| Message ID | 20250925065433.4180883-1-cedric.hombourger@siemens.com |
|---|---|
| Headers | show
Return-Path: <isar-users+bncBDB6LLF7YUBRBNOO2PDAMGQERYHLXGY@googlegroups.com>
Received: from shymkent.ilbers.de ([unix socket])
by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA;
Thu, 25 Sep 2025 08:55:02 +0200
X-Sieve: CMU Sieve 2.4
Received: from mail-pj1-f61.google.com (mail-pj1-f61.google.com
[209.85.216.61])
by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id
58P6t0ld002365
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
for <iupwgm@isar-build.org>; Thu, 25 Sep 2025 08:55:01 +0200
Received: by mail-pj1-f61.google.com with SMTP id
98e67ed59e1d1-33428befc08sf1321962a91.2
for <iupwgm@isar-build.org>; Wed, 24 Sep 2025 23:55:01 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1758783295; cv=pass;
d=google.com; s=arc-20240605;
b=BwabX+Y9j5btFjLyhy0UA6Ic7MBL7llApRXv+PZdB5lKYwIed7DSGfRBDIsfKJx9Ob
bgA+JSmwv+2NoAyTkjGN/b5lcXvqXi4lm4Mi7VODPiWB7SJT8jOCpW9e0Ab9thKUrsCM
q5HeRL+Uby6sFeZp0hhXoH8R/Ae/MQ6EI6DY7N8xvUh5eMerfyIdgSCF11ioxY5/Juz8
M9HkjdmfkHAS2qB+A1/0CU+MzVm547WD8JW7JCnMyTxNN0MtAOpzgjG8LQ2OWk/BgKTC
F8OkPRiGATABaGsY3iBKU45K7C8NJqwWCisz0CtzToOVzQFD55emJiboACRArW+pj7im
Kojg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20240605;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:reply-to:feedback-id:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=08/Ca0V6Y7+rI15jRWfJltWp+WZdM7fpTsDhpVYoPR8=;
fh=gtTQCod3hxxaBYyj5zLHKuPNSLH19VjZLdG9Xuwf2fM=;
b=QqgAdxvZgOSK4H9BCN6k/mXoHIjcAduRRzwjYIsOXtJpQ7sNulMGil/94KPdy6VAP/
Let6Ihn7Ju8mEgs+4Lf/ax2fQ0NVj6hDsm1yTktTaSw7v3U2qcRPXD/Roi8T8xgEe7s6
MA03tyzUL5SOVe7LmKY+mJ5D2htf4/+peD6OoecJXUj7VSO/l0LyQHAGgFonl1bVmATu
QmwG5iNIzeXhVpMIqiWtMWqATjy4qXCCCWvmDrQW++U3GzfLz60e3oOnFt0uAouETFls
ar2y8zEv5aVpR9p70MC1IDFIWo30b0ZqkFdXzkqBdRE4uToQvkvU09lQ4lWzkdAWY0h7
YvtQ==;
darn=isar-build.org
ARC-Authentication-Results: i=2; gmr-mx.google.com;
dkim=pass header.i=@siemens.com header.s=fm1 header.b="XkOUxEd/";
spf=pass (google.com: domain of
fm-1212295-20250925065442e763ffe25c000207ea-r_w649@rts-flowmailer.siemens.com
designates 185.136.64.225 as permitted sender)
smtp.mailfrom=fm-1212295-20250925065442e763ffe25c000207ea-r_w649@rts-flowmailer.siemens.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=googlegroups.com; s=20230601; t=1758783295; x=1759388095;
darn=isar-build.org;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:list-id:mailing-list:precedence:reply-to
:x-original-authentication-results:x-original-sender:feedback-id
:mime-version:message-id:date:subject:cc:to:from:from:to:cc:subject
:date:message-id:reply-to;
bh=08/Ca0V6Y7+rI15jRWfJltWp+WZdM7fpTsDhpVYoPR8=;
b=kr6+v9IO3+bUJuU1JBz1fAsO1/FQrvsMukn/ChW8Viw4pjZW9OhSC7pQcTHSJHj+LP
hQLah++OkPN1GK88U4LwMYUMkSqStwVH/IJg/0Gnmsk5kbrpnu4IKA/Ip8kO6sOFnCch
fZ9h4Abx4Lezt9EEk9VCxXX1rIDLFCTRlaD5+W2dijTT49DYUSPR8wUd7QtdmBSoQhEU
l8pXzYourzY3IQf8WJj4wZ9TrMRBeqA3x0yHa26sftqKNaRBKG/x3qB11qZComTcUxgN
WTfrkNqQVMCjg4eO+qnDy3U1eLaYNsp/6UUkqzYkjiDiVTymcPY7FVXrcowXCUbu+jj0
FYow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1758783295; x=1759388095;
h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
:x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to
:x-original-authentication-results:x-original-sender:feedback-id
:mime-version:message-id:date:subject:cc:to:from:x-beenthere
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=08/Ca0V6Y7+rI15jRWfJltWp+WZdM7fpTsDhpVYoPR8=;
b=N11gaqBp9izmLMM1SUg2bQAUR5yxh6XzkvCh5cScHTqRPn01ALf2yox1TlkFPF4/FC
q7pe+YwyMDYLDmM1k0tDlORalT4gSRoNpSCGNBvf5TKuZr642Lyaq8TTP7teh73L1am6
+XW8botYXtyRWPrSEdhsBKZ1fhkmyTXwZIJnMIQJpSyc+cJzq0ITkobLWFqaFmQrlAWF
o6ThWdSuESEAlc+G/YI8nb+YisO5qzGRuV/ciDNhYqohc+baQj/QJlTXFRlGRc73ryYD
pbrjFCzoyYFgbjoGFFDj1Bje8kN7uAGnaoN/uzkY941hpgJZb7qX7OBaU+ecJdsNhG/E
TwyA==
X-Forwarded-Encrypted: i=2;
AJvYcCUOFxKTP9Wwqs80p+igYJvuoj05d5Ytc7MFk7QjEIxNjnjX2pGY0AYBdzR1EDzjowHWiME1p20=@isar-build.org
X-Gm-Message-State: AOJu0YxxS8y9rZFORfzVjr6/8tq1tgKPQbOUDifC+IC2HMULSrQ+MpU/
WJxK+4u2yD0K8wSurMjgjgcLviFtXf9kglxvMRw89sRGlXGg+gz3q84o
X-Google-Smtp-Source:
AGHT+IFtrMa2z/Uxu+H3ZA69WCBNSkCQUXoxTaOcbmJSLSoVrIkXLXZQijH/Dj8OXrsxUaMf4qmw8A==
X-Received: by 2002:a17:90b:538e:b0:32e:18b2:5a45 with SMTP id
98e67ed59e1d1-3342a20b94dmr2540441a91.5.1758783294866;
Wed, 24 Sep 2025 23:54:54 -0700 (PDT)
X-BeenThere: isar-users@googlegroups.com;
h="ARHlJd5bBqmNejRl/vCMkTcwmZSgncPTsJcupu8b965ddCbsRQ=="
Received: by 2002:a17:90b:4ac5:b0:32e:43ae:a453 with SMTP id
98e67ed59e1d1-3342a46b148ls715825a91.0.-pod-prod-06-us; Wed, 24 Sep 2025
23:54:44 -0700 (PDT)
X-Received: by 2002:a17:90b:1809:b0:32e:6fae:ba53 with SMTP id
98e67ed59e1d1-3342a20bdd9mr2733937a91.8.1758783284414;
Wed, 24 Sep 2025 23:54:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1758783284; cv=none;
d=google.com; s=arc-20240605;
b=SxUK9NZwSO3wwdaurvEBXZH/KgKjK4gMFfo7QKA7hdoxnC9pmoKSvwJ7SxD0RwXmFn
HmYjtkX5gIZi1swVhA8nknMlkhGMv8rfpagD8jRNMCr8mjWprgmRZRZR3Nk/iDbg9Adv
Tpe1xB2dNt39aYZTd5aoTp1A6Klrcw1KA3rb0bI2P7kqJ1P228yi2cjLgjSgJR35tXhD
fV/9CrzBFD56SRp9kKXT/H9MaUeUFLuXzZn9K0wuwSvPyMW8sLo36nkE/pQPhuQgCyoN
mbm14IsrivFG+iBfNPIefILk289kpCrefJkld0yOMWEbjncVlAwvEmzSKATt0RHxqJ5F
M0RQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20240605;
h=feedback-id:content-transfer-encoding:mime-version:message-id:date
:subject:cc:to:from:dkim-signature;
bh=yxQOdxi+GJ2vZx2tdncaRSaSCHhlURMpV+33koZIozY=;
fh=1z37pEVhqwMLlkT4FDzOga7XBsM6Rzv6sXOq0pipxqo=;
b=ZDGWDTWnmxSthzPLvcpEN3c+SVr+2w11mr0IveiTQKbr7mmx2TinUdI9xn4KYzdE3P
/d+IdQ0kiqNQ9DGnwfI0gNnMSZlDdXeHzdnR1/W33MnKKF+5dRilxqtCSM9CTkAPXMD1
rsrgbdezU474fM82cEiz/BOawWv258jUxxPMUa61+TRazYyNgKj5NA9ojajMgyFHVQ+G
9E9PIZC9xmfYPnZ8dp1dSukPBXDJXCtpqafvwIEOC0qYqyJRe2VDJQ/ocJF9P9dg+qvo
Uu8Hn67sKXZbFT9HuSQUjFM0g6P2nucDNrx3Arsp74XMc02cGYFXDxS72yfCc8fp8/VI
SuwQ==;
dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
dkim=pass header.i=@siemens.com header.s=fm1 header.b="XkOUxEd/";
spf=pass (google.com: domain of
fm-1212295-20250925065442e763ffe25c000207ea-r_w649@rts-flowmailer.siemens.com
designates 185.136.64.225 as permitted sender)
smtp.mailfrom=fm-1212295-20250925065442e763ffe25c000207ea-r_w649@rts-flowmailer.siemens.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
Received: from mta-64-225.siemens.flowmailer.net
(mta-64-225.siemens.flowmailer.net. [185.136.64.225])
by gmr-mx.google.com with ESMTPS id
98e67ed59e1d1-3342a2bd92dsi83296a91.0.2025.09.24.23.54.44
for <isar-users@googlegroups.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Wed, 24 Sep 2025 23:54:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of
fm-1212295-20250925065442e763ffe25c000207ea-r_w649@rts-flowmailer.siemens.com
designates 185.136.64.225 as permitted sender) client-ip=185.136.64.225;
Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id
20250925065442e763ffe25c000207ea
for <isar-users@googlegroups.com>;
Thu, 25 Sep 2025 08:54:42 +0200
From: "'Cedric Hombourger' via isar-users" <isar-users@googlegroups.com>
To: isar-users@googlegroups.com
Cc: Cedric Hombourger <cedric.hombourger@siemens.com>
Subject: [PATCH v4 0/4] non-privileged commands in chroot
Date: Thu, 25 Sep 2025 08:54:20 +0200
Message-ID: <20250925065433.4180883-1-cedric.hombourger@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-1212295:519-21489:flowmailer
X-Original-Sender: cedric.hombourger@siemens.com
X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass
header.i=@siemens.com header.s=fm1 header.b="XkOUxEd/"; spf=pass
(google.com: domain of
fm-1212295-20250925065442e763ffe25c000207ea-r_w649@rts-flowmailer.siemens.com
designates 185.136.64.225 as permitted sender)
smtp.mailfrom=fm-1212295-20250925065442e763ffe25c000207ea-r_w649@rts-flowmailer.siemens.com;
dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
X-Original-From: Cedric Hombourger <cedric.hombourger@siemens.com>
Reply-To: Cedric Hombourger <cedric.hombourger@siemens.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: list
Mailing-list: list isar-users@googlegroups.com;
contact isar-users+owners@googlegroups.com
List-ID: <isar-users.googlegroups.com>
X-Spam-Checked-In-Group: isar-users@googlegroups.com
X-Google-Group-Id: 914930254986
List-Post: <https://groups.google.com/group/isar-users/post>,
<mailto:isar-users@googlegroups.com>
List-Help: <https://groups.google.com/support/>,
<mailto:isar-users+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/isar-users
List-Subscribe: <https://groups.google.com/group/isar-users/subscribe>,
<mailto:isar-users+subscribe@googlegroups.com>
List-Unsubscribe:
<mailto:googlegroups-manage+914930254986+unsubscribe@googlegroups.com>,
<https://groups.google.com/group/isar-users/subscribe>
X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS
autolearn=unavailable autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
|
| Series |
non-privileged commands in chroot
|
expand
|
When building root filesystems for foreign architectures with package source caching enabled, apt operations are executed within the rootfs through QEMU emulation. This results in significantly degraded performance, particularly when downloading source packages sequentially. This patch series introduces a new wrapper function that enables native command execution against a rootfs while preserving special mount points (such as /isar-apt). The approach: - Improves build performance for foreign architecture builds - Maintains filesystem isolation using bubblewrap - Preserves access to special mount points required by isar Additional notes: - rootfs_cmd may be used to run commands from the host root file-system: use with extreme care to avoid host contamination problems. - mmdebstrap already calls apt-get of the host to download packages (in other words, a build of a bookworm image from a trixie host will result in mmdebstrap (from trixie), call apt-get (from trixie) to download bookworm packages. This is the behavior we have before and after these changes. - With these changes and when caching of Debian source packages is enabled/requested, Isar will use apt-get of the host to download source packages (it will however do this from a bubblewrap'ed environment to avoid a non-required privilege elevation; Isar has many but we need to start from somewhere). Testing: - Tested against 9e62337953fbb8371c846c44e8a99d62a8d220ba - Basic smoke tests performed successfully (citest.py -t fast) - Performance improvements observed in source package acquisition - Tested with various foreign architecture configurations Dependencies: - Adds bubblewrap as a new host tool requirement - Uses kas-container 4.8.0 or later (see [1]) Changes since v3 patch: - drop image-postproc-extension patches (refactoring and use of rootfs_cmd). They are not strictly needed and were only meant to provide another potential use of rootfs_cmd. - Rebase changes to RECIPE-API-CHANGELOG.md and added a few extra words about the motivation. Changes since v2 patch: - rootfs_install_pkgs_download will no longer use sudo to run apt-get install --download-only. This was added to further demonstrate/test rootfs_cmd in existing Isar code. Changes since v1 patch: - Rebase (resolve RECIPE-API-CHANGELOG.md merge conflicts) - Prefix rootfs variable in rootfs_cmd with bwrap to avoid clashes Changes since RFC patch: - Let caller decide where to bind-mount the rootfs to - Make the rootfs argument optional - Support 32-bit rootfs (no lib64 there) Test Results (avocado started from a kas-container version 4.8.1): (01/22) citest.py:DevTest.test_dev: STARTED (01/22) citest.py:DevTest.test_dev: PASS (1132.17 s) (02/22) citest.py:DevTest.test_dev_apps: STARTED (02/22) citest.py:DevTest.test_dev_apps: PASS (845.24 s) (03/22) citest.py:DevTest.test_dev_rebuild: STARTED (03/22) citest.py:DevTest.test_dev_rebuild: PASS (689.53 s) (04/22) citest.py:DevTest.test_dev_run_amd64_bookworm: STARTED (04/22) citest.py:DevTest.test_dev_run_amd64_bookworm: PASS (53.79 s) (05/22) citest.py:DevTest.test_dev_run_arm64_bookworm: STARTED (05/22) citest.py:DevTest.test_dev_run_arm64_bookworm: PASS (32.64 s) (06/22) citest.py:DevTest.test_dev_run_arm_bookworm: STARTED (06/22) citest.py:DevTest.test_dev_run_arm_bookworm: PASS (34.15 s) (07/22) citest.py:CrossTest.test_cross: STARTED (07/22) citest.py:CrossTest.test_cross: PASS (488.24 s) (08/22) citest.py:CrossTest.test_cross_debsrc: STARTED (08/22) citest.py:CrossTest.test_cross_debsrc: PASS (1409.06 s) (09/22) citest.py:CrossTest.test_cross_trixie: STARTED (09/22) citest.py:CrossTest.test_cross_trixie: PASS (216.54 s) (10/22) citest.py:CrossTest.test_cross_kselftest: STARTED (10/22) citest.py:CrossTest.test_cross_kselftest: PASS (340.48 s) (11/22) citest.py:CrossTest.test_cross_rpi: STARTED (11/22) citest.py:CrossTest.test_cross_rpi: PASS (1053.48 s) (12/22) citest.py:VmBootTestFast.test_arm_bullseye: STARTED (12/22) citest.py:VmBootTestFast.test_arm_bullseye: PASS (41.03 s) (13/22) citest.py:VmBootTestFast.test_arm_bullseye_example_module: STARTED (13/22) citest.py:VmBootTestFast.test_arm_bullseye_example_module: PASS (7.07 s) (14/22) citest.py:VmBootTestFast.test_arm_bullseye_getty_target: STARTED (14/22) citest.py:VmBootTestFast.test_arm_bullseye_getty_target: PASS (7.82 s) (15/22) citest.py:VmBootTestFast.test_arm_buster: STARTED (15/22) citest.py:VmBootTestFast.test_arm_buster: PASS (37.54 s) (16/22) citest.py:VmBootTestFast.test_arm_buster_getty_target: STARTED (16/22) citest.py:VmBootTestFast.test_arm_buster_getty_target: PASS (6.79 s) (17/22) citest.py:VmBootTestFast.test_arm_buster_example_module: STARTED (17/22) citest.py:VmBootTestFast.test_arm_buster_example_module: PASS (7.57 s) (18/22) citest.py:VmBootTestFast.test_arm_bookworm: STARTED (18/22) citest.py:VmBootTestFast.test_arm_bookworm: PASS (49.58 s) (19/22) citest.py:VmBootTestFast.test_arm_bookworm_example_module: STARTED (19/22) citest.py:VmBootTestFast.test_arm_bookworm_example_module: PASS (8.06 s) (20/22) citest.py:VmBootTestFast.test_arm_bookworm_getty_target: STARTED (20/22) citest.py:VmBootTestFast.test_arm_bookworm_getty_target: PASS (8.18 s) (21/22) citest.py:VmBootTestFast.test_amd64_trixie: STARTED (21/22) citest.py:VmBootTestFast.test_amd64_trixie: PASS (37.14 s) (22/22) citest.py:VmBootTestFast.test_arm64_trixie: STARTED (22/22) citest.py:VmBootTestFast.test_arm64_trixie: PASS (41.79 s) RESULTS : PASS 22 | ERROR 0 | FAIL 0 | SKIP 0 | WARN 0 | INTERRUPT 0 | CANCEL 0 JOB TIME : 6585.87 s cedric.hombourger@siemens.com (4): rootfs: introduce wrapper to run commands against a rootfs deb-dl-dir: optimize caching of source packages using apt natively bootstrap: create lock for downloads/deb without sudo rootfs: do not get elevated privileges when downloading packages RECIPE-API-CHANGELOG.md | 8 ++ doc/user_manual.md | 1 + meta/classes/deb-dl-dir.bbclass | 58 ++++++------- meta/classes/rootfs.bbclass | 83 ++++++++++++++++++- .../isar-mmdebstrap/isar-mmdebstrap.inc | 4 + 5 files changed, 120 insertions(+), 34 deletions(-)