:CrossTest.test_cross: PASS (1912.25 s)
 (08/19) citest.py:CrossTest.test_cross_debsrc: STARTED
 (08/19) citest.py:CrossTest.test_cross_debsrc: PASS (2933.62 s)
 (09/19) citest.py:CrossTest.test_cross_kselftest: STARTED
 (09/19) citest.py:CrossTest.test_cross_kselftest: PASS (2024.26 s)
 (10/19) citest.py:CrossTest.test_cross_rpi: STARTED
 (10/19) citest.py:CrossTest.test_cross_rpi: PASS (1543.77 s)
 (11/19) citest.py:VmBootTestFast.test_arm_bullseye: STARTED
 (11/19) citest.py:VmBootTestFast.test_arm_bullseye: PASS (64.33 s)
 (12/19) citest.py:VmBootTestFast.test_arm_bullseye_example_module: STARTED
 (12/19) citest.py:VmBootTestFast.test_arm_bullseye_example_module: PASS (12.72 s)
 (13/19) citest.py:VmBootTestFast.test_arm_bullseye_getty_target: STARTED
 (13/19) citest.py:VmBootTestFast.test_arm_bullseye_getty_target: PASS (10.18 s)
 (14/19) citest.py:VmBootTestFast.test_arm_buster: STARTED
 (14/19) citest.py:VmBootTestFast.test_arm_buster: PASS (57.01 s)
 (15/19) citest.py:VmBootTestFast.test_arm_buster_getty_target: STARTED
 (15/19) citest.py:VmBootTestFast.test_arm_buster_getty_target: PASS (9.73 s)
 (16/19) citest.py:VmBootTestFast.test_arm_buster_example_module: STARTED
 (16/19) citest.py:VmBootTestFast.test_arm_buster_example_module: PASS (10.39 s)
 (17/19) citest.py:VmBootTestFast.test_arm_bookworm: STARTED
 (17/19) citest.py:VmBootTestFast.test_arm_bookworm: PASS (82.93 s)
 (18/19) citest.py:VmBootTestFast.test_arm_bookworm_example_module: STARTED
 (18/19) citest.py:VmBootTestFast.test_arm_bookworm_example_module: PASS (30.40 s)
 (19/19) citest.py:VmBootTestFast.test_arm_bookworm_getty_target: STARTED
 (19/19) citest.py:VmBootTestFast.test_arm_bookworm_getty_target: PASS (11.59 s)
RESULTS    : PASS 19 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0
JOB TIME   : 13003.86 s

Cedric Hombourger (5):
  rootfs: introduce wrapper to run commands against a rootfs
  deb-dl-dir: optimize caching of source packages using apt natively
  image-postproc-extension: refactor systemd version checks
  image-postproc-extension: extract systemd's version using rootfs_cmd
  bootstrap: create lock for downloads/deb without sudo
  rootfs: do not get elevated privileges when downloading packages

 RECIPE-API-CHANGELOG.md                       |  7 ++
 doc/user_manual.md                            |  1 +
 meta/classes/deb-dl-dir.bbclass               | 58 ++++++-------
 meta/classes/image-postproc-extension.bbclass | 12 +--
 meta/classes/rootfs.bbclass                   | 83 ++++++++++++++++++-
 .../isar-mmdebstrap/isar-mmdebstrap.inc       |  4 +
 6 files changed, 126 insertions(+), 39 deletions(-)
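
The cover letter describes running native commands against a rootfs under bubblewrap without sudo, with a caller-chosen mount point, an optional rootfs and no lib64 on 32-bit trees. The following is an added illustration of such a command line, not the rootfs_cmd from this series (its code is not shown on this page); the name `sandbox_argv`, its argument order, the list of tool directories and the SRC:DEST syntax are assumptions.

```shell
#!/bin/sh
# Added example, not Isar's rootfs_cmd: every name below is hypothetical.
# Prints, one argument per line, a bubblewrap command that runs a host-native
# tool against a rootfs without sudo.
#
# usage: sandbox_argv TOOLROOT ROOTFS MOUNTPOINT [SRC:DEST ...] -- CMD [ARGS...]
sandbox_argv() (
    toolroot=${1%/} rootfs=$2 mnt=$3
    shift 3
    nl='
'
    out=
    add() { out="$out$(printf '%s\n' "$@")$nl"; }

    # New namespaces for everything except the network (downloads need it);
    # the sandbox goes away if the calling task dies.
    add bwrap --unshare-all --share-net --die-with-parent

    # Expose only the directories that hold the tools, read-only. A missing
    # directory (lib64 on a 32-bit tree) is skipped, and merged-/usr symlinks
    # are recreated instead of bind-mounted.
    for d in usr bin sbin lib lib32 lib64; do
        if [ -L "$toolroot/$d" ]; then
            add --symlink "$(readlink "$toolroot/$d")" "/$d"
        elif [ -d "$toolroot/$d" ]; then
            add --ro-bind "$toolroot/$d" "/$d"
        fi
    done
    add --dev /dev --proc /proc --tmpfs /tmp

    # The rootfs is optional; when given it is bound read-write at the path
    # the caller asked for.
    if [ -n "$rootfs" ]; then add --bind "$rootfs" "$mnt"; fi

    # Extra mount points (an apt repository, for instance) as SRC:DEST pairs.
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        add --bind "${1%%:*}" "${1#*:}"
        shift
    done
    [ "${1:-}" = "--" ] || { echo "sandbox_argv: missing -- before command" >&2; exit 2; }
    shift
    [ $# -gt 0 ] || { echo "sandbox_argv: no command given" >&2; exit 2; }
    add "$@"
    printf '%s' "$out"
)
```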