This is meant to alleviate some of the pain of not being able to modify
the list of bind mounts once a toolbox container has been created. For
some cases, especially where read-only access is enough, one can get
by with setting up symbolic links inside the toolbox container.
Based on an idea from Colin Walters.
https://github.com/debarshiray/toolbox/pull/264
Since Podman supports '--ulimit host' only from version 1.5.0, which
is newer than the minimum required version of 1.4.0, this only works
if a new enough Podman is available.
https://github.com/debarshiray/toolbox/issues/213
When listing only images, 'exit' was picking up the non-zero exit code
from the following (failing) statement meant for containers. An
explicit 'if' branch prevents the exit code of the condition from
leaking out.
Fallout from 5e4e63a11bhttps://github.com/debarshiray/toolbox/pull/258
This is helpful when running a development build of GNOME Shell from
within a toolbox container. It enables populating the application grid
with Flatpak applications installed system-wide on the host.
https://github.com/debarshiray/toolbox/pull/256
See: https://github.com/containers/libpod/issues/3946
COLUMNS and LINES may not be set in the user's environment. Hence the
existing mechanism for preserving environment variables don't work.
Note that for things to keep working when invoked via D-Bus from
inside a toolbox container, the terminal size needs to be queried using
the standard input stream, instead of explicitly mentioning the
controlling terminal device /dev/tty. This is because stty(1) doesn't
have the notion of a controlling terminal when invoked via D-Bus, but
flatpak-spawn(1) ensures that the standard input stream still points
to the user's interactive terminal.
https://github.com/debarshiray/toolbox/issues/242
The '--workdir ...' option was added to 'podman exec' in Podman 1.0.0,
which is within the current minimum required Podman version of 1.4.0.
https://github.com/debarshiray/toolbox/pull/254
This lets podman do the calculations for mapping the host UID into the
user namespace within the container. See cfcf4eb31e for original
context.
The '--userns=keep-id' option was introduced in Podman 1.4.0, which is
old enough to be in even RHEL 7.
https://github.com/debarshiray/toolbox/issues/244
A new help command has been added which either shows the toolbox(1)
manual or a manual page for a specific command. The '--help' flag is
now identical to the help command and can be placed after the COMMAND
segment in the list of command line arguments.
Due to a bizarre quirk in less(1) [1], the default pager used to render
manuals on most systems, the man(1) invocations need the standard error
stream to point to the controlling terminal, if any, to work. This
interferes with the global redirection of standard error to /dev/null
in the absence of the '--verbose' flag, and is worked around by
redirecting to standard output instead.
[1] It turns out that less(1) tries to open the controlling terminal
device /dev/tty to get to the keyboard for accepting input.
However, it doesn't have a controlling terminal when invoked via
D-Bus to render a manual on the host. It then strangely falls back
to using the standard error stream to get to the keyboard.
https://github.com/debarshiray/toolbox/pull/200
The Silverblue welcome message was being displayed incorrectly on
other OSTree based OS's (Fedora Atomic Host, Fedora CoreOS, etc).
Note that none of the stable Silverblue releases that have shipped so
far (ie., until Silverblue 30) have had 'silverblue' as the VARIANT_ID.
This makes the check a bit more convoluted that it should have been.
https://github.com/debarshiray/toolbox/pull/236
It connects to the host's PackageKit instance, and tries to install the
packages on the host instead of inside the toolbox container. Remove it
unless there's a proper solution.
https://github.com/debarshiray/toolbox/issues/158
Toolbox containers created prior to commit 8db414ddc2 didn't have
/run/host/monitor inside them. Therefore, those containers were having
their /etc/localtime and /etc/timezone redirected to locations that
didn't exist.
Instead of selectively checking locations that were added later, it's
more manageable to handle all bind mounted target locations the same.
https://github.com/debarshiray/toolbox/pull/207
Creating /run/.toolboxenv in run(), outside the entry point, has the
advantage of automatically working with older toolbox containers.
However, at some point those containers are going to get end-of-lifed.
Then it would be nice to have this bit of initialization tucked away
inside the entry point.
https://github.com/debarshiray/toolbox/pull/206
Copying files into a running container is considered inherently hacky.
Rootful Podman can pause a container using 'podman cp --pause ...'
during the copy, but that's not possible when used rootless.
Secondly 'podman cp' has suffered from a series of regressions lately.
First there was the problem with how the --pause flag was handled [1],
and then /etc/profile.d/toolbox.sh was getting created as a
directory [2], not regular file, by:
$ podman cp \
--pause=false \
/etc/profile.d/toolbox.sh \
"$container":/etc/profile.d
Try to side-step all that by using $XDG_RUNTIME_DIR as a conduit to
share the file with the container and using plain cp(1) to place it in
the toolbox container's /etc/profile.d.
[1] Commit e715ff2f9bhttps://github.com/debarshiray/toolbox/pull/193
[2] https://github.com/containers/libpod/issues/3384https://github.com/debarshiray/toolbox/issues/196
It was working because 'toolbox_container' is a global variable.
However, given that the name of the toolbox container is already being
passed as an argument to the function, it's better not to use the
global variable.
Fallout from c492907c12https://github.com/debarshiray/toolbox/pull/201
This will let GNOME Terminal preserve the current toolbox container, if
any, when opening a new terminal. Since this is mainly beneficial to
users of an interactive shell inside a toolbox container, the escape
sequences are only emitted by 'toolbox enter', and not 'toolbox run'.
The OSC 777 escape sequence is taken from Enlightenment's Terminology:
https://phab.enlightenment.org/T1765
It's a VTE-specific extension until a standard escape sequence is
agreed upon across multiple different terminal emulators [1].
[1] https://gitlab.freedesktop.org/terminal-wg/specifications/issues/17https://github.com/debarshiray/toolbox/pull/199
The whole idea behind commit 66e982af72 was to set up $HOME and
/home to match the host. Therefore, it's pointless to check if /home
is a symbolic link or not inside the toolbox container. The state of
/home needs to be checked on the host, and then the toolbox container
adjusted accordingly.
One crucial difference is that the toolbox container is created before
its /home can be adjusted. Earlier, there was the user-specific
customized image, whose /home was adjusted first, and then the toolbox
container created from that. This boils down to the following
invocation happening before the symbolic link can be set up:
podman create --volume "$HOME":$HOME":rslave --workdir "$HOME" ...
As a result, on host operating systems like Fedora 29 where /home is a
symbolic link with $HOME pointing inside it, Podman populates /home
with the user's sub-directory inside the toolbox container. This
prevents the subsequent 'rmdir $HOME' from working, and consequently
kills the container's entry point.
Compare that to Fedora 30 and newer where this problem doesn't occur
because /home is a symbolic link but $HOME points inside the target
/var/home directory.
This is why $HOME is canonicalized before bind mounting it into the
container and the container's working directory is reverted back to the
default (ie. /).
Fallout from 8b84b5e460https://github.com/debarshiray/toolbox/issues/185
Rootless containers cannot be paused while data is copied into them.
The '--pause' flag used to default to 'true', but it would be silently
ignored until recently [1,2] when it got turned into an error in
podman-1.4.0. Therefore, it has to be explicitly toggled using
'--pause=false'. Otherwise, it would lead to:
toolbox: copying /etc/profile.d/toolbox.sh to container fubar
Error: cannot copy into running rootless container with pause set -
pass --pause=false to force copying
toolbox: unable to copy /etc/profile.d/toolbox.sh to container fubar
The '--pause' flag was latter changed to default to 'false' [3], but
it's good to be defensive and have this addressed from both sides.
Note that 'podman cp --pause false ...' doesn't work. It's necessary to
use the '=' because it gets confused trying to parse the
space-separated source and destination path arguments.
[1] Podman commit 48e35f7da70c24ed
https://github.com/containers/libpod/commit/48e35f7da70c24ed
[2] Podman commit 57d40939792719e6
https://github.com/containers/libpod/commit/57d40939792719e6
[3] Podman commit d40b450afdc9784a
https://github.com/containers/libpod/commit/d40b450afdc9784ahttps://github.com/debarshiray/toolbox/pull/193
This is relevant when running on hosts where the current user might
have been created long ago with an old version of shadow-utils, and
the host OS has been upgraded in-place ever since.
https://github.com/debarshiray/toolbox/issues/174
Things like the proprietary NVIDIA driver need access to devices
directly inside the /dev directory (eg., /dev/nvidia0 and
/dev/nvidiactl), and since such devices can come and go at runtime they
cannot be bind mounted individually. Instead, the entire directory
needs to be made available.
https://github.com/debarshiray/toolbox/issues/116
Most Debian based images use the 'sudo' group for sudo(8) access, while
Fedora uses the 'wheel' group. Hence check if either group exists
before attempting to add the user to it and fail otherwise.
https://github.com/debarshiray/toolbox/pull/167
The unary logical negation operator (ie. !) was getting associated with
the 'cd /etc' instead of the entire sequence. As a result, neither
/etc/hosts nor /etc/resolv.conf were getting symlinked.
Fallout from 8b84b5e460https://github.com/debarshiray/toolbox/pull/168
The prefixed spinner messages look odd because neither the download
confirmation prompts nor the hints on how to enter a container have
them. It's better to only prefix the debug and error messages so as to
disambiguate their origins.
https://github.com/debarshiray/toolbox/pull/164
This works by configuring the toolbox container after it has been
created, instead of before. The toolbox script itself is mentioned as
the entry point of the container, which does 'exec sleep +Inf' once the
initialization is done.
A new command 'init-container' was added to perform the initialization.
It is primarily meant to be used as the entry point for all toolbox
containers, and must be run inside the container that's to be
initialized. It is not expected to be directly invoked by humans, and
cannot be used on the host.
As a result, the default name for the toolbox containers is now
fedora-toolbox-<version-id>, not fedora-toolbox-<user>-<version-id>.
For backwards compatibility, 'toolbox enter' and 'toolbox run' will
continue to work with containers using the old naming scheme.
https://github.com/debarshiray/toolbox/pull/160
A subsequent commit will create toolbox container names based on both
the base image and the user-specific customized image. This will make
it easier to read.
https://github.com/debarshiray/toolbox/pull/160
