Re: [PATCH v3 1/6] rootfs: introduce wrapper to run commands against a rootfs

["'cedric.hombourger@siemens.com' via isar-users" <isar-users@googlegroups.com>]

On Mon, 2025-09-15 at 10:28 +0200, Jan Kiszka wrote:
> On 25.06.25 21:37, 'Cedric Hombourger' via isar-users wrote:
> > "sudo chroot" is used in several places to run commands inside
> > rootfs
> > directories constructed by Isar. There are cases where a command
> > could
> > be used without elevated privileges as long as special folders such
> > as
> > /isar-apt are mounted (they are often referenced as /isar-apt in
> > configuration files found in the target rootfs). For such cases,
> > bubblewrap may be used to create a non-privileged namespace (either
> > in a bare/native environment or within a docker/podman container)
> > where the command will be executed as if chroot had been used. The
> > rootfs may also be the host root file-system: this should however
> > be used with care to avoid host contamination problems (note: Isar
> > already relies on a number of host tools).
> 
> Where does this take the commands from then, the host env or some
> better
> defined rootfs that is aligned with the target rootfs release-wise?
> Is
> that controlled by the caller or implicitly by the wrapper.

rootfs_cmd is a general-purpose helper and does not select a rootfs of
its own where it will run commands from. This is left to the caller to
decide. given a rootfs, it will let bubblewrap create a namespace with
relevant mappings, optionally chdir to a specified directory and run
the user-specified command.

> 
> I have to remind that we cannot blindly use host-side tools on the
> target rootfs (except for the very basic ones) as the latter may be
> newer than the former and not necessarily compatible.

Agreed. if we agree on introducing rootfs_cmd then uses shall be
audited. Reliance on host-tools shall be kept to a minimum to avoid
host-contamination problems but also avoid incompatibilities as you
have correctly noted.

We can debate whether the 1st user of rootfs_cmd from this patch series
(using apt to download source packages from a target rootfs) should
have used apt from / (hopefully a kas-container but not guaranteed) or
from Isar's host rootfs. With mmdebstrap (used from /) using apt (also
from /), I felt that it was ok.

If you prefer that I switch to have rootfs_cmd call apt from an Isar
host rootfs then I can rework the patch series to do so. We may have
other cases where we need a host tool (pulled into an Isar's host
rootfs) to operate on a target rootfs.

Please advise.

> 
> Jan
> 
> > 
> > Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
> > ---
> >  RECIPE-API-CHANGELOG.md     |  7 ++++
> >  doc/user_manual.md          |  1 +
> >  meta/classes/rootfs.bbclass | 67
> > +++++++++++++++++++++++++++++++++++++
> >  3 files changed, 75 insertions(+)
> > 
> > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
> > index 8468717d..18b90555 100644
> > --- a/RECIPE-API-CHANGELOG.md
> > +++ b/RECIPE-API-CHANGELOG.md
> > @@ -727,3 +727,10 @@ Changes in next
> >  
> >  This was never documented and never had practical relevance. `oci-
> > archive` is
> >  the useful OCI image format that can be imported, e.g., by podman.
> > +
> > +### Require bubblewrap to run non-privileged commands with bind-
> > mounts
> > +
> > +Isar occasionally needs to run commands within root file-systems
> > that it
> > +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap
> > may be
> > +used in Isar classes instead of `sudo chroot`. It is pre-installed
> > in
> > +kas-container version 4.8 (or later).
> > diff --git a/doc/user_manual.md b/doc/user_manual.md
> > index ca551a0d..a4fff34a 100644
> > --- a/doc/user_manual.md
> > +++ b/doc/user_manual.md
> > @@ -75,6 +75,7 @@ Install the following packages:
> >  ```
> >  apt install \
> >    binfmt-support \
> > +  bubblewrap \
> >    bzip2 \
> >    mmdebstrap \
> >    arch-test \
> > diff --git a/meta/classes/rootfs.bbclass
> > b/meta/classes/rootfs.bbclass
> > index 5f877962..429494ae 100644
> > --- a/meta/classes/rootfs.bbclass
> > +++ b/meta/classes/rootfs.bbclass
> > @@ -34,6 +34,73 @@ export LANG = "C"
> >  export LANGUAGE = "C"
> >  export LC_ALL = "C"
> >  
> > +# Execute a command against a rootfs and with isar-apt bind-
> > mounted.
> > +# Additional mounts may be specified using --bind <source>
> > <target> and a
> > +# custom directory for the command to be executed with --chdir
> > <dir>. The
> > +# command is assumed to follow the special "--" argument. This
> > would replace
> > +# "sudo chroot" calls especially when a native command may be used
> > instead of
> > +# chroot'ed command and without elevated privileges (the command
> > will likely
> > +# take the rootfs as argument; e.g. apt-get -o Dir=${ROOTFSDIR}).
> > If the
> > +# optional rootfs argument is omitted, the host rootfs will be
> > used (e.g. to
> > +# run native commands): this should be used with care.
> > +#
> > +# Usage: rootfs_cmd [options] [rootfs] -- command
> > +#
> > +rootfs_cmd() {
> > +    set -- "$@"
> > +    bwrap_args="--bind ${REPO_ISAR_DIR}/${DISTRO} /isar-apt"
> > +    bwrap_binds=""
> > +    bwrap_rootfs=""
> > +
> > +    while [ "${#}" -gt "0" ] && [ "${1}" != "--" ]; do
> > +        case "${1}" in
> > +            --bind)
> > +                if [ "${#}" -lt "3" ]; then
> > +                    bbfatal "--bind requires two arguments"
> > +                fi
> > +                bwrap_binds="${bwrap_binds} --bind ${2} ${3}"
> > +                shift 3
> > +                ;;
> > +            --chdir)
> > +                if [ "${#}" -lt "2" ]; then
> > +                    bbfatal "${1} requires an argument"
> > +                fi
> > +                bwrap_args="${bwrap_args} ${1} ${2}"
> > +                shift 2
> > +                ;;
> > +            -*)
> > +                bbfatal "${1} is not a supported option!"
> > +                ;;
> > +            *)
> > +                if [ -z "${bwrap_rootfs}" ]; then
> > +                    bwrap_rootfs="${1}"
> > +                    shift
> > +                else
> > +                    bbfatal "unexpected argument '${1}'"
> > +                fi
> > +                ;;
> > +        esac
> > +    done
> > +
> > +    if [ -n "${bwrap_rootfs}" ]; then
> > +        bwrap_args="${bwrap_args} --bind ${bwrap_rootfs} /"
> > +    fi
> > +
> > +    if [ "${#}" -le "1" ] || [ "${1}" != "--" ]; then
> > +        bbfatal "no command specified (missing --)"
> > +    fi
> > +    shift  # remove "--", command and its arguments follows
> > +
> > +    for ro_d in bin etc lib lib64 sys usr var; do
> > +        [ -d ${bwrap_rootfs}/${ro_d} ] || continue
> > +        bwrap_args="${bwrap_args} --ro-bind
> > ${bwrap_rootfs}/${ro_d} /${ro_d}"
> > +    done
> > +
> > +    bwrap --unshare-user --unshare-pid ${bwrap_args} \
> > +        --dev-bind /dev /dev --proc /proc --tmpfs /tmp \
> > +        ${bwrap_binds} -- "${@}"
> > +}
> > +
> >  rootfs_do_mounts[weight] = "3"
> >  rootfs_do_mounts() {
> >      sudo -s <<'EOSUDO'
> 
> 

-- 
Cedric Hombourger
Siemens AG
www.siemens.com

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/40ffc532715cbb285f2e41ec11909a7ff145da05.camel%40siemens.com.