From: "'Cedric Hombourger' via isar-users"
To: isar-users@googlegroups.com
Cc: felix.moessbauer@siemens.com, Cedric Hombourger
Subject: [PATCH v3 1/6] rootfs: introduce wrapper to run commands against a rootfs
Date: Thu, 26 Jun 2025 03:37:43 +0800
Message-Id: <20250625193748.2681-2-cedric.hombourger@siemens.com>
In-Reply-To: <20250625193748.2681-1-cedric.hombourger@siemens.com>
References: <20250625193748.2681-1-cedric.hombourger@siemens.com>

"sudo chroot" is used in several places to run commands inside rootfs directories constructed by Isar.
There are cases where a command could be used without elevated privileges as long as special folders such as /isar-apt are mounted (they are often referenced as /isar-apt in configuration files found in the target rootfs). For such cases, bubblewrap may be used to create a non-privileged namespace (either in a bare/native environment or within a docker/podman container) where the command will be executed as if chroot had been used. The rootfs may also be the host root file-system: this should however be used with care to avoid host contamination problems (note: Isar already relies on a number of host tools). Signed-off-by: Cedric Hombourger --- RECIPE-API-CHANGELOG.md | 7 ++++ doc/user_manual.md | 1 + meta/classes/rootfs.bbclass | 67 +++++++++++++++++++++++++++++++++++++ 3 files changed, 75 insertions(+) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index 8468717d..18b90555 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -727,3 +727,10 @@ Changes in next This was never documented and never had practical relevance. `oci-archive` is the useful OCI image format that can be imported, e.g., by podman. + +### Require bubblewrap to run non-privileged commands with bind-mounts + +Isar occasionally needs to run commands within root file-systems that it +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap may be +used in Isar classes instead of `sudo chroot`. It is pre-installed in +kas-container version 4.8 (or later). diff --git a/doc/user_manual.md b/doc/user_manual.md index ca551a0d..a4fff34a 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -75,6 +75,7 @@ Install the following packages: ``` apt install \ binfmt-support \ + bubblewrap \ bzip2 \ mmdebstrap \ arch-test \ diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 5f877962..429494ae 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass 
@@ -34,6 +34,73 @@ export LANG = "C" export LANGUAGE = "C" export LC_ALL = "C" +# Execute a command against a rootfs and with isar-apt bind-mounted. +# Additional mounts may be specified using --bind and a +# custom directory for the command to be executed with --chdir . The +# command is assumed to follow the special "--" argument. This would replace +# "sudo chroot" calls especially when a native command may be used instead of +# chroot'ed command and without elevated privileges (the command will likely +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}). If the +# optional rootfs argument is omitted, the host rootfs will be used (e.g. to +# run native commands): this should be used with care. +# +# Usage: rootfs_cmd [options] [rootfs] -- command +# +rootfs_cmd() { + set -- "$@" + bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt" + bwrap_binds="" + bwrap_rootfs="" + + while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do + case "${1}" in + --bind) + if [ "${#}" -lt "3" ]; then + bbfatal "--bind requires two arguments" + fi + bwrap_binds="${bwrap_binds} --bind ${2} ${3}" + shift 3 + ;; + --chdir) + if [ "${#}" -lt "2" ]; then + bbfatal "${1} requires an argument" + fi + bwrap_args="${bwrap_args} ${1} ${2}" + shift 2 + ;; + -*) + bbfatal "${1} is not a supported option!" 
+ ;; + *) + if [ -z "${bwrap_rootfs}" ]; then + bwrap_rootfs="${1}" + shift + else + bbfatal "unexpected argument '${1}'" + fi + ;; + esac + done + + if [ -n "${bwrap_rootfs}" ]; then + bwrap_args="${bwrap_args} --bind ${bwrap_rootfs} /" + fi + + if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then + bbfatal "no command specified (missing --)" + fi + shift # remove "--", command and its arguments follows + + for ro_d in bin etc lib lib64 sys usr var; do + [ -d ${bwrap_rootfs}/${ro_d} ] || continue + bwrap_args="${bwrap_args} --ro-bind ${bwrap_rootfs}/${ro_d} /${ro_d}" + done + + bwrap --unshare-user --unshare-pid ${bwrap_args} \ + --dev-bind /dev /dev --proc /proc --tmpfs /tmp \ + ${bwrap_binds} -- "${@}" +} + rootfs_do_mounts[weight] = "3" rootfs_do_mounts() { sudo -s <<'EOSUDO' -- 2.39.5 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20250625193748.2681-2-cedric.hombourger%40siemens.com.
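Review bot: In the RECIPE-API-CHANGELOG.md entry, the heading says "Require bubblewrap" while the body says bubblewrap "may be used" in place of `sudo chroot`; the two should agree. If bubblewrap becomes a hard host dependency with this series, say so in the body, and note that users who do not build with kas-container 4.8 or later have to install it themselves.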
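Review bot: The doc/user_manual.md hunk adds bubblewrap to the package list but documents no host prerequisite, while rootfs_cmd() calls bwrap with `--unshare-user`, which only works where unprivileged user namespaces are permitted. Some hosts and container runtimes restrict them, so a sentence next to the install list naming that requirement, and how it applies to the docker/podman case the commit message mentions, would save users a failed build.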
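Review bot: In rootfs_cmd() in meta/classes/rootfs.bbclass, the /isar-apt bind is placed in bwrap_args before `--bind ${bwrap_rootfs} /` is appended, and bwrap applies mount options in command-line order, so when a rootfs is passed the later bind onto / looks like it will shadow the /isar-apt mount set up before it. Suggest emitting the rootfs bind first and adding the /isar-apt bind after it and after the --ro-bind loop, then checking that /isar-apt is visible inside the sandbox. Separately, bwrap_args and bwrap_binds are built by string concatenation and expanded unquoted, as is `[ -d ${bwrap_rootfs}/${ro_d} ]`, so a path containing whitespace or glob characters is split into extra bwrap arguments; quote the test and either document the restriction or reject such paths in the option parser. `--dev-bind /dev /dev` also exposes the whole host /dev to the command, where `--dev /dev` would provide a minimal one if that is enough for the intended callers.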