From: "'MOESSBAUER, Felix' via isar-users" <isar-users@googlegroups.com>
To: Zhihang Wei <wzh@ilbers.de>,
"isar-users@googlegroups.com" <isar-users@googlegroups.com>
Cc: "Kiszka, Jan" <jan.kiszka@siemens.com>,
"Gylstorff, Quirin" <quirin.gylstorff@siemens.com>
Subject: Re: [PATCH v3 00/16] add support to build isar unprivileged
Date: Fri, 29 May 2026 13:07:33 +0000
Message-ID: <bdc61fdf418877bb36ecca901a1c234e4d7c349e.camel@siemens.com>
In-Reply-To: <892939b2-5d73-4bd2-b1d8-dbd918f9fb23@ilbers.de>

On Fri, 2026-05-29 at 14:28 +0200, Zhihang Wei wrote:
> On 5/26/26 11:43, 'MOESSBAUER, Felix' via isar-users wrote:
> > On Tue, 2026-04-07 at 16:22 +0200, Felix Moessbauer wrote:
> > > Dear isar-users,
> > >
> > > currently isar requires password-less sudo and an environment
> > > where mounting file systems is possible. This has proven problematic
> > > for security reasons, both when running in a privileged container or
> > > locally.
> > >
> > > To solve this, we implement fully rootless builds that rely on the
> > > unshare syscall which allows us to avoid sudo and instead operate in
> > > temporary kernel namespaces as a user that is just privileged within
> > > that namespace. This comes with some challenges regarding the handling
> > > of mounts (they are cleared when leaving the namespace), as well as
> > > cross namespace deployments (the outer user might not be able to access
> > > the inner data). For that, we rework the handling of mounts and artifact
> > > passing to make it compatible with both chroot modes (schroot and
> > > unshare).
> > Any news on this one? Do you want me to send a rebase? I did not
> > receive any objections regarding the proposed interface on the kas
> > side. By that, I would like to move forward with this.
> >
> > I'm also fine with scheduling this behind the testsuite execution
> > series ("Improve testsuite executability, basic GitHub CI"), as this
> > significantly simplifies testing.
> >
> > Just let me know.
> >
> > Best regards,
> > Felix
>
> Hi Felix,
>
> We were testing this patch on downstreams and in CI. Tests on
> downstreams seem fine.
Hi, that's good to know. The corresponding kas patches are now also
rebased and will be added to kas:next soon [1].

[1] https://groups.google.com/g/kas-devel/c/ibWQT0-FtCg
>
> One issue did show up on CI. "InitRdCrossTests.test_dracut_in_image" in
> full failed. (There are two test cases named test_dracut_in_image, one
> in fast, one in full).
>
> Specifically, the built image isar-image-ci-debian-bookworm-qemuarm64
> does not boot. I found nothing was added into the initrd. The generated
> initrd image has a size of zero bytes.
I'll have a look. Thanks for the detailed report. Just for
clarification: Does this fail under rootless or default / root?
Best regards,
Felix
>
> The log
> tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/temp/log.do_generate_initramfs
> could be relevant. It's pasted below.
>
> Zhihang
>
> DEBUG: Executing python function sstate_task_prefunc
> DEBUG: Python function sstate_task_prefunc finished
> DEBUG: Executing python function do_generate_initramfs
> DEBUG: Executing python function rootfs_do_mounts
> DEBUG: Executing shell function rootfs_do_mounts_priv
> DEBUG: Shell function rootfs_do_mounts_priv finished
> DEBUG: Python function rootfs_do_mounts finished
> DEBUG: Executing shell function rootfs_do_qemu
> DEBUG: Shell function rootfs_do_qemu finished
> DEBUG: Executing shell function rootfs_generate_initramfs
> Total number of modules: 3684
> Generating initrd for kernel version: 6.1.0-49-arm64
> dracut: Executing: /usr/bin/dracut --force --kver 6.1.0-49-arm64 --add
> example-lighttpd
> dracut: dracut module 'mksh' will not be installed, because command
> 'mksh' could not be found!
> dracut: dracut module 'systemd-coredump' will not be installed, because
> command 'coredumpctl' could not be found!
> dracut: dracut module 'systemd-coredump' will not be installed, because
> command '/usr/lib/systemd/systemd-coredump' could not be found!
> dracut: dracut module 'systemd-portabled' will not be installed, because
> command 'portablectl' could not be found!
> dracut: dracut module 'systemd-portabled' will not be installed, because
> command '/usr/lib/systemd/systemd-portabled' could not be found!
> dracut: dracut module 'modsign' will not be installed, because command
> 'keyctl' could not be found!
> dracut: dracut module 'busybox' will not be installed, because command
> 'busybox' could not be found!
> dracut: dracut module 'dbus-broker' will not be installed, because
> command 'dbus-broker' could not be found!
> dracut: dracut module 'rngd' will not be installed, because command
> 'rngd' could not be found!
> dracut: dracut module 'connman' will not be installed, because command
> 'connmand' could not be found!
> dracut: dracut module 'connman' will not be installed, because command
> 'connmanctl' could not be found!
> dracut: dracut module 'connman' will not be installed, because command
> 'connmand-wait-online' could not be found!
> dracut: dracut module 'network-legacy' will not be installed, because
> command 'pgrep' could not be found!
> dracut: dracut module 'url-lib' will not be installed, because command
> 'curl' could not be found!
> dracut: 62bluetooth: Could not find any command of
> '/usr/lib/bluetooth/bluetoothd /usr/libexec/bluetooth/bluetoothd'!
> dracut: dracut module 'lvmmerge' will not be installed, because command
> 'lvm' could not be found!
> dracut: dracut module 'lvmthinpool-monitor' will not be installed,
> because command 'lvm' could not be found!
> dracut: dracut module 'btrfs' will not be installed, because command
> 'btrfs' could not be found!
> dracut: dracut module 'dmraid' will not be installed, because command
> 'dmraid' could not be found!
> dracut: dracut module 'lvm' will not be installed, because command 'lvm'
> could not be found!
> dracut: dracut module 'mdraid' will not be installed, because command
> 'mdadm' could not be found!
> dracut: dracut module 'multipath' will not be installed, because command
> 'multipath' could not be found!
> dracut: dracut module 'crypt-gpg' will not be installed, because command
> 'gpg' could not be found!
> dracut: dracut module 'pcsc' will not be installed, because command
> 'pcscd' could not be found!
> dracut: dracut module 'tpm2-tss' will not be installed, because command
> 'tpm2' could not be found!
> dracut: dracut module 'cifs' will not be installed, because command
> 'mount.cifs' could not be found!
> dracut: dracut module 'fcoe' will not be installed, because command
> 'dcbtool' could not be found!
> dracut: dracut module 'fcoe' will not be installed, because command
> 'fipvlan' could not be found!
> dracut: dracut module 'fcoe' will not be installed, because command
> 'lldpad' could not be found!
> dracut: dracut module 'fcoe' will not be installed, because command
> 'fcoemon' could not be found!
> dracut: dracut module 'fcoe' will not be installed, because command
> 'fcoeadm' could not be found!
> dracut: dracut module 'fcoe-uefi' will not be installed, because command
> 'dcbtool' could not be found!
> dracut: dracut module 'fcoe-uefi' will not be installed, because command
> 'fipvlan' could not be found!
> dracut: dracut module 'fcoe-uefi' will not be installed, because command
> 'lldpad' could not be found!
> dracut: dracut module 'iscsi' will not be installed, because command
> 'iscsi-iname' could not be found!
> dracut: dracut module 'iscsi' will not be installed, because command
> 'iscsiadm' could not be found!
> dracut: dracut module 'iscsi' will not be installed, because command
> 'iscsid' could not be found!
> dracut: dracut module 'nbd' will not be installed, because command
> 'nbd-client' could not be found!
> dracut: 95nfs: Could not find any command of 'rpcbind portmap'!
> dracut: dracut module 'nvmf' will not be installed, because command
> 'nvme' could not be found!
> dracut: dracut module 'ssh-client' will not be installed, because
> command 'ssh' could not be found!
> dracut: dracut module 'ssh-client' will not be installed, because
> command 'scp' could not be found!
> dracut: dracut module 'biosdevname' will not be installed, because
> command 'biosdevname' could not be found!
> dracut: dracut module 'memstrack' will not be installed, because command
> 'pgrep' could not be found!
> dracut: dracut module 'memstrack' will not be installed, because command
> 'pkill' could not be found!
> dracut: dracut module 'memstrack' will not be installed, because command
> 'memstrack' could not be found!
> dracut: memstrack is not available
> dracut: If you need to use rd.memdebug>=4, please install memstrack and
> procps-ng
> dracut: *** Including module: systemd ***
> dracut: *** Including module: systemd-network-management ***
> dracut: *** Including module: systemd-hostnamed ***
> dracut: *** Including module: systemd-initrd ***
> dracut: *** Including module: systemd-networkd ***
> dracut: *** Including module: systemd-resolved ***
> dracut: *** Including module: systemd-sysusers ***
> dracut: *** Including module: systemd-timedated ***
> dracut: *** Including module: systemd-timesyncd ***
> dracut: *** Including module: dbus-daemon ***
> dracut: *** Including module: dbus ***
> dracut: *** Including module: i18n ***
> dracut: *** Including module: network ***
> dracut-install: ERROR: installing 'pgrep'
> dracut: FAILED: /usr/lib/dracut/dracut-install -D
> /var/tmp/dracut.SLoX4R/initramfs -a ip sed awk grep pgrep tr
> dracut: *** Including module: ifcfg ***
> dracut: *** Including module: example-lighttpd ***
> /usr/lib/dracut/modules.d/50example-lighttpd/module-setup.sh: line 48:
> inst_sysusers: command not found
> dracut: *** Including module: crypt ***
> dracut: *** Including module: dm ***
> dracut: Skipping udev rule: 10-dm.rules
> dracut: Skipping udev rule: 13-dm-disk.rules
> dracut: Skipping udev rule: 64-device-mapper.rules
> dracut: *** Including module: kernel-modules ***
> dracut: *** Including module: kernel-modules-extra ***
> dracut: *** Including module: kernel-network-modules ***
> dracut: *** Including module: nvdimm ***
> dracut: *** Including module: overlay-root ***
> dracut: *** Including module: qemu ***
> dracut: *** Including module: qemu-net ***
> dracut: *** Including module: lunmask ***
> dracut: *** Including module: resume ***
> dracut: *** Including module: rootfs-block ***
> dracut: *** Including module: terminfo ***
> dracut: *** Including module: udev-rules ***
> dracut: Skipping udev rule: 40-redhat.rules
> dracut: Skipping udev rule: 91-permissions.rules
> dracut: Skipping udev rule: 80-drivers-modprobe.rules
> dracut: *** Including module: virtiofs ***
> dracut: *** Including module: dracut-systemd ***
> dracut: *** Including module: usrmount ***
> dracut: *** Including module: base ***
> dracut: *** Including module: fs-lib ***
> dracut: *** Including module: shutdown ***
> dracut: *** Including modules done ***
> dracut: *** Installing kernel module dependencies ***
> dracut: *** Installing kernel module dependencies done ***
> dracut: *** Resolving executable dependencies ***
> dracut: *** Resolving executable dependencies done ***
> dracut: *** Hardlinking files ***
> dracut: Mode: real
> dracut: Method: sha256
> dracut: Files: 1709
> dracut: Linked: 1 files
> dracut: Compared: 0 xattrs
> dracut: Compared: 240 files
> dracut: Saved: 690 B
> dracut: Duration: 0.022064 seconds
> dracut: *** Hardlinking files done ***
> dracut: Could not find 'strip'. Not stripping the initramfs.
> dracut: *** Store current command line parameters ***
> dracut: *** Creating image file '/boot/initrd.img-6.1.0-49-arm64' ***
> dracut: Using auto-determined compression method 'gzip'
> dracut: *** Creating initramfs image file
> '/boot/initrd.img-6.1.0-49-arm64' done ***
> cat:
> /isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/rootfs/boot/initrd.img-6.1.0-49-arm64:
> Permission denied
> DEBUG: Shell function rootfs_generate_initramfs finished
> DEBUG: Executing python function rootfs_do_umounts
> DEBUG: Executing shell function rootfs_do_umounts_priv
> DEBUG: Shell function rootfs_do_umounts_priv finished
> DEBUG: Python function rootfs_do_umounts finished
> DEBUG: Python function do_generate_initramfs finished
> DEBUG: Executing python function sstate_task_postfunc
> NOTE: Using umask 0o002 (not 22) for sstate packaging
> DEBUG: Preparing tree
> /isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/deploy
> for packaging at
> /isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/sstate-build-generate_initramfs/deploy
> DEBUG: Executing python function sstate_hardcode_path
> NOTE: Removing hardcoded paths from sstate package: 'find
> /isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/sstate-build-generate_initramfs/
> \( -name "*.la" -o -name "*-config" -o -name "*_config" -o -name
> "postinst-*" \) -type f | xargs grep -l -e 'None' -e 'None' -e 'None' |
> tee
> /isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/sstate-build-generate_initramfs/fixmepath
> | xargs --no-run-if-empty sed -i -e 's:None:FIXMESTAGINGDIRHOST:g' -e
> 's:None:FIXMESTAGINGDIRTARGET:g' -e 's:None:FIXME_HOSTTOOLS_DIR:g''
> DEBUG: Python function sstate_hardcode_path finished
> DEBUG: Executing shell function rootfs_install_sstate_prepare
> DEBUG: Shell function rootfs_install_sstate_prepare finished
> DEBUG: Executing python function sstate_report_unihash
> DEBUG: Python function sstate_report_unihash finished
> DEBUG: Executing shell function sstate_create_package
> DEBUG: Shell function sstate_create_package finished
> DEBUG: Executing python function sstate_hardcode_path_unpack
> DEBUG: Python function sstate_hardcode_path_unpack finished
> DEBUG: Staging files from
> /isar/build/tmp/work/debian-bookworm-arm64/isar-dracut-qemuarm64/1.0-r0/deploy
> to /isar/build/tmp/deploy/images/qemuarm64
> DEBUG: Executing shell function rootfs_install_sstate_finalize
> DEBUG: Shell function rootfs_install_sstate_finalize finished
> DEBUG: Python function sstate_task_postfunc finished
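
The cover letter quoted above names the two practical consequences of building inside unshare namespaces: mounts made in the temporary namespace are gone once it is left, and the outer user may not be able to read what was produced inside. The script below is an added example that exercises both on a stock Linux machine; it is not isar code and not part of this patch series. The function names `userns_available` and `rootless_mount_demo` are this example's own. It assumes util-linux `unshare` (with `--map-root-user`) and a kernel and container policy that permit unprivileged user namespaces and bind mounts inside them; where they are refused (hardened kernels, AppArmor, the default Docker seccomp profile) it reports exit status 2 instead of failing.

```shell
#!/bin/sh
# Added example; not isar code and not part of the patch series under
# discussion. It shows the two namespace properties the cover letter
# describes for unshare-based rootless builds:
#   1. a mount made inside the temporary mount namespace is gone once the
#      namespace exits, so nothing leaks to (or needs cleanup on) the host
#      mount table;
#   2. only uids mapped into the user namespace can own files, so data
#      written under any other id is either rejected by the kernel (no
#      mapping) or lands outside owned by a subordinate uid that the outer
#      user cannot read.
# Assumptions: util-linux `unshare` with --map-root-user, and a kernel and
# sandbox that allow unprivileged user namespaces plus mount(2) inside them.
# Hardened kernels, AppArmor and the default Docker seccomp profile may
# refuse either; the functions report that as exit status 2.

# Exit 0 if we can create a user+mount namespace and bind-mount inside it,
# 2 otherwise. The probe does exactly what the demo needs, nothing more.
userns_available() {
    probe=$(mktemp -d) || return 2
    if unshare --user --map-root-user --mount \
        sh -c 'mount --bind "$1" "$1"' sh "$probe" >/dev/null 2>&1; then
        rmdir "$probe"
        return 0
    fi
    rmdir "$probe"
    return 2
}

# Runs the demo in a scratch directory and prints one key=value line per
# observation. Returns 0 on success, 2 if namespaces are unavailable, 1 on
# an unexpected failure.
rootless_mount_demo() {
    userns_available || return 2
    work=$(mktemp -d) || return 1
    mkdir -p "$work/src" "$work/dst" || return 1
    echo payload > "$work/src/file" || return 1

    # --map-root-user maps our outer uid to uid 0 inside the new user
    # namespace; that is what lets an unprivileged user call mount(2) there.
    # --mount defaults to private propagation, so the bind mount below stays
    # inside the namespace.
    unshare --user --map-root-user --mount sh -c '
        set -e
        w=$1
        mount --bind "$w/src" "$w/dst"
        test -f "$w/dst/file"
        echo "inside_sees_mount=yes"
        echo "inside_uid=$(id -u)"
        # Written through the bind mount as in-namespace root.
        echo created-inside > "$w/dst/from-ns"
        # uid 1000 is not mapped in this namespace (only 0 is), so the
        # kernel rejects the chown with EINVAL. With a subordinate uid range
        # mapped instead (unshare --map-auto and /etc/subuid) the chown
        # succeeds and the file shows up outside owned by that subordinate
        # uid: the outer user then gets "Permission denied" reading it.
        if chown 1000 "$w/dst/from-ns" 2>/dev/null; then
            echo "chown_unmapped_uid=allowed"
        else
            echo "chown_unmapped_uid=rejected"
        fi
    ' sh "$work" || { rm -rf "$work"; return 1; }

    # Back outside: the bind mount is gone, the data written through it is
    # still in src/, and it is ours because root-in-namespace == our uid.
    if [ -e "$work/dst/file" ]; then
        echo "outside_sees_mount=yes"
    else
        echo "outside_sees_mount=no"
    fi
    if [ -O "$work/src/from-ns" ]; then
        echo "outside_owns_output=yes"
    else
        echo "outside_owns_output=no"
    fi
    rm -rf "$work"
    return 0
}

if rootless_mount_demo; then
    echo "demo=ok"
else
    echo "demo=not_run rc=$?"
fi
```

On a machine where the probe succeeds, the output reads `inside_sees_mount=yes`, `inside_uid=0`, `chown_unmapped_uid=rejected`, `outside_sees_mount=no`, `outside_owns_output=yes`: the mount existed only for the lifetime of the namespace, and the artifact came out owned by the calling user without any chown. Mapping a subordinate range (`--map-auto`) is what makes package installs that create files as other uids work inside the chroot, and it is also what turns those files into something the outer user cannot `cat`, so an artifact-passing step has to copy or re-own them from inside the namespace rather than after leaving it. Whether that is what is behind the `cat: ... Permission denied` in the pasted log is exactly what Felix's rootless-or-root question above is trying to establish.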
Thread overview: 22+ messages
2026-04-07 14:22 'Felix Moessbauer' via isar-users
2026-04-07 14:22 ` [PATCH v3 01/16] refactor bootstrap: store rootfs tar with user permissions 'Felix Moessbauer' via isar-users
2026-04-07 14:22 ` [PATCH v3 02/16] deb-dl-dir: export without root privileges 'Felix Moessbauer' via isar-users
2026-04-07 14:22 ` [PATCH v3 03/16] download debs without locking 'Felix Moessbauer' via isar-users
2026-04-07 14:22 ` [PATCH v3 04/16] introduce wrappers for privileged execution 'Felix Moessbauer' via isar-users
2026-04-07 14:22 ` [PATCH v3 05/16] bootstrap: move cleanup trap to function 'Felix Moessbauer' via isar-users
2026-04-07 14:23 ` [PATCH v3 06/16] rootfs: rework sstate caching of rootfs artifact 'Felix Moessbauer' via isar-users
2026-04-07 14:23 ` [PATCH v3 07/16] rootfs_generate_initramfs: rework deployment to avoid chowning 'Felix Moessbauer' via isar-users
2026-06-01 7:03 ` 'MOESSBAUER, Felix' via isar-users
2026-04-07 14:23 ` [PATCH v3 08/16] use bitbake function to generate mounting scripts 'Felix Moessbauer' via isar-users
2026-04-07 14:23 ` [PATCH v3 09/16] apt-fetcher: prepare for chroot specific fetching 'Felix Moessbauer' via isar-users
2026-04-07 14:23 ` [PATCH v3 10/16] add support for fully rootless builds 'Felix Moessbauer' via isar-users
2026-04-07 14:23 ` [PATCH v3 11/16] add helper script to clean artifacts in build dir 'Felix Moessbauer' via isar-users
2026-04-07 14:23 ` [PATCH v3 12/16] apt-fetcher: implement support for unshare backend 'Felix Moessbauer' via isar-users
2026-04-07 14:23 ` [PATCH v3 13/16] dpkg-source: implement multiarch " 'Felix Moessbauer' via isar-users
2026-04-07 14:23 ` [PATCH v3 14/16] use copy of sbom-chroot for sbom creation 'Felix Moessbauer' via isar-users
2026-04-07 14:23 ` [PATCH v3 15/16] add support for devshell on unshare backend 'Felix Moessbauer' via isar-users
2026-04-07 14:23 ` [PATCH v3 16/16] testsuite: add parameter to run tests in rootless mode 'Felix Moessbauer' via isar-users
2026-05-26 9:43 ` [PATCH v3 00/16] add support to build isar unprivileged 'MOESSBAUER, Felix' via isar-users
2026-05-29 12:28 ` Zhihang Wei
2026-05-29 13:07 ` 'MOESSBAUER, Felix' via isar-users [this message]
2026-05-29 14:03 ` Zhihang Wei