public inbox for isar-users@googlegroups.com
From: Uladzimir Bely <ubely@ilbers.de>
To: "MOESSBAUER, Felix" <felix.moessbauer@siemens.com>,
	"isar-users@googlegroups.com" <isar-users@googlegroups.com>
Cc: "Gylstorff, Quirin" <quirin.gylstorff@siemens.com>,
	"Kiszka, Jan" <jan.kiszka@siemens.com>
Subject: Re: [RFC v2 19/19] use copy of sbom-chroot for sbom creation
Date: Tue, 24 Feb 2026 14:59:52 +0300	[thread overview]
Message-ID: <597e22183bf6fa70ed1286a06c2f6657247086b6.camel@ilbers.de> (raw)
In-Reply-To: <32b1cfc2bd4136098ccc3e75b756d02b434a4d29.camel@siemens.com>

On Tue, 2026-02-24 at 11:36 +0000, MOESSBAUER, Felix wrote:
> On Tue, 2026-02-24 at 13:33 +0300, Uladzimir Bely wrote:
> > Hello Felix.
> > 
> > On Fri, 2026-02-20 at 18:16 +0100, 'Felix Moessbauer' via isar-
> > users
> > wrote:
> > > We previously used the same sbom-chroot for generating the sbom of
> > > different root filesystems. This required having a live copy of the
> > > sbom-chroot in the deploy dir, which was also operated on. Further,
> > > this copy was left behind in the deploy dir.
> > > 
> > > We improve this by just storing a minimized tarball of the sbom-chroot
> > > in the deploy dir and extracting that into the workdir of the rootfs.
> > > 
> > > Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> > > ---
> > >  meta/classes/sbom.bbclass                     | 29
> > > ++++++++++++++++-
> > > --
> > >  .../sbom-chroot/sbom-chroot.bb                | 11 ++++++-
> > >  2 files changed, 35 insertions(+), 5 deletions(-)
> > > 
> > > diff --git a/meta/classes/sbom.bbclass
> > > b/meta/classes/sbom.bbclass
> > > index e3d0e702..69c5d1b0 100644
> > > --- a/meta/classes/sbom.bbclass
> > > +++ b/meta/classes/sbom.bbclass
> > > @@ -23,7 +23,8 @@ SBOM_SPDX_NAMESPACE_PREFIX ?=
> > > "https://spdx.org/spdxdocs"
> > >  DEPLOY_DIR_SBOM = "${DEPLOY_DIR_IMAGE}"
> > >  
> > >  SBOM_DIR = "${DEPLOY_DIR}/sbom"
> > > -SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot"
> > > +SBOM_CHROOT = "${SBOM_DIR}/sbom-chroot.tar.zst"
> > > +SBOM_CHROOT_LOCAL = "${WORKDIR}/sbom-chroot"
> > 
> > This change also requires appropriate changes in at least image-
> > tools-
> > extension.bbclass and imagetype_wic.bbclass, e.g.:
> 
> Yes, I also found this later on and already fixed it. Will be part of
> the v3. Are you considering this patch relevant for the release? In
> this case I can just send the fixed version as a standalone patch on
> next. Just let me know.
> 
> 
Not sure it's ready enough for release.

I managed to build some targets using KAS_CONTAINER_ENGINE=podman,
but it doesn't work with the default "docker" value. The initial issue comes
from the option "--userns=keep-id" that podman has but docker doesn't.
But even when bypassing it, I faced some more issues under docker.
> 
> v3 also reworks the whole imaging part to require less (or ideally
> no)
> changes in downstream layers.
> 
> 
Anyway, if v3 fixes the mentioned docker-related issues, it would be good
to have the fixed version for further testing.
> 
> 
> Felix
> 
> > 
> > 
> > diff --git a/meta/classes-recipe/imagetypes_wic.bbclass
> > b/meta/classes-
> > recipe/imagetypes_wic.bbclass
> > index ebf3ce8e..34f2286e 100644
> > --- a/meta/classes-recipe/imagetypes_wic.bbclass
> > +++ b/meta/classes-recipe/imagetypes_wic.bbclass
> > @@ -216,13 +216,16 @@ merge_wic_sbom() {
> >      TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
> >      sbom_document_uuid="${@d.getVar('SBOM_DOCUMENT_UUID') or
> > generate_document_uuid(d, False)}"
> >  
> > +    mkdir -p ${SBOM_CHROOT_LOCAL}
> > +    tar -xf ${SBOM_CHROOT} -C ${SBOM_CHROOT_LOCAL}
> > +
> >      cat ${DEPLOY_DIR_IMAGE}/${IMAGE_FULLNAME}.${bomtype}.json \
> >          ${DEPLOY_DIR_IMAGE}/${INITRD_DEPLOY_FILE}.${bomtype}.json
> > \
> >          ${WORKDIR}/imager.${bomtype}.json 2>/dev/null | \
> >      bwrap \
> >          --unshare-user \
> >          --unshare-pid \
> > -        --bind ${SBOM_CHROOT} / \
> > +        --bind ${SBOM_CHROOT_LOCAL} / \
> >          -- debsbom -v merge -t $BOMTYPE \
> >              --distro-name '${SBOM_DISTRO_NAME}-Image' --distro-
> > supplier '${SBOM_DISTRO_SUPPLIER}' \
> >              --distro-version '${SBOM_DISTRO_VERSION}' --base-
> > distro-
> > vendor '${SBOM_BASE_DISTRO_VENDOR}' \
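Review bot: the extracted `${SBOM_CHROOT_LOCAL}` tree is never removed again in `merge_wic_sbom`, and on a re-run the `mkdir -p` followed by `tar -xf` extracts over whatever is already there, so this open-coded extraction behaves differently from the `prepare_sbom_chroot`/`cleanup_sbom_chroot` pair the main patch adds to `sbom.bbclass` (which extracts via `run_privileged_heredoc` and removes the copy in a `finally:`). Rather than repeating `mkdir -p ${SBOM_CHROOT_LOCAL}` / `tar -xf ${SBOM_CHROOT} -C ${SBOM_CHROOT_LOCAL}` here, call the shared prepare/cleanup functions so both wic and rootfs SBOM generation set up and tear down the chroot the same way, and note in a comment whether the unprivileged extraction here is intentional given the tarball was created with a privileged `tar -cp`.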
> > 
> > 
> > Without it, in my build this failed at wic stage (qemuamd64 target)
> > when attempting to bind-mount tar.zst:
> > 
> > 
> > bwrap --unshare-user --unshare-pid --bind
> >  /work/build/tmp/deploy/sbom/sbom-chroot.tar.zst / -- debsbom -v
> > merge
> > -t spdx --distro-name ISAR-Debian-GNU-Linux-Image --distro-supplier
> > ISAR --distro-version 1 --base-distro-vendor debian --cdx-
> > serialnumber
> > 4641ea56-9fce-4120-ae90-0784cd98d434 --spdx-namespace
> > https://spdx.org/spdxdocs-4641ea56-9fce-4120-ae90-0784cd98d434 --
> > timestamp 2024-03-04T18:14:11+03:00 - -o -
> > 
> > bwrap: Can't create file at /: Is a directory
> > 
> > 
> > >  
> > >  # adapted from the isar-cip-core image_uuid.bbclass
> > >  def generate_document_uuid(d, warn_not_repr=True):
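Review bot: `SBOM_CHROOT` keeps its name but changes from a directory path to a `.tar.zst` path, so every consumer that still passes it to `bwrap --bind ${SBOM_CHROOT} /` (the `imagetypes_wic.bbclass` and `image-tools-extension.bbclass` users named in this thread) now fails at runtime with `bwrap: Can't create file at /: Is a directory` instead of at parse time. Either update all `--bind ${SBOM_CHROOT}` users in the same patch, or give the tarball a distinct variable name (e.g. `SBOM_CHROOT_TARBALL`) so a stale user of the old directory semantics is easy to spot in a downstream layer.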
> > > @@ -40,14 +41,25 @@ def sbom_doc_uuid(d):
> > >      if not d.getVar("SBOM_DOCUMENT_UUID"):
> > >          d.setVar("SBOM_DOCUMENT_UUID",
> > > generate_document_uuid(d))
> > >  
> > > +prepare_sbom_chroot() {
> > > +    create_chroot_parent_dir ${WORKDIR}
> > > +    run_privileged_heredoc <<'EOF'
> > > +        set -e
> > > +        mkdir -p ${SBOM_CHROOT_LOCAL}
> > > +        tar -xf ${SBOM_CHROOT} -C ${SBOM_CHROOT_LOCAL}
> > > +EOF
> > > +}
> > > +
> > >  generate_sbom() {
> > > -    run_privileged mkdir -p ${SBOM_CHROOT}/mnt/rootfs
> > > ${SBOM_CHROOT}/mnt/deploy-dir
> > > +    run_privileged mkdir -p \
> > > +        ${SBOM_CHROOT_LOCAL}/mnt/rootfs \
> > > +        ${SBOM_CHROOT_LOCAL}/mnt/deploy-dir
> > >  
> > >      TIMESTAMP=$(date --iso-8601=s -d @${SOURCE_DATE_EPOCH})
> > >      bwrap \
> > >          --unshare-user \
> > >          --unshare-pid \
> > > -        --bind ${SBOM_CHROOT} / \
> > > +        --bind ${SBOM_CHROOT_LOCAL} / \
> > >          --bind ${ROOTFSDIR} /mnt/rootfs \
> > >          --bind ${DEPLOY_DIR_SBOM} /mnt/deploy-dir \
> > >          -- debsbom -v generate ${SBOM_DEBSBOM_TYPE_ARGS} -r
> > > /mnt/rootfs -o /mnt/deploy-dir/'${PN}-${DISTRO}-${MACHINE}' \
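Review bot: `prepare_sbom_chroot` and the `run_privileged mkdir -p ${SBOM_CHROOT_LOCAL}/mnt/rootfs ${SBOM_CHROOT_LOCAL}/mnt/deploy-dir` at the top of `generate_sbom` are two separate privileged steps for one setup of the per-task chroot; folding the `mkdir -p` of `mnt/rootfs` and `mnt/deploy-dir` into the same `run_privileged_heredoc` would leave a single privileged block with one `set -e`. A one-line comment on `prepare_sbom_chroot` stating why each `do_generate_sbom` needs its own extracted copy (concurrent SBOM tasks previously shared and wrote into one live chroot, per the commit message) would also help the next reader.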
> > > @@ -59,8 +71,17 @@ generate_sbom() {
> > >              --timestamp $TIMESTAMP ${SBOM_DEBSBOM_EXTRA_ARGS}
> > >  }
> > >  
> > > +cleanup_sbom_chroot() {
> > > +    run_privileged rm -rf ${SBOM_CHROOT_LOCAL}
> > > +}
> > > +
> > >  do_generate_sbom[dirs] += "${DEPLOY_DIR_SBOM}"
> > > +do_generate_sbom[network] = "${TASK_USE_SUDO}"
> > >  python do_generate_sbom() {
> > >      sbom_doc_uuid(d)
> > > -    bb.build.exec_func("generate_sbom", d)
> > > +    try:
> > > +        bb.build.exec_func("prepare_sbom_chroot", d)
> > > +        bb.build.exec_func("generate_sbom", d)
> > > +    finally:
> > > +        bb.build.exec_func("cleanup_sbom_chroot", d)
> > >  }
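Review bot: if the privileged `rm -rf` in `cleanup_sbom_chroot` fails inside the `finally:` branch, its exception replaces the original one from `prepare_sbom_chroot`/`generate_sbom` and the real build failure is hidden; consider catching and logging a cleanup failure there so the first error is what the task reports. The new `do_generate_sbom[network] = "${TASK_USE_SUDO}"` line would also benefit from a short comment explaining why an SBOM generation task needs the network flag, since nothing in `generate_sbom` itself uses the network and the connection to privileged execution is not obvious from the name alone.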
> > > diff --git a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
> > > b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
> > > index bf6d6683..fec1f502 100644
> > > --- a/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
> > > +++ b/meta/recipes-devtools/sbom-chroot/sbom-chroot.bb
> > > @@ -27,7 +27,16 @@ ROOTFSDIR = "${WORKDIR}/rootfs"
> > >  ROOTFS_PACKAGES = "${SBOM_IMAGE_INSTALL}"
> > >  
> > >  do_sbomchroot_deploy[dirs] = "${SBOM_DIR}"
> > > +do_sbomchroot_deploy[network] = "${TASK_USE_SUDO}"
> > >  do_sbomchroot_deploy() {
> > > -    ln -Tfsr "${ROOTFSDIR}" "${SBOM_CHROOT}"
> > > +    # deploy with empty var to make it smaller
> > > +    lopts="--one-file-system --exclude=var/*"
> > > +    ZSTD="zstd -${SSTATE_ZSTD_CLEVEL} -T${ZSTD_THREADS}"
> > > +
> > > +    run_privileged \
> > > +        tar -C ${ROOTFSDIR} -cpS $lopts ${ROOTFS_TAR_ATTR_FLAGS}
> > > . \
> > > +            | $ZSTD > ${SBOM_CHROOT}
> > > +    # cleanup extracted rootfs
> > > +    run_privileged rm -rf ${ROOTFSDIR}
> > >  }
> > >  addtask do_sbomchroot_deploy before do_build after do_rootfs
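Review bot: in `tar -C ${ROOTFSDIR} -cpS $lopts ${ROOTFS_TAR_ATTR_FLAGS} . | $ZSTD > ${SBOM_CHROOT}` only `tar` runs under `run_privileged`, and the pipeline's exit status is that of `$ZSTD`, so with bitbake's `set -e` but no `pipefail` a failing `tar` still produces a truncated but valid-looking `${SBOM_CHROOT}` and the task succeeds; writing tar's output to a temporary file and checking its status, or letting tar drive the compressor via `--use-compress-program`, gives a single exit status to act on. Separately, the `run_privileged rm -rf ${ROOTFSDIR}` at the end leaves the `do_rootfs` stamp valid while its output is gone, so any other task scheduled after `do_rootfs` that reads `${ROOTFSDIR}`, or a re-run of `do_sbomchroot_deploy` alone after the deploy dir is cleaned, finds nothing; if that is intended, a comment documenting that the rootfs is consumed here would help.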
> > > -- 
> > > 2.51.0
> > 
> > --
> > Best regards,
> > Uladzimir.
> 
> -- 
> Siemens AG
> Linux Expert Center
> Friedrich-Ludwig-Bauer-Str. 3
> 85748 Garching, Germany

-- 
Best regards,
Uladzimir.

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/597e22183bf6fa70ed1286a06c2f6657247086b6.camel%40ilbers.de.


Thread overview: 26+ messages
2026-02-20 17:15 [RFC v2 00/20] add support to build isar unprivileged 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 01/19] refactor bootstrap: store rootfs tar with user permissions 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 02/19] deb-dl-dir: export without root privileges 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 03/19] download debs without locking 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 04/19] introduce wrappers for privileged execution 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 05/19] bootstrap: move cleanup trap to function 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 06/19] rootfs: rework sstate caching of rootfs artifact 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 07/19] rootfs_generate_initramfs: rework deployment to avoid chowning 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 08/19] wic: rework image deploy logic to deploy under correct user 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 09/19] use bitbake function to generate mounting scripts 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 10/19] apt-fetcher: prepare for chroot specific fetching 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 11/19] add support for fully rootless builds 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 12/19] add helper script to clean artifacts in build dir 'Felix Moessbauer' via isar-users
2026-02-20 18:24   ` 'Jan Kiszka' via isar-users
2026-02-20 17:15 ` [RFC v2 13/19] apt-fetcher: implement support for unshare backend 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 14/19] vm images: make compatible with rootless build 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 15/19] ddi image: convert to two stage deploy 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 16/19] container images: make compatible with rootless build 'Felix Moessbauer' via isar-users
2026-02-20 17:15 ` [RFC v2 17/19] dpkg-source: implement multiarch support for unshare backend 'Felix Moessbauer' via isar-users
2026-02-20 17:16 ` [RFC v2 18/19] rootfs: remove temporary sstate deploy directory after task execution 'Felix Moessbauer' via isar-users
2026-02-20 17:16 ` [RFC v2 19/19] use copy of sbom-chroot for sbom creation 'Felix Moessbauer' via isar-users
2026-02-24 10:33   ` Uladzimir Bely
2026-02-24 11:36     ` 'MOESSBAUER, Felix' via isar-users
2026-02-24 11:59       ` Uladzimir Bely [this message]
2026-02-24 12:28         ` 'MOESSBAUER, Felix' via isar-users
2026-02-20 17:24 ` [RFC v2 00/20] add support to build isar unprivileged 'Jan Kiszka' via isar-users
