From: "'Felix Moessbauer' via isar-users"
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [RFC v2 00/20] add support to build isar unprivileged
Date: Fri, 20 Feb 2026 18:15:42 +0100
Message-ID: <20260220171601.3845113-1-felix.moessbauer@siemens.com>
X-Mailer: git-send-email 2.51.0

Dear isar-users,

currently isar requires password-less sudo and an environment where
mounting file systems is possible. This has proven problematic for
security reasons, both when running in a privileged container and
locally. To solve this, we implement fully rootless builds that rely on
the unshare syscall which allows us to avoid sudo and instead operate in
temporary kernel namespaces as a user that is just privileged within
that namespace.

This comes with some challenges regarding the handling of mounts (they
are cleared when leaving the namespace), as well as cross namespace
deployments (the outer user might not be able to access the inner data).
For that, we rework the handling of mounts and artifact passing to make
it compatible with both chroot modes (schroot and unshare).

The patches 1-10 align the file permissions of deployments and artifacts
to avoid the use of chown (which will not work anymore across uid
boundaries). In addition, helpers are introduced to perform privileged
operations, which simplifies the migration of existing layers.

The patches 11 and 12 introduce the unshare mode, which can be executed
as a normal user and does not require root. To enable this mode, set
ISAR_ROOTLESS = "1".

While the series is by far not complete yet, it already passes the
DevTest CI. Known issues are currently:

- no support for VM and container images
- unprivileged cleanup of the build/tmp dir is non-trivial
- sporadic issues on partial rebuilds on rootfs_install_sstate_finalize
- interfaces between kas and isar need to be defined

Note that this series can be tested on a custom kas-container build
provided in [1]. Hints on how to migrate downstream layers are provided
in the API changelog.

Changes since RFC 1:

- switch build_type to isar-rootless in isar.yaml
  (Note: switch back if testing locally in an unprepared kas container)
- complete overhaul of the mounting in unshared namespaces
- fixes the systemd presetting
- fixes hangs when pulling from snapshot mirrors
- rename the run_privileged_here to run_privileged_heredoc to clarify
  its intention
- add support for
  - dpkg-source with do_fetch_common_source
  - vm images
  - container images
  - discoverable disk images
- add helper script to clean build dir in unprivileged mode
- reduce clutter we leave after finishing a build
- fix issues when running in a privileged environment without sub user ids
- bugfixes

Still missing is the support for the devshell. Further, the rootless
build dir must not reside in a git worktree (a normal git dir is fine).
This is probably a bug in combination with kas-container.

[1] https://groups.google.com/g/kas-devel/c/NWQFCU2aUHg

Best regards,
Felix Moessbauer
Siemens AG

Felix Moessbauer (19):
  refactor bootstrap: store rootfs tar with user permissions
  deb-dl-dir: export without root privileges
  download debs without locking
  introduce wrappers for privileged execution
  bootstrap: move cleanup trap to function
  rootfs: rework sstate caching of rootfs artifact
  rootfs_generate_initramfs: rework deployment to avoid chowning
  wic: rework image deploy logic to deploy under correct user
  use bitbake function to generate mounting scripts
  apt-fetcher: prepare for chroot specific fetching
  add support for fully rootless builds
  add helper script to clean artifacts in build dir
  apt-fetcher: implement support for unshare backend
  vm images: make compatible with rootless build
  ddi image: convert to two stage deploy
  container images: make compatible with rootless build
  dpkg-source: implement multiarch support for unshare backend
  rootfs: remove temporary sstate deploy directory after task execution
  use copy of sbom-chroot for sbom creation

 Kconfig                                       |   2 +-
 RECIPE-API-CHANGELOG.md                       |  58 +++++
 doc/user_manual.md                            |   2 +
 kas/isar.yaml                                 |   2 +-
 meta/classes-global/base.bbclass              | 132 +++++++++++
 meta/classes-recipe/deb-dl-dir.bbclass        |  20 +-
 meta/classes-recipe/dpkg-base.bbclass         |  20 +-
 meta/classes-recipe/dpkg-source.bbclass       |  42 +++-
 meta/classes-recipe/dpkg.bbclass              |  16 +-
 .../image-account-extension.bbclass           |   4 +-
 .../image-locales-extension.bbclass           |  13 +-
 .../image-postproc-extension.bbclass          |  30 +--
 .../image-tools-extension.bbclass             |  96 +++++++-
 meta/classes-recipe/image.bbclass             |  24 +-
 meta/classes-recipe/imagetypes.bbclass        |  47 ++--
 .../imagetypes_container.bbclass              |  37 ++--
 meta/classes-recipe/imagetypes_ddi.bbclass    |   8 +-
 meta/classes-recipe/imagetypes_vm.bbclass     |  29 ++-
 meta/classes-recipe/imagetypes_wic.bbclass    |  12 +-
 meta/classes-recipe/rootfs.bbclass            | 205 +++++++++---------
 meta/classes-recipe/sbuild.bbclass            |  36 ++-
 meta/classes-recipe/sdk.bbclass               |  22 +-
 meta/classes-recipe/squashfs.bbclass          |   2 +-
 meta/classes/sbom.bbclass                     |  29 ++-
 meta/conf/bitbake.conf                        |   7 +-
 meta/lib/aptsrc_fetcher.py                    |  90 +++++++-
 .../isar-mmdebstrap/isar-mmdebstrap.inc       |  47 ++--
 .../sbom-chroot/sbom-chroot.bb                |  11 +-
 .../sbuild-chroot/sbuild-chroot.inc           |  24 +-
 scripts/isar-clean-builddir                   |  73 +++++++
 .../unittests/test_image_account_extension.py |   9 +-
 31 files changed, 886 insertions(+), 263 deletions(-)
 create mode 100755 scripts/isar-clean-builddir

-- 
2.51.0
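
The uid boundary mentioned in the cover letter (chown no longer working across it, the outer user possibly unable to access inner data) follows from the uid map of the user namespace. The added example below, which is not part of the patch series or of Isar, translates inner uids to outer uids from a map in the kernel's `/proc/<pid>/uid_map` format ("inner outer count" per line); the map values, the builder uid 1000 and the file list are constructed for illustration.

```python
"""Added illustration (not Isar code): uid translation across a user namespace."""
from typing import NamedTuple, Optional


class IdExtent(NamedTuple):
    inner: int  # first id as seen inside the namespace
    outer: int  # first id as seen outside the namespace
    count: int  # number of consecutive ids covered


def parse_id_map(text: str) -> list[IdExtent]:
    """Parse the 'inner outer count' lines of a /proc/<pid>/uid_map file."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        extents.append(IdExtent(*(int(f) for f in fields)))
    return extents


def to_outer(extents: list[IdExtent], inner_id: int) -> Optional[int]:
    """Outer uid backing an inner uid, or None if the map has no slot for it."""
    for e in extents:
        if e.inner <= inner_id < e.inner + e.count:
            return e.outer + (inner_id - e.inner)
    return None


def classify(extents, files, builder_uid):
    """Describe how each (path, inner_uid) looks to the user outside."""
    result = {}
    for path, inner_uid in files:
        outer = to_outer(extents, inner_uid)
        if outer is None:
            result[path] = "unmappable"     # uid cannot exist in this namespace
        elif outer == builder_uid:
            result[path] = "builder-owned"  # same uid as the outer user
        else:
            result[path] = "subuid-owned"   # foreign uid outside the namespace
    return result


# Constructed sample: builder uid 1000 with sub-uid range 100000:65536.
WITH_SUBUIDS = parse_id_map("0 1000 1\n1 100000 65536\n")
# Constructed sample: environment without sub user ids, only root is mapped.
ROOT_ONLY = parse_id_map("0 1000 1\n")

# Constructed file list: (path, owner uid inside the namespace).
FILES = [("rootfs.tar", 0), ("rootfs/var/cache/man", 6), ("rootfs/home/user", 1000)]

if __name__ == "__main__":
    for name, extents in (("with subuids", WITH_SUBUIDS), ("root only", ROOT_ONLY)):
        print(name)
        for path, status in classify(extents, FILES, builder_uid=1000).items():
            print(f"  {path}: {status}")
```

With the constructed map, only files owned by inner uid 0 map back to the builder; everything else belongs to sub-uids that the unprivileged outer user cannot chown.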