From 76445a86a8a424c406a88f96c94715ee136ad337 Mon Sep 17 00:00:00 2001 From: Oliver Gutierrez Date: Wed, 25 Aug 2021 11:54:33 +0100 Subject: [PATCH 1/8] Added gating files and version bump for build check --- gating.yaml | 9 +++ tests/roles/nonroot_user/tasks/main.yml | 7 ++ .../run_bats_tests/files/run_bats_tests.sh | 72 +++++++++++++++++++ tests/roles/run_bats_tests/tasks/main.yml | 37 ++++++++++ .../run_bats_tests/tasks/run_one_test.yml | 52 ++++++++++++++ tests/tests.yml | 15 ++++ toolbox.spec | 5 +- 7 files changed, 196 insertions(+), 1 deletion(-) create mode 100644 gating.yaml create mode 100644 tests/roles/nonroot_user/tasks/main.yml create mode 100755 tests/roles/run_bats_tests/files/run_bats_tests.sh create mode 100644 tests/roles/run_bats_tests/tasks/main.yml create mode 100644 tests/roles/run_bats_tests/tasks/run_one_test.yml create mode 100644 tests/tests.yml diff --git a/gating.yaml b/gating.yaml new file mode 100644 index 0000000..5ab3627 --- /dev/null +++ b/gating.yaml @@ -0,0 +1,9 @@ +--- !Policy +product_versions: + - fedora-* +decision_contexts: + - bodhi_update_push_stable + - bodhi_update_push_testing +subject_type: koji_build +rules: + - !PassingTestCaseRule {test_case_name: fedora-ci.koji-build.tier0.functional} diff --git a/tests/roles/nonroot_user/tasks/main.yml b/tests/roles/nonroot_user/tasks/main.yml new file mode 100644 index 0000000..51bf44a --- /dev/null +++ b/tests/roles/nonroot_user/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: create nonroot user + user: + name: testuser + shell: /bin/bash +- name: enable linger + command: loginctl enable-linger testuser diff --git a/tests/roles/run_bats_tests/files/run_bats_tests.sh b/tests/roles/run_bats_tests/files/run_bats_tests.sh new file mode 100755 index 0000000..e9f5f5f --- /dev/null +++ b/tests/roles/run_bats_tests/files/run_bats_tests.sh 
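Review bot: The `enable linger` task in tests/roles/nonroot_user/tasks/main.yml runs `loginctl enable-linger testuser` through the `command` module with no guard, so it is re-executed and reported as changed on every play; adding `args: creates: /var/lib/systemd/linger/testuser` (the file logind writes for a lingering user) makes it idempotent. The `create nonroot user` task sets no `password`, which leaves the account password-locked — appropriate for a CI account, but worth a one-line comment such as `# no password on purpose: the account is only entered via become_user` so nobody "fixes" it later. Neither task uses explicit `state: present`; the default is the same, but stating it matches the rest of the role layout.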
@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# Run bats tests for a given $TEST_PACKAGE, e.g. buildah, podman
+#
+# This is invoked by the 'run_bats_tests' role; we assume that
+# the package foo has a foo-tests subpackage which provides the
+# directory /usr/share/foo/test/system, containing one or more .bats
+# test files.
+#
+
+export PATH=/usr/local/bin:/usr/sbin:/usr/bin
+
+FULL_LOG=/tmp/test.debug.log
+BATS_LOG=/tmp/test.bats.log
+rm -f $FULL_LOG $BATS_LOG
+touch $FULL_LOG $BATS_LOG
+
+exec &> $FULL_LOG
+
+# Log program versions
+echo "Packages:"
+rpm -q ${TEST_PACKAGE} ${TEST_PACKAGE}-tests
+
+echo "------------------------------"
+printenv | sort
+
+testdir=/usr/share/${TEST_PACKAGE}/test/system
+
+if ! cd $testdir; then
+ echo "FAIL ${TEST_NAME} : cd $testdir" >> /tmp/test.log
+ exit 0
+fi
+
+if [ -e /tmp/helper.sh ]; then
+ echo "------------------------------"
+ echo ". /tmp/helper.sh"
+ . /tmp/helper.sh
+fi
+
+if [ "$(type -t setup)" = "function" ]; then
+ echo "------------------------------"
+ echo "\$ setup"
+ setup
+ if [ $? -ne 0 ]; then
+ echo "FAIL ${TEST_NAME} : setup" >> /tmp/test.log
+ exit 0
+ fi
+fi
+
+echo "------------------------------"
+echo "\$ bats ."
+bats . &> $BATS_LOG
+rc=$?
+
+echo "------------------------------"
+echo "bats completed with status $rc"
+
+status=PASS
+if [ $rc -ne 0 ]; then
+ status=FAIL
+fi
+
+echo "${status} ${TEST_NAME}" >> /tmp/test.log
+
+if [ "$(type -t teardown)" = "function" ]; then
+ echo "------------------------------"
+ echo "\$ teardown"
+ teardown
+fi
+
+# FIXME: for CI purposes, always exit 0. This allows subsequent tests.
+exit 0
diff --git a/tests/roles/run_bats_tests/tasks/main.yml b/tests/roles/run_bats_tests/tasks/main.yml
new file mode 100644
index 0000000..da79a4c
--- /dev/null
+++ b/tests/roles/run_bats_tests/tasks/main.yml
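Review bot: The `if [ -e /tmp/helper.sh ]` block sources whatever file sits at that fixed, shared path, not necessarily the helper the role installed for this test — run_one_test.yml only copies a helper when one exists for the test, so a stale helper.sh left by an aborted earlier run (or, on a multi-user host, a file any local user dropped into /tmp) would be executed with the privileges of the test run. Pass the helper explicitly from the role instead, e.g. `[ -n "${TEST_HELPER:-}" ] && . "$TEST_HELPER"`, or stage it under a `mktemp -d` directory rather than a fixed name. Separately, `printenv | sort` writes the entire environment into test.debug.log, which run_one_test.yml fetches into the artifacts; if the CI injects tokens through the environment they end up in published logs, so restrict it to the test's own variables, `printenv | grep '^TEST_' | sort`. The FIXME `exit 0` also means the script can never signal failure to its caller; the role's verdict rests entirely on /tmp/test.log, which is worth saying in the header comment.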
@@ -0,0 +1,37 @@
+---
+# Create empty results file, world-writable
+- name: initialize test.log file
+ copy: dest=/tmp/test.log content='' force=yes mode=0666
+
+- name: execute tests
+ include: run_one_test.yml
+ with_items: "{{ tests }}"
+ loop_control:
+ loop_var: test
+
+- name: pull test.log results
+ fetch:
+ src: "/tmp/test.log"
+ dest: "{{ artifacts }}/test.log"
+ flat: yes
+
+# Copied from standard-test-basic
+- name: check results
+ shell: grep "^FAIL" /tmp/test.log
+ register: test_fails
+ # Never fail at this step. Just store result of tests.
+ failed_when: False
+
+- name: preserve results
+ set_fact:
+ role_result_failed: "{{ (test_fails.stdout|d|length > 0) or (test_fails.stderr|d|length > 0) }}"
+ role_result_msg: "{{ test_fails.stdout|d('tests failed.') }}"
+
+- name: display results
+ vars:
+ msg: |
+ Tests failed: {{ role_result_failed|d('Undefined') }}
+ Tests msg: {{ role_result_msg|d('None') }}
+ debug:
+ msg: "{{ msg.split('\n') }}"
+ failed_when: "role_result_failed|bool"
diff --git a/tests/roles/run_bats_tests/tasks/run_one_test.yml b/tests/roles/run_bats_tests/tasks/run_one_test.yml
new file mode 100644
index 0000000..b44ed42
--- /dev/null
+++ b/tests/roles/run_bats_tests/tasks/run_one_test.yml
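Review bot: `mode=0666` makes the pass/fail ledger world-writable at a fixed path, and the `check results` task decides the outcome by grepping that very file, so any local process can blank or forge results; the script only ever appends to it as the connecting user or as `testuser` (run_one_test.yml's `become_user`), so `owner: testuser` with `mode: "0644"` is sufficient, assuming the play runs as root as the `dnf` and `become_user` tasks already require. The task also uses the legacy `key=value` argument form; block YAML with real booleans (`force: true`, and likewise `flat: true` / `failed_when: false` further down) is the Ansible convention. Rewritten task:

```yaml
# Results ledger read by "check results"; owned by the test user, not world-writable
- name: initialize test.log file
  copy:
    dest: /tmp/test.log
    content: ''
    force: true
    owner: testuser
    mode: "0644"
# … unchanged: execute tests, pull test.log results, check/preserve/display results …
```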
@@ -0,0 +1,52 @@
+---
+- name: "{{ test.name }} | install test packages"
+ dnf: name="{{ test.package }}-tests" state=installed
+
+- name: "{{ test.name }} | define helper variables"
+ set_fact:
+ test_name_oneword: "{{ test.name | replace(' ','-') }}"
+
+# UGH. This is necessary because our caller sets some environment variables
+# and we need to set a few more based on other caller variables; then we
+# need to combine the two dicts when running the test. This seems to be
+# the only way to do it in ansible.
+- name: "{{ test.name }} | define local environment"
+ set_fact:
+ local_environment:
+ TEST_NAME: "{{ test.name }}"
+ TEST_PACKAGE: "{{ test.package }}"
+ TEST_ENV: "{{ test.environment }}"
+
+- name: "{{ test.name }} | setup/teardown helper | see if exists"
+ local_action: stat path={{ role_path }}/files/helper.{{ test_name_oneword }}.sh
+ register: helper
+
+- name: "{{ test.name }} | setup/teardown helper | install"
+ copy: src=helper.{{ test_name_oneword }}.sh dest=/tmp/helper.sh
+ when: helper.stat.exists
+
+- name: "{{ test.name }} | run test"
+ script: ./run_bats_tests.sh
+ args:
+ chdir: /usr/share/{{ test.package }}/test/system
+ become: "{{ true if test.become is defined else false }}"
+ become_user: testuser
+ environment: "{{ local_environment | combine(test.environment) }}"
+
+- name: "{{ test.name }} | pull logs"
+ fetch:
+ src: "/tmp/test.{{ item }}.log"
+ dest: "{{ artifacts }}/test.{{ test_name_oneword }}.{{ item }}.log"
+ flat: yes
+ with_items:
+ - bats
+ - debug
+
+- name: "{{ test.name }} | remove remote logs and helpers"
+ file:
+ dest=/tmp/{{ item }}
+ state=absent
+ with_items:
+ - test.bats.log
+ - test.debug.log
+ - helper.sh
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..0048a3e
--- /dev/null
+++ b/tests/tests.yml
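Review bot: `become: "{{ true if test.become is defined else false }}"` keys on whether the attribute exists rather than on its value, so a test entry written as `become: false` would still be run as `testuser`; `become: "{{ test.become | default(false) | bool }}"` expresses the intent and handles both spellings. `environment: "{{ local_environment | combine(test.environment) }}"` (and `TEST_ENV: "{{ test.environment }}"` above it) abort with an undefined-variable error for any test that has no `environment` key, so both should use `test.environment | default({})`. `dnf: name="{{ test.package }}-tests" state=installed` is the legacy key=value form; block YAML with `state: present` is the convention the rest of the file follows.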
@@ -0,0 +1,15 @@ +--- +- hosts: localhost + tags: classic + vars: + - artifacts: ./artifacts + roles: + - role: nonroot_user + - role: run_bats_tests + tests: + - name: toolbox + package: toolbox + environment: + PODMAN: /usr/bin/podman + become: true + \ No newline at end of file diff --git a/toolbox.spec b/toolbox.spec index 7f95195..199dd29 100644 --- a/toolbox.spec +++ b/toolbox.spec @@ -4,7 +4,7 @@ Version: 0.0.99.2^3.git075b9a8d2779 %global goipath github.com/containers/%{name} %gometa -Release: 1%{?dist} +Release: 2%{?dist} Summary: Tool for containerized command line environments on Linux License: ASL 2.0 @@ -185,6 +185,9 @@ ln -s src/pkg pkg %changelog +* Wed Aug 25 2021 Oliver Gutiérrez - 0.0.99.2^3.git075b9a8d2779-2 +- Rebuilt for gating check + * Mon Aug 09 2021 Oliver Gutiérrez - 0.0.99.2^3.git075b9a8d2779-1 - Updated to 0.0.99.2^3.git075b9a8d2779 snapshot From 3dabc5cde9acab89604d73c8319b485533279c40 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Fri, 22 Oct 2021 02:17:56 +0200 Subject: [PATCH 2/8] Ensure that binaries are run against their build-time ABI ... and require containers-common for ownership of %%{_sysconfdir}/containers. https://bugzilla.redhat.com/show_bug.cgi?id=1995439 --- ...are-run-against-their-build-time-ABI.patch | 262 ++++++++++++++++++ ...ags-match-Fedora-s-gobuild-for-PPC64.patch | 14 +- ...e-build-flags-match-Fedora-s-gobuild.patch | 14 +- toolbox.spec | 14 +- 4 files changed, 291 insertions(+), 13 deletions(-) create mode 100644 toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch diff --git a/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch new file mode 100644 index 0000000..9dda641 --- /dev/null +++ b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch 
@@ -0,0 +1,262 @@ +From 452dc797f7ef12235e4ede83735f5d554f54b012 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Thu, 21 Oct 2021 18:59:45 +0200 +Subject: [PATCH 1/2] tmpfiles.d: Style fix + +The subsequent commit will add an entry to create a /run/host symbolic +link on the host that points to /, and it will require explicitly +skipping some of the columns. Doing the same for the existing entry +will make the file more readable. + +https://github.com/containers/toolbox/issues/821 +--- + data/tmpfiles.d/toolbox.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf +index f22b64a0f97c..bdffe7c09639 100644 +--- a/data/tmpfiles.d/toolbox.conf ++++ b/data/tmpfiles.d/toolbox.conf +@@ -1 +1 @@ +-d /run/media 0755 root root ++d /run/media 0755 root root - - +-- +2.31.1 + + +From 6063eb27b98939942e316771224c5653a9b2e59b Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Thu, 21 Oct 2021 20:22:11 +0200 +Subject: [PATCH 2/2] build: Ensure that binaries are run against their + build-time ABI + +The /usr/bin/toolbox binary is not only used to interact with toolbox +containers and images from the host. It's also used as the entry point +of the containers by bind mounting the binary from the host into the +container. This means that the /usr/bin/toolbox binary on the host must +also work inside the container, even if they have different operating +systems. + +In the past, this worked perfectly well with the POSIX shell +implementation because it got intepreted by whichever /bin/sh was +available. However, the Go implementation, can run into ABI +compatibility issues because binaries built on newer toolchains aren't +meant to be run against older runtimes. + +The previous approach [1] of restricting the versions of the glibc +symbols that are linked against isn't actually supported by glibc, and +breaks if the early process start-up code changes. 
This is seen in +glibc-2.34, which is used by Fedora 35 onwards, where a new version of +the __libc_start_main symbol [2] was added as part of some security +hardening: + $ objdump -T ./usr/bin/toolbox | grep GLIBC_2.34 + 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 + __libc_start_main + 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 + pthread_detach + 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 + pthread_create + 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 + pthread_attr_getstacksize + +This means that /usr/bin/toolbox binaries built against glibc-2.34 on +newer Fedoras fail to run against older glibcs in older Fedoras. + +Another option is to make the host's runtime available inside the +toolbox container and ensure that the binary always runs against it. + +Luckily, almost all supported containers have the host's /usr available +at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to +/run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing +the path of the dynamic linker (ie., PT_INTERP) to the one inside +/run/host. + +Unfortunately, there can only be one PT_INTERP entry inside the +binary, so there must be a /run/host on the host too. Therefore, a +/run/host symbolic link is created on the host that points to the +host's /. + +Based on ideas from Alexander Larsson and Ray Strode. 
+ +[1] Commit 6ad9c631806961f3 + https://github.com/containers/toolbox/pull/534 + +[2] glibc commit 035c012e32c11e84 + https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84 + https://sourceware.org/bugzilla/show_bug.cgi?id=23323 + +https://github.com/containers/toolbox/issues/821 +--- + data/tmpfiles.d/toolbox.conf | 1 + + meson.build | 8 ++---- + playbooks/setup-env.yaml | 1 + + src/go-build-wrapper | 17 ++++++++++--- + src/libc-wrappers/libc-wrappers.c | 42 ------------------------------- + src/libc-wrappers/meson.build | 8 ------ + src/meson.build | 4 --- + 7 files changed, 18 insertions(+), 63 deletions(-) + delete mode 100644 src/libc-wrappers/libc-wrappers.c + delete mode 100644 src/libc-wrappers/meson.build + +diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf +index bdffe7c09639..0ddb1f08830d 100644 +--- a/data/tmpfiles.d/toolbox.conf ++++ b/data/tmpfiles.d/toolbox.conf +@@ -1 +1,2 @@ + d /run/media 0755 root root - - ++L /run/host - - - - ../ +diff --git a/meson.build b/meson.build +index b580c10fe7d8..ae228ee287d5 100644 +--- a/meson.build ++++ b/meson.build +@@ -1,17 +1,13 @@ + project( + 'toolbox', +- 'c', + version: '0.0.99.2', + license: 'ASL 2.0', +- meson_version: '>= 0.42.0', ++ meson_version: '>= 0.53.0', + ) + +-cc = meson.get_compiler('c') +-add_project_arguments('-pthread', language: 'c') +-add_project_link_arguments('-pthread', language: 'c') +- + go = find_program('go') + go_md2man = find_program('go-md2man') ++patchelf = find_program('patchelf') + shellcheck = find_program('shellcheck', required: false) + skopeo = find_program('skopeo', required: false) + +diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml +index 5644f1ab01b4..7ac9b46ee3ad 100644 +--- a/playbooks/setup-env.yaml ++++ b/playbooks/setup-env.yaml +@@ -13,6 +13,7 @@ + - golang-github-cpuguy83-md2man + - meson + - ninja-build ++ - patchelf + - podman + - skopeo + - systemd +diff --git a/src/go-build-wrapper b/src/go-build-wrapper 
+index 0d27120da052..677dca94bd5a 100755 +--- a/src/go-build-wrapper ++++ b/src/go-build-wrapper +@@ -16,9 +16,9 @@ + # + + +-if [ "$#" -ne 4 ]; then ++if [ "$#" -ne 3 ]; then + echo "go-build-wrapper: wrong arguments" >&2 +- echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION] [libc-wrappers.a]" >&2 ++ echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION]" >&2 + exit 1 + fi + +@@ -27,5 +27,16 @@ if ! cd "$1"; then + exit 1 + fi + +-go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" ++go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" ++ ++if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then ++ echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2 ++ exit 1 ++fi ++ ++if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then ++ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2 ++ exit 1 ++fi ++ + exit "$?" +diff --git a/src/libc-wrappers/libc-wrappers.c b/src/libc-wrappers/libc-wrappers.c +deleted file mode 100644 +index 7b402bc2fe78..000000000000 +--- a/src/libc-wrappers/libc-wrappers.c ++++ /dev/null +@@ -1,42 +0,0 @@ +-/* +- * Copyright © 2020 – 2021 Red Hat Inc. +- * +- * Licensed under the Apache License, Version 2.0 (the "License"); +- * you may not use this file except in compliance with the License. +- * You may obtain a copy of the License at +- * +- * http://www.apache.org/licenses/LICENSE-2.0 +- * +- * Unless required by applicable law or agreed to in writing, software +- * distributed under the License is distributed on an "AS IS" BASIS, +- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
+- * See the License for the specific language governing permissions and +- * limitations under the License. +- */ +- +- +-#include +- +- +-#if defined __aarch64__ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17"); +-#elif defined __arm__ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.4"); +-#elif defined __i386__ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.0"); +-#elif defined __powerpc64__ && _CALL_ELF == 2 /* ppc64le */ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17"); +-#elif defined __s390x__ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2"); +-#elif defined __x86_64__ +-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2.5"); +-#else +-#error "Please specify symbol version for pthread_sigmask" +-#endif +- +- +-int +-__wrap_pthread_sigmask (int how, const sigset_t *set, sigset_t *oldset) +-{ +- return pthread_sigmask (how, set, oldset); +-} +diff --git a/src/libc-wrappers/meson.build b/src/libc-wrappers/meson.build +deleted file mode 100644 +index 3984ce449c57..000000000000 +--- a/src/libc-wrappers/meson.build ++++ /dev/null +@@ -1,8 +0,0 @@ +-sources = files( +- 'libc-wrappers.c', +-) +- +-libc_wrappers = static_library( +- 'c-wrappers', +- sources, +-) +diff --git a/src/meson.build b/src/meson.build +index f76606da3271..759db1f1e900 100644 +--- a/src/meson.build ++++ b/src/meson.build +@@ -1,5 +1,3 @@ +-subdir('libc-wrappers') +- + go_build_wrapper_file = files('go-build-wrapper') + go_build_wrapper_program = find_program('go-build-wrapper') + +@@ -28,9 +26,7 @@ custom_target( + meson.current_source_dir(), + meson.current_build_dir(), + meson.project_version(), +- libc_wrappers.full_path(), + ], +- depends: libc_wrappers, + input: sources, + install: true, + install_dir: get_option('bindir'), +-- +2.31.1 + diff --git a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch index f5511f6..d464eea 100644 
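Review bot: After this change /usr/bin/toolbox has its PT_INTERP under /run/host, so on the host it cannot be executed at all until the `L /run/host - - - - ../` tmpfiles entry has been applied, and `L` (unlike `L+`) does not replace something that already exists at that path; the spec hunks in this series show no `%post` running `systemd-tmpfiles --create` (it may live outside the shown hunks), in which case a freshly installed package fails with a bare ENOENT from the kernel's interpreter lookup until the next boot. A comment above the tmpfiles entry should record that dependency, e.g. `# /usr/bin/toolbox has PT_INTERP and RPATH under /run/host; on the host this link must exist before it can run`. In src/go-build-wrapper the final `exit "$?"` now follows an `if` block whose status is always 0, so `exit 0` is what it actually does and reads more honestly.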
--- a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch +++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch @@ -1,4 +1,4 @@ -From 5ec9997c0f11bb9d1f7eee2e5014130cadc70c91 Mon Sep 17 00:00:00 2001 +From df2d42ec5aee27f9f92ce7825d020425c2dac885 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Mon, 29 Jun 2020 17:57:47 +0200 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} for @@ -24,17 +24,19 @@ and should be kept updated to match Fedora's Go guidelines. Use 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index 0d27120da052..03a32bc5af33 100755 +index 677dca94bd5a..e6e9caf1049e 100755 --- a/src/go-build-wrapper 
+++ b/src/go-build-wrapper -@@ -27,5 +27,6 @@ if ! cd "$1"; then +@@ -27,7 +27,8 @@ if ! cd "$1"; then exit 1 fi --go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" +-go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" +unset LDFLAGS -+go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" - exit "$?" ++go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" + + if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then + echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2 -- 2.31.1 diff --git a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch index c97e978..4aa1e11 100644 --- a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch +++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch @@ -1,4 +1,4 @@ -From 64c8066535dacbe37abc35485347c59df553bfbb Mon Sep 17 00:00:00 2001 +From 18cbc514c8b776c855a24cdcf8b326d592322d44 Mon Sep 17 00:00:00 2001 
From: Debarshi Ray Date: Mon, 29 Jun 2020 17:57:47 +0200 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} @@ -23,17 +23,19 @@ PPC64, and should be kept updated to match Fedora's Go guidelines. Use 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index 0d27120da052..4793d29a7021 100755 +index 677dca94bd5a..581d5c82cf2f 100755 --- a/src/go-build-wrapper +++ b/src/go-build-wrapper -@@ -27,5 +27,6 @@ if ! cd "$1"; then +@@ -27,7 +27,8 @@ if ! cd "$1"; then exit 1 fi --go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" +-go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" +unset LDFLAGS -+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" - exit "$?" ++go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" + + if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then + echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2 -- 2.31.1 
diff --git a/toolbox.spec b/toolbox.spec index 199dd29..4f09f60 100644 --- a/toolbox.spec +++ b/toolbox.spec @@ -1,10 +1,12 @@ +%global __brp_check_rpaths %{nil} + Name: toolbox Version: 0.0.99.2^3.git075b9a8d2779 %global goipath github.com/containers/%{name} %gometa -Release: 2%{?dist} +Release: 3%{?dist} Summary: Tool for containerized command line environments on Linux License: ASL 2.0 @@ -14,6 +16,9 @@ URL: https://github.com/containers/%{name} # Snapshot tarball Source0: %{name}-%{version}.tar.xz +# https://bugzilla.redhat.com/show_bug.cgi?id=1995439 +Patch0: toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch + # Fedora specific Patch100: toolbox-Don-t-use-Go-s-semantic-import-versioning.patch Patch101: toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch @@ -34,9 +39,11 @@ BuildRequires: golang(github.com/sirupsen/logrus) >= 1.4.2 BuildRequires: golang(github.com/spf13/cobra) >= 0.0.5 BuildRequires: golang(golang.org/x/sys/unix) BuildRequires: meson +BuildRequires: patchelf BuildRequires: pkgconfig(bash-completion) BuildRequires: systemd +Requires: containers-common Requires: flatpak-session-helper Requires: podman >= 1.4.0 @@ -136,6 +143,7 @@ The %{name}-tests package contains system tests for %{name}. %prep %setup -q +%patch0 -p1 %patch100 -p1 %ifnarch ppc64 @@ -185,6 +193,10 @@ ln -s src/pkg pkg %changelog +* Fri Oct 22 2021 Debarshi Ray - 0.0.99.2^3.git075b9a8d2779-3 +- Ensure that binaries are run against their build-time ABI +- Require containers-common for ownership of %%{_sysconfdir}/containers + * Wed Aug 25 2021 Oliver Gutiérrez - 0.0.99.2^3.git075b9a8d2779-2 - Rebuilt for gating check From 91f86961b46187aa2456d43f143bb64481676db4 Mon Sep 17 00:00:00 2001 
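Review bot: `%global __brp_check_rpaths %{nil}` switches off RPM's rpath check for every binary in the package rather than tolerating the one intentional `/run/host/usr/lib{,64}` rpath; that check exists precisely to catch library search paths that could be populated by someone other than the packager, so the narrower route is to keep it enabled and set `QA_RPATHS` in `%install` to the single class that is expected, or at minimum to put the reason above the `%global` (`# rpath under /run/host is deliberate: the binary must run against the host's glibc inside containers, see Patch0`). Because Patch0 also moves the binary's PT_INTERP under /run/host, the package needs `systemd-tmpfiles --create %{_tmpfilesdir}/%{name}.conf >/dev/null 2>&1 || :` in `%post` unless that already exists outside these hunks; without it toolbox is unusable on the host between install and the next boot.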
From: Debarshi Ray Date: Mon, 25 Oct 2021 13:33:41 +0200 Subject: [PATCH 3/8] Restore backwards compatibility with existing containers https://bugzilla.redhat.com/show_bug.cgi?id=1995439 --- ...are-run-against-their-build-time-ABI.patch | 279 +++++++++++++++++- toolbox.spec | 5 +- 2 files changed, 281 insertions(+), 3 deletions(-) diff --git a/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch index 9dda641..21892d0 100644 --- a/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch +++ b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch @@ -1,7 +1,7 @@ From 452dc797f7ef12235e4ede83735f5d554f54b012 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Thu, 21 Oct 2021 18:59:45 +0200 -Subject: [PATCH 1/2] tmpfiles.d: Style fix +Subject: [PATCH 1/5] tmpfiles.d: Style fix The subsequent commit will add an entry to create a /run/host symbolic link on the host that points to /, and it will require explicitly @@ -27,7 +27,7 @@ index f22b64a0f97c..bdffe7c09639 100644 From 6063eb27b98939942e316771224c5653a9b2e59b Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Thu, 21 Oct 2021 20:22:11 +0200 -Subject: [PATCH 2/2] build: Ensure that binaries are run against their +Subject: [PATCH 2/5] build: Ensure that binaries are run against their build-time ABI The /usr/bin/toolbox binary is not only used to interact with toolbox 
@@ -260,3 +260,278 @@ index f76606da3271..759db1f1e900 100644 -- 2.31.1 + +From c33075f3e1c0bad9883caa8d8f7c8ca3d947d2ea Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= +Date: Fri, 22 Oct 2021 15:21:41 +0300 +Subject: [PATCH 3/5] playbooks: Unify test setup for system & unit tests + +There is no significant benefit in keeping this configuration separated. +Now the to-be installed packages are tracked in a single place and the +test playbooks only call the relevant tests. + +This was pointed out by in 6063eb27b98939942e316771224c5653a9b2e59b + +https://github.com/containers/toolbox/pull/898 +--- + .zuul.yaml | 1 + + playbooks/setup-env.yaml | 18 ++++++++++++++++++ + playbooks/system-test.yaml | 24 +----------------------- + playbooks/unit-test.yaml | 21 --------------------- + 4 files changed, 20 insertions(+), 44 deletions(-) + +diff --git a/.zuul.yaml b/.zuul.yaml +index 1ec2f59738eb..1543b8a04b51 100644 +--- a/.zuul.yaml ++++ b/.zuul.yaml +@@ -7,6 +7,7 @@ + nodes: + - name: ci-node-33 + label: cloud-fedora-33-small ++ pre-run: playbooks/setup-env.yaml + run: playbooks/unit-test.yaml + + - job: +diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml +index 7ac9b46ee3ad..460ca9977a9e 100644 +--- a/playbooks/setup-env.yaml ++++ b/playbooks/setup-env.yaml +@@ -40,3 +40,21 @@ + + - name: Show podman debug information + command: podman info --debug ++ ++ - name: Set up build directory ++ command: meson builddir ++ args: ++ chdir: '{{ zuul.project.src_dir }}' ++ ++ - name: Build Toolbox ++ command: ninja -C builddir ++ args: ++ chdir: '{{ zuul.project.src_dir }}' ++ creates: builddir/src/toolbox ++ ++ - name: Install Toolbox ++ become: yes ++ command: ninja -C builddir install ++ args: ++ chdir: '{{ zuul.project.src_dir }}' ++ creates: /usr/local/bin/toolbox +diff --git a/playbooks/system-test.yaml b/playbooks/system-test.yaml +index c2eff3f0d77a..0249548acc5d 100644 +--- a/playbooks/system-test.yaml ++++ b/playbooks/system-test.yaml +@@ 
-1,32 +1,10 @@ + --- + - hosts: all +- +- vars: +- toolbox_bin: '/usr/local/bin/toolbox' +- + tasks: +- - name: Set up build directory +- command: meson builddir +- args: +- chdir: '{{ zuul.project.src_dir }}' +- +- - name: Build Toolbox +- command: ninja -C builddir +- args: +- chdir: '{{ zuul.project.src_dir }}' +- creates: builddir/src/toolbox +- +- - name: Install Toolbox +- become: yes +- command: ninja -C builddir install +- args: +- chdir: '{{ zuul.project.src_dir }}' +- creates: '{{ toolbox_bin }}' +- + - name: Run system tests + command: bats --timing ./test/system + environment: + PODMAN: '/usr/bin/podman' +- TOOLBOX: '{{ toolbox_bin }}' ++ TOOLBOX: '/usr/local/bin/toolbox' + args: + chdir: '{{ zuul.project.src_dir }}' +diff --git a/playbooks/unit-test.yaml b/playbooks/unit-test.yaml +index 9be98e7bd86a..2212521c5b9e 100644 +--- a/playbooks/unit-test.yaml ++++ b/playbooks/unit-test.yaml +@@ -1,27 +1,6 @@ + --- + - hosts: all + tasks: +- - name: Install requirements +- become: yes +- package: +- name: +- - golang +- - golang-github-cpuguy83-md2man +- - ninja-build +- - meson +- - ShellCheck +- +- - name: Set up build directory +- command: meson builddir +- args: +- chdir: '{{ zuul.project.src_dir }}' +- +- - name: Build Toolbox +- command: ninja -C builddir +- args: +- chdir: '{{ zuul.project.src_dir }}' +- creates: builddir/src/toolbox +- + - name: Test + command: ninja -C builddir test + args: +-- +2.31.1 + + +From 69ffc888ca9d481f9f208179949c179d12078501 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= +Date: Fri, 22 Oct 2021 15:25:20 +0300 +Subject: [PATCH 4/5] playbooks: Fix CI for #897 + +PR #897 made adjustmnets to the Toolbx binary that it requires presence +of /run/host in both the host filesystem and the filesystem in +a container. + +The presence of the directory is assured by systemd-tmpfiles by +running it before the binary is started for the first time. 
For the run +to be effective 'data/tmpfiles.d/toolbox.conf' has to be installed in +a location visible to systemd-tmpfiles. Therefore, the call to +'systemd-tmpfiles --create' had to be placed after the install step. + +https://github.com/containers/toolbox/pull/898 +--- + playbooks/setup-env.yaml | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml +index 460ca9977a9e..2f858bcf722c 100644 +--- a/playbooks/setup-env.yaml ++++ b/playbooks/setup-env.yaml +@@ -26,14 +26,8 @@ + args: + chdir: '{{ zuul.project.src_dir }}' + +- - name: Setup environment +- become: yes +- command: +- cmd: systemd-tmpfiles --create +- creates: /run/media +- + - name: Check versions of crucial packages +- command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper ++ command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper patchelf + + - name: Show podman versions + command: podman version +@@ -58,3 +52,10 @@ + args: + chdir: '{{ zuul.project.src_dir }}' + creates: /usr/local/bin/toolbox ++ ++ - name: Setup environment ++ become: yes ++ command: ++ cmd: systemd-tmpfiles --create ++ creates: /run/media ++ creates: /run/host +-- +2.31.1 + + +From 5429d5e099af96f7af1f9be58ba354fe332b59e9 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Mon, 25 Oct 2021 02:55:09 +0200 +Subject: [PATCH 5/5] build: Restore backwards compatibility with existing + containers + +The path of the dynamic linker (ie., PT_INTERP), as specified in an +architecture's ABI, often starts with /lib or /lib64, not /usr/lib or +/usr/lib64. eg., it's /lib/ld-linux-aarch64.so.1 for aarch64 and +/lib64/ld-linux-x86-64.so.2 for x86_64. 
+ +Unfortunately, until very recently [1], only the host's /usr was +present inside a toolbox container's /run/host, not /lib or /lib64. +Therefore, simply prepending /run/host to the /usr/bin/toolbox +binary's existing PT_INTERP entry wouldn't locate the host's dynamic +linker inside the toolbox container. This broke backwards compatibility +with every container out there, except the ones created with the +current development version in Git. + +To restore backwards compatibility, the /lib and /lib64 symbolic links +must be resolved to their respective locations inside /usr. + +The following caveats must be noted: + + * With glibc, even the basename of the path of the dynamic linker as + specified in an architecture's ABI, is a symbolic link to a file + named ld-.so. However, this file can't be used as + the PT_INTERP entry, because its name will change when glibc is + updated and the PT_INTERP entry will become invalid until the + /usr/bin/toolbox binary is rebuilt. + + * On Debian, a path like /lib64/ld-linux-x86-64.so.2 doesn't resolve + to something inside /usr/lib64. Instead it ends up inside + /usr/lib/x86_64-linux-gnu through a series of symbolic links: + - /lib64 -> usr/lib64 + - /usr/lib64/ld-linux-x86-64.so.2 + -> /lib/x86_64-linux-gnu/ld-2.28.so + - /lib -> usr/lib + + * It's assumed that a symbolic link with the basename specified in + the ABI lives in the same directory as the actual dynamic linker + binary named ld-.so. + +Fallout from 6063eb27b98939942e316771224c5653a9b2e59b + +[1] Commit d03a5fee80f2f72d + https://github.com/containers/toolbox/pull/827 + +https://github.com/containers/toolbox/issues/821 +--- + src/go-build-wrapper | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/src/go-build-wrapper b/src/go-build-wrapper +index 677dca94bd5a..24eac674c9ac 100755 +--- a/src/go-build-wrapper ++++ b/src/go-build-wrapper +@@ -34,8 +34,25 @@ if ! 
interpreter=$(patchelf --print-interpreter "$2/toolbox"); then + exit 1 + fi + +-if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then +- echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2 ++if ! interpreter_canonical=$(readlink --canonicalize "$interpreter"); then ++ echo "go-build-wrapper: failed to canonicalize PT_INTERP" >&2 ++ exit 1 ++fi ++ ++if ! interpreter_basename=$(basename "$interpreter"); then ++ echo "go-build-wrapper: failed to read the basename of PT_INTERP" >&2 ++ exit 1 ++fi ++ ++if ! interpreter_canonical_dirname=$(dirname "$interpreter_canonical"); then ++ echo "go-build-wrapper: failed to read the dirname of the canonicalized PT_INTERP" >&2 ++ exit 1 ++fi ++ ++interpreter="/run/host$interpreter_canonical_dirname/$interpreter_basename" ++ ++if ! patchelf --set-interpreter "$interpreter" "$2/toolbox"; then ++ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to $interpreter" >&2 + exit 1 + fi + +-- +2.31.1 + diff --git a/toolbox.spec b/toolbox.spec index 4f09f60..fd5f452 100644 --- a/toolbox.spec +++ b/toolbox.spec @@ -6,7 +6,7 @@ Version: 0.0.99.2^3.git075b9a8d2779 %global goipath github.com/containers/%{name} %gometa -Release: 3%{?dist} +Release: 4%{?dist} Summary: Tool for containerized command line environments on Linux License: ASL 2.0 @@ -193,6 +193,9 @@ ln -s src/pkg pkg %changelog +* Mon Oct 25 2021 Debarshi Ray - 0.0.99.2^3.git075b9a8d2779-4 +- Restore backwards compatibility with existing containers + * Fri Oct 22 2021 Debarshi Ray - 0.0.99.2^3.git075b9a8d2779-3 - Ensure that binaries are run against their build-time ABI - Require containers-common for ownership of %%{_sysconfdir}/containers From f78a22ea5903d38f646b5fb074778c1c433124fd Mon Sep 17 00:00:00 2001 
From: Debarshi Ray Date: Fri, 10 Dec 2021 04:46:24 +0100 Subject: [PATCH 4/8] Update to 0.0.99.3 ... and update the URL to point to the website. --- .gitignore | 1 + sources | 2 +- ...are-run-against-their-build-time-ABI.patch | 537 ------------------ ...ags-match-Fedora-s-gobuild-for-PPC64.patch | 41 +- ...e-build-flags-match-Fedora-s-gobuild.patch | 42 +- toolbox.spec | 23 +- 6 files changed, 75 insertions(+), 571 deletions(-) delete mode 100644 toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch diff --git a/.gitignore b/.gitignore index 03742d2..66d6df6 100644 --- a/.gitignore +++ b/.gitignore @@ -27,3 +27,4 @@ /toolbox-0.0.99.2^1.git9820550c82bb.tar.xz /toolbox-0.0.99.2^2.git40fbd377ed0b.tar.xz /toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz +/toolbox-0.0.99.3.tar.xz diff --git a/sources b/sources index 529eaaf..64d6d65 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz) = e9ebb306fa3fe72dede4d08e1428dbfde12fe44274b4ea7cd356cba28a90daff728c4182f13e20f8a05603aeefb4cf484611805dac2776ab38c37764e6069c5d +SHA512 (toolbox-0.0.99.3.tar.xz) = d9e4bd1cc7667b6ecdcf25a2c3ad7d7d67cc997168a41e668c936d2de24db774331a78a1b4a06b63e7cef8e0dc4ac5651591b6d9cec0d8e81be2b2dd64854dca diff --git a/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch deleted file mode 100644 index 21892d0..0000000 --- a/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch +++ /dev/null 
@@ -1,537 +0,0 @@ -From 452dc797f7ef12235e4ede83735f5d554f54b012 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Thu, 21 Oct 2021 18:59:45 +0200 -Subject: [PATCH 1/5] tmpfiles.d: Style fix - -The subsequent commit will add an entry to create a /run/host symbolic -link on the host that points to /, and it will require explicitly -skipping some of the columns. Doing the same for the existing entry -will make the file more readable. - -https://github.com/containers/toolbox/issues/821 ---- - data/tmpfiles.d/toolbox.conf | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf -index f22b64a0f97c..bdffe7c09639 100644 ---- a/data/tmpfiles.d/toolbox.conf -+++ b/data/tmpfiles.d/toolbox.conf -@@ -1 +1 @@ --d /run/media 0755 root root -+d /run/media 0755 root root - - --- -2.31.1 - - -From 6063eb27b98939942e316771224c5653a9b2e59b Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Thu, 21 Oct 2021 20:22:11 +0200 -Subject: [PATCH 2/5] build: Ensure that binaries are run against their - build-time ABI - -The /usr/bin/toolbox binary is not only used to interact with toolbox -containers and images from the host. It's also used as the entry point -of the containers by bind mounting the binary from the host into the -container. This means that the /usr/bin/toolbox binary on the host must -also work inside the container, even if they have different operating -systems. - -In the past, this worked perfectly well with the POSIX shell -implementation because it got intepreted by whichever /bin/sh was -available. However, the Go implementation, can run into ABI -compatibility issues because binaries built on newer toolchains aren't -meant to be run against older runtimes. - -The previous approach [1] of restricting the versions of the glibc -symbols that are linked against isn't actually supported by glibc, and -breaks if the early process start-up code changes. 
This is seen in -glibc-2.34, which is used by Fedora 35 onwards, where a new version of -the __libc_start_main symbol [2] was added as part of some security -hardening: - $ objdump -T ./usr/bin/toolbox | grep GLIBC_2.34 - 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 - __libc_start_main - 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 - pthread_detach - 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 - pthread_create - 0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34 - pthread_attr_getstacksize - -This means that /usr/bin/toolbox binaries built against glibc-2.34 on -newer Fedoras fail to run against older glibcs in older Fedoras. - -Another option is to make the host's runtime available inside the -toolbox container and ensure that the binary always runs against it. - -Luckily, almost all supported containers have the host's /usr available -at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to -/run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing -the path of the dynamic linker (ie., PT_INTERP) to the one inside -/run/host. - -Unfortunately, there can only be one PT_INTERP entry inside the -binary, so there must be a /run/host on the host too. Therefore, a -/run/host symbolic link is created on the host that points to the -host's /. - -Based on ideas from Alexander Larsson and Ray Strode. 
- -[1] Commit 6ad9c631806961f3 - https://github.com/containers/toolbox/pull/534 - -[2] glibc commit 035c012e32c11e84 - https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84 - https://sourceware.org/bugzilla/show_bug.cgi?id=23323 - -https://github.com/containers/toolbox/issues/821 ---- - data/tmpfiles.d/toolbox.conf | 1 + - meson.build | 8 ++---- - playbooks/setup-env.yaml | 1 + - src/go-build-wrapper | 17 ++++++++++--- - src/libc-wrappers/libc-wrappers.c | 42 ------------------------------- - src/libc-wrappers/meson.build | 8 ------ - src/meson.build | 4 --- - 7 files changed, 18 insertions(+), 63 deletions(-) - delete mode 100644 src/libc-wrappers/libc-wrappers.c - delete mode 100644 src/libc-wrappers/meson.build - -diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf -index bdffe7c09639..0ddb1f08830d 100644 ---- a/data/tmpfiles.d/toolbox.conf -+++ b/data/tmpfiles.d/toolbox.conf -@@ -1 +1,2 @@ - d /run/media 0755 root root - - -+L /run/host - - - - ../ -diff --git a/meson.build b/meson.build -index b580c10fe7d8..ae228ee287d5 100644 ---- a/meson.build -+++ b/meson.build -@@ -1,17 +1,13 @@ - project( - 'toolbox', -- 'c', - version: '0.0.99.2', - license: 'ASL 2.0', -- meson_version: '>= 0.42.0', -+ meson_version: '>= 0.53.0', - ) - --cc = meson.get_compiler('c') --add_project_arguments('-pthread', language: 'c') --add_project_link_arguments('-pthread', language: 'c') -- - go = find_program('go') - go_md2man = find_program('go-md2man') -+patchelf = find_program('patchelf') - shellcheck = find_program('shellcheck', required: false) - skopeo = find_program('skopeo', required: false) - -diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml -index 5644f1ab01b4..7ac9b46ee3ad 100644 ---- a/playbooks/setup-env.yaml -+++ b/playbooks/setup-env.yaml -@@ -13,6 +13,7 @@ - - golang-github-cpuguy83-md2man - - meson - - ninja-build -+ - patchelf - - podman - - skopeo - - systemd -diff --git a/src/go-build-wrapper b/src/go-build-wrapper 
-index 0d27120da052..677dca94bd5a 100755 ---- a/src/go-build-wrapper -+++ b/src/go-build-wrapper -@@ -16,9 +16,9 @@ - # - - --if [ "$#" -ne 4 ]; then -+if [ "$#" -ne 3 ]; then - echo "go-build-wrapper: wrong arguments" >&2 -- echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION] [libc-wrappers.a]" >&2 -+ echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION]" >&2 - exit 1 - fi - -@@ -27,5 +27,16 @@ if ! cd "$1"; then - exit 1 - fi - --go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" -+go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" -+ -+if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then -+ echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2 -+ exit 1 -+fi -+ -+if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then -+ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2 -+ exit 1 -+fi -+ - exit "$?" -diff --git a/src/libc-wrappers/libc-wrappers.c b/src/libc-wrappers/libc-wrappers.c -deleted file mode 100644 -index 7b402bc2fe78..000000000000 ---- a/src/libc-wrappers/libc-wrappers.c -+++ /dev/null -@@ -1,42 +0,0 @@ --/* -- * Copyright © 2020 – 2021 Red Hat Inc. -- * -- * Licensed under the Apache License, Version 2.0 (the "License"); -- * you may not use this file except in compliance with the License. -- * You may obtain a copy of the License at -- * -- * http://www.apache.org/licenses/LICENSE-2.0 -- * -- * Unless required by applicable law or agreed to in writing, software -- * distributed under the License is distributed on an "AS IS" BASIS, -- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
-- * See the License for the specific language governing permissions and -- * limitations under the License. -- */ -- -- --#include -- -- --#if defined __aarch64__ --__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17"); --#elif defined __arm__ --__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.4"); --#elif defined __i386__ --__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.0"); --#elif defined __powerpc64__ && _CALL_ELF == 2 /* ppc64le */ --__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17"); --#elif defined __s390x__ --__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2"); --#elif defined __x86_64__ --__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2.5"); --#else --#error "Please specify symbol version for pthread_sigmask" --#endif -- -- --int --__wrap_pthread_sigmask (int how, const sigset_t *set, sigset_t *oldset) --{ -- return pthread_sigmask (how, set, oldset); --} -diff --git a/src/libc-wrappers/meson.build b/src/libc-wrappers/meson.build -deleted file mode 100644 -index 3984ce449c57..000000000000 ---- a/src/libc-wrappers/meson.build -+++ /dev/null -@@ -1,8 +0,0 @@ --sources = files( -- 'libc-wrappers.c', --) -- --libc_wrappers = static_library( -- 'c-wrappers', -- sources, --) -diff --git a/src/meson.build b/src/meson.build -index f76606da3271..759db1f1e900 100644 ---- a/src/meson.build -+++ b/src/meson.build -@@ -1,5 +1,3 @@ --subdir('libc-wrappers') -- - go_build_wrapper_file = files('go-build-wrapper') - go_build_wrapper_program = find_program('go-build-wrapper') - -@@ -28,9 +26,7 @@ custom_target( - meson.current_source_dir(), - meson.current_build_dir(), - meson.project_version(), -- libc_wrappers.full_path(), - ], -- depends: libc_wrappers, - input: sources, - install: true, - install_dir: get_option('bindir'), --- -2.31.1 - - -From c33075f3e1c0bad9883caa8d8f7c8ca3d947d2ea Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= -Date: Fri, 22 Oct 2021 15:21:41 +0300 -Subject: [PATCH 3/5] 
playbooks: Unify test setup for system & unit tests - -There is no significant benefit in keeping this configuration separated. -Now the to-be installed packages are tracked in a single place and the -test playbooks only call the relevant tests. - -This was pointed out by in 6063eb27b98939942e316771224c5653a9b2e59b - -https://github.com/containers/toolbox/pull/898 ---- - .zuul.yaml | 1 + - playbooks/setup-env.yaml | 18 ++++++++++++++++++ - playbooks/system-test.yaml | 24 +----------------------- - playbooks/unit-test.yaml | 21 --------------------- - 4 files changed, 20 insertions(+), 44 deletions(-) - -diff --git a/.zuul.yaml b/.zuul.yaml -index 1ec2f59738eb..1543b8a04b51 100644 ---- a/.zuul.yaml -+++ b/.zuul.yaml -@@ -7,6 +7,7 @@ - nodes: - - name: ci-node-33 - label: cloud-fedora-33-small -+ pre-run: playbooks/setup-env.yaml - run: playbooks/unit-test.yaml - - - job: -diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml -index 7ac9b46ee3ad..460ca9977a9e 100644 ---- a/playbooks/setup-env.yaml -+++ b/playbooks/setup-env.yaml -@@ -40,3 +40,21 @@ - - - name: Show podman debug information - command: podman info --debug -+ -+ - name: Set up build directory -+ command: meson builddir -+ args: -+ chdir: '{{ zuul.project.src_dir }}' -+ -+ - name: Build Toolbox -+ command: ninja -C builddir -+ args: -+ chdir: '{{ zuul.project.src_dir }}' -+ creates: builddir/src/toolbox -+ -+ - name: Install Toolbox -+ become: yes -+ command: ninja -C builddir install -+ args: -+ chdir: '{{ zuul.project.src_dir }}' -+ creates: /usr/local/bin/toolbox -diff --git a/playbooks/system-test.yaml b/playbooks/system-test.yaml -index c2eff3f0d77a..0249548acc5d 100644 ---- a/playbooks/system-test.yaml -+++ b/playbooks/system-test.yaml -@@ -1,32 +1,10 @@ - --- - - hosts: all -- -- vars: -- toolbox_bin: '/usr/local/bin/toolbox' -- - tasks: -- - name: Set up build directory -- command: meson builddir -- args: -- chdir: '{{ zuul.project.src_dir }}' -- -- - name: Build Toolbox -- command: 
ninja -C builddir -- args: -- chdir: '{{ zuul.project.src_dir }}' -- creates: builddir/src/toolbox -- -- - name: Install Toolbox -- become: yes -- command: ninja -C builddir install -- args: -- chdir: '{{ zuul.project.src_dir }}' -- creates: '{{ toolbox_bin }}' -- - - name: Run system tests - command: bats --timing ./test/system - environment: - PODMAN: '/usr/bin/podman' -- TOOLBOX: '{{ toolbox_bin }}' -+ TOOLBOX: '/usr/local/bin/toolbox' - args: - chdir: '{{ zuul.project.src_dir }}' -diff --git a/playbooks/unit-test.yaml b/playbooks/unit-test.yaml -index 9be98e7bd86a..2212521c5b9e 100644 ---- a/playbooks/unit-test.yaml -+++ b/playbooks/unit-test.yaml -@@ -1,27 +1,6 @@ - --- - - hosts: all - tasks: -- - name: Install requirements -- become: yes -- package: -- name: -- - golang -- - golang-github-cpuguy83-md2man -- - ninja-build -- - meson -- - ShellCheck -- -- - name: Set up build directory -- command: meson builddir -- args: -- chdir: '{{ zuul.project.src_dir }}' -- -- - name: Build Toolbox -- command: ninja -C builddir -- args: -- chdir: '{{ zuul.project.src_dir }}' -- creates: builddir/src/toolbox -- - - name: Test - command: ninja -C builddir test - args: --- -2.31.1 - - -From 69ffc888ca9d481f9f208179949c179d12078501 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= -Date: Fri, 22 Oct 2021 15:25:20 +0300 -Subject: [PATCH 4/5] playbooks: Fix CI for #897 - -PR #897 made adjustmnets to the Toolbx binary that it requires presence -of /run/host in both the host filesystem and the filesystem in -a container. - -The presence of the directory is assured by systemd-tmpfiles by -running it before the binary is started for the first time. For the run -to be effective 'data/tmpfiles.d/toolbox.conf' has to be installed in -a location visible to systemd-tmpfiles. Therefore, the call to -'systemd-tmpfiles --create' had to be placed after the install step. 
- -https://github.com/containers/toolbox/pull/898 ---- - playbooks/setup-env.yaml | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml -index 460ca9977a9e..2f858bcf722c 100644 ---- a/playbooks/setup-env.yaml -+++ b/playbooks/setup-env.yaml -@@ -26,14 +26,8 @@ - args: - chdir: '{{ zuul.project.src_dir }}' - -- - name: Setup environment -- become: yes -- command: -- cmd: systemd-tmpfiles --create -- creates: /run/media -- - - name: Check versions of crucial packages -- command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper -+ command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper patchelf - - - name: Show podman versions - command: podman version -@@ -58,3 +52,10 @@ - args: - chdir: '{{ zuul.project.src_dir }}' - creates: /usr/local/bin/toolbox -+ -+ - name: Setup environment -+ become: yes -+ command: -+ cmd: systemd-tmpfiles --create -+ creates: /run/media -+ creates: /run/host --- -2.31.1 - - -From 5429d5e099af96f7af1f9be58ba354fe332b59e9 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Mon, 25 Oct 2021 02:55:09 +0200 -Subject: [PATCH 5/5] build: Restore backwards compatibility with existing - containers - -The path of the dynamic linker (ie., PT_INTERP), as specified in an -architecture's ABI, often starts with /lib or /lib64, not /usr/lib or -/usr/lib64. eg., it's /lib/ld-linux-aarch64.so.1 for aarch64 and -/lib64/ld-linux-x86-64.so.2 for x86_64. - -Unfortunately, until very recently [1], only the host's /usr was -present inside a toolbox container's /run/host, not /lib or /lib64. -Therefore, simply prepending /run/host to the /usr/bin/toolbox -binary's existing PT_INTERP entry wouldn't locate the host's dynamic -linker inside the toolbox container. 
This broke backwards compatibility -with every container out there, except the ones created with the -current development version in Git. - -To restore backwards compatibility, the /lib and /lib64 symbolic links -must be resolved to their respective locations inside /usr. - -The following caveats must be noted: - - * With glibc, even the basename of the path of the dynamic linker as - specified in an architecture's ABI, is a symbolic link to a file - named ld-.so. However, this file can't be used as - the PT_INTERP entry, because its name will change when glibc is - updated and the PT_INTERP entry will become invalid until the - /usr/bin/toolbox binary is rebuilt. - - * On Debian, a path like /lib64/ld-linux-x86-64.so.2 doesn't resolve - to something inside /usr/lib64. Instead it ends up inside - /usr/lib/x86_64-linux-gnu through a series of symbolic links: - - /lib64 -> usr/lib64 - - /usr/lib64/ld-linux-x86-64.so.2 - -> /lib/x86_64-linux-gnu/ld-2.28.so - - /lib -> usr/lib - - * It's assumed that a symbolic link with the basename specified in - the ABI lives in the same directory as the actual dynamic linker - binary named ld-.so. - -Fallout from 6063eb27b98939942e316771224c5653a9b2e59b - -[1] Commit d03a5fee80f2f72d - https://github.com/containers/toolbox/pull/827 - -https://github.com/containers/toolbox/issues/821 ---- - src/go-build-wrapper | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index 677dca94bd5a..24eac674c9ac 100755 ---- a/src/go-build-wrapper -+++ b/src/go-build-wrapper -@@ -34,8 +34,25 @@ if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then - exit 1 - fi - --if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then -- echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2 -+if ! 
interpreter_canonical=$(readlink --canonicalize "$interpreter"); then -+ echo "go-build-wrapper: failed to canonicalize PT_INTERP" >&2 -+ exit 1 -+fi -+ -+if ! interpreter_basename=$(basename "$interpreter"); then -+ echo "go-build-wrapper: failed to read the basename of PT_INTERP" >&2 -+ exit 1 -+fi -+ -+if ! interpreter_canonical_dirname=$(dirname "$interpreter_canonical"); then -+ echo "go-build-wrapper: failed to read the dirname of the canonicalized PT_INTERP" >&2 -+ exit 1 -+fi -+ -+interpreter="/run/host$interpreter_canonical_dirname/$interpreter_basename" -+ -+if ! patchelf --set-interpreter "$interpreter" "$2/toolbox"; then -+ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to $interpreter" >&2 - exit 1 - fi - --- -2.31.1 - diff --git a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch index d464eea..a1d92a5 100644 --- a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch +++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch @@ -1,4 +1,4 @@ -From df2d42ec5aee27f9f92ce7825d020425c2dac885 Mon Sep 17 00:00:00 2001 +From 32aa30a17358598f568991a5375f6182e4135648 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Mon, 29 Jun 2020 17:57:47 +0200 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} for @@ -20,23 +20,44 @@ Note that these flags are only meant for the "ppc64" CPU architecture, and should be kept updated to match Fedora's Go guidelines. Use 'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro. --- - src/go-build-wrapper | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) + src/go-build-wrapper | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index 677dca94bd5a..e6e9caf1049e 100755 +index ef4aafc8b024..f8ea8370792c 100755 --- a/src/go-build-wrapper 
+++ b/src/go-build-wrapper -@@ -27,7 +27,8 @@ if ! cd "$1"; then +@@ -32,9 +32,9 @@ if ! cd "$1"; then exit 1 fi --go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" -+unset LDFLAGS -+go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" +-tags="" ++tags="-tags rpm_crashtraceback,${BUILDTAGS:-}" + if $6; then +- tags="-tags migration_path_for_coreos_toolbox" ++ tags="$tags,migration_path_for_coreos_toolbox" + fi - if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then - echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2 + if ! libc_dir=$("$4" --print-file-name=libc.so); then +@@ -69,11 +69,16 @@ fi + + dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename" + ++unset LDFLAGS ++ + # shellcheck disable=SC2086 + go build \ ++ -compiler gc \ + $tags \ +- -trimpath \ +- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \ ++ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \ ++ -a \ ++ -v \ ++ -x \ + -o "$2/toolbox" + + exit "$?" -- 2.31.1 
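Review bot: In the new `-ldflags` line, `${LDFLAGS:-}` is expanded immediately after the added `unset LDFLAGS`, so the expansion is always empty and is dead text; if the unset is intentional (presumably to keep the rpm build environment's LDFLAGS, which are not Go linker flags, away from `go tool link`), drop the expansion, e.g. `-ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '…' …"`, and say so in a comment such as `# LDFLAGS from the build environment are C linker flags; discard them rather than pass them to the Go linker`. The same `unset LDFLAGS` / `${LDFLAGS:-}` pair appears in the sibling hunk for toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch in this commit. Separately, `-B 0x$(head -c20 /dev/urandom …)` gives every build a random GNU build-id, so two builds of the same source are not byte-identical; that mirrors the %{gobuild} macro the patch description says it tracks, but a one-line comment noting the reproducibility trade-off would stop it being read as a bug later. The hunk shows only part of the go-build-wrapper script; the `go build` invocation is complete within it, but the surrounding script is not.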
diff --git a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch index 4aa1e11..2e4cbfd 100644 --- a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch +++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch @@ -1,4 +1,4 @@ -From 18cbc514c8b776c855a24cdcf8b326d592322d44 Mon Sep 17 00:00:00 2001 +From 6d913f1fbd6e609957bb01273504b2f479e1b546 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Mon, 29 Jun 2020 17:57:47 +0200 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} @@ -19,23 +19,45 @@ Note that these flags are meant for every CPU architecture other than PPC64, and should be kept updated to match Fedora's Go guidelines. Use 'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro. --- - src/go-build-wrapper | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) + src/go-build-wrapper | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index 677dca94bd5a..581d5c82cf2f 100755 +index ef4aafc8b024..4354beceb215 100755 --- a/src/go-build-wrapper 
+++ b/src/go-build-wrapper -@@ -27,7 +27,8 @@ if ! cd "$1"; then +@@ -32,9 +32,9 @@ if ! cd "$1"; then exit 1 fi --go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox" -+unset LDFLAGS -+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox" +-tags="" ++tags="-tags rpm_crashtraceback,${BUILDTAGS:-}" + if $6; then +- tags="-tags migration_path_for_coreos_toolbox" ++ tags="$tags,migration_path_for_coreos_toolbox" + fi - if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then - echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2 + if ! 
libc_dir=$("$4" --print-file-name=libc.so); then +@@ -69,11 +69,17 @@ fi + + dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename" + ++unset LDFLAGS ++ + # shellcheck disable=SC2086 + go build \ ++ -buildmode pie \ ++ -compiler gc \ + $tags \ +- -trimpath \ +- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \ ++ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \ ++ -a \ ++ -v \ ++ -x \ + -o "$2/toolbox" + + exit "$?" -- 2.31.1 diff --git a/toolbox.spec b/toolbox.spec index fd5f452..008308e 100644 --- a/toolbox.spec +++ b/toolbox.spec @@ -1,23 +1,18 @@ %global __brp_check_rpaths %{nil} Name: toolbox -Version: 0.0.99.2^3.git075b9a8d2779 +Version: 0.0.99.3 %global goipath github.com/containers/%{name} %gometa -Release: 4%{?dist} +Release: 1%{?dist} Summary: Tool for containerized command line environments on Linux License: ASL 2.0 -URL: https://github.com/containers/%{name} +URL: https://containertoolbx.org/ -# https://github.com/containers/%%{name}/releases/download/%%{version}/%%{name}-%%{version}.tar.xz -# Snapshot tarball -Source0: %{name}-%{version}.tar.xz - -# https://bugzilla.redhat.com/show_bug.cgi?id=1995439 -Patch0: toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch +Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz # Fedora specific Patch100: toolbox-Don-t-use-Go-s-semantic-import-versioning.patch 
@@ -38,8 +33,7 @@ BuildRequires: golang(github.com/sirupsen/logrus) >= 1.4.2 # BuildRequires: golang(github.com/stretchr/testify) >= 1.7.0 BuildRequires: golang(github.com/spf13/cobra) >= 0.0.5 BuildRequires: golang(golang.org/x/sys/unix) -BuildRequires: meson -BuildRequires: patchelf +BuildRequires: meson >= 0.58.0 BuildRequires: pkgconfig(bash-completion) BuildRequires: systemd @@ -61,6 +55,7 @@ Summary: Required packages for the container image to support %{name} # These are really required to make the image work with toolbox Requires: passwd Requires: shadow-utils +Requires: util-linux Requires: vte-profile %description support @@ -97,7 +92,6 @@ Requires: less Requires: lsof Requires: man-db Requires: man-pages -Requires: mlocate Requires: mtr Requires: nano-default-editor Requires: nss-mdns @@ -143,7 +137,6 @@ The %{name}-tests package contains system tests for %{name}. %prep %setup -q -%patch0 -p1 %patch100 -p1 %ifnarch ppc64 @@ -193,6 +186,10 @@ ln -s src/pkg pkg %changelog +* Fri Dec 10 2021 Debarshi Ray - 0.0.99.3-1 +- Update to 0.0.99.3 +- Update the URL to point to the website + * Mon Oct 25 2021 Debarshi Ray - 0.0.99.2^3.git075b9a8d2779-4 - Restore backwards compatibility with existing containers From 4290933472158b4a70ce950479307cb721df08f5 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Fri, 10 Dec 2021 10:04:59 +0100 Subject: [PATCH 5/8] Style fix No need to issue a build just for this. --- toolbox.spec | 1 - 1 file changed, 1 deletion(-) diff --git a/toolbox.spec b/toolbox.spec index 008308e..d95edeb 100644 --- a/toolbox.spec +++ b/toolbox.spec @@ -11,7 +11,6 @@ Summary: Tool for containerized command line environments on Linux License: ASL 2.0 URL: https://containertoolbx.org/ - Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz # Fedora specific From e8690b9a2b5d0c147dea7115dceeec4d4cd21f33 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= Date: Sun, 9 Jan 2022 20:36:32 +0200 Subject: [PATCH 6/8] Add upstream patch fixing doubled error messages --- ...ound-Cobra-1.1.2-s-handling-of-usage.patch | 95 +++++++++++++++++++ toolbox.spec | 8 +- 2 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch diff --git a/toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch b/toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch new file mode 100644 index 0000000..a618021 --- /dev/null +++ b/toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch 
@@ -0,0 +1,95 @@
+From e598e2160323b63310ad7b6def723eb1f8767f90 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?=
+Date: Thu, 11 Nov 2021 18:18:52 +0200
+Subject: [PATCH 02/13] cmd/root: Work around Cobra 1.1.2's handling of usage
+ functions
+
+In version 1.1.2 of Cobra has been included a change[0] that changes
+how custom usage functions are handled.
+
+Example of the wrong behaviour:
+$ toolbox --foo
+Error: unknown flag: --foo
+Run 'toolbox --help' for usage.Error: Run 'toolbox --help' for usage.
+
+Desired behaviour:
+$ toolbox --foo
+Error: unknown flag: --foo
+Run 'toolbox --help' for usage.
+
+A workaround is to define a template string for the usage instead. The
+template uses the templating language of Go[1]. See the default
+template string in version 1.2.1[2].
+
+Because the template is set only once, the executableBase needs to be
+set before the template is applied. That required the move of
+setUpGlobals() into init() of the cmd package. This is a better place
+for the function call as init() is called earlier than Execute()[3].
+
+Upstream issue: https://github.com/spf13/cobra/issues/1532
+
+[0] https://github.com/spf13/cobra/pull/1044
+[1] https://pkg.go.dev/text/template
+[2] https://github.com/spf13/cobra/blob/v1.2.1/command.go#L491
+[3] https://golang.org/doc/effective_go#init
+
+https://github.com/containers/toolbox/pull/917
+---
+ src/cmd/root.go | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/src/cmd/root.go b/src/cmd/root.go
+index eb0622f..ad0753b 100644
+--- a/src/cmd/root.go
++++ b/src/cmd/root.go
+@@ -62,11 +62,6 @@ var (
+ )
+
+ func Execute() {
+- if err := setUpGlobals(); err != nil {
+- fmt.Fprintf(os.Stderr, "Error: %s\n", err)
+- os.Exit(1)
+- }
+-
+ if err := rootCmd.Execute(); err != nil {
+ os.Exit(1)
+ }
+@@ -75,6 +70,11 @@ func Execute() {
+ }
+
+ func init() {
++ if err := setUpGlobals(); err != nil {
++ fmt.Fprintf(os.Stderr, "Error: %s\n", err)
++ os.Exit(1)
++ }
++
+ persistentFlags := rootCmd.PersistentFlags()
+
+ persistentFlags.BoolVarP(&rootFlags.assumeYes,
+@@ -96,7 +96,9 @@ func init() {
+ persistentFlags.CountVarP(&rootFlags.verbose, "verbose", "v", "Set log-level to 'debug'")
+
+ rootCmd.SetHelpFunc(rootHelp)
+- rootCmd.SetUsageFunc(rootUsage)
++
++ usageTemplate := fmt.Sprintf("Run '%s --help' for usage.", executableBase)
++ rootCmd.SetUsageTemplate(usageTemplate)
+ }
+
+ func preRun(cmd *cobra.Command, args []string) error {
+@@ -188,12 +190,6 @@ func rootRun(cmd *cobra.Command, args []string) error {
+ return rootRunImpl(cmd, args)
+ }
+
+-func rootUsage(cmd *cobra.Command) error {
+- err := fmt.Errorf("Run '%s --help' for usage.", executableBase)
+- fmt.Fprintf(os.Stderr, "%s", err)
+- return err
+-}
+-
+ func migrate() error {
+ logrus.Debug("Migrating to newer Podman")
+
+--
+2.34.1
+
diff --git a/toolbox.spec b/toolbox.spec
index d95edeb..be92972 100644
--- a/toolbox.spec
+++ b/toolbox.spec
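Review bot: Moving setUpGlobals() into init() makes the cmd package call os.Exit(1) from package initialization (the `++ if err := setUpGlobals(); err != nil {` … `++ os.Exit(1)` lines of the second nested hunk), so any failure now terminates the process before main() and flag parsing ever run, and it fires for every importer of the package, including its own tests. The commit's stated reason is only that executableBase must be known before the usage template is installed, which is equally true inside Execute() after setUpGlobals() succeeds, so the old Execute() check could stay and the template be set there with `rootCmd.SetUsageTemplate(fmt.Sprintf("Run '%s --help' for usage.", executableBase))`, keeping init() free of exits. Separately, executableBase is interpolated verbatim into a text/template source on the `usageTemplate` line; if it is derived from the process name (not visible here) and can ever contain template delimiters, usage rendering would presumably fail at template parsing rather than degrade, so a comment recording that assumption there would help. The nested hunks are excerpts of root.go, so Execute() and init() both continue outside what is shown.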
@@ -6,7 +6,7 @@ Version: 0.0.99.3
 %global goipath github.com/containers/%{name}
 %gometa
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Tool for containerized command line environments on Linux
 License: ASL 2.0
@@ -17,6 +17,7 @@ Source0: https://github.com/containers/%{name}/releases/download/%{version
 Patch100: toolbox-Don-t-use-Go-s-semantic-import-versioning.patch
 Patch101: toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch
 Patch102: toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
+Patch103: toolbox-cmd-root-Work-around-Cobra-1.1.2-s-handling-of-usage.patch
 BuildRequires: ShellCheck
 BuildRequires: golang >= 1.13
@@ -144,6 +145,8 @@ The %{name}-tests package contains system tests for %{name}.
 %patch102 -p1
 %endif
+%patch103 -p1
+
 %gomkdir
@@ -185,6 +188,9 @@ ln -s src/pkg pkg
 %changelog
+* Sun Jan 09 2022 Ondřej Míchal - 0.0.99.3-2
+- Add upstream patch fixing doubled error messages
+
+* Fri Dec 10 2021 Debarshi Ray - 0.0.99.3-1
+- Update to 0.0.99.3
+- Update the URL to point to the website
From efde7c55868356ea5ab1e2b11d93a22eea397417 Mon Sep 17 00:00:00 2001
From: Maxwell G
Date: Fri, 8 Jul 2022 19:25:19 -0500
Subject: [PATCH 7/8] Rebuild for CVE-2022-{24675,28327,29526} in golang
---
 toolbox.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/toolbox.spec b/toolbox.spec
index be92972..79270f5 100644
--- a/toolbox.spec
+++ b/toolbox.spec
@@ -6,7 +6,7 @@ Version: 0.0.99.3
 %global goipath github.com/containers/%{name}
 %gometa
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Tool for containerized command line environments on Linux
 License: ASL 2.0
@@ -188,6 +188,9 @@ ln -s src/pkg pkg
 %changelog
+* Sat Jul 09 2022 Maxwell G - 0.0.99.3-3
+- Rebuild for CVE-2022-{24675,28327,29526} in golang
+
+* Sun Jan 09 2022 Ondřej Míchal - 0.0.99.3-2
+- Add upstream patch fixing doubled error messages
From 045cdef923f5c9eafd3e5bff7f13f89f9dff765d Mon Sep 17 00:00:00 2001
From: Maxwell G
Date: Sat, 9 Jul 2022 17:07:44 -0500
Subject: [PATCH 8/8] Rebuild for CVE-2022-{24675,28327,29526 in golang}
---
 toolbox.spec | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/toolbox.spec b/toolbox.spec
index 79270f5..849f26a 100644
--- a/toolbox.spec
+++ b/toolbox.spec
@@ -6,7 +6,7 @@ Version: 0.0.99.3
 %global goipath github.com/containers/%{name}
 %gometa
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Tool for containerized command line environments on Linux
 License: ASL 2.0
@@ -188,6 +188,9 @@ ln -s src/pkg pkg
 %changelog
+* Sat Jul 09 2022 Maxwell G - 0.0.99.3-4
+- Rebuild for CVE-2022-{24675,28327,29526 in golang}
+
+* Sat Jul 09 2022 Maxwell G - 0.0.99.3-3
+- Rebuild for CVE-2022-{24675,28327,29526} in golang