toolbox/meson.build

project(
  'toolbox',
  version: '0.0.99.2',
  license: 'ASL 2.0',
  meson_version: '>= 0.53.0',
)

go = find_program('go')
go_md2man = find_program('go-md2man')
patchelf = find_program('patchelf')
shellcheck = find_program('shellcheck', required: false)
skopeo = find_program('skopeo', required: false)

bash_completion = dependency('bash-completion', required: false)

profiledir = get_option('profile_dir')

tmpfilesdir = get_option('tmpfiles_dir')
if tmpfilesdir == ''
  systemd_dep = dependency('systemd')
  tmpfilesdir = systemd_dep.get_pkgconfig_variable('tmpfilesdir')
endif

if bash_completion.found()
  install_data(
    'completion/bash/toolbox',
    install_dir: bash_completion.get_pkgconfig_variable('completionsdir')
  )
endif

if not skopeo.found()
    message('Running system tests requires Skopeo for OCI image manipulation.')
endif

install_subdir(
  'test',
  install_dir: join_paths(get_option('datadir'), meson.project_name()),
  exclude_files: [
    'system/libs/bats-assert/.git',
    'system/libs/bats-assert/.gitignore',
    'system/libs/bats-assert/.travis.yml',
    'system/libs/bats-assert/package.json',
    'system/libs/bats-support/.git',
    'system/libs/bats-support/.gitignore',
    'system/libs/bats-support/.travis.yml',
    'system/libs/bats-support/package.json'
    ],
  exclude_directories: [
    'system/libs/bats-assert/.git',
    'system/libs/bats-assert/script',
    'system/libs/bats-assert/test',
    'system/libs/bats-support/.git',
    'system/libs/bats-support/script',
    'system/libs/bats-support/test'
  ]
)

subdir('data')
subdir('doc')
subdir('profile.d')
subdir('src')
Add a Meson-based build system for ease of distribution 2018-10-19 15:45:15 +00:00			`project(`
Drop the "fedora" prefix and rename the project as just "toolbox" The "fedora" prefix was used because this project was specifically incubated to make it easier to hack on Fedora Silverblue. That and the mix of upstream technologies (ie., Buildah and Podman) made it uniquely "Fedora". However, over time it has gotten clear that other groups, currently Fedora downstreams like RHEL, are interested in it too. It won't be surprising if in future it transcends the Fedora universe altogether. Moreover, this project was inspired by coreos/toolbox [1]. There are good reasons and enough interest to have a unified toolbox project that addresses the needs of both Fedora CoreOS and Silverblue. Therefore, it is best to drop the "fedora" prefix and call the whole thing just "toolbox". No extra effort was made to retain compatibility with the older name due to the project's young age. Its userbase is limited to the earliest of early adopters, and the benefits of a clean break outweigh the loss of compatibility. The OCI images and the toolbox container still retain the "fedora" prefix to disambiguate them from their counterparts from other operating systems. [1] https://github.com/coreos/toolbox https://github.com/debarshiray/toolbox/issues/8 2019-02-15 15:36:30 +00:00			`'toolbox',`
Prepare 0.0.99.2 2021-06-26 17:29:57 +00:00			`version: '0.0.99.2',`
Add a Meson-based build system for ease of distribution 2018-10-19 15:45:15 +00:00			`license: 'ASL 2.0',`
build: Ensure that binaries are run against their build-time ABI The /usr/bin/toolbox binary is not only used to interact with toolbox containers and images from the host. It's also used as the entry point of the containers by bind mounting the binary from the host into the container. This means that the /usr/bin/toolbox binary on the host must also work inside the container, even if they have different operating systems. In the past, this worked perfectly well with the POSIX shell implementation because it got intepreted by whichever /bin/sh was available. However, the Go implementation, can run into ABI compatibility issues because binaries built on newer toolchains aren't meant to be run against older runtimes. The previous approach [1] of restricting the versions of the glibc symbols that are linked against isn't actually supported by glibc, and breaks if the early process start-up code changes. This is seen in glibc-2.34, which is used by Fedora 35 onwards, where a new version of the __libc_start_main symbol [2] was added as part of some security hardening: $ objdump -T ./usr/bin/toolbox \| grep GLIBC_2.34 0000000000000000 DF UND 0000000000000000 GLIBC_2.34 __libc_start_main 0000000000000000 DF UND 0000000000000000 GLIBC_2.34 pthread_detach 0000000000000000 DF UND 0000000000000000 GLIBC_2.34 pthread_create 0000000000000000 DF UND 0000000000000000 GLIBC_2.34 pthread_attr_getstacksize This means that /usr/bin/toolbox binaries built against glibc-2.34 on newer Fedoras fail to run against older glibcs in older Fedoras. Another option is to make the host's runtime available inside the toolbox container and ensure that the binary always runs against it. Luckily, almost all supported containers have the host's /usr available at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to /run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing the path of the dynamic linker (ie., PT_INTERP) to the one inside /run/host. Unfortunately, there can only be one PT_INTERP entry inside the binary, so there must be a /run/host on the host too. Therefore, a /run/host symbolic link is created on the host that points to the host's /. Based on ideas from Alexander Larsson and Ray Strode. [1] Commit 6ad9c631806961f3 https://github.com/containers/toolbox/pull/534 [2] glibc commit 035c012e32c11e84 https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84 https://sourceware.org/bugzilla/show_bug.cgi?id=23323 https://github.com/containers/toolbox/issues/821 2021-10-21 18:22:11 +00:00			`meson_version: '>= 0.53.0',`
Add a Meson-based build system for ease of distribution 2018-10-19 15:45:15 +00:00			`)`

build: Ship the Go implementation by default, not the POSIX shell one The Go implementation is now considered stable enough for wider use, and should have feature parity with its POSIX shell counterpart. https://github.com/containers/toolbox/pull/437 2020-05-13 21:34:00 +00:00			`go = find_program('go')`
Add manuals https://github.com/debarshiray/toolbox/pull/66 2019-02-28 17:07:24 +00:00			`go_md2man = find_program('go-md2man')`
build: Ensure that binaries are run against their build-time ABI The /usr/bin/toolbox binary is not only used to interact with toolbox containers and images from the host. It's also used as the entry point of the containers by bind mounting the binary from the host into the container. This means that the /usr/bin/toolbox binary on the host must also work inside the container, even if they have different operating systems. In the past, this worked perfectly well with the POSIX shell implementation because it got intepreted by whichever /bin/sh was available. However, the Go implementation, can run into ABI compatibility issues because binaries built on newer toolchains aren't meant to be run against older runtimes. The previous approach [1] of restricting the versions of the glibc symbols that are linked against isn't actually supported by glibc, and breaks if the early process start-up code changes. This is seen in glibc-2.34, which is used by Fedora 35 onwards, where a new version of the __libc_start_main symbol [2] was added as part of some security hardening: $ objdump -T ./usr/bin/toolbox \| grep GLIBC_2.34 0000000000000000 DF UND 0000000000000000 GLIBC_2.34 __libc_start_main 0000000000000000 DF UND 0000000000000000 GLIBC_2.34 pthread_detach 0000000000000000 DF UND 0000000000000000 GLIBC_2.34 pthread_create 0000000000000000 DF UND 0000000000000000 GLIBC_2.34 pthread_attr_getstacksize This means that /usr/bin/toolbox binaries built against glibc-2.34 on newer Fedoras fail to run against older glibcs in older Fedoras. Another option is to make the host's runtime available inside the toolbox container and ensure that the binary always runs against it. Luckily, almost all supported containers have the host's /usr available at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to /run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing the path of the dynamic linker (ie., PT_INTERP) to the one inside /run/host. Unfortunately, there can only be one PT_INTERP entry inside the binary, so there must be a /run/host on the host too. Therefore, a /run/host symbolic link is created on the host that points to the host's /. Based on ideas from Alexander Larsson and Ray Strode. [1] Commit 6ad9c631806961f3 https://github.com/containers/toolbox/pull/534 [2] glibc commit 035c012e32c11e84 https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84 https://sourceware.org/bugzilla/show_bug.cgi?id=23323 https://github.com/containers/toolbox/issues/821 2021-10-21 18:22:11 +00:00			`patchelf = find_program('patchelf')`
build: Add a test that runs shellcheck on the toolbox script https://github.com/debarshiray/toolbox/pull/83 2019-04-10 12:03:15 +00:00			`shellcheck = find_program('shellcheck', required: false)`
meson: Rearrange lines & check for Skopeo Skopeo is now a dependency for running system tests[0]. It is not a hard dependency but at least give the user a heads-up. https://github.com/containers/toolbox/pull/732 2021-03-21 21:58:23 +00:00			`skopeo = find_program('skopeo', required: false)`
Show a welcome text on interactive shells running on Silverblue hosts The welcome text uses the OSC 8 [1] escape sequence to add a hyperlink to the Silverblue documentation [2]. Silence a SC1003 [3] because the intention is to print the 'ESC \' string terminator (or ST), and not escape a single quote. [1] https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda [2] https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/ [3] https://github.com/koalaman/shellcheck/wiki/SC1003 https://github.com/debarshiray/toolbox/pull/127 2019-04-24 17:36:36 +00:00
meson: Rearrange lines & check for Skopeo Skopeo is now a dependency for running system tests[0]. It is not a hard dependency but at least give the user a heads-up. https://github.com/containers/toolbox/pull/732 2021-03-21 21:58:23 +00:00			`bash_completion = dependency('bash-completion', required: false)`

			`profiledir = get_option('profile_dir')`
build: Allow overriding the path to tmpfilesdir When installing to a non-system-wide prefix as a non-root user, the tmpfilesdir path defined by systemd might not be accessible. Overriding the path helps to prevent the installation from failing. https://github.com/containers/toolbox/pull/717 2021-07-05 01:46:07 +00:00
			`tmpfilesdir = get_option('tmpfiles_dir')`
			`if tmpfilesdir == ''`
			`systemd_dep = dependency('systemd')`
			`tmpfilesdir = systemd_dep.get_pkgconfig_variable('tmpfilesdir')`
			`endif`
Give access to removable devices and other temporary mounts Currently, when udisks is configured to use /run/media instead of /media, on most operating systems, the /run/media directory is created by udisks itself when the first mount is handled [1]. This causes problems when creating the toolbox container, if nothing has been mounted after the current boot, because a missing directory cannot be bind mounted. Fedora Silverblue is a significant exception to the above, where rpm-ostree takes care of creating /run/media with systemd-tmpfiles [2] during boot. The correct long-term solution is to get udisks to create /run/media during boot with systemd-tmpfiles by installing a snippet in tmpfiles.d [3, 4]. Until that happens, and is widely deployed, the toolbox needs to provide the snippet itself to make things work on the majority of operating systems. Note that, in case udisks is configured to use /media instead of /run/media, then this will create an unused /run/media directory. This is probably fine because /run/media is the default setting for udisks. Moreover, an unused directory is way better than not being able to access mount points from a toolbox container or having 'podman create' fail due to a missing directory. Based on 4a2a15f2eb3a6b810fcf9b699272fcc9a7871c6e and as suggested by Daniel J Walsh. [1] UDisks commit aa02e5fc53efdeaf https://github.com/storaged-project/udisks/commit/aa02e5fc53efdeaf [2] rpm-ostree commit 958dfa435e4e4a3e https://github.com/projectatomic/rpm-ostree/commit/958dfa435e4e4a3e [3] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html [4] https://github.com/storaged-project/udisks/pull/641 https://github.com/debarshiray/toolbox/issues/3 2019-03-12 17:45:19 +00:00
completion: Add Bash completion Make using toolbox a bit more convenient by properly completing its options. The completions should be complete (that is, there are completions for all the commands and options shown in --help), but no attempt is made to filter out conflicting options (for example "toolbox rm --all my-container"). https://github.com/debarshiray/toolbox/pull/133 2019-04-25 19:16:30 +00:00			`if bash_completion.found()`
			`install_data(`
			`'completion/bash/toolbox',`
			`install_dir: bash_completion.get_pkgconfig_variable('completionsdir')`
			`)`
			`endif`

meson: Rearrange lines & check for Skopeo Skopeo is now a dependency for running system tests[0]. It is not a hard dependency but at least give the user a heads-up. https://github.com/containers/toolbox/pull/732 2021-03-21 21:58:23 +00:00			`if not skopeo.found()`
			`message('Running system tests requires Skopeo for OCI image manipulation.')`
			`endif`

build: Install the tests Installing the tests will let downstream distributors like Fedora run them as part of their build and CI systems. https://github.com/containers/toolbox/pull/511 2020-07-23 15:17:38 +00:00			`install_subdir(`
			`'test',`
test/system: Track bats libs as submodules & install them better This will make it easier to work with system tests. https://github.com/containers/toolbox/pull/842 2021-07-09 12:05:26 +00:00			`install_dir: join_paths(get_option('datadir'), meson.project_name()),`
			`exclude_files: [`
			`'system/libs/bats-assert/.git',`
			`'system/libs/bats-assert/.gitignore',`
			`'system/libs/bats-assert/.travis.yml',`
			`'system/libs/bats-assert/package.json',`
			`'system/libs/bats-support/.git',`
			`'system/libs/bats-support/.gitignore',`
			`'system/libs/bats-support/.travis.yml',`
			`'system/libs/bats-support/package.json'`
			`],`
			`exclude_directories: [`
			`'system/libs/bats-assert/.git',`
			`'system/libs/bats-assert/script',`
			`'system/libs/bats-assert/test',`
			`'system/libs/bats-support/.git',`
			`'system/libs/bats-support/script',`
			`'system/libs/bats-support/test'`
			`]`
build: Install the tests Installing the tests will let downstream distributors like Fedora run them as part of their build and CI systems. https://github.com/containers/toolbox/pull/511 2020-07-23 15:17:38 +00:00			`)`

Give access to removable devices and other temporary mounts Currently, when udisks is configured to use /run/media instead of /media, on most operating systems, the /run/media directory is created by udisks itself when the first mount is handled [1]. This causes problems when creating the toolbox container, if nothing has been mounted after the current boot, because a missing directory cannot be bind mounted. Fedora Silverblue is a significant exception to the above, where rpm-ostree takes care of creating /run/media with systemd-tmpfiles [2] during boot. The correct long-term solution is to get udisks to create /run/media during boot with systemd-tmpfiles by installing a snippet in tmpfiles.d [3, 4]. Until that happens, and is widely deployed, the toolbox needs to provide the snippet itself to make things work on the majority of operating systems. Note that, in case udisks is configured to use /media instead of /run/media, then this will create an unused /run/media directory. This is probably fine because /run/media is the default setting for udisks. Moreover, an unused directory is way better than not being able to access mount points from a toolbox container or having 'podman create' fail due to a missing directory. Based on 4a2a15f2eb3a6b810fcf9b699272fcc9a7871c6e and as suggested by Daniel J Walsh. [1] UDisks commit aa02e5fc53efdeaf https://github.com/storaged-project/udisks/commit/aa02e5fc53efdeaf [2] rpm-ostree commit 958dfa435e4e4a3e https://github.com/projectatomic/rpm-ostree/commit/958dfa435e4e4a3e [3] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html [4] https://github.com/storaged-project/udisks/pull/641 https://github.com/debarshiray/toolbox/issues/3 2019-03-12 17:45:19 +00:00			`subdir('data')`
Add manuals https://github.com/debarshiray/toolbox/pull/66 2019-02-28 17:07:24 +00:00			`subdir('doc')`
Show a welcome text on interactive shells running on Silverblue hosts The welcome text uses the OSC 8 [1] escape sequence to add a hyperlink to the Silverblue documentation [2]. Silence a SC1003 [3] because the intention is to print the 'ESC \' string terminator (or ST), and not escape a single quote. [1] https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda [2] https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/ [3] https://github.com/koalaman/shellcheck/wiki/SC1003 https://github.com/debarshiray/toolbox/pull/127 2019-04-24 17:36:36 +00:00			`subdir('profile.d')`
build: Hook up the Go code with Meson Meson doesn't support Go [1], so this is implemented by a custom target that invokes 'go build' to generate the binary. Unfortunately, when using Go modules, 'go build' insists on being invoked in the same source directory where the go.mod file lives, while Meson insists on using a build directory separate from the corresponding source directory. This is addressed by using a build script that goes into the source directory and then invokes 'go build'. Currently, the Go code is only built when a Go implementation is found, and even then, it's not installed. Non-technical end-users are supposed to continue using the POSIX shell implementation until the Go version is blessed as stable. [1] https://github.com/mesonbuild/meson/issues/123 https://github.com/containers/toolbox/pull/318 2020-05-08 11:29:18 +00:00			`subdir('src')`