Message-ID: <4365217a-491e-4b9c-9a8f-f9c92ce6bcda@ilbers.de>
Date: Fri, 19 Jun 2026 11:00:00 +0200
Subject: Re: [PATCH v6 00/17] add support to build isar unprivileged
To: Felix Moessbauer, isar-users@googlegroups.com
Cc: jan.kiszka@siemens.com, quirin.gylstorff@siemens.com
References: <20260615092458.259691-1-felix.moessbauer@siemens.com>
From: Zhihang Wei
In-Reply-To: <20260615092458.259691-1-felix.moessbauer@siemens.com>

On 6/15/26 11:24, 'Felix Moessbauer' via isar-users wrote:
> Dear isar-users,
>
> currently isar requires password-less sudo and an environment
> where mounting file systems is possible. This has proven problematic
> for security reasons, both when running in a privileged container or
> locally.
>
> To solve this, we implement fully rootless builds that rely on the
> unshare syscall which allows us to avoid sudo and instead operate in
> temporary kernel namespaces as a user that is just privileged within
> that namespace. This comes with some challenges regarding the handling
> of mounts (they are cleared when leaving the namespace), as well as
> cross namespace deployments (the outer user might not be able to access
> the inner data). For that, we rework the handling of mounts and artifact
> passing to make it compatible with both chroot modes (schroot and
> unshare).
>
> Note, that this series can be tested on a custom kas-container build
> provided in [1]. Hints how to migrate downstream layers are provided
> in the API changelog.
>
> Changes since PATCH v5:
>
> - rebased onto next
> - adjust to changes from "Rootfs install race fix for isar-apt packages":
>   Manually add isar-apt mount in rootfs_install_pkgs_isar_download on
>   rootless
> - adjust to changes in "image-postproc: gate systemd preset-all on masked
>   unit state": Trivial change to use run_in_chroot instead of sudo chroot.
>

Hi,

I found an issue when testing in rootless mode. The test was run using a
test-container with a customized kas container built on 25307f7.

The following test case fails:

testsuite/citest.py:NoCrossTest.test_nocross

when building 'mc:qemumipsel-bookworm:isar-image-ci' in nocross mode.
Logs follow:

[stdlog] 2026-06-19 09:30:44,290 avocado.app cibuilder L0347 ERROR| ERROR: mc:qemumipsel-bookworm:isar-mmdebstrap-target-1.0-r0 do_bootstrap: ExecutionError('/isar/build/tmp/work/debian-bookworm-mipsel/isar-mmdebstrap-target/1.0-r0/temp/run.do_bootstrap.2096', 25, None, None)
[stdlog] 2026-06-19 09:30:44,290 avocado.app cibuilder L0347 ERROR| ERROR: Logfile of failure stored in: /isar/build/tmp/work/debian-bookworm-mipsel/isar-mmdebstrap-target/1.0-r0/temp/log.do_bootstrap.2096

DEBUG: Executing python function sstate_task_prefunc
DEBUG: Python function sstate_task_prefunc finished
DEBUG: Executing shell function do_bootstrap
removed '/isar/build/tmp/work/debian-bookworm-mipsel/isar-mmdebstrap-target/1.0-r0/sources.list.d/bootstrap.list'
'/isar/build/tmp/work/debian-bookworm-mipsel/isar-mmdebstrap-target/1.0-r0/apt-sources' -> '/isar/build/tmp/work/debian-bookworm-mipsel/isar-mmdebstrap-target/1.0-r0/sources.list.d/bootstrap.list'
W: binfmt_misc not found in /proc/mounts -- not mounted?
W: cannot find update-binfmts
E: mipsel can neither be executed natively nor via qemu user emulation with binfmt_misc

When testing them directly in rootful mode, we have an EXT4 filesystem
error also when running no_cross, but not known yet which target. Also
not sure whether it's related. Let me check and get back to you.

Zhihang
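
Added example (not part of the original message, and not Isar or mmdebstrap code): a POSIX shell diagnostic for the two conditions the log above reports, a binfmt_misc filesystem missing from the mounts table and no enabled qemu user-emulation handler for the target architecture. The function names and the "qemu-<arch>" handler naming are assumptions; file locations are parameters so the checks can also be pointed at fixtures.

```shell
#!/bin/sh
# Added diagnostic sketch; not Isar or mmdebstrap code.
# File locations are parameters so the checks can run against fixtures.

# Succeed if the mounts table lists a filesystem of type binfmt_misc.
binfmt_mounted() {
    mounts=${1:-/proc/mounts}
    # Field 3 of each /proc/mounts line is the filesystem type.
    awk '$3 == "binfmt_misc" { found = 1 } END { exit !found }' "$mounts" 2>/dev/null
}

# Print the interpreter of the enabled handler "qemu-<arch>" (assumed naming,
# as registered by Debian's qemu-user packages); fail if absent or disabled.
qemu_handler() {
    entry="${2:-/proc/sys/fs/binfmt_misc}/qemu-$1"
    [ -r "$entry" ] || return 1
    # The first line of a handler entry is "enabled" or "disabled".
    [ "$(head -n 1 "$entry")" = "enabled" ] || return 1
    sed -n 's/^interpreter //p' "$entry"
}

# Report which precondition for foreign-architecture execution is missing.
foreign_arch_status() {
    arch=$1
    mounts=${2:-/proc/mounts}
    dir=${3:-/proc/sys/fs/binfmt_misc}
    if ! binfmt_mounted "$mounts"; then
        echo "binfmt_misc-not-mounted"
        return 1
    fi
    if ! interp=$(qemu_handler "$arch" "$dir"); then
        echo "no-enabled-handler:qemu-$arch"
        return 1
    fi
    echo "ok:$interp"
}

# Usage: sh check.sh mipsel   (run inside the build environment)
if [ "$#" -gt 0 ]; then
    foreign_arch_status "$@"
fi
```

Running it both on the host and inside the rootless build environment shows whether the mount and the handler are visible in each.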