From mboxrd@z Thu Jan 1 00:00:00 1970
From: "'Felix Moessbauer' via isar-users"
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [PATCH v3 00/16] add support to build isar unprivileged
Date: Tue, 7 Apr 2026 16:22:54 +0200
Message-ID: <20260407142310.2327696-1-felix.moessbauer@siemens.com>
X-Mailer: git-send-email 2.53.0
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0

Dear isar-users,

currently isar requires password-less sudo and an environment where
mounting file systems is possible. This has proven problematic for
security reasons, both when running in a privileged container or locally.

To solve this, we implement fully rootless builds that rely on the
unshare syscall which allows us to avoid sudo and instead operate in
temporary kernel namespaces as a user that is just privileged within
that namespace. This comes with some challenges regarding the handling
of mounts (they are cleared when leaving the namespace), as well as
cross namespace deployments (the outer user might not be able to access
the inner data). For that, we rework the handling of mounts and artifact
passing to make it compatible with both chroot modes (schroot and unshare).

Note that this series can be tested on a custom kas-container build
provided in [1]. Hints on how to migrate downstream layers are provided
in the API changelog.

Changes since PATCH v2:

- add support for cached base apt
- rootfs sstate: do not rely on fd3 for copy out, as not always available
- sbom: use local copy of sbom rootfs to not leave shared instance behind
- testsuite: add parameter to run in rootless mode
- rebased onto v1.0

Changes since PATCH v1:

- fixed broken rebase onto next
- fix root_cleandirs implementation

NOTE: This requires the kas series (v3) from [1] for rootless building.

Changes since RFC 2:

- rebased onto next
- fix usage of root_cleandirs
- simplify file permission handling by mapping caller user to root
  inside the namespace. By that, in most cases no changes to the
  imager are needed anymore.
- implement support for devshell under rootless
- switch to getpass.getuser() to query user (needed for dynamically
  created / remapped kas builder user)
- rework mapping to be more similar to mapping used by mmdebstrap
- sbuild: only copy-out of dpkg.log on schroot (unclear if needed on
  unshare. To be clarified)
- imager-sbom: ensure sbom is extracted before entering the chroot

Changes since RFC 1:

- switch build_type to isar-rootless in isar.yaml
  (Note: switch back if testing locally in an unprepared kas container)
- complete overhaul of the mounting in unshared namespaces
- fixes the systemd presetting
- fixes hangs when pulling from snapshot mirrors
- rename the run_privileged_here to run_privileged_heredoc to clarify
  its intention
- add support for
  - dpkg-source with do_fetch_common_source
  - vm images
  - container images
  - discoverable disk images
- add helper script to clean build dir in unprivileged mode
- reduce clutter we leave after finishing a build
- fix issues when running in a privileged environment without sub user ids
- bugfixes

Note that the rootless build dir must not reside in a git worktree
(a normal git dir is fine). This is probably a bug in combination with
kas-container.

[1] https://groups.google.com/g/kas-devel/c/NWQFCU2aUHg

Best regards,
Felix Moessbauer
Siemens AG

Felix Moessbauer (16):
  refactor bootstrap: store rootfs tar with user permissions
  deb-dl-dir: export without root privileges
  download debs without locking
  introduce wrappers for privileged execution
  bootstrap: move cleanup trap to function
  rootfs: rework sstate caching of rootfs artifact
  rootfs_generate_initramfs: rework deployment to avoid chowning
  use bitbake function to generate mounting scripts
  apt-fetcher: prepare for chroot specific fetching
  add support for fully rootless builds
  add helper script to clean artifacts in build dir
  apt-fetcher: implement support for unshare backend
  dpkg-source: implement multiarch support for unshare backend
  use copy of sbom-chroot for sbom creation
  add support for devshell on unshare backend
  testsuite: add parameter to run tests in rootless mode

 Kconfig | 2 +-
 RECIPE-API-CHANGELOG.md | 42 ++++
 doc/user_manual.md | 2 +
 kas/isar.yaml | 2 +-
 meta/classes-global/base.bbclass | 124 ++++++++++-
 meta/classes-recipe/deb-dl-dir.bbclass | 24 ++-
 meta/classes-recipe/dpkg-base.bbclass | 94 ++++++--
 meta/classes-recipe/dpkg-source.bbclass | 40 +++-
 meta/classes-recipe/dpkg.bbclass | 19 +-
 .../image-account-extension.bbclass | 4 +-
 .../image-locales-extension.bbclass | 13 +-
 .../image-postproc-extension.bbclass | 30 +--
 .../image-tools-extension.bbclass | 114 +++++++++-
 meta/classes-recipe/image.bbclass | 21 +-
 .../imagetypes_container.bbclass | 28 +--
 meta/classes-recipe/imagetypes_wic.bbclass | 10 +-
 meta/classes-recipe/rootfs.bbclass | 203 +++++++++---------
 meta/classes-recipe/sbuild.bbclass | 34 ++-
 meta/classes-recipe/sdk.bbclass | 22 +-
 meta/classes/sbom.bbclass | 28 ++-
 meta/conf/bitbake.conf | 7 +-
 meta/lib/aptsrc_fetcher.py | 87 +++++++-
 .../isar-mmdebstrap/isar-mmdebstrap.inc | 55 +++--
 .../sbom-chroot/sbom-chroot.bb | 11 +-
 .../sbuild-chroot/sbuild-chroot.inc | 24 ++-
 scripts/isar-clean-builddir | 73 +++++++
 testsuite/cibuilder.py | 6 +
 .../unittests/test_image_account_extension.py | 9 +-
 28 files changed, 882 insertions(+), 246 deletions(-)
 create mode 100755 scripts/isar-clean-builddir

--
2.53.0
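
The uid mapping the cover letter describes (caller mapped to root inside the namespace, sub user ids for all other ids), as an added Python sketch that is not part of the original mail or of isar. The user name `builder`, uid 1000 and the `/etc/subuid` sample are constructed, and the layout "caller to 0, subordinate range to 1..N" is an assumed common rootless scheme, not isar's confirmed mapping.

```python
# Added illustration (not isar code). Assumed layout: the calling user becomes
# uid 0 inside the user namespace, the /etc/subuid range becomes uids 1..N.

# Constructed sample of /etc/subuid (format user:start:count); values are made up.
SAMPLE_SUBUID = """\
builder:100000:65536
other:165536:65536
"""


def subid_range(subid_text, user):
    """Return (start, count) of the first subordinate range of `user`, or None."""
    for line in subid_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 3 and fields[0] == user:
            return int(fields[1]), int(fields[2])
    return None


def build_idmap(outer_id, sub_range):
    """Rows (inside, outside, count), the column order of /proc/<pid>/uid_map."""
    rows = [(0, outer_id, 1)]            # caller is root inside the namespace
    if sub_range is not None:            # no sub ids: only this single row
        rows.append((1, sub_range[0], sub_range[1]))
    return rows


def to_outer(idmap, inner_id):
    """Translate an id seen inside the namespace to the id stored on disk."""
    for inside, outside, count in idmap:
        if inside <= inner_id < inside + count:
            return outside + (inner_id - inside)
    return None  # unmapped: chown to this id fails inside the namespace


def outer_owns(idmap, inner_owner, outer_id):
    """True if a file owned by `inner_owner` belongs to the outer user on disk."""
    return to_outer(idmap, inner_owner) == outer_id


if __name__ == "__main__":
    full = build_idmap(1000, subid_range(SAMPLE_SUBUID, "builder"))
    print("uid_map:", full)
    for inner in (0, 33):  # root and a system user (33 is www-data on Debian)
        print(inner, "->", to_outer(full, inner),
              "outer owns:", outer_owns(full, inner, 1000))
    single = build_idmap(1000, subid_range(SAMPLE_SUBUID, "no-subids"))
    print("without sub ids:", single, "uid 33 ->", to_outer(single, 33))
```

With this layout a file owned by inner uid 33 is stored as uid 100032, which the outer uid 1000 does not own; that is the cross-namespace deployment problem the mail mentions, and without sub user ids only inner root is mapped at all.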