Re: [PATCH v3 00/16] add support to build isar unprivileged

[Zhihang Wei <wzh@ilbers.de>]

On 5/26/26 11:43, 'MOESSBAUER, Felix' via isar-users wrote:
> On Tue, 2026-04-07 at 16:22 +0200, Felix Moessbauer wrote:
>> Dear isar-users,
>>
>> currently isar requires password-less sudo and an environment
>> where mounting file systems is possible. This has proven problematic
>> for security reasons, both when running in a privileged container or
>> locally.
>>
>> To solve this, we implement fully rootless builds that rely on the
>> unshare syscall which allows us to avoid sudo and instead operate in
>> temporary kernel namespaces as a user that is just privileged within
>> that namespace. This comes with some challenges regarding the handling
>> of mounts (they are cleared when leaving the namespace), as well as
>> cross namespace deployments (the outer user might not be able to access
>> the inner data). For that, we rework the handling of mounts and artifact
>> passing to make it compatible with both chroot modes (schroot and
>> unshare).
> Any news on this one? Do you want me to send a rebase? I did not
> receive any objections regarding the proposed interface on the kas
> side. By that, I would like to move forward with this.
>
> I'm also fine with scheduling this behind the testsuite execution
> series ("Improve testsuite executability, basic GitHub CI"), as this
> significantly simplifies testing.
>
> Just let me know.
>
> Best regards,
> Felix

Hi Felix,

We were testing this patch on downstreams and in CI. Tests on 
downstreams seem
fine.

One issue did show up on CI. "InitRdCrossTests.test_dracut_in_image" in full
failed. (There are two test cases named as test_dracut_in_image, one in 
fast,
one in full).

Specifically, the built image isar-image-ci-debian-bookworm-qemuarm64 
does not
boot. I found nothing was added into the initrd. The generated initrd 
image has
a size of zero bytes.

The log 
tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/temp/log.do_generate_initramfs
coule be relevant. It's pasted below.

Zhihang

DEBUG: Executing python function sstate_task_prefunc
DEBUG: Python function sstate_task_prefunc finished
DEBUG: Executing python function do_generate_initramfs
DEBUG: Executing python function rootfs_do_mounts
DEBUG: Executing shell function rootfs_do_mounts_priv
DEBUG: Shell function rootfs_do_mounts_priv finished
DEBUG: Python function rootfs_do_mounts finished
DEBUG: Executing shell function rootfs_do_qemu
DEBUG: Shell function rootfs_do_qemu finished
DEBUG: Executing shell function rootfs_generate_initramfs
Total number of modules: 3684
Generating initrd for kernel version: 6.1.0-49-arm64
dracut: Executing: /usr/bin/dracut --force --kver 6.1.0-49-arm64 --add 
example-lighttpd
dracut: dracut module 'mksh' will not be installed, because command 
'mksh' could not be found!
dracut: dracut module 'systemd-coredump' will not be installed, because 
command 'coredumpctl' could not be found!
dracut: dracut module 'systemd-coredump' will not be installed, because 
command '/usr/lib/systemd/systemd-coredump' could not be found!
dracut: dracut module 'systemd-portabled' will not be installed, because 
command 'portablectl' could not be found!
dracut: dracut module 'systemd-portabled' will not be installed, because 
command '/usr/lib/systemd/systemd-portabled' could not be found!
dracut: dracut module 'modsign' will not be installed, because command 
'keyctl' could not be found!
dracut: dracut module 'busybox' will not be installed, because command 
'busybox' could not be found!
dracut: dracut module 'dbus-broker' will not be installed, because 
command 'dbus-broker' could not be found!
dracut: dracut module 'rngd' will not be installed, because command 
'rngd' could not be found!
dracut: dracut module 'connman' will not be installed, because command 
'connmand' could not be found!
dracut: dracut module 'connman' will not be installed, because command 
'connmanctl' could not be found!
dracut: dracut module 'connman' will not be installed, because command 
'connmand-wait-online' could not be found!
dracut: dracut module 'network-legacy' will not be installed, because 
command 'pgrep' could not be found!
dracut: dracut module 'url-lib' will not be installed, because command 
'curl' could not be found!
dracut: 62bluetooth: Could not find any command of 
'/usr/lib/bluetooth/bluetoothd /usr/libexec/bluetooth/bluetoothd'!
dracut: dracut module 'lvmmerge' will not be installed, because command 
'lvm' could not be found!
dracut: dracut module 'lvmthinpool-monitor' will not be installed, 
because command 'lvm' could not be found!
dracut: dracut module 'btrfs' will not be installed, because command 
'btrfs' could not be found!
dracut: dracut module 'dmraid' will not be installed, because command 
'dmraid' could not be found!
dracut: dracut module 'lvm' will not be installed, because command 'lvm' 
could not be found!
dracut: dracut module 'mdraid' will not be installed, because command 
'mdadm' could not be found!
dracut: dracut module 'multipath' will not be installed, because command 
'multipath' could not be found!
dracut: dracut module 'crypt-gpg' will not be installed, because command 
'gpg' could not be found!
dracut: dracut module 'pcsc' will not be installed, because command 
'pcscd' could not be found!
dracut: dracut module 'tpm2-tss' will not be installed, because command 
'tpm2' could not be found!
dracut: dracut module 'cifs' will not be installed, because command 
'mount.cifs' could not be found!
dracut: dracut module 'fcoe' will not be installed, because command 
'dcbtool' could not be found!
dracut: dracut module 'fcoe' will not be installed, because command 
'fipvlan' could not be found!
dracut: dracut module 'fcoe' will not be installed, because command 
'lldpad' could not be found!
dracut: dracut module 'fcoe' will not be installed, because command 
'fcoemon' could not be found!
dracut: dracut module 'fcoe' will not be installed, because command 
'fcoeadm' could not be found!
dracut: dracut module 'fcoe-uefi' will not be installed, because command 
'dcbtool' could not be found!
dracut: dracut module 'fcoe-uefi' will not be installed, because command 
'fipvlan' could not be found!
dracut: dracut module 'fcoe-uefi' will not be installed, because command 
'lldpad' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 
'iscsi-iname' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 
'iscsiadm' could not be found!
dracut: dracut module 'iscsi' will not be installed, because command 
'iscsid' could not be found!
dracut: dracut module 'nbd' will not be installed, because command 
'nbd-client' could not be found!
dracut: 95nfs: Could not find any command of 'rpcbind portmap'!
dracut: dracut module 'nvmf' will not be installed, because command 
'nvme' could not be found!
dracut: dracut module 'ssh-client' will not be installed, because 
command 'ssh' could not be found!
dracut: dracut module 'ssh-client' will not be installed, because 
command 'scp' could not be found!
dracut: dracut module 'biosdevname' will not be installed, because 
command 'biosdevname' could not be found!
dracut: dracut module 'memstrack' will not be installed, because command 
'pgrep' could not be found!
dracut: dracut module 'memstrack' will not be installed, because command 
'pkill' could not be found!
dracut: dracut module 'memstrack' will not be installed, because command 
'memstrack' could not be found!
dracut: memstrack is not available
dracut: If you need to use rd.memdebug>=4, please install memstrack and 
procps-ng
dracut: *** Including module: systemd ***
dracut: *** Including module: systemd-network-management ***
dracut: *** Including module: systemd-hostnamed ***
dracut: *** Including module: systemd-initrd ***
dracut: *** Including module: systemd-networkd ***
dracut: *** Including module: systemd-resolved ***
dracut: *** Including module: systemd-sysusers ***
dracut: *** Including module: systemd-timedated ***
dracut: *** Including module: systemd-timesyncd ***
dracut: *** Including module: dbus-daemon ***
dracut: *** Including module: dbus ***
dracut: *** Including module: i18n ***
dracut: *** Including module: network ***
dracut-install: ERROR: installing 'pgrep'
dracut: FAILED: /usr/lib/dracut/dracut-install -D 
/var/tmp/dracut.SLoX4R/initramfs -a ip sed awk grep pgrep tr
dracut: *** Including module: ifcfg ***
dracut: *** Including module: example-lighttpd ***
/usr/lib/dracut/modules.d/50example-lighttpd/module-setup.sh: line 48: 
inst_sysusers: command not found
dracut: *** Including module: crypt ***
dracut: *** Including module: dm ***
dracut: Skipping udev rule: 10-dm.rules
dracut: Skipping udev rule: 13-dm-disk.rules
dracut: Skipping udev rule: 64-device-mapper.rules
dracut: *** Including module: kernel-modules ***
dracut: *** Including module: kernel-modules-extra ***
dracut: *** Including module: kernel-network-modules ***
dracut: *** Including module: nvdimm ***
dracut: *** Including module: overlay-root ***
dracut: *** Including module: qemu ***
dracut: *** Including module: qemu-net ***
dracut: *** Including module: lunmask ***
dracut: *** Including module: resume ***
dracut: *** Including module: rootfs-block ***
dracut: *** Including module: terminfo ***
dracut: *** Including module: udev-rules ***
dracut: Skipping udev rule: 40-redhat.rules
dracut: Skipping udev rule: 91-permissions.rules
dracut: Skipping udev rule: 80-drivers-modprobe.rules
dracut: *** Including module: virtiofs ***
dracut: *** Including module: dracut-systemd ***
dracut: *** Including module: usrmount ***
dracut: *** Including module: base ***
dracut: *** Including module: fs-lib ***
dracut: *** Including module: shutdown ***
dracut: *** Including modules done ***
dracut: *** Installing kernel module dependencies ***
dracut: *** Installing kernel module dependencies done ***
dracut: *** Resolving executable dependencies ***
dracut: *** Resolving executable dependencies done ***
dracut: *** Hardlinking files ***
dracut: Mode:                     real
dracut: Method:                   sha256
dracut: Files:                    1709
dracut: Linked:                   1 files
dracut: Compared:                 0 xattrs
dracut: Compared:                 240 files
dracut: Saved:                    690 B
dracut: Duration:                 0.022064 seconds
dracut: *** Hardlinking files done ***
dracut: Could not find 'strip'. Not stripping the initramfs.
dracut: *** Store current command line parameters ***
dracut: *** Creating image file '/boot/initrd.img-6.1.0-49-arm64' ***
dracut: Using auto-determined compression method 'gzip'
dracut: *** Creating initramfs image file 
'/boot/initrd.img-6.1.0-49-arm64' done ***
cat: 
/isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/rootfs/boot/initrd.img-6.1.0-49-arm64: 
Permission denied
DEBUG: Shell function rootfs_generate_initramfs finished
DEBUG: Executing python function rootfs_do_umounts
DEBUG: Executing shell function rootfs_do_umounts_priv
DEBUG: Shell function rootfs_do_umounts_priv finished
DEBUG: Python function rootfs_do_umounts finished
DEBUG: Python function do_generate_initramfs finished
DEBUG: Executing python function sstate_task_postfunc
NOTE: Using umask 0o002 (not 22) for sstate packaging
DEBUG: Preparing tree 
/isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/deploy 
for packaging at 
/isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/sstate-build-generate_initramfs/deploy
DEBUG: Executing python function sstate_hardcode_path
NOTE: Removing hardcoded paths from sstate package: 'find 
/isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/sstate-build-generate_initramfs/ 
\( -name "*.la" -o -name "*-config" -o -name "*_config" -o -name 
"postinst-*" \) -type f | xargs grep -l -e 'None' -e 'None' -e 'None' | 
tee 
/isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/sstate-build-generate_initramfs/fixmepath 
| xargs --no-run-if-empty sed -i -e 's:None:FIXMESTAGINGDIRHOST:g' -e 
's:None:FIXMESTAGINGDIRTARGET:g' -e 's:None:FIXME_HOSTTOOLS_DIR:g''
DEBUG: Python function sstate_hardcode_path finished
DEBUG: Executing shell function rootfs_install_sstate_prepare
DEBUG: Shell function rootfs_install_sstate_prepare finished
DEBUG: Executing python function sstate_report_unihash
DEBUG: Python function sstate_report_unihash finished
DEBUG: Executing shell function sstate_create_package
DEBUG: Shell function sstate_create_package finished
DEBUG: Executing python function sstate_hardcode_path_unpack
DEBUG: Python function sstate_hardcode_path_unpack finished
DEBUG: Staging files from 
/isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/deploy 
to /isar/build/tmp/deploy/images/qemuarm64
DEBUG: Executing shell function rootfs_install_sstate_finalize
DEBUG: Shell function rootfs_install_sstate_finalize finished
DEBUG: Python function sstate_task_postfunc finished

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/892939b2-5d73-4bd2-b1d8-dbd918f9fb23%40ilbers.de.