From: "'Jan Kiszka' via isar-users" <isar-users@googlegroups.com>
To: Felix Moessbauer <felix.moessbauer@siemens.com>,
	isar-users@googlegroups.com
Cc: quirin.gylstorff@siemens.com
Subject: Re: [RFC 11/12] add support for fully rootless builds
Date: Wed, 18 Feb 2026 17:50:37 +0100
Message-ID: <fe587e5b-9d7d-432b-aee5-df18d10a5743@siemens.com>
In-Reply-To: <20260218115827.3947145-12-felix.moessbauer@siemens.com>

On 18.02.26 12:58, 'Felix Moessbauer' via isar-users wrote:
> Currently isar requires passwordless sudo and an environment
> where mounting file systems is possible. This has proven problematic
> for security reasons, both when running in a privileged container or
> locally.
> 
> To solve this, we implement fully rootless builds that rely on the
> unshare syscall which allows us to avoid sudo and instead operate in
> temporary kernel namespaces as a user that is just privileged within
> that namespace. This comes with some challenges regarding the handling
> of mounts (they are cleared when leaving the namespace), as well as
> cross namespace deployments (the outer user might not be able to access
> the inner data). For that, we rework the handling of mounts and artifact
> passing to make it compatible with both chroot modes (schroot and
> unshare).
> 
> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> ---
>  Kconfig                                       |  2 +-
>  RECIPE-API-CHANGELOG.md                       | 29 +++++++
>  doc/user_manual.md                            |  2 +
>  meta/classes-global/base.bbclass              | 67 ++++++++++++++-
>  meta/classes-recipe/deb-dl-dir.bbclass        |  9 +-
>  meta/classes-recipe/dpkg-base.bbclass         | 16 +++-
>  meta/classes-recipe/dpkg.bbclass              | 14 +++-
>  .../image-locales-extension.bbclass           |  9 +-
>  .../image-tools-extension.bbclass             | 82 +++++++++++++++++++
>  meta/classes-recipe/rootfs.bbclass            | 53 +++++++++---
>  meta/classes-recipe/sbuild.bbclass            | 27 +++++-
>  meta/classes-recipe/sdk.bbclass               | 11 ++-
>  meta/conf/bitbake.conf                        |  7 +-
>  .../isar-mmdebstrap/isar-mmdebstrap.inc       | 12 ++-
>  .../sbuild-chroot/sbuild-chroot.inc           | 24 +++++-
>  15 files changed, 332 insertions(+), 32 deletions(-)
> 
> diff --git a/Kconfig b/Kconfig
> index 683c0da5..5ef2bfcb 100644
> --- a/Kconfig
> +++ b/Kconfig
> @@ -14,7 +14,7 @@ config KAS_INCLUDE_MAIN
>  
>  config KAS_BUILD_SYSTEM
>  	string
> -	default "isar"
> +	default "isar-rootless"
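
Review bot: Flipping the Kconfig default from "isar" to "isar-rootless" silently moves every menu-driven build onto the new mode, yet no kas configuration named after isar-rootless appears among the 15 files in the diffstat above, so please confirm the config this default selects actually exists (possibly added by an earlier patch in the series) and record the changed default in RECIPE-API-CHANGELOG.md, which this patch already touches, so users who relied on the old default know why their builds now require user namespaces instead of sudo.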

You didn't patch kas/isar.yaml as well - might be a trap for people not
using the menu.

Jan

-- 
Siemens AG, Foundational Technologies
Linux Expert Center
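
The commit message above relies on three properties of unshare-based builds: the build step sees itself as root inside the namespace, mounts made there are gone once the namespace is left, and only the mapped uid is usable, so artifacts for other uids cannot simply be handed to the outer user. The following script is an added illustration of those three points and is not code from the RFC series or from Isar; it assumes util-linux unshare(1), GNU or BusyBox stat(1), and a kernel that permits unprivileged user namespaces (where it does not, the function returns 2 instead of failing).

```shell
#!/bin/sh
# Added example, not Isar or RFC code. Demonstrates, with a single-entry
# uid map as created by "unshare -r", why the RFC has to rework mount
# handling and artifact passing:
#   1. inside the namespace the build user is uid 0,
#   2. a tmpfs mounted inside vanishes when the mount namespace is left,
#   3. only uid 0 is mapped: creating a file owned by an unmapped uid
#      (here 1000) is refused, the simplest form of the cross-namespace
#      deployment problem.
# Returns 0 if all three observations held, 2 if the host does not allow
# unprivileged user/mount namespaces, 1 on any other failure.

rootless_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/mnt" || { rm -rf "$work"; return 1; }

    # Probe: can this user create a user namespace and mount a tmpfs in it?
    if ! unshare -Urm sh -c 'mount -t tmpfs none "$1"' sh "$work/mnt" 2>/dev/null; then
        rm -rf "$work"
        return 2
    fi

    # The "privileged" build step: -U new user namespace, -r map our uid
    # to root inside it, -m new mount namespace. Runs as uid 0 inside only.
    unshare -Urm sh -c '
        set -e
        mount -t tmpfs none "$1/mnt"
        echo inner > "$1/mnt/file"      # on the private tmpfs
        echo outer > "$1/artifact"      # on the real filesystem
        # uid 1000 is not in our uid_map, so the kernel refuses the chown;
        # succeeding here would mean the map is wider than assumed.
        chown 1000 "$1/artifact" 2>/dev/null && exit 99
        id -u > "$1/uid_inside"
    ' sh "$work" || { rm -rf "$work"; return 1; }

    # 1. the step ran as root from its own point of view
    [ "$(cat "$work/uid_inside")" = "0" ] || { rm -rf "$work"; return 1; }
    # 2. the tmpfs mount, and the file on it, did not survive the namespace
    [ ! -e "$work/mnt/file" ] || { rm -rf "$work"; return 1; }
    # 3. the artifact written "as root" is owned by the real outer user
    owner=$(stat -c %u "$work/artifact") || { rm -rf "$work"; return 1; }
    [ "$owner" = "$(id -u)" ] || { rm -rf "$work"; return 1; }

    rm -rf "$work"
    return 0
}

rootless_demo
echo "rootless_demo exit status: $?"
```

Observation 3 is why tools such as mmdebstrap in unshare mode use subuid ranges via newuidmap: with a wider map, files created for inner uids like 1000 do appear outside, but owned by a subuid the invoking user cannot read or delete without re-entering the namespace, which is the situation the commit message describes as "the outer user might not be able to access the inner data".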

