From patchwork Mon May 19 11:57:47 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "cedric.hombourger@siemens.com"
X-Patchwork-Id: 4213
X-Patchwork-Original-From: "'Cedric Hombourger' via isar-users"
From: "cedric.hombourger@siemens.com"
To: isar-users@googlegroups.com
Cc: felix.moessbauer@siemens.com, Cedric Hombourger
Subject: [PATCH 1/4] rootfs: introduce wrapper to run commands against a rootfs
Date: Mon, 19 May 2025 13:57:47 +0200
Message-Id: <20250519115750.3195300-2-cedric.hombourger@siemens.com>
In-Reply-To: <20250519115750.3195300-1-cedric.hombourger@siemens.com>
References: <20250515150727.1764989-2-cedric.hombourger@siemens.com> <20250519115750.3195300-1-cedric.hombourger@siemens.com>

"sudo chroot" is used in several places to run commands inside rootfs directories constructed by Isar.
There are cases where a command could be used without elevated privileges as long as special folders such as /isar-apt are mounted (they are often referenced as /isar-apt in configuration files found in the target rootfs). For such cases, bubblewrap may be used to create a non-privileged namespace (either in a bare/native environment or within a docker/podman container) where the command will be executed as if chroot had been used. The rootfs may also be the host root file-system: this should however be used with care to avoid host contamination problems (note: Isar already relies on a number of host tools). Signed-off-by: Cedric Hombourger Tested-by: Felix Moessbauer --- RECIPE-API-CHANGELOG.md | 6 ++++ doc/user_manual.md | 1 + meta/classes/rootfs.bbclass | 66 +++++++++++++++++++++++++++++++++++++ 3 files changed, 73 insertions(+) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index a4cf1338..725737b2 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -722,3 +722,9 @@ Optional fields of the isar-apt repo can be controlled by adding to the Changes in next --------------- + +### Require bubblewrap to run non-privileged commands with bind-mounts + +Isar occasionally needs to run commands within root file-systems that it +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be +used in Isar classes instead of `sudo chroot`. diff --git a/doc/user_manual.md b/doc/user_manual.md index 0dc317c3..3cf1a9aa 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -75,6 +75,7 @@ Install the following packages: ``` apt install \ binfmt-support \ + bubblewrap \ bzip2 \ mmdebstrap \ arch-test \ diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 5f877962..5b96b414 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass 
@@ -34,6 +34,72 @@ export LANG = "C" export LANGUAGE = "C" export LC_ALL = "C" +# Execute a command against a rootfs and with isar-apt bind-mounted. +# Additional mounts may be specified using --bind and a +# custom directory for the command to be executed with --chdir . The +# command is assumed to follow the special "--" argument. This would replace +# "sudo chroot" calls especially when a native command may be used instead of +# chroot'ed command and without elevated privileges (the command will likely +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). If the +# optional rootfs argument is omitted, the host rootfs will be used (e.g. to +# run native commands): this should be used with care. +# +# Usage: rootfs_cmd [options] [rootfs] -- command +# +rootfs_cmd() { + set -- "$@" + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" + rootfs="" + + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do + case "${1}" in + --bind) + if [ "${#}" -lt "3" ]; then + bbfatal "--bind requires two arguments" + fi + bwrap_args="${bwrap_args} --bind ${2} ${3}" + shift 3 + ;; + --chdir) + if [ "${#}" -lt "2" ]; then + bbfatal "${1} requires an argument" + fi + bwrap_args="${bwrap_args} ${1} ${2}" + shift 2 + ;; + -*) + bbfatal "${1} is not a supported option!" 
+ ;; + *) + if [ -z "${rootfs}" ]; then + rootfs="${1}" + shift + else + bbfatal "unexpected argument '${1}'" + fi + ;; + esac + done + + if [ -n "${rootfs}" ]; then + bwrap_args="${bwrap_args} --bind ${rootfs} ${rootfs}" + fi + + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then + bbfatal "no command specified (missing --)" + fi + shift # remove "--", command and its arguments follows + + for ro_d in bin etc lib lib64 sys usr var; do + [ -d ${rootfs}/${ro_d} ] || continue + bwrap_args="${bwrap_args} --ro-bind ${rootfs}/${ro_d} /${ro_d}" + done + + bwrap --unshare-user --unshare-pid ${bwrap_args} \ + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ + -- "${@}" +} + rootfs_do_mounts[weight] = "3" rootfs_do_mounts() { sudo -s <<'EOSUDO'
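Review bot: In meta/classes/rootfs.bbclass, rootfs_cmd() collects every mount into the flat string bwrap_args and expands it unquoted in the final `bwrap --unshare-user --unshare-pid ${bwrap_args}` call, so a rootfs, `--bind` or `--chdir` value containing whitespace or glob characters is split into extra bwrap arguments, and any resulting fragment that starts with `--` is parsed as a further bwrap option. The unquoted `[ -d ${rootfs}/${ro_d} ]` test has the same problem. Suggest quoting that test and either rejecting such paths with bbfatal during option parsing or building the argument list with positional parameters instead of a string. Two smaller points in the same function: `--dev-bind /dev /dev` exposes all host device nodes to the command, where `--dev /dev` would be the narrower choice if callers only need the standard nodes, and the leading `set -- "$@"` is a no-op that can be dropped.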
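Review bot: In RECIPE-API-CHANGELOG.md, the new entry's heading says bubblewrap is required while its body only says it "may be used", and the entry never names the helper being introduced, so a recipe or layer author cannot tell what changed for them. Suggest stating that `rootfs_cmd` was added to rootfs.bbclass, that it invokes bwrap, and that the bubblewrap package therefore has to be present on the build host or in the build container.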
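Review bot: In doc/user_manual.md, the added `bubblewrap \` line is the only prerequisite documented, but rootfs_cmd() calls bwrap with `--unshare-user --unshare-pid`, which depends on the kernel and, for the docker/podman case named in the commit message, the container runtime allowing the build user to create user namespaces. Suggest a sentence next to the package list stating that requirement, so that a failing bwrap call can be traced to host or container configuration rather than to Isar.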