From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Wed, 18 Feb 2026 17:09:54 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-oa1-f56.google.com (mail-oa1-f56.google.com [209.85.160.56]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 61IG9qBc025519 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 18 Feb 2026 17:09:53 +0100 Received: by mail-oa1-f56.google.com with SMTP id 586e51a60fabf-40ea48ccbd2sf18468277fac.3 for ; Wed, 18 Feb 2026 08:09:53 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1771430987; cv=pass; d=google.com; s=arc-20240605; b=gBg1uzQmCbzTsqS/3QMFL7J+eyu+/UyRADUGtDPgS4MWnD3G5juFKRdjM1G/AUpk2F L+tseoaMjBb9eiksIZdhGh/7+kl+9qQCsa6Hq2PLSv8Dx7fNSM5CrQ0KAim0/dfJ7fZv PmYjaoSpMERggL15BfBRH+OEINB9dPFJIoBxyHPiG6V9GBstys8VMZSQ2x3Vn3WpRs1w sMGhnvwcQpsBd1e8qA9ObNZyOE55K/tWTAdUe47xc7hblBnQ6jpo/nNgUhfAvSuXwJ/r npXJzC0653t7DTkL58FhxWngk+Qey5LmcXlgxSHQ2sgoQIWua8qIMUwije6WsiwdaFfi vxlw== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:in-reply-to :autocrypt:content-language:from:references:cc:to:subject:user-agent :date:message-id:dkim-signature; bh=wjWZXBeFapcfnmfF7QCQLdc+FH5eFpAjtzd5S1xTfhY=; fh=0UnHnTmeIt8MfB3bDereYyep0QW1uEZHH4URnfe7TR8=; b=HWjrrlLnmpoIzOoTUHZq2EtqRXaKM8RQd4aEL4/74DeIaLDvlvG2QQ9X3Ce5aNs+iV ufL6FgsGWk9+cbFlMgvARAvD/DGtTFWyeTc4KMqJ+Zee/viKLVs5L6ixJj/856esvKrZ z5PYXuSgnx2IF75LP1ok8PqEIgm20rgDdCLx6n6gm8v1JQeDVbQ+iM0ASatmVAvUJJ1D W/M7WrhhsH469CGKFcxi81lH7d9peQloacG7dLy1gb6p61ZiAdXoXj38210j79SylFwd qgw5ArZINKtw2qEE2KiSQcWJhUMq5tUpTbbMm4W7puHR6p2eSqS2DaecizjsUmEj3XTh tgdw==; darn=ilbers.de ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=EdQRHmwA; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1771430987; x=1772035787; darn=ilbers.de; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :in-reply-to:autocrypt:content-language:from:references:cc:to :subject:user-agent:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=wjWZXBeFapcfnmfF7QCQLdc+FH5eFpAjtzd5S1xTfhY=; b=qJqOk/+luB/MGA9Zu8rleuoXrjjJe8DKX4HRWUaN6Q64U6cffiOTVUqSffzy52qM88 W58LkJ54jJ88ogkf/+q5ceCrNh7sOIWlQRSp57gZHJ7EAZ1OyfIcMpKwQvkPrRqPdQj6 40yHeblB7RPLacU5Ti4i1Dg/ANOQ1gwoOvdrz4/lH+HhslRYaU2KIzT0Tq5vE9hSmcyu 10nKk4CgH0m+kW6cLpnI2zCLUpDT9/RsqNwLLinr7jiW9GSFMNIvjiiCceLr57f+13PM 7NRjpnO0YOZWlmc77CxaMkj8/eoRLbD7KuRurjzA38nzxZdqhtcI0d0VyQTwHsi/kv8e SQqg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1771430987; x=1772035787; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :in-reply-to:autocrypt:content-language:from:references:cc:to :subject:user-agent:date:message-id:x-beenthere:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=wjWZXBeFapcfnmfF7QCQLdc+FH5eFpAjtzd5S1xTfhY=; b=QWVplQd/RYGfLl3fx48FRJzLmXgvhKJjrppoT/ckmGP35l92xG76W5HW6ZVsiFTuec 4WlJd5of+yPSPmTYl/lyaaBa8D2SS+7VuyofIrBGE7t0tG0Z1jSD5LUVPg/KKZzMF8Ra PyXplDOgzASl+3bz7LntoMUDffvOCx6a4d+gTu0/+xJ6EwMSXNpMzIZr1zDT9rizoawI xtgL/Y6JFWrofRPYQeEIE9c6LmkNd2tcpBc8U5WMA6mkeBoZp+scpL9kuhtGW8vnWoMV T8MTgGa1fKpBGh722s0tQf3iD7iBHiVWu91CyKylvLdhKcjlmXxKRhqDs+gsMNeru8tb QFRw== X-Forwarded-Encrypted: i=3; AJvYcCU/Y4m0OfBLGxBNV2+ZqkxVAAGpRZ9y9Lm5MPc9Xeze3VfTWUaBMO+VsVKd/X5TzO1J41nE@ilbers.de X-Gm-Message-State: AOJu0YxMb+OoQRScRU4grpAcpC11V7PrmN61fiJ+ie5Mzml9h8yMn0zd TFD00kM3jfkC0hXwfjHqc4Uv4x5nC6D8vcL0eihVj3lYNMlMKRRVvMNC X-Received: by 2002:a05:6870:1587:b0:409:a121:19d9 with SMTP id 586e51a60fabf-40f0d9b194dmr7287186fac.47.1771430987061; Wed, 18 Feb 2026 08:09:47 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="AV1CL+G8RVttcW2JvaDTc2IRt+KVU5eNtnQXjKfegzEqrq5i1Q==" Received: by 2002:a05:6870:148c:b0:40f:17a9:2919 with SMTP id 586e51a60fabf-40f17a92af4ls2635136fac.0.-pod-prod-06-us; Wed, 18 Feb 2026 08:09:45 -0800 (PST) X-Forwarded-Encrypted: i=3; AJvYcCXHYnhXDAAT+ny051cdw1f7RFn8Utw8hCAGHqELD79iFMEydo8nN+qOnRl68CiKicTjec5x18yQdJen@googlegroups.com X-Received: by 2002:a05:6870:7884:b0:3eb:7a2e:34a4 with SMTP id 586e51a60fabf-40f0d8d3d2dmr11746086fac.28.1771430985661; Wed, 18 Feb 2026 08:09:45 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1771430985; cv=pass; d=google.com; s=arc-20240605; b=VWyngG6/qMjgfUqY3fi17AFeLgaoe6tmOs7jQvr4qVnEq/uY23Gz0HcZ/PSsZ/Dda8 iLiojbe7f9K7eY7eTtXPF6/oGJy7LH8pX05LpM4pJCDUgk5nwNz/zOk1WnwAZ2Jmrkz4 J3FDd3S4hfkFFkwFHJPxnLsLkmbx4ZVY5SJoICorhGMUvZ6CjQMEquADgw3kT/dE3lhu e1ZRawKA+yY4GIjyPquBKzpyLsCBNLbfvuEM5QbZKIwysJvH8WvbzUo0IB3xa+0q8SNO ss8ocw+Mab0GZP4YkBBfiAVkApCo2lB31i83w8cVtd05VK5rCCbcve6H5NC+9V2kWcJ5 uEhw== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:in-reply-to:autocrypt :content-language:from:references:cc:to:subject:user-agent:date :message-id:dkim-signature; bh=uVcXygNZgftbujK50KKkw8dLORmHLyYIrozbo0mJuqM=; fh=OPAseo6bwwFPu0Z/TgqZ37S26U8kSSi3ubVyFPIawCA=; b=YwtwKg/SS0kEJeH8G/cDgppw3+oNgUf3bA4n0hHZzKEQxzrT+BZjq9WtoE5Sfy3IfW xRvyfiyg3tQiqjKc04Fz7HECOEQQGc+L5DtmjzSrWVQocr0CPsuYqi2LObshrqKG206a zehVDy/snQ1dYb78d5Ni3DSjE+e4m0fDroEjsod2uXiCFHzn8Q2mF+TcQtpZ8ArgcXwo lZ0WyRoYTDGvCvJQDxZ986en9tLsd+CDIE+grWyI0saZMoPHlhlS6VM+Iom02ZvtqHKd w5wopHaClNVG/q8ATmQtCo01LzcMTrgOaXQX8EduKqboSYbnYmph98+T5MPPRQkFTpEG /IOA==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=EdQRHmwA; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from AM0PR02CU008.outbound.protection.outlook.com (mail-westeuropeazlp170130006.outbound.protection.outlook.com. [2a01:111:f403:c201::6]) by gmr-mx.google.com with ESMTPS id 586e51a60fabf-40eaf087cbcsi793804fac.3.2026.02.18.08.09.45 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 18 Feb 2026 08:09:45 -0800 (PST) Received-SPF: pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) client-ip=2a01:111:f403:c201::6; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=XXG/HZmnjDFgPwPPM5vQ5GKCk+WhrMJF93T1LdOiY8HEX9qV1UUl21Waj7WBu2D4Ezm/LU8kXWDQc6mtyJMiIlliGVBWnwLrlkmQQqWPO0qhNpKAmSlWcfXxaLrrexVviw61lNf4ywne1yzMxSfBsN3tbz7gbbufB7XkZZ62ev/8mEOPOaWfgUMwFi83fnv6xfX8/BHuzBk/8Sq98xN1Uf1gMqLODsIWLvsnXt6ap3GNW0d3KjE3JjP4uNadUi3suzigypVUOPHlOeUFVEWWWVEYtYWH/Y18Rtz6Oi0rRlOqgznA/jB4Aoi9Ijq7lkgwkLs8Hf/jetJ3ph/wn0OAnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=uVcXygNZgftbujK50KKkw8dLORmHLyYIrozbo0mJuqM=; b=bPqEG+xdzH/p6X6zsObN/PsGjz/xNf/1+cEYmu7vyPdCTHC0l79DuNF31C0QSzaC98FRcMU7TXnIHNf3zr7pjjpEUyhIufWqJvYyInJeTtCbhNGYA4luMon4dwvr8XTdpW4PYjxZ2xLIjc8rvj0lMC3I/xrE+xOIWehEjfVttq0cmIdS2lKYIes03GdOF/8vJKOLlLG26Tad2e+cQNE1+POcUPIdpJ/vjEEV1K3YnImHHBVYAYWe4A8pVnIrWTcMZKfJEN0sNmrpnn8Wf/y6Tm9RWW10ufKkCTCrgbjy7//SJO2jDReMfYHeJLihujmOA5EM8/nZ6v4JAQHiE8VerA== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:588::19) by VI0PR10MB9336.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:800:2ae::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9611.16; Wed, 18 Feb 2026 16:09:43 +0000 Received: from AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM ([fe80::be9f:e8ca:ee9:83e1]) by AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM ([fe80::be9f:e8ca:ee9:83e1%6]) with mapi id 15.20.9632.010; Wed, 18 Feb 2026 16:09:43 +0000 Message-ID: Date: Wed, 18 Feb 2026 17:09:38 +0100 User-Agent: Mozilla Thunderbird Subject: Re: [RFC 11/12] add support for fully rootless builds To: Felix Moessbauer , isar-users@googlegroups.com Cc: quirin.gylstorff@siemens.com References: <20260218115827.3947145-1-felix.moessbauer@siemens.com> <20260218115827.3947145-12-felix.moessbauer@siemens.com> From: "'Jan Kiszka' via isar-users" Content-Language: en-US Autocrypt: addr=jan.kiszka@siemens.com; keydata= xsFNBGZY+hkBEACkdtFD81AUVtTVX+UEiUFs7ZQPQsdFpzVmr6R3D059f+lzr4Mlg6KKAcNZ uNUqthIkgLGWzKugodvkcCK8Wbyw+1vxcl4Lw56WezLsOTfu7oi7Z0vp1XkrLcM0tofTbClW xMA964mgUlBT2m/J/ybZd945D0wU57k/smGzDAxkpJgHBrYE/iJWcu46jkGZaLjK4xcMoBWB I6hW9Njxx3Ek0fpLO3876bszc8KjcHOulKreK+ezyJ01Hvbx85s68XWN6N2ulLGtk7E/sXlb 79hylHy5QuU9mZdsRjjRGJb0H9Buzfuz0XrcwOTMJq7e7fbN0QakjivAXsmXim+s5dlKlZjr L3ILWte4ah7cGgqc06nFb5jOhnGnZwnKJlpuod3pc/BFaFGtVHvyoRgxJ9tmDZnjzMfu8YrA +MVv6muwbHnEAeh/f8e9O+oeouqTBzgcaWTq81IyS56/UD6U5GHet9Pz1MB15nnzVcyZXIoC roIhgCUkcl+5m2Z9G56bkiUcFq0IcACzjcRPWvwA09ZbRHXAK/ao/+vPAIMnU6OTx3ejsbHn oh6VpHD3tucIt+xA4/l3LlkZMt5FZjFdkZUuAVU6kBAwElNBCYcrrLYZBRkSGPGDGYZmXAW/ VkNUVTJkRg6MGIeqZmpeoaV2xaIGHBSTDX8+b0c0hT/Bgzjv8QARAQABzSNKYW4gS2lzemth IDxqYW4ua2lzemthQHNpZW1lbnMuY29tPsLBlAQTAQoAPhYhBABMZH11cs99cr20+2mdhQqf QXvYBQJmWPvXAhsDBQkFo5qABQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEGmdhQqfQXvY zPAP/jGiVJ2VgPcRWt2P8FbByfrJJAPCsos+SZpncRi7tl9yTEpS+t57h7myEKPdB3L+kxzg K3dt1UhYp4FeIHA3jpJYaFvD7kNZJZ1cU55QXrJI3xu/xfB6VhCs+VAUlt7XhOsOmTQqCpH7 pRcZ5juxZCOxXG2fTQTQo0gfF5+PQwQYUp0NdTbVox5PTx5RK3KfPqmAJsBKdwEaIkuY9FbM 9lGg8XBNzD2R/13cCd4hRrZDtyegrtocpBAruVqOZhsMb/h7Wd0TGoJ/zJr3w3WnDM08c+RA 5LHMbiA29MXq1KxlnsYDfWB8ts3HIJ3ROBvagA20mbOm26ddeFjLdGcBTrzbHbzCReEtN++s gZneKsYiueFDTxXjUOJgp8JDdVPM+++axSMo2js8TwVefTfCYt0oWMEqlQqSqgQwIuzpRO6I ik7HAFq8fssy2cY8Imofbj77uKz0BNZC/1nGG1OI9cU2jHrqsn1i95KaS6fPu4EN6XP/Gi/O 0DxND+HEyzVqhUJkvXUhTsOzgzWAvW9BlkKRiVizKM6PLsVm/XmeapGs4ir/U8OzKI+SM3R8 VMW8eovWgXNUQ9F2vS1dHO8eRn2UqDKBZSo+qCRWLRtsqNzmU4N0zuGqZSaDCvkMwF6kIRkD ZkDjjYQtoftPGchLBTUzeUa2gfOr1T4xSQUHhPL8zsFNBGZY+hkBEADb5quW4M0eaWPIjqY6 aC/vHCmpELmS/HMa5zlA0dWlxCPEjkchN8W4PB+NMOXFEJuKLLFs6+s5/KlNok/kGKg4fITf Vcd+BQd/YRks3qFifckU+kxoXpTc2bksTtLuiPkcyFmjBph/BGms35mvOA0OaEO6fQbauiHa QnYrgUQM+YD4uFoQOLnWTPmBjccoPuiJDafzLxwj4r+JH4fA/4zzDa5OFbfVq3ieYGqiBrtj tBFv5epVvGK1zoQ+Rc+h5+dCWPwC2i3cXTUVf0woepF8mUXFcNhY+Eh8vvh1lxfD35z2CJeY txMcA44Lp06kArpWDjGJddd+OTmUkFWeYtAdaCpj/GItuJcQZkaaTeiHqPPrbvXM361rtvaw XFUzUlvoW1Sb7/SeE/BtWoxkeZOgsqouXPTjlFLapvLu5g9MPNimjkYqukASq/+e8MMKP+EE v3BAFVFGvNE3UlNRh+ppBqBUZiqkzg4q2hfeTjnivgChzXlvfTx9M6BJmuDnYAho4BA6vRh4 Dr7LYTLIwGjguIuuQcP2ENN+l32nidy154zCEp5/Rv4K8SYdVegrQ7rWiULgDz9VQWo2zAjo TgFKg3AE3ujDy4V2VndtkMRYpwwuilCDQ+Bpb5ixfbFyZ4oVGs6F3jhtWN5Uu43FhHSCqUv8 FCzl44AyGulVYU7hTQARAQABwsF8BBgBCgAmFiEEAExkfXVyz31yvbT7aZ2FCp9Be9gFAmZY +hkCGwwFCQWjmoAACgkQaZ2FCp9Be9hN3g/8CdNqlOfBZGCFNZ8Kf4tpRpeN3TGmekGRpohU bBMvHYiWW8SvmCgEuBokS+Lx3pyPJQCYZDXLCq47gsLdnhVcQ2ZKNCrr9yhrj6kHxe1Sqv1S MhxD8dBqW6CFe/mbiK9wEMDIqys7L0Xy/lgCFxZswlBW3eU2Zacdo0fDzLiJm9I0C9iPZzkJ gITjoqsiIi/5c3eCY2s2OENL9VPXiH1GPQfHZ23ouiMf+ojVZ7kycLjz+nFr5A14w/B7uHjz uL6tnA+AtGCredDne66LSK3HD0vC7569sZ/j8kGKjlUtC+zm0j03iPI6gi8YeCn9b4F8sLpB lBdlqo9BB+uqoM6F8zMfIfDsqjB0r/q7WeJaI8NKfFwNOGPuo93N+WUyBi2yYCXMOgBUifm0 T6Hbf3SHQpbA56wcKPWJqAC2iFaxNDowcJij9LtEqOlToCMtDBekDwchRvqrWN1mDXLg+av8 qH4kDzsqKX8zzTzfAWFxrkXA/kFpR3JsMzNmvextkN2kOLCCHkym0zz5Y3vxaYtbXG2wTrqJ 8WpkWIE8STUhQa9AkezgucXN7r6uSrzW8IQXxBInZwFIyBgM0f/fzyNqzThFT15QMrYUqhhW ZffO4PeNJOUYfXdH13A6rbU0y6xE7Okuoa01EqNi9yqyLA8gPgg/DhOpGtK8KokCsdYsTbk= In-Reply-To: <20260218115827.3947145-12-felix.moessbauer@siemens.com> Content-Type: text/plain; charset="UTF-8" X-ClientProxiedBy: CH0PR03CA0330.namprd03.prod.outlook.com (2603:10b6:610:118::22) To AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:588::19) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AS4PR10MB6181:EE_|VI0PR10MB9336:EE_ X-MS-Office365-Filtering-Correlation-Id: 466fb8d9-c9df-4e01-9e53-08de6f082095 X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|366016|1800799024|376014; X-Microsoft-Antispam-Message-Info: =?utf-8?B?RTZTREhNenNsbDY4SkZBMzRjVVY0RDZIZTg3dnBGbE0vdnFxOWNnU1dkdC9V?= =?utf-8?B?VDJ4OFNGeDErRUNRcU8wRHVacjVEbmh4RWdreklValdJVGhUVUloa0ptNzZi?= =?utf-8?B?d1E4SUwvS1l3VXFHMjhwTnFwNnY1YTFLbXFQVjRMN1QzenEyVzV5WXNTdlRj?= =?utf-8?B?aHFTa25KVFAzUlRMaU1EQW9HNGQ2ckdNWjJtOVBjd2V4TnFvNEpYY05WWTAx?= =?utf-8?B?NGk2dzc1cFo2L2t6cU5IcFFqdUJNMmtrVGc5RkpxQ1JsREhEQ2lJUHUrSUxR?= =?utf-8?B?V1M5SDM3OXFpelBBdGVBR00zcjJSTm1PVldYZGMrbmk2TE5paVhaS1lkYmhw?= =?utf-8?B?RHo2NHhRaTZQRFZzTGR3ZERKNU81SGZJL2loMlMzc0pNSld5dm5sL1ZRMC9l?= =?utf-8?B?cFkrQVNBZnlUSzBHdjdWVE9EdFJROWkzajhScE84S2daUklTK2hsbjM1andY?= =?utf-8?B?R0tSNnN0SHZCWGZuR3VhRklQeXNYQlIveGg3SGlxUlN4RmVBVlhSanJibzho?= =?utf-8?B?TkZyMmNxcng2V09LRVdOVThLOG1HeWF5NUtNbmJwM2QwbUt6QWhyS09MUVZJ?= =?utf-8?B?NGRMQjRUOFdPSzFvaGc2U1pTOTFqd2ExYTUrNGV1K04zRVZMamFHOHhRTzBD?= =?utf-8?B?aU5MdHpkTFhDQ0ZqREhpd1hKeUpjaVlVYzVXNU1GL0NXRGw5MU8vNTNDcW03?= =?utf-8?B?Mlc5Vng0SmtzY3pmRGpGT1ZoNm5CN05XeWovSU9qYmEvTWd5ajNGQnBLeXFj?= =?utf-8?B?dyszY3B2NTYrbFhHYXNlbFB3VGdiZzVmOUR1VENOK21zRUhRMVoyV3BUTGVo?= =?utf-8?B?SXVkcEhyUGhrMUFSVXdzYlBrTzFkQkVzSVNteExCNDgzb3IrV3diZ3JpT1Nj?= =?utf-8?B?WE1ITHFJdHpRcU5YNFphbkMxdzF5SE84enpISGZXL0xqZlBDdG4wTHNpZ2hm?= =?utf-8?B?ZnA1M1NDL1JseFB6S2t4bkF4c01PNU9iL0FQam5LeklDMzk5QVV3ZncxZm5J?= =?utf-8?B?L2JWMWk3bTk4NTQyTEdLRVRObHp2dUdDd1lmY21Ed2g1SGtWZkFzcXhORk1C?= =?utf-8?B?L1pqSFZSeldjOFFmQzdPUUFXSThQbVZabkh5UXhsYnE3MWhkeitVeGRxN0NP?= =?utf-8?B?dnRqMG00RjgzZ3VpQSs0dk5aRFdnbG9sRUtXNGVZRGxxUCt5MUpHZ0lLZGN3?= =?utf-8?B?MTdVMXVPR2plWE9jK1lkcmQ2L0pzeUVPMjBiZEt6SDAzSFVWWDhURTBRMFdO?= =?utf-8?B?K1ptOWdaMlBwakpjOUJoWGtZSnU2VlMwZ052N1R5RHVhUnZPR0Uyc0s5am42?= =?utf-8?B?aG9iZ3VpN2FxK2FZS29aeFJQSkRBOW5aTXc4VmNXdTJUWElvN2ZhY3JmMjBI?= =?utf-8?B?ZnQ2NmthTjV3eEFkSjVoZDRJTHZ3Rm4wN2RZaWRpWFByb0J6SjNHNTd2cXpv?= =?utf-8?B?K0lvUXBOQWpCTUlYTXhIQ1VCeHhybElhL2pROWxzRnlEV0dMUGpJTUdGZnhp?= =?utf-8?B?d041YjRxc1NoTmw2R01PZ0NkTGxzemFZbzhoTUVmam9DaWtRa2RzNTZMUk03?= =?utf-8?B?TU1kd1R0R3NSZU1tOG8yWFVnclVKekY3cTVvTFVOWjRYUW5rL1FPTW9kd1Ja?= =?utf-8?B?N1hxODBXbm1KcXE5NGFXQnkrY0dQMllpa3JLMTNqV3hwZTZJRVhVK3dUU1RJ?= =?utf-8?B?VlQ1Uzc4ekRTQ1M5cjVEalRoaUVLaHYrbHJBZkxmeXpybStBMG11OFE5RWxB?= =?utf-8?B?S0NCRVJaSytTcXdSakRFRUw2MnRIMVUzb0ZGam1yamFURnVCZEpGVjJ2Q25D?= =?utf-8?B?Z3FyaGZMVm12RUZjTGIzRGx2azMreitGc3VIK2ZaazhMajdrRnpiMnA4elE4?= =?utf-8?B?Nk9tS1FyVzhMTXdhenhPcUhXc0dydVVWUTFwK21vbEJ6SmhKMzJnWFA5aVdv?= =?utf-8?B?bTRISTNDMnd6VTJzSnp5TCsxZVJxaDJZZVdxZS9uUE1NTUJRc2pCOEs4ckcv?= =?utf-8?B?citOZ3BxTTUybktwVFU3Y0dUKzJTdENqei9ZNUsySGh1MytzU3pySUNXWmRm?= =?utf-8?B?OEdDT3hpMGpqVUVWa2ZkRk1IWEo3QXBhNnRlU0hsSEpkcFo0eW8ySVV0bEU4?= =?utf-8?Q?OPEA=3D?= X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(1800799024)(376014);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?YzRiZlVoN1FlRURJY1RSODJ3TmFNUG4xbXFzRERoSE5EM3RKM3BIVzF0VGs4?= =?utf-8?B?VFRwNkY1MDRLOGI1WW9RVnlWYm5HM0tmNS9tU29UZXRad3pCVXVXVGJWcTNK?= =?utf-8?B?aU1uU09ISm5wdnBVakg1NCtLVDUweGp3QmJ1ZXBuN1ZLZ05LQ2FNMnp6cmly?= =?utf-8?B?dXMzS0pBdWM3SG95RkNDMmZPUGFkcWVvSUlmR0lza2pVNTIzREVIaEd0bGFG?= =?utf-8?B?MUVrOTZObHlnK2ZJKzl2Z1MzVTA3bks4UEZZdFF1dEM1Q1BFM0ZVS0thaU1H?= =?utf-8?B?RWVyMkdXUk9pbnFjVjh3blVBaXl0eUR0OTBtNUVTMnM2RkIxM2NJVy9qQURj?= =?utf-8?B?UTFvd095bDl2bFJBOTlINldHR2hCaVc1eDRWeXpUVjVHa0xnOHBFdm1MWWdE?= =?utf-8?B?SEorU2hzV2RZQjlCeVZ2OE8xNjVTd3J1K2Z3UzFRRWJrUGtpZmtzb00yRWY5?= =?utf-8?B?VHd6YUFYaVhSV0xxc2Jwakhhd0dXNlBHbXc5dzFBSk9zZkg0SXEyZkZ1T3k0?= =?utf-8?B?cUluekNaTERaS2xINlVDOEExY2ZuWTE3NkR6b0ZtTElnN1l5V2hqTy9lWFFO?= =?utf-8?B?bmkyRXgxaVR1dGdzV2JBNU1rNmwvQmNkbThNZDVXUHR6VW9oQTRhcEN2Rnp1?= =?utf-8?B?MVVybkVSQVJGQWQ2ZVM1UmZQRFFFSDNUMHRJQTlESFZOWVh4VnZGM3ZueHZi?= =?utf-8?B?SkN0WExBUVBhTGZwWTJYTGJGL1Q4WlVTWXh6T2tKNVcrWlpjQVZFMmcrOURi?= =?utf-8?B?eGNSdU13M0t4MnY2Qk1xbkQ5elNHT3c0ZlBwRFVFeGg0MkhFbHJmc042UTl1?= =?utf-8?B?V2hFL1FaemxXT3Z3VHlKRWwyR0IrQVN6VGxWK2w0MXdFNmxUSW5mUmVFWXZU?= =?utf-8?B?b1h0MGZsMmdST0FFc004YTgyR0hPczBmTjZPY2k3djNZRzZXcjdRUW9DZm5q?= =?utf-8?B?K2lCcXRJQWorV3ZsS2FMUHBCOFU4YlRTUVRUK2s4NVBzUUVGVkZ2VWN5dmtm?= =?utf-8?B?SURlOVRqSEpTaUZqcEo3dEpWK1R5MWJaTDFOajAwN21HS2NiME9McWRqVUJ0?= =?utf-8?B?YzFuUFc2dVpvTzNqa3R0Ukl2b1ZOMnE1K3hQejdtbHZsWlV2cFlsM1ExUG9X?= =?utf-8?B?a2oxaTAxOVdLN2kwRWV3aG9hU2tjUm5OblRrbUt0bUVSamlVT01PNGFIRWxz?= =?utf-8?B?Qk5ERUNpT2VGRzFYSUlhT2REQmY4cVBHT0xWTE1PNGVNNjlNeWkvcWtQSW50?= =?utf-8?B?dTNKMGxDMmhpRjRIUW1rRGUwdnVvTDZYWlFBMTRnbzc4c2NHbHdaVUNNZ1Nt?= =?utf-8?B?d2JpZldRWmRraUVSK1VudzM4NFB1MnRPSC9wS0tSM3l6TzlVQ0NzZWx1dFk4?= =?utf-8?B?UXlGRWh6SnZXbEFRUVlpOXdxOWg4MkYyeEw0akZIU1RNZ1g2Z3QyUmVXd3JO?= =?utf-8?B?bzgzb1JWTTNsTlNzRk5WL0ZIQ0JISjN3K3hhTUFGaGtMdEQ0cnZTK0JZMElE?= =?utf-8?B?YnVHdmx0SWJ3U1M5VnY2SjlKb3lVL2d0dktiV3V3Y1o5OEpqaEVHRDNLdmdJ?= =?utf-8?B?Q0x0aDI3eFZ3Tk5EN09teE10R3FDc3B3N1pSbE5MZWR2L1p6NjYyNzc5dUhQ?= =?utf-8?B?MFhleWJDMm1MdGwybm9FZUcyR25zN0wwUndPZU81bUZCRHQ3a3dScWJLVDA5?= =?utf-8?B?a1NQZ2hUbHdXWGtZMERSVGZvTks2d3BKWmJDZmNKd1BCWHhrdG5SRTJTN0NF?= =?utf-8?B?cVpLOVBPMzl2QlRpM0Q5T1ZWK0E3endtaVkwcGdNdDBUNXltYkJCbTRlTlpt?= =?utf-8?B?Z3JCMEVBZU0wNmNHeEFWTXRRa2tHbVZ0a3lNeEZQL0NwdXZtdnZ3SU1JR2hS?= =?utf-8?B?djczMjh2d1JhNnlmZkV5akswUXdYY1FiQWljNVo4Y21UWGhETVhPTDNNTDla?= =?utf-8?B?eFI4bFlzV0lyN2crSnpoTGRmSU1hUE5POC9ORUkxT1NNKy9lK3Q1RlNwMXRT?= =?utf-8?B?VDdMM2NydG9xMkV2RCszK2Qwdi91UUQ5b0VmaGltRm1FQTducGFsNFRDU3dG?= =?utf-8?B?QnlCVDBnc0hEUm5nSi93M3JESWN0RkhoamhIK01IR2ZPMzE3OUNjSjhndjU0?= =?utf-8?B?aFpUQnEwU25KT3JSbWhxdEVYR0hLeDJLeTZSeE5hQXh6eVprYTAvSHpSY0Ru?= =?utf-8?B?SUJPQ0U5clAwOTVzVFpTZlJnK3hldHZIOVVGQnp6MkFPTFhwbUxvSDdReVk3?= =?utf-8?B?UDhIQURTcVczUHdMY0JPWkhTQk1aWlNNd3VzYmtUVjNORjlSQ3UzZ0t4a3Zs?= =?utf-8?B?WllMd2IrY0d5UFVZaFM5d00wMWVQUDF6NGk4UGo5V0k2MDY4TjRwUT09?= X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 466fb8d9-c9df-4e01-9e53-08de6f082095 X-MS-Exchange-CrossTenant-AuthSource: AS4PR10MB6181.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 18 Feb 2026 16:09:43.2384 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: oWeFV+m0qpJ15PyYMZAHAmsXPw9ZbTofG/dihJ6eqRVJgnPs6L2ly9DS5UsSn0Ed75tiFIRGxfDQR8BilCXOQA== X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI0PR10MB9336 X-Original-Sender: jan.kiszka@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=EdQRHmwA; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of jan.kiszka@siemens.com designates 2a01:111:f403:c201::6 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Jan Kiszka Reply-To: Jan Kiszka Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL, RCVD_IN_RP_CERTIFIED,RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: at76gVp9kCdY On 18.02.26 12:58, 'Felix Moessbauer' via isar-users wrote: > Currently isar requires passwordless sudo and an environment > where mounting file systems is possible. This has proven problematic > for security reasons, both when running in a privileged container or > locally. > > To solve this, we implement fully rootless builds that rely on the > unshare syscall which allows us to avoid sudo and instead operate in > temporary kernel namespaces as a user that is just privileged within > that namespace. This comes with some challenges regarding the handling > of mounts (they are cleared when leaving the namespace), as well as > cross namespace deployments (the outer user might not be able to access > the inner data). For that, we rework the handling of mounts and artifact > passing to make it compatible with both chroot modes (schroot and > unshare). > > Signed-off-by: Felix Moessbauer > --- > Kconfig | 2 +- > RECIPE-API-CHANGELOG.md | 29 +++++++ > doc/user_manual.md | 2 + > meta/classes-global/base.bbclass | 67 ++++++++++++++- > meta/classes-recipe/deb-dl-dir.bbclass | 9 +- > meta/classes-recipe/dpkg-base.bbclass | 16 +++- > meta/classes-recipe/dpkg.bbclass | 14 +++- > .../image-locales-extension.bbclass | 9 +- > .../image-tools-extension.bbclass | 82 +++++++++++++++++++ > meta/classes-recipe/rootfs.bbclass | 53 +++++++++--- > meta/classes-recipe/sbuild.bbclass | 27 +++++- > meta/classes-recipe/sdk.bbclass | 11 ++- > meta/conf/bitbake.conf | 7 +- > .../isar-mmdebstrap/isar-mmdebstrap.inc | 12 ++- > .../sbuild-chroot/sbuild-chroot.inc | 24 +++++- > 15 files changed, 332 insertions(+), 32 deletions(-) > > diff --git a/Kconfig b/Kconfig > index 683c0da5..5ef2bfcb 100644 > --- a/Kconfig > +++ b/Kconfig > @@ -14,7 +14,7 @@ config KAS_INCLUDE_MAIN > > config KAS_BUILD_SYSTEM > string > - default "isar" > + default "isar-rootless" > > source "kas/machine/Kconfig" > source "kas/distro/Kconfig" > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index f80630a0..29bf7590 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -990,3 +990,32 @@ rootless builds. For that, the deployment of images happens in two steps: > > Conversion commands need to follow this strategy as well, but can read the image > (prior to conversion) from `${IMAGE_FILE_CHROOT}`. > + > +### Rootless isar execution > + > +Isar is able to run without the need for `sudo` in an environment that > +allows unprivileged users to unshare the kernels `user namespace`. Further, > +a sufficiently large set of sub ids needs to be configured in `/etc/subuid` / `etc/subgid`. > +This range should be `> 65536`, but smaller ranges might work as well, depending on the > +ids used in the rootfs. > + > +A simple check if rootless is supported can be done by running: > + > +```bash > +mmdebstrap --unshare-helper /bin/echo "rootless supported" || echo "rootless not supported" > +``` > + > +On many systems, setting the following settings is sufficent, but no general guidance > +can be provided. > + > +```bash > +echo 0 | sudo tee -a /proc/sys/kernel/apparmor_restrict_unprivileged_userns This might be an Ubuntu patch, right? Should be clarified. > +echo 1 | sudo tee -a /proc/sys/kernel/unprivileged_userns_clone This is Debian-only (see e.g. https://salsa.debian.org/kernel-team/linux/-/blob/debian/latest/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch?ref_type=heads). But it's on by default now. Jan -- Siemens AG, Foundational Technologies Linux Expert Center -- You received this message because you are subscribed to the Google Groups "isar-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/isar-users/da499bc0-a3f6-48de-884a-8e9a3e435b85%40siemens.com.