@@ -999,3 +999,8 @@ This internally switches the chroot mode from `schroot` to `unshare`.
When using kas, the `build_system` needs to be set to `isar-rootless`, but the final
interfaces still need to be clarified. Further, kas patches are needed (for details,
check the kas mailing list).
+
+Note, that the build dir may contain files that were generated within the rootless
+environment and cannot be deleted from the outside by the calling user. To simplify
+the cleanup, we provide the `isar-clean-builddir` script that helps purging
+directories with mixed ownerships (without requiring root privileges).
new file mode 100755
@@ -0,0 +1,73 @@
+#!/bin/sh
+# isar-clean-builddir - Clean the build/tmp directory
+#
+# This script removes all files from the specified directory, including those
+# owned by other users (which requires elevated privileges).
+#
+# Rootless Mode:
+# When --rootless is specified, no privileged commands are executed. This
+# requires that the UID namespace where files were generated matches the
+# cleanup environment. When running from a container, this script must be
+# called from within the same container.
+#
+# Part of the Isar API. External tools may call this script for cleanup.
+#
+# Copyright (c) Siemens AG, 2026
+# SPDX-License-Identifier: MIT
+
+DRY_RUN=0
+ROOTLESS=0
+
+usage()
+{
+ EXIT_CODE="$1"
+ SELF="isar-clean-builddir"
+ printf "%b" "Usage: ${SELF} [--rootless] [--dry-run] [dir]\n"
+
+ exit "${EXIT_CODE:-1}"
+}
+
+while [ $# -gt 0 ]; do
+ case "$1" in
+ --dry-run)
+ DRY_RUN=1
+ shift 1
+ ;;
+ -h | --help)
+ usage 0
+ ;;
+ --rootless)
+ ROOTLESS=1
+ shift 1
+ ;;
+ --*)
+ usage 1
+ ;;
+ *)
+ break
+ ;;
+ esac
+done
+
+[ $# -eq 1 ] || usage 1
+if ! [ -d "$1" ]; then
+ echo "error: \"$1\" is not a directory"
+ exit 1
+fi
+
+if [ $ROOTLESS -eq 1 ]; then
+ PRIVILEGED_CMD="unshare --map-auto --map-root-user --keep-caps"
+else
+ PRIVILEGED_CMD="sudo"
+fi
+
+if [ $DRY_RUN -eq 1 ]; then
+ echo "dry-run, not executing"
+ DRY_RUN_PREFIX="/bin/echo"
+fi
+
+# clean all files that do not belong to us
+# shellcheck disable=2086
+find "$1" \( ! -user "$(whoami)" -type d -prune \) -exec $DRY_RUN_PREFIX $PRIVILEGED_CMD rm -rf {} \;
+# clean remaining files
+$DRY_RUN_PREFIX rm -rf "$1"
When running in rootless mode, cleaning the build directory from outside the build environment is a non trivial task due to mixed file ownerships. To simplify this, we introduce the isar-clean-builddir script that can perform the cleanup without requiring root privileges. Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com> --- RECIPE-API-CHANGELOG.md | 5 +++ scripts/isar-clean-builddir | 73 +++++++++++++++++++++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100755 scripts/isar-clean-builddir