[RFC,v2,11/19] add support for fully rootless builds

diff --git a/Kconfig b/Kconfig
index 683c0da5..5ef2bfcb 100644
--- a/Kconfig
+++ b/Kconfig
@@ -14,7 +14,7 @@  config KAS_INCLUDE_MAIN
 
 config KAS_BUILD_SYSTEM
 	string
-	default "isar"
+	default "isar-rootless"
 
 source "kas/machine/Kconfig"
 source "kas/distro/Kconfig"
diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 31c61789..59ea3110 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -990,3 +990,28 @@  rootless builds. For that, the deployment of images happens in two steps:
 
 Conversion commands need to follow this strategy as well, but can read the image
 (prior to conversion) from `${IMAGE_FILE_CHROOT}`.
+
+### Rootless isar execution
+
+Isar is able to run without the need for `sudo` in an environment that
+allows unprivileged users to unshare the kernels `user namespace`. Further,
+a sufficiently large set of sub ids needs to be configured in `/etc/subuid` / `etc/subgid`.
+This range should be `> 65536`, but smaller ranges might work as well, depending on the
+ids used in the rootfs.
+
+A simple check if rootless is supported can be done by running:
+
+```bash
+mmdebstrap --unshare-helper /bin/echo "rootless supported" || echo "rootless not supported"
+```
+
+To enable rootless builds, set the bitbake variable `ISAR_ROOTLESS = "1"`.
+This internally switches the chroot mode from `schroot` to `unshare`.
+
+When using kas, the `build_system` needs to be set to `isar-rootless`, but the final
+interfaces still need to be clarified. Further, kas patches are needed (for details,
+check the kas mailing list).
+
+Note, that the following features are not supported yet in rootless mode:
+
+- devshell
diff --git a/doc/user_manual.md b/doc/user_manual.md
index 7520854b..77a37e9b 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -74,6 +74,7 @@  Building `debian-trixie` requires host system >= bookworm.
 Install the following packages:
 ```
 apt install \
+  acl \
   binfmt-support \
   bubblewrap \
   bzip2 \
@@ -88,6 +89,7 @@  apt install \
   qemu-user-static \
   reprepro \
   sudo \
+  uidmap \
   unzip \
   xz-utils \
   git-buildpackage \
diff --git a/kas/isar.yaml b/kas/isar.yaml
index 16ce8b42..3cfc4f96 100644
--- a/kas/isar.yaml
+++ b/kas/isar.yaml
@@ -4,7 +4,7 @@ 
 header:
   version: 14
 
-build_system: isar
+build_system: isar-rootless
 
 repos:
   isar:
diff --git a/meta/classes-global/base.bbclass b/meta/classes-global/base.bbclass
index 730fd0b4..3806542b 100644
--- a/meta/classes-global/base.bbclass
+++ b/meta/classes-global/base.bbclass
@@ -389,7 +389,28 @@  do_unpack[prefuncs] += "deprecation_checking"
 # shall be used outside of this class.
 
 def insert_isar_mounts(d, rootfs, mounts):
+    """
+    In unshare mode, all mounts must be created after unsharing the
+    mount namespace. As needs to happen within the unshared session,
+    we implement it as a code generator. Note, that the random and urandom
+    mounts are needed for DDI images.
+    """
     lines = []
+    to_touch = ['/dev/null', '/dev/random', '/dev/urandom']
+    to_mkdir = ['/dev/pts', '/dev/shm']
+    if d.getVar('ISAR_CHROOT_MODE') == 'unshare':
+        lines.append('touch ' + ' '.join(['{}/{}'.format(rootfs, f) for f in to_touch]))
+        lines.append('mkdir -p ' + ' '.join(['{}/{}'.format(rootfs, f) for f in to_mkdir]))
+        lines.append('mount -o bind,private,mode=666 /dev/null {}/dev/null'.format(rootfs))
+        lines.append('mount -t devpts -o noexec,nosuid,uid=5,mode=620,ptmxmode=666 none {}/dev/pts'.format(rootfs))
+        lines.append('( cd {}/dev; ln -sf pts/ptmx . )'.format(rootfs))
+        lines.append('mount -t tmpfs none {}/dev/shm'.format(rootfs))
+        lines.append('mount -o bind /dev/random {}/dev/random'.format(rootfs))
+        lines.append('mount -o bind /dev/urandom {}/dev/urandom'.format(rootfs))
+        lines.append('mount -t proc none {}/proc'.format(rootfs))
+        # we do not unshare the network namespace, so we cannot create a sysfs, hence bind-mount
+        lines.append('mount -o rbind /sys {}/sys'.format(rootfs))
+
     for m in mounts.split():
         host, inner = m.split(':') if ':' in m else (m, m)
         inner_full = os.path.join(rootfs, inner[1:])
@@ -398,7 +419,18 @@  def insert_isar_mounts(d, rootfs, mounts):
     return '\n'.join(lines)
 
 def insert_isar_umounts(d, rootfs, mounts):
+    """
+    In unshare mount we don't unmount the system mounts but just
+    remove the mountpoints.
+    """
     lines = []
+    to_unlink = ['/dev/null', '/dev/random', '/dev/urandom', '/dev/ptmx']
+    to_rmdir = ['/dev/pts', '/dev/shm']
+    if d.getVar('ISAR_CHROOT_MODE') == 'unshare':
+        lines.append('rm -f ' + ' '.join(['{}/{}'.format(rootfs, f) for f in to_unlink]))
+        for d in ['{}/{}'.format(rootfs, _d) for _d in to_rmdir]:
+            lines.append('[ -d {} ] && rmdir {}'.format(d, d))
+
     for m in mounts.split():
         host, inner = m.split(':') if ':' in m else (m, m)
         mp = '{}/{}'.format(rootfs, inner)
@@ -406,11 +438,52 @@  def insert_isar_umounts(d, rootfs, mounts):
         lines.append('[ -d {} ] && rmdir --ignore-fail-on-non-empty {}'.format(mp, mp))
     return '\n'.join(lines)
 
+def get_subid_range(idmap, d):
+    with open(idmap, 'r') as f:
+        entries = f.readlines()
+    for e in entries:
+        user, base, cnt = e.split(':')
+        if user == os.getuid() or user == os.getlogin():
+            return int(base), int(cnt)
+    bb.error("No sub-id range specified in %s" % idmap)
+
 def run_privileged_cmd(d):
-    cmd = 'sudo -E'
+    """
+    In unshare mode we need to map the rootfs uid/gid range into the
+    subuid/subgid range of the parent namespace. As we usually only
+    get 65534 ids, we cannot map the whole range, as two ids are already
+    used by the calling environment (root and builder user). Hence, map
+    as much as we can but also map the highest id (nobody / nogroup) as
+    these are used within the rootfs. It would be easier to use
+    mmdebstrap --unshare-helper as command (which is also internally used
+    by sbuild), but this only maps linear ranges, hence it cannot map the
+    nobody / nogroup on the default subid range. By that, we have to avoid
+    the nobody / nogroup when building packages in this case.
+    """
+    if d.getVar('ISAR_CHROOT_MODE') == 'unshare':
+        nobody_id = 65534
+        uid_base, uid_cnt = get_subid_range('/etc/subuid', d)
+        uid_cnt -= 2
+        nobody_subid = uid_base + uid_cnt
+        gid_base, gid_cnt = get_subid_range('/etc/subgid', d)
+        gid_cnt -= 2
+        nogroup_subid = gid_base + gid_cnt
+        cmd = 'unshare --mount --mount-proc --user --pid' \
+              ' --kill-child' \
+              ' --setuid 0 --setgid 0 --fork' \
+              f' --map-users  0:{uid_base}:{uid_cnt}' \
+              f' --map-groups 0:{gid_base}:{gid_cnt}'
+        if uid_cnt < nobody_id:
+            cmd += f' --map-users  {nobody_id}:{nobody_subid}:1'
+        if gid_cnt < nobody_id:
+            cmd += f' --map-groups {nobody_id}:{nogroup_subid}:1'
+    else:
+        cmd = 'sudo -E'
     bb.debug(1, "privileged cmd: %s" % cmd)
     return cmd
 
+UNSHARE_SUBUID_BASE  := "${@get_subid_range('/etc/subuid', d)[0] if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else '0'}"
+# store in variable to only compute once and make available to fetcher
 RUN_PRIVILEGED_CMD := "${@run_privileged_cmd(d)}"
 
 run_privileged() {
@@ -422,13 +495,24 @@  run_privileged_heredoc() {
 }
 
 # create a directory that is suitable to be the
-# parent of a rootfs
+# parent of a rootfs. In unshare mode, we further need to
+# give the inner user the right to create a directory there.
+# This is needed, as the inner user needs to extract the
+# rootfs tarball and owns the '.' dir.
 create_chroot_parent_dir() {
     mkdir -p "$@"
+    if [ "${ISAR_CHROOT_MODE}" = "unshare" ]; then
+        setfacl -m u:${UNSHARE_SUBUID_BASE}:rwX "$@"
+    fi
 }
 
 run_in_chroot() {
     rootfs="$1"
     shift
-    ${RUN_PRIVILEGED_CMD} chroot "$rootfs" "$@"
+
+    rootfs=$rootfs run_privileged_heredoc <<'EORIC' "$@"
+        set -e
+        ${@insert_isar_mounts(d, '$rootfs', '')}
+        chroot "$rootfs" "$@"
+EORIC
 }
diff --git a/meta/classes-recipe/deb-dl-dir.bbclass b/meta/classes-recipe/deb-dl-dir.bbclass
index 05a16585..dc83edad 100644
--- a/meta/classes-recipe/deb-dl-dir.bbclass
+++ b/meta/classes-recipe/deb-dl-dir.bbclass
@@ -121,8 +121,13 @@  deb_dl_dir_import() {
 
     # let our unprivileged user place downloaded packages in /var/cache/apt/archives/
     run_privileged_heredoc << '    EOSUDO'
-        mkdir -p "${rootfs}"/var/cache/apt/archives/partial/
-        chown -R ${uid}:${gid} "${rootfs}"/var/cache/apt/archives/
+        if [ "${ISAR_CHROOT_MODE}" = "unshare" ]; then
+            mkdir -p "${rootfs}"/var/cache/apt/archives
+            chmod 777 "${rootfs}"/var/cache/apt/archives
+        else
+            mkdir -p "${rootfs}"/var/cache/apt/archives/partial/
+            chown -R ${uid}:${gid} "${rootfs}"/var/cache/apt/archives/
+        fi
     EOSUDO
 
     # nothing to copy if download directory does not exist just yet
diff --git a/meta/classes-recipe/dpkg-base.bbclass b/meta/classes-recipe/dpkg-base.bbclass
index b3f4caad..0b8c6fba 100644
--- a/meta/classes-recipe/dpkg-base.bbclass
+++ b/meta/classes-recipe/dpkg-base.bbclass
@@ -168,12 +168,24 @@  dpkg_schroot_create_configs() {
 EOSUDO
 }
 
+dpkg_chroot_prepare() {
+    if [ "${ISAR_CHROOT_MODE}" = "schroot" ]; then
+        dpkg_schroot_create_configs
+    fi
+}
+
+dpkg_chroot_finalize() {
+    if [ "${ISAR_CHROOT_MODE}" = "schroot" ]; then
+        schroot_delete_configs
+    fi
+}
+
 python do_dpkg_build() {
-    bb.build.exec_func('dpkg_schroot_create_configs', d)
+    bb.build.exec_func('dpkg_chroot_prepare', d)
     try:
         bb.build.exec_func("dpkg_runbuild", d)
     finally:
-        bb.build.exec_func('schroot_delete_configs', d)
+        bb.build.exec_func('dpkg_chroot_finalize', d)
 }
 do_dpkg_build[network] = "${TASK_USE_NETWORK_AND_SUDO}"
 
diff --git a/meta/classes-recipe/dpkg.bbclass b/meta/classes-recipe/dpkg.bbclass
index 8d7ff092..9fda58af 100644
--- a/meta/classes-recipe/dpkg.bbclass
+++ b/meta/classes-recipe/dpkg.bbclass
@@ -78,6 +78,7 @@  dpkg_runbuild() {
         distro="${HOST_BASE_DISTRO}-${BASE_DISTRO_CODENAME}"
     fi
 
+    create_chroot_parent_dir ${WORKDIR}
     deb_dl_dir_import "${WORKDIR}/rootfs" "${distro}"
 
     deb_dir="/var/cache/apt/archives"
@@ -85,7 +86,10 @@  dpkg_runbuild() {
     ext_deb_dir="${ext_root}${deb_dir}"
 
     if [ ${USE_CCACHE} -eq 1 ]; then
-        schroot_configure_ccache
+        ${ISAR_CHROOT_MODE}_configure_ccache
+    fi
+    if [ "${ISAR_CHROOT_MODE}" = "unshare" ]; then
+        sbuild_add_unshare_mounts
     fi
 
     profiles="${@ isar_deb_build_profiles(d)}"
@@ -110,12 +114,13 @@  dpkg_runbuild() {
     DSC_FILE=$(find ${WORKDIR} -maxdepth 1 -name "${DEBIAN_SOURCE}_*.dsc" -print)
 
     sbuild -A -n -c ${SBUILD_CHROOT} \
+        --chroot-mode=${ISAR_CHROOT_MODE} \
         --host=${PACKAGE_ARCH} --build=${BUILD_ARCH} ${profiles} \
         --no-run-lintian --no-run-piuparts --no-run-autopkgtest --resolve-alternatives \
         --bd-uninstallable-explainer=apt \
         --no-apt-update --apt-distupgrade \
         --chroot-setup-commands="echo \"Package: *\nPin: release n=${DEBDISTRONAME}\nPin-Priority: 1000\" > /etc/apt/preferences.d/isar-apt" \
-        --chroot-setup-commands="echo \"APT::Get::allow-downgrades 1;\" > /etc/apt/apt.conf.d/50isar-apt" \
+        --chroot-setup-commands="echo \"APT::Get::allow-downgrades 1;${@'\nAPT::Sandbox::User root;' if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else ''}\" > /etc/apt/apt.conf.d/50isar-apt" \
         --chroot-setup-commands="rm -f /var/log/dpkg.log" \
         --chroot-setup-commands="mkdir -p ${deb_dir}" \
         --chroot-setup-commands="find ${ext_deb_dir} -maxdepth 1 -name '*.deb' -exec ln -t ${deb_dir}/ -sf {} +" \
@@ -125,7 +130,10 @@  dpkg_runbuild() {
         --finished-build-commands="cp /var/log/dpkg.log ${ext_root}/dpkg_partial.log" \
         --build-path="" --build-dir=${WORKDIR} --dist="${DEBDISTRONAME}" ${DSC_FILE}
 
-    sbuild_dpkg_log_export "${WORKDIR}/rootfs/dpkg_partial.log"
+    # TODO: unclear if needed under unshare
+    if [ "${ISAR_CHROOT_MODE}" = "schroot" ]; then
+        sbuild_dpkg_log_export "${WORKDIR}/rootfs/dpkg_partial.log"
+    fi
     deb_dl_dir_export "${WORKDIR}/rootfs" "${distro}"
 
     # Cleanup apt artifacts
diff --git a/meta/classes-recipe/image-locales-extension.bbclass b/meta/classes-recipe/image-locales-extension.bbclass
index c1e8c175..bdaa55fb 100644
--- a/meta/classes-recipe/image-locales-extension.bbclass
+++ b/meta/classes-recipe/image-locales-extension.bbclass
@@ -29,8 +29,12 @@  ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT += "image_install_localepurge_download"
 image_install_localepurge_download[weight] = "40"
 image_install_localepurge_download[network] = "${TASK_USE_NETWORK_AND_SUDO}"
 image_install_localepurge_download() {
-    run_in_chroot '${ROOTFSDIR}' \
+    run_privileged_heredoc <<'EOF'
+    set -e
+    ${@insert_isar_mounts(d, d.getVar('ROOTFSDIR'), d.getVar('ROOTFS_MOUNTS') if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else '')}
+    chroot ${ROOTFSDIR} \
         /usr/bin/apt-get ${ROOTFS_APT_ARGS} -oDebug::NoLocking=1 --download-only localepurge
+EOF
 }
 
 ROOTFS_INSTALL_COMMAND += "image_install_localepurge_install"
@@ -62,6 +66,9 @@  __EOF__
     # Install configuration into image:
     run_privileged_heredoc <<'EOSUDO'
         set -e
+
+        ${@insert_isar_mounts(d, d.getVar('ROOTFSDIR'), '')}
+
         localepurge_state='i'
         if chroot '${ROOTFSDIR}' dpkg -s localepurge 2>/dev/null >&2
         then
diff --git a/meta/classes-recipe/image-tools-extension.bbclass b/meta/classes-recipe/image-tools-extension.bbclass
index 2eac3619..bae5c31e 100644
--- a/meta/classes-recipe/image-tools-extension.bbclass
+++ b/meta/classes-recipe/image-tools-extension.bbclass
@@ -16,6 +16,9 @@  do_image_tools[depends] += " \
 SCHROOT_MOUNTS = "${WORKDIR}:${PP_WORK} ${IMAGE_ROOTFS}:${PP_ROOTFS} ${DEPLOY_DIR_IMAGE}:${PP_DEPLOY}"
 SCHROOT_MOUNTS += "${REPO_ISAR_DIR}/${DISTRO}:/isar-apt"
 
+# only used on unshare
+ROOTFS_IMAGETOOLS ?= "${WORKDIR}/rootfs-imgtools-${BB_CURRENTTASK}"
+
 imager_run() {
     IMAGE_STAGE_DIR=$(dirname $IMAGE_STAGE_HOST)
     create_chroot_parent_dir $IMAGE_STAGE_DIR
@@ -114,3 +117,82 @@  generate_imager_sbom() {
             --timestamp $TIMESTAMP ${SBOM_DEBSBOM_EXTRA_ARGS} \
     < ${WORKDIR}/imager.manifest
 }
+
+imager_run_unshare() {
+    exec 3<&0
+
+    # ignore everything before '--'. If the remaining list is empty,
+    # assume a here document is passed via stdin
+    while [ "$#" -gt 0 ]; do
+        case "$1" in
+        --) shift 1; break ;;
+        *) shift 1 ;;
+        esac
+    done
+
+    if [ "$#" -eq 0 ]; then
+        set -- "$@" '/bin/bash' '-s'
+    fi
+
+    local_install="${@(d.getVar("INSTALL_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}"
+
+    create_chroot_parent_dir $(realpath -m "${ROOTFS_IMAGETOOLS}/..")
+
+    run_privileged_heredoc <<'EOF'
+    set -e
+    mkdir -p ${ROOTFS_IMAGETOOLS}
+    tar -xf "${SBUILD_CHROOT}" -C "${ROOTFS_IMAGETOOLS}"
+    mkdir -p ${ROOTFS_IMAGETOOLS}/isar-apt
+    cp -rL /etc/resolv.conf "${ROOTFS_IMAGETOOLS}/etc"
+EOF
+
+    # setting up error handler
+    imager_cleanup() {
+        run_privileged rm -rf ${ROOTFS_IMAGETOOLS}
+    }
+    trap 'exit 1' INT HUP QUIT TERM ALRM USR1
+    trap 'imager_cleanup' EXIT
+
+    if [ -n "${local_install}" ]; then
+        echo "Installing imager deps: ${local_install}"
+
+        distro="${BASE_DISTRO}-${BASE_DISTRO_CODENAME}"
+        if [ ${ISAR_CROSS_COMPILE} -eq 1 ]; then
+            distro="${HOST_BASE_DISTRO}-${BASE_DISTRO_CODENAME}"
+        fi
+
+        E="${@ isar_export_proxies(d)}"
+        deb_dl_dir_import ${ROOTFS_IMAGETOOLS} ${distro}
+        ${SCRIPTSDIR}/lockrun.py -r -f "${REPO_ISAR_DIR}/isar.lock" -s <<'EOAPT'
+        local_install=$local_install ${@run_privileged_cmd(d)} /bin/bash -s <<'EOF'
+            set -e
+            ${@insert_isar_mounts(d, d.getVar('ROOTFS_IMAGETOOLS'), d.getVar('SCHROOT_MOUNTS'))}
+            chroot ${ROOTFS_IMAGETOOLS} apt-get update \
+                -o Dir::Etc::SourceList='sources.list.d/isar-apt.list' \
+                -o Dir::Etc::SourceParts='-' \
+                -o APT::Get::List-Cleanup='0'
+            chroot ${ROOTFS_IMAGETOOLS} apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y \
+                --allow-unauthenticated --allow-downgrades --download-only install \
+                $local_install
+EOF
+EOAPT
+
+        deb_dl_dir_export ${ROOTFS_IMAGETOOLS} ${distro}
+        local_install=$local_install run_privileged_heredoc <<'EOF'
+            set -e
+            ${@insert_isar_mounts(d, d.getVar('ROOTFS_IMAGETOOLS'), d.getVar('SCHROOT_MOUNTS'))}
+            chroot ${ROOTFS_IMAGETOOLS} apt-get -o Debug::pkgProblemResolver=yes --no-install-recommends -y \
+                --allow-unauthenticated --allow-downgrades install \
+                $local_install
+EOF
+    fi
+
+    run_privileged_heredoc <<'EOF' "$@"
+        set -e
+        mkdir -p ${ROOTFS_IMAGETOOLS}/${SCRIPTSDIR}
+        ${@insert_isar_mounts(d, d.getVar('ROOTFS_IMAGETOOLS'), d.getVar('SCHROOT_MOUNTS'))}
+        chroot ${ROOTFS_IMAGETOOLS} "$@" <&3
+EOF
+
+    run_privileged rm -rf ${ROOTFS_IMAGETOOLS}
+}
diff --git a/meta/classes-recipe/rootfs.bbclass b/meta/classes-recipe/rootfs.bbclass
index 1cd492c6..7570942a 100644
--- a/meta/classes-recipe/rootfs.bbclass
+++ b/meta/classes-recipe/rootfs.bbclass
@@ -145,7 +145,12 @@  rootfs_cmd() {
 }
 
 rootfs_do_mounts[weight] = "3"
-rootfs_do_mounts() {
+python rootfs_do_mounts() {
+    if d.getVar('ISAR_CHROOT_MODE') == 'schroot':
+        bb.build.exec_func('rootfs_do_mounts_priv', d)
+}
+
+rootfs_do_mounts_priv() {
     run_privileged_heredoc <<'EOSUDO'
         set -e
         mountpoint -q '${ROOTFSDIR}/dev' || \
@@ -168,7 +173,13 @@  rootfs_do_mounts() {
 EOSUDO
 }
 
-rootfs_do_umounts() {
+python rootfs_do_umounts() {
+    # unconditionally run the unmount code as this ignores missing
+    # mountpoints but also does the cleanup of the directories
+    bb.build.exec_func('rootfs_do_umounts_priv', d)
+}
+
+rootfs_do_umounts_priv() {
     run_privileged_heredoc <<'EOSUDO'
         set -e
 
@@ -215,7 +226,12 @@  ROOTFS_EXTRA_IMPORTED := "${@rootfs_extra_import(d)}"
 
 rootfs_prepare[weight] = "25"
 rootfs_prepare(){
-    run_privileged tar -xf "${BOOTSTRAP_SRC}" -C "${ROOTFSDIR}" --exclude="./dev/console"
+    create_chroot_parent_dir $(realpath "${ROOTFSDIR}/..")
+    rm -rf ${ROOTFSDIR}
+    run_privileged_heredoc << 'EOF'
+        mkdir -p ${ROOTFSDIR}
+        tar -xf "${BOOTSTRAP_SRC}" -C "${ROOTFSDIR}" --exclude="./dev/console"
+EOF
 
     # setup chroot
     run_privileged "${ROOTFSDIR}/chroot-setup.sh" "setup" "${ROOTFSDIR}"
@@ -285,10 +301,14 @@  rootfs_install_pkgs_update[weight] = "5"
 rootfs_install_pkgs_update[isar-apt-lock] = "acquire-before"
 rootfs_install_pkgs_update[network] = "${TASK_USE_NETWORK_AND_SUDO}"
 rootfs_install_pkgs_update() {
-    run_in_chroot '${ROOTFSDIR}' /usr/bin/apt-get update \
-        -o Dir::Etc::SourceList="sources.list.d/isar-apt.list" \
-        -o Dir::Etc::SourceParts="-" \
-        -o APT::Get::List-Cleanup="0"
+    run_privileged_heredoc <<'EOF'
+        set -e
+        ${@insert_isar_mounts(d, d.getVar('ROOTFSDIR'), d.getVar('ROOTFS_MOUNTS')) if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else ''}
+        chroot '${ROOTFSDIR}' /usr/bin/apt-get update \
+            -o Dir::Etc::SourceList="sources.list.d/isar-apt.list" \
+            -o Dir::Etc::SourceParts="-" \
+            -o APT::Get::List-Cleanup="0"
+EOF
 }
 
 ROOTFS_INSTALL_COMMAND += "rootfs_install_resolvconf"
@@ -316,9 +336,12 @@  rootfs_install_pkgs_download[isar-apt-lock] = "release-after"
 rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK}"
 rootfs_install_pkgs_download() {
     # download packages using apt in a non-privileged namespace
-    rootfs_cmd --bind "${ROOTFSDIR}/var/cache/apt/archives" /var/cache/apt/archives \
-               ${ROOTFSDIR} \
-               -- /usr/bin/apt-get ${ROOTFS_APT_ARGS} -oDebug::NoLocking=1 --download-only ${ROOTFS_PACKAGES}
+    run_privileged_heredoc <<'EOF'
+    set -e
+    ${@insert_isar_mounts(d, d.getVar('ROOTFSDIR'), d.getVar('ROOTFS_MOUNTS')) if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else ''}
+    chroot ${ROOTFSDIR} \
+        /usr/bin/apt-get ${ROOTFS_APT_ARGS} -oDebug::NoLocking=1 --download-only ${ROOTFS_PACKAGES}
+EOF
 }
 
 ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT ??= ""
@@ -345,8 +368,12 @@  rootfs_install_pkgs_install[weight] = "8000"
 rootfs_install_pkgs_install[progress] = "custom:rootfs_progress.PkgsInstallProgressHandler"
 rootfs_install_pkgs_install[network] = "${TASK_USE_SUDO}"
 rootfs_install_pkgs_install() {
-    run_in_chroot "${ROOTFSDIR}" \
+    run_privileged_heredoc <<'EOF'
+    set -e
+    ${@insert_isar_mounts(d, d.getVar('ROOTFSDIR'), d.getVar('ROOTFS_MOUNTS')) if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else ''}
+    chroot "${ROOTFSDIR}" \
         /usr/bin/apt-get ${ROOTFS_APT_ARGS} ${ROOTFS_PACKAGES}
+EOF
 }
 
 ROOTFS_INSTALL_COMMAND += "rootfs_restore_initrd_tooling"
@@ -636,7 +663,7 @@  rootfs_install_sstate_prepare() {
     # tar --one-file-system will cross bind-mounts to the same filesystem,
     # so we use some mount magic to prevent that
     mkdir -p ${WORKDIR}/mnt/rootfs
-    run_privileged_here <<'EOF' 3> rootfs.tar
+    run_privileged_heredoc <<'EOF' 3> rootfs.tar
         mount -o bind,private '${ROOTFSDIR}' '${WORKDIR}/mnt/rootfs' -o ro
         lopts="--one-file-system --exclude=var/cache/apt/archives"
         tar -C ${WORKDIR}/mnt/rootfs -cpS $lopts ${SSTATE_TAR_ATTR_FLAGS} . >&3
@@ -650,8 +677,11 @@  rootfs_install_sstate_finalize() {
     # - after building the rootfs, the tar won't be there, but we also don't need to unpack
     # - after restoring from cache, there will be a tar which we unpack and then delete
     if [ -f rootfs.tar ]; then
+        create_chroot_parent_dir $(realpath -m "${ROOTFSDIR}/..")
+        run_privileged_heredoc <<'EOF'
         mkdir -p ${ROOTFSDIR}
-        run_privileged tar -C ${ROOTFSDIR} -xp ${SSTATE_TAR_ATTR_FLAGS} < rootfs.tar
+        tar -C ${ROOTFSDIR} -xp ${SSTATE_TAR_ATTR_FLAGS} -f rootfs.tar
+EOF
         rm rootfs.tar
     fi
 }
diff --git a/meta/classes-recipe/sbuild.bbclass b/meta/classes-recipe/sbuild.bbclass
index ea0c5841..ded311da 100644
--- a/meta/classes-recipe/sbuild.bbclass
+++ b/meta/classes-recipe/sbuild.bbclass
@@ -7,7 +7,8 @@  SCHROOT_MOUNTS ?= ""
 
 inherit crossvars
 
-SBUILD_CHROOT ?= "${DEBDISTRONAME}-${SCHROOT_USER}-${ISAR_BUILD_UUID}-${@os.getpid()}"
+SBUILD_CHROOT:unshare ?= "${SCHROOT_DIR}.tar.zst"
+SBUILD_CHROOT:schroot ?= "${DEBDISTRONAME}-${SCHROOT_USER}-${ISAR_BUILD_UUID}-${@os.getpid()}"
 
 SBUILD_CONF_DIR ?= "${SCHROOT_CONF}/${SBUILD_CHROOT}"
 SCHROOT_CONF_FILE ?= "${SCHROOT_CONF}/chroot.d/${SBUILD_CHROOT}"
@@ -144,6 +145,13 @@  END
 EOSUDO
 }
 
+unshare_configure_ccache() {
+    # ccache must be below /build for file permissions to work properly
+    cat <<'EOF' >> ${SBUILD_CONFIG}
+$path = "/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games";
+EOF
+}
+
 sbuild_dpkg_log_export() {
     export dpkg_partial_log="${1}"
 
@@ -152,3 +160,19 @@  sbuild_dpkg_log_export() {
     cat ${dpkg_partial_log} >> ${SCHROOT_DIR}/tmp/dpkg_common.log
     )  9>"${SCHROOT_DIR}/tmp/dpkg_common.log.lock"
 }
+
+# additional mounts managed by sbuild
+sbuild_add_unshare_mounts() {
+    mkdir -p "${CCACHE_DIR}"
+    # sbuild id from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110942
+    setfacl -m u:${UNSHARE_SUBUID_BASE}:rwX -m u:${@int(d.getVar('UNSHARE_SUBUID_BASE')) + 999}:rwx "${CCACHE_DIR}"
+
+    cat <<'EOF' >> ${SBUILD_CONFIG}
+$unshare_bind_mounts = [
+    { directory => '${WORKDIR}/rootfs', mountpoint => '${PP}/rootfs' },
+    { directory => '${WORKDIR}/isar-apt/${DISTRO}-${DISTRO_ARCH}/apt/${DISTRO}', mountpoint => '/isar-apt' },
+    { directory => '${REPO_BASE_DIR}', mountpoint => '/base-apt' },
+    { directory => "${CCACHE_DIR}", mountpoint => "/ccache" }
+];
+EOF
+}
diff --git a/meta/classes-recipe/sdk.bbclass b/meta/classes-recipe/sdk.bbclass
index 074f5ef8..6086e9ce 100644
--- a/meta/classes-recipe/sdk.bbclass
+++ b/meta/classes-recipe/sdk.bbclass
@@ -74,13 +74,17 @@  rootfs_configure_isar_apt_dir() {
 
 ROOTFS_POSTPROCESS_COMMAND:prepend:class-sdk = "sdkchroot_configscript "
 sdkchroot_configscript () {
-    run_in_chroot ${ROOTFSDIR} /configscript.sh ${DISTRO_ARCH}
+    run_privileged_heredoc <<'EOF'
+        set -e
+        ${@insert_isar_mounts(d, d.getVar('ROOTFSDIR'), d.getVar('ROOTFS_MOUNTS')) if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else ''}
+        cp -rL /etc/resolv.conf '${ROOTFSDIR}/etc'
+        chroot ${ROOTFSDIR} /configscript.sh ${DISTRO_ARCH}
+EOF
 }
 
 ROOTFS_POSTPROCESS_COMMAND:append:class-sdk = " sdkchroot_finalize"
 sdkchroot_finalize() {
-
-    rootfs_do_umounts
+    rootfs_do_umounts_priv
 
     # Remove setup scripts
     run_privileged rm -f ${ROOTFSDIR}/chroot-setup.sh ${ROOTFSDIR}/configscript.sh
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 0f84e715..1c3a6f4a 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -72,7 +72,7 @@  KERNEL_FILE:arm64 ?= "vmlinux"
 
 MACHINEOVERRIDES ?= "${MACHINE}"
 DISTROOVERRIDES ?= "${DISTRO}"
-OVERRIDES = "${PACKAGE_ARCH}:${MACHINEOVERRIDES}:${DISTROOVERRIDES}:${BASE_DISTRO_CODENAME}:forcevariable"
+OVERRIDES = "${PACKAGE_ARCH}:${MACHINEOVERRIDES}:${DISTROOVERRIDES}:${BASE_DISTRO_CODENAME}:${ISAR_CHROOT_MODE}:forcevariable"
 FILESOVERRIDES = "${PACKAGE_ARCH}:${MACHINE}"
 
 # Setting default QEMU_ARCH variables for different DISTRO_ARCH:
@@ -151,6 +151,10 @@  ISAR_APT_RETRIES ??= "${@'10' if bb.utils.to_boolean(d.getVar('ISAR_USE_APT_SNAP
 ISAR_APT_DELAY_MAX ??= "${@'600' if bb.utils.to_boolean(d.getVar('ISAR_USE_APT_SNAPSHOT')) else ''}"
 ISAR_APT_SNAPSHOT_TIMESTAMP ??= "${SOURCE_DATE_EPOCH}"
 
+# Rootless build execution
+ISAR_ROOTLESS ??= "0"
+ISAR_CHROOT_MODE ??= "${@'unshare' if bb.utils.to_boolean(d.getVar('ISAR_ROOTLESS')) else 'schroot'}"
+
 # Default parallelism and resource usage for xz
 XZ_MEMLIMIT ?= "50%"
 XZ_THREADS ?= "${@oe.utils.cpu_count(at_least=2)}"
@@ -206,6 +210,7 @@  CCACHE_DEBUG ?= "0"
 # Variables for tasks marking
 # Long term TODO: get rid of sudo marked tasks
 TASK_USE_NETWORK = "1"
+# nested namespacing requires this as well
 TASK_USE_SUDO = "1"
 TASK_USE_NETWORK_AND_SUDO = "1"
 
diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
index 8ca295b7..c90bc59c 100644
--- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
+++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc
@@ -178,6 +178,8 @@  do_bootstrap() {
                          umount \$1/$base_apt_tmp && rm ${WORKDIR}/mmtmpdir && \
                          umount $base_apt_tmp && rm -rf --one-file-system $base_apt_tmp"
     else
+        # prepare dl_dir for access from both sides (local and rootfs)
+        create_chroot_parent_dir ${WORKDIR}/dl_dir
         deb_dl_dir_import "${WORKDIR}/dl_dir" "${BOOTSTRAP_BASE_DISTRO}-${BASE_DISTRO_CODENAME}"
 
         bootstrap_list="${WORKDIR}/sources.list.d/bootstrap.list"
@@ -197,6 +199,7 @@  do_bootstrap() {
                                  -o Dir::State="$1/var/lib/apt" \
                                  -o Dir::Etc="$1/etc/apt" \
                                  -o Dir::Cache="$1/var/cache/apt" \
+                                 ${@'-o APT::Sandbox::User=root' if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else ''} \
                                  -o Apt::Architecture="${BOOTSTRAP_DISTRO_ARCH}" \
                                  ${@get_apt_opts(d, '-o')}'
         extra_essential="$extra_essential && $syncout"
@@ -214,13 +217,14 @@  do_bootstrap() {
 
     # Cleanup mounts if fails
     trap 'exit 1' INT HUP QUIT TERM ALRM USR1
-    trap 'bootstrap_cleanup' EXIT
+    trap ${@'true' if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else 'bootstrap_cleanup'} EXIT
 
     # Create lock file so that it is owned by the user running the build (not root)
     mkdir -p ${DEBDIR}
     touch ${DEB_DL_LOCK}
 
-    run_privileged TMPDIR="${BOOTSTRAP_TMPDIR}" mmdebstrap $bootstrap_args \
+    ${@'' if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else 'run_privileged'} \
+    TMPDIR="${BOOTSTRAP_TMPDIR}" mmdebstrap $bootstrap_args \
                    $arch_param \
                    --mode=unshare \
                    ${MMHOOKS} \
@@ -239,6 +243,7 @@  do_bootstrap() {
                    --customize-hook='sed -i "/en_US.UTF-8 UTF-8/s/^#//g" "$1/etc/locale.gen"' \
                    --customize-hook='chroot "$1" /usr/sbin/locale-gen' \
                    --customize-hook='chroot "$1" /usr/bin/apt-get -y clean' \
+                   ${@'--skip=output/dev' if d.getVar('ISAR_CHROOT_MODE') == 'unshare' else ''} \
                    --skip=cleanup/apt \
                    --skip=download/empty \
                    ${@get_apt_opts(d, '--aptopt')} \
@@ -252,7 +257,8 @@  do_bootstrap() {
 
     if [ "${ISAR_USE_CACHED_BASE_REPO}" != "1" ]; then
         deb_dl_dir_export "${WORKDIR}/dl_dir" "${BOOTSTRAP_BASE_DISTRO}-${BASE_DISTRO_CODENAME}"
-        run_privileged rm -rf --one-file-system "${WORKDIR}/dl_dir"
+        run_privileged find ${WORKDIR}/dl_dir -maxdepth 1 -mindepth 1 -exec rm -rf --one-file-system "{}" \;
+        rmdir ${WORKDIR}/dl_dir
     fi
 }
 addtask bootstrap before do_build after do_generate_keyrings
diff --git a/meta/recipes-devtools/sbuild-chroot/sbuild-chroot.inc b/meta/recipes-devtools/sbuild-chroot/sbuild-chroot.inc
index 61d37760..7a778d8c 100644
--- a/meta/recipes-devtools/sbuild-chroot/sbuild-chroot.inc
+++ b/meta/recipes-devtools/sbuild-chroot/sbuild-chroot.inc
@@ -66,8 +66,28 @@  ROOTFS_POSTPROCESS_COMMAND:remove = "rootfs_cleanup_base_apt"
 
 DEPLOY_SCHROOT = "${@d.getVar('SCHROOT_' + d.getVar('SBUILD_VARIANT').upper() + '_DIR')}${SBUILD_SCHROOT_SUFFIX}"
 
-do_sbuildchroot_deploy[dirs] = "${DEPLOY_DIR}/schroot-${SBUILD_VARIANT}"
-do_sbuildchroot_deploy() {
+sbuildchroot_deploy_tree() {
     ln -Tfsr "${ROOTFSDIR}" "${DEPLOY_SCHROOT}"
 }
+sbuildchroot_deploy_tar() {
+    lopts="--one-file-system --exclude=var/cache/apt/archives --exclude=isar-apt"
+    # we cannot use pzstd, as this results in a different magic
+    # (zstd skippable frame) which is not detected by sbuild
+    # https://salsa.debian.org/debian/sbuild/-/blob/d975d388a98627a0d7d112791e441c27a6d529df/lib/Sbuild/ChrootUnshare.pm#L608
+    ZSTD="zstd -${SSTATE_ZSTD_CLEVEL} -T${ZSTD_THREADS}"
+    run_privileged \
+        tar -C ${ROOTFSDIR} -cpS $lopts ${ROOTFS_TAR_ATTR_FLAGS} . \
+            | $ZSTD > ${DEPLOY_SCHROOT}.tar.zst
+    # cleanup extracted rootfs
+    run_privileged rm -rf ${ROOTFSDIR}
+}
+
+do_sbuildchroot_deploy[network] = "${TASK_USE_SUDO}"
+do_sbuildchroot_deploy[dirs] += "${DEPLOY_DIR}/schroot-${SBUILD_VARIANT}"
+python do_sbuildchroot_deploy() {
+    if d.getVar('ISAR_CHROOT_MODE') == 'unshare':
+        bb.build.exec_func('sbuildchroot_deploy_tar', d)
+    else:
+        bb.build.exec_func('sbuildchroot_deploy_tree', d)
+}
 addtask sbuildchroot_deploy before do_build after do_rootfs