Commit graph

1177 commits

Author SHA1 Message Date
Jordan Petridis
219f5b4be4 cmd/initContainer: Be aware of security hardened / or /etc
On new builds of GNOME OS [1], the host's / is mounted with 'nodev,...'
and those flags are also inherited by /etc because it's not a separate
mount point.  This leads to the same problem with /etc/machine-id that
was seen before with /var/lib/flatpak, /var/lib/systemd/coredump and
/var/log/journal [2].

Therefore, use the same approach [2] to handle /etc/machine-id.

[1] https://gitlab.gnome.org/GNOME/gnome-build-meta/-/issues/718

[2] Commit 1cc9e07b7c
    https://github.com/containers/toolbox/commit/1cc9e07b7c36fe9f
    https://github.com/containers/toolbox/pull/1340

https://github.com/containers/toolbox/issues/911
https://github.com/containers/toolbox/pull/1354

Signed-off-by: Jordan Petridis <jordan@centricular.com>
2023-08-22 22:32:48 +02:00
Nieves Montero
a0514cba12 test/system: Test that D-Bus works
https://github.com/containers/toolbox/issues/1330

Signed-off-by: Nieves Montero <nmontero@redhat.com>
2023-08-22 17:11:59 +02:00
Debarshi Ray
58134f8497 test/system: Test that group and user IDs work
These tests assume that the group and user information on the host
operating system can be provided by different plugins for the GNU Name
Service Switch (or NSS) functionality of the GNU C Library.  eg., on
enterprise FreeIPA set-ups.  However, it's expected that everything
inside the Toolbx container will be provided by /etc/group, /etc/passwd,
/etc/shadow, etc..

While /etc/group and /etc/passwd can be read by any user, /etc/shadow
can only be read by root.  However, it's awkward to use sudo(8) in the
test cases involving /etc/shadow, because they ensure that root and
$USER don't need passwords to authenticate inside the container, and
sudo(8) itself depends on that.  If sudo(8) is used, the test suite can
behave unexpectedly if Toolbx didn't set up the container correctly.
eg., it can get blocked waiting for a password.

Hence, 'podman unshare' is used instead to enter the container's initial
user namespace, where $USER from the host appears as root.  This is
sufficient because the test cases only need to read /etc/shadow inside
the Toolbx container.

https://github.com/containers/toolbox/pull/1355
2023-08-22 16:01:08 +02:00
Debarshi Ray
8ef3dd997e .github/workflows: Bump Bats to 1.10.0 for CI on Ubuntu 22.04
https://github.com/containers/toolbox/pull/1352
2023-08-18 07:01:41 +02:00
Debarshi Ray
f716b23914 test/system: Unbreak the line count checks with Bats >= 1.10.0
Until Bats 1.10.0, 'run --keep-empty-lines' had a bug where it counted
the trailing newline on the last line as a separate line [1].  However,
Bats 1.10.0 is only available in Fedora >= 39 and is absent from Fedoras
37 and 38.

[1] Bats commit 6648e2143bffb933
    https://github.com/bats-core/bats-core/commit/6648e2143bffb933
    https://github.com/bats-core/bats-core/issues/708

https://github.com/containers/toolbox/pull/1352
2023-08-18 06:21:40 +02:00
Debarshi Ray
1cc9e07b7c cmd/initContainer: Be aware of security hardened mount points
Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump
and /var/log/journal sit on security hardened mount points that are
marked as 'nosuid,nodev,noexec' [1].  In such cases, when Toolbx is used
rootless, an attempt to bind mount these locations read-only at runtime
with mount(8) fails because of permission problems:
  # mount --rbind -o ro <source> <containerPath>
  mount: <containerPath>: filesystem was mounted, but any subsequent
      operation failed: Unknown error 5005.

(Note that the above error message from mount(8) was subsequently
improved to show something more meaningful than 'Unknown error' [2].)

The problem is that 'init-container' is running inside the container's
mount and user namespace, and the source paths were mounted inside the
host's namespace with 'nosuid,nodev,noexec'.  The above mount(8) call
tries to remove the 'nosuid,nodev,noexec' flags from the mount point and
replace them with only 'ro', which is something that can't be done from
a child namespace.

Note that this doesn't fail when Toolbx is running as root.  This is
because the container uses the host's user namespace and is able to
remove the 'nosuid,nodev,noexec' flags from the mount point and replace
them with only 'ro'.  Even though it doesn't fail, the flags shouldn't
get replaced like that inside the container, because it removes the
security hardening of those mount points.

There's actually no benefit in bind mounting these paths as read-only.
It was historically done this way 'just to be safe' because a user isn't
expected to write to these locations from inside a container.  However,
Toolbx doesn't intend to provide any heightened security beyond what's
already available on the host.

Hence, it's better to get out of the way and leave it to the permissions
on the source location from the host operating system to guard the
castle.  This is accomplished by not passing any file system options to
mount(8) [1].

Based on an idea from Si.

[1] https://man7.org/linux/man-pages/man8/mount.8.html

[2] util-linux commit 9420ca34dc8b6f0f
    https://github.com/util-linux/util-linux/commit/9420ca34dc8b6f0f
    https://github.com/util-linux/util-linux/pull/2376

https://github.com/containers/toolbox/issues/911
2023-08-11 17:28:32 +02:00
Debarshi Ray
a055e78d42 test/system: Silence SC2004
Otherwise https://www.shellcheck.net/ would complain
  Line 110:
  for ((i = ${num_of_retries}; i > 0; i--)); do
            ^---------------^ SC2004 (style): $/${} is unnecessary on
                              arithmetic variables.

See: https://www.shellcheck.net/wiki/SC2004

https://github.com/containers/toolbox/pull/1347
2023-08-11 17:21:55 +02:00
Debarshi Ray
41349f4ee4 test/system: Silence SC1090
Otherwise https://www.shellcheck.net/ would complain:
  Line 218:
  source <(echo "$output")
         ^---------------^ SC1090 (warning): ShellCheck can't follow
                           non-constant source. Use a directive to
                           specify location.

See: https://www.shellcheck.net/wiki/SC1090

https://github.com/containers/toolbox/pull/1347
2023-08-11 17:20:47 +02:00
Debarshi Ray
341ae55f9d test/system: Avoid conditionals only supported by Bash's built-in 'test'
The '[' and 'test' implementations from GNU coreutils don't support '-v'
as a way to check if a shell variable is set [1].  Only Bash's built-in
implementations do.

This is quite confusing and makes it difficult to find out what '-v'
actually does.  eg., 'man --all test' only shows the manual for the GNU
coreutils version, which doesn't list '-v' [1], and, 'man --all [' only
shows the manual for Bash's built-ins, which also doesn't list '-v'.
One has to go to the bash(1) manual to find it [2].

Elsewhere in the code base [3], the same thing is accomplished with '-z'
and parameter substitution, which are more widely supported and, hence,
easier to find documentation for.

[1] https://manpages.debian.org/testing/coreutils/test.1.en.html

[2] https://linux.die.net/man/1/bash

[3] Commit 84ae385f33
    https://github.com/containers/toolbox/pull/1334

https://github.com/containers/toolbox/pull/1341
2023-07-14 00:17:48 +02:00
Debarshi Ray
21299a3c5b test/system: Fix typos in conditional expressions
'[' is a command that's the same as 'test' and they might be implemented
as standalone executables or shell built-ins.  Therefore, the negation
(ie., '!') has to cover the entire command to operate on its exit code.
Instead, if it's writtten as '[ ! ... ]', then the negation becomes an
argument to '[', which isn't the same thing.

Fallout from 54a2ca1ead

https://github.com/containers/toolbox/pull/1341
2023-07-14 00:17:02 +02:00
Debarshi Ray
c846b6d844 test/system: Simplify the check for Fedora Rawhide
First, it's not a good idea to use awk(1) as a grep(1) replacement.
Unless one really needs the AWK programming language, it's better to
stick to grep(1) because it's simpler.

Secondly, it's better to look for a specific os-release(5) field instead
of looking for the occurrence of 'rawhide' anywhere in the file, because
it lowers the possibility of false positives.

https://github.com/containers/toolbox/pull/1336
2023-07-11 20:30:35 +02:00
Daniel Pawlik
96791726a3 playbooks: Add workaround for Fedora Rawhide
The Zuul executor contains Ansible 2.13.7 whose 'dnf' module is not
working as it should with Fedora Rawhide because of the DNF5 Change [1].
Unlike DNF4, DNF5 no longer pulls in the python3-dnf RPM, which causes:
  TASK [Install RPM packages]
  fedora-rawhide | ERROR
  fedora-rawhide | {
  fedora-rawhide |   "msg": "Could not import the dnf python module
      using /usr/bin/python3 (3.12.0b3 (main, Jun 21 2023, 00:00:00)
      [GCC 13.1.1 20230614 (Red Hat 13.1.1-4)]). Please install
      `python3-dnf` or `python2-dnf` package or ensure you have
      specified the correct ansible_python_interpreter. (attempted
      ['/usr/libexec/platform-python', '/usr/bin/python3',
      '/usr/bin/python2', '/usr/bin/python'])",
  fedora-rawhide |   "results": []
  fedora-rawhide | }

This adds a workaround that explicitly installs the python3-dnf RPM
using Ansible's 'command' module.  It should be removed after Zuul
contains a newer release of Ansible.

[1] https://fedoraproject.org/wiki/Changes/ReplaceDnfWithDnf5

https://github.com/containers/toolbox/pull/1338

Signed-off-by: Daniel Pawlik <dpawlik@redhat.com>
2023-07-11 19:40:07 +02:00
Debarshi Ray
84ae385f33 test/system: Silence SC2154
Otherwise https://www.shellcheck.net/ would complain:
  Line 202:
  run echo "$name"
            ^---^ SC2154 (warning): name is referenced but not assigned.

See: https://www.shellcheck.net/wiki/SC2154

Note that there's no need to use Bats' 'run' helper to merely check if
the command succeeded or not, because 'set -e' is set for all tests [1].

[1] https://bats-core.readthedocs.io/en/stable/writing-tests.html

https://github.com/containers/toolbox/pull/1334
2023-07-07 17:36:44 +02:00
Osama Albahrani
7e4e78067b CODE-OF-CONDUCT.md Update URL
https://github.com/containers/common/issues/549
https://github.com/containers/toolbox/pull/1322
2023-07-05 14:32:01 +02:00
Debarshi Ray
db9a906b50 test/system: Simplify the check for Fedora Rawhide
First, it's not a good idea to use awk(1) as a grep(1) replacement.
Unless one really needs the AWK programming language, it's better to
stick to grep(1) because it's simpler.

Secondly, it's better to look for a specific os-release(5) field instead
of looking for the occurrence of 'rawhide' anywhere in the file, because
it lowers the possibility of false positives.

https://github.com/containers/toolbox/pull/1332
2023-07-04 18:20:59 +02:00
Debarshi Ray
569b4df24d test/system: Test the resource limits
The following caveats must be noted:

  * Podman sets the Toolbx container's soft limit for the maximum number
    of open file descriptors to the host's hard limit, which is often
    greater than the host's soft limit [1].

  * The ulimit(1) options -P, -T, -b, and -k don't work on Fedora 38
    because the corresponding resource arguments for getrlimit(2) are
    absent from the operating system.  These are RLIMIT_NPTS,
    RLIMIT_PTHREAD, RLIMIT_SBSIZE and RLIMIT_KQUEUES respectively.

[1] https://github.com/containers/podman/issues/17681

https://github.com/containers/toolbox/issues/213
2023-07-04 15:34:21 +02:00
Debarshi Ray
ea91335ebb test/system: Limit the scope of temporary files used by a single test
BATS_TMPDIR is the base directory used by Bats for all temporary files
and directories, and BATS_TEST_TMPDIR is unique to each test [1].  It's
better to limit the scope of the tests' temporary files as much as
possible to avoid unexpected collisions with Bats' own internal
temporary files.

[1] https://bats-core.readthedocs.io/en/stable/writing-tests.html

https://github.com/containers/toolbox/pull/1327
2023-06-30 20:45:48 +02:00
Debarshi Ray
c43cf5d763 test/system: Test that interprocess communication works
Note that 'run --keep-empty-lines' counts the trailing newline on the
last line as a separate line.

https://github.com/containers/toolbox/pull/1326
2023-06-30 20:30:48 +02:00
Debarshi Ray
41215cf82e test/system: Test that networking works
Note that 'run --keep-empty-lines' counts the trailing newline on the
last line as a separate line.

https://github.com/containers/toolbox/pull/1325
2023-06-30 19:53:31 +02:00
Debarshi Ray
d7d2fd90cb test/system: Remove stray newline
https://github.com/containers/toolbox/pull/1325
2023-06-30 14:45:21 +02:00
Debarshi Ray
a23b411a1b SECURITY.md: Update URL
https://github.com/containers/common/issues/549
https://github.com/containers/toolbox/pull/1324
2023-06-27 17:20:43 +02:00
Debarshi Ray
8c28dc2660 .github/workflows: Run the CI on Ubuntu 22.04
Now that Toolbx offers built-in support for Ubuntu containers [1],
adding an Ubuntu host to the upstream CI will help ensure that Toolbx
continues to work well on Ubuntu.  Ubuntu 22.04 is the latest long term
support (or LTS) release [2] from Ubuntu, and is the latest Ubuntu
version that GitHub provides runners for [3].

Ubuntu 22.04 only has Bats 1.2.1 [4], while Toolbx requires 1.7.0 [5];
and Shadow 4.8 [6], while Toolbx requires 4.9 because it needs
libsubid.so [7,8].  Hence, newer versions of these dependencies need to
be built to run the tests.  The build flags for Shadow were taken from
the Debian package [9].

A separate sub-directory inside $GITHUB_WORKSPACE [10] is used for
Toolbx itself to prevent codespell from getting triggered by spelling
mistakes in these dependencies themselves [11].

Unfortunately, the SHELL environment variable goes mysteriously missing
from the runtime environment of the GitHub Actions workflow [12].  This
breaks the 'create' and 'enter' commands, and therefore tests involving
them can't be run until this is resolved.  Meanwhile, running the CI on
Ubuntu with a subset of the tests, is still better than not running the
CI on Ubuntu at all.

[1] Commit a84a358b3b
    https://github.com/containers/toolbox/pull/483
    https://github.com/containers/toolbox/pull/1284

[2] https://wiki.ubuntu.com/Releases

[3] https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners

[4] https://packages.ubuntu.com/jammy/bats

[5] Commit e22a82fec8
    https://github.com/containers/toolbox/pull/1273

[6] https://packages.ubuntu.com/source/jammy/shadow
    https://packages.ubuntu.com/source/jammy-updates/shadow

[7] Shadow commit 0a7888b1fad613a0
    https://github.com/shadow-maint/shadow/commit/0a7888b1fad613a0
    https://github.com/shadow-maint/shadow/issues/154

[8] Commit ca8007c192
    https://github.com/containers/toolbox/issues/1074

[9] https://salsa.debian.org/debian/shadow/

[10] https://docs.github.com/en/actions/learn-github-actions/variables

[11] https://github.com/bats-core/bats-core/pull/743

[12] https://github.com/orgs/community/discussions/59413

https://github.com/containers/toolbox/pull/1319
2023-06-27 13:08:05 +02:00
Debarshi Ray
4322824061 test/system: Fix reading the os-release(5) VERSION_ID on Ubuntu
The current approach of extracting the VERSION_ID field from
os-release(5) assumes that the value is not quoted.  There's no
guarantee that this will be the case.  It only happens to be so on
Fedora by chance, and is different on Ubuntu:
  $ cat /etc/os-release
  ...
  VERSION_ID="22.04"
  ...

This means that "22.04", including the double quotes, is read as the
value of VERSION_ID on Ubuntu, not 22.04.  This is wrong because this
value can't be used as is in image and container names.  There's no
image called quay.io/toolbx/ubuntu-toolbox:"22.04" and double quotes are
not allowed in container names.

Instead, use the same approach as profile.d/toolbox.sh and the old POSIX
shell implementation that doesn't rely on the quoting of the
os-release(5) values.

Fallout from b27795a03e

https://github.com/containers/toolbox/pull/1320
2023-06-23 13:58:42 +02:00
Debarshi Ray
62c31ca8ea test/system: Fix reading the os-release(5) ID on Ubuntu
The current approach of selecting all the os-release(5) fields that have
'ID' in their name (eg., ID, VERSION_ID, PLATFORM_ID, VARIANT_ID, etc.)
and then picking the first one, assumes that the ID field will always be
placed above the others in os-release(5).  There's no guarantee that
this will be the case.  It only happens to be so on Fedora by chance,
and is different on Ubuntu:
  $ cat /etc/os-release
  ...
  VERSION_ID="22.04"
  ...
  ID=ubuntu
  ID_LIKE=debian
  ...

This means that "22.04" is read as the value of ID on Ubuntu, which is
clearly wrong.

Instead, use the same approach as profile.d/toolbox.sh and the old POSIX
shell implementation that doesn't rely on the order of the os-release(5)
fields.

Fallout from 54a2ca1ead

https://github.com/containers/toolbox/pull/1320
2023-06-23 13:27:07 +02:00
Debarshi Ray
b57dfd8b58 playbooks: Use Ansible's 'command' module, instead of 'shell'
Ansible's 'shell' module is almost exactly like the 'command' module,
except that it runs the command through a command line shell so that
environment variables like HOSTNAME and operations like '*', '<' and '>'
work.  None of those things are necessary are here.  Hence, it's better
to use the 'command' module as elsewhere.

Note that, unlike Ansible's 'shell' module, the 'command' module doesn't
support inline scripts.  So, each command needs to be in its own
separate task.

https://github.com/containers/toolbox/pull/1318
2023-06-22 18:20:49 +02:00
Matthias Clasen
2c09606603 test/system: Clarify the use of Git submodules
We wasted some time trying to get the tests running locally, when all we
were missing were the 'git submodule ...' commands.

Add some more obvious hints about this possible stumbling block.

Note that Bats cautions against printing outside the @test, setup* or
teardown* functions [1].  In this case, doing so leads to the first line
of the error output going missing, when using the pretty formatter for
human consumption:

  $ bats --formatter pretty ./test/system
   ✗ setup_suite
     Forgot to run 'git submodule init' and 'git submodule update' ?
     bats warning: Executed 1 instead of expected 191 tests

  191 tests, 1 failure, 190 not run

[1] https://bats-core.readthedocs.io/en/stable/writing-tests.html

https://github.com/containers/toolbox/pull/1298

Signed-off-by: Matthias Clasen <mclasen@redhat.com>
2023-06-21 12:34:08 +02:00
Debarshi Ray
7a387dcc8b test/system: Simplify running a subset of the tests with Bats >= 1.7.0
The 000-setup.bats and 999-teardown.bats files were added [1] at a time
when Bats didn't offer any hooks for suite-wide setup and teardown.

That changed in Bats 1.7.0, which introduced the setup_suite and
teardown_suite hooks.  These hooks make it easier to run a subset of the
tests, which is a good thing.

In the past, to run a subset of the tests, one had to do:
  $ bats ./test/system/000-setup.bats ./test/system/002-help.bats \
      ./test/system/999-teardown.bats

Now, one only has to do:
  $ bats ./test/system/002-help.bats

Commit e22a82fec8 already added a dependency on Bats >= 1.7.0.
Therefore, it should be exploited wherever possible to simplify things.

[1] Commit 54a2ca1ead
    https://github.com/containers/toolbox/issues/751

[2] Bats commit fb467ec3f04e322a
    https://github.com/bats-core/bats-core/issues/39
    https://bats-core.readthedocs.io/en/stable/writing-tests.html

https://github.com/containers/toolbox/pull/1317
2023-06-21 09:07:29 +02:00
Debarshi Ray
c37c5238dd test/system: Re-align
All the other Bats files for the system tests are indented by two
spaces, not four.

This will make the subsequent commit easier to read.

https://github.com/containers/toolbox/pull/1317
2023-06-21 09:07:25 +02:00
Avimitin Lu
26bf55ea24 build: Make it build on riscv64
Go 1.14 added experimental support for 64-bit RISC-V on Linux
(GOOS=linux, GOARCH=riscv64) [1], and the path of the dynamic linker
(ie., PT_INTERP) was taken from the ABI specification [2].

Tested in Arch Linux rv64gc qemu user image.

[1] https://tip.golang.org/doc/go1.14#riscv

[2] https://sourceware.org/glibc/wiki/ABIList

https://github.com/containers/toolbox/pull/1159
https://github.com/containers/toolbox/pull/1316

Signed-off-by: Avimitin Lu <avimitin@gmail.com>
2023-06-13 16:04:47 +02:00
Nieves Montero
0a1417799a test/system: Fix warnings by specifying the minimum needed Bats version
Bats 1.7.0 emits a warning if a feature that is only available starting
from a certain version of Bats onwards is used without specifying that
version [1]:
  BW02: Using flags on `run` requires at least BATS_VERSION=1.5.0. Use
    `bats_require_minimum_version 1.5.0` to fix this message.
        (from function `bats_warn_minimum_guaranteed_version' in file
           /usr/lib/bats-core/warnings.bash, line 32,
         from function `run' in file
           /usr/lib/bats-core/test_functions.bash, line 227,
         in test file test/system/001-version.bats, line 27)

Note that bats_require_minimum_version itself is only available from
Bats 1.7.0 [2].  Hence, even though the specific feature here (using
flags on 'run') only requires Bats >= 1.5.0, in practice Bats >= 1.7.0
is needed.  Fortunately, commit e22a82fec8 already added a
dependency on Bats >= 1.7.0.  So, there's nothing to worry about.

[1] Bats commit 82002bb6c1a5c418
    https://github.com/bats-core/bats-core/issues/556
    https://bats-core.readthedocs.io/en/stable/warnings/BW02.html

[2] Bats commit 71d6b71cebc3d32b
    https://github.com/bats-core/bats-core/issues/556
    https://bats-core.readthedocs.io/en/stable/warnings/BW02.html

https://github.com/containers/toolbox/pull/1315
2023-06-13 12:48:11 +02:00
Debarshi Ray
bc067f12d6 test/system: Simplify the line count checks by relying on Bats >= 1.7.0
Commit e22a82fec8 already added a dependency on Bats >= 1.7.0,
which is present on Fedora >= 36.  Therefore, it should be exploited
wherever possible to simplify things.

Earlier, when the line counts were checked only with Bats >= 1.7.0,
there was a need to separately check the whole standard error and
output streams with 'assert_output' for the tests to be useful on
Fedora 35, which only had Bats 1.5.0.  Now that the line counts are
being checked unconditionally, there's no need for that anymore.

Note that bats_require_minimum_version itself is only available from
Bats 1.7.0 [1].

[1] Bats commit 71d6b71cebc3d32b
    https://github.com/bats-core/bats-core/issues/556
    https://bats-core.readthedocs.io/en/stable/warnings/BW02.html

https://github.com/containers/toolbox/pull/1314
2023-06-13 12:43:14 +02:00
Debarshi Ray
0676eb98ea .zuul: Drop testing on Fedora 36
Fedora 36 reached End of Life on 16th May 2023:
https://docs.fedoraproject.org/en-US/releases/eol/

https://github.com/containers/toolbox/pull/1313
2023-06-13 10:02:17 +02:00
Debarshi Ray
923fc10bd5 .github/CODEOWNERS: Clarify ownership of Ubuntu image publication
This reflects the value of the 'maintainer' LABELs of the images.

https://github.com/containers/toolbox/pull/1307
2023-06-13 09:49:21 +02:00
Debarshi Ray
2ee82affeb pkg/utils: Offer built-in support for Arch Linux
This allows using the 'distro' option to create and enter Arch Linux
containers.  Due to Arch's rolling-release model, the 'release' option
isn't required.  If 'release' is used, the accepted values are 'latest'
and 'rolling'.

https://github.com/containers/toolbox/pull/1311
2023-06-12 22:26:46 +02:00
Debarshi Ray
ed76734eb6 pkg/utils: Support OSes that don't have the concept of a release
Operating system distributions like Arch Linux that follow a
rolling-release model don't have the concept of a release.  The latest
snapshot is the only available release.

A subsequent commit will add built-in support for Arch Linux.  Hence,
the code can no longer assume that every distribution will have a
matching release.

Note that just because an operating system distribution may not have the
concept of a release, it doesn't mean that it will accept an invalid
'release' option.

https://github.com/containers/toolbox/pull/1311
2023-06-12 22:23:14 +02:00
Debarshi Ray
774ce8bd07 pkg/utils: Rename a variable for consistency
Fallout from df7e01df10

https://github.com/containers/toolbox/pull/1303
2023-06-12 17:01:24 +02:00
Debarshi Ray
d14fd7bb50 pkg/utils: Support host operating systems without VERSION_ID
The VERSION_ID field in os-release(5) is optional [1].  It's absent on
Arch Linux, which follows a rolling-release model and uses the BUILD_ID
field instead:
  BUILD_ID=rolling

A subsequent commit will add built-in support for Arch Linux.  Hence,
the code to get the default release from the host operating system can
no longer assume the presence of the VERSION_ID field in os-release(5).

Note that the arch-toolbox image is tagged with 'latest', in accordance
with OCI conventions, not 'rolling' [2,3], which is the os-release(5)
BUILD_ID.  Therefore, it will be wise to use 'latest' as the default
release on Arch Linux, to simplify how the default release matches with
the default image's tag.  This means that a os-release(5) field can't be
used for the default release on Arch.

[1] https://www.freedesktop.org/software/systemd/man/os-release.html

[2] Commit 2568528cb7
    https://github.com/containers/toolbox/pull/861

[3] Commit a4e5861ae5
    https://github.com/containers/toolbox/pull/1308

https://github.com/containers/toolbox/pull/1303
2023-06-12 16:47:48 +02:00
Debarshi Ray
28913fad1d .github/CODEOWNERS: Clarify ownership of Arch Linux image publication
This reflects the value of the 'maintainer' LABELs of the images.

https://github.com/containers/toolbox/pull/1308
2023-06-09 13:32:28 +02:00
Debarshi Ray
33815da389 .github/workflows: Build the Arch Linux image for pull requests
... when there are changes in the 'images/arch' directory or in the
GitHub workflow itself.

https://github.com/containers/toolbox/pull/1308
2023-06-09 13:32:28 +02:00
Debarshi Ray
a4e5861ae5 .github/workflows: Publish the Arch Linux image at quay.io/toolbx/...
Until now, the Arch Linux image was being published at
quay.io/toolbx-images/archlinux-toolbox:latest.  This renames the image
to arch-toolbox [1] to match the os-release(5) ID on Arch, and changes
the location to quay.io/toolbx/arch-toolbox:latest.

Build and push when there are changes in the 'images/arch' directory
or in the GitHub workflow itself, as well as at 00:00 every Monday.

[1] Commit 2568528cb7
    https://github.com/containers/toolbox/pull/861

https://github.com/containers/toolbox/pull/1308
2023-06-09 13:32:28 +02:00
Benjamin Asbach
73663a6f80 README.md: Unbreak Arch Linux package URL
The toolbox(1) binary is now available from Arch Linux's Extra
repository, not Community:
https://archlinux.org/packages/extra/x86_64/toolbox/

https://github.com/containers/toolbox/pull/1300

Signed-off-by: Benjamin Asbach <asbachb.github.toolbox@impl.it>
2023-06-09 11:19:45 +02:00
Jakub Sierżęga
90a03b61f4 profile.d: Show welcome message on Fedora Sericea
Since Sericea is an official variant of Fedora, it should have an
official welcome message like the other ones.

https://github.com/containers/toolbox/pull/1293

Signed-off-by: Jakub Sierżęga <jakub.sierzega@comarch.com>
2023-06-09 10:29:59 +02:00
Debarshi Ray
a58d81db4e profile.d: Re-align
This will make the subsequent commit easier to read.

https://github.com/containers/toolbox/pull/1293
2023-06-09 10:28:31 +02:00
Debarshi Ray
b6ca18ead1 pkg/utils, test/system: Use the Ubuntu images from quay.io/toolbx/...
https://github.com/containers/toolbox/pull/1306
2023-06-08 15:35:44 +02:00
Ievgen Popovych
8dcd5d7cb4 .github/workflows: Publish the Ubuntu images at quay.io/toolbx/...
Until now, the Ubuntu images (versions 16.04, 18.04, 20.04, 22.04 and
22.10) were published at quay.io/toolbx-images/ubuntu-toolbox:22.04,
etc..  This changes the location to quay.io/toolbx/ubuntu-toolbox:22.04
and builds an image for Ubuntu 23.04 that was added recently [1].

Build and push when there are changes in the `images/ubuntu` directory
or in the GitHub workflow itself, as well as every other week (7th and
21st days of a month to be precise).

The toolbox(1) code and the system tests will be switched to the new
location after the first round of images are available.

[1] Commit 3cfb6bf888
    https://github.com/containers/toolbox/pull/1292

https://github.com/containers/toolbox/pull/483

Signed-off-by: Ievgen Popovych <jmennius@gmail.com>
2023-06-08 14:52:31 +02:00
Debarshi Ray
4a1d9fc037 pkg/utils: Mark a private function as such
Reading the VERSION_ID field from the host operating system's
os-release(5) only needs to happen when initializing this package.

Fallout from 9e2825524a

https://github.com/containers/toolbox/pull/1304
2023-06-07 17:04:06 +02:00
Erazem Kokot
2568528cb7 images: Add arch-toolbox image definitions for Arch Linux
This is the definition of the arch-toolbox image for Arch Linux that
plays well with Toolbx.

Today, it's published at quay.io/toolbx-images/archlinux-toolbox:latest,
but the name of the published image will be changed to arch-toolbox [1]
to match the os-release(5) ID on Arch Linux.  The convention of naming
the Toolbx images according to the os-release(5) ID is deeply ingrained
in the Toolbx code base.  It will be better to keep things simple by
continuing that practice, instead of adding a one-off exception.

Maintenance of this image has been passed to Morten Linderud.

[1] https://github.com/toolbx-images/images/pull/82

https://github.com/containers/toolbox/pull/861
2023-06-06 22:57:22 +02:00
Ievgen Popovych
3cfb6bf888 images: ubuntu: Add 23.04 Lunar image
Signed-off-by: Ievgen Popovych <jmennius@gmail.com>

https://github.com/containers/toolbox/pull/1292
2023-05-03 13:45:04 +02:00
Ievgen Popovych
10b39a6a12 images: ubuntu: Remove APT ESM hook
This was recently introduced with `ubuntu-advantage-tools` and it tries
to poke at some system services introducing annoying delay and messages.

Even if the services are present (on Ubuntu host) and systemd is
accessible (rootful container) - that wouldn't be appropriate still.

https://github.com/containers/toolbox/pull/1291

Signed-off-by: Ievgen Popovych <jmennius@gmail.com>
2023-05-03 13:41:01 +02:00
Ievgen Popovych
947bb612e1 images: ubuntu: Move flatpak-xdg-utils installation to Containerfile
Since `flatpak-xdg-utils` is essential to the images, not 'extra'.

https://github.com/containers/toolbox/pull/1291

Signed-off-by: Ievgen Popovych <jmennius@gmail.com>
2023-05-03 13:41:00 +02:00