From patchwork Fri Feb 20 17:15:50 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Felix Moessbauer
X-Patchwork-Id: 4890
From: Felix Moessbauer
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [RFC v2 08/19] wic: rework image deploy logic to deploy under correct user
Date: Fri, 20 Feb 2026 18:15:50 +0100
Message-ID: <20260220171601.3845113-9-felix.moessbauer@siemens.com>
In-Reply-To: <20260220171601.3845113-1-felix.moessbauer@siemens.com>
References: <20260220171601.3845113-1-felix.moessbauer@siemens.com>

We previously deployed the image file as root and then chowned the deployed files to the calling user. Hereby the chown command itself requires to be run under root, which is not possible on rootless.
As a preparation for rootless, we rework the deploy logic to deploy the files under the calling user. For that, we deploy to a temporary directory within workdir that is writeable from inside the chroot and then copy out under the calling user. Signed-off-by: Felix Moessbauer --- RECIPE-API-CHANGELOG.md | 12 +++++ .../image-tools-extension.bbclass | 11 +++++ meta/classes-recipe/image.bbclass | 10 +++- meta/classes-recipe/imagetypes.bbclass | 47 +++++++++++-------- meta/classes-recipe/imagetypes_wic.bbclass | 10 ++-- meta/classes-recipe/squashfs.bbclass | 2 +- 6 files changed, 66 insertions(+), 26 deletions(-) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index ad03ed68..31c61789 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -978,3 +978,15 @@ specifies the rootfs path. Using these helpers instead of direct `sudo` invocations centralizes platform-specific privileged execution logic in `base.bbclass`. Direct use of `sudo` is discouraged in downstream layers. + +### Changes to image types + +The way different image types are handled has changed to be be compatible with +rootless builds. For that, the deployment of images happens in two steps: + +1. generate the image in the `${IMAGE_STAGE_CHROOT}` +2. the `imager_run` or `${SUDO_CHROOT}` command takes care of deploying the image + into the `${DEPLOY_DIR_IMAGE}` + +Conversion commands need to follow this strategy as well, but can read the image +(prior to conversion) from `${IMAGE_FILE_CHROOT}`. diff --git a/meta/classes-recipe/image-tools-extension.bbclass b/meta/classes-recipe/image-tools-extension.bbclass index e88557f6..2eac3619 100644 --- a/meta/classes-recipe/image-tools-extension.bbclass +++ b/meta/classes-recipe/image-tools-extension.bbclass 
@@ -17,6 +17,17 @@ SCHROOT_MOUNTS = "${WORKDIR}:${PP_WORK} ${IMAGE_ROOTFS}:${PP_ROOTFS} ${DEPLOY_DI SCHROOT_MOUNTS += "${REPO_ISAR_DIR}/${DISTRO}:/isar-apt" imager_run() { + IMAGE_STAGE_DIR=$(dirname $IMAGE_STAGE_HOST) + create_chroot_parent_dir $IMAGE_STAGE_DIR + imager_run_${ISAR_CHROOT_MODE} "$@" + + # copy locally deployed files with correct permissions to deploy dir + find $IMAGE_STAGE_DIR -type f -exec cp {} ${DEPLOY_DIR_IMAGE} \; + # on error keep the files for investigation + run_privileged rm -rf $IMAGE_STAGE_DIR +} + +imager_run_schroot() { local_install="${@(d.getVar("INSTALL_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}" local_bom="${@(d.getVar("BOM_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}" diff --git a/meta/classes-recipe/image.bbclass b/meta/classes-recipe/image.bbclass index 4a250964..2049d80b 100644 --- a/meta/classes-recipe/image.bbclass +++ b/meta/classes-recipe/image.bbclass @@ -180,8 +180,14 @@ IMGCLASSES += "${IMAGE_CLASSES}" inherit ${IMGCLASSES} # convenience variables to be used by CMDs +# Note, that the variables are only valid within the type specific task itself +# but not in transitively called shell functions IMAGE_FILE_HOST = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.${type}" +# view (only for reading) the image in the deploy dir (useful for conversion commands) IMAGE_FILE_CHROOT = "${PP_DEPLOY}/${IMAGE_FULLNAME}.${type}" +# staging location for copy-out (should only be written to from chroot) +IMAGE_STAGE_HOST = "${WORKDIR}/deploy-image-${type}/${IMAGE_FULLNAME}.${type}" +IMAGE_STAGE_CHROOT = "${PP_WORK}/deploy-image-${type}/${IMAGE_FULLNAME}.${type}" SUDO_CHROOT = "imager_run -d ${PP_ROOTFS} -u root --" # hook up IMAGE_CMD_* 
@@ -262,8 +268,8 @@ python() { image_cmd = localdata.getVar('IMAGE_CMD:' + bt_clean) if image_cmd: localdata.setVar('type', bt) + cmds.append(localdata.expand('\tIMAGE_STAGE_HOST="${IMAGE_STAGE_HOST}"')) cmds.append(localdata.expand(image_cmd)) - cmds.append(localdata.expand('\tsudo chown $(id -u):$(id -g) ${IMAGE_FILE_HOST}')) else: bb.fatal("No IMAGE_CMD for %s" % bt) vardeps.add('IMAGE_CMD:' + bt_clean) @@ -292,8 +298,8 @@ python() { localdata.setVar('type', t) cmd = '\t' + localdata.getVar('CONVERSION_CMD:' + c) if cmd not in cmds: + cmds.append(localdata.expand('\tIMAGE_STAGE_HOST="${IMAGE_STAGE_HOST}"')) cmds.append(cmd) - cmds.append(localdata.expand('\tsudo chown $(id -u):$(id -g) ${IMAGE_FILE_HOST}.%s' % c)) vardeps.add('CONVERSION_CMD:' + c) for dep in (localdata.getVar('CONVERSION_DEPS:' + c) or '').split(): conversion_install.add(dep) diff --git a/meta/classes-recipe/imagetypes.bbclass b/meta/classes-recipe/imagetypes.bbclass index f802c11c..78b89393 100644 --- a/meta/classes-recipe/imagetypes.bbclass +++ b/meta/classes-recipe/imagetypes.bbclass @@ -9,7 +9,7 @@ TAR_TRANSFORM = "--transform='s|rootfs|.|'" TAR_OPTIONS:append = " ${TAR_TRANSFORM}" IMAGE_CMD:tar() { ${SUDO_CHROOT} tar ${TAR_OPTIONS} -cvSf \ - ${IMAGE_FILE_CHROOT} --one-file-system -C ${PP} rootfs + ${IMAGE_STAGE_CHROOT} --one-file-system -C ${PP} rootfs } # image type: ext4 @@ -38,10 +38,11 @@ do_image_ext4[prefuncs] = "set_mke2fs_args" IMAGE_CMD:ext4() { export E2FSPROGS_FAKE_TIME="${SOURCE_DATE_EPOCH}" - truncate -s ${ROOTFS_SIZE}K '${IMAGE_FILE_HOST}' - - ${SUDO_CHROOT} /sbin/mke2fs ${MKE2FS_ARGS} \ - -F -d '${PP_ROOTFS}' '${IMAGE_FILE_CHROOT}' + ${SUDO_CHROOT} /bin/bash -s <<'EOF' + set -e + truncate -s ${ROOTFS_SIZE}K '${IMAGE_STAGE_CHROOT}' + /sbin/mke2fs ${MKE2FS_ARGS} -F -d '${PP_ROOTFS}' '${IMAGE_STAGE_CHROOT}' +EOF } # image type: cpio 
@@ -49,10 +50,12 @@ IMAGER_INSTALL:cpio += "cpio" CPIO_IMAGE_FORMAT ?= "newc" IMAGE_CMD:cpio() { - ${SUDO_CHROOT} \ - sh -c "cd ${PP_ROOTFS}; /usr/bin/find . | \ - /usr/bin/cpio -H ${CPIO_IMAGE_FORMAT} -o > \ - ${IMAGE_FILE_CHROOT}" + imager_run -p -d ${PP_WORK} -u root <<'EOIMAGER' + set -e + cd '${PP_ROOTFS}'; /usr/bin/find . | \ + /usr/bin/cpio -H ${CPIO_IMAGE_FORMAT} -o > \ + '${IMAGE_STAGE_CHROOT}' +EOIMAGER } # image type: fit @@ -72,8 +75,9 @@ IMAGE_CMD:fit() { die "FIT_IMAGE_SOURCE does not contain fitimage source file" fi - ${SUDO_CHROOT} /usr/bin/mkimage ${MKIMAGE_ARGS} \ - -f '${PP_WORK}/${FIT_IMAGE_SOURCE}' '${IMAGE_FILE_CHROOT}' + ${SUDO_CHROOT} /usr/bin/mkimage \ + ${MKIMAGE_ARGS} -f '${PP_WORK}/${FIT_IMAGE_SOURCE}' \ + '${IMAGE_STAGE_CHROOT}' } IMAGE_CMD:fit[depends] = "${PN}:do_transform_template" @@ -90,8 +94,9 @@ THIS_ISAR_CROSS_COMPILE := "${ISAR_CROSS_COMPILE}" ISAR_CROSS_COMPILE:armhf = "${@bb.utils.contains('IMAGE_BASETYPES', 'ubifs', '1', '${THIS_ISAR_CROSS_COMPILE}', d)}" IMAGE_CMD:ubifs() { - ${SUDO_CHROOT} /usr/sbin/mkfs.ubifs ${MKUBIFS_ARGS} \ - -r '${PP_ROOTFS}' '${IMAGE_FILE_CHROOT}' + ${SUDO_CHROOT} /usr/sbin/mkfs.ubifs \ + ${MKUBIFS_ARGS} -r '${PP_ROOTFS}' \ + '${IMAGE_FILE_CHROOT}' } # image type: ubi 
@@ -108,22 +113,26 @@ IMAGE_CMD:ubi() { die "UBINIZE_CFG does not contain ubinize config file." fi - ${SUDO_CHROOT} /usr/sbin/ubinize ${UBINIZE_ARGS} \ - -o '${IMAGE_FILE_CHROOT}' '${PP_WORK}/${UBINIZE_CFG}' + ${SUDO_CHROOT} /usr/sbin/ubinize \ + ${UBINIZE_ARGS} -o '${IMAGE_STAGE_CHROOT}' \ + '${PP_WORK}/${UBINIZE_CFG}' } IMAGE_CMD:ubi[depends] = "${PN}:do_transform_template" # image conversions IMAGE_CONVERSIONS = "gz xz zst zck" -CONVERSION_CMD:gz = "${SUDO_CHROOT} sh -c 'gzip -f -9 -n -c --rsyncable ${IMAGE_FILE_CHROOT} > ${IMAGE_FILE_CHROOT}.gz'" +# image conversions +IMAGE_CONVERSIONS = "gz xz zst zck" + +CONVERSION_CMD:gz = "${SUDO_CHROOT} sh -c 'gzip -f -9 -n -c --rsyncable ${IMAGE_FILE_CHROOT} > ${IMAGE_STAGE_CHROOT}.gz'" CONVERSION_DEPS:gz = "gzip" -CONVERSION_CMD:xz = "${SUDO_CHROOT} sh -c 'xz -c ${XZ_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_FILE_CHROOT}.xz'" +CONVERSION_CMD:xz = "${SUDO_CHROOT} sh -c 'xz -c ${XZ_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_STAGE_CHROOT}.xz'" CONVERSION_DEPS:xz = "xz-utils" -CONVERSION_CMD:zst = "${SUDO_CHROOT} sh -c 'zstd -c --sparse ${ZSTD_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_FILE_CHROOT}.zst'" +CONVERSION_CMD:zst = "${SUDO_CHROOT} sh -c 'zstd -c --sparse ${ZSTD_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_STAGE_CHROOT}.zst'" CONVERSION_DEPS:zst = "zstd" -CONVERSION_CMD:zck = "${SUDO_CHROOT} sh -c 'cd $(dirname ${IMAGE_FILE_CHROOT}); zck ${ZCK_DEFAULTS} ${IMAGE_FILE_CHROOT}'" +CONVERSION_CMD:zck = "${SUDO_CHROOT} sh -c 'cd $(dirname ${IMAGE_FILE_CHROOT}); zck ${ZCK_DEFAULTS} ${IMAGE_STAGE_CHROOT}'" CONVERSION_DEPS:zck = "zchunk" diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass index 63974a3e..ebf3ce8e 100644 --- a/meta/classes-recipe/imagetypes_wic.bbclass +++ b/meta/classes-recipe/imagetypes_wic.bbclass 
@@ -145,6 +145,9 @@ check_for_wic_warnings() { do_image_wic[file-checksums] += "${WKS_FILE_CHECKSUM}" IMAGE_CMD:wic() { + # variable is type specific, hence capture here and + # forward to functions via export + export IMAGE_STAGE_CHROOT="${IMAGE_STAGE_CHROOT}" generate_wic_image check_for_wic_warnings } @@ -181,20 +184,19 @@ generate_wic_image() { -e "${IMAGE_BASENAME}" ${WIC_CREATE_EXTRA_ARGS} WIC_DIRECT=$(ls -t -1 /tmp/${IMAGE_FULLNAME}.wic/*.direct | head -1) - mv -f ${WIC_DIRECT} ${PP_DEPLOY}/${IMAGE_FULLNAME}.wic - mv -f ${WIC_DIRECT}.bmap ${PP_DEPLOY}/${IMAGE_FULLNAME}.wic.bmap + mv -f ${WIC_DIRECT} $IMAGE_STAGE_CHROOT + mv -f ${WIC_DIRECT}.bmap $IMAGE_STAGE_CHROOT.bmap # deploy partition files if requested (ending with .p) if [ "${WIC_DEPLOY_PARTITIONS}" -eq "1" ]; then # locate *.direct.p partition files find "/tmp/${IMAGE_FULLNAME}.wic/" -type f -regextype sed -regex ".*\.direct.*\.p[0-9]\{1,\}" | while read f; do suffix=$(basename $f | sed 's/.*\.direct\(.*\)/\1/') - mv -f ${f} ${PP_DEPLOY}/${IMAGE_FULLNAME}.wic${suffix} + mv -f ${f} $IMAGE_STAGE_CHROOT${suffix} done fi EOIMAGER run_privileged chown -R $(stat -c "%U" ${LAYERDIR_core}) ${LAYERDIR_core} ${LAYERDIR_isar} ${SCRIPTSDIR} || true - run_privileged chown -R $(id -u):$(id -g) "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic"* rm -rf ${IMAGE_ROOTFS}/../pseudo cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.manifest \ diff --git a/meta/classes-recipe/squashfs.bbclass b/meta/classes-recipe/squashfs.bbclass index 9cd7ed3d..8330ffb5 100644 --- a/meta/classes-recipe/squashfs.bbclass +++ b/meta/classes-recipe/squashfs.bbclass @@ -42,6 +42,6 @@ IMAGE_CMD:squashfs[depends] = "${PN}:do_transform_template" IMAGE_CMD:squashfs[vardepsexclude] += "SQUASHFS_CREATION_LIMITS" IMAGE_CMD:squashfs() { ${SUDO_CHROOT} /bin/mksquashfs \ - '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ + '${SQUASHFS_CONTENT}' '${IMAGE_STAGE_CHROOT}' \ -noappend ${SQUASHFS_CREATION_LIMITS} ${SQUASHFS_CREATION_ARGS} }
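
Review bot: typo in the paragraph added to RECIPE-API-CHANGELOG.md, "has changed to be be compatible" should read "to be compatible". The same section names ${IMAGE_STAGE_CHROOT} and ${IMAGE_FILE_CHROOT} but not the restriction that image.bbclass documents in this patch (the variables are only valid within the type specific task, not in transitively called shell functions). Downstream IMAGE_CMD and CONVERSION_CMD authors read the changelog rather than the class comments, so that sentence belongs here too.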
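
Review bot: the new imager_run wrapper in image-tools-extension.bbclass derives IMAGE_STAGE_DIR from an unchecked, unquoted $IMAGE_STAGE_HOST and then hands it to find ... -exec cp and to run_privileged rm -rf. image.bbclass in this patch states that the variable is only valid inside the type specific task, so a caller of imager_run outside that context depends on dirname failing and on errexit being active to avoid copying from, or deleting, the wrong directory. Since the delete runs privileged, an explicit guard such as ${IMAGE_STAGE_HOST:?} at the top, plus quoting "$IMAGE_STAGE_DIR" and "${DEPLOY_DIR_IMAGE}", is worth adding. The comment "on error keep the files for investigation" likewise only holds if a non-zero status from imager_run_${ISAR_CHROOT_MODE} aborts the function; that dependency is not visible in the hunk and should be made explicit.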
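
Review bot: the IMAGE_CMD:ubifs hunk in imagetypes.bbclass still passes '${IMAGE_FILE_CHROOT}' as the mkfs.ubifs output, while tar, ext4, cpio, fit, ubi and squashfs were switched to '${IMAGE_STAGE_CHROOT}'. With the sudo chown line removed from image.bbclass, the ubifs image would be written directly into the deploy dir from inside the chroot and would never pass through the copy-out in imager_run, which is the situation this patch sets out to remove. This looks like a missed rename; the last added line should read '${IMAGE_STAGE_CHROOT}'.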
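
Review bot: the conversions hunk in imagetypes.bbclass adds a second copy of "# image conversions" and IMAGE_CONVERSIONS = "gz xz zst zck" directly below the unchanged ones; the two added lines should be dropped. In the same hunk CONVERSION_CMD:zck is changed differently from gz, xz and zst: those read ${IMAGE_FILE_CHROOT} and redirect into ${IMAGE_STAGE_CHROOT} plus the suffix, whereas zck now takes ${IMAGE_STAGE_CHROOT} as its input argument and still does cd $(dirname ${IMAGE_FILE_CHROOT}). The changelog text in this patch says conversion commands read the image from ${IMAGE_FILE_CHROOT}, so the argument should stay ${IMAGE_FILE_CHROOT}, and if zck writes its result into the working directory the cd should go to $(dirname ${IMAGE_STAGE_CHROOT}) instead.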
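
Review bot: in the generate_wic_image hunk of imagetypes_wic.bbclass the three mv -f targets use $IMAGE_STAGE_CHROOT unquoted and unchecked, and the value only arrives through the export added to IMAGE_CMD:wic. If that export does not reach the shell that runs the EOIMAGER script, mv -f ${WIC_DIRECT}.bmap $IMAGE_STAGE_CHROOT.bmap moves the bmap to a file named .bmap in the current directory instead of failing. Suggest "${IMAGE_STAGE_CHROOT:?}" on the first mv and quoting all three targets. The hunk also removes the chown of the deployed .wic files but leaves run_privileged chown -R ... ${LAYERDIR_core} ${LAYERDIR_isar} ${SCRIPTSDIR} || true in place; given that the commit message says chown cannot run on rootless, a comment on why this one remains would help.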