[PATCH] kas: Support kas build system selection


Anton Mikanovich

Jun 9, 2026, 4:53:56 AM
to isar-...@googlegroups.com, Anton Mikanovich
This adds yaml Kconfig options that allow choosing the kas build system
from the following list:

--isar-rootless
--isar-privileged

After moving to the rootless kas container, the previously used "--isar" option
becomes deprecated and should be replaced by "--isar-privileged".

Signed-off-by: Anton Mikanovich <ami...@ilbers.de>
---
Kconfig | 3 ++-
kas/opt/Kconfig | 20 ++++++++++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/Kconfig b/Kconfig
index 66dd4112..cfea1902 100644
--- a/Kconfig
+++ b/Kconfig
@@ -1,5 +1,5 @@
# This software is a part of Isar.
-# Copyright (C) 2023 ilbers GmbH
+# Copyright (C) 2023-2026 ilbers GmbH
#
# SPDX-License-Identifier: MIT
#
@@ -14,6 +14,7 @@ config KAS_INCLUDE_MAIN

config KAS_BUILD_SYSTEM
string
+ default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
default "isar-rootless"

source "kas/machine/Kconfig"
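Review bot: The added line `default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED` gives KAS_BUILD_SYSTEM two default lines, so its value is only well-defined after Kconfig has evaluated the choice symbol; anything that reads this entry textually sees both strings. Felix's replies in this thread report that kas-container cannot parse this form and needs a trivial definition. I would suggest keeping the single unconditional default here and treating the mode as an input to kas. If the conditional stays, add a comment above the entry naming the symbol from kas/opt/Kconfig it depends on, since that dependency is not visible from this file.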
diff --git a/kas/opt/Kconfig b/kas/opt/Kconfig
index ac9b2f55..1bea49b8 100644
--- a/kas/opt/Kconfig
+++ b/kas/opt/Kconfig
@@ -115,6 +115,26 @@ config KAS_INCLUDE_USER_ISAR

endmenu

+
+menu "Kas build system"
+
+choice
+ prompt "Kas build system"
+ default KAS_BUILD_SYSTEM_ISAR_ROOTLESS
+ help
+ Rootless build mode is using unshare syscall to avoid security issues.
+ Otherwize privileged mode with sudo permissions still can be used.
+
+config KAS_BUILD_SYSTEM_ISAR_ROOTLESS
+ bool "Rootless (--isar-rootless)"
+
+config KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
+ bool "Privileged (--isar-privileged)"
+
+endchoice
+
+endmenu
+
config KAS_IMAGE_FSTYPES
string "Additional image fstypes"
default ""
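Review bot: The help text under the choice is too vague for a security-relevant selection and contains a typo: "to avoid security issues" does not say what privileged mode implies, and "Otherwize" should be "Otherwise". Suggested wording: "Rootless mode uses the unshare syscall, so the build does not need sudo. Privileged mode runs with sudo permissions and is kept for backward compatibility." Two smaller points: the hunk adds a second empty line before `menu "Kas build system"`, and the menu and the choice prompt carry the same title, so one of them is redundant. The commit message calls "--isar" deprecated, but neither option label mentions it; naming the old option in the privileged entry's help would help users who are migrating.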
--
2.34.1

Anton Mikanovich

Jun 9, 2026, 4:55:43 AM
to isar-...@googlegroups.com, Felix Moessbauer
09.06.2026 11:53, Anton Mikanovich wrote:
> This adds yaml Kconfig options that allow choosing the kas build system
> from the following list:
>
> --isar-rootless
> --isar-privileged
>
> After moving to the rootless kas container, the previously used "--isar" option
> becomes deprecated and should be replaced by "--isar-privileged".
>
> Signed-off-by: Anton Mikanovich <ami...@ilbers.de>
This commit is supposed to be a part of the "add support to build isar
unprivileged" patchset to keep privileged kas building for backward
compatibility.

MOESSBAUER, Felix

Jun 9, 2026, 7:01:57 AM
to ami...@ilbers.de, isar-...@googlegroups.com

Note that this will only work on re-execution of kas, i.e. you need to
save the config and then run kas build. Running kas menu + build does
not work, as it is in the wrong container / execution mode.

Felix


Anton Mikanovich

Jun 9, 2026, 7:07:38 AM
to MOESSBAUER, Felix, isar-...@googlegroups.com
09.06.2026 14:01, MOESSBAUER, Felix wrote:
> On Tue, 2026-06-09 at 11:53 +0300, Anton Mikanovich wrote:
>> config KAS_BUILD_SYSTEM
>> string
>> + default "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED
>> default "isar-rootless"
> Note that this will only work on re-execution of kas, i.e. you need to
> save the config and then run kas build. Running kas menu + build does
> not work, as it is in the wrong container / execution mode.
>
> Felix
In this case the previously set "--isar" value will be used, which is still
supported but results in a warning from kas.
Is it a big problem?

MOESSBAUER, Felix

Jun 9, 2026, 7:26:14 AM
to ami...@ilbers.de, isar-...@googlegroups.com

Well... --isar and --isar-privileged are the same. We should anyways
use --isar to still support older kas releases (in fact we don't even
have a kas release which supports --isar-privileged yet).

The bigger issue is that kas-container --isar-rootless only affects how
the container is started, but not how the build is started. The build
is started based on the build_system entry in the config.yaml file,
whereby rootless mode sets the ISAR_ROOTLESS=1 variable in the local
config.

kas-container also reads the build_system value from the KConfig or
.config.yml and starts the container accordingly. By that, we have to
treat the build system mode (rootless or privileged) as INPUT to kas
menu instead of a KConfig option of the menu.

My proposal is to just keep the build_system as "isar" in both the
KConfig and isar.yaml for now (at least until we have a kas version
that supports both). Later on, we can model the switching.

Best regards,
Felix

MOESSBAUER, Felix

Jun 9, 2026, 7:30:10 AM
to ami...@ilbers.de, isar-...@googlegroups.com
On Tue, 2026-06-09 at 11:01 +0000, 'MOESSBAUER, Felix' via isar-users
wrote:

PS: kas-container is not able to parse this. We must use a trivial
KAS_BUILD_SYSTEM definition.

[1]
https://github.com/siemens/kas/blob/c9e4f67a1a8a7310f81519954370241bba4981c2/kas-container#L568

Felix
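
The "trivial KAS_BUILD_SYSTEM definition" requirement from the message above can be checked mechanically, for instance in CI. This is an added example, not code from the thread or from kas; the function names are hypothetical, and "trivial" is assumed to mean exactly one `default` line with no `if` condition. The sample files are constructed from the hunk quoted in this thread.

```shell
#!/bin/sh
# Added example: lint that KAS_BUILD_SYSTEM has a "trivial" definition.
# Assumption: trivial = exactly one `default` line with no `if` condition.

# check_trivial_build_system FILE
# Prints the default value and returns 0 if trivial; otherwise prints the
# reason to stderr and returns 1.
check_trivial_build_system() {
    awk '
        # Any of these keywords starts a new Kconfig entry or block.
        $1 ~ /^(config|menuconfig|choice|endchoice|menu|endmenu|source|if|endif)$/ {
            in_entry = ($1 == "config" && $2 == "KAS_BUILD_SYSTEM")
            next
        }
        in_entry && $1 == "default" {
            n++
            if ($3 == "if") cond++      # default "<value>" if <SYMBOL>
            value = $2
        }
        END {
            if (n != 1 || cond > 0) {
                printf("KAS_BUILD_SYSTEM: %d default line(s), %d conditional\n", n, cond) > "/dev/stderr"
                exit 1
            }
            gsub(/"/, "", value)
            print value
        }
    ' "$1"
}

# Constructed samples: the entry as it reads before and after the patch in
# this thread, written to DIR/before and DIR/after.
write_samples() {
    printf 'config KAS_BUILD_SYSTEM\n\tstring\n\tdefault "isar-rootless"\n\nsource "kas/machine/Kconfig"\n' > "$1/before"
    printf 'config KAS_BUILD_SYSTEM\n\tstring\n\tdefault "isar-privileged" if KAS_BUILD_SYSTEM_ISAR_PRIVILEGED\n\tdefault "isar-rootless"\n\nsource "kas/machine/Kconfig"\n' > "$1/after"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_trivial_build_system "$demo_dir/before"
check_trivial_build_system "$demo_dir/after" || echo "after: rejected"
rm -rf "$demo_dir"
```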

Jan Kiszka

Jun 9, 2026, 10:08:21 AM
to Anton Mikanovich, isar-...@googlegroups.com, Felix Moessbauer
As Felix already pointed out, this will not work. I would recommend
sticking with privileged builds until there is at least a kas release which
comes with the required support. Then, Isar could switch its default
over to rootless, leaving privileged mode only via command line
selection for CI purposes.

Jan

--
Siemens AG, Foundational Technologies
Linux Expert Center