From: Zhihang Wei
Date: Fri, 29 May 2026 16:03:02 +0200
Subject: Re: [PATCH v3 00/16] add support to build isar unprivileged
To: "MOESSBAUER, Felix", "isar-users@googlegroups.com"
Cc: "Kiszka, Jan", "Gylstorff, Quirin"
Message-ID: <5b55371c-825d-4ab2-aaa5-fd55733c34fe@ilbers.de>
References: <20260407142310.2327696-1-felix.moessbauer@siemens.com> <88aa53960d349c6679345286a5bed59113b0661d.camel@siemens.com> <892939b2-5d73-4bd2-b1d8-dbd918f9fb23@ilbers.de>

On 5/29/26 15:07, MOESSBAUER, Felix wrote:
> On Fri, 2026-05-29 at 14:28 +0200, Zhihang Wei wrote:
>> On 5/26/26 11:43, 'MOESSBAUER, Felix' via isar-users wrote:
>>> On Tue, 2026-04-07 at 16:22 +0200, Felix Moessbauer wrote:
>>>> Dear isar-users,
>>>>
>>>> currently isar requires password-less sudo and an environment
>>>> where mounting file systems is possible. This has proven problematic
>>>> for security reasons, both when running in a privileged container or
>>>> locally.
>>>>
>>>> To solve this, we implement fully rootless builds that rely on the
>>>> unshare syscall which allows us to avoid sudo and instead operate in
>>>> temporary kernel namespaces as a user that is just privileged within
>>>> that namespace. This comes with some challenges regarding the handling
>>>> of mounts (they are cleared when leaving the namespace), as well as
>>>> cross namespace deployments (the outer user might not be able to access
>>>> the inner data). For that, we rework the handling of mounts and artifact
>>>> passing to make it compatible with both chroot modes (schroot and
>>>> unshare).
>>> Any news on this one? Do you want me to send a rebase? I did not
>>> receive any objections regarding the proposed interface on the kas
>>> side. By that, I would like to move forward with this.
>>>
>>> I'm also fine with scheduling this behind the testsuite execution
>>> series ("Improve testsuite executability, basic GitHub CI"), as this
>>> significantly simplifies testing.
>>>
>>> Just let me know.
>>>
>>> Best regards,
>>> Felix
>> Hi Felix,
>>
>> We were testing this patch on downstreams and in CI. Tests on
>> downstreams seem fine.
> Hi, that's good to know. The corresponding kas patches are now also
> rebased and will be added to kas:next soon [1]
>
> [1] https://groups.google.com/g/kas-devel/c/ibWQT0-FtCg
>
That's good to know.
>> One issue did show up on CI. "InitRdCrossTests.test_dracut_in_image" in full
>> failed. (There are two test cases named as test_dracut_in_image, one in
>> fast, one in full).
>>
>> Specifically, the built image isar-image-ci-debian-bookworm-qemuarm64
>> does not boot. I found nothing was added into the initrd. The generated
>> initrd image has a size of zero bytes.
> I'll have a look. Thanks for the detailed report. Just for
> clarification: Does this fail under rootless or default / root?
It's under default root.

Zhihang