Commit graph

517 commits

Author SHA1 Message Date
Harry Míchal
d3e0f3df06 Don't use a toolbox container until after it has been configured
It was possible to have 'podman exec' invoked against a toolbox
container before the entry point had finished initializing it. This
could lead to situations where '$USER' didn't yet exist inside the
container when 'podman exec' attempted running a binary as that user,
which would end up failing 'toolbox enter'.

There are a number of corner cases that need to be kept in mind while
implementing any kind of synchronization.

First, older containers don't use 'toolbox init-container' as their
entry point. This might mean that their start-up can't be synchronized
but they should still be kept working in their current state.

Second, once a container has been started, subsequent 'podman start'
invocations are NOPs. They won't lead to newer instances of the entry
point process being launched.

Third, the entry point process can crash or get killed due to an
out-of-band 'podman stop'. In such cases, 'toolbox enter' should not
get confused or deadlocked. It should give a meaningful error message
to the user.

Fourth, it would be nice to not have to touch the 'create' command so
that toolbox containers created with Toolbox 0.0.10 onwards can have
their start-up synchronized. This means that the host can't add any
new environment variable or bind mount to the container to agree upon
a path that's keyed by the container's identity and shared with the
host.

Given all these considerations, a timed busy loop that looks for the
presence of a stamp file, keyed by the entry point's PID, is the most
robust solution that can be verified as correct. Anything involving
file locks becomes increasingly complicated and hard to verify.

Under normal circumstances, the loop isn't expected to last more than
a few iterations. In case the entry point dies, the loop will time out
after approximately 25 seconds, the same interval as the default for
D-Bus method calls.

Some changes by Debarshi Ray based on an idea from Jan Hlaváč.

https://github.com/containers/toolbox/pull/305
2019-10-23 02:19:25 +02:00
Debarshi Ray
08fa8f5440 Quote a few variables to avoid triggering SC2086 in future
See: https://github.com/koalaman/shellcheck/wiki/SC2086

https://github.com/containers/toolbox/pull/305
2019-10-23 02:18:07 +02:00
Debarshi Ray
7d6ad61f32 Log the GID map of the user namespace in 'reset' into the debug output
https://github.com/containers/toolbox/pull/305
2019-10-23 02:18:03 +02:00
Debarshi Ray
1736e7037a Tweak the debug output
https://github.com/containers/toolbox/pull/305
2019-10-23 02:17:58 +02:00
Debarshi Ray
01cecdd1c2 Re-use a lower numbered file descriptor in 'reset'
POSIX only supports single digit file descriptors. Therefore, there's
value in being frugal about how we allocate them throughout the code.

The 'reset' command is very standalone and isolated from the other
code paths, because it's meant to be a last-ditch attempt to unbreak a
broken Podman installation. This can be exploited to re-use one of the
file descriptors that's used elsewhere in the code. In this case, file
descriptor number 4 is also used to control the spinner.

https://github.com/containers/toolbox/pull/305
2019-10-23 02:17:53 +02:00
Debarshi Ray
2a099e8049 Add a reset command
The 'reset' command is meant to factory reset the local Podman and
Toolbox installations. Every now and then early adopters and testers of
Toolbox have to do this when their local Podman state has gotten
irrecoverably broken due to some Podman bug.

It's useful to have a command that encapsulates all the steps to do a
factory reset, as opposed to having to spell them out separately. It's
easier to document, helps with user support, and can enable less opaque
error messages that suggest a way forward when nothing is working.

Since this command is meant to be used when the Podman installation is
completely broken, it must avoid using any Podman commands at all
costs. This is why it cannot use 'podman stop' to stop any running
containers, nor can it use 'podman unshare' to delete
~/.local/share/containers when running rootless. Instead, it relies on
the user rebooting the machine for the former, and uses newgidmap(1),
newuidmap(1) and unshare(1) to reimplement 'podman unshare' for the
latter.

Note that when running as root, some care has been taken to avoid
removing directories that might be owned by the operating system. eg.,
on Fedora /var/lib/containers/sigstore is owned by the
containers-common RPM.

https://github.com/containers/toolbox/pull/295
2019-10-21 16:27:41 +02:00
Debarshi Ray
4481769182 README.md: Add a section about distro support
Toolbox is being increasingly used outside the Fedora universe. Endless
OS already uses it, and there's some interest in using it on Arch
Linux, Red Hat Enterprise Linux and Ubuntu. Therefore, it's a good
idea to clearly document what's necessary for a smooth Toolbox user
experience on a given operating system distribution.

Note that this might not match the current reality of the code, which
is predominantly developed, tested and used on Fedora. This is a step
towards formally specifying what an OS distributor is expected to
provide. The code can then be iteratively improved to match the
specification.

https://github.com/containers/toolbox/pull/300
2019-10-21 15:36:26 +02:00
Seppo Yli-Olli
0cf3c99377 Unbreak 'run' if container lacks files that are redirected to the host
There's no reason to fail the toolbox container's entry point, if the
container doesn't have its own copies of configuration files that are
ultimately going to be replaced with symbolic links to their host
counterparts.

https://github.com/containers/toolbox/pull/294
2019-10-18 19:15:59 +02:00
Debarshi Ray
2b4c4513c8 README.md: Tweak
Toolbox is being used with Endless OS, which is an OSTree based
operating system built out of Debian packages, not RPMs; and in the
Fedora universe, CoreOS is being increasingly treated as a primary
use-case for Toolbox alongside Silverblue.

https://github.com/containers/toolbox/pull/299
2019-10-16 15:57:45 -04:00
Debarshi Ray
de5e5df9b7 Update the label for tagging to reflect the project's new home
The older com.github.debarshiray.toolbox label is still used in most
places as an alias for the new name for the sake of simplicity and
compatibility; except in 'create', where the new label is explicitly
specified in addition to the older one to help popularize it via newly
created toolbox containers.

The older com.github.debarshiray.toolbox label should eventually be
dropped, but before that, the even older use of com.redhat.component
for tagging needs to be phased out. The com.github.debarshiray.toolbox
label was introduced in commit 0ab6eb7401, as part of Toolbox
0.0.8, right before the release of Fedora 30 [1]. Therefore,
com.redhat.component needs to stay at least until Fedora 29 is
supported.

[1] https://fedoraproject.org/wiki/Releases/30/Schedule

https://github.com/containers/toolbox/pull/293
2019-10-14 12:36:17 +02:00
Harry Míchal
a2b1baf43b completion: Make it work with short options
Using the shorter variant of an option was breaking the state machine.
It would stop suggesting accompanying arguments, commands and other
options.

https://github.com/containers/toolbox/pull/292
2019-10-11 17:02:23 +02:00
Harry Míchal
75a513bf10 completion: Offer all commands after --verbose
This fixes an old remnant of the past. Even though the '--verbose'
option may not do anything for the command, it is compatible with all
of them.

https://github.com/containers/toolbox/pull/292
2019-10-11 17:02:21 +02:00
Harry Míchal
7565f96808 completion: Update Fedora Rawhide version
Fedora 31 has already been branched from Rawhide. F32 is the current
Rawhide.

https://github.com/containers/toolbox/pull/292
2019-10-11 16:55:23 +02:00
Debarshi Ray
4d03cc6eb8 README.md: Update 2019-10-10 15:40:34 +02:00
Debarshi Ray
9474bf3548 Remove the hidden --sudo option and the /etc/sudoers.d snippet
A year ago, when rootless Podman was in its infancy, it was often
necessary to run rootful to test and shake out bugs in Podman. Things
are lot more mature now and this hasn't been necessary in the past few
months. Therefore, it's time to sunset this option.

Removing the --sudo option doesn't break backwards compatibility
because it was neither documented nor advertised to the user in any
way. It was a hidden option only meant to be used by those hacking on
Toolbox itself.

Note that this is different from running 'sudo toolbox ...', which is a
different use-case and uses separate code paths. This is about running
the rest of toolbox(1) as non-root and only invoking the container
tools like Podman as root.

This reverts commit 66ab4da724.

https://github.com/debarshiray/toolbox/pull/285
2019-10-04 15:50:52 +02:00
Debarshi Ray
13a5d15d2f Drop the coloured heading from 'list'
It seems cleaner to limit the use of colour to only marking running
containers. It's redundant to mention that the containers and images
were created by Toolbox because they are being shown by 'toolbox list'
anyway; and there's a second uncoloured heading in a different case,
that differentiates containers from images.

https://github.com/debarshiray/toolbox/pull/284
2019-10-04 14:50:16 +02:00
Debarshi Ray
0ee5b592a2 Prepare 0.0.15 2019-09-30 16:21:56 +02:00
Debarshi Ray
88dc6bb0a9 Tweak the debug output and error messages
This should make it more obvious which part of the two-step process of
copying /etc/profile.d/toolbox.sh into a container the strings are
coming from.

https://github.com/debarshiray/toolbox/pull/279
2019-09-27 18:36:17 +02:00
Debarshi Ray
f647639b8a Be forgiving of a missing /etc/profile.d/toolbox.sh in 'run'
It's common for people to run the toolbox script straight out of the
source tree without installing it system-wide. In such cases, it's
likely that /etc/profile.d/toolbox.sh would be absent on the host, and
as a result also absent from the toolbox container.

The welcome messages and the primary shell prompt (or PS1) are set
through /etc/profile.d/toolbox.sh, so not having it does degrade the
user experience, but it's probably not severe enough to fail the 'run'
command.

This should have been part of commit 0db54946b4 which split the
copying of /etc/profile.d/toolbox.sh into a container into two steps to
avoid using 'podman cp'. It already tried to handle the missing file
in the first step, but not in the second step.

It's also nice to at least make the user aware of the situation by
printing an error message.

https://github.com/debarshiray/toolbox/pull/278
2019-09-27 18:20:57 +02:00
Jens Petersen
d517dc8b01 Update default release to 30 when running on non-fedora hosts
https://github.com/debarshiray/toolbox/pull/205
2019-09-27 17:13:39 +02:00
Debarshi Ray
32bd215f30 Unbreak 'create' on Silverblue
Podman defaults to bind-mounting locations as read-write when neither
'rw' nor 'ro' is explicitly specified.

On Silverblue /usr is mounted read-only on the host. Therefore, it's
not possible to bind-mount it as read-write inside the toolbox
container.

It turns out that Podman doesn't downgrade the default mount flag to
read-only when the source location is such, and this breaks creating
new toolbox containers on Silverblue. See:
https://github.com/containers/libpod/issues/4061

Fallout from d63b0a9c0f

https://github.com/debarshiray/toolbox/pull/276
2019-09-26 20:22:15 +02:00
Debarshi Ray
8308ea6bd6 images: Install only flatpak-spawn, not the rest of flatpak-xdg-utils
https://github.com/debarshiray/toolbox/issues/147
2019-09-24 21:04:32 +02:00
Jens Petersen
033ed71ec1 images: Don't worry about coreutils-single
The fedora base images no longer come with coreutils-single.

https://github.com/fedora-cloud/docker-brew-fedora/issues/58
2019-09-24 20:19:58 +02:00
Debarshi Ray
e265c34cec images: Add fedora-toolbox image definition for Fedora 32 2019-09-24 20:14:32 +02:00
Debarshi Ray
9145ae7690 Don't sanity check /etc/subgid and /etc/subuid when running as root
The /etc/subgid and /etc/subuid files are only meant to be used when
running rootless, and hence don't have an entry for root.

https://github.com/debarshiray/toolbox/issues/267
2019-09-23 18:23:33 +02:00
Debarshi Ray
691c551cd2 Log the real user ID into the debug output
Toolbox might be used as root or rootless. Including the real user ID
in the debug output can help understand bugs or oddities caused by
differences in root versus rootless scenarios.

https://github.com/debarshiray/toolbox/issues/267
2019-09-23 18:23:28 +02:00
Debarshi Ray
3a96feba47 Let the terminal know the active container only on some Fedora variants
In practice, the OSC 777 escape sequence is only supported in Fedora's
fork of VTE. It's completely useless on other distributions.

Moreover, the user experience of tracking and preserving the user's
current toolbox container in GNOME Terminal was designed specifically
for Fedora Silverblue and Workstation, and it still has some rough
edges. eg., not being able to request a shell running on the host from
inside the toolbox, which can make the user feel trapped. While those
kinks get worked out, it's better to not expose users of other Fedora
variants, like CoreOS, to this.

https://github.com/debarshiray/toolbox/pull/272
2019-09-23 17:35:04 +02:00
Debarshi Ray
0c967bcac9 Switch to using /usr/lib/os-release instead of /etc/os-release
On systemd-based systems /etc/os-release is a symbolic link to
/usr/lib/os-release. So this avoids one extra lookup.

https://github.com/debarshiray/toolbox/pull/271
2019-09-23 17:18:11 +02:00
Debarshi Ray
b6b484fa79 Simplify code by dropping compatibility with 'podman create' < 1.4.0
The '--dns=none --no-hosts' options were added to 'podman create' in
Podman 1.2.0, which is within the current minimum required Podman
version of 1.4.0.

https://github.com/debarshiray/toolbox/pull/270
2019-09-23 16:13:12 +02:00
Debarshi Ray
7747274f64 Simplify code
Fallout from 5d78707a21

https://github.com/debarshiray/toolbox/pull/270
2019-09-23 16:13:09 +02:00
Debarshi Ray
2c77778f04 Rely on 'podman system migrate' always being present
The 'podman system migrate' command was added in Podman 1.3.0, which is
within the current minimum required Podman version of 1.4.0.

https://github.com/debarshiray/toolbox/pull/269
2019-09-23 15:48:09 +02:00
Debarshi Ray
d0fefc8e30 Prepare 0.0.14 2019-09-18 18:47:43 +02:00
Debarshi Ray
d63b0a9c0f Expose a few more host locations inside the container under /run/host
This is meant to alleviate some of the pain of not being able to modify
the list of bind mounts once a toolbox container has been created. For
some cases, especially where read-only access is enough, one can get
by with setting up symbolic links inside the toolbox container.

Based on an idea from Colin Walters.

https://github.com/debarshiray/toolbox/pull/264
2019-09-18 17:11:39 +02:00
Erik Sjölund
28833fc95b Adjust the grep match pattern to be more specific
https://github.com/debarshiray/toolbox/pull/211

Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2019-09-10 13:42:59 +02:00
Akira TAGOH
0ed441e471 Check if /run/media is available
No /run/media directory on Chromebook.

https://github.com/debarshiray/toolbox/pull/238
2019-09-10 13:24:49 +02:00
Debarshi Ray
341541ad53 Try to unbreak the terminal size when working nested
When running nested, stty(1) is invoked against the inner
pseudo-terminal pair created by 'podman exec --tty' which may not have
a valid size due to: https://github.com/containers/libpod/issues/3946

In such cases, the COLUMNS and LINES variables set by toolbox(1) in the
outer environment should be forwarded.

This should have been part of commit 05544fb271.

https://github.com/debarshiray/toolbox/issues/242
2019-09-10 12:52:51 +02:00
Debarshi Ray
b2d31e3ab8 Fix typo
It was working because the environment_options variable gets reset
soon afterwards.

Fallout from 05544fb271

https://github.com/debarshiray/toolbox/issues/242
2019-09-10 12:52:51 +02:00
Harry Míchal
44bfa7d304 Preserve the host's ulimits when creating toolbox containers
Since Podman supports '--ulimit host' only from version 1.5.0, which
is newer than the minimum required version of 1.4.0, this only works
if a new enough Podman is available.

https://github.com/debarshiray/toolbox/issues/213
2019-09-09 21:32:43 +02:00
Harry Míchal
49163a89aa Don't exit with a non-zero code from 'toolbox list -i'
When listing only images, 'exit' was picking up the non-zero exit code
from the following (failing) statement meant for containers. An
explicit 'if' branch prevents the exit code of the condition from
leaking out.

Fallout from 5e4e63a11b

https://github.com/debarshiray/toolbox/pull/258
2019-09-09 19:53:32 +02:00
Debarshi Ray
4f8759f759 Suppress error output unless --verbose is being used
https://github.com/debarshiray/toolbox/pull/258
2019-09-09 19:53:29 +02:00
Debarshi Ray
50432df0d6 Give access to the system libvirt instance
This is useful when the session libvirt instance doesn't offer all the
bells and whistles needed for running virtual machines.

https://github.com/debarshiray/toolbox/pull/257
2019-09-09 18:56:55 +02:00
Debarshi Ray
b2e3cbf661 Give access to the system Flatpak directory
This is helpful when running a development build of GNOME Shell from
within a toolbox container. It enables populating the application grid
with Flatpak applications installed system-wide on the host.

https://github.com/debarshiray/toolbox/pull/256
2019-09-09 17:13:51 +02:00
Akira TAGOH
05544fb271 Work around 'podman exec' resetting the terminal size to 80x24
See: https://github.com/containers/libpod/issues/3946

COLUMNS and LINES may not be set in the user's environment. Hence the
existing mechanism for preserving environment variables don't work.

Note that for things to keep working when invoked via D-Bus from
inside a toolbox container, the terminal size needs to be queried using
the standard input stream, instead of explicitly mentioning the
controlling terminal device /dev/tty. This is because stty(1) doesn't
have the notion of a controlling terminal when invoked via D-Bus, but
flatpak-spawn(1) ensures that the standard input stream still points
to the user's interactive terminal.

https://github.com/debarshiray/toolbox/issues/242
2019-09-09 14:40:52 +02:00
Debarshi Ray
cc448a2fb8 Prepare 0.0.13 2019-09-05 15:03:34 +02:00
Debarshi Ray
20dcd81d12 Simplify code by taking advantage of 'podman exec --workdir ...'
The '--workdir ...' option was added to 'podman exec' in Podman 1.0.0,
which is within the current minimum required Podman version of 1.4.0.

https://github.com/debarshiray/toolbox/pull/254
2019-09-05 13:24:50 +02:00
Dusty Mabe
f1524260eb Simplify code by taking advantage of 'podman create --userns=keep-id'
This lets podman do the calculations for mapping the host UID into the
user namespace within the container. See cfcf4eb31e for original
context.

The '--userns=keep-id' option was introduced in Podman 1.4.0, which is
old enough to be in even RHEL 7.

https://github.com/debarshiray/toolbox/issues/244
2019-09-04 21:07:13 +02:00
Harry Míchal
5e63e9ec9b Improve the help or usage output
A new help command has been added which either shows the toolbox(1)
manual or a manual page for a specific command. The '--help' flag is
now identical to the help command and can be placed after the COMMAND
segment in the list of command line arguments.

Due to a bizarre quirk in less(1) [1], the default pager used to render
manuals on most systems, the man(1) invocations need the standard error
stream to point to the controlling terminal, if any, to work. This
interferes with the global redirection of standard error to /dev/null
in the absence of the '--verbose' flag, and is worked around by
redirecting to standard output instead.

[1] It turns out that less(1) tries to open the controlling terminal
    device /dev/tty to get to the keyboard for accepting input.
    However, it doesn't have a controlling terminal when invoked via
    D-Bus to render a manual on the host. It then strangely falls back
    to using the standard error stream to get to the keyboard.

https://github.com/debarshiray/toolbox/pull/200
2019-09-04 20:54:13 +02:00
Harry Míchal
6b8593ec1d doc/toolbox: Shorten the description of the --verbose flag
https://github.com/debarshiray/toolbox/pull/200
2019-09-04 13:06:19 +02:00
Michael Nguyen
c6e37cdef3 profile.d: Tighten the Silverblue check
The Silverblue welcome message was being displayed incorrectly on
other OSTree based OS's (Fedora Atomic Host, Fedora CoreOS, etc).

Note that none of the stable Silverblue releases that have shipped so
far (ie., until Silverblue 30) have had 'silverblue' as the VARIANT_ID.
This makes the check a bit more convoluted that it should have been.

https://github.com/debarshiray/toolbox/pull/236
2019-08-12 13:47:36 +02:00
Debarshi Ray
0dee71b13f images: Drop PackageKit-command-not-found
It connects to the host's PackageKit instance, and tries to install the
packages on the host instead of inside the toolbox container. Remove it
unless there's a proper solution.

https://github.com/debarshiray/toolbox/issues/158
2019-07-22 15:05:21 +02:00