From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Fri, 20 Feb 2026 18:16:29 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-oa1-f55.google.com (mail-oa1-f55.google.com [209.85.160.55]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 61KHGRBK006032 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Fri, 20 Feb 2026 18:16:27 +0100 Received: by mail-oa1-f55.google.com with SMTP id 586e51a60fabf-40eb57139f3sf22386558fac.1 for ; Fri, 20 Feb 2026 09:16:27 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1771607781; cv=pass; d=google.com; s=arc-20240605; b=VoOhB4ZXrPwBNYUddNdQPR2+sxL519cb7MxSVwdZIengj0BeLiwl44uOvBQrIU4CBe /PG9tdgFrm8xNZ1m4ABtQwYMzmUTBAsDVZj7QkzKBxnFc5JWT7DWPxb2dXhY+d0skXBO aaEf7Bz61tofGJtcn8iUe5RPWgVpus5qZQ/wndae8GZr3lpZ/BpgNUg189Y3t5ezYVbJ J99MNZDndzeHxU5K3OVuG92YJxRSboa6fgPteVkpPDhQqbsRqyUl43Zp1e0RS5+FLyL5 DlCQ3JdivFZ2FdqPw/SYs5R/uYrVUQ13EYhleJvZdMAWtkaK1OowKVOJcFoy8+lSQlsP zRRQ== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:references :in-reply-to:message-id:date:subject:cc:to:from:dkim-signature; bh=+QgOm8RhoSmUPN5AzDqlOaYWugZF22bsY0b8Iogjgg4=; fh=5Q7haRfCGWaMY0wYSXcs4X3M7WS6UKVhjXZ4JsbUXUE=; b=dxUJpCCpd2I+etmKvlQpxAoaLYVPNMcw4hj/zrpkwP9prqT7swmi4RbUPuI7AUV2GL Mr10pRpXyJ7o77SpejG6Oit+ba1qaZjuFP7TGWG7zGeCNFvbb8hYOWRcj3AkxbfpypH7 KuryWPu+5Zg2n5VcuWVSRk88clSYwjT4ANn8o57uoOJVaTabD0IV8QsO4vw6KHSCrbHz lwGJPvn9QIXOV/a+UaicrQ35uQJzALWOkQK3wkkM6KEcTVl3QkBMND2NciRRUhZZdBUC OjJd0UFgpZcZPLWJlB93Jn3nBWH05LGgKXVKqPQ3Mb3v0V4J2kGq531sw+1lsDnaAFki b6FQ==; darn=ilbers.de ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b="Da3ri/fv"; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c20f::7 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1771607781; x=1772212581; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from:from:to :cc:subject:date:message-id:reply-to; bh=+QgOm8RhoSmUPN5AzDqlOaYWugZF22bsY0b8Iogjgg4=; b=umT//Zj4w3wVJ5Oh0XY6zZuPrMTquUBR6/mZCasOm1TnYDh9caApePaUyRO+vxPl/i +5o+3O60L9AcN8TiTiZxLFoMwST6icdDNRBsw2UWSRvYWPdhYsK9477xVawcVSGcakgQ sp6uasiEnEg8Kv2KPAZGnn/pxD7xVdlEiNKh48s4i7xFFwMXhiqziS+/4ULGLWTVgO5i z7HKRzCNCWZjDhpgqsIw87RruGDaSR81AtoFQanbfLCh2F2bTVJh+wMH/N1apr8EhSmB gIMHDZhFqDPFCcVh8+WH/ZciZ9gQUlUhdw9+DPOnSfAyDL46HAYHQn3xUxA5etlrYAPT caLw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771607781; x=1772212581; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :x-beenthere:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+QgOm8RhoSmUPN5AzDqlOaYWugZF22bsY0b8Iogjgg4=; b=DkxmUgwsHMdFJaMeOjBPxf9DPupw4E6E4uTFH5WsBmfYPl4EsxIW1R3nknqmWzmXzs xFyHywW2H0QqO/6TIrVS+0J6BhXGeCDb9kh5QaUP78zzu97VmKp3cSWziz+X9gWvFkqf FK/g45Zz0QY5orUyKSkM/XTbzVllDHSEocNCMwP7t4BdEVBt5S5Y7x7C0C9I58BRbuEY VGIJh8tR/O0L7LVh/bCPnlSAh8kUQEAvZNNtI19dWh/BU3mbT3YVA9Ech4oLdd90ZJse EEOs/lKFJWO0frwqNY63BYjRfATBBt66WrYQLV+oxNGu5J6Ry0tnwcraw7dVotaPffnp sc2Q== X-Forwarded-Encrypted: i=3; AJvYcCU1OUy3iFuKYAxfzp3zhRHUiTUVerN13ltWL3jqYXWG1rRow1guuNoIf3aJw8ZRa+nVie1f@ilbers.de X-Gm-Message-State: AOJu0YzE/XCqHmAcVmy4P5H+6xrOrepe21vd1tMzyXbq6f3gwgpHt5NE /uXP7nMwrEe+bq7FSTxwYXJ8NE4ebM3Cpy3GR9ESWc6XY/vdiIf58W85 X-Received: by 2002:a05:6870:8922:b0:349:de3c:bfc5 with SMTP id 586e51a60fabf-4157abcaf0emr207886fac.7.1771607781355; Fri, 20 Feb 2026 09:16:21 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AV1CL+HNE88qmnEDogFvSVKtfxBJr5mIAQw1Ws5r9k9robqmYw==" Received: by 2002:a05:6870:420c:b0:40e:f703:9195 with SMTP id 586e51a60fabf-40ef703caf4ls5836748fac.0.-pod-prod-01-us; Fri, 20 Feb 2026 09:16:20 -0800 (PST) X-Received: by 2002:a05:6808:c1bb:b0:45f:13fe:4a3d with SMTP id 5614622812f47-4644612e148mr371849b6e.7.1771607780457; Fri, 20 Feb 2026 09:16:20 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1771607780; cv=pass; d=google.com; s=arc-20240605; b=LlcBI/Q6SsygEZiNUXtpv/in0/CvyGdeJn4BOq0NoHRm5SLd6VTrJuBM89rpBB40+Z 2cEfeeHB/rjUJNNXxIWrGLnqwIclp9StusLAdam262iKNZgJeinuofLkq+MVKF9dTlNW BNudAu06km44ybb7wCxuM2SeLY7C3bzmItQwdYKqbjgONNv8Nj+V582x4NKsK78dj8lB orSHuvu37kKpsc7pzqchTfPZaLid7w4uoUnS+c4H0KJ5cPI6P7VZWeOnJJRLx+awR0DU 1YBkfMSFEwv2y02+YR0WNEEQ9rN0EVB+zaD4GEErZn0ileagdqiYyhYzpa1rZwLFl/2X 6sbw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:references:in-reply-to :message-id:date:subject:cc:to:from:dkim-signature; bh=8ldsHLsmrJkXrm3UG+5tekzysSBq5w557SlIlRuxZAY=; fh=WkhL8kaJc+l2wQon1t06Ej3uvBGj9sVhNcE8PaS/XbI=; b=JjOOGHYfbbD9EnkEP3cXcN6JxWtgSTHsW62FM4KWmt/2fm30Gqs9wcYectL/3/eI/k nAaI9+9qrgQe7CG/r1o/v3CiF9cptOQL58m8vep+JFQNtE8FKudomiAAz8f3t006YED8 Rf5iex4/8O2WVT/feBGPQMvGCoX7Y5Ru+BL4IDqO8RRTq2wER8PpZylEp72gkuijm24/ tpaLWnQxKgxowGcKANiAhkwy9XCsSXp/5wKddEqwcDqbqT6iPUklanbXdZOlCh3ZR1x1 hOGeaOc5Xtx8fd5CcWMiPlN8gCyz6lhif4jiu5rW9/6ymcuf0vKyTFpO3S3Hof6E4h/G pFGw==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b="Da3ri/fv"; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c20f::7 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from OSPPR02CU001.outbound.protection.outlook.com (mail-norwayeastazlp170130007.outbound.protection.outlook.com. [2a01:111:f403:c20f::7]) by gmr-mx.google.com with ESMTPS id 5614622812f47-4636ae55f7bsi1149069b6e.2.2026.02.20.09.16.20 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 20 Feb 2026 09:16:20 -0800 (PST) Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c20f::7 as permitted sender) client-ip=2a01:111:f403:c20f::7; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=nxP07+3aeZ9z1/3c4jO80SKl8BdRDg4SjXWpW+kfCCVanycGALQkFGlotMGYxg1guf9l7DdYqSMtawhOgn/CxGOaUv8J0NYRHo8fEOg58okMh/82Fbe8L3xIFB0mkiveLIJCz7hx+a9RJ6LHbrfWGVQe2EWOawNwqBNcp+zPWk0oLJzTfXMD96tHd5h30CStKJf2pk0i/gVuXuXPTONh1v1c32CiZypZ14f2lOPcNZGP1UshhBygGHmzjFUHnZSBumUM3tFSOihAghiGXcppKWsD9/s/9SljkqB4oRIycnjxux6H94qcfASCzbGJxAi3ZASDcTwnFFA2HBJyIbUTlA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8ldsHLsmrJkXrm3UG+5tekzysSBq5w557SlIlRuxZAY=; b=ag0MxysB5/dMKvxqAKz3br4kZE4XqzkU6ESFeYsEpIWoBh+T+9Sdvgi2OGOHCWgmFA8SlLVGDoNeoOxJIyn5iWxS8EVAgabQ8Qyyh/tHPExHYG5RC5DErqgsqCmctYJ1lnOqcAI/UaRO5B8RvoHjFjYZxe2iqHDXxtBZf1VZEqpFwV/0zXaFo9aXbBY6bepWQbdlqogJMz7ztqA2q00kJT7CVJkBHqnqooin8XjJ/82/S58VQGudVh8CrcfEkrt5TzV1PLGjwK9m/hpWy6NSWNWfMWWkvOfOih6dPSm/4OVw1otg6Y5HyI0c/tgpRLNmiDBCi2mtHiu8cd25eAinkA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) by GVXPR10MB6007.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:150:17::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9632.16; Fri, 20 Feb 2026 17:16:16 +0000 Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::9412:cd7f:3f72:92ab]) by DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::9412:cd7f:3f72:92ab%3]) with mapi id 15.20.9632.015; Fri, 20 Feb 2026 17:16:16 +0000 From: "'Felix Moessbauer' via isar-users" To: isar-users@googlegroups.com Cc: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer Subject: [RFC v2 08/19] wic: rework image deploy logic to deploy under correct user Date: Fri, 20 Feb 2026 18:15:50 +0100 Message-ID: <20260220171601.3845113-9-felix.moessbauer@siemens.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20260220171601.3845113-1-felix.moessbauer@siemens.com> References: <20260220171601.3845113-1-felix.moessbauer@siemens.com> Content-Type: text/plain; charset="UTF-8" X-ClientProxiedBy: FR3P281CA0085.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10:1f::22) To DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU0PR10MB6828:EE_|GVXPR10MB6007:EE_ X-MS-Office365-Filtering-Correlation-Id: 94e66097-eea0-40b9-79fa-08de70a3c192 X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|366016|376014|1800799024; X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?tXmGONxuWQ+XQxZMLDC+wq7e5Y/WsnCRKJjB3g4m9B63S0s0NBC9b6W9U7UF?= =?us-ascii?Q?KkRUZxqcMlHNS984NLIX10wPB06JK2QnvPx3bjqR3EISSJqHKi+urjlubj2h?= =?us-ascii?Q?eXcjK38EKkZ8oq4+C6Jhp4sLDQQX711Yu7beXaDCgoNnIX2Q9/+7it9ykNt9?= =?us-ascii?Q?997adro+//P4lMSnYxeNi1nGEKwRlTNUpJOnM1cukM+MOmC5ZLqR3/aBR62y?= =?us-ascii?Q?ZPBl1zbY/ATOroDnS8c9mDOzt8AKSj9GHR4MditRGDQFYW2N6b4XnZZ8L9Wf?= =?us-ascii?Q?y8A18RPbwOZeQO+sUUEUqw5/5aBUnXH4Sq/4gtkTy8PjCES/Opu0ZW7gOQ68?= =?us-ascii?Q?GVogYnRhozLTyIQnxWvVApr7qhyGevdCjX7aGh/3kMsm+ggu6ez3OWbHctRs?= =?us-ascii?Q?FDj32xQuViBN415j8tLJCm2ZBayLJIK0TdaWyPuCmfL2OfUHeSJ52R56j9nc?= =?us-ascii?Q?yRRElvmu1arCCwJjhjgYFmK3+bdqEg/7gwuEquczn2/5e99XCzGiGbgQfRTv?= =?us-ascii?Q?3E1tk98CjG11ZyBcaTDwcLlDQIkNNgqvtJWF0vvX166wiBl+fPMQrgUc12NY?= =?us-ascii?Q?k/QSsOtD4dcX5FZjBlyDQ7M+6QeK0YxsEJFLbt3eOUS/vj+iOQx5h8CReD72?= =?us-ascii?Q?Qvq7KUm7qgnHod9XjAUgNeGniOEc+zmXraufSbbxXKThkhRCFvrwEbnY94Ci?= =?us-ascii?Q?Zp7mgg+3sS+DKb6jYVglLEYSjOzJ6EukaPC6XDxjXPN+SnX6oh/REaMugTvu?= =?us-ascii?Q?P3E5l4v5Xa2+7/TmQG6UTlPLwJvB3iAxnxah1lO8di+i7K+6sEt6ZoMfH5T7?= =?us-ascii?Q?EZizqrBu3Wf7X9Xt99+8/OMVsONTNg+QTfn6nEXwNjRkhghjsjH898qDE8+P?= =?us-ascii?Q?QWptTKlPBvyQkMU83FMtLPUfcXKnE2NcnaJ8h9G33RUqgOW/vDpamdv4ZFuq?= =?us-ascii?Q?PtIEqk7qh1KHmO/xGnDIGytx6uwqaBSamMca3r+qg3And9ZKkWRGIsh7+qHr?= =?us-ascii?Q?vswpa7GJ4ePIXsO+Kxtis6PjsMCuuHrvQgvlM6Oquljhtti2mZjvDJSkgpnq?= =?us-ascii?Q?Zdky6boY5cvhoZzEs15CIW5+m19J/DjBIL1Eb7Ht0ba281HLNPreTZBl2mOs?= =?us-ascii?Q?gR1oi59M6bP/2SegzSodvL8AtGu9WIi59JqbjwCDNSC6KL0lct9aWuMaUhQa?= =?us-ascii?Q?BMGQw1Sb+IkgH01zTCgWmRHs6Uslu29fZ7Ub3mjP8Mc+42JQJy7nIon93O6R?= =?us-ascii?Q?gj6NK0owAFpaCaXUsNxVVgTpWANLvEo884jTDepTYQr2YkdSNSMqjhau05wP?= =?us-ascii?Q?CKSNTjiD9towtaocKaL+Q40hSd9lK+5eADHCxP3PrnlxLjx2+NyqTr91V98O?= =?us-ascii?Q?aeMq6UeErz8TGTYKyMfliQqI7xBa9gfLEGXM4DOqUxiNQB0k4dVjfwgtoejM?= =?us-ascii?Q?HeGKD612z30dhaSEjDZ2aLrpEBsXNm8VPJkLZdNZQDrMqgRMrUuHfyQfrRxh?= =?us-ascii?Q?PBjWArzBCiKE45cl1ETkoLm1Km9VeHQbm8eue9es5f+INghHJOsbg3LuOvPB?= =?us-ascii?Q?2IuopS0gWFCvtjDr3Ew=3D?= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(1800799024);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?GA1uZpqkaM30pvRj6o8lDCcZsl4VdqSiMykU8bmeG8Bx6zr3XxSvS9mhtkOf?= =?us-ascii?Q?KylOQN8/9E6LoiqrUhg1ZB9OLvi7vNFt47L024//nY+hS5SYUiqUS8flbPH0?= =?us-ascii?Q?N69+w1ksP6OG6j8aEHqjafFBOxe8x80QC3bE8A2r79RsuwTTTGm/D2GseWxy?= =?us-ascii?Q?R+s6Yj/9LNeOCl/dGWkCnUufGrRTAmauFRuUQV3OUzbkeYtz6UUWp98Jshtx?= =?us-ascii?Q?EZc+bvAniyRapptf7eeQymzLW0yJprxffpWJEXQWiLR5BGH4uGnXQaKzWV+0?= =?us-ascii?Q?/XRxlS0X3xl83MLy5/DxIpJ8Nx8dmuBe8a5b0Q7R5vikowBFeOnPMZSg3xgP?= =?us-ascii?Q?vkHEO0GR31+ZSjhxtEJgPLGcAugAj15lhQxQwW1w0XN2WLj+YZRASUNOer3f?= =?us-ascii?Q?oFRSDE0bA+7FcXh+lu9cCvErGwEzHRm6bU8xg/mNsGIe0TJAnibpn7+6Jfbq?= =?us-ascii?Q?BU2iY5lOegsd3VsJuimMU+1JlbcHuVMfl+gJUhTDrfxIw9RmkzWQF1IQL1Pg?= =?us-ascii?Q?gYP5JLqeZxHmy/GAW3FfFVFSR+yHNVDFgHueeAGSPxvDqicJa1jbT2R1Wxom?= =?us-ascii?Q?t9aFkFtRUpWHa6towTVR03r+PqTAUuFC/GquoQLH7kl2Ky9bTUcOoTYhA0sp?= =?us-ascii?Q?qGkPA8+yZW2g0AW3b7A7ML1mHo6oblyuE2ymsBKjSj1jKrR7bZP5/43/Ow0R?= =?us-ascii?Q?VXohDEGFhQS53bu6Zu6IgiI4zgqo8AremfGE+WjdnewLiC0yjB2MNyuzTL7n?= =?us-ascii?Q?5mGjzHcZjU17onxNLa9mTKIQ/y1j931N153bRHU0bjRs/HVIqFQmxAahykgS?= =?us-ascii?Q?QfPMZn3bZEusROVsbCCnqcQtydOzmYvAmByghrtkaNlz3t428/fkeX+uF8p6?= =?us-ascii?Q?inHXMzwWB+25mem2VJexnb1cOARL7v85BZhiaPZlQdnbUS+QP5wvSzYRNbZi?= =?us-ascii?Q?i3Fksvk3WJ8mHBHahVdWsnMDela6n3MRuzHHiT0YTWhlD4qcMwBD8/TxfrFD?= =?us-ascii?Q?vrFBi8N/jZtttE+RRAosOyJTT5E0SI4q5jr0cTq+azahroGuklaqk0GenKv9?= =?us-ascii?Q?6PsRPSqhJtR+LiaasLk3a+h/0FLMWlf5hh9iVuhPsev1g4MQGqeTyrqT7IIP?= =?us-ascii?Q?+FINkwGqooWa7D+UFDBMfr4MVeW18YQF4ioIuv/vuHDKhdXCa8o9n+qhupFM?= =?us-ascii?Q?tzPnGQ5ccwypW0tDPBNkydBAklcGnnUbeqKmVZnaKlZnkQXhuab19eGp+cvu?= =?us-ascii?Q?ads48yvjRm4lgsEyWJ7P+n1gV/iHFwdFWikSLXivNIyBnRejvRuL5Rq0wZwY?= =?us-ascii?Q?Lyb/CVsLeX7YyiNXy1Q5xdRhMtp6BgkshdKIR7j14cUhJ2R9wxEhW0l+mTN7?= =?us-ascii?Q?gFyfe1du5f9R2dNf5WZeSn3QGc0e0ij4r56AcirT6QrRYUseBCBYiSpd1okR?= =?us-ascii?Q?kOB2kNG7ZpSxZtGNdvdJANe34E2VLc3CEnwPQ569cwghjdVgwbgXlliLpwxy?= =?us-ascii?Q?lCSCLpMXqNnQU8LErhgM5m6Y+RNBCnN1qU8ApZxBBpB3ZQvWi6gSMAsHIdFh?= =?us-ascii?Q?SrjiCuPCHqr+JTq3LD4da3luNavU3CI5PP7RfzknqVDHVepWc3mERSPu856U?= =?us-ascii?Q?6EP/ssbul1XkWVaE4yevSc4h/Ln0EffLq25r6Y7cECntMohKC0Je3gf3ejMJ?= =?us-ascii?Q?1jI8GcVanKET0L2pJU2O0kzvRqQdIWnO49CBpU1iyj6haJHRuoR4tTSTKH3P?= =?us-ascii?Q?YcLqWzj7k2Mtqz4O20BWVI1D3K1ApGk=3D?= X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 94e66097-eea0-40b9-79fa-08de70a3c192 X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Feb 2026 17:16:16.4299 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: rW55JLqP3e3K3HdigmtkHanlA4VfFq7OsJSJ5b413QKCUY6p19T1SQIY6bv+UMtCmQr1Rcfl+VCcwpPMeCae4UWLK+X3G0YIeCWyoo86z00= X-MS-Exchange-Transport-CrossTenantHeadersStamped: GVXPR10MB6007 X-Original-Sender: felix.moessbauer@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b="Da3ri/fv"; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c20f::7 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Felix Moessbauer Reply-To: Felix Moessbauer Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: qaSoMcmv4p8g We previously deployed the image file as root and then chowned the deployed files to the calling user. Hereby the chown command itself requires to be run under root, which is not possible on rootless. As a preparation for rootless, we rework the deploy logic to deploy the files under the calling user. For that, we deploy to a temporary directory within workdir that is writeable from inside the chroot and then copy out under the calling user. Signed-off-by: Felix Moessbauer --- RECIPE-API-CHANGELOG.md | 12 +++++ .../image-tools-extension.bbclass | 11 +++++ meta/classes-recipe/image.bbclass | 10 +++- meta/classes-recipe/imagetypes.bbclass | 47 +++++++++++-------- meta/classes-recipe/imagetypes_wic.bbclass | 10 ++-- meta/classes-recipe/squashfs.bbclass | 2 +- 6 files changed, 66 insertions(+), 26 deletions(-) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index ad03ed68..31c61789 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -978,3 +978,15 @@ specifies the rootfs path. Using these helpers instead of direct `sudo` invocations centralizes platform-specific privileged execution logic in `base.bbclass`. Direct use of `sudo` is discouraged in downstream layers. + +### Changes to image types + +The way different image types are handled has changed to be be compatible with +rootless builds. For that, the deployment of images happens in two steps: + +1. generate the image in the `${IMAGE_STAGE_CHROOT}` +2. the `imager_run` or `${SUDO_CHROOT}` command takes care of deploying the image + into the `${DEPLOY_DIR_IMAGE}` + +Conversion commands need to follow this strategy as well, but can read the image +(prior to conversion) from `${IMAGE_FILE_CHROOT}`. diff --git a/meta/classes-recipe/image-tools-extension.bbclass b/meta/classes-recipe/image-tools-extension.bbclass index e88557f6..2eac3619 100644 --- a/meta/classes-recipe/image-tools-extension.bbclass +++ b/meta/classes-recipe/image-tools-extension.bbclass @@ -17,6 +17,17 @@ SCHROOT_MOUNTS = "${WORKDIR}:${PP_WORK} ${IMAGE_ROOTFS}:${PP_ROOTFS} ${DEPLOY_DI SCHROOT_MOUNTS += "${REPO_ISAR_DIR}/${DISTRO}:/isar-apt" imager_run() { + IMAGE_STAGE_DIR=$(dirname $IMAGE_STAGE_HOST) + create_chroot_parent_dir $IMAGE_STAGE_DIR + imager_run_${ISAR_CHROOT_MODE} "$@" + + # copy locally deployed files with correct permissions to deploy dir + find $IMAGE_STAGE_DIR -type f -exec cp {} ${DEPLOY_DIR_IMAGE} \; + # on error keep the files for investigation + run_privileged rm -rf $IMAGE_STAGE_DIR +} + +imager_run_schroot() { local_install="${@(d.getVar("INSTALL_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}" local_bom="${@(d.getVar("BOM_%s" % d.getVar("BB_CURRENTTASK")) or '').strip()}" diff --git a/meta/classes-recipe/image.bbclass b/meta/classes-recipe/image.bbclass index 4a250964..2049d80b 100644 --- a/meta/classes-recipe/image.bbclass +++ b/meta/classes-recipe/image.bbclass @@ -180,8 +180,14 @@ IMGCLASSES += "${IMAGE_CLASSES}" inherit ${IMGCLASSES} # convenience variables to be used by CMDs +# Note, that the variables are only valid within the type specific task itself +# but not in transitively called shell functions IMAGE_FILE_HOST = "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.${type}" +# view (only for reading) the image in the deploy dir (useful for conversion commands) IMAGE_FILE_CHROOT = "${PP_DEPLOY}/${IMAGE_FULLNAME}.${type}" +# staging location for copy-out (should only be written to from chroot) +IMAGE_STAGE_HOST = "${WORKDIR}/deploy-image-${type}/${IMAGE_FULLNAME}.${type}" +IMAGE_STAGE_CHROOT = "${PP_WORK}/deploy-image-${type}/${IMAGE_FULLNAME}.${type}" SUDO_CHROOT = "imager_run -d ${PP_ROOTFS} -u root --" # hook up IMAGE_CMD_* @@ -262,8 +268,8 @@ python() { image_cmd = localdata.getVar('IMAGE_CMD:' + bt_clean) if image_cmd: localdata.setVar('type', bt) + cmds.append(localdata.expand('\tIMAGE_STAGE_HOST="${IMAGE_STAGE_HOST}"')) cmds.append(localdata.expand(image_cmd)) - cmds.append(localdata.expand('\tsudo chown $(id -u):$(id -g) ${IMAGE_FILE_HOST}')) else: bb.fatal("No IMAGE_CMD for %s" % bt) vardeps.add('IMAGE_CMD:' + bt_clean) @@ -292,8 +298,8 @@ python() { localdata.setVar('type', t) cmd = '\t' + localdata.getVar('CONVERSION_CMD:' + c) if cmd not in cmds: + cmds.append(localdata.expand('\tIMAGE_STAGE_HOST="${IMAGE_STAGE_HOST}"')) cmds.append(cmd) - cmds.append(localdata.expand('\tsudo chown $(id -u):$(id -g) ${IMAGE_FILE_HOST}.%s' % c)) vardeps.add('CONVERSION_CMD:' + c) for dep in (localdata.getVar('CONVERSION_DEPS:' + c) or '').split(): conversion_install.add(dep) diff --git a/meta/classes-recipe/imagetypes.bbclass b/meta/classes-recipe/imagetypes.bbclass index f802c11c..78b89393 100644 --- a/meta/classes-recipe/imagetypes.bbclass +++ b/meta/classes-recipe/imagetypes.bbclass @@ -9,7 +9,7 @@ TAR_TRANSFORM = "--transform='s|rootfs|.|'" TAR_OPTIONS:append = " ${TAR_TRANSFORM}" IMAGE_CMD:tar() { ${SUDO_CHROOT} tar ${TAR_OPTIONS} -cvSf \ - ${IMAGE_FILE_CHROOT} --one-file-system -C ${PP} rootfs + ${IMAGE_STAGE_CHROOT} --one-file-system -C ${PP} rootfs } # image type: ext4 @@ -38,10 +38,11 @@ do_image_ext4[prefuncs] = "set_mke2fs_args" IMAGE_CMD:ext4() { export E2FSPROGS_FAKE_TIME="${SOURCE_DATE_EPOCH}" - truncate -s ${ROOTFS_SIZE}K '${IMAGE_FILE_HOST}' - - ${SUDO_CHROOT} /sbin/mke2fs ${MKE2FS_ARGS} \ - -F -d '${PP_ROOTFS}' '${IMAGE_FILE_CHROOT}' + ${SUDO_CHROOT} /bin/bash -s <<'EOF' + set -e + truncate -s ${ROOTFS_SIZE}K '${IMAGE_STAGE_CHROOT}' + /sbin/mke2fs ${MKE2FS_ARGS} -F -d '${PP_ROOTFS}' '${IMAGE_STAGE_CHROOT}' +EOF } # image type: cpio @@ -49,10 +50,12 @@ IMAGER_INSTALL:cpio += "cpio" CPIO_IMAGE_FORMAT ?= "newc" IMAGE_CMD:cpio() { - ${SUDO_CHROOT} \ - sh -c "cd ${PP_ROOTFS}; /usr/bin/find . | \ - /usr/bin/cpio -H ${CPIO_IMAGE_FORMAT} -o > \ - ${IMAGE_FILE_CHROOT}" + imager_run -p -d ${PP_WORK} -u root <<'EOIMAGER' + set -e + cd '${PP_ROOTFS}'; /usr/bin/find . | \ + /usr/bin/cpio -H ${CPIO_IMAGE_FORMAT} -o > \ + '${IMAGE_STAGE_CHROOT}' +EOIMAGER } # image type: fit @@ -72,8 +75,9 @@ IMAGE_CMD:fit() { die "FIT_IMAGE_SOURCE does not contain fitimage source file" fi - ${SUDO_CHROOT} /usr/bin/mkimage ${MKIMAGE_ARGS} \ - -f '${PP_WORK}/${FIT_IMAGE_SOURCE}' '${IMAGE_FILE_CHROOT}' + ${SUDO_CHROOT} /usr/bin/mkimage \ + ${MKIMAGE_ARGS} -f '${PP_WORK}/${FIT_IMAGE_SOURCE}' \ + '${IMAGE_STAGE_CHROOT}' } IMAGE_CMD:fit[depends] = "${PN}:do_transform_template" @@ -90,8 +94,9 @@ THIS_ISAR_CROSS_COMPILE := "${ISAR_CROSS_COMPILE}" ISAR_CROSS_COMPILE:armhf = "${@bb.utils.contains('IMAGE_BASETYPES', 'ubifs', '1', '${THIS_ISAR_CROSS_COMPILE}', d)}" IMAGE_CMD:ubifs() { - ${SUDO_CHROOT} /usr/sbin/mkfs.ubifs ${MKUBIFS_ARGS} \ - -r '${PP_ROOTFS}' '${IMAGE_FILE_CHROOT}' + ${SUDO_CHROOT} /usr/sbin/mkfs.ubifs \ + ${MKUBIFS_ARGS} -r '${PP_ROOTFS}' \ + '${IMAGE_FILE_CHROOT}' } # image type: ubi @@ -108,22 +113,26 @@ IMAGE_CMD:ubi() { die "UBINIZE_CFG does not contain ubinize config file." fi - ${SUDO_CHROOT} /usr/sbin/ubinize ${UBINIZE_ARGS} \ - -o '${IMAGE_FILE_CHROOT}' '${PP_WORK}/${UBINIZE_CFG}' + ${SUDO_CHROOT} /usr/sbin/ubinize \ + ${UBINIZE_ARGS} -o '${IMAGE_STAGE_CHROOT}' \ + '${PP_WORK}/${UBINIZE_CFG}' } IMAGE_CMD:ubi[depends] = "${PN}:do_transform_template" # image conversions IMAGE_CONVERSIONS = "gz xz zst zck" -CONVERSION_CMD:gz = "${SUDO_CHROOT} sh -c 'gzip -f -9 -n -c --rsyncable ${IMAGE_FILE_CHROOT} > ${IMAGE_FILE_CHROOT}.gz'" +# image conversions +IMAGE_CONVERSIONS = "gz xz zst zck" + +CONVERSION_CMD:gz = "${SUDO_CHROOT} sh -c 'gzip -f -9 -n -c --rsyncable ${IMAGE_FILE_CHROOT} > ${IMAGE_STAGE_CHROOT}.gz'" CONVERSION_DEPS:gz = "gzip" -CONVERSION_CMD:xz = "${SUDO_CHROOT} sh -c 'xz -c ${XZ_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_FILE_CHROOT}.xz'" +CONVERSION_CMD:xz = "${SUDO_CHROOT} sh -c 'xz -c ${XZ_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_STAGE_CHROOT}.xz'" CONVERSION_DEPS:xz = "xz-utils" -CONVERSION_CMD:zst = "${SUDO_CHROOT} sh -c 'zstd -c --sparse ${ZSTD_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_FILE_CHROOT}.zst'" +CONVERSION_CMD:zst = "${SUDO_CHROOT} sh -c 'zstd -c --sparse ${ZSTD_DEFAULTS} ${IMAGE_FILE_CHROOT} > ${IMAGE_STAGE_CHROOT}.zst'" CONVERSION_DEPS:zst = "zstd" -CONVERSION_CMD:zck = "${SUDO_CHROOT} sh -c 'cd $(dirname ${IMAGE_FILE_CHROOT}); zck ${ZCK_DEFAULTS} ${IMAGE_FILE_CHROOT}'" +CONVERSION_CMD:zck = "${SUDO_CHROOT} sh -c 'cd $(dirname ${IMAGE_FILE_CHROOT}); zck ${ZCK_DEFAULTS} ${IMAGE_STAGE_CHROOT}'" CONVERSION_DEPS:zck = "zchunk" diff --git a/meta/classes-recipe/imagetypes_wic.bbclass b/meta/classes-recipe/imagetypes_wic.bbclass index 63974a3e..ebf3ce8e 100644 --- a/meta/classes-recipe/imagetypes_wic.bbclass +++ b/meta/classes-recipe/imagetypes_wic.bbclass @@ -145,6 +145,9 @@ check_for_wic_warnings() { do_image_wic[file-checksums] += "${WKS_FILE_CHECKSUM}" IMAGE_CMD:wic() { + # variable is type specific, hence capture here and + # forward to functions via export + export IMAGE_STAGE_CHROOT="${IMAGE_STAGE_CHROOT}" generate_wic_image check_for_wic_warnings } @@ -181,20 +184,19 @@ generate_wic_image() { -e "${IMAGE_BASENAME}" ${WIC_CREATE_EXTRA_ARGS} WIC_DIRECT=$(ls -t -1 /tmp/${IMAGE_FULLNAME}.wic/*.direct | head -1) - mv -f ${WIC_DIRECT} ${PP_DEPLOY}/${IMAGE_FULLNAME}.wic - mv -f ${WIC_DIRECT}.bmap ${PP_DEPLOY}/${IMAGE_FULLNAME}.wic.bmap + mv -f ${WIC_DIRECT} $IMAGE_STAGE_CHROOT + mv -f ${WIC_DIRECT}.bmap $IMAGE_STAGE_CHROOT.bmap # deploy partition files if requested (ending with .p) if [ "${WIC_DEPLOY_PARTITIONS}" -eq "1" ]; then # locate *.direct.p partition files find "/tmp/${IMAGE_FULLNAME}.wic/" -type f -regextype sed -regex ".*\.direct.*\.p[0-9]\{1,\}" | while read f; do suffix=$(basename $f | sed 's/.*\.direct\(.*\)/\1/') - mv -f ${f} ${PP_DEPLOY}/${IMAGE_FULLNAME}.wic${suffix} + mv -f ${f} $IMAGE_STAGE_CHROOT${suffix} done fi EOIMAGER run_privileged chown -R $(stat -c "%U" ${LAYERDIR_core}) ${LAYERDIR_core} ${LAYERDIR_isar} ${SCRIPTSDIR} || true - run_privileged chown -R $(id -u):$(id -g) "${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.wic"* rm -rf ${IMAGE_ROOTFS}/../pseudo cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.manifest \ diff --git a/meta/classes-recipe/squashfs.bbclass b/meta/classes-recipe/squashfs.bbclass index 9cd7ed3d..8330ffb5 100644 --- a/meta/classes-recipe/squashfs.bbclass +++ b/meta/classes-recipe/squashfs.bbclass @@ -42,6 +42,6 @@ IMAGE_CMD:squashfs[depends] = "${PN}:do_transform_template" IMAGE_CMD:squashfs[vardepsexclude] += "SQUASHFS_CREATION_LIMITS" IMAGE_CMD:squashfs() { ${SUDO_CHROOT} /bin/mksquashfs \ - '${SQUASHFS_CONTENT}' '${IMAGE_FILE_CHROOT}' \ + '${SQUASHFS_CONTENT}' '${IMAGE_STAGE_CHROOT}' \ -noappend ${SQUASHFS_CREATION_LIMITS} ${SQUASHFS_CREATION_ARGS} } -- 2.51.0 -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260220171601.3845113-9-felix.moessbauer%40siemens.com.