From patchwork Wed Feb 18 11:58:23 2026 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "MOESSBAUER, Felix" X-Patchwork-Id: 4871 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Wed, 18 Feb 2026 12:59:06 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-pj1-f59.google.com (mail-pj1-f59.google.com [209.85.216.59]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 61IBx33D023386 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 18 Feb 2026 12:59:05 +0100 Received: by mail-pj1-f59.google.com with SMTP id 98e67ed59e1d1-3545dbb7ee6sf4015346a91.3 for ; Wed, 18 Feb 2026 03:59:05 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1771415938; cv=pass; d=google.com; s=arc-20240605; b=YIQJp8VG53QforO894uGrJ2zmSSEg4/WAOSykiR05K69EZOLjU721ASV30UPDZpsAX A9H15XmBRzOfovUdOuyTyca+9hCcFnlCY26lavE6jSRdrtu6JpbyN7DYN/x/LS/6s2pb vodg3kEovtAqz9+I5IHw4zO7yKHdIY+RJkPfvW1Yo5wpoHrd7YLG0QsIY7EWJYXisrnm Hpm1VX2lWpV61nBzud7SYD2QXYAaBMAcNnf0Po+/4WyGij88EjzHgiBeQlHW6SoPTSSk ASqw5cY4je8HQ1caqAwEVjpVAcoFe5GwaT/sRU1ppIuAfUBqYuzZKp/s9XOnkuXdH6zZ Mftg== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature; bh=3QRyzhHRsSI5GqJyQ4rsG6LiJjMiQfzfLKBG1mW+GW4=; fh=IcL9tQmqXJxXUVGIJKsI2nMtA1JWeqU0DysuMBoyyww=; b=bkKisPx3/nLx0TkgNwGMs1HpJdBxCp/W9PBBGhg4nGfHHhzfgKbeR9DFx2I6UuNSpn O9BwKMJXhRoc/0pYdky5lCuC/sFJaeq7AMuk1DzBfxyRkun8+zyucjxDFrFlVrJDklt4 lNiKuobsn4n2Vlnn1DR+fDhEzpwnzEgpkl9j63LnUzL145Sp1nHuvlYWL7pjvmK4niq9 ZaFYtyeblWMWAiEBbs2Wh9y1+XkgvfOnDYuL0Nz7tVKDI/LpcygaP408BfWxDFR17ywJ +tJBr7kL/I+JsupPRDTbpI2ie5AXP5s/PN85AyQHtsKuzulvMiA7MDHNHcRMSu4Xc0jZ Ww1w==; darn=isar-build.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=odwMnbCM; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1771415938; x=1772020738; darn=isar-build.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date:message-id:reply-to; bh=3QRyzhHRsSI5GqJyQ4rsG6LiJjMiQfzfLKBG1mW+GW4=; b=XRhN8SFlJIrLiHepF9YYN1chXRD3b9y+BfekaVug5L8pdIPckr93IimvhNKzIppAqU vaqWCjp9m4na0Srb/2yk2pQBhHVuqhQ1wPOvGh9gmbhnb7T/oS8IOikNosm5sxI6Qly1 Ke3o8V8XgNlBQrBMhGOPJNjMjdcYiyyQH1dOFJWvLt5hDfwClD/0TXr9o8CZ8E5qqwNR oBlWQ8Es0It4EQ5oXRyyBhncXaX1LdYSwgFwNzo/kdtVNtWR/SFzWPGKvtl59bY7eaub Vc+rMeMg22VipYz8abAc+qr7hZSfNZHIK+1WEbQIUGEqxkx2aZQJy6/JNSbl3oV/lFg8 hbPw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771415938; x=1772020738; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :x-beenthere:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3QRyzhHRsSI5GqJyQ4rsG6LiJjMiQfzfLKBG1mW+GW4=; b=VB8auyOmFXkKXzc2Nr4rqSS8pQpEUndnN8Dfgm3G1DO6yTAxsoQUI180VnHdT+Rnqw EesT0GYUbL5x1oL6+cPrUODDktr+IhfglTjRyVUuh6fmqRNLe2nTHu1rbBPyjHPeLpHs X/1ob5fzeMsxqd0gFYGk3UZ7dbz9t4bVAKZzJS+vzUaxChpwZKsF7Ky2K3wMXjD6ttn+ 2hKVYtB02W1/vmTV0gvx/v5l193UBHT4UdoaXVKEyoRtMoccOzFYoj5LfWCpLgcHIF9u o1e06HRfWxgBaKowGNPwNmbcokzayidufnb/e5zLlT9PN2DEWg1zXSin4v5GyZR2lpLK RuDg== X-Forwarded-Encrypted: i=3; AJvYcCVHnv43EdGDLrb2tKbeuq3j7MPh8B8U8SV+wa21M7WW3nteS0+QkUiqHiNAozBooM/Rf8vDnJc=@isar-build.org X-Gm-Message-State: AOJu0YzvG0IqejROWj5F2PhQnmNmIaXisILuVuMAFMe9peZUpqycgCuO cI2s3MoL6A3pZxtV/VfgL93R9U6CYrVspY18LCJDqewMlNFb7wwVW6ws X-Received: by 2002:a17:902:ebca:b0:2a0:ccef:a5d3 with SMTP id d9443c01a7336-2ad50e73893mr14666645ad.3.1771415937781; Wed, 18 Feb 2026 03:58:57 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AV1CL+GsS/M/YlF0ojave9SKEi9k5saCzf5Ju14Um4rnVve6mQ==" Received: by 2002:a17:902:ea11:b0:298:e5:d986 with SMTP id d9443c01a7336-2ab3c3f9143ls72586555ad.1.-pod-prod-09-us; Wed, 18 Feb 2026 03:58:56 -0800 (PST) X-Received: by 2002:a05:6a20:939a:b0:38e:9e4c:ed5c with SMTP id adf61e73a8af0-394fc31b47bmr1623665637.52.1771415936224; Wed, 18 Feb 2026 03:58:56 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1771415936; cv=pass; d=google.com; s=arc-20240605; b=KfdM1LeMc3YJ7vcuIzYWQjDIH4n37KN44FqVvcugcAFWt8ndKnHLWtyqEiZDxYsLkG RJwUrwdL2U+KgmdBv1rGMI1s+W/JRqL/0SLDeax2xbxaOKP0QEfwSWTw9ln3x86wPD8I y7WVLpJHwgCHjtJ1RJN9Ohm71PONl+ONSKZQbwKKB6joyNnKTf2v91C9uDYaolFr3R17 EzB43gg5od5ZicK0EOKaL01A6HCSn7zrwqyRQJeP/hz4cv65asNNz5v1bTp3so/5CPXr Wo2zJILDOjj/zRqwrGnKNVdRYpyPauUHpw3VBpfNboH7SAxLf8IsUDp86lZFAj9DRGr7 KkLg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=2XG2eCUOtCOrzbKfNpEnjSFGtVrEIHbyuUjORFK5tOg=; fh=dWFKumMb31C26+PJa6vcB2ftw6NwdNo52k0UEVGombI=; b=O51riz4tBivWQnBXVc1ieVxK0uiqlsWPgqFLSJIk+Gym/A5q3hAS/Ntt9WsXJyEPzK 1uTuZnz/a3mQOqRzNQ95TGOugXa3mOgXnLjS4mtXxH/dvbBqL+LDmwAh7WC3BjRb7K7z N82fkaatopPVJc1UI74nJ0Eh2GrD0nBzHm+qjjYEp+DzhDQjffClrmIpcsJIMKoole0A 9VD28LfTq6IBFgG/Bp8LYF5boJ2QhI3Lvsh4Zm7XDZnQf1tf2hDwKClFuNyGY1GROZ2O wc2jvOKfW3GeUFVRcsJO8lIOy890PsrYjVYxyLURdW7vwpgCDdldJ+ZbdiNCiVWM64Rn Wreg==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=odwMnbCM; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from AS8PR04CU009.outbound.protection.outlook.com (mail-westeuropeazlp170110003.outbound.protection.outlook.com. [2a01:111:f403:c201::3]) by gmr-mx.google.com with ESMTPS id 41be03b00d2f7-c6e52fcefacsi385310a12.1.2026.02.18.03.58.55 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 Feb 2026 03:58:56 -0800 (PST) Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) client-ip=2a01:111:f403:c201::3; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=klazA5gTHmiUyyfkxPt3CHUkrgzbnrq0QEN5qIw5gS/8alYTUcvVipvhd1fTWUZwtUVsuKAhnEtfPSk9wloAI8d1Dko3EOfDTWlNa3N2rw7JI1zP0IJ6Aceb2GEmU3bCiy5Zz2yetTCHUhR5y7NYJK9HOkMSOIBMY7Umlk+Ft2wfWhMX28XA1lCctmVvsbb5gT0aYp15yAfOyn8QlmbVoOL1YUJQLZB+Eg3YrMxjNpV7Z56zLxILCE+ut5FPYQIE2bjiBCNzw37gGvNfMR5fbqMQWGAv2xT0ImMXyMe9agloKCckKVH3nNUvBrmGI2bofEn6o3QhV/cvS+HjRZmtcw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2XG2eCUOtCOrzbKfNpEnjSFGtVrEIHbyuUjORFK5tOg=; b=b1fzZVix2iOEs5WOOGoDXtMg29mru/usndop7qDT5+k7d5azIJsAloVm81mwro1UZd4BFEQmYRm7h6RR1idom2nozCmwcncaCFEf0KHzZnPQ5koQt5YkuClY0ufuk4w8xKCDsDxwySPFkpBWpgFOl5zof1drgIntCM0iHpLMJdWsoFx2zNLPDmxFE40lSxVfqsZLgg8RvNdoLHyPKjRH4pr6cFe4zccMndg4SL0XyqlXwuZhorz0Ddox+12GjpHtTK0cN9HaSSfMBklL7Y/MygWQ7x4nS4SJyK+cWKe74ddwO/cu/Y0kDJi8uMJzCXdQGjJVSq05CFDWyVJreWTMeQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) by FRWPR10MB9395.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:d10:1a1::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9632.13; Wed, 18 Feb 2026 11:58:53 +0000 Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::9412:cd7f:3f72:92ab]) by DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::9412:cd7f:3f72:92ab%3]) with mapi id 15.20.9632.010; Wed, 18 Feb 2026 11:58:53 +0000 X-Patchwork-Original-From: "'Felix Moessbauer' via isar-users" From: "MOESSBAUER, Felix" To: isar-users@googlegroups.com Cc: quirin.gylstorff@siemens.com, Felix Moessbauer Subject: [RFC 08/12] wic: rework image deploy logic to deploy under correct user Date: Wed, 18 Feb 2026 12:58:23 +0100 Message-ID: <20260218115827.3947145-9-felix.moessbauer@siemens.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260218115827.3947145-1-felix.moessbauer@siemens.com> References: <20260218115827.3947145-1-felix.moessbauer@siemens.com> X-ClientProxiedBy: CH5P220CA0022.NAMP220.PROD.OUTLOOK.COM (2603:10b6:610:1ef::28) To DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU0PR10MB6828:EE_|FRWPR10MB9395:EE_ X-MS-Office365-Filtering-Correlation-Id: 4d097a88-723f-4d2f-4597-08de6ee51612 X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|1800799024|366016; X-Microsoft-Antispam-Message-Info: /1ctVyqSl9/ltmm5ljd4CGfJ1UNY7pQ84JkrW+YgnNnaUP3myeLqjntRDUMkRgolOEzvZbykbuEWNZsEFiV/qxl/cxxGn80qEKyToYTP/txSQ/+DZouF+xiWpSXwxpBd+j4ZaErE3ExMuJnK/mz46TMiBWovOBID7qK6EQ/+rDkIcdWQZHN5120hApddqKjXaMBgcL5zaXVu/KW5YuSCfvZT9nGM9sVc3QwpK+3lmbcamUpdz2XIBZBRjsE1ijb8rkp/AZnJGPUL7xfNZ6dgg4/tWINbs/K9SV5jYXLes+yF6eB/espKjEtiOOj76jbtE4bQ5/oyySmQ+JEs5q5rKIBMrzR6p4MNQqMwr/C9hmfkEYzp/mABDZ87hAJ/5xXwRo7vVwp89MO+geaspfb+6e2GnsmB6A6pcrnBqQ0KOsfy27asIG+OAA3ZGK0/v/jGIwUIHhvkcBWdJyeA5w9tXFaFFHhrGwihmHcll2tfvMmSG8cvqjNViUKulkLSBEql/HaMzasaBDssLpymWamrObnzPNyiMzUnBkZCnSPbNpA/ygxLxOsD5lZ+V9Qtev361AMDHedYM+nLAVS1tlD/ZbihCeITMqKZoWFiJ8q1YrkBIoXx9795jxdvocavqK3TLTdKDwGlUAaaSyjd6XcMSpEOwaVxYWIo6tZ+8M3ES1Q4mPmURAI9XVYQcIEhPn2bes8W198qmhErphYnWpqsGww1YZ8ivnrFA+IgEJ7tNjLRbVtR/koOew4WNCkv2H7XKqrtn8q4YtFUAnvqh7rK1w3QsjUV5bE/rC3PdomZ02chfDqi7IaTJEiJgjq910HfgajkusF/8+4mJ0cCqKt39o35L9cbcbSlu8SlCIW5b6bjjOqibDsTkIvAGpYA39ey9EwGWN/0uNl1ay8vW06U+6HE7zGB+Oqx/tT8L4qsWsxHpwy/2U3yXQhnYcjdaY9TbUnO9hQbroQjjJUnbfvmyjHG2nhNeMrOGY9328YaQKrFHjxKvp1oOWQHCPxKKoASMLUA/iGWELbVYKbGSGtrJ08BxbrrH2TIXTZbPRRh5nfj5ygUhNaJxTwcz85/QwA6OefRKpw6W7n5uFumX6uIOQQ3poW791Yj+Lh+qQFoKr7tk91gSCnWZBehYss7OLO7/Eicnn4iz7fMbVSj1muUaScfVsE+eiUWoLela6dvKJWvwdrG8PwmzzMaQnX0U2g10Dg6V5HAKq497YJKajal/4y2/lkJb7o9NA4MpX9Qd12dqKmUKOWWrhLfgVsLZG9yXmp96dQDHdz2NPckPquHyQ30MboJldJ5BCg/++b435+pNnhhvKMdg36SZXCBFXyv5bt8WbJ8Xk6AgBeiI990pmJ9X+iLpYg20Us6xkefhm6pecUIZ3rzOd3k5NTy8f1MB9d59BgjwXXNq1yBd2scpTCi0cNWxi6MUyjellsT7XtInNIC9Z83zd5ARiAJ7OEczxbvIU0fP5gCsSq6EXQIe4XiXYBJ/YXpwfKvTZLbCOrUAyrJprQKkvaotkGGylzXFOg+G3FwcQrQyePpYhriAV72Y2ZBTy3VC6TuM8uc+zM= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(1800799024)(366016);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: 8E7JTpxMCAElK50/jhSgQA4LnrvXij0DMQgYwxqg+9YCBpAIyi1a0fHAjtnB7HlytopoFLryi9LPSVCLg0a8teBiRlU2gEsuRVpH968Bxss+GzBozNnHxK9RuXK0rFsKTBlwJwBmL7jdfipJ/b69kV0SVmqop+uaHdvz4v16Gd8H+wpDg04zzSSL+rvshOrMDLWa4FPxVa2o/KQbMyKngB8rQcEyxa7V68lPdWJSRAhvoxdj3KhsXhULm7xsUEterSQsAo28vB0iI1UuN3uumIBuD+9gDlgfYPV/qN0swE98HTvNGC/A30gtAOcFHcJUnzmUP5FjX0N4cbeRL6Y9XNwnr637yNVURTZEcOH5+dSdz+ZS1jhoiwdFk4OupJ34bzXioZh0Qf6JfLegykOcn2xiYsdi4SKsIG2aeI98/WOIeLzC6Vc24pjhUH9ZLXhvFfVBj9bAJ9MeXtE0ISZ8yRjAirgf7ndd8O/tgNnY2aLyEx1zvw+ko8MfLIHa9usC21uNHIbX97+pGUjArMRXOVz3qW+DTV3+N1gV42tBDixP3ynShFWwkBltr8RGFWy4+cClAxeBi/0PSnguPgjNkXACIqDjTwHECRyBZV+dFt+vAJbSlwq5nACRwc+A6wgDKoURiKXj5/CkxhK7FAvX901ZhYWGlRNYxZKdqcMWrXwgLQbHic48KGRQIM3LnfLrjGVaRuD6w3wlUEUDNMFO5EWQeuZ+8hLwNYlocMjzF/HabVLmW1VXU/whVhZDc7d9/mhqB5HJfxXBFQc2FKVHLDj6Ck7H61b3dKzgR3m0NNIJ0aesHvLgRIfugWOXmAQpjzok3CuGPbMbUTB8p/RpYPIpfs7ocFOuaVzs/la2Q81GVyY9KS8TnxNbSfV0EgVf4E8zuF/yWIumx5N7Jsmeb17eWOUGSm5QUutE17D3EfZrjdthWwjjqRuWbgzq57CjcJy9yc+LG3w7JHmdMV+SVduoS78n3O0xdp2V9T/COBz59O5AWB+IP0b7n82BOeaJ6R6DehXYLyoBFRLxOMrbDuQQH7Hvz8NkOfgAnKFU8gRm/WpV3rabcYrXPnwhXRhW4fLlE+ptwQ7lz+gbzSmBt694VAhJvy6B98aCHYLJtizZrsRFr3/Mf5FaZzBc2FSzLB+RdC4pO1RUMpU1FseuA3LxqX/+B4ofb/X7Ntsixfe76rnakXVmAllRJ3j8p5ah4x01H7zcL3eJ3Fm6rK3jvaez2hnghNPfBX8BAyQKYo/qCrNP4cERMnprnej9+w5vDz6SoDn8pcIWJ5gAo8XsNTro933+suk0YNDx6vaTfMgXt9GEYq7Hnkob9aIMQwxjOdrivZjMmXjVHAy3evm4eSs0pn1hjNY1reN8oZRTCjwYzDxwDwohdP8n91U/xTJ26RW0PvHwfRqGvJ/NG0Pd7MTHqH1Z+6c/MSNbwlbFTsjZLMT9A2iAm24ufKmMvwEKd+IOZYyS0NbIyW3egTBL6tYuIldyXUEiGjcfClJTKotf2VojpbJWVctdG5EBPtWFOzjSjBJOnQJdLXFIUfIhxQdhOKbhoRzQfjIBjZ+aK98zZWVQTCNVQgDniGcka61127pgwuWJaVRLnG6xWLVGeiIfl80lg04prkshmPpIiBMoLpvkL7WO6MTfmRsyC92BpqgMs8mSE6O8aG4iKKGUOPFcbNKJzUeIRzMopQHVToMYgswIa389svqEle52E6xKa4xhYZjRh4rHWVp9LFMRstlORHttfmHsW72t5gA3JsU= X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 4d097a88-723f-4d2f-4597-08de6ee51612 X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Feb 2026 11:58:53.2534 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: uLNgURIKbBOLHCF0zX0pcxEfndKl+5+fLq255XliMS4V6Aa61I93qPy+uLGSKqva72CRrTh1LozvDzKEW5IWyGP21DzcoJXoFbb8eyHuojI= X-MS-Exchange-Transport-CrossTenantHeadersStamped: FRWPR10MB9395 X-Original-Sender: felix.moessbauer@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=odwMnbCM; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::3 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Felix Moessbauer Reply-To: Felix Moessbauer Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= We previously deployed the image file as root and then chowned the deployed files to the calling user. Hereby the chown command itself requires to be run under root, which is not possible on rootless. As a preparation for rootless, we rework the deploy logic to deploy the files under the calling user. For that, we deploy to a temporary directory within workdir that is writeable from inside the chroot and then copy out under the calling user. Signed-off-by: Felix Moessbauer --- RECIPE-API-CHANGELOG.md | 12 +++++ .../image-tools-extension.bbclass | 11 +++++ meta/classes-recipe/image.bbclass | 10 +++- meta/classes-recipe/imagetypes.bbclass | 47 +++++++++++-------- meta/classes-recipe/imagetypes_wic.bbclass | 10 ++-- meta/classes-recipe/squashfs.bbclass | 2 +- 6 files changed, 66 insertions(+), 26 deletions(-) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index bc40a403..f80630a0 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -978,3 +978,15 @@ specifies the rootfs path. Using these helpers instead of direct `sudo` invocations centralizes platform-specific privileged execution logic in `base.bbclass`. Direct use of `sudo` is discouraged in downstream layers. + +### Changes to image types + +The way different image types are handled has changed to be be compatible with +rootless builds. For that, the deployment of images happens in two steps: + +1. generate the image in the `${IMAGE_STAGE_CHROOT}` +2. the `imager_run` or `${SUDO_CHROOT}` command takes care of deploying the image + into the `${DEPLOY_DIR_IMAGE}` + +Conversion commands need to follow this strategy as well, but can read the image +(prior to conversion) from `${IMAGE_FILE_CHROOT}`. diff --git a/meta/classes-recipe/image-tools-extension.bbclass b/meta/classes-recipe/image-tools-extension.bbclass index e88557f6..2eac3619 100644 --- a/meta/classes-recipe/image-tools-extension.bbclass +++ b/meta/classes-recipe/image-tools-extension.bbclass @@ -17,6 +17,17 @@ SCHROOT_MOUNTS = "${WORKDIR}:${PP_WORK} ${IMAGE_ROOTFS}:${PP_ROOTFS} ${DEPLOY_DI SCHROOT_MOUNTS += "${REPO_ISAR_DIR}/${DISTRO}:/isar-apt" imager_run() { + IMAGE_STAGE_DIR=$(dirname $IMAGE_STAGE_HOST) + create_chroot_parent_dir $IMAGE_STAGE_DIR + imager_run_${ISAR_CHROOT_MODE} "$@" + + # copy locally deployed files with correct permissions to deploy dir + find $IMAGE_STAGE_DIR -type f -exec cp {} ${DEPLOY_DIR_IMAGE} \; + # on error keep the files for investigation + run_privileged rm -rf $IMAGE_STAGE_DIR +} + +imager_run_schroot() { local_install="${@(d.getVar("INSTALL_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}" local_bom="${@(d.getVar("BOM_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}" diff --git a/meta/classes-recipe/image.bbclass b/meta/classes-recipe/image.bbclass index ca449ec5..e0e19adf 100644 --- a/meta/classes-recipe/image.bbclass +++ b/meta/classes-recipe/image.bbclass @@ -180,8 +180,14 @@ IMGCLASSES += "${IMAGE_CLASSES}" inherit ${IMGCLASSES} # convenience variables to be used by CMDs +# Note, that the variables are only valid within the type specific task itself +# but not in transitively called shell functions IMAGE_FILE_HOST = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.${type}" +# view (only for reading) the image in the deploy dir (useful for conversion commands) IMAGE_FILE_CHROOT = "${PP_DEPLOY}/${IMAGE_FULLNAME}.${type}" +# staging location for copy-out (should only be written to from chroot) +IMAGE_STAGE_HOST = "${WORKDIR}/deploy-image-${type}/${IMAGE_FULLNAME}.${type}" +IMAGE_STAGE_CHROOT = "${PP_WORK}/deploy-image-${type}/${IMAGE_FULLNAME}.${type}" SUDO_CHROOT = "imager_run -d ${PP_ROOTFS} -u root --" # hook up IMAGE_CMD_* @@ -262,8 +268,8 @@ python() { image_cmd = localdata.getVar('IMAGE_CMD:' + bt_clean) if image_cmd: localdata.setVar('type', bt) + cmds.append(localdata.expand('\tIMAGE_STAGE_HOST="${IMAGE_STAGE_HOST}"')) cmds.append(localdata.expand(image_cmd)) - cmds.append(localdata.expand('\tsudo chown $(id -u):$(id -g) ${IMAGE_FILE_HOST}')) else: bb.fatal("No IMAGE_CMD for %s" % bt) vardeps.add('IMAGE_CMD:' + bt_clean) @@ -292,8 +298,8 @@ python() { localdata.setVar('type', t) cmd = '\t' + localdata.getVar('CONVERSION_CMD:' + c) if cmd not in cmds: + cmds.append(localdata.expand('\tIMAGE_STAGE_HOST="${IMAGE_STAGE_HOST}"')) cmds.append(cmd) - cmds.append(localdata.expand('\tsudo chown $(id -u):$(id -g) ${IMAGE_FILE_HOST}.%s' % c)) vardeps.add('CONVERSION_CMD:' + c) for dep in (localdata.getVar('CONVERSION_DEPS:' + c) or '').split(): conversion_install.add(dep) diff --git a/meta/classes-recipe/imagetypes.bbclass b/meta/classes-recipe/imagetypes.bbclass index f802c11c..78b89393 100644 --- a/meta/classes-recipe/imagetypes.bbclass +++ b/meta/classes-recipe/imagetypes.bbclass @@ -9,7 +9,7 @@ TAR_TRANSFORM = "--transform='s|rootfs|.|'" TAR_OPTIONS:append = " ${TAR_TRANSFORM}" IMAGE_CMD:tar() { ${SUDO_CHROOT} tar ${TAR_OPTIONS} -cvSf \ - ${IMAGE_FILE_CHROOT} --one-file-system -C ${PP} rootfs + ${IMAGE_STAGE_CHROOT} --one-file-system -C ${PP} rootfs } # image type: ext4 @@ -38,10 +38,11 @@ do_image_ext4[prefuncs] = "set_mke2fs_args" IMAGE_CMD:ext4() { export E2FSPROGS_FAKE_TIME="${SOURCE_DATE_EPOCH}" - truncate -s ${ROOTFS_SIZE}K '${IMAGE_FILE_HOST}' - - ${SUDO_CHROOT} /sbin/mke2fs ${MKE2FS_ARGS} \ - -F -d '${PP_ROOTFS}' '${IMAGE_FILE_CHROOT}' + ${SUDO_CHROOT} /bin/bash -s <<'EOF' + set -e + truncate -s ${ROOTFS_SIZE}K '${IMAGE_STAGE_CHROOT}' + /sbin/mke2fs ${MKE2FS_ARGS} -F -d '${PP_ROOTFS}' '${IMAGE_STAGE_CHROOT}' +EOF } # image type: cpio @@ -49,10 +50,12 @@ IMAGER_INSTALL:cpio += "cpio" CPIO_IMAGE_FORMAT ?= "newc" IMAGE_CMD:cpio() { - ${SUDO_CHROOT} \ - sh -c "cd ${PP_ROOTFS}; /usr/bin/find . | \ - /usr/bin/cpio -H ${CPIO_IMAGE_FORMAT} -o > \ - ${IMAGE_FILE_CHROOT}" + imager_run -p -d ${PP_WORK} -u root <<'EOIMAGER' + set -e + cd '${PP_ROOTFS}'; /usr/bin/find . | \ + /usr/bin/cpio -H ${CPIO_IMAGE_FORMAT} -o > \ + '${IMAGE_STAGE_CHROOT}' +EOIMAGER } # image type: fit @@ -72,8 +75,9 @@ IMAGE_CMD:fit() { die "FIT_IMAGE_SOURCE does not contain fitimage source file" fi - ${SUDO_CHROOT} /usr/bin/mkimage ${MKIMAGE_ARGS} \ - -f '${PP_WORK}/${FIT_IMAGE_SOURCE}' '${IMAGE_FILE_CHROOT}' + ${SUDO_CHROOT} /usr/bin/mkimage \ + ${MKIMAGE_ARGS} -f '${PP_WORK}/${FIT_IMAGE_SOURCE}' \ + '${IMAGE_STAGE_CHROOT}' } IMAGE_CMD:fit[depends] = "${PN}:do_transform_template" @@ -90,8 +94,9 @@ THIS_ISAR_CROSS_COMPILE := "${ISAR_CROSS_COMPILE}" ISAR_CROSS_COMPILE:armhf = "${@bb.utils.contains('IMAGE_BASETYPES', 'ubifs', '1', '${THIS_ISAR_CROSS_COMPILE}', d)}" IMAGE_CMD:ubifs() { - ${SUDO_CHROOT} /usr/sbin/mkfs.ubifs ${MKUBIFS_ARGS} \ - -r '${PP_ROOTFS}' '${IMAGE_FILE_CHROOT}' + ${SUDO_CHROOT} /usr/sbin/mkfs.ubifs \ + ${MKUBIFS_ARGS} -r '${PP_ROOTFS}' \ + '${IMAGE_FILE_CHROOT}' } # image type: ubi @@ -108,22 +113,26 @@ IMAGE_CMD:ubi() { die "UBINIZE_CFG does not contain ubinize config file." fi - ${SUDO_CHROOT} /usr/sbin/ubinize ${UBINIZE_ARGS} \ - -o '${IMAGE_FILE_CHROOT}' '${PP_WORK}/${UBINIZE_CFG}' + ${SUDO_CHROOT} /usr/sbin/ubinize \ + ${UBINIZE_ARGS} -o '${IMAGE_STAGE_CHROOT}' \ + '${PP_WORK}/${UBINIZE_CFG}' } IMAGE_CMD:ubi[depends] = "${PN}:do_transform_template" # image conversions IMAGE_CONVERSIONS = "gz xz zst zck" -CONVERSION_CMD:gz = "${SUDO_CHROOT} sh -c 'gzip -f -9 -n -c --rsyncable ${IMAGE_FILE_CHROOT} > ${IMAGE_FILE_CHROOT}.gz'" +# image conversions +IMAGE_CONVERSIONS = "gz xz zst zck" + +CONVERSION_CMD:gz = "${SUDO_CHROOT} sh -c 'gzip -f -9 -n -c --rsyncable ${IMAGE_FILE_CHROOT} > ${IMAGE_STAGE_CHROOT}.gz'" CONVERSION_DEPS:gz = "gzip" -CONVERSION_CMD:xz = "${SUDO_CHROOT} sh -c 'xz -c ${XZ_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_FILE_CHROOT}.xz'" +CONVERSION_CMD:xz = "${SUDO_CHROOT} sh -c 'xz -c ${XZ_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_STAGE_CHROOT}.xz'" CONVERSION_DEPS:xz = "xz-utils" -CONVERSION_CMD:zst = "${SUDO_CHROOT} sh -c 'zstd -c --sparse ${ZSTD_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_FILE_CHROOT}.zst'" +CONVERSION_CMD:zst = "${SUDO_CHROOT} sh -c 'zstd -c --sparse ${ZSTD_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_STAGE_CHROOT}.zst'" CONVERSION_DEPS:zst = "zstd" -CONVERSION_CMD:zck = "${SUDO_CHROOT} sh -c 'cd $(dirname ${IMAGE_FILE_CHROOT}); zck ${ZCK_DEFAULTS} ${IMAGE_FILE_CHROOT}'" +CONVERSION_CMD:zck = "${SUDO_CHROOT} sh -c 'cd $(dirname ${IMAGE_FILE_CHROOT}); zck ${ZCK_DEFAULTS} ${IMAGE_STAGE_CHROOT}'" CONVERSION_DEPS:zck = "zchunk" diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass index 63974a3e..ebf3ce8e 100644 --- a/meta/classes-recipe/imagetypes_wic.bbclass +++ b/meta/classes-recipe/imagetypes_wic.bbclass @@ -145,6 +145,9 @@ check_for_wic_warnings() { do_image_wic[file-checksums] += "${WKS_FILE_CHECKSUM}" IMAGE_CMD:wic() { + # variable is type specific, hence capture here and + # forward to functions via export + export IMAGE_STAGE_CHROOT="${IMAGE_STAGE_CHROOT}" generate_wic_image check_for_wic_warnings } @@ -181,20 +184,19 @@ generate_wic_image() { -e "${IMAGE_BASENAME}" ${WIC_CREATE_EXTRA_ARGS} WIC_DIRECT=$(ls -t -1 /tmp/${IMAGE_FULLNAME}.wic/*.direct | head -1) - mv -f ${WIC_DIRECT} ${PP_DEPLOY}/${IMAGE_FULLNAME}.wic - mv -f ${WIC_DIRECT}.bmap ${PP_DEPLOY}/${IMAGE_FULLNAME}.wic.bmap + mv -f ${WIC_DIRECT} $IMAGE_STAGE_CHROOT + mv -f ${WIC_DIRECT}.bmap $IMAGE_STAGE_CHROOT.bmap # deploy partition files if requested (ending with .p) if [ "${WIC_DEPLOY_PARTITIONS}" -eq "1" ]; then # locate *.direct.p partition files find "/tmp/${IMAGE_FULLNAME}.wic/" -type f -regextype sed -regex ".*\.direct.*\.p[0-9]\{1,\}" | while read f; do suffix=$(basename $f | sed 's/.*\.direct\(.*\)/\1/') - mv -f ${f} ${PP_DEPLOY}/${IMAGE_FULLNAME}.wic${suffix} + mv -f ${f} $IMAGE_STAGE_CHROOT${suffix} done fi EOIMAGER run_privileged chown -R $(stat -c "%U" ${LAYERDIR_core}) ${LAYERDIR_core} ${LAYERDIR_isar} ${SCRIPTSDIR} || true - run_privileged chown -R $(id -u):$(id -g) "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic"* rm -rf ${IMAGE_ROOTFS}/../pseudo cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.manifest \ diff --git a/meta/classes-recipe/squashfs.bbclass b/meta/classes-recipe/squashfs.bbclass index 9cd7ed3d..8330ffb5 100644 --- a/meta/classes-recipe/squashfs.bbclass +++ b/meta/classes-recipe/squashfs.bbclass @@ -42,6 +42,6 @@ IMAGE_CMD:squashfs[depends] = "${PN}:do_transform_template" IMAGE_CMD:squashfs[vardepsexclude] += "SQUASHFS_CREATION_LIMITS" IMAGE_CMD:squashfs() { ${SUDO_CHROOT} /bin/mksquashfs \ - '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ + '${SQUASHFS_CONTENT}' '${IMAGE_STAGE_CHROOT}' \ -noappend ${SQUASHFS_CREATION_LIMITS} ${SQUASHFS_CREATION_ARGS} }