Commit graph

54 commits

Author SHA1 Message Date
Ondřej Míchal
bafbbe81c9 Generate & install completion scripts in build system
The previous commit added a means of generating the completion scripts
and this one plugs that into the build system.

A new build option 'install_completions' has been introduced. Set to
'True' by default.

Completions for bash and fish use pkg-config for getting the preferred
install locations for the completions. If the packages are not
available, fallbacks are in place.

The 'completion' subdir has been kept to work around the ideology of
Meson that does not allow creating/outputting files in subdirectories nor
using the output of custom_target() in install_data().

https://github.com/containers/toolbox/pull/840
2022-02-21 15:15:30 +02:00
Debarshi Ray
be2ba6d2e2 build: Call 'systemd-tmpfiles --create' when installing
It's only necessary to call 'systemd-tmpfiles --create' when building
and installing from source on the host operating system.

It's not needed when using a pre-built binary downstream package,
because:

  * When 'meson install' is called as part of building the package,
    that's not when the temporary files need to be created. They need
    to be created when the binary package is later downloaded and
    installed by the user.

  * Downstream tools can sometimes handle it automatically. eg., on
    Fedora, the systemd RPM installs a trigger that tells RPM to call
    'systemd-tmpfiles --create' automatically when a tmpfiles.d snippet
    is installed.

It's also not needed when installing inside a toolbox container because
the files that 'systemd-tmpfiles --create' is supposed to create are
meant to be on the host.

Downstream distributors set the DESTDIR environment variable when
building their packages. Therefore, it's used to detect when a
downstream package is being built.

Unfortunately, environment variables are messy and, generally, Meson
doesn't support accessing them inside its scripts [1]. Therefore, this
adds a spurious build-time dependency on systemd for downstream
distributors. However, that's probably not a big problem because all
supported downstream operating systems are already expected to use
systemd for the tmpfiles.d(5) snippets to work.

[1] https://github.com/mesonbuild/meson/issues/9

https://github.com/containers/toolbox/issues/955
2022-01-10 22:14:01 +01:00
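The install-time rule described above, written out as an added example (not the project's own post-install script): a Meson install script that consults DESTDIR and a container marker before calling 'systemd-tmpfiles --create'. Meson exports DESTDIR to install scripts through the environment when it is set; the container marker path /run/.toolboxenv is an assumption, since the page does not say how the project detects a toolbox container.

```python
"""Meson post-install helper: run 'systemd-tmpfiles --create' only when it matters.
Added example, not the project's own script. Encodes the rule from the commit
message: skip when DESTDIR is set (a downstream package is being staged) and
skip inside a toolbox container (the tmpfiles are meant to be on the host)."""
import os
import subprocess

# ASSUMPTION: the page does not say how a toolbox container is detected; this
# marker file is used here for illustration only.
TOOLBOX_MARKER = "/run/.toolboxenv"


def should_create_tmpfiles(env, path_exists):
    """Return (run, reason). Meson passes DESTDIR to install scripts via the environment."""
    destdir = env.get("DESTDIR", "")
    if destdir:  # an empty DESTDIR is treated as unset; environment variables are messy
        return False, f"DESTDIR={destdir!r}: staging a package, left to the downstream package tooling"
    if path_exists(TOOLBOX_MARKER):
        return False, "inside a toolbox container: the files are meant to be on the host"
    return True, "installing from source onto the host"


def run_post_install(env=None, path_exists=os.path.exists, runner=subprocess.run):
    """Invoke systemd-tmpfiles when the gate allows it; return whether it ran."""
    run, reason = should_create_tmpfiles(os.environ if env is None else env, path_exists)
    print(("running" if run else "skipping") + " systemd-tmpfiles --create: " + reason)
    if run:
        runner(["systemd-tmpfiles", "--create"], check=True)
    return run


if __name__ == "__main__":
    run_post_install()
```

Hooked up with meson.add_install_script(), the script runs after 'meson install'; the injectable env, path_exists and runner arguments exist so the gate can be exercised without root and without systemd present.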
Debarshi Ray
d96faf0c1e build: Be more strict when looking for a C compiler
In practice, this means that only Clang and GCC are accepted.

https://github.com/containers/toolbox/pull/960
2021-12-17 02:08:51 +01:00
Debarshi Ray
52c85b60d9 Prepare 0.0.99.3 2021-12-10 03:40:42 +01:00
Debarshi Ray
04426a04e5 build: Add an option for the migration path for coreos/toolbox users
Commit 6c86cabbe5 changed the command line interface to behave
much more like that of github.com/coreos/toolbox, which makes things
easier for those switching over from it.

However, it makes things confusing for the vast majority of users who
have never used coreos/toolbox. The Toolbox CLI aims to be friendly to
new users by being self-documenting and offering a smooth onboarding
experience. It's jarring to new users when 'toolbox', without any
commands specified, suggests that it needs to perform a big download.

It's difficult to document two different sets of CLIs, and if the
manuals don't mention the second behaviour, then it just leaves the
users even more confused.

Hence, it will be good to keep the migration path for coreos/toolbox
behind a build-time option, so that only those OS distributors who
truly need it may enable it without impacting others. Fortunately,
coreos/toolbox doesn't have any manuals, which means that there's no
need to conditionalize the documentation.

This commit merely adds the build-time option. Subsequent commits will
use this to actually conditionalize the code.

https://github.com/containers/toolbox/pull/951
2021-12-10 00:35:13 +01:00
Debarshi Ray
8dd7ee47c5 build: Drop the use of patchelf(1)
Some downstream distributors like RHEL don't have patchelf(1). Relying
on patchelf(1) during the build will make it difficult for such
downstreams to distribute Toolbox.

Fortunately, the path of the dynamic linker (ie., PT_INTERP) is
hardcoded in the ABI specification of each architecture [1]. This means
that Toolbox's build system can keep its own architecture to dynamic
linker mapping, and specify it during the build through the GNU ld
linker's --dynamic-linker flag, as opposed to using a tool like
patchelf(1) to change the path of the dynamic linker in the built
binary to the one inside /run/host. Currently, the list of
architectures covers the ones that Fedora builds for.

[1] https://sourceware.org/glibc/wiki/ABIList

https://github.com/containers/toolbox/pull/942
2021-12-09 13:16:27 +01:00
Debarshi Ray
e28a306a7f build: Bump minimum Meson version to 0.56.0
The subsequent commit will further bump the minimum Meson version to
0.58.0. This will make it easier to read.

https://github.com/containers/toolbox/pull/942
2021-12-08 18:01:35 +01:00
Debarshi Ray
c8aaed52c5 build: Don't assume that libc.so is always in /usr/lib or /usr/lib64
The location for public shared libraries can change from one operating
system distribution to another. eg., while Fedora uses /usr/lib and
/usr/lib64, depending on the hardware architecture, Debian uses paths
like /usr/lib/x86_64-linux-gnu. Therefore, it's best not to assume
anything and ask the toolchain.

https://github.com/containers/toolbox/pull/923
2021-11-13 03:18:36 +01:00
Debarshi Ray
6063eb27b9 build: Ensure that binaries are run against their build-time ABI
The /usr/bin/toolbox binary is not only used to interact with toolbox
containers and images from the host. It's also used as the entry point
of the containers by bind mounting the binary from the host into the
container. This means that the /usr/bin/toolbox binary on the host must
also work inside the container, even if they have different operating
systems.

In the past, this worked perfectly well with the POSIX shell
implementation because it got interpreted by whichever /bin/sh was
available. However, the Go implementation can run into ABI
compatibility issues because binaries built on newer toolchains aren't
meant to be run against older runtimes.

The previous approach [1] of restricting the versions of the glibc
symbols that are linked against isn't actually supported by glibc, and
breaks if the early process start-up code changes. This is seen in
glibc-2.34, which is used by Fedora 35 onwards, where a new version of
the __libc_start_main symbol [2] was added as part of some security
hardening:
  $ objdump -T ./usr/bin/toolbox | grep GLIBC_2.34
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34 __libc_start_main
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34 pthread_detach
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34 pthread_create
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34 pthread_attr_getstacksize

This means that /usr/bin/toolbox binaries built against glibc-2.34 on
newer Fedoras fail to run against older glibcs in older Fedoras.

Another option is to make the host's runtime available inside the
toolbox container and ensure that the binary always runs against it.

Luckily, almost all supported containers have the host's /usr available
at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to
/run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing
the path of the dynamic linker (ie., PT_INTERP) to the one inside
/run/host.

Unfortunately, there can only be one PT_INTERP entry inside the
binary, so there must be a /run/host on the host too. Therefore, a
/run/host symbolic link is created on the host that points to the
host's /.

Based on ideas from Alexander Larsson and Ray Strode.

[1] Commit 6ad9c63180
    https://github.com/containers/toolbox/pull/534

[2] glibc commit 035c012e32c11e84
    https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84
    https://sourceware.org/bugzilla/show_bug.cgi?id=23323

https://github.com/containers/toolbox/issues/821
2021-10-22 01:20:03 +02:00
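The rewritten PT_INTERP and RUNPATH/RPATH described in this commit, together with the per-architecture dynamic-linker mapping from the later "Drop the use of patchelf(1)" commit, can be verified on a built binary. The following is an added example, not the project's build script or test suite: it parses the ELF64 program headers and the PT_DYNAMIC segment by hand, then checks that the interpreter is the architecture's default one relocated under /run/host and that every library search path points into /run/host/usr/lib*. The machine-to-interpreter table is an assumption drawn from the glibc ABI list linked in the commit; the sample ELF built inside the block is constructed for illustration and is not a real program.

```python
"""Verify a toolbox-style ELF64 binary is wired to the host runtime under /run/host.
Added example, not the project's code; standard library only (readelf -l / -d show the same data)."""
import struct
import sys

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29
EM_PPC64, EM_S390, EM_X86_64, EM_AARCH64 = 21, 22, 62, 183

# ASSUMPTION: default dynamic linker per architecture (glibc ABI list); verify against your toolchain.
DEFAULT_INTERP = {
    EM_X86_64: "/lib64/ld-linux-x86-64.so.2",
    EM_AARCH64: "/lib/ld-linux-aarch64.so.1",
    EM_PPC64: "/lib64/ld64.so.2",  # ppc64le
    EM_S390: "/lib/ld64.so.1",     # s390x
}


def program_headers(data):
    """Return (byte_order, e_machine, [(p_type, p_offset, p_vaddr, p_filesz), ...])."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 file")
    bo = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian, 2 = big endian
    machine, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from(bo + "HIQQQIHHH", data, 18)
    phdrs = []
    for i in range(phnum):
        p_type, _, off, vaddr, _, filesz, _, _ = struct.unpack_from(
            bo + "IIQQQQQQ", data, phoff + i * phentsize)
        phdrs.append((p_type, off, vaddr, filesz))
    return bo, machine, phdrs


def vaddr_to_offset(phdrs, vaddr):
    """DT_STRTAB holds a virtual address; map it to a file offset via the PT_LOAD segments."""
    for p_type, off, base, filesz in phdrs:
        if p_type == PT_LOAD and base <= vaddr < base + filesz:
            return off + (vaddr - base)
    raise ValueError(f"vaddr {vaddr:#x} is not backed by the file")


def inspect(data):
    """Extract PT_INTERP and the DT_RUNPATH / DT_RPATH search lists."""
    bo, machine, phdrs = program_headers(data)
    info = {"machine": machine, "interp": None, "RUNPATH": [], "RPATH": []}
    for p_type, off, _, filesz in phdrs:
        if p_type == PT_INTERP:
            info["interp"] = data[off:off + filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            strtab, pending = None, []
            for i in range(filesz // 16):
                tag, val = struct.unpack_from(bo + "qQ", data, off + 16 * i)
                if tag == DT_NULL:
                    break
                if tag == DT_STRTAB:
                    strtab = vaddr_to_offset(phdrs, val)
                elif tag in (DT_RPATH, DT_RUNPATH):
                    pending.append((tag, val))
            if pending and strtab is None:
                raise ValueError("DT_RUNPATH/DT_RPATH present but no DT_STRTAB")
            for tag, val in pending:  # strings resolve only once DT_STRTAB is known
                text = data[strtab + val:data.index(b"\0", strtab + val)].decode()
                info["RUNPATH" if tag == DT_RUNPATH else "RPATH"].extend(text.split(":"))
    return info


def check_host_runtime(data, host_root="/run/host"):
    """Return (ok, problems): interpreter and search paths must live under host_root."""
    info = inspect(data)
    problems = []
    expected = DEFAULT_INTERP.get(info["machine"])
    want = host_root + expected if expected else None
    if info["interp"] != want:
        problems.append(f"PT_INTERP is {info['interp']!r}, expected {want!r} for e_machine {info['machine']}")
    paths = info["RUNPATH"] + info["RPATH"]
    if not paths:
        problems.append("no RUNPATH/RPATH: libc would come from the container, not the host")
    for path in paths:
        if not path.startswith(host_root + "/usr/lib"):
            problems.append(f"search path {path!r} is outside {host_root}/usr/lib*")
    return not problems, problems


def build_sample_elf(interp, runpath, machine=EM_X86_64, tag=DT_RUNPATH):
    """Constructed minimal little-endian ELF64 (not a runnable program) for testing."""
    base = 0x400000  # load address, so virtual addresses differ from file offsets
    interp_b = interp.encode() + b"\0"
    dynstr = b"\0" + runpath.encode() + b"\0"  # the runpath string sits at index 1
    interp_off = 64 + 3 * 56  # right after the ELF header and three program headers
    dynstr_off = interp_off + len(interp_b)
    dyn_off = (dynstr_off + len(dynstr) + 7) & ~7
    dynamic = struct.pack("<qQqQqQ", DT_STRTAB, base + dynstr_off, tag, 1, DT_NULL, 0)
    total = dyn_off + len(dynamic)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", 2, machine, 1, base, 64, 0, 0, 64, 56, 3, 0, 0, 0)

    def phdr(p_type, off, size):  # one PT_LOAD maps the whole file at `base`
        return struct.pack("<IIQQQQQQ", p_type, 4, off, base + off, base + off, size, size, 8)

    body = ehdr + phdr(PT_LOAD, 0, total) + phdr(PT_INTERP, interp_off, len(interp_b))
    body += phdr(PT_DYNAMIC, dyn_off, len(dynamic)) + interp_b + dynstr
    return body + b"\0" * (dyn_off - len(body)) + dynamic


if __name__ == "__main__":  # usage: python3 <this file> /usr/bin/toolbox
    ok, problems = check_host_runtime(open(sys.argv[1], "rb").read())
    sys.exit(0 if ok else "\n".join(problems))
```

Point it at the installed binary on the host: a non-zero exit with the problems listed means the binary would resolve ld.so or libc from the container's own tree, which is exactly the failure the commit is working around. A binary that is not wired this way still runs on the host, so the check has to be run deliberately; it does not fail loudly on its own.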
Ondřej Míchal
2594199fef test/system: Track bats libs as submodules & install them better
This will make it easier to work with system tests.

https://github.com/containers/toolbox/pull/842
2021-07-22 10:23:53 +02:00
Randall Mason
a733357053 build: Allow overriding the path to tmpfilesdir
When installing to a non-system-wide prefix as a non-root user, the
tmpfilesdir path defined by systemd might not be accessible. Overriding
the path helps to prevent the installation from failing.

https://github.com/containers/toolbox/pull/717
2021-07-05 03:46:07 +02:00
Debarshi Ray
0bdfa53bb2 Prepare 0.0.99.2 2021-06-26 19:48:32 +02:00
Ondřej Míchal
8c1d441916 build: Drop ShellCheck on Shell Toolbox
Shell Toolbox has been replaced by the Go implementation quite a while
ago. It is kept in the repository but is no longer actively developed.
There is no need to continue checking it with ShellCheck.

https://github.com/containers/toolbox/pull/733
2021-03-22 11:50:02 +01:00
Ondřej Míchal
7e60e89086 meson: Rearrange lines & check for Skopeo
Skopeo is now a dependency for running system tests [0]. It is not a hard
dependency but at least give the user a heads-up.

https://github.com/containers/toolbox/pull/732
2021-03-22 10:47:30 +01:00
Debarshi Ray
3801bd6e5a Prepare 0.0.99.1 2021-02-23 19:57:04 +01:00
Debarshi Ray
772451c5e5 Prepare 0.0.99 2021-01-12 14:05:42 +01:00
Debarshi Ray
dd4829a33c Prepare 0.0.98.1 2021-01-07 20:17:06 +01:00
Debarshi Ray
f92f2182a3 Prepare 0.0.98 2021-01-05 17:59:07 +01:00
Debarshi Ray
3cbd2a1343 Prepare 0.0.97 2020-11-03 20:15:39 +01:00
Debarshi Ray
03c69894df Prepare 0.0.96 2020-10-01 20:02:57 +02:00
Debarshi Ray
b3f0a50652 Prepare 0.0.95 2020-08-30 22:40:16 +02:00
Debarshi Ray
69cec92abb Prepare 0.0.94 2020-08-24 19:31:28 +02:00
Debarshi Ray
6ad9c63180 build: Ensure binaries built on Fedora 33 run on Fedoras 32 & 31
The /usr/bin/toolbox binary is not only used to interact with toolbox
containers and images from the host. It's also used as the entry point
of the containers by bind mounting the binary from the host into the
container. This means that the /usr/bin/toolbox binary on the host must
also work inside the container, even if they have different operating
systems.

In the past, this worked perfectly well with the POSIX shell
implementation because it got interpreted by whichever /bin/sh was
available.

The Go implementation also mostly worked so far because it's largely
statically linked, with the notable exception of the standard C
library. However, recently glibc-2.32, which is used by Fedora 33
onwards, added a new version of the pthread_sigmask symbol [1] as part
of the libpthread removal project:
  $ objdump -T /usr/bin/toolbox | grep GLIBC_2.32
  0000000000000000      DO *UND*	0000000000000000  GLIBC_2.32 pthread_sigmask

This means that /usr/bin/toolbox binaries built against glibc-2.32 on
newer Fedoras pick up the latest version of the symbol and fail to run
against older glibcs in older Fedoras.

One way to fix this is to disable the use of any C code from Go by
using the CGO_ENABLED environment variable [2]. However, this can
negatively impact packages like "os/user" [3] and "net" [4], where the
more featureful glibc APIs will be replaced by more limited
equivalents written only in Go.

Instead, since glibc uses symbol versioning, it's better to tell the
Go toolchain to avoid linking against any symbols from glibc-2.32.

This was accomplished by a few linker tricks:

  * The GNU ld linker's --wrap flag was used when building the Go code
    to divert pthread_sigmask invocations from Go to another function
    called __wrap_pthread_sigmask.

  * A static library was added to provide this __wrap_pthread_sigmask
    function, which forwards calls to the actual pthread_sigmask API in
    glibc. This library itself was not linked with --wrap, and
    specifies the latest permissible version of the pthread_sigmask
    symbol from glibc for each architecture. Currently, the list of
    architectures covers the ones that Fedora builds for.

  * The Go cmd/link linker was switched to external mode [5]. This
    ensures that the final object file containing all the Go code gets
    linked to the standard C library and the wrapper static library by
    the GNU ld linker for the --wrap flag to kick in.

Based on ideas from Ondřej Míchal.

[1] glibc commit c6663fee4340291c
    https://sourceware.org/git/?p=glibc.git;a=commit;h=c6663fee4340291c

[2] https://golang.org/cmd/cgo/

[3] https://golang.org/pkg/os/user/

[4] https://golang.org/pkg/net/

[5] https://golang.org/src/cmd/cgo/doc.go

https://github.com/containers/toolbox/issues/529
2020-08-21 16:29:37 +02:00
Ondřej Míchal
f246d20fa6 build: Install the tests
Installing the tests will let downstream distributors like Fedora run
them as part of their build and CI systems.

https://github.com/containers/toolbox/pull/511
2020-08-13 11:34:37 +02:00
Debarshi Ray
238a678264 Prepare 0.0.93 2020-07-24 17:44:51 +02:00
Debarshi Ray
cb5c77eae5 Prepare 0.0.92 2020-07-03 15:54:02 +02:00
Debarshi Ray
387872c6a3 Prepare 0.0.91 2020-06-27 16:27:02 +02:00
Debarshi Ray
0b3c66434e build: Ship the Go implementation by default, not the POSIX shell one
The Go implementation is now considered stable enough for wider use,
and should have feature parity with its POSIX shell counterpart.

https://github.com/containers/toolbox/pull/437
2020-05-14 09:53:18 +02:00
Harry Míchal
53f4d0c2f0 Add versioning infrastructure in Go
https://github.com/containers/toolbox/pull/318
2020-05-13 09:38:58 +02:00
Debarshi Ray
1b6d7d6410 build: Hook up the Go code with Meson
Meson doesn't support Go [1], so this is implemented by a custom target
that invokes 'go build' to generate the binary.

Unfortunately, when using Go modules, 'go build' insists on being
invoked in the same source directory where the go.mod file lives,
while Meson insists on using a build directory separate from the
corresponding source directory. This is addressed by using a build
script that goes into the source directory and then invokes 'go build'.

Currently, the Go code is only built when a Go implementation is found,
and even then, it's not installed. Non-technical end-users are supposed
to continue using the POSIX shell implementation until the Go version
is blessed as stable.

[1] https://github.com/mesonbuild/meson/issues/123

https://github.com/containers/toolbox/pull/318
2020-05-13 09:38:52 +02:00
Debarshi Ray
7b460e390d Prepare 0.0.18 2020-01-14 15:47:45 +01:00
Debarshi Ray
7f5ac939e8 Prepare 0.0.17 2019-11-20 18:08:03 +01:00
Debarshi Ray
2a2867789d Prepare 0.0.16 2019-10-29 16:09:44 +01:00
Debarshi Ray
0ee5b592a2 Prepare 0.0.15 2019-09-30 16:21:56 +02:00
Debarshi Ray
d0fefc8e30 Prepare 0.0.14 2019-09-18 18:47:43 +02:00
Debarshi Ray
cc448a2fb8 Prepare 0.0.13 2019-09-05 15:03:34 +02:00
Debarshi Ray
c8aba029a3 Prepare 0.0.12 2019-07-22 14:28:41 +02:00
Debarshi Ray
3b311313b7 Prepare 0.0.11 2019-06-21 16:31:50 +02:00
Debarshi Ray
8b81058f3f Prepare 0.0.10 2019-05-21 18:55:47 +02:00
Debarshi Ray
3c4c439f69 Prepare 0.0.9 2019-04-30 12:29:09 +02:00
Florian Müllner
01274dc6a6 completion: Add Bash completion
Make using toolbox a bit more convenient by properly completing its
options. The completions should be complete (that is, there are
completions for all the commands and options shown in --help),
but no attempt is made to filter out conflicting options (for
example "toolbox rm --all my-container").

https://github.com/debarshiray/toolbox/pull/133
2019-04-26 15:44:27 +02:00
Debarshi Ray
79f59b667b Show a welcome text on interactive shells running on Silverblue hosts
The welcome text uses the OSC 8 [1] escape sequence to add a hyperlink
to the Silverblue documentation [2].

Silence an SC1003 [3] because the intention is to print the 'ESC \'
string terminator (or ST), and not escape a single quote.

[1] https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda
[2] https://docs.fedoraproject.org/en-US/fedora-silverblue/toolbox/
[3] https://github.com/koalaman/shellcheck/wiki/SC1003

https://github.com/debarshiray/toolbox/pull/127
2019-04-25 15:52:23 +02:00
Debarshi Ray
a5f00c0d26 Prepare 0.0.8 2019-04-12 16:44:16 +02:00
Debarshi Ray
d0cd536bc2 build: Add a test that runs shellcheck on the toolbox script
https://github.com/debarshiray/toolbox/pull/83
2019-04-10 15:18:06 +02:00
Debarshi Ray
2b3989dd7f Prepare 0.0.7 2019-03-14 14:06:57 +01:00
Debarshi Ray
0c848abd18 Give access to removable devices and other temporary mounts
Currently, when udisks is configured to use /run/media instead of
/media, on most operating systems, the /run/media directory is created
by udisks itself when the first mount is handled [1]. This causes
problems when creating the toolbox container, if nothing has been
mounted after the current boot, because a missing directory cannot be
bind mounted.

Fedora Silverblue is a significant exception to the above, where
rpm-ostree takes care of creating /run/media with systemd-tmpfiles [2]
during boot.

The correct long-term solution is to get udisks to create /run/media
during boot with systemd-tmpfiles by installing a snippet in
tmpfiles.d [3, 4]. Until that happens, and is widely deployed, the
toolbox needs to provide the snippet itself to make things work on
the majority of operating systems.

Note that, in case udisks is configured to use /media instead of
/run/media, then this will create an unused /run/media directory. This
is probably fine because /run/media is the default setting for udisks.
Moreover, an unused directory is way better than not being able to
access mount points from a toolbox container or having 'podman create'
fail due to a missing directory.

Based on 4a2a15f2eb and as suggested by
Daniel J Walsh.

[1] UDisks commit aa02e5fc53efdeaf
    https://github.com/storaged-project/udisks/commit/aa02e5fc53efdeaf
[2] rpm-ostree commit 958dfa435e4e4a3e
    https://github.com/projectatomic/rpm-ostree/commit/958dfa435e4e4a3e
[3] https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html
[4] https://github.com/storaged-project/udisks/pull/641

https://github.com/debarshiray/toolbox/issues/3
2019-03-13 15:48:03 +01:00
Debarshi Ray
0a972dfccc Add manuals
https://github.com/debarshiray/toolbox/pull/66
2019-03-01 10:27:09 +01:00
Debarshi Ray
04a91d5189 Prepare 0.0.6 2019-02-21 19:47:56 +01:00
Debarshi Ray
c6b5a4836f Drop the "fedora" prefix and rename the project as just "toolbox"
The "fedora" prefix was used because this project was specifically
incubated to make it easier to hack on Fedora Silverblue. That and the
mix of upstream technologies (ie., Buildah and Podman) made it uniquely
"Fedora".

However, over time it has become clear that other groups, currently
Fedora downstreams like RHEL, are interested in it too. It won't be
surprising if in future it transcends the Fedora universe altogether.
Moreover, this project was inspired by coreos/toolbox [1]. There are
good reasons and enough interest to have a unified toolbox project
that addresses the needs of both Fedora CoreOS and Silverblue.

Therefore, it is best to drop the "fedora" prefix and call the whole
thing just "toolbox".

No extra effort was made to retain compatibility with the older name
due to the project's young age. Its userbase is limited to the earliest
of early adopters, and the benefits of a clean break outweigh the
loss of compatibility.

The OCI images and the toolbox container still retain the "fedora"
prefix to disambiguate them from their counterparts from other
operating systems.

[1] https://github.com/coreos/toolbox

https://github.com/debarshiray/toolbox/issues/8
2019-02-15 16:36:30 +01:00
Debarshi Ray
2b6faa26f9 Prepare 0.0.5 2019-02-11 14:17:47 +00:00