[PATCH v3 1/3] kas-container: add partial support for run0


Felix Moessbauer

Aug 11, 2025, 5:46:00 AMAug 11
to kas-...@googlegroups.com, jan.k...@siemens.com, cedric.h...@siemens.com, Felix Moessbauer, joerg....@navimatix.de, Michael Adler
ISAR builds need to be executed in privileged mode. Currently,
kas-container uses sudo to start the container, but this breaks in
environments that set the "no new privileges" flag (like the VSCode
shell). This can be solved by using run0 (which is a wrapper around
systemd-run) to let the init system directly start the privileged
workload (with PolicyKit based authentication).

We now add experimental support for run0 to kas-container for targets
that conceptually support this (like the podman / docker execution).
We further add this as a fallback in case sudo is not installed.

Tested-by: Michael Adler <michae...@siemens.com>
Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
docs/command-line/environment-variables.inc | 7 +++++
kas-container | 33 +++++++++++++++++++--
2 files changed, 37 insertions(+), 3 deletions(-)

diff --git a/docs/command-line/environment-variables.inc b/docs/command-line/environment-variables.inc
index 3ed26603a..b4ea240e8 100644
--- a/docs/command-line/environment-variables.inc
+++ b/docs/command-line/environment-variables.inc
@@ -200,6 +200,13 @@ overwritten using the ``env`` section of the config file.
| (C) | ``docker`` or ``podman``). If not set, this is |
| | auto-detected (preference: docker). |
+--------------------------+--------------------------------------------------+
+| ``KAS_SUDO_CMD`` | Explicitly set the sudo command (either ``sudo`` |
+| (C) | or ``run0``) for operations that require higher |
+| | privileges. If not set, this is auto-detected |
+| | (preference: ``sudo``). Note, that ``run0`` does |
+| | not preserve the environment and cannot setup |
+| | loopback devices. |
++--------------------------+--------------------------------------------------+

.. |aws_cred| replace:: ``AWS_ROLE_ARN``
``AWS_SHARED_CREDENTIALS_FILE``
diff --git a/kas-container b/kas-container
index 9388c81a9..787a02be6 100755
--- a/kas-container
+++ b/kas-container
@@ -64,7 +64,8 @@ usage()
printf "%b" "menu\t\t\tProvide configuration menu and trigger " \
"configured build.\n"
printf "%b" "\nOptional arguments:\n"
- printf "%b" "--isar\t\t\tUse kas-isar container to build Isar image.\n"
+ printf "%b" "--isar\t\t\tUse kas-isar container to build Isar image. To force\n"
+ printf "%b" " \t\t\tthe use of run0 over sudo, set KAS_SUDO_CMD=run0.\n"
printf "%b" "--with-loop-dev Pass a loop device to the " \
"container. Only required if\n"
printf "%b" "\t\t\tloop-mounting is used by recipes.\n"
@@ -117,6 +118,26 @@ trace()
"$@"
}

+prepare_sudo_cmd()
+{
+ if [ -z "${KAS_SUDO_CMD}" ]; then
+ # Try to auto-detect a privileged executor
+ if command -v sudo >/dev/null; then
+ KAS_SUDO_CMD="sudo"
+ elif command -v run0 >/dev/null; then
+ KAS_SUDO_CMD="run0"
+ else
+ fatal_error "No privileged executor found, need sudo or run0."
+ fi
+ fi
+
+ case "$KAS_SUDO_CMD" in
+ sudo) _KAS_SUDO_CMD="sudo --preserve-env";;
+ run0) _KAS_SUDO_CMD="run0 --background= --unit=kas-container@$$";;
+ *) fatal_error "Unsupported KAS_SUDO_CMD ('${KAS_SUDO_CMD}'), use sudo or run0.";;
+ esac
+}
+
enable_isar_mode()
{
if [ -n "${ISAR_MODE}" ]; then
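Review bot: The two arms of the `case` in prepare_sudo_cmd give the privileged process different environments, and nothing in the function says so. `sudo --preserve-env` carries the caller's whole environment across the privilege boundary, while the run0 arm passes none of it, as the documentation hunk of this patch states. A comment on the arms, e.g. `# sudo forwards the caller's environment; run0 starts from a clean one`, plus a header comment noting that the function may set `KAS_SUDO_CMD` and always sets the global `_KAS_SUDO_CMD`, would make that explicit. Because the fallback to run0 is silent, a `debug "Using ${KAS_SUDO_CMD} as privileged executor"` after the auto-detection would help when a build behaves differently on a host without sudo. prepare_sudo_cmd is complete in this hunk; enable_isar_mode, which starts on its last lines, continues outside it.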
@@ -128,15 +149,17 @@ enable_isar_mode()
KAS_ISAR_ARGS="--privileged"

if [ "${KAS_CONTAINER_ENGINE}" = "podman" ]; then
+ prepare_sudo_cmd
# sudo is needed for a privileged podman container
- KAS_CONTAINER_COMMAND="sudo --preserve-env ${KAS_CONTAINER_COMMAND}"
+ KAS_CONTAINER_COMMAND="${_KAS_SUDO_CMD} ${KAS_CONTAINER_COMMAND}"
# preserved user PATH may lack sbin needed by privileged podman
export PATH="${PATH}:/usr/sbin"
elif [ "${KAS_DOCKER_ROOTLESS}" = "1" ]; then
+ prepare_sudo_cmd
export DOCKER_HOST="${DOCKER_HOST:-unix:///var/run/docker.sock}"
debug "kas-isar does not support rootless docker. Using system docker"
# force use of well-known system docker socket
- KAS_CONTAINER_COMMAND="sudo --preserve-env ${KAS_CONTAINER_COMMAND}"
+ KAS_CONTAINER_COMMAND="${_KAS_SUDO_CMD} ${KAS_CONTAINER_COMMAND}"
KAS_DOCKER_ROOTLESS=0
fi
}
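Review bot: With run0 the `export DOCKER_HOST=...` in the `KAS_DOCKER_ROOTLESS` branch no longer reaches the docker client, because the run0 prefix does not preserve the environment. The "force use of well-known system docker socket" comment then holds only if the client's own default as root happens to be that socket. The same applies to `export PATH="${PATH}:/usr/sbin"` in the podman branch, whose comment still speaks of a preserved user PATH. If the variable is meant to take effect under run0, it has to be handed over explicitly, for example by adding `--setenv=DOCKER_HOST=${DOCKER_HOST}` to the prefix in this branch when `KAS_SUDO_CMD` is `run0`; otherwise the comments should say that these exports only matter for sudo. enable_isar_mode starts outside this hunk.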
@@ -339,6 +362,10 @@ while [ $# -gt 0 ]; do
if [ "$(id -u)" -eq 0 ]; then
fatal_error "loop device not available!"
fi
+ prepare_sudo_cmd
+ if ! [ "$KAS_SUDO_CMD" = "sudo" ]; then
+ fatal_error '--with-loop-dev requires sudo for device setup.'
+ fi
sudo_command="/sbin/losetup -f"
sudo_message="[sudo] enter password to setup loop"
sudo_message="$sudo_message devices by calling"
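Review bot: Calling `prepare_sudo_cmd` here only to reject everything but sudo gives a misleading error on a host with neither tool, since its "need sudo or run0" message names run0 as acceptable although this path cannot use it. The rejection message also does not say which executor was resolved, which matters when run0 was picked by auto-detection rather than set by the user. Something like `fatal_error "--with-loop-dev requires sudo for device setup (KAS_SUDO_CMD='${KAS_SUDO_CMD}')."` makes the cause visible. As a style point, `[ "$KAS_SUDO_CMD" != "sudo" ]` reads more directly than `! [ ... = ... ]`. The enclosing option-parsing loop starts and ends outside this hunk.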
--
2.50.1
