From patchwork Mon Jun 1 11:34:47 2026
From: Felix Moessbauer <felix.moessbauer@siemens.com> (via isar-users)
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [PATCH v4 00/17] add support to build isar unprivileged
Date: Mon, 1 Jun 2026 13:34:47 +0200
Message-ID: <20260601113505.2898877-1-felix.moessbauer@siemens.com>
Dear isar-users,

currently isar requires password-less sudo and an environment where mounting
file systems is possible. This has proven problematic for security reasons,
both when running in a privileged container or locally.

To solve this, we implement fully rootless builds that rely on the unshare
syscall, which allows us to avoid sudo and instead operate in temporary kernel
namespaces as a user that is just privileged within that namespace. This comes
with some challenges regarding the handling of mounts (they are cleared when
leaving the namespace), as well as cross-namespace deployments (the outer user
might not be able to access the inner data). For that, we rework the handling
of mounts and artifact passing to make it compatible with both chroot modes
(schroot and unshare).

Note that this series can be tested on a custom kas-container build provided
in [1]. Hints on how to migrate downstream layers are provided in the API
changelog.
Changes since PATCH v3:
- fix dracut initrd build issue (p7)
- testsuite: print if rootless mode is used in summary
- testsuite: append newline after ISAR_ROOTLESS = "1" in ci config
- run-tests.sh: catch -p rootless=1 flag and start container in rootless mode
  (requires a not-yet released kas-container, corresponding kas patches are
  currently under review)

Changes since PATCH v2:
- add support for cached base apt
- rootfs sstate: do not rely on fd3 for copy out, as not always available
- sbom: use local copy of sbom rootfs to not leave shared instance behind
- testsuite: add parameter to run in rootless mode
- rebased onto v1.0

Changes since PATCH v1:
- fixed broken rebase onto next
- fix root_cleandirs implementation

NOTE: This requires the kas series (v3) from [1] for rootless building.

Changes since RFC 2:
- rebased onto next
- fix usage of root_cleandirs
- simplify file permission handling by mapping caller user to root inside the
  namespace. By that, in most cases no changes to the imager are needed
  anymore.
- implement support for devshell under rootless
- switch to getpass.getuser() to query user (needed for dynamically created /
  remapped kas builder user)
- rework mapping to be more similar to mapping used by mmdebstrap
- sbuild: only copy-out of dpkg.log on schroot (unclear if needed on unshare.
  To be clarified)
- imager-sbom: ensure sbom is extracted before entering the chroot

Changes since RFC 1:
- switch build_type to isar-rootless in isar.yaml (Note: switch back if
  testing locally in an unprepared kas container)
- complete overhaul of the mounting in unshared namespaces
- fixes the systemd presetting
- fixes hangs when pulling from snapshot mirrors
- rename the run_privileged_here to run_privileged_heredoc to clarify its
  intention
- add support for
  - dpkg-source with do_fetch_common_source
  - vm images
  - container images
  - discoverable disk images
- add helper script to clean build dir in unprivileged mode
- reduce clutter we leave after finishing a build
- fix issues when running in a privileged environment without sub user ids
- bugfixes

Note that the rootless build dir must not reside in a git worktree (a normal
git dir is fine). This is probably a bug in combination with kas-container.

[1] https://groups.google.com/g/kas-devel/c/NWQFCU2aUHg

Best regards,
Felix Moessbauer
Siemens AG

Felix Moessbauer (17):
  refactor bootstrap: store rootfs tar with user permissions
  deb-dl-dir: export without root privileges
  download debs without locking
  introduce wrappers for privileged execution
  bootstrap: move cleanup trap to function
  rootfs: rework sstate caching of rootfs artifact
  rootfs_generate_initramfs: rework deployment to avoid chowning
  use bitbake function to generate mounting scripts
  apt-fetcher: prepare for chroot specific fetching
  add support for fully rootless builds
  add helper script to clean artifacts in build dir
  apt-fetcher: implement support for unshare backend
  dpkg-source: implement multiarch support for unshare backend
  use copy of sbom-chroot for sbom creation
  add support for devshell on unshare backend
  testsuite: add parameter to run tests in rootless mode
  run-tests: add support for isar-rootless mode

 Kconfig                                         |   2 +-
 RECIPE-API-CHANGELOG.md                         |  42 ++++
 doc/user_manual.md                              |   2 +
 kas/isar.yaml                                   |   2 +-
 meta/classes-global/base.bbclass                | 124 ++++++++++-
 meta/classes-recipe/deb-dl-dir.bbclass          |  24 ++-
 meta/classes-recipe/dpkg-base.bbclass           |  94 ++++++--
 meta/classes-recipe/dpkg-source.bbclass         |  40 +++-
 meta/classes-recipe/dpkg.bbclass                |  19 +-
 .../image-account-extension.bbclass             |   4 +-
 .../image-locales-extension.bbclass             |  13 +-
 .../image-postproc-extension.bbclass            |  30 +--
 .../image-tools-extension.bbclass               | 114 +++++++++-
 meta/classes-recipe/image.bbclass               |  21 +-
 .../imagetypes_container.bbclass                |  28 +--
 meta/classes-recipe/imagetypes_wic.bbclass      |  10 +-
 meta/classes-recipe/rootfs.bbclass              | 204 +++++++++---------
 meta/classes-recipe/sbuild.bbclass              |  34 ++-
 meta/classes-recipe/sdk.bbclass                 |  22 +-
 meta/classes/sbom.bbclass                       |  28 ++-
 meta/conf/bitbake.conf                          |   7 +-
 meta/lib/aptsrc_fetcher.py                      |  87 +++++++-
 .../isar-mmdebstrap/isar-mmdebstrap.inc         |  55 +++--
 .../sbom-chroot/sbom-chroot.bb                  |  11 +-
 .../sbuild-chroot/sbuild-chroot.inc             |  24 ++-
 scripts/isar-clean-builddir                     |  73 +++++++
 scripts/run-tests.sh                            |   7 +-
 testsuite/cibuilder.py                          |   7 +
 .../unittests/test_image_account_extension.py   |   9 +-
 29 files changed, 890 insertions(+), 247 deletions(-)
 create mode 100755 scripts/isar-clean-builddir
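The cover letter describes the mechanism only in words: unshare() into a temporary user and mount namespace, map the calling user to root inside it, accept that mounts made there are cleared when the namespace ends, and deal with the outer user's view of what was created inside. The following C program is an added illustration of exactly that mechanism; it is not code from this series, from isar or from kas. The function names (format_id_map, enter_rootless_namespace, run_rootless_demo), the DEMO_* result codes and the scratch directory under /tmp are all assumptions made for this example. It uses the simplest possible mapping (the caller alone becomes uid/gid 0, as unshare -r does); a real build that must chown files to other users additionally needs subordinate id ranges, which is the "privileged environment without sub user ids" case the changelog mentions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>
enum { DEMO_OK = 0, DEMO_FAIL = 1, DEMO_UNSUPPORTED = 2 };   /* result codes (constructed) */

/* One-line "/proc/self/{uid,gid}_map" entry "inner outer count". Mapping inner id 0 to the
 * caller's outer id makes the caller root inside while files stay owned by it outside. */
int format_id_map(char *buf, size_t len, unsigned inner, unsigned outer, unsigned count)
{
    int n = snprintf(buf, len, "%u %u %u\n", inner, outer, count);
    return (n < 0 || (size_t)n >= len) ? -1 : n;   /* bytes written, or -1 on overflow */
}

/* Write text to /proc/self/<name>; 0 on success, -1 (errno set) otherwise. */
static int write_proc_self(const char *name, const char *text)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", name);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text);
    close(fd);
    return ok ? 0 : -1;
}

/* Enter a fresh user + mount namespace with the caller mapped to uid/gid 0; no sudo involved.
 * Returns 0, or -1 with errno set (EPERM/EACCES/EINVAL/ENOSYS/ENOSPC: namespaces forbidden). */
int enter_rootless_namespace(void)
{
    char map[64];
    unsigned uid = getuid(), gid = getgid();
    if (unshare(CLONE_NEWUSER | CLONE_NEWNS) < 0) return -1;
    /* An unprivileged namespace must deny setgroups before gid_map may be written. */
    if (write_proc_self("setgroups", "deny") < 0) return -1;
    format_id_map(map, sizeof map, 0, uid, 1);
    if (write_proc_self("uid_map", map) < 0) return -1;
    format_id_map(map, sizeof map, 0, gid, 1);
    return write_proc_self("gid_map", map);
}

static int touch(const char *p)                    /* create an empty file; 0 on success */
{
    int fd = open(p, O_CREAT | O_EXCL | O_WRONLY, 0644);
    return fd < 0 ? -1 : close(fd);
}

/* Child: become root inside, create a file "as root" on the shared disk, then mount a tmpfs
 * that exists only in this mount namespace and is cleared when the child exits. */
static int namespace_child(const char *dir)
{
    char path[256];
    if (enter_rootless_namespace() < 0)
        return (errno == EPERM || errno == EACCES || errno == EINVAL || errno == ENOSYS ||
                errno == ENOSPC) ? DEMO_UNSUPPORTED : DEMO_FAIL;
    if (getuid() != 0 || getgid() != 0) return DEMO_FAIL;   /* root inside, without any sudo */
    snprintf(path, sizeof path, "%s/created-as-root", dir);
    if (touch(path) < 0 || mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) return DEMO_FAIL;
    snprintf(path, sizeof path, "%s/mnt", dir);
    if (mkdir(path, 0755) < 0 || mount("tmpfs", path, "tmpfs", 0, "size=1m") < 0) return DEMO_FAIL;
    snprintf(path, sizeof path, "%s/mnt/only-inside", dir);
    return touch(path) < 0 ? DEMO_FAIL : DEMO_OK;
}

/* Fork the child so our own namespaces stay untouched, then check the outer view: the file
 * created "as root" belongs to the unprivileged caller and nothing of the tmpfs survives. */
int run_rootless_demo(void)
{
    char dir[] = "/tmp/rootless-demo-XXXXXX", file[256], mnt[256], inner[256];
    struct stat st;
    int status = 0, rc = DEMO_FAIL;
    if (!mkdtemp(dir)) return DEMO_FAIL;
    pid_t pid = fork();
    if (pid == 0) _exit(namespace_child(dir));
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status);
    snprintf(file, sizeof file, "%s/created-as-root", dir);
    snprintf(mnt, sizeof mnt, "%s/mnt", dir);
    snprintf(inner, sizeof inner, "%s/only-inside", mnt);
    if (rc == DEMO_OK && (stat(file, &st) < 0 || st.st_uid != getuid()))
        rc = DEMO_FAIL;                             /* inner root is the outer caller */
    if (rc == DEMO_OK && stat(inner, &st) == 0)
        rc = DEMO_FAIL;                             /* tmpfs went away with the namespace */
    unlink(file); rmdir(mnt); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_rootless_demo();
    printf("rootless demo: %s\n", rc == DEMO_OK ? "ok" : rc == DEMO_UNSUPPORTED ? "unsupported" : "FAILED");
    return rc;
}
```

Build it with cc -o rootless-demo rootless-demo.c and run it as an ordinary user. A result of DEMO_OK shows the two properties the cover letter works around: the file written "as root" inside is owned by the plain caller outside (so no chown back is needed), and the tmpfs mounted inside leaves no trace once the namespace is gone (so anything a build wants to keep has to be copied out before leaving it). DEMO_UNSUPPORTED means the kernel, a sysctl, a seccomp profile or an LSM policy forbids unprivileged user namespaces in this environment, which is the same situation that forces the schroot fallback.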