From: "'Felix Moessbauer' via isar-users"
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [PATCH v2 00/16] add support to build isar unprivileged
Date: Fri, 27 Feb 2026 15:57:00 +0100
Message-ID: <20260227145716.3794146-1-felix.moessbauer@siemens.com>

Dear isar-users,

currently isar requires password-less sudo and an environment where
mounting file systems is possible. This has proven problematic for
security reasons, both when running in a privileged container or locally.

To solve this, we implement fully rootless builds that rely on the
unshare syscall which allows us to avoid sudo and instead operate in
temporary kernel namespaces as a user that is just privileged within
that namespace. This comes with some challenges regarding the handling
of mounts (they are cleared when leaving the namespace), as well as
cross namespace deployments (the outer user might not be able to access
the inner data). For that, we rework the handling of mounts and artifact
passing to make it compatible with both chroot modes (schroot and
unshare).

Note that this series can be tested on a custom kas-container build
provided in [1]. Hints how to migrate downstream layers are provided in
the API changelog.

Changes since PATCH v1:

- fixed broken rebase onto next
- fix root_cleandirs implementation

NOTE: This requires the kas series (v3) from [1] for rootless building.

Changes since RFC 2:

- rebased onto next
- fix usage of root_cleandirs
- simplify file permission handling by mapping caller user to root
  inside the namespace. By that, in most cases no changes to the
  imager are needed anymore.
- implement support for devshell under rootless
- switch to getpass.getuser() to query user (needed for dynamically
  created / remapped kas builder user)
- rework mapping to be more similar to mapping used by mmdebstrap
- sbuild: only copy-out of dpkg.log on schroot (unclear if needed on
  unshare. To be clarified)
- imager-sbom: ensure sbom is extracted before entering the chroot

Changes since RFC 1:

- switch build_type to isar-rootless in isar.yaml (Note: switch back
  if testing locally in an unprepared kas container)
- complete overhaul of the mounting in unshared namespaces
- fixes the systemd presetting
- fixes hangs when pulling from snapshot mirrors
- rename the run_privileged_here to run_privileged_heredoc to clarify
  its intention
- add support for
  - dpkg-source with do_fetch_common_source
  - vm images
  - container images
  - discoverable disk images
- add helper script to clean build dir in unprivileged mode
- reduce clutter we leave after finishing a build
- fix issues when running in a privileged environment without sub
  user ids
- bugfixes

Still missing is the support for the devshell. Further, the rootless
build dir must not reside in a git worktree (a normal git dir is fine).
This is probably a bug in combination with kas-container.

[1] https://groups.google.com/g/kas-devel/c/NWQFCU2aUHg

Best regards,
Felix Moessbauer
Siemens AG

Felix Moessbauer (16):
  refactor bootstrap: store rootfs tar with user permissions
  deb-dl-dir: export without root privileges
  download debs without locking
  introduce wrappers for privileged execution
  bootstrap: move cleanup trap to function
  rootfs: rework sstate caching of rootfs artifact
  rootfs_generate_initramfs: rework deployment to avoid chowning
  use bitbake function to generate mounting scripts
  apt-fetcher: prepare for chroot specific fetching
  add support for fully rootless builds
  add helper script to clean artifacts in build dir
  apt-fetcher: implement support for unshare backend
  dpkg-source: implement multiarch support for unshare backend
  use copy of sbom-chroot for sbom creation
  add support for devshell on unshare backend
  compat: handle user errors gracefully to avoid parser splat

 Kconfig                                       |   2 +-
 RECIPE-API-CHANGELOG.md                       |  42 ++++
 doc/user_manual.md                            |   2 +
 kas/isar.yaml                                 |   2 +-
 meta/classes-global/base.bbclass              | 124 ++++++++++-
 meta/classes-recipe/compat.bbclass            |   3 +
 meta/classes-recipe/deb-dl-dir.bbclass        |  20 +-
 meta/classes-recipe/dpkg-base.bbclass         |  94 ++++++--
 meta/classes-recipe/dpkg-source.bbclass       |  40 +++-
 meta/classes-recipe/dpkg.bbclass              |  17 +-
 .../image-account-extension.bbclass           |   4 +-
 .../image-locales-extension.bbclass           |  13 +-
 .../image-postproc-extension.bbclass          |  30 +--
 .../image-tools-extension.bbclass             |  87 +++++++-
 meta/classes-recipe/image.bbclass             |  21 +-
 .../imagetypes_container.bbclass              |  28 +--
 meta/classes-recipe/imagetypes_wic.bbclass    |  10 +-
 meta/classes-recipe/rootfs.bbclass            | 202 +++++++++---------
 meta/classes-recipe/sbuild.bbclass            |  34 ++-
 meta/classes-recipe/sdk.bbclass               |  22 +-
 meta/classes/sbom.bbclass                     |  28 ++-
 meta/conf/bitbake.conf                        |   7 +-
 meta/lib/aptsrc_fetcher.py                    |  87 +++++++-
 .../isar-mmdebstrap/isar-mmdebstrap.inc       |  46 ++--
 .../sbom-chroot/sbom-chroot.bb                |  11 +-
 .../sbuild-chroot/sbuild-chroot.inc           |  24 ++-
 scripts/isar-clean-builddir                   |  73 +++++++
 .../unittests/test_image_account_extension.py |   9 +-
 28 files changed, 845 insertions(+), 237 deletions(-)
 create mode 100755 scripts/isar-clean-builddir

-- 
2.51.0
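
The cover letter above mentions mapping the calling user to root inside the namespace and the cross-namespace access problem. The following is an added example, not part of the patch series or of Isar's code, that models such a user-namespace ID map and shows which host IDs end up owning files written inside it. The layout (inner 0 is the caller, inner 1..N is the caller's subordinate range), the function names and the sample /etc/subuid content are assumptions made for illustration.

```python
# Added illustration: model of a rootless user-namespace UID map.
# Assumed layout (not taken from the series): inner 0 -> calling user,
# inner 1..N -> the caller's subordinate ID range from /etc/subuid.

# Constructed sample of /etc/subuid content (format: name:first_id:count).
SAMPLE_SUBUID = """\
builder:100000:65536
other:165536:65536
"""


def subid_range(subid_text, user, uid):
    """Return (first_id, count) of the first range owned by user, or None.

    The owner field may be a login name or a numeric uid.
    """
    for line in subid_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 3:
            continue  # skip blank or malformed entries
        owner, first, count = fields
        if owner in (user, str(uid)):
            return int(first), int(count)
    return None


def build_id_map(subid_text, user, uid):
    """Build uid_map rows as (inner_start, outer_start, count).

    Inner root is always the caller. Without a subordinate range, root is
    the only ID that exists inside the namespace.
    """
    rows = [(0, uid, 1)]
    rng = subid_range(subid_text, user, uid)
    if rng is not None:
        rows.append((1, rng[0], rng[1]))
    return rows


def to_outer(id_map, inner_id):
    """Translate an inner ID to the ID the host records, or None if unmapped."""
    for inner_start, outer_start, count in id_map:
        if inner_start <= inner_id < inner_start + count:
            return outer_start + (inner_id - inner_start)
    return None


def newuidmap_args(pid, id_map):
    """Argument vector for newuidmap(1): pid, then inner/outer/count triples."""
    args = ["newuidmap", str(pid)]
    for row in id_map:
        args.extend(str(value) for value in row)
    return args


if __name__ == "__main__":
    id_map = build_id_map(SAMPLE_SUBUID, "builder", 1000)
    for inner in (0, 33, 65537):
        print(f"inner uid {inner} -> outer uid {to_outer(id_map, inner)}")
    print(" ".join(newuidmap_args(4242, id_map)))
```

With this layout, files written as inner root belong to the caller on the host, while files written as any other inner user belong to a subordinate ID that the caller cannot read or remove without re-entering a namespace with the same map.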