From patchwork Wed Jun 25 19:37:43 2025
X-Patchwork-Submitter: Cedric Hombourger
X-Patchwork-Id: 4241
From: Cedric Hombourger
To: isar-users@googlegroups.com
Cc: felix.moessbauer@siemens.com, Cedric Hombourger
Subject: [PATCH v3 1/6] rootfs: introduce wrapper to run commands against a rootfs
Date: Thu, 26 Jun 2025 03:37:43 +0800
Message-Id: <20250625193748.2681-2-cedric.hombourger@siemens.com>
In-Reply-To: <20250625193748.2681-1-cedric.hombourger@siemens.com>
References: <20250625193748.2681-1-cedric.hombourger@siemens.com>

"sudo chroot" is used in several places to run commands inside rootfs directories constructed by Isar.
There are cases where a command could be used without elevated privileges as long as special folders such as /isar-apt are mounted (they are often referenced as /isar-apt in configuration files found in the target rootfs). For such cases, bubblewrap may be used to create a non-privileged namespace (either in a bare/native environment or within a docker/podman container) where the command will be executed as if chroot had been used. The rootfs may also be the host root file-system: this should however be used with care to avoid host contamination problems (note: Isar already relies on a number of host tools). Signed-off-by: Cedric Hombourger --- RECIPE-API-CHANGELOG.md | 7 ++++ doc/user_manual.md | 1 + meta/classes/rootfs.bbclass | 67 +++++++++++++++++++++++++++++++++++++ 3 files changed, 75 insertions(+) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index 8468717d..18b90555 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -727,3 +727,10 @@ Changes in next This was never documented and never had practical relevance. `oci-archive` is the useful OCI image format that can be imported, e.g., by podman. + +### Require bubblewrap to run non-privileged commands with bind-mounts + +Isar occasionally needs to run commands within root file-systems that it +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be +used in Isar classes instead of `sudo chroot`. It is pre-installed in +kas-container version 4.8 (or later). diff --git a/doc/user_manual.md b/doc/user_manual.md index ca551a0d..a4fff34a 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -75,6 +75,7 @@ Install the following packages: ``` apt install \ binfmt-support \ + bubblewrap \ bzip2 \ mmdebstrap \ arch-test \ diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 5f877962..429494ae 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass 
@@ -34,6 +34,73 @@ export LANG = "C" export LANGUAGE = "C" export LC_ALL = "C" +# Execute a command against a rootfs and with isar-apt bind-mounted. +# Additional mounts may be specified using --bind and a +# custom directory for the command to be executed with --chdir . The +# command is assumed to follow the special "--" argument. This would replace +# "sudo chroot" calls especially when a native command may be used instead of +# chroot'ed command and without elevated privileges (the command will likely +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). If the +# optional rootfs argument is omitted, the host rootfs will be used (e.g. to +# run native commands): this should be used with care. +# +# Usage: rootfs_cmd [options] [rootfs] -- command +# +rootfs_cmd() { + set -- "$@" + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" + bwrap_binds="" + bwrap_rootfs="" + + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do + case "${1}" in + --bind) + if [ "${#}" -lt "3" ]; then + bbfatal "--bind requires two arguments" + fi + bwrap_binds="${bwrap_binds} --bind ${2} ${3}" + shift 3 + ;; + --chdir) + if [ "${#}" -lt "2" ]; then + bbfatal "${1} requires an argument" + fi + bwrap_args="${bwrap_args} ${1} ${2}" + shift 2 + ;; + -*) + bbfatal "${1} is not a supported option!" 
+ ;; + *) + if [ -z "${bwrap_rootfs}" ]; then + bwrap_rootfs="${1}" + shift + else + bbfatal "unexpected argument '${1}'" + fi + ;; + esac + done + + if [ -n "${bwrap_rootfs}" ]; then + bwrap_args="${bwrap_args} --bind ${bwrap_rootfs} /" + fi + + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then + bbfatal "no command specified (missing --)" + fi + shift # remove "--", command and its arguments follows + + for ro_d in bin etc lib lib64 sys usr var; do + [ -d ${bwrap_rootfs}/${ro_d} ] || continue + bwrap_args="${bwrap_args} --ro-bind ${bwrap_rootfs}/${ro_d} /${ro_d}" + done + + bwrap --unshare-user --unshare-pid ${bwrap_args} \ + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ + ${bwrap_binds} -- "${@}" +} + rootfs_do_mounts[weight] = "3" rootfs_do_mounts() { sudo -s <<'EOSUDO'
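Review bot: In the RECIPE-API-CHANGELOG.md hunk the heading says "Require bubblewrap" while the body says bubblewrap "may be used", so a reader cannot tell whether it is now a hard build dependency. rootfs_cmd() calls `bwrap --unshare-user --unshare-pid` unconditionally, so state the requirement plainly and add that the build host or container must permit unprivileged user namespaces, since that is what `--unshare-user` depends on.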
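Review bot: In rootfs_cmd() in meta/classes/rootfs.bbclass, `bwrap_args` and `bwrap_binds` are accumulated as flat strings and expanded unquoted on the final `bwrap` line, and `[ -d ${bwrap_rootfs}/${ro_d} ]` is unquoted as well, so a rootfs, bind source or --chdir path containing whitespace or glob characters is split into extra bwrap arguments. Quote the test as `[ -d "${bwrap_rootfs}/${ro_d}" ]`, and either build the argument list with `set --` so each path stays one word or reject such paths with bbfatal and say so in the usage comment. Also worth confirming: the `/isar-apt` bind is placed in `bwrap_args` ahead of `--bind ${bwrap_rootfs} /`, and bwrap applies mount options in command-line order, so check that /isar-apt is still visible once the rootfs is bound on /. The leading `set -- "$@"` has no effect and can be dropped.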