From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <isar-users+bncBDB6LLF7YUBRBSEIZPBAMGQEVGJBDXY@googlegroups.com>
Received: from shymkent.ilbers.de ([unix socket])
	 by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA;
	 Wed, 18 Jun 2025 15:51:12 +0200
X-Sieve: CMU Sieve 2.4
Received: from mail-pl1-f185.google.com (mail-pl1-f185.google.com [209.85.214.185])
	by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 55IDpA4a003047
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
	for <iupi@ilbers.de>; Wed, 18 Jun 2025 15:51:11 +0200
Received: by mail-pl1-f185.google.com with SMTP id d9443c01a7336-234a102faa3sf47755145ad.0
        for <iupi@ilbers.de>; Wed, 18 Jun 2025 06:51:11 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1750254665; cv=pass;
        d=google.com; s=arc-20240605;
        b=Boas7LL+wPKciQmEe7Gj1QwaXqbfPUGi9brH52/pslIM4MCl4d8JWPUXZxHWcwnQkS
         Iy9839ASh7vIVashQ1UdpEWHnt8v9girTAhRym4quzqA6pjNNc3B90ZIWG4C/w3U1+PA
         vKTKGg4y8wjJv8pi33nIRRLH5Cl0pkneVUEypTV66+f/a2OfMTXUXHafm3f9o0lCcbLV
         zi5acK0W+oeOIJw7d9LQ7Q1YqmmM8fWQCTzTRo3HsUhxQbnseGCikgLeTXdSTPYuZ3Ow
         GpOOoCMhKzZ/M/jVBDnWbQkfuYoWxqI5UmHa22ch52+/uIOzGR+jmaX/cTuo2kMGoLnS
         68pw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to:feedback-id:mime-version
         :references:in-reply-to:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=+VsEysiMzKBMkFYNGvO+rJrdg+EnXZUi5nGPHSSc+fQ=;
        fh=YixRPu0hEV+GqhFYue9MxzZ0J2eezNuusZWRNLVbotU=;
        b=g6HvrZm+x6HbEJIxF29qkxoWShhi+kfi9++bHdPpx44lRK6cP6P25zTsOHFWfJ6XJy
         j0eErmZeAIrTt+awoEGts5lUzWczs2JqCtIGjOlwzupZ4epaFZ3F3EkQ6bWlNN03FGAe
         Bt5YgBvAjGaWx7ybAIApvLAJ6pzkZjJStH76W79c3IUMnMLv58rsIR8XluACKjBLogCO
         2mFujUhOXNkxjiHGj5NLLN4Al4gTiOFMtnp2CVP8hp06BE3wgxWXXLRckKB+iPrSnXFK
         x08LPy2764N58HePw6nJ4S6RfRfsmDzyO/52E3hExjXtQSDK7f1QvQjPHvJv7nrV5zWi
         msKw==;
        darn=ilbers.de
ARC-Authentication-Results: i=2; gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=fm2 header.b=GA9okGAO;
       spf=pass (google.com: domain of fm-1212295-20250618135100d159b0e947301a89e4-_qrsou@rts-flowmailer.siemens.com designates 185.136.64.225 as permitted sender) smtp.mailfrom=fm-1212295-20250618135100d159b0e947301a89e4-_qrSoU@rts-flowmailer.siemens.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=googlegroups.com; s=20230601; t=1750254665; x=1750859465; darn=ilbers.de;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :list-id:mailing-list:precedence:reply-to
         :x-original-authentication-results:x-original-sender:feedback-id
         :mime-version:references:in-reply-to:message-id:date:subject:cc:to
         :from:from:to:cc:subject:date:message-id:reply-to;
        bh=+VsEysiMzKBMkFYNGvO+rJrdg+EnXZUi5nGPHSSc+fQ=;
        b=X8KyBKIpM7Nhc3XI4TVpOhplUS0Lj9MiPIT1n/S1lS4yider5VCVpTse8YX+N05cbu
         6c6/JhxIZKDQ7PFDuDhrZ24k4apwacebOAfqQzU4Uhn7CXMZrp8fBtCRGIIWiBWzmEkC
         9qVK9fJ0MF13QWMj7Eh2mTtYkytfaFRsW+LXzGCJW+14IUdi0xvs7t+lvqVSdvl9lJwP
         E9gJHPjhCY0YmMpHcqNU4bOBEE1+tAf7NaJmxUVqoRcXYQvOBnxWohQMHu2n/88IYqbq
         uM0aKykziH2EKAytG9695CTL74Z2oG3NUF3QFM28RcCImva4/xBUhjnqJD6qKwL1JscD
         HR1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1750254665; x=1750859465;
        h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post
         :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to
         :x-original-authentication-results:x-original-sender:feedback-id
         :mime-version:references:in-reply-to:message-id:date:subject:cc:to
         :from:x-beenthere:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=+VsEysiMzKBMkFYNGvO+rJrdg+EnXZUi5nGPHSSc+fQ=;
        b=uJ/Sg7tn9U/EoUlIexf7UNYEz+80ijHNLjzDcRY8nR+eCqFQpozwZPUp7zqIcWROZv
         BAViRgGkfsvGn/FGPjZG4Pd85pk5I20koBgHr56Dwu5Uf32lIZdDVnGsmr2iah0H8SX4
         gES0yK1SYWl3KPINbHBv5ZJJkHUB8eZXT2QiauSUVYa/viGRSd4OjYpnk7d9N7NH19RR
         LzRumNvgqoh+rQREd2qAhFvqm4+ij6dJcceSGPUHU92AxGRYMLswWBiK3YTW4LPK2zNJ
         OXK4pGaJVgNmwccNtqdOcnCYMBx+O19G5xhDCkJT51ZNyGrmRBYar6VX/apjzzmyclsm
         d+Tg==
X-Forwarded-Encrypted: i=2; AJvYcCWLWPEWK3lRUqZkLzwVlsV5/UQV9Po1+fcndWfdY4/ouJ2q49upmPyOQlimjIbNlOPBZmOe@ilbers.de
X-Gm-Message-State: AOJu0Yzfpctofy3ZorYeYqf9q+qu1XeBk0ZXI8eFROPxGA4VWgb/LSOu
	uxlNjmL6MkrsrjpsnUimmCl4X3CYf6b6fRTaljTvJBxgGx1k1RtB1k/c
X-Google-Smtp-Source: AGHT+IGzu56Nq+7hgJdTLo3Rhx4F8uN5LAg6wPjYne1mJQVwCsB7BUglpvxKhkscMWjG5bdIIZEqww==
X-Received: by 2002:a17:903:1b05:b0:234:c549:da13 with SMTP id d9443c01a7336-2366afe7d87mr233952135ad.17.1750254664594;
        Wed, 18 Jun 2025 06:51:04 -0700 (PDT)
X-BeenThere: isar-users@googlegroups.com; h=AZMbMZdCjPPqoOKL1DQ+bbf9bGS55dD894fTTsAPjgQaiPoEeg==
Received: by 2002:a17:902:704c:b0:234:f1c0:68d1 with SMTP id
 d9443c01a7336-2364dccd98cls41533315ad.0.-pod-prod-02-us; Wed, 18 Jun 2025
 06:51:03 -0700 (PDT)
X-Received: by 2002:a17:902:ce85:b0:234:d679:72e3 with SMTP id d9443c01a7336-2366b13ae36mr240408685ad.42.1750254663082;
        Wed, 18 Jun 2025 06:51:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1750254663; cv=none;
        d=google.com; s=arc-20240605;
        b=fhHkAF5oX4v8qoNGtl3JFLA8gElmvxyxAJg8CNBkfQ1V1ktPD5q8fyixGprQY1QAVm
         ubRgI00P7hJEj+hUYZic7hBkHpNF5EvDwye+OOV+Not1FarhYLMEkYoDov3grXu4sQ+w
         C9tGqlyem8eo1MWOsxkQ2am70uN9WC/c7KtfqRSi9ujVHtE0ZhIj9gEPTWpEPLbNdRsV
         JzIuPL6uiTVxu4w+s82jqB4kceWHoG45ZEsGBRG/Rv2VQOUFuzyaSg6AaEz5wpq57gcu
         3mkznh0niNCVvgmq2Mk3RZGjaa4DiLi2bIwqU5biyL0lIfd+4VH2DWcDoPDZhsZck2yj
         rIVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605;
        h=feedback-id:content-transfer-encoding:mime-version:references
         :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature;
        bh=czJa24/GpZZPDbs1rg0Dyib0+ZINGv+BygsccGmEVzU=;
        fh=D/q4xMKxZDyLo2GtmwQ/2prSr9aCFD3HVqTCj43epLY=;
        b=df2bnx94PnihgHW1cgj/LD8j/2fHeuQpy67WWwRxRcCMqbIVsKbtAt9RKjupDn/j8P
         /4pnT6aCns7OzBuPKloNF+Xw8mSPHYiHvb3YvrAgXqrE+PSOcyEkb7jO+9lG8TsUa+2L
         UaiFLD2mDszxNqnxqaV1tsqL5VcNiTQqyihLQqe0bbGyiutPp+0s30AjzquEze6w9sqD
         cHsTEQGwC3Sb2UnDwSBjbhniYB0qpiwKIbHEPg+Kw0FyB7MQ/RM2Qc47ru3VtqrnmR1X
         DnPoSPgsQusoQnUHyX7fSh92Ung+58/ORQBlAfhsHbA9Ze4jaPooHGGt6E5Ve/9JINV0
         F0iQ==;
        dara=google.com
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       dkim=pass header.i=@siemens.com header.s=fm2 header.b=GA9okGAO;
       spf=pass (google.com: domain of fm-1212295-20250618135100d159b0e947301a89e4-_qrsou@rts-flowmailer.siemens.com designates 185.136.64.225 as permitted sender) smtp.mailfrom=fm-1212295-20250618135100d159b0e947301a89e4-_qrSoU@rts-flowmailer.siemens.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
Received: from mta-64-225.siemens.flowmailer.net (mta-64-225.siemens.flowmailer.net. [185.136.64.225])
        by gmr-mx.google.com with ESMTPS id d9443c01a7336-2365de40d74si4604155ad.8.2025.06.18.06.51.02
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 18 Jun 2025 06:51:03 -0700 (PDT)
Received-SPF: pass (google.com: domain of fm-1212295-20250618135100d159b0e947301a89e4-_qrsou@rts-flowmailer.siemens.com designates 185.136.64.225 as permitted sender) client-ip=185.136.64.225;
Received: by mta-64-225.siemens.flowmailer.net with ESMTPSA id 20250618135100d159b0e947301a89e4
        for <isar-users@googlegroups.com>;
        Wed, 18 Jun 2025 15:51:00 +0200
From: "'Cedric Hombourger' via isar-users" <isar-users@googlegroups.com>
To: isar-users@googlegroups.com
Cc: felix.moessbauer@siemens.com,
        Cedric Hombourger <cedric.hombourger@siemens.com>
Subject: [PATCH v2 1/4] rootfs: introduce wrapper to run commands against a rootfs
Date: Wed, 18 Jun 2025 15:50:37 +0200
Message-Id: <20250618135040.8252-2-cedric.hombourger@siemens.com>
In-Reply-To: <20250618135040.8252-1-cedric.hombourger@siemens.com>
References: <20250519115750.3195300-1-cedric.hombourger@siemens.com>
 <20250618135040.8252-1-cedric.hombourger@siemens.com>
MIME-Version: 1.0
X-Flowmailer-Platform: Siemens
Feedback-ID: 519:519-1212295:519-21489:flowmailer
X-Original-Sender: cedric.hombourger@siemens.com
X-Original-Authentication-Results: gmr-mx.google.com;       dkim=pass
 header.i=@siemens.com header.s=fm2 header.b=GA9okGAO;       spf=pass
 (google.com: domain of fm-1212295-20250618135100d159b0e947301a89e4-_qrsou@rts-flowmailer.siemens.com
 designates 185.136.64.225 as permitted sender) smtp.mailfrom=fm-1212295-20250618135100d159b0e947301a89e4-_qrSoU@rts-flowmailer.siemens.com;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com
X-Original-From: Cedric Hombourger <cedric.hombourger@siemens.com>
Reply-To: Cedric Hombourger <cedric.hombourger@siemens.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: list
Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com
List-ID: <isar-users.googlegroups.com>
X-Spam-Checked-In-Group: isar-users@googlegroups.com
X-Google-Group-Id: 914930254986
List-Post: <https://groups.google.com/group/isar-users/post>, <mailto:isar-users@googlegroups.com>
List-Help: <https://groups.google.com/support/>, <mailto:isar-users+help@googlegroups.com>
List-Archive: <https://groups.google.com/group/isar-users
List-Subscribe: <https://groups.google.com/group/isar-users/subscribe>, <mailto:isar-users+subscribe@googlegroups.com>
List-Unsubscribe: <mailto:googlegroups-manage+914930254986+unsubscribe@googlegroups.com>,
 <https://groups.google.com/group/isar-users/subscribe>
X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,
	RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS
	autolearn=unavailable autolearn_force=no version=3.4.2
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de
X-TUID: DH8Jv9UPBmcT

"sudo chroot" is used in several places to run commands inside rootfs
directories constructed by Isar. There are cases where a command could
be used without elevated privileges as long as special folders such as
/isar-apt are mounted (they are often referenced as /isar-apt in
configuration files found in the target rootfs). For such cases,
bubblewrap may be used to create a non-privileged namespace (either
in a bare/native environment or within a docker/podman container)
where the command will be executed as if chroot had been used. The
rootfs may also be the host root file-system: this should however
be used with care to avoid host contamination problems (note: Isar
already relies on a number of host tools).

Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
---
 RECIPE-API-CHANGELOG.md     |  7 ++++
 doc/user_manual.md          |  1 +
 meta/classes/rootfs.bbclass | 66 +++++++++++++++++++++++++++++++++++++
 3 files changed, 74 insertions(+)

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 8468717d..18b90555 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -727,3 +727,10 @@ Changes in next
 
 This was never documented and never had practical relevance. `oci-archive` is
 the useful OCI image format that can be imported, e.g., by podman.
+
+### Require bubblewrap to run non-privileged commands with bind-mounts
+
+Isar occasionally needs to run commands within root file-systems that it
+builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be
+used in Isar classes instead of `sudo chroot`. It is pre-installed in
+kas-container version 4.8 (or later).
diff --git a/doc/user_manual.md b/doc/user_manual.md
index ca551a0d..a4fff34a 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -75,6 +75,7 @@ Install the following packages:
 ```
 apt install \
   binfmt-support \
+  bubblewrap \
   bzip2 \
   mmdebstrap \
   arch-test \
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 5f877962..f0c172b8 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -34,6 +34,72 @@ export LANG = "C"
 export LANGUAGE = "C"
 export LC_ALL = "C"
 
+# Execute a command against a rootfs and with isar-apt bind-mounted.
+# Additional mounts may be specified using --bind <source> <target> and a
+# custom directory for the command to be executed with --chdir <dir>. The
+# command is assumed to follow the special "--" argument. This would replace
+# "sudo chroot" calls especially when a native command may be used instead of
+# chroot'ed command and without elevated privileges (the command will likely
+# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). If the
+# optional rootfs argument is omitted, the host rootfs will be used (e.g. to
+# run native commands): this should be used with care.
+#
+# Usage: rootfs_cmd [options] [rootfs] -- command
+#
+rootfs_cmd() {
+    set -- "$@"
+    bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt"
+    bwrap_rootfs=""
+
+    while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do
+        case "${1}" in
+            --bind)
+                if [ "${#}" -lt "3" ]; then
+                    bbfatal "--bind requires two arguments"
+                fi
+                bwrap_args="${bwrap_args} --bind ${2} ${3}"
+                shift 3
+                ;;
+            --chdir)
+                if [ "${#}" -lt "2" ]; then
+                    bbfatal "${1} requires an argument"
+                fi
+                bwrap_args="${bwrap_args} ${1} ${2}"
+                shift 2
+                ;;
+            -*)
+                bbfatal "${1} is not a supported option!"
+                ;;
+            *)
+                if [ -z "${bwrap_rootfs}" ]; then
+                    bwrap_rootfs="${1}"
+                    shift
+                else
+                    bbfatal "unexpected argument '${1}'"
+                fi
+                ;;
+        esac
+    done
+
+    if [ -n "${bwrap_rootfs}" ]; then
+        bwrap_args="${bwrap_args} --bind ${bwrap_rootfs} /"
+    fi
+
+    if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then
+        bbfatal "no command specified (missing --)"
+    fi
+    shift  # remove "--", command and its arguments follows
+
+    for ro_d in bin etc lib lib64 sys usr var; do
+        [ -d ${bwrap_rootfs}/${ro_d} ] || continue
+        bwrap_args="${bwrap_args} --ro-bind ${bwrap_rootfs}/${ro_d} /${ro_d}"
+    done
+
+    bwrap --unshare-user --unshare-pid ${bwrap_args} \
+        --dev-bind /dev /dev --proc /proc --tmpfs /tmp \
+        -- "${@}"
+}
+
 rootfs_do_mounts[weight] = "3"
 rootfs_do_mounts() {
     sudo -s <<'EOSUDO'
-- 
2.39.5

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250618135040.8252-2-cedric.hombourger%40siemens.com.