From: "'Cedric Hombourger' via isar-users"
X-Original-Sender: cedric.hombourger@siemens.com
To: isar-users@googlegroups.com
Cc: felix.moessbauer@siemens.com, Cedric Hombourger
Subject: [RFC PATCH 1/2] rootfs: introduce wrapper to run native commands against a rootfs
Date: Thu, 15 May 2025 17:07:26 +0200
Message-Id: <20250515150727.1764989-2-cedric.hombourger@siemens.com>
In-Reply-To: <20250515150727.1764989-1-cedric.hombourger@siemens.com>
References: <20250515150727.1764989-1-cedric.hombourger@siemens.com>

"sudo chroot" is used in several places to run commands inside rootfs
directories constructed by Isar.
There are cases where a native command could be used without elevated
privileges as long as special folders such as /isar-apt are mounted (they
are often referenced as /isar-apt in configuration files found in the
target rootfs). For such cases, bubblewrap may be used to create a
non-privileged namespace (either in a bare/native environment or within a
docker/podman container) to achieve better performance when execution
through QEMU may be avoided.

Signed-off-by: Cedric Hombourger
---
 meta/classes/rootfs.bbclass | 64 +++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index f16ecc00..2975eb6b 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -30,6 +30,70 @@ export LANG = "C" export LANGUAGE = "C" export LC_ALL = "C" +# Execute a native command against a rootfs and with isar-apt bind-mounted. +# Additional mounts may be specified using --bind and a +# custom directory for the command to be executed with --chdir . The +# command is assumed to follow the special "--" argument. This would replace +# "sudo chroot" calls especially when a native command may be used instead of +# chroot'ed command and without elevated privileges (the command will likely +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). +# +# Usage: rootfs_native_cmd [options] -- command +# +rootfs_native_cmd() { + set -- "$@" + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" + rootfs="" + + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do + case "${1}" in + --bind) + if [ "${#}" -lt "3" ]; then + bbfatal "--bind requires two arguments" + fi + bwrap_args="${bwrap_args} --bind ${2} ${3}" + shift 3 + ;; + --chdir) + if [ "${#}" -lt "2" ]; then + bbfatal "${1} requires an argument" + fi + bwrap_args="${bwrap_args} ${1} ${2}" + shift 2 + ;; + -*) + bbfatal "${1} is not a supported option!" + ;; + *) + if [ -z "${rootfs}" ]; then + rootfs="${1}" + shift + else + bbfatal "unexpected argument '${1}'" + fi + ;; + esac + done + + [ -n "${rootfs}" ] || bbfatal "no rootfs path provided" + + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then + bbfatal "no command specified (missing --)" + fi + + shift # remove the "--" + exec bwrap \ + ${bwrap_args} \ + --bind "${rootfs}" "${rootfs}" \ + --unshare-user \ + --unshare-pid \ + --dev-bind /dev /dev --proc /proc --ro-bind /sys /sys \ + --ro-bind /etc /etc --ro-bind /bin /bin \ + --ro-bind /lib /lib --ro-bind /lib64 /lib64 \ + --ro-bind /usr /usr --tmpfs /tmp \ + -- "${@}" +} + rootfs_do_mounts[weight] = "3" rootfs_do_mounts() { sudo -s <<'EOSUDO' -- 2.39.5 -- You received this message because you are subscribed to the Google Groups "isar-users" group. 
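Review bot: `exec bwrap` at the end of rootfs_native_cmd replaces the calling shell, so a bitbake task that calls this function and then runs further commands (or a second rootfs_native_cmd) stops at the first call and takes bwrap's exit status as the task result; since the header comment says this is meant to replace "sudo chroot" calls inside existing task bodies, drop the exec and run `bwrap ${bwrap_args} ... -- "${@}"` as an ordinary command. Two smaller points in the same hunk: `--ro-bind /lib64 /lib64` makes bwrap abort on hosts that have no /lib64 (bwrap rejects a missing bind source), so guard it with a `[ -e /lib64 ]` check or use `--ro-bind-try` where the host's bwrap is new enough; and `bwrap_args` is an unquoted string that gets word-split, so a `--bind` source/destination or a `--chdir` directory containing whitespace will break silently, which the usage comment should at least state (accumulating with `set -- "$@" --bind "$2" "$3"` would avoid it). `set -- "$@"` on the first line is a no-op and can go.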
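The commit message relies on unprivileged user namespaces being available, which is exactly what is often blocked on CI runners and inside docker/podman containers (sysctl, seccomp or AppArmor profiles), and it hard-codes host directories that do not exist on every build host. The following preflight script is an added example written for this page; it is not Isar code and not part of the patch, and the function names userns_policy, present_dirs and native_sandbox_check are this example's own. It classifies the kernel's user-namespace policy, filters the host bind list down to directories that actually exist, and then proves end to end that bwrap can create a user and PID namespace before any task depends on it.

```shell
#!/bin/sh
# Added example (not Isar code, not part of the patch): preflight checks for
# running native commands in an unprivileged bubblewrap sandbox.

# Classify the host's user-namespace policy from two sysctl values passed as
# arguments (pass "" when the file is absent on this kernel):
#   $1: /proc/sys/kernel/unprivileged_userns_clone (Debian/Ubuntu kernels only)
#   $2: /proc/sys/user/max_user_namespaces
# Prints "disabled" and returns 1 when either value is 0, otherwise prints
# "allowed" and returns 0.
userns_policy() {
    if [ "${1:-1}" = "0" ] || [ "${2:-1}" = "0" ]; then
        echo disabled
        return 1
    fi
    echo allowed
    return 0
}

# Print only those of the given host paths that exist, one per line.
# bwrap aborts the whole run when a --ro-bind source is missing, and /lib64
# only exists on some architectures, so a caller should derive its host bind
# list from this instead of hard-coding it. Paths are assumed to contain no
# whitespace (assumption of this example).
present_dirs() {
    for d in "$@"; do
        [ -e "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# Returns 0 when bwrap can create a user+PID namespace on this host,
# 1 when the kernel, a seccomp/AppArmor profile or the container runtime
# blocks it, and 2 when bwrap is not installed. A build could run this once
# and fall back to the existing "sudo chroot" path on a non-zero result.
native_sandbox_check() {
    command -v bwrap >/dev/null 2>&1 || {
        echo "bwrap not installed" >&2
        return 2
    }
    clone=""
    [ -r /proc/sys/kernel/unprivileged_userns_clone ] && \
        clone=$(cat /proc/sys/kernel/unprivileged_userns_clone)
    max=""
    [ -r /proc/sys/user/max_user_namespaces ] && \
        max=$(cat /proc/sys/user/max_user_namespaces)
    userns_policy "$clone" "$max" >/dev/null || {
        echo "unprivileged user namespaces disabled by sysctl" >&2
        return 1
    }
    # Accumulate bwrap arguments in "$@" rather than in a word-split string,
    # binding only the host directories that exist here.
    set --
    for d in $(present_dirs /etc /bin /lib /lib64 /usr); do
        set -- "$@" --ro-bind "$d" "$d"
    done
    bwrap --unshare-user --unshare-pid --proc /proc --dev /dev \
        "$@" -- /bin/true >/dev/null 2>&1 || {
        echo "bwrap could not create a user namespace" \
             "(seccomp/AppArmor/container runtime?)" >&2
        return 1
    }
    return 0
}

# Usage: run once before the first sandboxed command.
native_sandbox_check || echo "native sandbox unavailable (rc=$?), use sudo chroot"
```

Only userns_policy and present_dirs are pure; native_sandbox_check touches the live host, so its result will differ between a bare Debian host, a rootless podman container with user namespaces enabled, and a docker container under the default seccomp profile, which is the point of running it before the build rather than discovering the failure inside a task.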