[PATCH] kas: Support kas build system selection

[PATCH] kas: Support kas build system selection

[Anton Mikanovich]

This adds yaml Kconfig options that allow to choose kas build system
from the following list:

  --isar-rootless
  --isar-privileged

After moving to rootless kas container previously used "--isar" option
turns deprecated and should be replaced by "--isar-privileged".

Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
---
 Kconfig         |  3 ++-
 kas/opt/Kconfig | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/Kconfig b/Kconfig
index 66dd4112..cfea1902 100644
--- a/Kconfig
+++ b/Kconfig
@@ -1,5 +1,5 @@
 # This software is a part of Isar.
-# Copyright (C) 2023 ilbers GmbH
+# Copyright (C) 2023-2026 ilbers GmbH
 #
 # SPDX-License-Identifier: MIT
 #
@@ -14,6 +14,7 @@ config KAS_INCLUDE_MAIN
 
 config KAS_BUILD_SYSTEM
 	string
+	default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
 	default "isar-rootless"
 
 source "kas/machine/Kconfig"
diff --git a/kas/opt/Kconfig b/kas/opt/Kconfig
index ac9b2f55..1bea49b8 100644
--- a/kas/opt/Kconfig
+++ b/kas/opt/Kconfig
@@ -115,6 +115,26 @@ config KAS_INCLUDE_USER_ISAR
 
 endmenu
 
+
+menu "Kas build system"
+
+choice
+	prompt "Kas build system"
+	default KAS_BUILD_SYSTEM_ISAR_ROOTLESS
+	help
+          Rootless build mode is using unshare syscall to avoid security issues.
+          Otherwize privileged mode with sudo permissions still can be used.
+
+config KAS_BUILD_SYSTEM_ISAR_ROOTLESS
+	bool "Rootless (--isar-rootless)"
+
+config KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
+	bool "Privileged (--isar-privileged)"
+
+endchoice
+
+endmenu
+
 config KAS_IMAGE_FSTYPES
 	string "Additional image fstypes"
 	default ""
-- 
2.34.1

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260609085346.3949936-1-amikan%40ilbers.de.

Re: [PATCH] kas: Support kas build system selection

[Anton Mikanovich]

09.06.2026 11:53, Anton Mikanovich wrote:
> This adds yaml Kconfig options that allow to choose kas build system
> from the following list:
>
>    --isar-rootless
>    --isar-privileged
>
> After moving to rootless kas container previously used "--isar" option
> turns deprecated and should be replaced by "--isar-privileged".
>
> Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
This commit supposed to be a part of "add support to build isar 
unprivileged"
patchset to keep privileged kas building for backward compatibility.

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/16a7a1c7-1a83-43b2-a56a-52c04e7e4680%40ilbers.de.

Re: [PATCH] kas: Support kas build system selection

['MOESSBAUER, Felix' via isar-users]

On Tue, 2026-06-09 at 11:53 +0300, Anton Mikanovich wrote:
> This adds yaml Kconfig options that allow to choose kas build system
> from the following list:
> 
>   --isar-rootless
>   --isar-privileged
> 
> After moving to rootless kas container previously used "--isar" option
> turns deprecated and should be replaced by "--isar-privileged".
> 
> Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
> ---
>  Kconfig         |  3 ++-
>  kas/opt/Kconfig | 20 ++++++++++++++++++++
>  2 files changed, 22 insertions(+), 1 deletion(-)
> 
> diff --git a/Kconfig b/Kconfig
> index 66dd4112..cfea1902 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -1,5 +1,5 @@
>  # This software is a part of Isar.
> -# Copyright (C) 2023 ilbers GmbH
> +# Copyright (C) 2023-2026 ilbers GmbH
>  #
>  # SPDX-License-Identifier: MIT
>  #
> @@ -14,6 +14,7 @@ config KAS_INCLUDE_MAIN
>  
>  config KAS_BUILD_SYSTEM
>  	string
> +	default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
>  	default "isar-rootless"

Note, that this will only work on re-execution of kas, i.e. you need to
save the config and then run kas build. Running kas menu + build does
not work, as it is in the wrong container / execution mode.

Felix

>  
>  source "kas/machine/Kconfig"
> diff --git a/kas/opt/Kconfig b/kas/opt/Kconfig
> index ac9b2f55..1bea49b8 100644
> --- a/kas/opt/Kconfig
> +++ b/kas/opt/Kconfig
> @@ -115,6 +115,26 @@ config KAS_INCLUDE_USER_ISAR
>  
>  endmenu
>  
> +
> +menu "Kas build system"
> +
> +choice
> +	prompt "Kas build system"
> +	default KAS_BUILD_SYSTEM_ISAR_ROOTLESS
> +	help
> +          Rootless build mode is using unshare syscall to avoid security issues.
> +          Otherwize privileged mode with sudo permissions still can be used.
> +
> +config KAS_BUILD_SYSTEM_ISAR_ROOTLESS
> +	bool "Rootless (--isar-rootless)"
> +
> +config KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
> +	bool "Privileged (--isar-privileged)"
> +
> +endchoice
> +
> +endmenu
> +
>  config KAS_IMAGE_FSTYPES
>  	string "Additional image fstypes"
>  	default ""
> -- 
> 2.34.1
> 
> -- 
> You received this message because you are subscribed to the Google Groups "isar-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/isar-users/20260609085346.3949936-1-amikan%40ilbers.de.

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/527456aafc3c58425ae24b2279d14e0445ec200d.camel%40siemens.com.

Re: [PATCH] kas: Support kas build system selection

[Anton Mikanovich]

09.06.2026 14:01, MOESSBAUER, Felix wrote:
> On Tue, 2026-06-09 at 11:53 +0300, Anton Mikanovich wrote:
>>   config KAS_BUILD_SYSTEM
>>   	string
>> +	default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
>>   	default "isar-rootless"
> Note, that this will only work on re-execution of kas, i.e. you need to
> save the config and then run kas build. Running kas menu + build does
> not work, as it is in the wrong container / execution mode.
>
> Felix
In this case previously set "--isar" value will be used, which is still
supported but results in warning by kas.
Is it a big problem?

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/76c90852-b0a0-4cd8-893a-b36a1300060c%40ilbers.de.

Re: [PATCH] kas: Support kas build system selection

['MOESSBAUER, Felix' via isar-users]

On Tue, 2026-06-09 at 14:07 +0300, Anton Mikanovich wrote:
> 09.06.2026 14:01, MOESSBAUER, Felix wrote:
> > On Tue, 2026-06-09 at 11:53 +0300, Anton Mikanovich wrote:
> > >   config KAS_BUILD_SYSTEM
> > >   	string
> > > +	default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
> > >   	default "isar-rootless"
> > Note, that this will only work on re-execution of kas, i.e. you need to
> > save the config and then run kas build. Running kas menu + build does
> > not work, as it is in the wrong container / execution mode.
> > 
> > Felix
> In this case previously set "--isar" value will be used, which is still
> supported but results in warning by kas.
> Is it a big problem?

Well... --isar and --isar-privileged are the same. We should anyways
use --isar to still support older kas releases (in fact we don't even
have a kas release which supports --isar-privileged yet).

The bigger issue is that kas-container --isar-rootless only affects how
the container is started, but not how the build is started. The build
is started based on the build_system entry in the config.yaml file,
whereby rootless mode sets the ISAR_ROOTLESS=1 variable in the local
config.

kas-container also reads the build_system value from the KConfig or
.config.yml and starts the container accordingly. By that, we have to
treat the build system mode (rootless or privileged) as INPUT to kas
menu instead of a KConfig option of the menu.

My proposal is to just keep the build_system as "isar" in both the
KConfig and isar.yaml for now (at least until we have a kas version
that supports both). Later on, we can model the switching.

Best regards,
Felix

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/d42a8ae255c3847f0bf0a276783ade94d80a3754.camel%40siemens.com.

Re: [PATCH] kas: Support kas build system selection

['MOESSBAUER, Felix' via isar-users]

On Tue, 2026-06-09 at 11:01 +0000, 'MOESSBAUER, Felix' via isar-users
wrote:
> On Tue, 2026-06-09 at 11:53 +0300, Anton Mikanovich wrote:
> > This adds yaml Kconfig options that allow to choose kas build system
> > from the following list:
> > 
> >   --isar-rootless
> >   --isar-privileged
> > 
> > After moving to rootless kas container previously used "--isar" option
> > turns deprecated and should be replaced by "--isar-privileged".
> > 
> > Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
> > ---
> >  Kconfig         |  3 ++-
> >  kas/opt/Kconfig | 20 ++++++++++++++++++++
> >  2 files changed, 22 insertions(+), 1 deletion(-)
> > 
> > diff --git a/Kconfig b/Kconfig
> > index 66dd4112..cfea1902 100644
> > --- a/Kconfig
> > +++ b/Kconfig
> > @@ -1,5 +1,5 @@
> >  # This software is a part of Isar.
> > -# Copyright (C) 2023 ilbers GmbH
> > +# Copyright (C) 2023-2026 ilbers GmbH
> >  #
> >  # SPDX-License-Identifier: MIT
> >  #
> > @@ -14,6 +14,7 @@ config KAS_INCLUDE_MAIN
> >  
> >  config KAS_BUILD_SYSTEM
> >  	string
> > +	default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
> >  	default "isar-rootless"

PS: kas-container is not able to parse this. We must use a trivial
KAS_BUILD_SYSTEM definition.

[1]
https://github.com/siemens/kas/blob/c9e4f67a1a8a7310f81519954370241bba4981c2/kas-container#L568

Felix

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/ae86cf2870ae25f7ec2bc9082d5bea0b9841d3ac.camel%40siemens.com.

Re: [PATCH] kas: Support kas build system selection

['Jan Kiszka' via isar-users]

On 09.06.26 10:53, Anton Mikanovich wrote:
> This adds yaml Kconfig options that allow to choose kas build system
> from the following list:
> 
>   --isar-rootless
>   --isar-privileged
> 
> After moving to rootless kas container previously used "--isar" option
> turns deprecated and should be replaced by "--isar-privileged".
> 
> Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
> ---
>  Kconfig         |  3 ++-
>  kas/opt/Kconfig | 20 ++++++++++++++++++++
>  2 files changed, 22 insertions(+), 1 deletion(-)
> 
> diff --git a/Kconfig b/Kconfig
> index 66dd4112..cfea1902 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -1,5 +1,5 @@
>  # This software is a part of Isar.
> -# Copyright (C) 2023 ilbers GmbH
> +# Copyright (C) 2023-2026 ilbers GmbH
>  #
>  # SPDX-License-Identifier: MIT
>  #
> @@ -14,6 +14,7 @@ config KAS_INCLUDE_MAIN
>  
>  config KAS_BUILD_SYSTEM
>  	string
> +	default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
>  	default "isar-rootless"
>  
>  source "kas/machine/Kconfig"
> diff --git a/kas/opt/Kconfig b/kas/opt/Kconfig
> index ac9b2f55..1bea49b8 100644
> --- a/kas/opt/Kconfig
> +++ b/kas/opt/Kconfig
> @@ -115,6 +115,26 @@ config KAS_INCLUDE_USER_ISAR
>  
>  endmenu
>  
> +
> +menu "Kas build system"
> +
> +choice
> +	prompt "Kas build system"
> +	default KAS_BUILD_SYSTEM_ISAR_ROOTLESS
> +	help
> +          Rootless build mode is using unshare syscall to avoid security issues.
> +          Otherwize privileged mode with sudo permissions still can be used.
> +
> +config KAS_BUILD_SYSTEM_ISAR_ROOTLESS
> +	bool "Rootless (--isar-rootless)"
> +
> +config KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
> +	bool "Privileged (--isar-privileged)"
> +
> +endchoice
> +
> +endmenu
> +
>  config KAS_IMAGE_FSTYPES
>  	string "Additional image fstypes"
>  	default ""

As Felix already pointed out, this will not work. I would recommend to
stick with privileged builds until there is at least a kas release which
comes with the required support. Then, Isar could switch its default
over to rootless, leaving privileged mode only via command line
selection for CI purposes.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/40aee07a-beb6-4c8f-b70e-f10900bccd02%40siemens.com.