From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Mon, 19 May 2025 13:58:24 +0200 X-Sieve: CMU Sieve 2.4 Received: from mail-wr1-f63.google.com (mail-wr1-f63.google.com [209.85.221.63]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 54JBwNBW018150 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 19 May 2025 13:58:23 +0200 Received: by mail-wr1-f63.google.com with SMTP id ffacd0b85a97d-3a361c82d9dsf317938f8f.2 for ; Mon, 19 May 2025 04:58:23 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1747655898; cv=pass; d=google.com; s=arc-20240605; b=Ufq2j6dM4TB3rU7HPPyc5wGQkdb57P8/x3/hpPQfX/wPeZQXXbwjq+bjyva2xcvQSi X3p6r3jcrL5T4B8Xfq1PvaXCC7/v2RfO6zthyPXCX6//rTw/6mF67tqWkG6k7YyVqGbB +cqrcOxqnnIAnCHJzUDjNr8vr59egJpAwsqHkDI89hci0f0Vk6sS3xMUKT3LE/cSuAOx 9/sj08bGa/DFQvRZkOAI+ujAR0QERLr3/myrtFL+JCmmexaUI+u9l+oxuY9M/hqfJQ5K 2OXMgKkwfw0UuQ2B8VtfJ9OzYHH6T2H/IMFVvaKYIUQ6oDrdkZ3fmM9dMzI9fIzUBYBB qA7A== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:feedback-id:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=yrHwf/WtHuEawDw9J44kw13IVJZb9iXLIfQGlJPI4k8=; fh=crHbN3PsISdZ9yzsmar9OtoNZa0479yIp7uB7ovxzGU=; b=eDbzTetApUejzZ4NFBGHfCWgtw0YriQMibkZJfqMstxlOLoHFH7AJ9M31FV0i6Vnhd IxIb0HaOb9U39C9eKXkbXsySVWAWx2GnYm7KSZtpwjkr/fqzneR2rHWG2T4JKypxT5hf lMKtphKb0UkrMAfvP9NuUea1Yp7GEOpf4F6IfaPFZX8sMMkN4ixyMTkQhjYzYxMUL+Bv v9oSWCWbe/zOw84X1N7cjaHhexYoPo54pQjaMXN/js94Swt/se/iIIfVIS7H6WlbKkgq f4zfq6btwRtmX8svgAYv7CUlmVb0oW6IYWzgHCKQAS8iQ2eKdXJgHOMyhkWAWmqFte8V RuYQ==; darn=ilbers.de ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm1 header.b=CBeJZ9fo; spf=pass (google.com: domain of fm-1212295-20250519115813d3ffc491885eb7773e-0idr7d@rts-flowmailer.siemens.com designates 185.136.64.226 as permitted sender) smtp.mailfrom=fm-1212295-20250519115813d3ffc491885eb7773e-0IDr7D@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1747655898; x=1748260698; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:feedback-id :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=yrHwf/WtHuEawDw9J44kw13IVJZb9iXLIfQGlJPI4k8=; b=Xor5jM/fMWQRBLuZb4CYQoet2q6QspbWiCAbApwESplyqazPvYY/MWa4ThuPKXPTrb x1Wi2o9pQMDRd6bI6fsVT+xSjr2DQCXz0Q9wF2VmTD8tWydzHxtkRu4Sp+DO+axZMClB Zf55UBFqlz/nBsX3mjVEb5bs1mdDng18t5cGmk+gEJ6oQbebbRIROlO91mGZ4O4PMqg3 PUzcB151+BX+vSdtxVQVCpCg4yF3uSRzJyfSjflODr2EmCbr790Xsy9tyddtLbiTNc4E +cOdAvWAtyugHaptl7kvsDkGQ8jp1ML1Sv4DYAgWz5K/TMvZt7btAS7061ZcXzGThC5F hPSw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1747655898; x=1748260698; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:feedback-id :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:x-beenthere:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=yrHwf/WtHuEawDw9J44kw13IVJZb9iXLIfQGlJPI4k8=; b=KE4X+PF3kYf0ZoswrXAGNZsMukZjOMXFhyNKNulOcga7YsV0nMLAvDOFwfVHy/qxk2 h47oi7t83PMLfn6GyBaUFjS2xFJaANTsctDab3V3VtwRWmLJc5Re9qAKmpFru2X7/0aN DLJB9P3WVNkSzEuoV5m3PayX9NN4hGQdGbqTHymOkE/R/XGr8iaeP5fzgJt/sgInGsiI ObNkoAk9Yx1U0iXcwHIVurwBv+R2jDGZf6F9j7UPuh6GiySxE8sPNrltS/YvRA8yydoq XbgmdEGT4Ue0llawoyAXIBu65nqiv52qd7VleyvXB73rY+/7vEUQWM092FHqtYy/i28H bRxA== X-Forwarded-Encrypted: i=2; AJvYcCW/+eSclryv1LSAwgsIDZKLjFJKvjp+Y8kE6VIAewkty/08NJJ/gH4Yimjr5JXiLUHLx2LZ@ilbers.de X-Gm-Message-State: AOJu0YwiLTTjdHRqP22r/4ulHWBIZM8Zyy0IKzblTU0Zau0wvfkzZntx rGh9G/5Uzkr2O54Aabx1eyVFFAI8qB4lnAbIjU6yGB0vupmHW4Nul/iz X-Google-Smtp-Source: AGHT+IHUw5v7AyFjyi5Yep1Zvrb48USsFtqFyV+eVZ5nQ5OySTkrGsWMq/LFcnIm1pwppMXWgHbupg== X-Received: by 2002:a05:600c:4f8e:b0:442:fac9:5e2f with SMTP id 5b1f17b1804b1-442fd60e7c3mr42044035e9.2.1747655897096; Mon, 19 May 2025 04:58:17 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com; h=AVT/gBHzziOtJEX+H4eD8+DW7a0BoBrnFsJAbdfseM5jahC4IQ== Received: by 2002:a05:600c:3d0b:b0:43b:c5a5:513c with SMTP id 5b1f17b1804b1-442f8782f41ls1496185e9.1.-pod-prod-02-eu; Mon, 19 May 2025 04:58:14 -0700 (PDT) X-Received: by 2002:a05:600c:64cf:b0:442:e9eb:cba2 with SMTP id 5b1f17b1804b1-442fd5a1054mr137531295e9.0.1747655894412; Mon, 19 May 2025 04:58:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1747655894; cv=none; d=google.com; s=arc-20240605; b=QKCaG9Il58/ylSBG50fhY5grN7Vyo2xGhitDhthRLHVbNfgpoBUiK0tAYmraM2MORr n8qGouFb0cM7BvMOdGR4z+IEP/y/XANEzmJ2PIyz1OpfGyiTdEgHTpQx/SnBCW5cfOGt YBmczCXEz+MKZ1hivI0ih3tOSUDcl8E0bIa1NXgDgTNtRkm5N1OG0DdK9KoCVeiqs7d+ Y1UwJgrmcYPt3MWGyjc0MPYaxQLTFrlRm6JsGZNAD3H5iRQVC17iRKmHwBURRBYwnke/ a+77trhpim5iZZ1/e3Q7zC//07NebPfD32XR1hRN5NjCS6hft9yJWynPR8Zbyj0E1XV5 g1oA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=feedback-id:content-transfer-encoding:mime-version:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature; bh=Rxqy/i9jmF3n8GI1f+kCRds2Kzmz6AV6tgyliaVoNgY=; fh=D/q4xMKxZDyLo2GtmwQ/2prSr9aCFD3HVqTCj43epLY=; b=PtRm6I+UYES+zvSktYRghYs05N7F7ccPGILNuWFy6tyFODy65zTW3JB0Ncqr8exdch KwbdHSVAts8HXXSl2CXEef8N7H/AY9rSnnMxZwmYpz7nsFlOFkp1q65JXvUXZN8DuGup uE50mlwQrsf4mrSlyrcd3wBtkuWawaEMfYnarKtGPI5ptQNtmUrAASJThW4u86HicImm dMr2GpkCfwpUBH4sxoxr0Vd8UAe6/QHUXPSQaAYNZ1gJQSdOEo2sQbl/5vNBm/vnT12U qbstuyDC0MfIkgwfUy7HivBqEmnC7SMapYR+jXZRbIElBDhvcJOAz/Wx7wg911ulHQ31 N6Sw==; dara=google.com ARC-Authentication-Results: i=1; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm1 header.b=CBeJZ9fo; spf=pass (google.com: domain of fm-1212295-20250519115813d3ffc491885eb7773e-0idr7d@rts-flowmailer.siemens.com designates 185.136.64.226 as permitted sender) smtp.mailfrom=fm-1212295-20250519115813d3ffc491885eb7773e-0IDr7D@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from mta-64-226.siemens.flowmailer.net (mta-64-226.siemens.flowmailer.net. [185.136.64.226]) by gmr-mx.google.com with ESMTPS id 5b1f17b1804b1-442fb685038si2353755e9.0.2025.05.19.04.58.14 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 19 May 2025 04:58:14 -0700 (PDT) Received-SPF: pass (google.com: domain of fm-1212295-20250519115813d3ffc491885eb7773e-0idr7d@rts-flowmailer.siemens.com designates 185.136.64.226 as permitted sender) client-ip=185.136.64.226; Received: by mta-64-226.siemens.flowmailer.net with ESMTPSA id 20250519115813d3ffc491885eb7773e for ; Mon, 19 May 2025 13:58:13 +0200 From: "'Cedric Hombourger' via isar-users" To: isar-users@googlegroups.com Cc: felix.moessbauer@siemens.com, Cedric Hombourger Subject: [PATCH 1/4] rootfs: introduce wrapper to run commands against a rootfs Date: Mon, 19 May 2025 13:57:47 +0200 Message-Id: <20250519115750.3195300-2-cedric.hombourger@siemens.com> In-Reply-To: <20250519115750.3195300-1-cedric.hombourger@siemens.com> References: <20250515150727.1764989-2-cedric.hombourger@siemens.com> <20250519115750.3195300-1-cedric.hombourger@siemens.com> MIME-Version: 1.0 X-Flowmailer-Platform: Siemens Feedback-ID: 519:519-1212295:519-21489:flowmailer X-Original-Sender: cedric.hombourger@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=fm1 header.b=CBeJZ9fo; spf=pass (google.com: domain of fm-1212295-20250519115813d3ffc491885eb7773e-0idr7d@rts-flowmailer.siemens.com designates 185.136.64.226 as permitted sender) smtp.mailfrom=fm-1212295-20250519115813d3ffc491885eb7773e-0IDr7D@rts-flowmailer.siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Cedric Hombourger Reply-To: Cedric Hombourger Content-Type: text/plain; charset="UTF-8" Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: MrjLaKSYsBM0 "sudo chroot" is used in several places to run commands inside rootfs directories constructed by Isar. There are cases where a command could be used without elevated privileges as long as special folders such as /isar-apt are mounted (they are often referenced as /isar-apt in configuration files found in the target rootfs). For such cases, bubblewrap may be used to create a non-privileged namespace (either in a bare/native environment or within a docker/podman container) where the command will be executed as if chroot had been used. The rootfs may also be the host root file-system: this should however be used with care to avoid host contamination problems (note: Isar already relies on a number of host tools). Signed-off-by: Cedric Hombourger --- RECIPE-API-CHANGELOG.md | 6 ++++ doc/user_manual.md | 1 + meta/classes/rootfs.bbclass | 66 +++++++++++++++++++++++++++++++++++++ 3 files changed, 73 insertions(+) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index a4cf1338..725737b2 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -722,3 +722,9 @@ Optional fields of the isar-apt repo can be controlled by adding to the Changes in next --------------- + +### Require bubblewrap to run non-privileged commands with bind-mounts + +Isar occasionally needs to run commands within root file-systems that it +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be +used in Isar classes instead of `sudo chroot`. diff --git a/doc/user_manual.md b/doc/user_manual.md index 0dc317c3..3cf1a9aa 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -75,6 +75,7 @@ Install the following packages: ``` apt install \ binfmt-support \ + bubblewrap \ bzip2 \ mmdebstrap \ arch-test \ diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 5f877962..5b96b414 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -34,6 +34,72 @@ export LANG = "C" export LANGUAGE = "C" export LC_ALL = "C" +# Execute a command against a rootfs and with isar-apt bind-mounted. +# Additional mounts may be specified using --bind and a +# custom directory for the command to be executed with --chdir . The +# command is assumed to follow the special "--" argument. This would replace +# "sudo chroot" calls especially when a native command may be used instead of +# chroot'ed command and without elevated privileges (the command will likely +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). If the +# optional rootfs argument is omitted, the host rootfs will be used (e.g. to +# run native commands): this should be used with care. +# +# Usage: rootfs_cmd [options] [rootfs] -- command +# +rootfs_cmd() { + set -- "$@" + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" + rootfs="" + + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do + case "${1}" in + --bind) + if [ "${#}" -lt "3" ]; then + bbfatal "--bind requires two arguments" + fi + bwrap_args="${bwrap_args} --bind ${2} ${3}" + shift 3 + ;; + --chdir) + if [ "${#}" -lt "2" ]; then + bbfatal "${1} requires an argument" + fi + bwrap_args="${bwrap_args} ${1} ${2}" + shift 2 + ;; + -*) + bbfatal "${1} is not a supported option!" + ;; + *) + if [ -z "${rootfs}" ]; then + rootfs="${1}" + shift + else + bbfatal "unexpected argument '${1}'" + fi + ;; + esac + done + + if [ -n "${rootfs}" ]; then + bwrap_args="${bwrap_args} --bind ${rootfs} ${rootfs}" + fi + + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then + bbfatal "no command specified (missing --)" + fi + shift # remove "--", command and its arguments follows + + for ro_d in bin etc lib lib64 sys usr var; do + [ -d ${rootfs}/${ro_d} ] || continue + bwrap_args="${bwrap_args} --ro-bind ${rootfs}/${ro_d} /${ro_d}" + done + + bwrap --unshare-user --unshare-pid ${bwrap_args} \ + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ + -- "${@}" +} + rootfs_do_mounts[weight] = "3" rootfs_do_mounts() { sudo -s <<'EOSUDO' -- 2.39.5 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250519115750.3195300-2-cedric.hombourger%40siemens.com.