Open ismagulb opened 7 years ago
Prepare list of commands that require sudo. This will help to adjust sudoers to prevent accidental damage to the build host.
The work will require several iterations; we will continue discussing the steps on the mailing list.
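As an added illustration of the inventory step requested above (not Isar code and not part of the thread), the script below lists the programs that shell text runs through sudo and renders a sudoers rule limited to them. The sample lines, the `PATHS` table, the user `builder` and the alias `BUILD_CMDS` are all constructed assumptions.

```python
import os
import re
import shlex
from collections import Counter

# Constructed sample of build-task shell lines (not copied from Isar's recipes).
SAMPLE = """\
sudo mount --bind /dev "${ROOTFS}/dev"
sudo -E chroot "${ROOTFS}" /usr/bin/apt-get update
sudo -u root FOO=1 debootstrap stable "${ROOTFS}"
echo "sudo is not needed here"
sudo umount "${ROOTFS}/dev" || sudo rm -rf "${ROOTFS}"
"""
# Assumed absolute paths on the build host; confirm each with `command -v`.
PATHS = {"mount": "/usr/bin/mount", "umount": "/usr/bin/umount", "rm": "/usr/bin/rm",
         "chroot": "/usr/sbin/chroot", "debootstrap": "/usr/sbin/debootstrap"}
FLAGS_WITH_ARG = {"-u", "-g", "-C", "-h", "-p"}  # sudo options that take a value
ROOT_EQUIVALENT = {"chroot", "mount", "sh", "bash"}  # not exhaustive


def sudo_commands(text):
    """Count the programs that shell text runs through sudo."""
    found = Counter()
    for line in text.splitlines():
        # Split on shell operators so "a || sudo b" yields two commands.
        for part in re.split(r"\|\||&&|[;|]", line):
            try:
                words = shlex.split(part, comments=True)
            except ValueError:  # unbalanced quotes after splitting
                words = part.split()
            if "sudo" not in words:
                continue
            i = words.index("sudo") + 1
            while i < len(words):  # skip sudo options and VAR=value words
                if words[i] in FLAGS_WITH_ARG:
                    i += 2
                elif words[i].startswith("-") or re.match(r"\w+=", words[i]):
                    i += 1
                else:
                    found[os.path.basename(words[i])] += 1
                    break
    return found


def sudoers_fragment(commands, paths, user="builder"):
    """Render a Cmnd_Alias rule that could replace a blanket NOPASSWD: ALL."""
    names = sorted(commands)
    out = [f"# {n} under sudo still amounts to full root" for n in names if n in ROOT_EQUIVALENT]
    out.append("Cmnd_Alias BUILD_CMDS = " + ", ".join(paths[n] for n in names))
    out.append(f"{user} ALL = (root) NOPASSWD: BUILD_CMDS")
    return "\n".join(out)
```

The comment lines in the generated fragment mark entries such as `chroot` and `mount` that narrow the rule on paper only. Check any resulting file with `visudo -cf` before installing it.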
Are there any efforts or updates to that issue? Just closing it will not remove the issue?
The readme still contains the sudo ALL=NOPASSWD: ALL
Openembedded/yocto is able to build distributions with pseudo just fine. What is the actual problem with pseudo here?
Has anyone looked at using polystrap instead of debootstrap? Also Debian's CrossDebootstrap has a section for building images as non-root user. (also using multistrap)
I saw some approaches using privileged containers but that seems just to "hide" the issue?
1: https://github.com/josch/polystrap
2: https://wiki.debian.org/EmDebian/CrossDebootstrap#Generating_cross_images_as_non-root_user
The topic is not forgotten, "just" not the most urgent one right now. That's also because it remains hard with a real distribution that does not have this case on its "normal" path.
Some background, others may add more: We need a solution that is in line with official Debian installation here. Neither polystrap nor multistrap are maintained anymore. An option we have currently on the horizon is DPKG_ROOT, but that requires support of the packages, thus is nothing you do "overnight".
So what about adding an alternative implementation to isar-bootstrap with mmdebstrap [1]? Which you could choose at e.g. local.conf? I understand that this will require a distribution with dpkg and apt installed but if you could choose the provider for the bootstrap you could choose not to require privileges.
DPKG_ROOT seems to be currently in a very experimental state. So having alternatives to tide over would be fine :)
[1] https://manpages.debian.org/testing/mmdebstrap/mmdebstrap.1.en.html
We do work on the sudo topic (even if with lower priority). Debian relies on root in a number of places. I think those should be solvable, but as commented above, any improvements in Isar should rely on supported Debian use cases.
The first step will be package building migration to sbuild. It's ready for merging, I expect it to be merged in a couple of weeks. In a sense, it also "hides" the issue behind schroot which is SUID root, but that is a known, limited, and more widely tested sandbox. It won't help if you build untrusted sources; in the future, it might be addressable in sbuild via fakechroot / uchroot + pseudo.
The next step will be image building migration to schroot. The patches are production-ready from our PoV. We plan to merge them some time after sbuild, as downstream adjustments might be required.
We have an implementation based on mmdebstrap (far from production state ATM). The current debootstrap implementation relies on debootstrap's internals to supply files. So we looked at upfront package downloading (cache deb, cache deb src) first and have a working version. We'll see whether we push the latter first, or the former could be used with the current cache deb implementation.
We would welcome testing and feedback on those patch series on the isar-users mailing list.
That is great to hear about :) I would love to test the patches! And thanks for the time to write this extended information and roadmap.
I need to read more about sbuild. I have a bigger background to openembedded than to Debian :D That's one of the reasons I like this project more than edi.
Can you point out which patchsets you are exactly talking about? Is the patchset "[PATCH v8 01/15] dpkg-gbp: Use host tools for dsc preparation" the right one?
Is isar-users the developer mailing list?
Do you offer something like patchwork? Or is there a branch for the patches?
Are the patches to mmdebstrap publicly available?
Any updates? I really would like to try the patch set - if there is any - or help to develop one.
Hello mr-nice, thanks for your patience. sbuild has been merged.
Imager schroot migration: https://patchwork.isar-build.org/project/isar/list/?series=876
mmdebstrap: https://patchwork.isar-build.org/project/isar/list/?series=880
This moves sudo to schroot and introduces mmdebstrap under sudo. The next step would be to check and drop the remaining sudo calls. For the latest developments you might want to follow https://groups.google.com/g/isar-users.
Isar creates root filesystem directories on the host with root privileges. Those are also required for tools like multistrap, mount and chroot. Currently, Isar requires using sudo ALL=NOPASSWD: ALL for simplicity.
The goal is to build without root privileges. Motivation:
Candidate tools:
See also: