diff --git a/.gitignore b/.gitignore
index 03742d2..66d6df6 100644
--- a/.gitignore
+++ b/.gitignore
@@ -27,3 +27,4 @@
 /toolbox-0.0.99.2^1.git9820550c82bb.tar.xz
 /toolbox-0.0.99.2^2.git40fbd377ed0b.tar.xz
 /toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz
+/toolbox-0.0.99.3.tar.xz
diff --git a/gating.yaml b/gating.yaml
new file mode 100644
index 0000000..5ab3627
--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,9 @@
+--- !Policy
+product_versions:
+ - fedora-*
+decision_contexts:
+ - bodhi_update_push_stable
+ - bodhi_update_push_testing
+subject_type: koji_build
+rules:
+ - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional}
diff --git a/sources b/sources
index 529eaaf..64d6d65 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz) = e9ebb306fa3fe72dede4d08e1428dbfde12fe44274b4ea7cd356cba28a90daff728c4182f13e20f8a05603aeefb4cf484611805dac2776ab38c37764e6069c5d
+SHA512 (toolbox-0.0.99.3.tar.xz) = d9e4bd1cc7667b6ecdcf25a2c3ad7d7d67cc997168a41e668c936d2de24db774331a78a1b4a06b63e7cef8e0dc4ac5651591b6d9cec0d8e81be2b2dd64854dca
diff --git a/tests/roles/nonroot_user/tasks/main.yml b/tests/roles/nonroot_user/tasks/main.yml
new file mode 100644
index 0000000..51bf44a
--- /dev/null
+++ b/tests/roles/nonroot_user/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: create nonroot user
+ user:
+ name: testuser
+ shell: /bin/bash
+- name: enable linger
+ command: loginctl enable-linger testuser
diff --git a/tests/roles/run_bats_tests/files/run_bats_tests.sh b/tests/roles/run_bats_tests/files/run_bats_tests.sh
new file mode 100755
index 0000000..e9f5f5f
--- /dev/null
+++ b/tests/roles/run_bats_tests/files/run_bats_tests.sh
@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# Run bats tests for a given $TEST_PACKAGE, e.g. buildah, podman
+#
+# This is invoked by the 'run_bats_tests' role; we assume that
+# the package foo has a foo-tests subpackage which provides the
+# directory /usr/share/foo/test/system, containing one or more .bats
+# test files.
+#
+
+export PATH=/usr/local/bin:/usr/sbin:/usr/bin
+
+FULL_LOG=/tmp/test.debug.log
+BATS_LOG=/tmp/test.bats.log
+rm -f $FULL_LOG $BATS_LOG
+touch $FULL_LOG $BATS_LOG
+
+exec &> $FULL_LOG
+
+# Log program versions
+echo "Packages:"
+rpm -q ${TEST_PACKAGE} ${TEST_PACKAGE}-tests
+
+echo "------------------------------"
+printenv | sort
+
+testdir=/usr/share/${TEST_PACKAGE}/test/system
+
+if ! cd $testdir; then
+ echo "FAIL ${TEST_NAME} : cd $testdir" >> /tmp/test.log
+ exit 0
+fi
+
+if [ -e /tmp/helper.sh ]; then
+ echo "------------------------------"
+ echo ". /tmp/helper.sh"
+ . /tmp/helper.sh
+fi
+
+if [ "$(type -t setup)" = "function" ]; then
+ echo "------------------------------"
+ echo "\$ setup"
+ setup
+ if [ $? -ne 0 ]; then
+ echo "FAIL ${TEST_NAME} : setup" >> /tmp/test.log
+ exit 0
+ fi
+fi
+
+echo "------------------------------"
+echo "\$ bats ."
+bats . &> $BATS_LOG
+rc=$?
+
+echo "------------------------------"
+echo "bats completed with status $rc"
+
+status=PASS
+if [ $rc -ne 0 ]; then
+ status=FAIL
+fi
+
+echo "${status} ${TEST_NAME}" >> /tmp/test.log
+
+if [ "$(type -t teardown)" = "function" ]; then
+ echo "------------------------------"
+ echo "\$ teardown"
+ teardown
+fi
+
+# FIXME: for CI purposes, always exit 0. This allows subsequent tests.
+exit 0
diff --git a/tests/roles/run_bats_tests/tasks/main.yml b/tests/roles/run_bats_tests/tasks/main.yml
new file mode 100644
index 0000000..da79a4c
--- /dev/null
+++ b/tests/roles/run_bats_tests/tasks/main.yml
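Review bot: The block `if [ -e /tmp/helper.sh ]; then … . /tmp/helper.sh` sources a file from a fixed path in a world-writable directory, so whatever sits at that path when the script starts is executed with the test's privileges, including a stale or foreign file when the role installed no helper for this test. The fixed log names `/tmp/test.debug.log` and `/tmp/test.bats.log` are likewise removed and re-created there without any ownership or symlink check. A per-run directory created with `mktemp -d` and handed to the script by the role would remove both problems, and the helper should be sourced only from that directory. The expansions of `$FULL_LOG`, `$BATS_LOG` and `$testdir` are also unquoted; `cd "$testdir"` and `exec &> "$FULL_LOG"` are the safer forms.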
@@ -0,0 +1,37 @@
+---
+# Create empty results file, world-writable
+- name: initialize test.log file
+ copy: dest=/tmp/test.log content='' force=yes mode=0666
+
+- name: execute tests
+ include: run_one_test.yml
+ with_items: "{{ tests }}"
+ loop_control:
+ loop_var: test
+
+- name: pull test.log results
+ fetch:
+ src: "/tmp/test.log"
+ dest: "{{ artifacts }}/test.log"
+ flat: yes
+
+# Copied from standard-test-basic
+- name: check results
+ shell: grep "^FAIL" /tmp/test.log
+ register: test_fails
+ # Never fail at this step. Just store result of tests.
+ failed_when: False
+
+- name: preserve results
+ set_fact:
+ role_result_failed: "{{ (test_fails.stdout|d|length > 0) or (test_fails.stderr|d|length > 0) }}"
+ role_result_msg: "{{ test_fails.stdout|d('tests failed.') }}"
+
+- name: display results
+ vars:
+ msg: |
+ Tests failed: {{ role_result_failed|d('Undefined') }}
+ Tests msg: {{ role_result_msg|d('None') }}
+ debug:
+ msg: "{{ msg.split('\n') }}"
+ failed_when: "role_result_failed|bool"
diff --git a/tests/roles/run_bats_tests/tasks/run_one_test.yml b/tests/roles/run_bats_tests/tasks/run_one_test.yml
new file mode 100644
index 0000000..b44ed42
--- /dev/null
+++ b/tests/roles/run_bats_tests/tasks/run_one_test.yml
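Review bot: The gating verdict is read from a file that `initialize test.log file` creates with `mode=0666` under `/tmp`, and `check results` looks only for lines matching `grep "^FAIL"`, so any local account on the test host can change the outcome and a run in which the script never writes a line is reported as passing (run_bats_tests.sh always exits 0). Creating the file with `owner=testuser mode=0644` would be enough for the script to append to it when it runs as that user. The check would be stricter if it also required one `PASS` or `FAIL` line per entry in `tests`. Separately, `include:` is deprecated in current Ansible and `include_tasks:` is its replacement.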
@@ -0,0 +1,52 @@
+---
+- name: "{{ test.name }} | install test packages"
+ dnf: name="{{ test.package }}-tests" state=installed
+
+- name: "{{ test.name }} | define helper variables"
+ set_fact:
+ test_name_oneword: "{{ test.name | replace(' ','-') }}"
+
+# UGH. This is necessary because our caller sets some environment variables
+# and we need to set a few more based on other caller variables; then we
+# need to combine the two dicts when running the test. This seems to be
+# the only way to do it in ansible.
+- name: "{{ test.name }} | define local environment"
+ set_fact:
+ local_environment:
+ TEST_NAME: "{{ test.name }}"
+ TEST_PACKAGE: "{{ test.package }}"
+ TEST_ENV: "{{ test.environment }}"
+
+- name: "{{ test.name }} | setup/teardown helper | see if exists"
+ local_action: stat path={{ role_path }}/files/helper.{{ test_name_oneword }}.sh
+ register: helper
+
+- name: "{{ test.name }} | setup/teardown helper | install"
+ copy: src=helper.{{ test_name_oneword }}.sh dest=/tmp/helper.sh
+ when: helper.stat.exists
+
+- name: "{{ test.name }} | run test"
+ script: ./run_bats_tests.sh
+ args:
+ chdir: /usr/share/{{ test.package }}/test/system
+ become: "{{ true if test.become is defined else false }}"
+ become_user: testuser
+ environment: "{{ local_environment | combine(test.environment) }}"
+
+- name: "{{ test.name }} | pull logs"
+ fetch:
+ src: "/tmp/test.{{ item }}.log"
+ dest: "{{ artifacts }}/test.{{ test_name_oneword }}.{{ item }}.log"
+ flat: yes
+ with_items:
+ - bats
+ - debug
+
+- name: "{{ test.name }} | remove remote logs and helpers"
+ file:
+ dest=/tmp/{{ item }}
+ state=absent
+ with_items:
+ - test.bats.log
+ - test.debug.log
+ - helper.sh
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..0048a3e
--- /dev/null
+++ b/tests/tests.yml
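Review bot: In the `run test` task, `become: "{{ true if test.become is defined else false }}"` checks only that the key exists, so a test entry with `become: false` would still be switched to `testuser`; `become: "{{ test.become | default(false) | bool }}"` honours the value. `test.environment` is also used unguarded in both `TEST_ENV` and `combine(test.environment)`, so an entry without an `environment` key stops with an undefined-variable error; `test.environment | default({})` in both places avoids that. The `see if exists` task uses `local_action: stat` against `role_path`, which is worth a one-line comment because it is the only task here that runs on the controller rather than the test host.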
@@ -0,0 +1,15 @@
+---
+- hosts: localhost
+ tags: classic
+ vars:
+ - artifacts: ./artifacts
+ roles:
+ - role: nonroot_user
+ - role: run_bats_tests
+ tests:
+ - name: toolbox
+ package: toolbox
+ environment:
+ PODMAN: /usr/bin/podman
+ become: true
+
\ No newline at end of file
diff --git a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
index f5511f6..a1d92a5 100644
--- a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
+++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
@@ -1,4 +1,4 @@
-From 5ec9997c0f11bb9d1f7eee2e5014130cadc70c91 Mon Sep 17 00:00:00 2001
+From 32aa30a17358598f568991a5375f6182e4135648 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} for
@@ -20,20 +20,43 @@ Note that these flags are only meant for the "ppc64" CPU architecture, and should be kept updated to match Fedora's Go guidelines. Use 'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro. --- - src/go-build-wrapper | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) + src/go-build-wrapper | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index 0d27120da052..03a32bc5af33 100755 +index ef4aafc8b024..f8ea8370792c 100755 --- a/src/go-build-wrapper
+++ b/src/go-build-wrapper -@@ -27,5 +27,6 @@ if ! cd "$1"; then +@@ -32,9 +32,9 @@ if ! cd "$1"; then exit 1 fi --go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" +-tags="" ++tags="-tags rpm_crashtraceback,${BUILDTAGS:-}" + if $6; then +- tags="-tags migration_path_for_coreos_toolbox" ++ tags="$tags,migration_path_for_coreos_toolbox" + fi + + if ! libc_dir=$("$4" --print-file-name=libc.so); then +@@ -69,11 +69,16 @@ fi + + dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename" + +unset LDFLAGS -+go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" ++ + # shellcheck disable=SC2086 + go build \ ++ -compiler gc \ + $tags \ +- -trimpath \ +- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \ ++ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \ ++ -a \ ++ -v \ ++ -x \ + -o "$2/toolbox" + exit "$?" -- 2.31.1 diff --git a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch index c97e978..2e4cbfd 100644 
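Review bot: In the refreshed go-build-wrapper patch, `tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"` is later expanded unquoted as `$tags`, so if `BUILDTAGS` ever holds a space-separated list the words after the first space reach `go build` as separate arguments instead of build tags. Converting the separators first, for example `tags="-tags rpm_crashtraceback,$(printf '%s' "${BUILDTAGS:-}" | tr ' ' ',')"`, keeps the whole list in one argument. The same line is added in toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch. The added `unset LDFLAGS` makes the `${LDFLAGS:-}` inside `-ldflags` always expand to nothing, which deserves a short comment saying it is deliberate.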
--- a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch +++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch @@ -1,4 +1,4 @@ -From 64c8066535dacbe37abc35485347c59df553bfbb Mon Sep 17 00:00:00 2001 +From 6d913f1fbd6e609957bb01273504b2f479e1b546 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Mon, 29 Jun 2020 17:57:47 +0200 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} @@ -19,20 +19,44 @@ Note that these flags are meant for every CPU architecture other than PPC64, and should be kept updated to match Fedora's Go guidelines. Use 'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro. --- - src/go-build-wrapper | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) + src/go-build-wrapper | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index 0d27120da052..4793d29a7021 100755 +index ef4aafc8b024..4354beceb215 100755 --- a/src/go-build-wrapper 
+++ b/src/go-build-wrapper -@@ -27,5 +27,6 @@ if ! cd "$1"; then +@@ -32,9 +32,9 @@ if ! cd "$1"; then exit 1 fi --go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" +-tags="" ++tags="-tags rpm_crashtraceback,${BUILDTAGS:-}" + if $6; then +- tags="-tags migration_path_for_coreos_toolbox" ++ tags="$tags,migration_path_for_coreos_toolbox" + fi + + if ! libc_dir=$("$4" --print-file-name=libc.so); then +@@ -69,11 +69,17 @@ fi + + dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename" + +unset LDFLAGS -+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" ++ + # shellcheck disable=SC2086 + go build \ ++ -buildmode pie \ ++ -compiler gc \ + $tags \ +- -trimpath \ +- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \ ++ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \ ++ -a \ ++ -v \ ++ -x \ + -o "$2/toolbox" + exit "$?" -- 2.31.1 
diff --git a/toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch b/toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch
new file mode 100644
index 0000000..a618021
--- /dev/null
+++ b/toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch
@@ -0,0 +1,95 @@
+From e598e2160323b63310ad7b6def723eb1f8767f90 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?=
+Date: Thu, 11 Nov 2021 18:18:52 +0200
+Subject: [PATCH 02/13] cmd/root: Work around Cobra 1.1.2's handling of usage
+ functions
+
+In version 1.1.2 of Cobra has been included a change[0] that changes
+how custom usage functions are handled.
+
+Example of the wrong behaviour:
+$ toolbox --foo
+Error: unknown flag: --foo
+Run 'toolbox --help' for usage.Error: Run 'toolbox --help' for usage.
+
+Desired behaviour:
+$ toolbox --foo
+Error: unknown flag: --foo
+Run 'toolbox --help' for usage.
+
+A workaround is to define a template string for the usage instead. The
+template uses the templating language of Go[1]. See the default
+template string in version 1.2.1[2].
+
+Because the template is set only once, the executableBase needs to be
+set before the template is applied. That required the move of
+setUpGlobals() into init() of the cmd package. This is a better place
+for the function call as init() is called earlier than Execute()[3].
+
+Upstream issue: https://github.com/spf13/cobra/issues/1532
+
+[0] https://github.com/spf13/cobra/pull/1044
+[1] https://pkg.go.dev/text/template
+[2] https://github.com/spf13/cobra/blob/v1.2.1/command.go#L491
+[3] https://golang.org/doc/effective_go#init
+
+https://github.com/containers/toolbox/pull/917
+---
+ src/cmd/root.go | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/src/cmd/root.go b/src/cmd/root.go
+index eb0622f..ad0753b 100644
+--- a/src/cmd/root.go
++++ b/src/cmd/root.go
+@@ -62,11 +62,6 @@ var (
+ )
+
+ func Execute() {
+- if err := setUpGlobals(); err != nil {
+- fmt.Fprintf(os.Stderr, "Error: %s\n", err)
+- os.Exit(1)
+- }
+-
+ if err := rootCmd.Execute(); err != nil {
+ os.Exit(1)
+ }
+@@ -75,6 +70,11 @@ func Execute() {
+ }
+
+ func init() {
++ if err := setUpGlobals(); err != nil {
++ fmt.Fprintf(os.Stderr, "Error: %s\n", err)
++ os.Exit(1)
++ }
++
+ persistentFlags := rootCmd.PersistentFlags()
+
+ persistentFlags.BoolVarP(&rootFlags.assumeYes,
+@@ -96,7 +96,9 @@ func init() {
+ persistentFlags.CountVarP(&rootFlags.verbose, "verbose", "v", "Set log-level to 'debug'")
+
+ rootCmd.SetHelpFunc(rootHelp)
+- rootCmd.SetUsageFunc(rootUsage)
++
++ usageTemplate := fmt.Sprintf("Run '%s --help' for usage.", executableBase)
++ rootCmd.SetUsageTemplate(usageTemplate)
+ }
+
+ func preRun(cmd *cobra.Command, args []string) error {
+@@ -188,12 +190,6 @@ func rootRun(cmd *cobra.Command, args []string) error {
+ return rootRunImpl(cmd, args)
+ }
+
+-func rootUsage(cmd *cobra.Command) error {
+- err := fmt.Errorf("Run '%s --help' for usage.", executableBase)
+- fmt.Fprintf(os.Stderr, "%s", err)
+- return err
+-}
+-
+ func migrate() error {
+ logrus.Debug("Migrating to newer Podman")
+
+--
+2.34.1
+
diff --git a/toolbox.spec b/toolbox.spec
index 7f95195..849f26a 100644
--- a/toolbox.spec
+++ b/toolbox.spec
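Review bot: With `setUpGlobals()` moved into `init()` in src/cmd/root.go, the package can print an error and call `os.Exit(1)` merely by being imported, before `main` runs and before a test binary for the package can prepare its own state. The commit message gives the ordering reason, but keeping the call at the top of `Execute()` and calling `rootCmd.SetUsageTemplate(...)` directly after it there would give the same ordering without an import-time exit. The string built by `fmt.Sprintf("Run '%s --help' for usage.", executableBase)` is also parsed as a Go text/template, so an executable name containing `{{` would be read as template syntax. That is presumably unreachable for the packaged binary, but a comment next to `usageTemplate` should say the name is trusted.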
@@ -1,23 +1,23 @@ +%global __brp_check_rpaths %{nil} + Name: toolbox -Version: 0.0.99.2^3.git075b9a8d2779 +Version: 0.0.99.3 %global goipath github.com/containers/%{name} %gometa -Release: 1%{?dist} +Release: 4%{?dist} Summary: Tool for containerized command line environments on Linux License: ASL 2.0 -URL: https://github.com/containers/%{name} - -# https://github.com/containers/%%{name}/releases/download/%%{version}/%%{name}-%%{version}.tar.xz -# Snapshot tarball -Source0: %{name}-%{version}.tar.xz +URL: https://containertoolbx.org/ +Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz # Fedora specific Patch100: toolbox-Don-t-use-Go-s-semantic-import-versioning.patch Patch101: toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch Patch102: toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch +Patch103: toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch BuildRequires: ShellCheck BuildRequires: golang >= 1.13 @@ -33,10 +33,11 @@ BuildRequires: golang(github.com/sirupsen/logrus) >= 1.4.2 # BuildRequires: golang(github.com/stretchr/testify) >= 1.7.0 BuildRequires: golang(github.com/spf13/cobra) >= 0.0.5 BuildRequires: golang(golang.org/x/sys/unix) -BuildRequires: meson +BuildRequires: meson >= 0.58.0 BuildRequires: pkgconfig(bash-completion) BuildRequires: systemd +Requires: containers-common Requires: flatpak-session-helper Requires: podman >= 1.4.0 @@ -54,6 +55,7 @@ Summary: Required packages for the container image to support %{name} # These are really required to make the image work with toolbox Requires: passwd Requires: shadow-utils +Requires: util-linux Requires: vte-profile %description support @@ -90,7 +92,6 @@ Requires: less Requires: lsof Requires: man-db Requires: man-pages -Requires: mlocate Requires: mtr Requires: nano-default-editor Requires: nss-mdns 
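Review bot: `%global __brp_check_rpaths %{nil}` at the top of the spec switches the RPATH check off for every file the package installs, presumably to let through the `-Wl,-rpath,/run/host…` entry that the refreshed go-build-wrapper patches add to the toolbox binary. The check can be relaxed more narrowly by exporting `QA_RPATHS` with only the bits that binary needs, which keeps it active for anything else that ends up in the buildroot. A comment next to the macro stating why it is there would help in either case. `Source0` now points at the upstream release URL, and in the lines visible here the tarball is authenticated only by the SHA512 in `sources`, with no upstream signature check.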
@@ -144,6 +145,8 @@ The %{name}-tests package contains system tests for %{name}. %patch102 -p1 %endif +%patch103 -p1 + %gomkdir @@ -185,6 +188,29 @@ ln -s src/pkg pkg %changelog +* Sat Jul 09 2022 Maxwell G - 0.0.99.3-4 +- Rebuild for CVE-2022-{24675,28327,29526 in golang} + +* Sat Jul 09 2022 Maxwell G - 0.0.99.3-3 +- Rebuild for CVE-2022-{24675,28327,29526} in golang + +* Sun Jan 09 2022 Ondřej Míchal - 0.0.99.3-2 +- Add upstream patch fixing doubled error messages + +* Fri Dec 10 2021 Debarshi Ray - 0.0.99.3-1 +- Update to 0.0.99.3 +- Update the URL to point to the website + +* Mon Oct 25 2021 Debarshi Ray - 0.0.99.2^3.git075b9a8d2779-4 +- Restore backwards compatibility with existing containers + +* Fri Oct 22 2021 Debarshi Ray - 0.0.99.2^3.git075b9a8d2779-3 +- Ensure that binaries are run against their build-time ABI +- Require containers-common for ownership of %%{_sysconfdir}/containers + +* Wed Aug 25 2021 Oliver Gutiérrez - 0.0.99.2^3.git075b9a8d2779-2 +- Rebuilt for gating check + * Mon Aug 09 2021 Oliver Gutiérrez - 0.0.99.2^3.git075b9a8d2779-1 - Updated to 0.0.99.2^3.git075b9a8d2779 snapshot