| Message ID | 20250519115750.3195300-2-cedric.hombourger@siemens.com |
|---|---|
| State | Under Review |
| Series | non-privileged commands in chroot |
On Mon, 2025-05-19 at 13:57 +0200, Cedric Hombourger wrote:
> "sudo chroot" is used in several places to run commands inside rootfs
> directories constructed by Isar. There are cases where a command could
> be used without elevated privileges as long as special folders such as
> /isar-apt are mounted (they are often referenced as /isar-apt in
> configuration files found in the target rootfs). For such cases,
> bubblewrap may be used to create a non-privileged namespace (either
> in a bare/native environment or within a docker/podman container)
> where the command will be executed as if chroot had been used. The
> rootfs may also be the host root file-system: this should however
> be used with care to avoid host contamination problems (note: Isar
> already relies on a number of host tools).

Hi, this looks promising. I gave it a try on some of our internal
layers (arm64) in a custom kas container under podman.

I'm wondering if this could also be used to run the apt in
do_rootfs_install natively (maybe in combination with dpkg --root).

Tested-by: Felix Moessbauer <felix.moessbauer@siemens.com>

Felix

> Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com> > --- > RECIPE-API-CHANGELOG.md | 6 ++++ > doc/user_manual.md | 1 + > meta/classes/rootfs.bbclass | 66 > +++++++++++++++++++++++++++++++++++++ > 3 files changed, 73 insertions(+) > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index a4cf1338..725737b2 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -722,3 +722,9 @@ Optional fields of the isar-apt repo can be > controlled by adding to the > > Changes in next > --------------- > + > +### Require bubblewrap to run non-privileged commands with bind- > mounts > + > +Isar occasionally needs to run commands within root file-systems > that it > +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may > be > +used in Isar classes instead of `sudo chroot`.
> diff --git a/doc/user_manual.md b/doc/user_manual.md > index 0dc317c3..3cf1a9aa 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md > @@ -75,6 +75,7 @@ Install the following packages: > ``` > apt install \ > binfmt-support \ > + bubblewrap \ > bzip2 \ > mmdebstrap \ > arch-test \ > diff --git a/meta/classes/rootfs.bbclass > b/meta/classes/rootfs.bbclass > index 5f877962..5b96b414 100644 > --- a/meta/classes/rootfs.bbclass > +++ b/meta/classes/rootfs.bbclass 
> @@ -34,6 +34,72 @@ export LANG = "C" > export LANGUAGE = "C" > export LC_ALL = "C" > > +# Execute a command against a rootfs and with isar-apt bind-mounted. > +# Additional mounts may be specified using --bind <source> <target> > and a > +# custom directory for the command to be executed with --chdir > <dir>. The > +# command is assumed to follow the special "--" argument. This would > replace > +# "sudo chroot" calls especially when a native command may be used > instead of > +# chroot'ed command and without elevated privileges (the command > will likely > +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). If > the > +# optional rootfs argument is omitted, the host rootfs will be used > (e.g. to > +# run native commands): this should be used with care. > +# > +# Usage: rootfs_cmd [options] [rootfs] -- command > +# > +rootfs_cmd() { > + set -- "$@" > + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" > + rootfs="" > + > + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do > + case "${1}" in > + --bind) > + if [ "${#}" -lt "3" ]; then > + bbfatal "--bind requires two arguments" > + fi > + bwrap_args="${bwrap_args} --bind ${2} ${3}" > + shift 3 > + ;; > + --chdir) > + if [ "${#}" -lt "2" ]; then > + bbfatal "${1} requires an argument" > + fi > + bwrap_args="${bwrap_args} ${1} ${2}" > + shift 2 > + ;; > + -*) > + bbfatal "${1} is not a supported option!" 
> + ;; > + *) > + if [ -z "${rootfs}" ]; then > + rootfs="${1}" > + shift > + else > + bbfatal "unexpected argument '${1}'" > + fi > + ;; > + esac > + done > + > + if [ -n "${rootfs}" ]; then > + bwrap_args="${bwrap_args} --bind ${rootfs} ${rootfs}" > + fi > + > + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then > + bbfatal "no command specified (missing --)" > + fi > + shift # remove "--", command and its arguments follows > + > + for ro_d in bin etc lib lib64 sys usr var; do > + [ -d ${rootfs}/${ro_d} ] || continue > + bwrap_args="${bwrap_args} --ro-bind ${rootfs}/${ro_d} > /${ro_d}" > + done > + > + bwrap --unshare-user --unshare-pid ${bwrap_args} \ > + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ > + -- "${@}" > +} > + > rootfs_do_mounts[weight] = "3" > rootfs_do_mounts() { > sudo -s <<'EOSUDO'
On Thu, 2025-05-22 at 14:32 +0000, Moessbauer, Felix (FT RPD CED OES-DE) wrote:
> On Mon, 2025-05-19 at 13:57 +0200, Cedric Hombourger wrote:
> > "sudo chroot" is used in several places to run commands inside rootfs
> > directories constructed by Isar. There are cases where a command could
> > be used without elevated privileges as long as special folders such as
> > /isar-apt are mounted (they are often referenced as /isar-apt in
> > configuration files found in the target rootfs). For such cases,
> > bubblewrap may be used to create a non-privileged namespace (either
> > in a bare/native environment or within a docker/podman container)
> > where the command will be executed as if chroot had been used. The
> > rootfs may also be the host root file-system: this should however
> > be used with care to avoid host contamination problems (note: Isar
> > already relies on a number of host tools).
>
> Hi, this looks promising. I gave it a try on some of our internal
> layers (arm64) in a custom kas container under podman.
>
> I'm wondering if this could also be used to run the apt in
> do_rootfs_install natively (maybe in combination with dpkg --root).
>
> Tested-by: Felix Moessbauer <felix.moessbauer@siemens.com>

Dear maintainers, can we move forward with these changes or are there
any concerns that need to be addressed?

Thank you!

> Felix
>
> > Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com> > > --- > > RECIPE-API-CHANGELOG.md | 6 ++++ > > doc/user_manual.md | 1 + > > meta/classes/rootfs.bbclass | 66 > > +++++++++++++++++++++++++++++++++++++ > > 3 files changed, 73 insertions(+) > > > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > > index a4cf1338..725737b2 100644 > > --- a/RECIPE-API-CHANGELOG.md > > +++ b/RECIPE-API-CHANGELOG.md
> > @@ -722,3 +722,9 @@ Optional fields of the isar-apt repo can be > > controlled by adding to the > > > > Changes in next > > --------------- > > + > > +### Require bubblewrap to run non-privileged commands with bind- > > mounts > > + > > +Isar occasionally needs to run commands within root file-systems > > that it > > +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap > > may > > be > > +used in Isar classes instead of `sudo chroot`. > > diff --git a/doc/user_manual.md b/doc/user_manual.md > > index 0dc317c3..3cf1a9aa 100644 > > --- a/doc/user_manual.md > > +++ b/doc/user_manual.md > > @@ -75,6 +75,7 @@ Install the following packages: > > ``` > > apt install \ > > binfmt-support \ > > + bubblewrap \ > > bzip2 \ > > mmdebstrap \ > > arch-test \ > > diff --git a/meta/classes/rootfs.bbclass > > b/meta/classes/rootfs.bbclass > > index 5f877962..5b96b414 100644 > > --- a/meta/classes/rootfs.bbclass > > +++ b/meta/classes/rootfs.bbclass 
> > @@ -34,6 +34,72 @@ export LANG = "C" > > export LANGUAGE = "C" > > export LC_ALL = "C" > > > > +# Execute a command against a rootfs and with isar-apt bind- > > mounted. > > +# Additional mounts may be specified using --bind <source> > > <target> > > and a > > +# custom directory for the command to be executed with --chdir > > <dir>. The > > +# command is assumed to follow the special "--" argument. This > > would > > replace > > +# "sudo chroot" calls especially when a native command may be used > > instead of > > +# chroot'ed command and without elevated privileges (the command > > will likely > > +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). > > If > > the > > +# optional rootfs argument is omitted, the host rootfs will be > > used > > (e.g. to > > +# run native commands): this should be used with care. > > +# > > +# Usage: rootfs_cmd [options] [rootfs] -- command > > +# > > +rootfs_cmd() { > > + set -- "$@" > > + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" > > + rootfs="" > > + > > + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do > > + case "${1}" in > > + --bind) > > + if [ "${#}" -lt "3" ]; then > > + bbfatal "--bind requires two arguments" > > + fi > > + bwrap_args="${bwrap_args} --bind ${2} ${3}" > > + shift 3 > > + ;; > > + --chdir) > > + if [ "${#}" -lt "2" ]; then > > + bbfatal "${1} requires an argument" > > + fi > > + bwrap_args="${bwrap_args} ${1} ${2}" > > + shift 2 > > + ;; > > + -*) > > + bbfatal "${1} is not a supported option!" 
> > + ;; > > + *) > > + if [ -z "${rootfs}" ]; then > > + rootfs="${1}" > > + shift > > + else > > + bbfatal "unexpected argument '${1}'" > > + fi > > + ;; > > + esac > > + done > > + > > + if [ -n "${rootfs}" ]; then > > + bwrap_args="${bwrap_args} --bind ${rootfs} ${rootfs}" > > + fi > > + > > + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then > > + bbfatal "no command specified (missing --)" > > + fi > > + shift # remove "--", command and its arguments follows > > + > > + for ro_d in bin etc lib lib64 sys usr var; do > > + [ -d ${rootfs}/${ro_d} ] || continue > > + bwrap_args="${bwrap_args} --ro-bind ${rootfs}/${ro_d} > > /${ro_d}" > > + done > > + > > + bwrap --unshare-user --unshare-pid ${bwrap_args} \ > > + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ > > + -- "${@}" > > +} > > + > > rootfs_do_mounts[weight] = "3" > > rootfs_do_mounts() { > > sudo -s <<'EOSUDO' >
On Thu, 2025-06-05 at 06:42 +0000, Hombourger, Cedric (FT FDS CES LX) wrote:
> On Thu, 2025-05-22 at 14:32 +0000, Moessbauer, Felix (FT RPD CED OES-DE) wrote:
> > On Mon, 2025-05-19 at 13:57 +0200, Cedric Hombourger wrote:
> > > "sudo chroot" is used in several places to run commands inside rootfs
> > > directories constructed by Isar. There are cases where a command could
> > > be used without elevated privileges as long as special folders such as
> > > /isar-apt are mounted (they are often referenced as /isar-apt in
> > > configuration files found in the target rootfs). For such cases,
> > > bubblewrap may be used to create a non-privileged namespace (either
> > > in a bare/native environment or within a docker/podman container)
> > > where the command will be executed as if chroot had been used. The
> > > rootfs may also be the host root file-system: this should however
> > > be used with care to avoid host contamination problems (note: Isar
> > > already relies on a number of host tools).
> >
> > Hi, this looks promising. I gave it a try on some of our internal
> > layers (arm64) in a custom kas container under podman.
> >
> > I'm wondering if this could also be used to run the apt in
> > do_rootfs_install natively (maybe in combination with dpkg --root).
> >
> > Tested-by: Felix Moessbauer <felix.moessbauer@siemens.com>
>
> Dear maintainers, can we move forward with these changes or are there
> any concerns that need to be addressed?

If we decide to integrate this (which I vote for!), we should also add
the bubblewrap package to the upcoming kas 4.8 release (putting Jan in
CC).

Felix

> Thank you!
>
> > Felix
> >
> > > Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com> > > > --- > > > RECIPE-API-CHANGELOG.md | 6 ++++ > > > doc/user_manual.md | 1 + > > > meta/classes/rootfs.bbclass | 66 > > > +++++++++++++++++++++++++++++++++++++ > > > 3 files changed, 73 insertions(+)
> > > > > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > > > index a4cf1338..725737b2 100644 > > > --- a/RECIPE-API-CHANGELOG.md > > > +++ b/RECIPE-API-CHANGELOG.md > > > @@ -722,3 +722,9 @@ Optional fields of the isar-apt repo can be > > > controlled by adding to the > > > > > > Changes in next > > > --------------- > > > + > > > +### Require bubblewrap to run non-privileged commands with bind- > > > mounts > > > + > > > +Isar occasionally needs to run commands within root file-systems > > > that it > > > +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap > > > may > > > be > > > +used in Isar classes instead of `sudo chroot`. > > > diff --git a/doc/user_manual.md b/doc/user_manual.md > > > index 0dc317c3..3cf1a9aa 100644 > > > --- a/doc/user_manual.md > > > +++ b/doc/user_manual.md > > > @@ -75,6 +75,7 @@ Install the following packages: > > > ``` > > > apt install \ > > > binfmt-support \ > > > + bubblewrap \ > > > bzip2 \ > > > mmdebstrap \ > > > arch-test \ > > > diff --git a/meta/classes/rootfs.bbclass > > > b/meta/classes/rootfs.bbclass > > > index 5f877962..5b96b414 100644 > > > --- a/meta/classes/rootfs.bbclass > > > +++ b/meta/classes/rootfs.bbclass 
> > > @@ -34,6 +34,72 @@ export LANG = "C" > > > export LANGUAGE = "C" > > > export LC_ALL = "C" > > > > > > +# Execute a command against a rootfs and with isar-apt bind- > > > mounted. > > > +# Additional mounts may be specified using --bind <source> > > > <target> > > > and a > > > +# custom directory for the command to be executed with --chdir > > > <dir>. The > > > +# command is assumed to follow the special "--" argument. This > > > would > > > replace > > > +# "sudo chroot" calls especially when a native command may be > > > used > > > instead of > > > +# chroot'ed command and without elevated privileges (the command > > > will likely > > > +# take the rootfs as argument; e.g. apt-get -o > > > Dir=${ROOTFSDIR}). > > > If > > > the > > > +# optional rootfs argument is omitted, the host rootfs will be > > > used > > > (e.g. to > > > +# run native commands): this should be used with care. > > > +# > > > +# Usage: rootfs_cmd [options] [rootfs] -- command > > > +# > > > +rootfs_cmd() { > > > + set -- "$@" > > > + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" > > > + rootfs="" > > > + > > > + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do > > > + case "${1}" in > > > + --bind) > > > + if [ "${#}" -lt "3" ]; then > > > + bbfatal "--bind requires two arguments" > > > + fi > > > + bwrap_args="${bwrap_args} --bind ${2} ${3}" > > > + shift 3 > > > + ;; > > > + --chdir) > > > + if [ "${#}" -lt "2" ]; then > > > + bbfatal "${1} requires an argument" > > > + fi > > > + bwrap_args="${bwrap_args} ${1} ${2}" > > > + shift 2 > > > + ;; > > > + -*) > > > + bbfatal "${1} is not a supported option!" 
> > > + ;; > > > + *) > > > + if [ -z "${rootfs}" ]; then > > > + rootfs="${1}" > > > + shift > > > + else > > > + bbfatal "unexpected argument '${1}'" > > > + fi > > > + ;; > > > + esac > > > + done > > > + > > > + if [ -n "${rootfs}" ]; then > > > + bwrap_args="${bwrap_args} --bind ${rootfs} ${rootfs}" > > > + fi > > > + > > > + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then > > > + bbfatal "no command specified (missing --)" > > > + fi > > > + shift # remove "--", command and its arguments follows > > > + > > > + for ro_d in bin etc lib lib64 sys usr var; do > > > + [ -d ${rootfs}/${ro_d} ] || continue > > > + bwrap_args="${bwrap_args} --ro-bind ${rootfs}/${ro_d} > > > /${ro_d}" > > > + done > > > + > > > + bwrap --unshare-user --unshare-pid ${bwrap_args} \ > > > + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ > > > + -- "${@}" > > > +} > > > + > > > rootfs_do_mounts[weight] = "3" > > > rootfs_do_mounts() { > > > sudo -s <<'EOSUDO' > > > > -- > Cedric Hombourger > Siemens AG > www.siemens.com
On 2025-06-05 12:20, 'MOESSBAUER, Felix' via isar-users wrote:
> If we decide to integrate this (which I vote for!), we should also add
> the bubblewrap package to the upcoming kas 4.8 release (putting Jan in
> CC).

Yes, that was also my question. We'll check the patches once more and
provide feedback. @Felix, would you then like to update kas first?

This would need to be touched when we'll continue working on sudo removal.
@Cedric, could this be meaningfully tested in a testcase?

With kind regards,
Baurzhan
On 19.05.25 13:57, 'Cedric Hombourger' via isar-users wrote: > "sudo chroot" is used in several places to run commands inside rootfs > directories constructed by Isar. There are cases where a command could > be used without elevated privileges as long as special folders such as > /isar-apt are mounted (they are often referenced as /isar-apt in > configuration files found in the target rootfs). For such cases, > bubblewrap may be used to create a non-privileged namespace (either > in a bare/native environment or within a docker/podman container) > where the command will be executed as if chroot had been used. The > rootfs may also be the host root file-system: this should however > be used with care to avoid host contamination problems (note: Isar > already relies on a number of host tools). > > Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com> > --- > RECIPE-API-CHANGELOG.md | 6 ++++ > doc/user_manual.md | 1 + > meta/classes/rootfs.bbclass | 66 +++++++++++++++++++++++++++++++++++++ > 3 files changed, 73 insertions(+) > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index a4cf1338..725737b2 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -722,3 +722,9 @@ Optional fields of the isar-apt repo can be controlled by adding to the > > Changes in next > --------------- > + > +### Require bubblewrap to run non-privileged commands with bind-mounts > + > +Isar occasionally needs to run commands within root file-systems that it > +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be > +used in Isar classes instead of `sudo chroot`. > diff --git a/doc/user_manual.md b/doc/user_manual.md > index 0dc317c3..3cf1a9aa 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md 
> @@ -75,6 +75,7 @@ Install the following packages: > ``` > apt install \ > binfmt-support \ > + bubblewrap \

Does the bubblewrap (and kernel features) of bullseye suffice here, or
is that a bookworm+ thing? How about buster (still listed as host)?

Jan
On Thu, 2025-06-05 at 15:57 +0200, Jan Kiszka wrote: > On 19.05.25 13:57, 'Cedric Hombourger' via isar-users wrote: > > "sudo chroot" is used in several places to run commands inside > > rootfs > > directories constructed by Isar. There are cases where a command > > could > > be used without elevated privileges as long as special folders such > > as > > /isar-apt are mounted (they are often referenced as /isar-apt in > > configuration files found in the target rootfs). For such cases, > > bubblewrap may be used to create a non-privileged namespace (either > > in a bare/native environment or within a docker/podman container) > > where the command will be executed as if chroot had been used. The > > rootfs may also be the host root file-system: this should however > > be used with care to avoid host contamination problems (note: Isar > > already relies on a number of host tools). > > > > Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com> > > --- > > RECIPE-API-CHANGELOG.md | 6 ++++ > > doc/user_manual.md | 1 + > > meta/classes/rootfs.bbclass | 66 > > +++++++++++++++++++++++++++++++++++++ > > 3 files changed, 73 insertions(+) > > > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > > index a4cf1338..725737b2 100644 > > --- a/RECIPE-API-CHANGELOG.md > > +++ b/RECIPE-API-CHANGELOG.md > > @@ -722,3 +722,9 @@ Optional fields of the isar-apt repo can be > > controlled by adding to the > > > > Changes in next > > --------------- > > + > > +### Require bubblewrap to run non-privileged commands with bind- > > mounts > > + > > +Isar occasionally needs to run commands within root file-systems > > that it > > +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap > > may be > > +used in Isar classes instead of `sudo chroot`. > > diff --git a/doc/user_manual.md b/doc/user_manual.md > > index 0dc317c3..3cf1a9aa 100644 > > --- a/doc/user_manual.md > > +++ b/doc/user_manual.md 
> > @@ -75,6 +75,7 @@ Install the following packages: > > ``` > > apt install \ > > binfmt-support \ > > + bubblewrap \
>
> Does the bubblewrap (and kernel features) of bullseye suffice here, or
> is that a bookworm+ thing? How about buster (still listed as host)?

bubblewrap has been around for ages: these older distros did support
flatpak, buster included.

https://packages.debian.org/buster/bubblewrap

> Jan
On Thu, 2025-06-05 at 14:43 +0200, Baurzhan Ismagulov wrote:
> On 2025-06-05 12:20, 'MOESSBAUER, Felix' via isar-users wrote:
> > If we decide to integrate this (which I vote for!), we should also add
> > the bubblewrap package to the upcoming kas 4.8 release (putting Jan in
> > CC).
>
> Yes, that was also my question. We'll check the patches once more and
> provide feedback. @Felix, would you then like to update kas first?
>
> This would need to be touched when we'll continue working on sudo removal.
> @Cedric, could this be meaningfully tested in a testcase?

This is tested via caching of Debian source packages but also via the
systemd version check. Are you seeking explicit tests for this new
internal API? I am asking as I was under the impression that our tests
focus on blackbox tests and not so much whitebox tests.

> With kind regards,
> Baurzhan
On 06.06.25 08:02, Hombourger, Cedric (FT FDS CES LX) wrote: > On Thu, 2025-06-05 at 15:57 +0200, Jan Kiszka wrote: >> On 19.05.25 13:57, 'Cedric Hombourger' via isar-users wrote: >>> "sudo chroot" is used in several places to run commands inside >>> rootfs >>> directories constructed by Isar. There are cases where a command >>> could >>> be used without elevated privileges as long as special folders such >>> as >>> /isar-apt are mounted (they are often referenced as /isar-apt in >>> configuration files found in the target rootfs). For such cases, >>> bubblewrap may be used to create a non-privileged namespace (either >>> in a bare/native environment or within a docker/podman container) >>> where the command will be executed as if chroot had been used. The >>> rootfs may also be the host root file-system: this should however >>> be used with care to avoid host contamination problems (note: Isar >>> already relies on a number of host tools). >>> >>> Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com> >>> --- >>> RECIPE-API-CHANGELOG.md | 6 ++++ >>> doc/user_manual.md | 1 + >>> meta/classes/rootfs.bbclass | 66 >>> +++++++++++++++++++++++++++++++++++++ >>> 3 files changed, 73 insertions(+) >>> >>> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md >>> index a4cf1338..725737b2 100644 >>> --- a/RECIPE-API-CHANGELOG.md >>> +++ b/RECIPE-API-CHANGELOG.md >>> @@ -722,3 +722,9 @@ Optional fields of the isar-apt repo can be >>> controlled by adding to the >>> >>> Changes in next >>> --------------- >>> + >>> +### Require bubblewrap to run non-privileged commands with bind- >>> mounts >>> + >>> +Isar occasionally needs to run commands within root file-systems >>> that it >>> +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap >>> may be >>> +used in Isar classes instead of `sudo chroot`. >>> diff --git a/doc/user_manual.md b/doc/user_manual.md >>> index 0dc317c3..3cf1a9aa 100644 >>> --- a/doc/user_manual.md >>> +++ b/doc/user_manual.md 
>>> @@ -75,6 +75,7 @@ Install the following packages: >>> ``` >>> apt install \ >>> binfmt-support \ >>> + bubblewrap \
>>
>> Does the bubblewrap (and kernel features) of bullseye suffice here, or
>> is that a bookworm+ thing? How about buster (still listed as host)?
>
> bubblewrap has been around for ages: these older distros did support
> flatpak. buster included.
>
> https://packages.debian.org/buster/bubblewrap

Then I suppose our CI would catch any nasty difference in our usage
compared to those standard use cases, right?

Jan
diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index a4cf1338..725737b2 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -722,3 +722,9 @@ Optional fields of the isar-apt repo can be controlled by adding to the Changes in next --------------- + +### Require bubblewrap to run non-privileged commands with bind-mounts + +Isar occasionally needs to run commands within root file-systems that it +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be +used in Isar classes instead of `sudo chroot`. diff --git a/doc/user_manual.md b/doc/user_manual.md index 0dc317c3..3cf1a9aa 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -75,6 +75,7 @@ Install the following packages: ``` apt install \ binfmt-support \ + bubblewrap \ bzip2 \ mmdebstrap \ arch-test \ diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 5f877962..5b96b414 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass 
@@ -34,6 +34,72 @@ export LANG = "C" export LANGUAGE = "C" export LC_ALL = "C" +# Execute a command against a rootfs and with isar-apt bind-mounted. +# Additional mounts may be specified using --bind <source> <target> and a +# custom directory for the command to be executed with --chdir <dir>. The +# command is assumed to follow the special "--" argument. This would replace +# "sudo chroot" calls especially when a native command may be used instead of +# chroot'ed command and without elevated privileges (the command will likely +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). If the +# optional rootfs argument is omitted, the host rootfs will be used (e.g. to +# run native commands): this should be used with care. +# +# Usage: rootfs_cmd [options] [rootfs] -- command +# +rootfs_cmd() { + set -- "$@" + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" + rootfs="" + + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do + case "${1}" in + --bind) + if [ "${#}" -lt "3" ]; then + bbfatal "--bind requires two arguments" + fi + bwrap_args="${bwrap_args} --bind ${2} ${3}" + shift 3 + ;; + --chdir) + if [ "${#}" -lt "2" ]; then + bbfatal "${1} requires an argument" + fi + bwrap_args="${bwrap_args} ${1} ${2}" + shift 2 + ;; + -*) + bbfatal "${1} is not a supported option!" 
+ ;; + *) + if [ -z "${rootfs}" ]; then + rootfs="${1}" + shift + else + bbfatal "unexpected argument '${1}'" + fi + ;; + esac + done + + if [ -n "${rootfs}" ]; then + bwrap_args="${bwrap_args} --bind ${rootfs} ${rootfs}" + fi + + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then + bbfatal "no command specified (missing --)" + fi + shift # remove "--", command and its arguments follows + + for ro_d in bin etc lib lib64 sys usr var; do + [ -d ${rootfs}/${ro_d} ] || continue + bwrap_args="${bwrap_args} --ro-bind ${rootfs}/${ro_d} /${ro_d}" + done + + bwrap --unshare-user --unshare-pid ${bwrap_args} \ + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ + -- "${@}" +} + rootfs_do_mounts[weight] = "3" rootfs_do_mounts() { sudo -s <<'EOSUDO'
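Review bot: the RECIPE-API-CHANGELOG.md hunk documents the new host dependency but not the API a layer would actually use: it should name the `rootfs_cmd` helper added to rootfs.bbclass, its calling convention (`rootfs_cmd [options] [rootfs] -- command`), and the fact that omitting the rootfs argument runs the command against the host root file-system, since that is what a class author needs to know before replacing a `sudo chroot` call. The heading `### Require bubblewrap to run non-privileged commands with bind-mounts` reads as a requirement rather than a change; something like "bubblewrap is now a required host package; use rootfs_cmd instead of sudo chroot" plus the above would be clearer.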
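Review bot: the doc/user_manual.md hunk adds `bubblewrap` to the host package list without stating a minimum version or the prerequisite that `--unshare-user` needs unprivileged user namespaces to be permitted for the build user (on the bare host and inside the docker/podman container the commit message mentions); since the thread asks whether bullseye and buster suffice, one sentence giving the supported range and that prerequisite next to the package list would answer the question for the next reader.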
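Review bot: in the rootfs.bbclass hunk the host-rootfs case (rootfs argument omitted) is only half handled: `--bind ${rootfs} ${rootfs}` is skipped, but the loop `for ro_d in bin etc lib lib64 sys usr var` still runs with `${rootfs}` empty and read-only binds the host's `/bin`, `/etc`, `/lib`, `/lib64`, `/sys`, `/usr` and `/var`, so a native command sees those host directories plus `/dev`, `/proc`, a fresh `/tmp` and `/isar-apt` and nothing else; the build tree (e.g. the `${ROOTFSDIR}` passed via `-o Dir=`), the caller's working directory and `/run` are invisible unless the caller adds them with `--bind`. Either state this in the usage comment or require an explicit `--bind` when no rootfs is given, rather than silently producing a partial root. Smaller points in the same hunk: `set -- "$@"` is a no-op and can be dropped; `bwrap_args` is a single string expanded unquoted in `bwrap --unshare-user --unshare-pid ${bwrap_args} \`, so a `REPO_ISAR_DIR`, rootfs path or `--bind` operand containing whitespace or glob characters is split or globbed (quote the `[ -d ${rootfs}/${ro_d} ]` test at least and document the no-whitespace constraint); and adding `--die-with-parent` to the `bwrap` invocation would avoid leaving the sandboxed command running when the bitbake task is killed.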
"sudo chroot" is used in several places to run commands inside rootfs
directories constructed by Isar. There are cases where a command could
be used without elevated privileges as long as special folders such as
/isar-apt are mounted (they are often referenced as /isar-apt in
configuration files found in the target rootfs). For such cases,
bubblewrap may be used to create a non-privileged namespace (either
in a bare/native environment or within a docker/podman container)
where the command will be executed as if chroot had been used. The
rootfs may also be the host root file-system: this should however
be used with care to avoid host contamination problems (note: Isar
already relies on a number of host tools).

Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
---
 RECIPE-API-CHANGELOG.md | 6 ++++
 doc/user_manual.md | 1 +
 meta/classes/rootfs.bbclass | 66 +++++++++++++++++++++++++++++++++++++
 3 files changed, 73 insertions(+)