From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Thu, 4 Jun 2026 09:41:16 +0300
From: Anton Mikanovich
To: isar-users@googlegroups.com, Felix Moessbauer
Subject: Re: [PATCH v4 00/17] add support to build isar unprivileged
In-Reply-To: <20260601113505.2898877-1-felix.moessbauer@siemens.com>
References: <20260601113505.2898877-1-felix.moessbauer@siemens.com>

01.06.2026 14:34, 'Felix Moessbauer' via isar-users wrote:
> Dear isar-users,
>
> currently isar requires password-less sudo and an environment
> where mounting file systems is possible. This has proven problematic
> for security reasons, both when running in a privileged container or
> locally.
>
> To solve this, we implement fully rootless builds that rely on the
> unshare syscall which allows us to avoid sudo and instead operate in
> temporary kernel namespaces as a user that is just privileged within
> that namespace. This comes with some challenges regarding the handling
> of mounts (they are cleared when leaving the namespace), as well as
> cross namespace deployments (the outer user might not be able to access
> the inner data). For that, we rework the handling of mounts and artifact
> passing to make it compatible with both chroot modes (schroot and
> unshare).
>
> Note, that this series can be tested on a custom kas-container build
> provided in [1]. Hints how to migrate downstream layers are provided
> in the API changelog.

Hello Felix,

This patchset version has just passed both fast and full CI.