Re: [PATCH v6 00/17] add support to build isar unprivileged

["'MOESSBAUER, Felix' via isar-users" <isar-users@googlegroups.com>]

On Fri, 2026-06-19 at 11:00 +0200, Zhihang Wei wrote:
> On 6/15/26 11:24, 'Felix Moessbauer' via isar-users wrote:
> > Dear isar-users,
> > 
> > currently isar requires password-less sudo and an environment
> > where mounting file systems is possible. This has proven problematic
> > for security reasons, both when running in a privileged container or
> > locally.
> > 
> > To solve this, we implement fully rootless builds that rely on the
> > unshare syscall which allows us to avoid sudo and instead operate in
> > temporary kernel namespaces as a user that is just privileged within
> > that namespace. This comes with some challenges regarding the handling
> > of mounts (they are cleared when leaving the namespace), as well as
> > cross namespace deployments (the outer user might not be able to access
> > the inner data). For that, we rework the handling of mounts and artifact
> > passing to make it compatible with both chroot modes (schroot and
> > unshare).
> > 
> > Note, that this series can be tested on a custom kas-container build
> > provided in [1]. Hints how to migrate downstream layers are provided
> > in the API changelog.
> > 
> > Changes since PATCH v5:
> > 
> > - rebased onto next
> > - adjust to changes from "Rootfs install race fix for isar-apt packages":
> >    Manually add isar-apt mount in rootfs_install_pkgs_isar_download on
> >    rootless
> > - adjust to changes in "image-postproc: gate systemd preset-all on masked
> >    unit state": Trivial change to use run_in_chroot instead of sudo chroot.
> > 
> 
> Hi,
> 
> I found an issue when testing in rootless mode.
> 
> The test was run using a test-container with a customized kas container
> built on 25307f7.
> 
> The following test case fails:
> testsuite/citest.py:NoCrossTest.test_nocross
> when building 'mc:qemumipsel-bookworm:isar-image-ci' in nocross mode.
> 
> Logs follow:
> [stdlog] 2026-06-19 09:30:44,290 avocado.app cibuilder L0347 ERROR| 
> ERROR: mc:qemumipsel-bookworm:isar-mmdebstrap-target-1.0-r0 
> do_bootstrap: 
> ExecutionError('/isar/build/tmp/work/debian-bookworm-mipsel/isar-mmdebstrap-target/1.0-r0/temp/run.do_bootstrap.2096', 
> 25, None, None)
> [stdlog] 2026-06-19 09:30:44,290 avocado.app cibuilder L0347 ERROR| 
> ERROR: Logfile of failure stored in: 
> /isar/build/tmp/work/debian-bookworm-mipsel/isar-mmdebstrap-target/1.0-r0/temp/log.do_bootstrap.2096
> 
> DEBUG: Executing python function sstate_task_prefunc
> DEBUG: Python function sstate_task_prefunc finished
> DEBUG: Executing shell function do_bootstrap
> removed 
> '/isar/build/tmp/work/debian-bookworm-mipsel/isar-mmdebstrap-target/1.0-r0/sources.list.d/bootstrap.list'
> '/isar/build/tmp/work/debian-bookworm-mipsel/isar-mmdebstrap-target/1.0-r0/apt-sources' 
> -> 
> '/isar/build/tmp/work/debian-bookworm-mipsel/isar-mmdebstrap-target/1.0-r0/sources.list.d/bootstrap.list'
> W: binfmt_misc not found in /proc/mounts -- not mounted?
> W: cannot find update-binfmts
> E: mipsel can neither be executed natively nor via qemu user emulation 
> with binfmt_misc

I just tested this, but cannot reproduce. My build correctly passes in
rootless mode. To me, it looks like your container is started in
rootless mode, but the avocado executes the build in privileged mode
(missing the ISAR_ROOTLESS = 1 flag, which is set by setting -p
rootless=1).

> 
> When testing them directly in rootful mode, we have an EXT4 filesystem
> error also when running no_cross, but not known yet which target. Also
> not sure whether it's related. Let me check and get back to you.

Let me know once you identified the target.

Felix

> 
> Zhihang
> 
> -- 
> You received this message because you are subscribed to the Google Groups "isar-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
> To view this discussion visit https://groups.google.com/d/msgid/isar-users/4365217a-491e-4b9c-9a8f-f9c92ce6bcda%40ilbers.de.

-- 
You received this message because you are subscribed to the Google Groups "isar-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to isar-users+unsubscribe@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/isar-users/e297b0a534f817ef13dfb8c12c81c0edafb9b916.camel%40siemens.com.