Re: [PATCH 1/4] rootfs: introduce wrapper to run commands against a rootfs

["'Jan Kiszka' via isar-users" <isar-users@googlegroups.com>]

On 06.06.25 08:02, Hombourger, Cedric (FT FDS CES LX) wrote:
> On Thu, 2025-06-05 at 15:57 +0200, Jan Kiszka wrote:
>> On 19.05.25 13:57, 'Cedric Hombourger' via isar-users wrote:
>>> "sudo chroot" is used in several places to run commands inside
>>> rootfs
>>> directories constructed by Isar. There are cases where a command
>>> could
>>> be used without elevated privileges as long as special folders such
>>> as
>>> /isar-apt are mounted (they are often referenced as /isar-apt in
>>> configuration files found in the target rootfs). For such cases,
>>> bubblewrap may be used to create a non-privileged namespace (either
>>> in a bare/native environment or within a docker/podman container)
>>> where the command will be executed as if chroot had been used. The
>>> rootfs may also be the host root file-system: this should however
>>> be used with care to avoid host contamination problems (note: Isar
>>> already relies on a number of host tools).
>>>
>>> Signed-off-by: Cedric Hombourger <cedric.hombourger@siemens.com>
>>> ---
>>>  RECIPE-API-CHANGELOG.md     |  6 ++++
>>>  doc/user_manual.md          |  1 +
>>>  meta/classes/rootfs.bbclass | 66
>>> +++++++++++++++++++++++++++++++++++++
>>>  3 files changed, 73 insertions(+)
>>>
>>> diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
>>> index a4cf1338..725737b2 100644
>>> --- a/RECIPE-API-CHANGELOG.md
>>> +++ b/RECIPE-API-CHANGELOG.md
>>> @@ -722,3 +722,9 @@ Optional fields of the isar-apt repo can be
>>> controlled by adding to the
>>>  
>>>  Changes in next
>>>  ---------------
>>> +
>>> +### Require bubblewrap to run non-privileged commands with bind-
>>> mounts
>>> +
>>> +Isar occasionally needs to run commands within root file-systems
>>> that it
>>> +builds and with several bind-mounts (e.g. /isar-apt). bubblewrap
>>> may be
>>> +used in Isar classes instead of `sudo chroot`.
>>> diff --git a/doc/user_manual.md b/doc/user_manual.md
>>> index 0dc317c3..3cf1a9aa 100644
>>> --- a/doc/user_manual.md
>>> +++ b/doc/user_manual.md
>>> @@ -75,6 +75,7 @@ Install the following packages:
>>>  ```
>>>  apt install \
>>>    binfmt-support \
>>> +  bubblewrap \
>>
>> Does the bubblewrap (and kernel features) of bullseye suffice here,
>> or
>> is that a bookworm+ thing? How about buster (still listed as host)?
> 
> bubblewrap has been around for ages: these older distros did support
> flatpak. buster included.
> 
> https://packages.debian.org/buster/bubblewrap
>  

Then I suppose our CI would catch any nasty difference in our usage
compared to those standard use cases, right?

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/a324f93b-ae8a-46f3-a8f7-10088b8d4ef4%40siemens.com.