Re: [PATCH v3 1/6] rootfs: introduce wrapper to run commands against a rootfs

["'Jan Kiszka' via isar-users" <isar-users@googlegroups.com>]

On 25.06.25 21:37, 'Cedric Hombourger' via isar-users wrote:
> "sudo chroot" is used in several places to run commands inside rootfs
> directories constructed by Isar. There are cases where a command could
> be used without elevated privileges as long as special folders such as
> /isar-apt are mounted (they are often referenced as /isar-apt in
> configuration files found in the target rootfs). For such cases,
> bubblewrap may be used to create a non-privileged namespace (either
> in a bare/native environment or within a docker/podman container)
> where the command will be executed as if chroot had been used. The
> rootfs may also be the host root file-system: this should however
> be used with care to avoid host contamination problems (note: Isar
> already relies on a number of host tools).

Where does this take the commands from then, the host env or some better
defined rootfs that is aligned with the target rootfs release-wise? Is
that controlled by the caller or implicitly by the wrapper.

I have to remind that we cannot blindly use host-side tools on the
target rootfs (except for the very basic ones) as the latter may be
newer than the former and not necessarily compatible.

Jan

> 
> Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
> ---
>  RECIPE-API-CHANGELOG.md     |  7 ++++
>  doc/user_manual.md          |  1 +
>  meta/classes/rootfs.bbclass | 67 +++++++++++++++++++++++++++++++++++++
>  3 files changed, 75 insertions(+)
> 
> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> index 8468717d..18b90555 100644
> --- a/RECIPE-API-CHANGELOG.md
> +++ b/RECIPE-API-CHANGELOG.md
> @@ -727,3 +727,10 @@ Changes in next
>  
>  This was never documented and never had practical relevance. `oci-archive` is
>  the useful OCI image format that can be imported, e.g., by podman.
> +
> +### Require bubblewrap to run non-privileged commands with bind-mounts
> +
> +Isar occasionally needs to run commands within root file-systems that it
> +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be
> +used in Isar classes instead of `sudo chroot`. It is pre-installed in
> +kas-container version 4.8 (or later).
> diff --git a/doc/user_manual.md b/doc/user_manual.md
> index ca551a0d..a4fff34a 100644
> --- a/doc/user_manual.md
> +++ b/doc/user_manual.md
> @@ -75,6 +75,7 @@ Install the following packages:
>  ```
>  apt install \
>    binfmt-support \
> +  bubblewrap \
>    bzip2 \
>    mmdebstrap \
>    arch-test \
> diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
> index 5f877962..429494ae 100644
> --- a/meta/classes/rootfs.bbclass
> +++ b/meta/classes/rootfs.bbclass
> @@ -34,6 +34,73 @@ export LANG = "C"
>  export LANGUAGE = "C"
>  export LC_ALL = "C"
>  
> +# Execute a command against a rootfs and with isar-apt bind-mounted.
> +# Additional mounts may be specified using --bind <source> <target> and a
> +# custom directory for the command to be executed with --chdir <dir>. The
> +# command is assumed to follow the special "--" argument. This would replace
> +# "sudo chroot" calls especially when a native command may be used instead of
> +# chroot'ed command and without elevated privileges (the command will likely
> +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). If the
> +# optional rootfs argument is omitted, the host rootfs will be used (e.g. to
> +# run native commands): this should be used with care.
> +#
> +# Usage: rootfs_cmd [options] [rootfs] -- command
> +#
> +rootfs_cmd() {
> +    set -- "$@"
> +    bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt"
> +    bwrap_binds=""
> +    bwrap_rootfs=""
> +
> +    while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do
> +        case "${1}" in
> +            --bind)
> +                if [ "${#}" -lt "3" ]; then
> +                    bbfatal "--bind requires two arguments"
> +                fi
> +                bwrap_binds="${bwrap_binds} --bind ${2} ${3}"
> +                shift 3
> +                ;;
> +            --chdir)
> +                if [ "${#}" -lt "2" ]; then
> +                    bbfatal "${1} requires an argument"
> +                fi
> +                bwrap_args="${bwrap_args} ${1} ${2}"
> +                shift 2
> +                ;;
> +            -*)
> +                bbfatal "${1} is not a supported option!"
> +                ;;
> +            *)
> +                if [ -z "${bwrap_rootfs}" ]; then
> +                    bwrap_rootfs="${1}"
> +                    shift
> +                else
> +                    bbfatal "unexpected argument '${1}'"
> +                fi
> +                ;;
> +        esac
> +    done
> +
> +    if [ -n "${bwrap_rootfs}" ]; then
> +        bwrap_args="${bwrap_args} --bind ${bwrap_rootfs} /"
> +    fi
> +
> +    if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then
> +        bbfatal "no command specified (missing --)"
> +    fi
> +    shift  # remove "--", command and its arguments follows
> +
> +    for ro_d in bin etc lib lib64 sys usr var; do
> +        [ -d ${bwrap_rootfs}/${ro_d} ] || continue
> +        bwrap_args="${bwrap_args} --ro-bind ${bwrap_rootfs}/${ro_d} /${ro_d}"
> +    done
> +
> +    bwrap --unshare-user --unshare-pid ${bwrap_args} \
> +        --dev-bind /dev /dev --proc /proc --tmpfs /tmp \
> +        ${bwrap_binds} -- "${@}"
> +}
> +
>  rootfs_do_mounts[weight] = "3"
>  rootfs_do_mounts() {
>      sudo -s <<'EOSUDO'


-- 
Siemens AG, Foundational Technologies
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/161b6da4-e7d1-4668-87aa-a0ae041fb8c6%40siemens.com.