Commit graph

1033 commits

Author SHA1 Message Date
Oliver Gutierrez
7a5f3ba2e2 test/system: Make tests non-destructive
This allows to run the test suite without having to worry about blasting
the whole local state of Podman.

This is done by creating a configuration file with a custom path for the
storage of Podman and specifying the config file using an env var.

The used location for the temporary storage is located either under
XDG_CACHE_HOME and if the one is not defined, $HOME/.cache is used
instead. The data are namespaced. This follows the XDG Base Directory
Specification[0]. Other locations could be /tmp or /run but those
locations usually use tmpfs and that filesystem can not be used by
Podman[1] due to missing features in tmpfs.

https://github.com/containers/toolbox/pull/818

[0] https://specifications.freedesktop.org/basedir-spec/latest/index.html
[1] https://github.com/containers/podman/issues/10693#issuecomment-863007516
2021-12-01 01:09:34 +02:00
Jens Petersen
8a329752e0 .zuul: pump the current fedora releases to 34 & 35
F33 will EOL at the end of this month (Nov 2021)

https://github.com/containers/toolbox/pull/927
2021-12-01 01:01:40 +02:00
Debarshi Ray
61efad34bc profile.d: Fix the PS1 on Z shell
Currently, on Fedora, a nested instance of Z shell inside a Toolbox
container renders the PS1 like this:
\[\]⬢\[\][\u@\h \W]\$

Notice that Z shell doesn't like that the terminal escape sequences
for the foreground colour are wrapped in '\[' and '\]' [1], and doesn't
understand the special characters like '\u' and '\h'.

This is fixed by making the PS1 specific to the shell. The prompt for
Z shell is based on the default prompt used on Fedora, just like the
one for Bash.

Note that this only affects nested instances of Z shell because of the
way the start-up scripts for Z shell are written on Fedora. Toolbox
invokes top-level shell as a login shell, and for those the PS1 set by
profile.d/toolbox.sh is overwritten by the operating system's default
in /etc/zshrc. See:
https://bugzilla.redhat.com/show_bug.cgi?id=2026749

[1] Commit bc1a816ea3
    https://github.com/debarshiray/toolbox/issues/190

https://github.com/containers/toolbox/pull/936
2021-11-25 19:04:20 +01:00
Debarshi Ray
95dbb5ed49 profile.d: Avoid warnings for undefined variables with 'set -u'
See:
https://gitlab.gnome.org/GNOME/vte/-/issues/285
https://gitlab.gnome.org/GNOME/vte/-/commit/e148105691926cbd

https://github.com/containers/toolbox/pull/936
2021-11-25 18:10:43 +01:00
Debarshi Ray
5c51809a35 README.md: Remove stale comment
Fallout from abb2ac6fd4

https://github.com/containers/toolbox/pull/934
2021-11-23 16:16:14 +01:00
Debarshi Ray
80bed47919 README.md: Update image requirements
All these tools were only used by the POSIX shell implementation. The
Go implementation never used them.

Note that the test suite still invokes id(1) inside a container.
However, it's not a user-visible requirement, and hence is not a hard
requirement for Toolbox images.

https://github.com/containers/toolbox/pull/934
2021-11-23 16:16:10 +01:00
Debarshi Ray
bcb80cf7c6 README.md: Don't require unlink(1) in images
Fallout from 0cf3c99377

https://github.com/containers/toolbox/pull/934
2021-11-23 16:16:06 +01:00
Debarshi Ray
036a33882f README.md: Require mount(8) in images
Fallout from 819bb46aaa

https://github.com/containers/toolbox/issues/929
2021-11-23 15:52:44 +01:00
Austin C. Minor
2e4e5bc2a8 README.md: Require capsh(1) in images
https://github.com/containers/toolbox/pull/930
2021-11-23 15:43:14 +01:00
Debarshi Ray
8071bb5cb8 images: Add fedora-toolbox image definition for Fedora 36
https://github.com/containers/toolbox/pull/931
2021-11-19 03:27:45 +01:00
Debarshi Ray
df05e276b2 images: Avoid losing mount(8) by accident
The util-linux package was added to ensure the presence of the mount(8)
command. Currently the package is already pulled in by various
dependencies. Therefore, it doesn't increase the size of the image, but
serves as a safeguard against any inadvertent changes.

Note that starting from Fedora 35 onwards, the fedora base images no
longer have mount(8), which increases the importance of this change.

Only the images for currently maintained Fedoras (ie., 34 and 35) were
updated.

https://github.com/containers/toolbox/issues/929
2021-11-19 02:46:34 +01:00
Debarshi Ray
5dbcd377c6 images: Ensure that coreutils-single is replaced by coreutils-full
It's true that the fedora base images no longer come with
coreutils-single, but they used to, and the ubi base images still do.
Therefore, it's worth being extra defensive about this.

It's better to make the build system execute one extra redundant
command than expose users to a bug because of a change that snuck in
unnoticed.

Only the images for currently maintained Fedoras (ie., 34 and 35) were
updated.

This reverts commit 033ed71ec1.

https://github.com/containers/toolbox/pull/931
2021-11-19 02:46:30 +01:00
Debarshi Ray
7542f5fc86 cmd/initContainer: Avoid RPM failures due to unexpected file owners
When running rootless, files and directories bind mounted from the
host operating system can have their ownership listed as
nobody:nobody. This is because the UIDs and GIDs that actually own
those locations are not available inside the container.

Some distribution packages are particular about the file ownerships of
some of these locations. eg., Fedora's filesystem, flatpak and
libvirt-libs RPMs. Encountering nobody:nobody as the owner can fail
package management transactions involving such packages leading to
unforeseen consequences.

Therefore, configure RPM to leave these locations alone.

https://github.com/containers/toolbox/pull/640
2021-11-17 02:55:09 +01:00
Debarshi Ray
55f944c1e7 cmd/utils: Add copyright and license notices
https://github.com/containers/toolbox/pull/924
2021-11-16 10:29:37 +02:00
Debarshi Ray
c8aaed52c5 build: Don't assume that libc.so is always in /usr/lib or /usr/lib64
The location for public shared libraries can change from one operating
system distribution to another. eg., while Fedora uses /usr/lib and
/usr/lib64, depending on the hardware architecture, Debian uses paths
like /usr/lib/x86_64-linux-gnu. Therefore, it's best not to assume
anything and ask the toolchain.

https://github.com/containers/toolbox/pull/923
2021-11-13 03:18:36 +01:00
Jakub Steiner
b80ffecd3d README.md, data: Replace outdated logos with pixels
https://github.com/containers/toolbox/issues/920
2021-11-13 02:17:21 +01:00
Debarshi Ray
c9fc47adfd cmd/utils: Style fixes
https://github.com/containers/toolbox/pull/922
2021-11-13 01:21:56 +01:00
Debarshi Ray
01863d8fe0 test/system: Use 'command -v' to detect the presence of man(1)
'command -v' is more obvious when reading and is POSIX compatible [1].
While 'hash' also gets the job done, it's more of a caching mechanism.

[1] http://pubs.opengroup.org/onlinepubs/9699919799/utilities/command.html

https://github.com/containers/toolbox/pull/922
2021-11-13 01:21:52 +01:00
kuba3351
3641a0032f profile.d: Show welcome message on Fedora Kinoite
SC3059 shellcheck rule could be disabled,
because we require bash or zsh to run the welcome script,
so case modification will work.

https://github.com/containers/toolbox/pull/881
2021-11-08 18:06:05 +02:00
Anthony Rabbito
a9cc052efe src: mount pcsd inside toolbox container
https://github.com/containers/toolbox/pull/907

Signed-off-by: Anthony Rabbito <hello@anthonyrabbito.com>
2021-11-08 10:33:50 +02:00
Ondřej Míchal
07afff0c30 test/system: Adjust help test to work only with man present
Unlike the following test this one tests using the content of the
toolbox(1) manual page in man. man has to be present in PATH for this
test to be relevant.

Also, this changes the text used to test the output. The current text
can be found in the added short help message and that causes the test
to pass even though it should not. Instead, look for the text in the
"header" of the manual page.

https://github.com/containers/toolbox/pull/837
2021-11-08 01:44:15 +02:00
Oliver Gutierrez
40fc1689a3 utils, help: Show basic help when "man" command is not available.
Fedora CoreOS systems do not have the man command installed. Running
toolbox --help on such a system results in a "man(1) not found" error.

As a compromise for systems without man, we added a simple help text
showing the most commonly used toolbox commands and a URL that directs
users to the Toolbox website where they can find the manuals in Markdown
format.

Fixes #713

https://github.com/containers/toolbox/pull/837
2021-11-08 01:44:15 +02:00
Ondřej Míchal
be4d3974ef pkg/utils: Move CLI utility functions to cmd
pkg/utils has been in Go Toolbox since its birth. Along the way it
accumulated a number of functions where a few of them are purely CLI
related. Since the majority of functions in the package are related to
some "deeper" functionality in Toolbox, it makes more sense to move the
selected few to package cmd. This will make pkg/utils a bit leaner and
create a dedicated space for cmd utility functions to live in.

In the process the error creation functions no longer require the
executableBase argument to be passed to them.

https://github.com/containers/toolbox/pull/819
2021-11-07 23:18:46 +02:00
Ondřej Míchal
3aeb7cf288 test/system: Add test placeholders for entering containers
These tests need to be implemented in the future but they require some
magic with socat or similar tools as entering a container is creating
a new subshell and that is hard to monitor from a bash script. Better
not to forget then.

https://github.com/containers/toolbox/pull/915
2021-11-07 17:06:53 +02:00
Ondřej Míchal
ca899c8a56 test/system: Add tests for failures for 'root'
https://github.com/containers/toolbox/pull/915
2021-11-07 17:06:53 +02:00
Ondřej Míchal
a7e7e0ac2b test/system: Add tests for failures for 'enter'
https://github.com/containers/toolbox/pull/915
2021-11-07 17:06:53 +02:00
Ondřej Míchal
fc336bd8b0 test/system: Add tests for failures for 'run'
https://github.com/containers/toolbox/pull/915
2021-11-07 17:06:53 +02:00
Ondřej Míchal
02a831466e cmd/enter: Don't use double negation
Double negation is hard to wrap your head around.

https://github.com/containers/toolbox/pull/913
2021-11-07 13:43:27 +02:00
Ron
4d9849c386 Update README.md
Added patchelf under dependencies
2021-11-03 11:21:45 +02:00
Debarshi Ray
112f281fc4 build: Restore backwards compatibility with existing containers
The path of the dynamic linker (ie., PT_INTERP), as specified in an
architecture's ABI, often starts with /lib or /lib64, not /usr/lib or
/usr/lib64. eg., it's /lib/ld-linux-aarch64.so.1 for aarch64 and
/lib64/ld-linux-x86-64.so.2 for x86_64.

Unfortunately, until very recently [1], only the host's /usr was
present inside a toolbox container's /run/host, not /lib or /lib64.
Therefore, simply prepending /run/host to the /usr/bin/toolbox
binary's existing PT_INTERP entry wouldn't locate the host's dynamic
linker inside the toolbox container. This broke backwards compatibility
with every container out there, except the ones created with the
current development version in Git.

To restore backwards compatibility, the /lib and /lib64 symbolic links
must be resolved to their respective locations inside /usr.

The following caveats must be noted:

  * With glibc, even the basename of the path of the dynamic linker as
    specified in an architecture's ABI, is a symbolic link to a file
    named ld-<glibc-version>.so. However, this file can't be used as
    the PT_INTERP entry, because its name will change when glibc is
    updated and the PT_INTERP entry will become invalid until the
    /usr/bin/toolbox binary is rebuilt.

  * On Debian, a path like /lib64/ld-linux-x86-64.so.2 doesn't resolve
    to something inside /usr/lib64. Instead it ends up inside
    /usr/lib/x86_64-linux-gnu through a series of symbolic links:
      - /lib64 -> usr/lib64
      - /usr/lib64/ld-linux-x86-64.so.2
          -> /lib/x86_64-linux-gnu/ld-2.28.so
      - /lib -> usr/lib

  * It's assumed that a symbolic link with the basename specified in
    the ABI lives in the same directory as the actual dynamic linker
    binary named ld-<glibc-version>.so.

Fallout from 6063eb27b9

[1] Commit d03a5fee80
    https://github.com/containers/toolbox/pull/827

https://github.com/containers/toolbox/issues/821
2021-10-25 15:44:51 +02:00
Debarshi Ray
606b37b226 playbooks/setup-env: Restore running ShellCheck in the CI
Fallout from c33075f3e1
2021-10-25 16:12:14 +03:00
Ondřej Míchal
69ffc888ca playbooks: Fix CI for #897
PR #897 made adjustments to the Toolbx binary that it requires presence
of /run/host in both the host filesystem and the filesystem in
a container.

The presence of the directory is assured by systemd-tmpfiles by
running it before the binary is started for the first time. For the run
to be effective 'data/tmpfiles.d/toolbox.conf' has to be installed in
a location visible to systemd-tmpfiles. Therefore, the call to
'systemd-tmpfiles --create' had to be placed after the install step.

https://github.com/containers/toolbox/pull/898
2021-10-22 16:43:38 +03:00
Ondřej Míchal
c33075f3e1 playbooks: Unify test setup for system & unit tests
There is no significant benefit in keeping this configuration separated.
Now the to-be installed packages are tracked in a single place and the
test playbooks only call the relevant tests.

This was pointed out by in 6063eb27b9

https://github.com/containers/toolbox/pull/898
2021-10-22 16:43:38 +03:00
Debarshi Ray
6063eb27b9 build: Ensure that binaries are run against their build-time ABI
The /usr/bin/toolbox binary is not only used to interact with toolbox
containers and images from the host. It's also used as the entry point
of the containers by bind mounting the binary from the host into the
container. This means that the /usr/bin/toolbox binary on the host must
also work inside the container, even if they have different operating
systems.

In the past, this worked perfectly well with the POSIX shell
implementation because it got interpreted by whichever /bin/sh was
available. However, the Go implementation, can run into ABI
compatibility issues because binaries built on newer toolchains aren't
meant to be run against older runtimes.

The previous approach [1] of restricting the versions of the glibc
symbols that are linked against isn't actually supported by glibc, and
breaks if the early process start-up code changes. This is seen in
glibc-2.34, which is used by Fedora 35 onwards, where a new version of
the __libc_start_main symbol [2] was added as part of some security
hardening:
  $ objdump -T ./usr/bin/toolbox | grep GLIBC_2.34
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    __libc_start_main
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_detach
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_create
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_attr_getstacksize

This means that /usr/bin/toolbox binaries built against glibc-2.34 on
newer Fedoras fail to run against older glibcs in older Fedoras.

Another option is to make the host's runtime available inside the
toolbox container and ensure that the binary always runs against it.

Luckily, almost all supported containers have the host's /usr available
at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to
/run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing
the path of the dynamic linker (ie., PT_INTERP) to the one inside
/run/host.

Unfortunately, there can only be one PT_INTERP entry inside the
binary, so there must be a /run/host on the host too. Therefore, a
/run/host symbolic link is created on the host that points to the
host's /.

Based on ideas from Alexander Larsson and Ray Strode.

[1] Commit 6ad9c63180
    https://github.com/containers/toolbox/pull/534

[2] glibc commit 035c012e32c11e84
    https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84
    https://sourceware.org/bugzilla/show_bug.cgi?id=23323

https://github.com/containers/toolbox/issues/821
2021-10-22 01:20:03 +02:00
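
The PT_INTERP handling described in commits 6063eb27b9 and 112f281fc4 above, worked through as an added example that is not code from the Toolbox project: it reads PT_INTERP from an ELF64 image and derives the path under /run/host by resolving the /lib and /lib64 symbolic links while keeping the ABI basename. The function names, the in-memory symlink table and the sample ELF image are constructed for illustration; the Debian link chain is the one quoted in the commit message.

```python
import posixpath
import struct

PT_INTERP = 3  # program header type that names the dynamic linker

# Constructed symlink table modelling the Debian chain quoted in the commit.
DEBIAN_LINKS = {
    "/lib64": "usr/lib64",
    "/usr/lib64/ld-linux-x86-64.so.2": "/lib/x86_64-linux-gnu/ld-2.28.so",
    "/lib": "usr/lib",
}


def read_pt_interp(elf):
    """Return the PT_INTERP path of a little-endian ELF64 image, or None."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            raw = elf[p_offset:p_offset + p_filesz]
            return raw.split(b"\0", 1)[0].decode()
    return None


def resolve(path, links, limit=40):
    """Follow symlinks in every component of path using the links table."""
    for _ in range(limit):
        parts = path.strip("/").split("/")
        cur = ""
        for i, part in enumerate(parts):
            cur += "/" + part
            if cur in links:
                # Relative targets are relative to the link's directory;
                # an absolute target replaces the prefix entirely.
                base = posixpath.join(posixpath.dirname(cur), links[cur])
                path = posixpath.normpath(posixpath.join(base, *parts[i + 1:]))
                break
        else:
            return path  # no component is a symlink any more
    raise RuntimeError("too many levels of symbolic links")


def interp_under_run_host(interp, links):
    """Directory of the real linker plus the ABI basename, under /run/host."""
    real = resolve(interp, links)
    # Keep the ABI name, not ld-<glibc-version>.so, so a glibc update does
    # not invalidate the entry (assumes the ABI-named link sits beside it).
    return "/run/host" + posixpath.join(
        posixpath.dirname(real), posixpath.basename(interp))


def sample_elf(interp):
    """Constructed minimal image: ELF64 header, one PT_INTERP entry, the path."""
    data = interp.encode() + b"\0"
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH",
                        3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ",
                       PT_INTERP, 4, 120, 0, 0, len(data), len(data), 1)
    return ehdr + phdr + data


if __name__ == "__main__":
    abi = read_pt_interp(sample_elf("/lib64/ld-linux-x86-64.so.2"))
    print(abi, "->", interp_under_run_host(abi, DEBIAN_LINKS))
```
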
Debarshi Ray
452dc797f7 tmpfiles.d: Style fix
The subsequent commit will add an entry to create a /run/host symbolic
link on the host that points to /, and it will require explicitly
skipping some of the columns. Doing the same for the existing entry
will make the file more readable.

https://github.com/containers/toolbox/issues/821
2021-10-21 20:29:35 +02:00
Debarshi Ray
d6b1fbea4c cmd/run: Unbreak 'enter' if the shell had exited with 127
Currently, 'toolbox enter' can get into a loop if the user tried to
run something inside the shell that didn't exist, and quit immediately
afterwards:
  $ toolbox enter
  ⬢$ foo
  bash: foo: command not found
  ⬢$
  logout
  Error: command /bin/bash not found in container fedora-toolbox-34
  Using /bin/bash instead.
  ⬢$

This is because:

  * The shell forwards the exit code of the last command that was
    invoked as its own exit code. If the last command that was
    attempted was absent then this exit code is 127.

  * 'podman exec' uses 127 as the exit code when it can't invoke the
    command. If it's able to successfully invoke the command, it
    forwards the exit code of the command itself.

Therefore, in the above example 'podman exec' itself returns with an
exit code of 127 even though both the working directory and the command
that were passed to it were present. Hence, it's necessary to
explicitly check if the requested command was really absent before
attempting the fallbacks.

Fallout from 4536e2c8c2

https://github.com/containers/toolbox/pull/872
2021-09-13 13:28:38 +02:00
Debarshi Ray
208d553cec cmd/run: Style fixes
Fallout from 4536e2c8c2

https://github.com/containers/toolbox/pull/872
2021-09-13 13:28:38 +02:00
Alex Jia
26ae0bb896 test/system: fix typo in 102-list.bats
Signed-off-by: Alex Jia <chuanchang.jia@gmail.com>
2021-09-10 10:42:16 +01:00
Oliver Gutierrez
075b9a8d27 tests: Fix tests to setup the XDG_RUNTIME_DIR variable when empty
https://github.com/containers/toolbox/pull/857

When the XDG_RUNTIME_DIR variable is empty toolbox is not able to
initialize the container correctly and fails to run.
2021-08-09 19:57:41 +02:00
Oliver Gutierrez
09fb237727 tests: Changed container image source for busybox
Due to docker rate limiting we cannot rely on docker.io for
retrieving the images.

This was detected when executing our tests for podman fedora
gating pipeline. Our busybox image was not downloaded and
one of the list tests was failing.
2021-08-09 17:09:29 +02:00
Ondřej Míchal
04c673dd06 test/system: Test pull failure
Follow-up to https://github.com/containers/toolbox/pull/852

https://github.com/containers/toolbox/pull/854
2021-07-29 10:10:02 +02:00
Ondřej Míchal
9820550c82 test/system: Use BATS_RUN_TMPDIR for image cache
Using the current working directory for cache is not a good solution
since the test files may reside in a location that is unwritable (e.g.,
/usr/share). The `BATS_RUN_TMPDIR` variable should point to a location
that is sure to be writeable from the test suite.

https://github.com/containers/toolbox/pull/850
2021-07-28 09:31:35 +02:00
Debarshi Ray
660b6970e9 cmd/create: Mention that private images require 'podman login'
It's not possible to programmatically detect when an image requires
logging into the registry [1]. Therefore, instead of trying to handle
'podman pull' failures due to lack of authorization, just mention that
private images require 'podman login' and that further details of the
failure can be found by using the --verbose option.

[1] https://github.com/containers/podman/issues/10858

https://github.com/containers/toolbox/issues/754
https://github.com/containers/toolbox/pull/852
2021-07-23 04:00:20 +02:00
Ondřej Míchal
20f4f68c4e cmd/root, pkg/utils: Add support for configuration files
It looks like there are some oddities with Viper [1]. The errors can't
be examined with errors.As [2] and Viper doesn't actually throw
ConfigFileNotFoundError if a configuration file is not found. Secondly,
there's no way to find out if a key was actually specified in a
configuration file. The InConfig API doesn't return 'true' even if a
key was mentioned in a configuration file, and the IsSet API returns
'true' even if the key was only set via SetDefault in the code.

Some changes by Debarshi Ray.

[1] https://pkg.go.dev/github.com/spf13/viper
[2] https://blog.golang.org/go1.13-errors

https://github.com/containers/toolbox/pull/828
https://github.com/containers/toolbox/pull/851
2021-07-23 03:56:03 +02:00
Ondřej Míchal
ffdfaa7410 data/config: Add reference configuration file
The file format is TOML[0] but the file extension is .conf to follow the
convention set by Podman.

https://github.com/containers/toolbox/pull/828
https://github.com/containers/toolbox/pull/851
2021-07-23 03:56:03 +02:00
Debarshi Ray
5824f0adcb cmd/create, pkg/utils: Simplify hint after creating a container
A subsequent commit will add support for configuration files, which can
override the default toolbox image. Since this override affects all
commands, it effectively ends up adding a fourth option to the 'enter'
command, other than the existing options to change the distribution,
release and container. This makes it a lot more difficult to reason
when only 'toolbox enter --release N' is enough to enter the created
container.

https://github.com/containers/toolbox/pull/828
https://github.com/containers/toolbox/pull/851
2021-07-23 03:49:08 +02:00
Debarshi Ray
6a37695086 pkg/utils: Mark a private function as such
Figuring out the default toolbox image for a given distribution only
needs to happen as part of resolving the final toolbox image name from
the given command line options.

Fallout from c990fb43ca

https://github.com/containers/toolbox/pull/828
https://github.com/containers/toolbox/pull/851
2021-07-23 03:49:08 +02:00
Ondřej Míchal
b0beb68255 test/system: Fix flaky test
This is a naive attempt to solve the flaking. It could be caused by what
is going inside of the run function.
2021-07-22 11:19:02 +02:00
Ondřej Míchal
0ff01977d6 playbooks: Stop cloning bats libraries
The libraries are now provided as submodules. There's no need to clone
them separately.

https://github.com/containers/toolbox/pull/842
2021-07-22 10:23:53 +02:00
Ondřej Míchal
2594199fef test/system: Track bats libs as submodules & install them better
This will make it easier to work with system tests.

https://github.com/containers/toolbox/pull/842
2021-07-22 10:23:53 +02:00