The TMT namespaced environment variables are not referenced anywhere
else and were recently removed from Podman too [1]. It's confusing to
have a long list of variables, which are either unused or don't need to
be explicitly preserved within the child session started by su(1).
ROOTLESS_USER is used when invoking su(1) and there's no need for it
within the child session started by su(1).
[1] Fedora podman commit b972298be7d228f4
https://src.fedoraproject.org/rpms/podman/c/b972298be7d228f4https://src.fedoraproject.org/rpms/toolbox/pull-request/36
... and fix CVE-2025-23266, CVE-2025-23267, and GHSA-fv92-fjc5-jj9h or
GO-2025-3787.
The following rpmlint warning was silenced:
toolbox.spec: W: no-%check-section
The timeout for the CI was increased to prevent it from timing out. The
upstream CI runs the test suite in three parallel batches, with each
batch having a timeout of 2 hours. The downstream CI doesn't run
parallelly, so a timeout of 4 hours was chosen.
https://src.fedoraproject.org/rpms/toolbox/pull-request/33
The CI needs to be run without 'p11-kit server' because the lingering
singleton process causes Bats to hang when tearing down the suite of
system tests [1]. To terminate the 'p11-kit server' instance run by the
system tests, it needs to be distinguishable from the instance run by
'normal' use of Toolbx by the user. One way to do this is to isolate
the host operating system's XDG_RUNTIME_DIR from the system tests.
Unfortunately, this is easier said than done [2]. So, this workaround
has to suffice until the problem is solved.
With the recent expansion of the test suite, it's necessary to increase
the timeout to prevent the CI from timing out.
[1] https://bats-core.readthedocs.io/en/stable/writing-tests.html
[2] https://github.com/containers/toolbox/pull/1652https://src.fedoraproject.org/rpms/toolbox/pull-request/30
Switch to vendored dependencies on Fedora because the package for
github.com/spf13/viper (ie., golang-github-spf13-viper) currently has
broken dependencies because a number of Go packages were recently
orphaned and retired. Hopefully, this is aligned with the direction the
Go ecosystem in Fedora is taking [1], and won't lead to too many
problems.
This further unifies Fedora with RHEL, which was already using vendored
dependencies.
Now that all the Go dependencies are in the src/vendor directory,
there's no need to mess around with the GO111MODULE (ie., gomodulesmode)
and GOPATH environment variables. Those were probably already not
needed on RHEL.
[1] https://fedoraproject.org/wiki/Changes/GolangPackagesVendoredByDefaulthttps://bugzilla.redhat.com/show_bug.cgi?id=2370151
With Toolbx 0.0.99.6, 'rpminspect --tests=elf', run by the Fedora CI,
fails with:
/usr/bin/toolbox lost full GNU_RELRO security protection
This is because from version 0.0.99.6 onwards, toolbox(1) is only built
with the '-z relro' linker flag, but not '-z now' [1].
Fallout from e447d41208
[1] Upstream commit 83f28c52e47c2d44
83f28c52e4https://github.com/containers/toolbox/pull/1548
Start using the golang-ipath(...) virtual Provides for BuildRequires
because they use the top-level import paths and are closer to what is
listed in the upstream go.mod. The golang(...) virtual Provides mention
each individual Go package within a Go module, and bigger modules can
have several packages in them. It is noisy and tedious to keep up with
the list of packages that are currently in use, by looking at all the Go
source files, and then to list them as BuildRequires.
Update the compiler and linker flags for Fedora by incorporating some of
the changes to the distribution's defaults up to Fedora 39, which is the
oldest supported Fedora. Switch to using the GO_BUILDTAGS and
GO_LDFLAGS environment variables, because their unprefixed counterparts
have been deprecated [1], and start annotating the toolbox(1) binary
with an ELF note that identifies the RPM for which it was built [2].
However, the change to use the RPM's %{name}, %{version}, %{release} and
the SOURCE_DATE_EPOCH environment variable [3], instead of /dev/urandom,
to generate the build ID annotation for the toolbox(1) binary [4] was
left out. It will need more work to propagate the RPM's %{name},
%{version} and %{release} to Meson.
Stop carrying the downstream patch for the compiler and linker flags for
PPC64. The architecture was already discontinued from Fedora 29 [5],
even before the patch was added [6]. It was added purely for the sake
of completeness, and in the last four years since it was introduced, it
hasn't been tested or used. At this point it's becoming too much of a
maintenance burden, and removing it silences the %ifarch-applied-patch
warning from rpmlint.
Fill in some of the missing Requires for the toolbox-tests sub-package.
[1] go-rpm-macros commit bc7e5cc55c4709e8
https://pagure.io/go-rpm-macros/c/bc7e5cc55c4709e8
[2] Fedora redhat-rpm-config commit 57edf0cad7b089ed
https://src.fedoraproject.org/rpms/redhat-rpm-config/c/57edf0cad7b089edhttps://fedoraproject.org/wiki/Changes/Package_information_on_ELF_objects
[3] https://reproducible-builds.org/docs/source-date-epoch/
[4] go-rpm-macros commit 1980932bf3a21890
https://pagure.io/go-rpm-macros/c/1980932bf3a21890https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds
[5] https://fedoraproject.org/wiki/Changes/DiscontinuePPC64
[6] Commit ba60453d21https://src.fedoraproject.org/rpms/toolbox/pull-request/22
The runtime dependency on shadow-utils-subid should have already been
part of commit 95d6ea8689 to ensure that Toolbx >= 0.0.99.4 would
be able to dlopen(3) the library. It only worked in practice because
the podman RPM also required it.
Podman 5.0 switched to using pasta(1), instead of slirp4netns(1), by
default for rootless containers. This change has led to a regression
causing 'skopeo copy' to get stuck uploading an OCI image to the local
temporary Docker registry run by the tests as a Podman container [1],
which breaks the test suite on Fedora 40 onwards.
This was worked around by forcing the use of slirp4netns(1).
The slirp4nets package needs to be explicitly installed on Fedora 40
onwards, because the dependency in containers-common-extra changed from
Recommends to Suggests [2]. Otherwise, it led to:
1..320
# test suite: Set up
# test suite: Tear down
not ok 1 setup_suite
# (from function `assert_success' in file
./libs/bats-assert/src/assert.bash, line 114,
# from function `_setup_docker_registry' in file ./libs/helpers.bash,
line 208,
# from function `setup_suite' in test file ./setup_suite.bash, line
59)
# `_setup_docker_registry' failed
#
# -- command failed --
# status : 127
# output : Error: could not find slirp4netns, the network namespace
can't be configured: exec: "slirp4netns": executable file not
found in $PATH
# --
#
# Untagged: quay.io/toolbox_tests/registry:latest
# Deleted: fea5a12cde107bb407bc44ede6dd9edea1d2b4171cd8e52b0cb330bf45e517e1
# bats warning: Executed 1 instead of expected 320 tests
The missing dependency on the slirp4netns package in toolbox-tests
doesn't affect Podman's downstream Fedora CI, which runs toolbox-tests,
because it separately installs slirp4netns for other tests [3].
Fallout from d8388da39e
[1] https://github.com/containers/podman/issues/22575
[2] Fedora containers-common commit 17934d87b2686ab5
Fedora containers-common commit 13c232f064113860
https://src.fedoraproject.org/rpms/containers-common/c/17934d87b2686ab5https://src.fedoraproject.org/rpms/containers-common/c/13c232f064113860
[3] Fedora podman commit 9667d0f5b5069acb
https://src.fedoraproject.org/rpms/podman/c/9667d0f5b5069acbhttps://src.fedoraproject.org/rpms/toolbox/pull-request/20
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Toolbx's system tests download several images when setting up the test
suite, and cache them for later use by the tests [1]. This saves time
and avoids hitting rate limits imposed by OCI registries by not
downloading the same images repeatedly for several tests, but at the
cost of increased use of storage space to cache the images.
The images are cached under BATS_TMPDIR. It defaults to the TMPDIR
environment variable, and if that's not set then to /tmp [2]. Normally,
TMPDIR isn't set, and the images end up getting cached under /tmp. Now,
/tmp is typically on tmpfs backed by RAM or swap, which means that it
should be used for smaller size-bounded files only, and /var/tmp should
be used for everything else [3].
The images are big enough that a collection of them can't be described
as smaller and size-bounded, and it led to:
1..306
# test suite: Set up
# test suite: Tear down
not ok 1 setup_suite
# (from function `setup_suite' in test file ./setup_suite.bash, line
55)
# `_pull_and_cache_distro_image fedora "$((system_version-1))" ||
false' failed
# Failed to cache image registry.fedoraproject.org/fedora-toolbox:40
to /tmp/bats-run-IPz4Cn/image-cache/fedora-toolbox-40
# time="2024-02-19T11:41:43Z" level=fatal msg="copying system image
from manifest list: writing blob: write
/tmp/bats-run-IPz4Cn/image-cache/fedora-toolbox-40/dir-put-blob607392514:
no space left on device"
# bats warning: Executed 1 instead of expected 306 tests
So, change the default location of the BATS_TMPDIR environment variable
to /var/tmp by setting TMPDIR.
[1] Toolbx commit 50683c9d9a78adc9
50683c9d9ahttps://github.com/containers/toolbox/pull/375
[2] https://bats-core.readthedocs.io/en/stable/writing-tests.html
[3] https://systemd.io/TEMPORARY_DIRECTORIES/https://src.fedoraproject.org/rpms/toolbox/pull-request/20
Signed-off-by: Adam Williamson <awilliam@redhat.com>
The test.environment variable was removed from the variables defined in
tests.yml in commit 1b207227f3, but it's still used, which causes
Ansible to break:
The task includes an option with an undefined variable. The error was:
'dict object' has no attribute 'environment'. 'dict object' has no
attribute 'environment'
https://src.fedoraproject.org/rpms/toolbox/pull-request/19
The stack-prot test [1] currently fails with:
Hardened: /usr/bin/toolbox: FAIL: stack-prot test because stack
protection not enabled (lto:_cgo_6f668e16310a_Cfunc_mygetgrnam_r)
According to the documentation [1], the test is supposed to pass if the
C compiler is GCC and it was used with the -fstack-protector-strong
option. That's definitely the case, since Fedora uses GCC by default,
and its default build flags (including %optflags) include
-fstack-protector-strong.
There's also no function called mygetgrnam() in neither Toolbx nor its
chain of dependencies.
Therefore, temporarily disable the stack-prot test to prevent the Fedora
CI from failing.
[1] https://sourceware.org/annobin/annobin.html/Test-stack-prot.html
In recent times, 'rpminspect --tests=annocheck', run by the Fedora CI,
has been failing because of the intentional DT_RPATH or DT_RUNPATH value
of /run/host%{_libdir} that's present in %{_bindir}/toolbox [1]. It's
not clear if they started failing again only recently due to changes in
rpminspect(1), or if the previous attempt at silencing it was broken and
never actually worked [2].
[1] Upstream commit 6063eb27b9893994
6063eb27b9https://github.com/containers/toolbox/issues/821
[2] Commit 12fabacd03https://github.com/rpminspect/rpminspect/issues/1296
... because subscription-manager requires python3-dnf, which contains
%{_bindir}/dnf-3 and %{_bindir}/dnf4 [1]. This is a problem on Fedora
Silverblue, because they shouldn't be present on OSTree based variants
of Fedora.
This reverts parts of commit 6682165143.
[1] https://github.com/fedora-silverblue/issue-tracker/issues/521
The only known user of the toolbox-experience and toolbox-support
packages was: https://github.com/AICoE/tf-in-container
... which was declared dead in February 2022.
Hence, there's no need to keep offering these subpackages. Especially,
since the cost of keeping them updated to match the content of the
fedora-toolbox images is quite high. If someone really needs these
subpackages, then they can be reinstated.
Start using Toolbx as the name of the project, instead of Toolbox; and
recommend subscription-manager, as requested by the Fedora Workstation
Working Group [1], to make it easier to have gratis, self-supported Red Hat
Enterprise Linux containers on Fedora.
[1] https://pagure.io/fedora-workstation/issue/391
