From: "'Felix Moessbauer' via isar-users"
To: isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer
Subject: [PATCH v5 00/17] add support to build isar unprivileged
Date: Tue, 9 Jun 2026 14:33:38 +0200
Message-ID: <20260609123355.2368573-1-felix.moessbauer@siemens.com>

Dear isar-users,

currently isar requires password-less sudo and an environment where
mounting file systems is possible. This has proven problematic for
security reasons, both when running in a privileged container or locally.

To solve this, we implement fully rootless builds that rely on the
unshare syscall which allows us to avoid sudo and instead operate in
temporary kernel namespaces as a user that is just privileged within
that namespace.

This comes with some challenges regarding the handling of mounts (they
are cleared when leaving the namespace), as well as cross namespace
deployments (the outer user might not be able to access the inner data).
For that, we rework the handling of mounts and artifact passing to make
it compatible with both chroot modes (schroot and unshare).

Note that this series can be tested on a custom kas-container build
provided in [1]. Hints how to migrate downstream layers are provided in
the API changelog.

Changes since PATCH v4:

- fix cleanup trap in do_bootstrap (only functional change)
- keep build_system entries as "isar" until we have official kas support
  (and for backwards compatibility). Add reasoning to commit message
- improve RECIPE-API-CHANGELOG (the kas interfaces are stable now, but
  not yet released)

Changes since PATCH v3:

- fix dracut initrd build issue (p7)
- testsuite: print if rootless mode is used in summary
- testsuite: append newline after ISAR_ROOTLESS = "1" in ci config
- run-tests.sh: catch -p rootless=1 flag and start container in rootless
  mode (requires a not-yet released kas-container, corresponding kas
  patches are currently under review)

Changes since PATCH v2:

- add support for cached base apt
- rootfs sstate: do not rely on fd3 for copy out, as not always available
- sbom: use local copy of sbom rootfs to not leave shared instance behind
- testsuite: add parameter to run in rootless mode
- rebased onto v1.0

Changes since PATCH v1:

- fixed broken rebase onto next
- fix root_cleandirs implementation

NOTE: This requires the kas series (v3) from [1] for rootless building.

Changes since RFC 2:

- rebased onto next
- fix usage of root_cleandirs
- simplify file permission handling by mapping caller user to root
  inside the namespace. By that, in most cases no changes to the imager
  are needed anymore.
- implement support for devshell under rootless
- switch to getpass.getuser() to query user (needed for dynamically
  created / remapped kas builder user)
- rework mapping to be more similar to mapping used by mmdebstrap
- sbuild: only copy-out of dpkg.log on schroot (unclear if needed on
  unshare. To be clarified)
- imager-sbom: ensure sbom is extracted before entering the chroot

Changes since RFC 1:

- switch build_type to isar-rootless in isar.yaml
  (Note: switch back if testing locally in an unprepared kas container)
- complete overhaul of the mounting in unshared namespaces
- fixes the systemd presetting
- fixes hangs when pulling from snapshot mirrors
- rename the run_privileged_here to run_privileged_heredoc to clarify
  its intention
- add support for
  - dpkg-source with do_fetch_common_source
  - vm images
  - container images
  - discoverable disk images
- add helper script to clean build dir in unprivileged mode
- reduce clutter we leave after finishing a build
- fix issues when running in a privileged environment without sub user ids
- bugfixes

Note that the rootless build dir must not reside in a git worktree
(a normal git dir is fine). This is probably a bug in combination with
kas-container.

[1] https://groups.google.com/g/kas-devel/c/NWQFCU2aUHg

Best regards,
Felix Moessbauer
Siemens AG

Felix Moessbauer (17):
  refactor bootstrap: store rootfs tar with user permissions
  deb-dl-dir: export without root privileges
  download debs without locking
  introduce wrappers for privileged execution
  bootstrap: move cleanup trap to function
  rootfs: rework sstate caching of rootfs artifact
  rootfs_generate_initramfs: rework deployment to avoid chowning
  use bitbake function to generate mounting scripts
  apt-fetcher: prepare for chroot specific fetching
  add support for fully rootless builds
  add helper script to clean artifacts in build dir
  apt-fetcher: implement support for unshare backend
  dpkg-source: implement multiarch support for unshare backend
  use copy of sbom-chroot for sbom creation
  add support for devshell on unshare backend
  testsuite: add parameter to run tests in rootless mode
  run-tests: add support for isar-rootless mode

 RECIPE-API-CHANGELOG.md                       |  41 ++++
 doc/user_manual.md                            |   2 +
 meta/classes-global/base.bbclass              | 124 ++++++++++-
 meta/classes-recipe/deb-dl-dir.bbclass        |  24 ++-
 meta/classes-recipe/dpkg-base.bbclass         |  94 ++++++--
 meta/classes-recipe/dpkg-source.bbclass       |  40 +++-
 meta/classes-recipe/dpkg.bbclass              |  19 +-
 .../image-account-extension.bbclass           |   4 +-
 .../image-locales-extension.bbclass           |  13 +-
 .../image-postproc-extension.bbclass          |  30 +--
 .../image-tools-extension.bbclass             | 114 +++++++++-
 meta/classes-recipe/image.bbclass             |  21 +-
 .../imagetypes_container.bbclass              |  28 +--
 meta/classes-recipe/imagetypes_wic.bbclass    |  10 +-
 meta/classes-recipe/rootfs.bbclass            | 204 +++++++++---------
 meta/classes-recipe/sbuild.bbclass            |  34 ++-
 meta/classes-recipe/sdk.bbclass               |  22 +-
 meta/classes/sbom.bbclass                     |  28 ++-
 meta/conf/bitbake.conf                        |   7 +-
 meta/lib/aptsrc_fetcher.py                    |  87 +++++++-
 .../isar-mmdebstrap/isar-mmdebstrap.inc       |  56 +++--
 .../sbom-chroot/sbom-chroot.bb                |  11 +-
 .../sbuild-chroot/sbuild-chroot.inc           |  24 ++-
 scripts/isar-clean-builddir                   |  73 +++++++
 scripts/run-tests.sh                          |   7 +-
 testsuite/cibuilder.py                        |   7 +
 .../unittests/test_image_account_extension.py |   9 +-
 27 files changed, 888 insertions(+), 245 deletions(-)
 create mode 100755 scripts/isar-clean-builddir

-- 
2.53.0
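
Added example (not part of the original mail and not isar code): the cover letter notes that the outer user might not be able to access data created inside the namespace, and that RFC 2 maps the caller to root inside it. The sketch below models a user-namespace UID map to show which in-namespace owners end up as the caller's own UID on the host; the map layout, the user name "builder", UID 1000 and the /etc/subuid content are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample in /etc/subuid format: name:first_subordinate_id:count
SAMPLE_SUBUID = """\
# constructed sample, not taken from a real system
builder:100000:65536
other:165536:65536
"""


@dataclass(frozen=True)
class Extent:
    inner: int  # first ID as seen inside the namespace
    outer: int  # first ID as seen on the host
    count: int  # number of consecutive IDs covered


def subid_range(subuid_text, user):
    """Return (start, count) of the first subordinate range owned by user."""
    for line in subuid_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            return int(start), int(count)
    raise LookupError(f"no subordinate IDs configured for {user!r}")


def build_uid_map(caller_uid, subuid_text, user):
    """Assumed layout: caller becomes root inside, subuids back IDs 1..count."""
    start, count = subid_range(subuid_text, user)
    return [Extent(0, caller_uid, 1), Extent(1, start, count)]


def to_outer(uid_map, inner_id):
    """Host UID behind an in-namespace UID, or None if it is unmapped."""
    for e in uid_map:
        if e.inner <= inner_id < e.inner + e.count:
            return e.outer + (inner_id - e.inner)
    return None


def foreign_owners(uid_map, caller_uid, inner_owners):
    """In-namespace owners whose files are not the caller's on the host."""
    return [i for i in inner_owners if to_outer(uid_map, i) != caller_uid]


def format_uid_map(uid_map):
    """Render extents in the /proc/<pid>/uid_map line format."""
    return "".join(f"{e.inner} {e.outer} {e.count}\n" for e in uid_map)


if __name__ == "__main__":
    m = build_uid_map(1000, SAMPLE_SUBUID, "builder")
    print(format_uid_map(m), end="")
    print("not owned by caller on host:", foreign_owners(m, 1000, [0, 33, 1000]))
```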