From patchwork Thu Feb 26 16:28:25 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Felix Moessbauer
X-Patchwork-Id: 347
From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [PATCH v1 00/16] add support to build isar unprivileged
Date: Thu, 26 Feb 2026 17:28:25 +0100
Message-ID: <20260226162843.1642329-1-felix.moessbauer@siemens.com>
X-Mailer: git-send-email 2.51.0

[ follow up of RFC v2 "add support to build isar unprivileged" ]

Dear isar-users,

currently isar requires password-less sudo and an environment where
mounting file systems is possible. This has proven problematic for
security reasons, both when running in a privileged container or locally.

To solve this, we implement fully rootless builds that rely on the
unshare syscall which allows us to avoid sudo and instead operate in
temporary kernel namespaces as a user that is just privileged within that
namespace. This comes with some challenges regarding the handling of
mounts (they are cleared when leaving the namespace), as well as cross
namespace deployments (the outer user might not be able to access the
inner data). For that, we rework the handling of mounts and artifact
passing to make it compatible with both chroot modes (schroot and
unshare).

Note, that this series can be tested on a custom kas-container build
provided in [1]. Hints how to migrate downstream layers are provided in
the API changelog.

Changes since RFC 2:

- rebased onto next
- fix usage of root_cleandirs
- simplify file permission handling by mapping caller user to root inside
  the namespace. By that, in most cases no changes to the imager are
  needed anymore.
- implement support for devshell under rootless
- switch to getpass.getuser() to query user (needed for dynamically
  created / remapped kas builder user)
- rework mapping to be more similar to mapping used by mmdebstrap
- sbuild: only copy-out of dpkg.log on schroot (unclear if needed on unshare.
  To be clarified)
- imager-sbom: ensure sbom is extracted before entering the chroot

Changes since RFC 1:

- switch build_type to isar-rootless in isar.yaml (Note: switch back if
  testing locally in an unprepared kas container)
- complete overhaul of the mounting in unshared namespaces
- fixes the systemd presetting
- fixes hangs when pulling from snapshot mirrors
- rename the run_privileged_here to run_privileged_heredoc to clarify its
  intention
- add support for
  - dpkg-source with do_fetch_common_source
  - vm images
  - container images
  - discoverable disk images
- add helper script to clean build dir in unprivileged mode
- reduce clutter we leave after finishing a build
- fix issues when running in a privileged environment without sub user ids
- bugfixes

Still missing is the support for the devshell. Further, the rootless
build dir must not reside in a git worktree (a normal git dir is fine).
This is probably a bug in combination with kas-container.

[1] https://groups.google.com/g/kas-devel/c/NWQFCU2aUHg

Best regards,
Felix Moessbauer
Siemens AG

Felix Moessbauer (15):
  refactor bootstrap: store rootfs tar with user permissions
  deb-dl-dir: export without root privileges
  download debs without locking
  introduce wrappers for privileged execution
  bootstrap: move cleanup trap to function
  rootfs: rework sstate caching of rootfs artifact
  rootfs_generate_initramfs: rework deployment to avoid chowning
  use bitbake function to generate mounting scripts
  apt-fetcher: prepare for chroot specific fetching
  add support for fully rootless builds
  add helper script to clean artifacts in build dir
  apt-fetcher: implement support for unshare backend
  dpkg-source: implement multiarch support for unshare backend
  use copy of sbom-chroot for sbom creation
  add support for devshell on unshare backend

 Kconfig                                       |   2 +-
 RECIPE-API-CHANGELOG.md                       |  42 ++++
 doc/user_manual.md                            |   2 +
 kas/isar.yaml                                 |   2 +-
 meta/classes-global/base.bbclass              | 122 ++++++++++-
 meta/classes-recipe/deb-dl-dir.bbclass        |  20 +-
 meta/classes-recipe/dpkg-base.bbclass         |  94 ++++++--
 meta/classes-recipe/dpkg-source.bbclass       |  40 +++-
 meta/classes-recipe/dpkg.bbclass              |  17 +-
 .../image-account-extension.bbclass           |   4 +-
 .../image-locales-extension.bbclass           |  13 +-
 .../image-postproc-extension.bbclass          |  30 +--
 .../image-tools-extension.bbclass             |  87 +++++++-
 meta/classes-recipe/image.bbclass             |  21 +-
 .../imagetypes_container.bbclass              |  28 +--
 meta/classes-recipe/imagetypes_wic.bbclass    |  10 +-
 meta/classes-recipe/rootfs.bbclass            | 202 +++++++++---------
 meta/classes-recipe/sbuild.bbclass            |  34 ++-
 meta/classes-recipe/sdk.bbclass               |  22 +-
 meta/classes/sbom.bbclass                     |  28 ++-
 meta/conf/bitbake.conf                        |   7 +-
 meta/lib/aptsrc_fetcher.py                    |  87 +++++++-
 .../isar-mmdebstrap/isar-mmdebstrap.inc       |  46 ++--
 .../sbom-chroot/sbom-chroot.bb                |  11 +-
 .../sbuild-chroot/sbuild-chroot.inc           |  24 ++-
 scripts/isar-clean-builddir                   |  73 +++++++
 .../unittests/test_image_account_extension.py |   9 +-
 27 files changed, 840 insertions(+), 237 deletions(-)
 create mode 100755 scripts/isar-clean-builddir
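
The ID mapping the cover letter describes (caller mapped to root inside the namespace, with subordinate IDs for everything else), sketched as an added example that is not code from this series or from mmdebstrap. The map layout, the helper names and the sample /etc/subuid content are assumptions for illustration; the translation shows why files written by a non-root inner user end up owned by a subordinate UID that the outer user cannot access directly.

```python
from typing import List, NamedTuple, Optional

# Constructed sample /etc/subuid content; "builder" is a hypothetical user.
SAMPLE_SUBUID = "# name:start:count\nother:100000:65536\nbuilder:231072:65536\n"


class Extent(NamedTuple):
    inner: int  # first ID inside the user namespace
    outer: int  # first ID as seen from the parent namespace
    count: int  # number of consecutive IDs covered


def subid_range(subuid_text: str, user: str) -> Extent:
    """Return the first subordinate range delegated to `user`."""
    for line in subuid_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            # Inner IDs start at 1 because inner 0 is taken by the caller.
            return Extent(1, int(fields[1]), int(fields[2]))
    raise LookupError(f"no subordinate IDs delegated to {user!r}")


def build_uid_map(caller_uid: int, subuid_text: str, user: str) -> List[Extent]:
    """Assumed layout: caller -> inner root, delegated range -> inner 1..N."""
    return [Extent(0, caller_uid, 1), subid_range(subuid_text, user)]


def to_outer(uid_map: List[Extent], inner_uid: int) -> Optional[int]:
    """Translate an inner UID to the file owner the parent namespace sees."""
    for ext in uid_map:
        if ext.inner <= inner_uid < ext.inner + ext.count:
            return ext.outer + (inner_uid - ext.inner)
    return None  # unmapped: this ID cannot be used inside the namespace


def newuidmap_args(pid: int, uid_map: List[Extent]) -> List[str]:
    """Argument vector for newuidmap(1): pid, then inner/outer/count triples."""
    args = ["newuidmap", str(pid)]
    for ext in uid_map:
        args += [str(ext.inner), str(ext.outer), str(ext.count)]
    return args


if __name__ == "__main__":
    uid_map = build_uid_map(1000, SAMPLE_SUBUID, "builder")
    print(" ".join(newuidmap_args(4242, uid_map)))
    for inner in (0, 1, 33, 65537):
        print(f"inner uid {inner} -> outer uid {to_outer(uid_map, inner)}")
```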