diff --git a/.fmf/version b/.fmf/version deleted file mode 100644 index d00491f..0000000 --- a/.fmf/version +++ /dev/null @@ -1 +0,0 @@ -1 diff --git a/.gitignore b/.gitignore index 2625054..3db2fe9 100644 --- a/.gitignore +++ b/.gitignore @@ -30,10 +30,3 @@ /toolbox-0.0.99.3.tar.xz /toolbox-0.0.99.3-vendor.tar.xz /toolbox-0.0.99.4-vendored.tar.xz -/toolbox-0.0.99.5-vendored.tar.xz -/toolbox-0.0.99.6-vendored.tar.xz -/toolbox-0.1.0-vendored.tar.xz -/toolbox-0.1.1-vendored.tar.xz -/toolbox-0.1.2-vendored.tar.xz -/toolbox-0.2-vendored.tar.xz -/toolbox-0.3-vendored.tar.xz diff --git a/plans/main.fmf b/plans/main.fmf deleted file mode 100644 index e6427de..0000000 --- a/plans/main.fmf +++ /dev/null @@ -1,4 +0,0 @@ -discover: - how: fmf -execute: - how: tmt diff --git a/rpminspect.yaml b/rpminspect.yaml deleted file mode 100644 index f0d9c5c..0000000 --- a/rpminspect.yaml +++ /dev/null @@ -1,16 +0,0 @@ -# https://github.com/rpminspect/rpminspect/blob/master/data/generic.yaml -# https://github.com/rpminspect/rpminspect-data-fedora/blob/main/fedora.yaml - ---- - -annocheck: - extra_opts: - hardened: --skip-run-path --skip-stack-prot - -elf: - exclude_path: /usr/bin/toolbox - -runpath: - allowed_paths: - - /run/host/usr/lib - - /run/host/usr/lib64 diff --git a/sources b/sources index f30b3d7..a8351c5 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (toolbox-0.3-vendored.tar.xz) = e464aba1c40b37b0ed027a560a0685e5dc8f07684d33d0e2bac5f0ba8c2b2c2a4c585db8847b23bd0753e33d37e3e88c87ab71d3999c3afedf315717f468c0ba +SHA512 (toolbox-0.0.99.4-vendored.tar.xz) = 882cd6ec1c1a193af8774dfdfd0aff72d376c4fec3e0cc702e2d524353c051e408eab2ac3fb43ec00fe622b46ac89fdbe97aca2f7cfbe3822e5d3ff1743f2fd0 diff --git a/tests/main.fmf b/tests/main.fmf deleted file mode 100644 index 25a6fe7..0000000 --- a/tests/main.fmf +++ /dev/null 
@@ -1,12 +0,0 @@ -environment: - ROOTLESS_USER: "fedora" - TMPDIR: /var/tmp -require: - - toolbox-tests - -/rootless: - summary: rootless test - test: | - rpm --erase p11-kit-server - bash ./rootless-test.sh - duration: 4h diff --git a/tests/roles/nonroot_user/tasks/main.yml b/tests/roles/nonroot_user/tasks/main.yml new file mode 100644 index 0000000..51bf44a --- /dev/null +++ b/tests/roles/nonroot_user/tasks/main.yml @@ -0,0 +1,7 @@ +--- +- name: create nonroot user + user: + name: testuser + shell: /bin/bash +- name: enable linger + command: loginctl enable-linger testuser diff --git a/tests/roles/run_bats_tests/files/run_bats_tests.sh b/tests/roles/run_bats_tests/files/run_bats_tests.sh new file mode 100755 index 0000000..e9f5f5f --- /dev/null +++ b/tests/roles/run_bats_tests/files/run_bats_tests.sh 
@@ -0,0 +1,72 @@
+#!/bin/bash
+#
+# Run bats tests for a given $TEST_PACKAGE, e.g. buildah, podman
+#
+# This is invoked by the 'run_bats_tests' role; we assume that
+# the package foo has a foo-tests subpackage which provides the
+# directory /usr/share/foo/test/system, containing one or more .bats
+# test files.
+#
+
+export PATH=/usr/local/bin:/usr/sbin:/usr/bin
+
+FULL_LOG=/tmp/test.debug.log
+BATS_LOG=/tmp/test.bats.log
+rm -f $FULL_LOG $BATS_LOG
+touch $FULL_LOG $BATS_LOG
+
+exec &> $FULL_LOG
+
+# Log program versions
+echo "Packages:"
+rpm -q ${TEST_PACKAGE} ${TEST_PACKAGE}-tests
+
+echo "------------------------------"
+printenv | sort
+
+testdir=/usr/share/${TEST_PACKAGE}/test/system
+
+if ! cd $testdir; then
+ echo "FAIL ${TEST_NAME} : cd $testdir" >> /tmp/test.log
+ exit 0
+fi
+
+if [ -e /tmp/helper.sh ]; then
+ echo "------------------------------"
+ echo ". /tmp/helper.sh"
+ . /tmp/helper.sh
+fi
+
+if [ "$(type -t setup)" = "function" ]; then
+ echo "------------------------------"
+ echo "\$ setup"
+ setup
+ if [ $? -ne 0 ]; then
+ echo "FAIL ${TEST_NAME} : setup" >> /tmp/test.log
+ exit 0
+ fi
+fi
+
+echo "------------------------------"
+echo "\$ bats ."
+bats . &> $BATS_LOG
+rc=$?
+
+echo "------------------------------"
+echo "bats completed with status $rc"
+
+status=PASS
+if [ $rc -ne 0 ]; then
+ status=FAIL
+fi
+
+echo "${status} ${TEST_NAME}" >> /tmp/test.log
+
+if [ "$(type -t teardown)" = "function" ]; then
+ echo "------------------------------"
+ echo "\$ teardown"
+ teardown
+fi
+
+# FIXME: for CI purposes, always exit 0. This allows subsequent tests.
+exit 0
diff --git a/tests/roles/run_bats_tests/tasks/main.yml b/tests/roles/run_bats_tests/tasks/main.yml
new file mode 100644
index 0000000..da79a4c
--- /dev/null
+++ b/tests/roles/run_bats_tests/tasks/main.yml
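Review bot: Every working file in run_bats_tests.sh lives at a fixed name in the world-writable /tmp (`/tmp/test.debug.log`, `/tmp/test.bats.log`, `/tmp/test.log`), and `/tmp/helper.sh` is sourced whenever it exists, with no check on who owns it. On a shared test host another local account could pre-create those paths or leave a helper there that then runs with the test user's privileges. Prefer a per-run directory from `mktemp -d` handed in by the role, or at minimum gate the source on ownership: `if [ -O /tmp/helper.sh ]; then . /tmp/helper.sh; fi`. The expansions of `$FULL_LOG`, `$BATS_LOG`, `$testdir` and `${TEST_PACKAGE}` are also unquoted; `cd "$testdir"` and `rpm -q "${TEST_PACKAGE}" "${TEST_PACKAGE}-tests"` avoid word splitting if a caller passes an unusual package name.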
@@ -0,0 +1,37 @@
+---
+# Create empty results file, world-writable
+- name: initialize test.log file
+ copy: dest=/tmp/test.log content='' force=yes mode=0666
+
+- name: execute tests
+ include: run_one_test.yml
+ with_items: "{{ tests }}"
+ loop_control:
+ loop_var: test
+
+- name: pull test.log results
+ fetch:
+ src: "/tmp/test.log"
+ dest: "{{ artifacts }}/test.log"
+ flat: yes
+
+# Copied from standard-test-basic
+- name: check results
+ shell: grep "^FAIL" /tmp/test.log
+ register: test_fails
+ # Never fail at this step. Just store result of tests.
+ failed_when: False
+
+- name: preserve results
+ set_fact:
+ role_result_failed: "{{ (test_fails.stdout|d|length > 0) or (test_fails.stderr|d|length > 0) }}"
+ role_result_msg: "{{ test_fails.stdout|d('tests failed.') }}"
+
+- name: display results
+ vars:
+ msg: |
+ Tests failed: {{ role_result_failed|d('Undefined') }}
+ Tests msg: {{ role_result_msg|d('None') }}
+ debug:
+ msg: "{{ msg.split('\n') }}"
+ failed_when: "role_result_failed|bool"
diff --git a/tests/roles/run_bats_tests/tasks/run_one_test.yml b/tests/roles/run_bats_tests/tasks/run_one_test.yml
new file mode 100644
index 0000000..b44ed42
--- /dev/null
+++ b/tests/roles/run_bats_tests/tasks/run_one_test.yml
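Review bot: The `check results` task decides the outcome only by grepping `/tmp/test.log` for `^FAIL`, so a run in which the script died before writing any line is reported as success; the role should also require one `PASS` line per entry in `tests`. The verdict file is created on purpose with `mode=0666` in /tmp, which lets any local account add or remove result lines; creating it owned by the account the tests run as, with `mode=0644`, keeps it writable for the test without making it world-writable. `grep` can be given the pattern literally with `command: grep -c '^FAIL' /tmp/test.log` instead of `shell:`, and `include:` is deprecated in current Ansible in favour of `include_tasks:`.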
@@ -0,0 +1,52 @@
+---
+- name: "{{ test.name }} | install test packages"
+ dnf: name="{{ test.package }}-tests" state=installed
+
+- name: "{{ test.name }} | define helper variables"
+ set_fact:
+ test_name_oneword: "{{ test.name | replace(' ','-') }}"
+
+# UGH. This is necessary because our caller sets some environment variables
+# and we need to set a few more based on other caller variables; then we
+# need to combine the two dicts when running the test. This seems to be
+# the only way to do it in ansible.
+- name: "{{ test.name }} | define local environment"
+ set_fact:
+ local_environment:
+ TEST_NAME: "{{ test.name }}"
+ TEST_PACKAGE: "{{ test.package }}"
+ TEST_ENV: "{{ test.environment }}"
+
+- name: "{{ test.name }} | setup/teardown helper | see if exists"
+ local_action: stat path={{ role_path }}/files/helper.{{ test_name_oneword }}.sh
+ register: helper
+
+- name: "{{ test.name }} | setup/teardown helper | install"
+ copy: src=helper.{{ test_name_oneword }}.sh dest=/tmp/helper.sh
+ when: helper.stat.exists
+
+- name: "{{ test.name }} | run test"
+ script: ./run_bats_tests.sh
+ args:
+ chdir: /usr/share/{{ test.package }}/test/system
+ become: "{{ true if test.become is defined else false }}"
+ become_user: testuser
+ environment: "{{ local_environment | combine(test.environment) }}"
+
+- name: "{{ test.name }} | pull logs"
+ fetch:
+ src: "/tmp/test.{{ item }}.log"
+ dest: "{{ artifacts }}/test.{{ test_name_oneword }}.{{ item }}.log"
+ flat: yes
+ with_items:
+ - bats
+ - debug
+
+- name: "{{ test.name }} | remove remote logs and helpers"
+ file:
+ dest=/tmp/{{ item }}
+ state=absent
+ with_items:
+ - test.bats.log
+ - test.debug.log
+ - helper.sh
diff --git a/tests/rootless-test.sh b/tests/rootless-test.sh
deleted file mode 100644
index 16da9fe..0000000
--- a/tests/rootless-test.sh
+++ /dev/null
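Review bot: In the `run test` task, `become: "{{ true if test.become is defined else false }}"` checks only that the key exists, so a test entry that sets `become: false` still runs under `become_user: testuser`. `become: "{{ test.become | default(false) | bool }}"` honours the value the caller wrote. The helper is installed at the fixed path `/tmp/helper.sh` without an explicit `owner` or `mode` and is later sourced by the script. Placing it in a directory created per run (for example with the `tempfile` module) and passing that path through `environment` would keep the sourced file out of a world-writable location.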
@@ -1,11 +0,0 @@ -#!/usr/bin/env bash - -set -exo pipefail - -uname -r - -loginctl enable-linger "$ROOTLESS_USER" - -rpm -q containers-common-extra podman toolbox - -su --whitelist-environment=$(cat ./tmt-envvars | tr '\n' ',') - "$ROOTLESS_USER" -c "whoami && cd /usr/share/toolbox/test/system && bats ." diff --git a/tests/tests.yml b/tests/tests.yml new file mode 100644 index 0000000..0048a3e --- /dev/null +++ b/tests/tests.yml @@ -0,0 +1,15 @@ +--- +- hosts: localhost + tags: classic + vars: + - artifacts: ./artifacts + roles: + - role: nonroot_user + - role: run_bats_tests + tests: + - name: toolbox + package: toolbox + environment: + PODMAN: /usr/bin/podman + become: true + \ No newline at end of file diff --git a/tests/tmt-envvars b/tests/tmt-envvars deleted file mode 100644 index 6f3176e..0000000 --- a/tests/tmt-envvars +++ /dev/null @@ -1 +0,0 @@ -TMPDIR diff --git a/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch b/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch deleted file mode 100644 index aec1779..0000000 --- a/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 4649e50c28321185cbaa81a37efbd317b84ae840 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Wed, 18 Aug 2021 17:55:21 +0200 -Subject: [PATCH 1/2] cmd/run: Make sosreport work by setting the HOST - environment variable - -https://bugzilla.redhat.com/show_bug.cgi?id=1940037 ---- - src/cmd/run.go | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/src/cmd/run.go b/src/cmd/run.go -index ceb277a3640a..72b673f506b3 100644 ---- a/src/cmd/run.go -+++ b/src/cmd/run.go -@@ -576,6 +576,7 @@ func constructExecArgs(container, preserveFDs string, - execArgs = append(execArgs, envOptions...) - - execArgs = append(execArgs, []string{ -+ "--env", "HOST=/run/host", - "--interactive", - "--preserve-fds", preserveFDs, - }...) --- -2.51.0 - - -From b2ba8445bee988143d546bc15fa3a8a8c019aa2e Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Fri, 10 Dec 2021 13:42:15 +0100 -Subject: [PATCH 2/2] test/system: Update to test the migration path for - coreos/toolbox users - -This reverts the changes to the tests made in commit -411147988b730dabf8b9e761a5426e12d648f008 by restoring commit -ca899c8a561f357ae32c6ba6813520fd8b682abb and the parts of commit -3aeb7cf288319e35eb9c5e26ea18d97452462c1e that were removed. 
---- - test/system/002-help.bats | 14 -------------- - test/system/100-root.bats | 27 +++++++++++++++++++++++++++ - 2 files changed, 27 insertions(+), 14 deletions(-) - create mode 100644 test/system/100-root.bats - -diff --git a/test/system/002-help.bats b/test/system/002-help.bats -index f7cd3f5480ab..7ad5f72e792f 100644 ---- a/test/system/002-help.bats -+++ b/test/system/002-help.bats -@@ -33,20 +33,6 @@ teardown_file() { - cleanup_all - } - --@test "help: Smoke test" { -- run --keep-empty-lines --separate-stderr "$TOOLBX" -- -- assert_failure -- assert [ ${#lines[@]} -eq 0 ] -- lines=("${stderr_lines[@]}") -- assert_line --index 0 "Error: missing command" -- assert_line --index 2 "create Create a new Toolbx container" -- assert_line --index 3 "enter Enter an existing Toolbx container" -- assert_line --index 4 "list List all existing Toolbx containers and images" -- assert_line --index 6 "Run 'toolbox --help' for usage." -- assert [ ${#stderr_lines[@]} -eq 7 ] --} -- - @test "help: Command 'help'" { - if ! command -v man 2>/dev/null; then - skip "not found man(1)" -diff --git a/test/system/100-root.bats b/test/system/100-root.bats -new file mode 100644 -index 000000000000..cf35d60ac25c ---- /dev/null -+++ b/test/system/100-root.bats -@@ -0,0 +1,27 @@ -+#!/usr/bin/env bats -+ -+load 'libs/bats-support/load' -+load 'libs/bats-assert/load' -+load 'libs/helpers' -+ -+setup() { -+ _setup_environment -+ cleanup_all -+} -+ -+teardown() { -+ cleanup_all -+} -+ -+@test "root: Try to enter the default container with no containers created" { -+ run "$TOOLBX" <<< "n" -+ -+ assert_success -+ assert_line --index 0 "No toolbox containers found. Create now? [y/N] A container can be created later with the 'create' command." -+ assert_line --index 1 "Run 'toolbox --help' for usage." -+} -+ -+# TODO: Write the test -+@test "root: Enter the default container when 1 non-default container is present" { -+ skip "Testing of entering toolboxes is not implemented" -+} --- -2.51.0 - 
diff --git a/toolbox-Don-t-use-podman-1-when-generating-the-comp.patch b/toolbox-Don-t-use-podman-1-when-generating-the-comp.patch
new file mode 100644
index 0000000..85c7289
--- /dev/null
+++ b/toolbox-Don-t-use-podman-1-when-generating-the-comp.patch
@@ -0,0 +1,89 @@ +From fc5f568c5d82f4a16982268fa67092e52be91fbe Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Tue, 28 Feb 2023 17:12:04 +0100 +Subject: [PATCH] cmd/root: Don't use podman(1) when generating the completions + +Ever since commit bafbbe81c9220cb3, the shell completions are generated +while building Toolbx using the 'completion' command. This involves +running toolbox(1) itself, and hence invoking 'podman version' to decide +if 'podman system migrate' is needed or not. + +Unfortunately, some build environments, like Fedora's, are set up inside +a chroot(2) or systemd-nspawn(1) or similar, where 'podman version' may +not work because it does various things with namespaces(7) and clone(2) +that can, under certain circumstances, encounter an EPERM. + +Therefore, it's better to avoid using podman(1) when generating the +shell completions, especially, since they are generated by Cobra itself +and podman(1) is not involved at all. + +Note that podman(1) is needed when the generated shell completions are +actually used in interactive command line environments. The shell +completions invoke the hidden '__complete' command to get the results +that are presented to the user, and, if needed, 'podman system migrate' +will continue to be run as part of that. + +This partially reverts commit f3e005d0142d7ec76d5ac8f0a2f331a52fd46011 +because podman(1) is now only an optional runtime dependency for the +system tests. 
+ +https://github.com/containers/podman/issues/17657 +--- + meson.build | 2 +- + src/cmd/root.go | 9 +++++++-- + 2 files changed, 8 insertions(+), 3 deletions(-) + +diff --git a/meson.build b/meson.build +index 6f044bb204e3..653a3d3ac588 100644 +--- a/meson.build ++++ b/meson.build +@@ -18,12 +18,12 @@ subid_dep = cc.find_library('subid', has_headers: ['shadow/subid.h']) + + go = find_program('go') + go_md2man = find_program('go-md2man') +-podman = find_program('podman') + + bats = find_program('bats', required: false) + codespell = find_program('codespell', required: false) + htpasswd = find_program('htpasswd', required: false) + openssl = find_program('openssl', required: false) ++podman = find_program('podman', required: false) + shellcheck = find_program('shellcheck', required: false) + skopeo = find_program('skopeo', required: false) + +diff --git a/src/cmd/root.go b/src/cmd/root.go +index 304b03dcd889..9975ccc7a4c8 100644 +--- a/src/cmd/root.go ++++ b/src/cmd/root.go +@@ -166,7 +166,7 @@ func preRun(cmd *cobra.Command, args []string) error { + + logrus.Debugf("TOOLBOX_PATH is %s", toolboxPath) + +- if err := migrate(); err != nil { ++ if err := migrate(cmd, args); err != nil { + return err + } + +@@ -211,13 +211,18 @@ func rootRun(cmd *cobra.Command, args []string) error { + return rootRunImpl(cmd, args) + } + +-func migrate() error { ++func migrate(cmd *cobra.Command, args []string) error { + logrus.Debug("Migrating to newer Podman") + + if utils.IsInsideContainer() { + return nil + } + ++ if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName { ++ logrus.Debugf("Migration not needed: command %s doesn't need it", cmdName) ++ return nil ++ } ++ + configDir, err := os.UserConfigDir() + if err != nil { + logrus.Debugf("Migrating to newer Podman: failed to get the user config directory: %s", err) +-- +2.39.1 + 
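Review bot: The completion check added to `migrate` compares command names (`cmd.Name() == completionCmdName`) rather than identity, so it would also skip the migration for any other command that happens to carry the same name. If `completionCmd` is a `*cobra.Command`, `if cmd == completionCmd {` is the tighter test. The new `args` parameter is not read in the lines visible here; the function body continues outside the hunk, so confirm it is used there or name it `_`. With `podman = find_program('podman', required: false)` in meson.build, any later use of `podman` in the build files should be guarded by `podman.found()`, which this hunk does not show.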
diff --git a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
new file mode 100644
index 0000000..f658031
--- /dev/null
+++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
@@ -0,0 +1,63 @@ +From 17a0e519fd9b1e721b35a823bd244a28e3f87a4a Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Mon, 29 Jun 2020 17:57:47 +0200 +Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} for + PPC64 + +The Go toolchain doesn't play well with passing compiler and linker +flags via environment variables. The linker flags require a second +level of quoting, which leaves the build system without a quote level +to assign the flags to an environment variable like GOFLAGS. + +This is one reason why Fedora doesn't have a RPM macro with only the +flags. The %{gobuild} RPM macro includes the entire 'go build ...' +invocation. + +The Go toolchain also doesn't like the LDFLAGS environment variable as +exported by Fedora's %{meson} RPM macro. + +Note that these flags are only meant for the "ppc64" CPU architecture, +and should be kept updated to match Fedora's Go guidelines. Use +'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro. +--- + src/go-build-wrapper | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/go-build-wrapper b/src/go-build-wrapper +index c572d6dfb02b..cae2de426a96 100755 +--- a/src/go-build-wrapper ++++ b/src/go-build-wrapper +@@ -33,9 +33,9 @@ if ! cd "$1"; then + exit 1 + fi + +-tags="" ++tags="-tags rpm_crashtraceback,${BUILDTAGS:-}" + if $7; then +- tags="-tags migration_path_for_coreos_toolbox" ++ tags="$tags,migration_path_for_coreos_toolbox" + fi + + if ! 
libc_dir=$("$5" --print-file-name=libc.so); then +@@ -70,11 +70,16 @@ fi + + dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename" + ++unset LDFLAGS ++ + # shellcheck disable=SC2086 + go build \ ++ -compiler gc \ + $tags \ +- -trimpath \ +- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ ++ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ ++ -a \ ++ -v \ ++ -x \ + -o "$2/$3" + + exit "$?" +-- +2.39.1 + diff --git a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch new file mode 100644 index 0000000..7105cb5 --- /dev/null +++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch 
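Review bot: In the patched `go build` call, `${LDFLAGS:-}` inside `-ldflags` can never expand to anything because `unset LDFLAGS` runs just above it; drop the expansion or read the extra flags from a differently named variable. The patch also removes `-trimpath` and seeds `-B` from `/dev/urandom`, so the binary embeds build-host paths and is not reproducible. A comment stating that this is inherited from `%{gobuild}` would stop someone "fixing" one half of it later. This PPC64 variant omits the `-buildmode pie` that toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch passes, presumably on purpose for the architecture, and a one-line comment in the wrapper should say so. The `${LDFLAGS:-}` and `-trimpath` points apply equally to that second patch.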
@@ -0,0 +1,63 @@ +From fd03e31c7d789413700db84af02894d5be70b5ee Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Mon, 29 Jun 2020 17:57:47 +0200 +Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} + +The Go toolchain doesn't play well with passing compiler and linker +flags via environment variables. The linker flags require a second +level of quoting, which leaves the build system without a quote level +to assign the flags to an environment variable like GOFLAGS. + +This is one reason why Fedora doesn't have a RPM macro with only the +flags. The %{gobuild} RPM macro includes the entire 'go build ...' +invocation. + +The Go toolchain also doesn't like the LDFLAGS environment variable as +exported by Fedora's %{meson} RPM macro. + +Note that these flags are meant for every CPU architecture other than +PPC64, and should be kept updated to match Fedora's Go guidelines. Use +'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro. +--- + src/go-build-wrapper | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/src/go-build-wrapper b/src/go-build-wrapper +index c572d6dfb02b..0e6a2efa6853 100755 +--- a/src/go-build-wrapper ++++ b/src/go-build-wrapper +@@ -33,9 +33,9 @@ if ! cd "$1"; then + exit 1 + fi + +-tags="" ++tags="-tags rpm_crashtraceback,${BUILDTAGS:-}" + if $7; then +- tags="-tags migration_path_for_coreos_toolbox" ++ tags="$tags,migration_path_for_coreos_toolbox" + fi + + if ! 
libc_dir=$("$5" --print-file-name=libc.so); then +@@ -70,11 +70,17 @@ fi + + dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename" + ++unset LDFLAGS ++ + # shellcheck disable=SC2086 + go build \ ++ -buildmode pie \ ++ -compiler gc \ + $tags \ +- -trimpath \ +- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ ++ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ ++ -a \ ++ -v \ ++ -x \ + -o "$2/$3" + + exit "$?" +-- +2.39.1 + diff --git a/toolbox-Make-the-build-flags-match-Fedora.patch b/toolbox-Make-the-build-flags-match-Fedora.patch deleted file mode 100644 index 5ee5fd4..0000000 --- a/toolbox-Make-the-build-flags-match-Fedora.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From a1bb7d53fab70899c991feb9276cf93a12280750 Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Mon, 29 Jun 2020 17:57:47 +0200 -Subject: [PATCH] build: Make the build flags match Fedora's %{gobuildflags} - -These reflect the defaults for Fedora 39, which is the oldest supported -Fedora, barring some exceptions mentioned below. - -The change to use the RPM's %{name}, %{version}, %{release} and the -SOURCE_DATE_EPOCH environment variable [1], instead of /dev/urandom, to -generate the build ID annotation for the toolbox(1) binary [2] was left -out. It will need more work to propagate the RPM's %{name}, %{version} -and %{release} to Meson. - -Note that these flags are meant for every CPU architecture other than -PPC64, and should be kept updated to match Fedora's Go guidelines. Use -'rpm --eval "%{gobuildflags}"' to expand the %{gobuildflags} macro. - -[1] https://reproducible-builds.org/docs/source-date-epoch/ - -[2] go-rpm-macros commit 1980932bf3a21890 - https://pagure.io/go-rpm-macros/c/1980932bf3a21890 - https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds ---- - src/go-build-wrapper | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index a5a1a6a508fb..5978422e9aed 100755 ---- a/src/go-build-wrapper -+++ b/src/go-build-wrapper -@@ -33,9 +33,9 @@ if ! cd "$1"; then - exit 1 - fi - --tags="" -+tags="-tags rpm_crashtraceback,${GO_BUILDTAGS:-}" - if $7; then -- tags="-tags migration_path_for_coreos_toolbox" -+ tags="$tags,migration_path_for_coreos_toolbox" - fi - - if ! 
libc_dir=$("$5" --print-file-name=libc.so); then -@@ -114,9 +114,14 @@ dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basen - - # shellcheck disable=SC2086 - go build \ -+ -buildmode pie \ -+ -compiler gc \ - $tags \ - -trimpath \ -- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ -+ -ldflags "${GO_LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ -+ -a \ -+ -v \ -+ -x \ - -o "$2/$3" - - exit "$?" --- -2.51.0 - diff --git a/toolbox-Make-the-build-flags-match-RHEL-10.patch b/toolbox-Make-the-build-flags-match-RHEL-10.patch deleted file mode 100644 index 9528088..0000000 --- a/toolbox-Make-the-build-flags-match-RHEL-10.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From f79f96fb8f3ec528952b9719f356e871837987df Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Mon, 29 Jun 2020 17:57:47 +0200 -Subject: [PATCH] build: Make the build flags match RHEL 10's %{gobuildflags} - -These reflect the defaults for RHEL 10.0 Beta, because RHEL 10.0 is -still early in its development cycle and the defaults may be in a state -of flux. Some exceptions are mentioned below. - -The '-z pack-relative-relocs' linker flag was left out. It's currently -not supported on s390x, so using it would require architecture specific -patches, which is a hassle. Support for aarch64 was recently added [1], -so hopefully s390x will also be supported soon. - -The change to use the RPM's %{name}, %{version}, %{release} and the -SOURCE_DATE_EPOCH environment variable [2], instead of /dev/urandom, to -generate the build ID annotation for the toolbox(1) binary [2] was left -out. It will need more work to propagate the RPM's %{name}, %{version} -and %{release} to Meson. - -Note that these flags are meant for every CPU architecture other than -PPC64, and should be kept updated to match RHEL 10's Go guidelines. Use -'rpm --eval "%{gobuildflags}"' to expand the %{gobuildflags} macro. - -[1] CentOS Stream redhat-rpm-config commit 3c5a6b17540b2a0b - https://gitlab.com/redhat/centos-stream/rpms/redhat-rpm-config/-/commit/3c5a6b17540b2a0b - https://gitlab.com/redhat/centos-stream/rpms/redhat-rpm-config/-/merge_requests/42 - https://issues.redhat.com/browse/RHEL-40379 - -[2] go-rpm-macros commit 1980932bf3a21890 - https://pagure.io/go-rpm-macros/c/1980932bf3a21890 - https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds ---- - src/go-build-wrapper | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index a5a1a6a508fb..5978422e9aed 100755 ---- a/src/go-build-wrapper -+++ b/src/go-build-wrapper -@@ -33,9 +33,9 @@ if ! 
cd "$1"; then - exit 1 - fi - --tags="" -+tags="-tags rpm_crashtraceback,${GO_BUILDTAGS:-}" - if $7; then -- tags="-tags migration_path_for_coreos_toolbox" -+ tags="$tags,migration_path_for_coreos_toolbox" - fi - - if ! libc_dir=$("$5" --print-file-name=libc.so); then -@@ -114,9 +114,14 @@ dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basen - - # shellcheck disable=SC2086 - go build \ -+ -buildmode pie \ -+ -compiler gc \ - $tags \ - -trimpath \ -- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ -+ -ldflags "${GO_LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ -+ -a \ -+ -v \ -+ -x \ - -o "$2/$3" - - exit "$?" --- -2.51.0 - diff --git a/toolbox-Make-the-build-flags-match-RHEL-9.patch b/toolbox-Make-the-build-flags-match-RHEL-9.patch deleted file mode 100644 index 492268a..0000000 --- a/toolbox-Make-the-build-flags-match-RHEL-9.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 2d1b4b2492c65abd0d0bf0c71c971f550447412d Mon Sep 17 00:00:00 2001 -From: Debarshi Ray -Date: Mon, 29 Jun 2020 17:57:47 +0200 -Subject: [PATCH] build: Make the build flags match RHEL 9's %{gobuildflags} - -These reflect the defaults for RHEL 9.5, because RHEL 9.6 is still early -in its development cycle and the defaults may be in a state of flux. - -Note that these flags are meant for every CPU architecture other than -PPC64, and should be kept updated to match RHEL 9's Go guidelines. Use -'rpm --eval "%{gobuildflags}"' to expand the %{gobuildflags} macro. ---- - src/go-build-wrapper | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/src/go-build-wrapper b/src/go-build-wrapper -index a5a1a6a508fb..0a2c7526f210 100755 ---- a/src/go-build-wrapper -+++ b/src/go-build-wrapper -@@ -33,9 +33,9 @@ if ! cd "$1"; then - exit 1 - fi - --tags="" -+tags="-tags rpm_crashtraceback,${GO_BUILDTAGS:-},libtrust_openssl" - if $7; then -- tags="-tags migration_path_for_coreos_toolbox" -+ tags="$tags,migration_path_for_coreos_toolbox" - fi - - if ! 
libc_dir=$("$5" --print-file-name=libc.so); then -@@ -114,9 +114,14 @@ dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basen - - # shellcheck disable=SC2086 - go build \ -+ -buildmode pie \ -+ -compiler gc \ - $tags \ - -trimpath \ -- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ -+ -ldflags "${GO_LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ -+ -a \ -+ -v \ -+ -x \ - -o "$2/$3" - - exit "$?" --- -2.51.0 - diff --git a/toolbox-Simplify-removing-the-user-s-password.patch b/toolbox-Simplify-removing-the-user-s-password.patch new file mode 100644 index 0000000..d10d870 --- /dev/null +++ b/toolbox-Simplify-removing-the-user-s-password.patch 
@@ -0,0 +1,1056 @@ +From 07d5c061eacec0a3b145947a9b95a11b705ea5d3 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Sat, 12 Aug 2023 14:26:22 +0200 +Subject: [PATCH 1/5] test/system: Test that group and user IDs work + +These tests assume that the group and user information on the host +operating system can be provided by different plugins for the GNU Name +Service Switch (or NSS) functionality of the GNU C Library. eg., on +enterprise FreeIPA set-ups. However, it's expected that everything +inside the Toolbx container will be provided by /etc/group, /etc/passwd, +/etc/shadow, etc.. + +While /etc/group and /etc/passwd can be read by any user, /etc/shadow +can only be read by root. However, it's awkward to use sudo(8) in the +test cases involving /etc/shadow, because they ensure that root and +$USER don't need passwords to authenticate inside the container, and +sudo(8) itself depends on that. If sudo(8) is used, the test suite can +behave unexpectedly if Toolbx didn't set up the container correctly. +eg., it can get blocked waiting for a password. + +Hence, 'podman unshare' is used instead to enter the container's initial +user namespace, where $USER from the host appears as root. This is +sufficient because the test cases only need to read /etc/shadow inside +the Toolbx container. + +https://github.com/containers/toolbox/pull/1355 +--- + test/system/206-user.bats | 520 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 520 insertions(+) + create mode 100644 test/system/206-user.bats + +diff --git a/test/system/206-user.bats b/test/system/206-user.bats +new file mode 100644 +index 000000000000..fdb2a33da88c +--- /dev/null ++++ b/test/system/206-user.bats +@@ -0,0 +1,520 @@ ++# shellcheck shell=bats ++# ++# Copyright © 2023 Red Hat, Inc. ++# ++# Licensed under the Apache License, Version 2.0 (the "License"); ++# you may not use this file except in compliance with the License. 
++# You may obtain a copy of the License at ++# ++# http://www.apache.org/licenses/LICENSE-2.0 ++# ++# Unless required by applicable law or agreed to in writing, software ++# distributed under the License is distributed on an "AS IS" BASIS, ++# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++# See the License for the specific language governing permissions and ++# limitations under the License. ++# ++ ++load 'libs/bats-support/load' ++load 'libs/bats-assert/load' ++load 'libs/helpers' ++ ++setup() { ++ bats_require_minimum_version 1.7.0 ++ _setup_environment ++ cleanup_containers ++} ++ ++teardown() { ++ cleanup_containers ++} ++ ++@test "user: separate namespace" { ++ local ns_host ++ ns_host=$(readlink /proc/$$/ns/user) ++ ++ create_default_container ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run sh -c 'readlink /proc/$$/ns/user' ++ ++ assert_success ++ assert_line --index 0 --regexp '^user:\[[[:digit:]]+\]$' ++ refute_line --index 0 "$ns_host" ++ ++ if check_bats_version 1.10.0; then ++ assert [ ${#lines[@]} -eq 1 ] ++ else ++ assert [ ${#lines[@]} -eq 2 ] ++ fi ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: root in shadow(5) inside the default container" { ++ local default_container ++ default_container="$(get_system_id)-toolbox-$(get_system_version)" ++ ++ create_default_container ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount "$default_container")" ++ ++ "$TOOLBOX" run true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount "$default_container" ++ ++ assert_success ++ assert_line --regexp '^root::.+$' ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: root in shadow(5) inside Arch Linux" { ++ create_distro_container arch latest arch-toolbox-latest ++ 
container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount arch-toolbox-latest)" ++ ++ "$TOOLBOX" run --distro arch true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount arch-toolbox-latest ++ ++ assert_success ++ assert_line --regexp '^root::.+$' ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: root in shadow(5) inside Fedora 34" { ++ create_distro_container fedora 34 fedora-toolbox-34 ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount fedora-toolbox-34)" ++ ++ "$TOOLBOX" run --distro fedora --release 34 true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount fedora-toolbox-34 ++ ++ assert_success ++ assert_line --regexp '^root::.+$' ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: root in shadow(5) inside RHEL 8.7" { ++ create_distro_container rhel 8.7 rhel-toolbox-8.7 ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount rhel-toolbox-8.7)" ++ ++ "$TOOLBOX" run --distro rhel --release 8.7 true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount rhel-toolbox-8.7 ++ ++ assert_success ++ assert_line --regexp '^root::.+$' ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: root in shadow(5) inside Ubuntu 16.04" { ++ create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04 ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-16.04)" ++ ++ "$TOOLBOX" run --distro ubuntu --release 16.04 true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat 
"$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-16.04 ++ ++ assert_success ++ assert_line --regexp '^root::.+$' ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: root in shadow(5) inside Ubuntu 18.04" { ++ create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04 ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-18.04)" ++ ++ "$TOOLBOX" run --distro ubuntu --release 18.04 true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-18.04 ++ ++ assert_success ++ assert_line --regexp '^root::.+$' ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: root in shadow(5) inside Ubuntu 20.04" { ++ create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04 ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-20.04)" ++ ++ "$TOOLBOX" run --distro ubuntu --release 20.04 true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-20.04 ++ ++ assert_success ++ assert_line --regexp '^root::.+$' ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in passwd(5) inside the default container" { ++ local user_gecos ++ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" ++ ++ local user_id_real ++ user_id_real="$(id --real --user)" ++ ++ create_default_container ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run sh -c 'cat /etc/passwd' ++ ++ assert_success ++ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck 
disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in passwd(5) inside Arch Linux" { ++ local user_gecos ++ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" ++ ++ local user_id_real ++ user_id_real="$(id --real --user)" ++ ++ create_distro_container arch latest arch-toolbox-latest ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro arch sh -c 'cat /etc/passwd' ++ ++ assert_success ++ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in passwd(5) inside Fedora 34" { ++ local user_gecos ++ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" ++ ++ local user_id_real ++ user_id_real="$(id --real --user)" ++ ++ create_distro_container fedora 34 fedora-toolbox-34 ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro fedora --release 34 sh -c 'cat /etc/passwd' ++ ++ assert_success ++ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in passwd(5) inside RHEL 8.7" { ++ local user_gecos ++ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" ++ ++ local user_id_real ++ user_id_real="$(id --real --user)" ++ ++ create_distro_container rhel 8.7 rhel-toolbox-8.7 ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro rhel --release 8.7 sh -c 'cat /etc/passwd' ++ ++ assert_success ++ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in passwd(5) inside Ubuntu 16.04" { ++ local user_gecos ++ user_gecos="$(getent passwd "$USER" | cut --delimiter : 
--fields 5)" ++ ++ local user_id_real ++ user_id_real="$(id --real --user)" ++ ++ create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04 ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 16.04 sh -c 'cat /etc/passwd' ++ ++ assert_success ++ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in passwd(5) inside Ubuntu 18.04" { ++ local user_gecos ++ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" ++ ++ local user_id_real ++ user_id_real="$(id --real --user)" ++ ++ create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04 ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 18.04 sh -c 'cat /etc/passwd' ++ ++ assert_success ++ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in passwd(5) inside Ubuntu 20.04" { ++ local user_gecos ++ user_gecos="$(getent passwd "$USER" | cut --delimiter : --fields 5)" ++ ++ local user_id_real ++ user_id_real="$(id --real --user)" ++ ++ create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04 ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 20.04 sh -c 'cat /etc/passwd' ++ ++ assert_success ++ assert_line --regexp "^$USER::$user_id_real:$user_id_real:$user_gecos:$HOME:$SHELL$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in shadow(5) inside the default container" { ++ local default_container ++ default_container="$(get_system_id)-toolbox-$(get_system_version)" ++ ++ create_default_container ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount "$default_container")" 
++ ++ "$TOOLBOX" run true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount "$default_container" ++ ++ assert_success ++ refute_line --regexp "^$USER:.*$" ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in shadow(5) inside Arch Linux" { ++ create_distro_container arch latest arch-toolbox-latest ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount arch-toolbox-latest)" ++ ++ "$TOOLBOX" run --distro arch true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount arch-toolbox-latest ++ ++ assert_success ++ refute_line --regexp "^$USER:.*$" ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in shadow(5) inside Fedora 34" { ++ create_distro_container fedora 34 fedora-toolbox-34 ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount fedora-toolbox-34)" ++ ++ "$TOOLBOX" run --distro fedora --release 34 true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount fedora-toolbox-34 ++ ++ assert_success ++ refute_line --regexp "^$USER:.*$" ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in shadow(5) inside RHEL 8.7" { ++ create_distro_container rhel 8.7 rhel-toolbox-8.7 ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount rhel-toolbox-8.7)" ++ ++ "$TOOLBOX" run --distro rhel --release 8.7 true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount rhel-toolbox-8.7 ++ ++ assert_success ++ refute_line --regexp 
"^$USER:.*$" ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in shadow(5) inside Ubuntu 16.04" { ++ create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04 ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-16.04)" ++ ++ "$TOOLBOX" run --distro ubuntu --release 16.04 true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-16.04 ++ ++ assert_success ++ refute_line --regexp "^$USER:.*$" ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in shadow(5) inside Ubuntu 18.04" { ++ create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04 ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-18.04)" ++ ++ "$TOOLBOX" run --distro ubuntu --release 18.04 true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-18.04 ++ ++ assert_success ++ refute_line --regexp "^$USER:.*$" ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in shadow(5) inside Ubuntu 20.04" { ++ create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04 ++ container_root_file_system="$("$PODMAN" unshare "$PODMAN" mount ubuntu-toolbox-20.04)" ++ ++ "$TOOLBOX" run --distro ubuntu --release 20.04 true ++ ++ run --keep-empty-lines --separate-stderr "$PODMAN" unshare cat "$container_root_file_system/etc/shadow" ++ "$PODMAN" unshare "$PODMAN" unmount ubuntu-toolbox-20.04 ++ ++ assert_success ++ refute_line --regexp "^$USER:.*$" ++ assert [ ${#lines[@]} -gt 0 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in group(5) inside the 
default container" { ++ create_default_container ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run sh -c 'cat /etc/group' ++ ++ assert_success ++ assert_line --regexp "^(sudo|wheel):x:[[:digit:]]+:$USER$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in group(5) inside Arch Linux" { ++ create_distro_container arch latest arch-toolbox-latest ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro arch sh -c 'cat /etc/group' ++ ++ assert_success ++ assert_line --regexp "^wheel:x:[[:digit:]]+:$USER$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in group(5) inside Fedora 34" { ++ create_distro_container fedora 34 fedora-toolbox-34 ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro fedora --release 34 sh -c 'cat /etc/group' ++ ++ assert_success ++ assert_line --regexp "^wheel:x:[[:digit:]]+:$USER$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in group(5) inside RHEL 8.7" { ++ create_distro_container rhel 8.7 rhel-toolbox-8.7 ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro rhel --release 8.7 sh -c 'cat /etc/group' ++ ++ assert_success ++ assert_line --regexp "^wheel:x:[[:digit:]]+:$USER$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in group(5) inside Ubuntu 16.04" { ++ create_distro_container ubuntu 16.04 ubuntu-toolbox-16.04 ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 16.04 sh -c 'cat /etc/group' ++ ++ assert_success ++ assert_line --regexp "^sudo:x:[[:digit:]]+:$USER$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in 
group(5) inside Ubuntu 18.04" { ++ create_distro_container ubuntu 18.04 ubuntu-toolbox-18.04 ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 18.04 sh -c 'cat /etc/group' ++ ++ assert_success ++ assert_line --regexp "^sudo:x:[[:digit:]]+:$USER$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} ++ ++@test "user: $USER in group(5) inside Ubuntu 20.04" { ++ create_distro_container ubuntu 20.04 ubuntu-toolbox-20.04 ++ ++ run --keep-empty-lines --separate-stderr "$TOOLBOX" run --distro ubuntu --release 20.04 sh -c 'cat /etc/group' ++ ++ assert_success ++ assert_line --regexp "^sudo:x:[[:digit:]]+:$USER$" ++ assert [ ${#lines[@]} -gt 1 ] ++ ++ # shellcheck disable=SC2154 ++ assert [ ${#stderr_lines[@]} -eq 0 ] ++} +-- +2.41.0 + + +From 22ba72f3152650d538437bf298ebde4a63e2adc9 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Wed, 4 Nov 2020 00:55:31 +0100 +Subject: [PATCH 2/5] Deprecate the --monitor-host option of 'init-container' + +The --monitor-host option was added to the 'init-container' command in +commit 8b84b5e4604921fa to accommodate Podman versions older than 1.2.0 +that didn't have the '--dns none' and '--no-hosts' options for +'podman create'. These options are necessary to keep the Toolbx +container's /etc/resolv.conf and /etc/hosts files synchronized with +those of the host. + +Note that Podman 1.2.0 was already available a few months before +commit 8b84b5e4604921fa introduced the --monitor-host option. The +chances of someone using an older Podman back then was already on the +decline, and it's very unlikely that a container created with such a +Podman has survived till this date. + +Commit b6b484fa792b442a raised the minimum required Podman version to +1.4.0, and made the '--dns none' and '--no-hosts' options a hard +requirement. The minimum required Podman version was again raised +recently in commit 8e80dd5db1e6f40b to 1.6.4. 
Therefore, these days, +there's no need to separately use the --monitor-host option of +'init-container' for newly created containers to indicate that the +Podman version wasn't older than 1.2.0. + +Given all this, it's time to stop using the --monitor-host option of +'init-container', and assume that it's always set. The option is still +accepted to retain compatibility with existing Toolbx containers. + +For containers that were created with the --monitor-host option, a +deprecation notice will be shown as: + $ podman start --attach CONTAINER + Flag --monitor-host has been deprecated, it does nothing + ... + +https://github.com/containers/toolbox/pull/617 +--- + doc/toolbox-init-container.1.md | 32 +++--------- + src/cmd/create.go | 1 - + src/cmd/initContainer.go | 86 ++++++++++++++++----------------- + 3 files changed, 49 insertions(+), 70 deletions(-) + +diff --git a/doc/toolbox-init-container.1.md b/doc/toolbox-init-container.1.md +index 45c9a77939f2..51a7b1ee643d 100644 +--- a/doc/toolbox-init-container.1.md ++++ b/doc/toolbox-init-container.1.md +@@ -9,7 +9,6 @@ toolbox\-init\-container - Initialize a running container + *--home-link* + *--media-link* + *--mnt-link* +- *--monitor-host* + *--shell SHELL* + *--uid UID* + *--user USER* +@@ -76,31 +75,12 @@ Make `/mnt` a symbolic link to `/var/mnt`. + + **--monitor-host** + +-Ensures that certain configuration files inside the toolbox container are kept +-synchronized with their counterparts on the host, and bind mounts some paths +-from the host's file system into the container. 
+- +-The synchronized files are: +- +-- `/etc/host.conf` +-- `/etc/hosts` +-- `/etc/localtime` +-- `/etc/resolv.conf` +-- `/etc/timezone` +- +-The bind mounted paths are: +- +-- `/etc/machine-id` +-- `/run/libvirt` +-- `/run/systemd/journal` +-- `/run/systemd/resolve` +-- `/run/udev/data` +-- `/tmp` +-- `/var/lib/flatpak` +-- `/var/lib/libvirt` +-- `/var/lib/systemd/coredump` +-- `/var/log/journal` +-- `/var/mnt` ++Deprecated, does nothing. ++ ++Crucial configuration files inside the toolbox container are always kept ++synchronized with their counterparts on the host, and various subsets of the ++host's file system hierarchy are always bind mounted to their corresponding ++locations inside the toolbox container. + + **--shell** SHELL + +diff --git a/src/cmd/create.go b/src/cmd/create.go +index 2a103f01ed2d..6cec99258847 100644 +--- a/src/cmd/create.go ++++ b/src/cmd/create.go +@@ -393,7 +393,6 @@ func createContainer(container, image, release, authFile string, showCommandToEn + "--shell", userShell, + "--uid", currentUser.Uid, + "--user", currentUser.Username, +- "--monitor-host", + } + + entryPoint = append(entryPoint, slashHomeLink...) 
+diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go +index c4cd1b02d298..cb132bffc817 100644 +--- a/src/cmd/initContainer.go ++++ b/src/cmd/initContainer.go +@@ -107,8 +107,12 @@ func init() { + + flags.BoolVar(&initContainerFlags.monitorHost, + "monitor-host", +- false, +- "Ensure that certain configuration files inside the toolbox container are in sync with the host") ++ true, ++ "Deprecated, does nothing") ++ if err := flags.MarkDeprecated("monitor-host", "it does nothing"); err != nil { ++ panicMsg := fmt.Sprintf("cannot mark --monitor-host as deprecated: %s", err) ++ panic(panicMsg) ++ } + + flags.StringVar(&initContainerFlags.shell, + "shell", +@@ -163,59 +167,55 @@ func initContainer(cmd *cobra.Command, args []string) error { + + defer toolboxEnvFile.Close() + +- if initContainerFlags.monitorHost { +- logrus.Debug("Monitoring host") +- +- if utils.PathExists("/run/host/etc") { +- logrus.Debug("Path /run/host/etc exists") +- +- if _, err := os.Readlink("/etc/host.conf"); err != nil { +- if err := redirectPath("/etc/host.conf", +- "/run/host/etc/host.conf", +- false); err != nil { +- return err +- } +- } ++ if utils.PathExists("/run/host/etc") { ++ logrus.Debug("Path /run/host/etc exists") + +- if _, err := os.Readlink("/etc/hosts"); err != nil { +- if err := redirectPath("/etc/hosts", +- "/run/host/etc/hosts", +- false); err != nil { +- return err +- } ++ if _, err := os.Readlink("/etc/host.conf"); err != nil { ++ if err := redirectPath("/etc/host.conf", ++ "/run/host/etc/host.conf", ++ false); err != nil { ++ return err + } ++ } + +- if localtimeTarget, err := os.Readlink("/etc/localtime"); err != nil || +- localtimeTarget != "/run/host/etc/localtime" { +- if err := redirectPath("/etc/localtime", +- "/run/host/etc/localtime", +- false); err != nil { +- return err +- } ++ if _, err := os.Readlink("/etc/hosts"); err != nil { ++ if err := redirectPath("/etc/hosts", ++ "/run/host/etc/hosts", ++ false); err != nil { ++ return err + } ++ } + +- if 
err := updateTimeZoneFromLocalTime(); err != nil { ++ if localtimeTarget, err := os.Readlink("/etc/localtime"); err != nil || ++ localtimeTarget != "/run/host/etc/localtime" { ++ if err := redirectPath("/etc/localtime", ++ "/run/host/etc/localtime", ++ false); err != nil { + return err + } ++ } ++ ++ if err := updateTimeZoneFromLocalTime(); err != nil { ++ return err ++ } + +- if _, err := os.Readlink("/etc/resolv.conf"); err != nil { +- if err := redirectPath("/etc/resolv.conf", +- "/run/host/etc/resolv.conf", +- false); err != nil { +- return err +- } ++ if _, err := os.Readlink("/etc/resolv.conf"); err != nil { ++ if err := redirectPath("/etc/resolv.conf", ++ "/run/host/etc/resolv.conf", ++ false); err != nil { ++ return err + } ++ } + +- for _, mount := range initContainerMounts { +- if err := mountBind(mount.containerPath, mount.source, mount.flags); err != nil { +- return err +- } ++ for _, mount := range initContainerMounts { ++ if err := mountBind(mount.containerPath, mount.source, mount.flags); err != nil { ++ return err + } ++ } + +- if utils.PathExists("/sys/fs/selinux") { +- if err := mountBind("/sys/fs/selinux", "/usr/share/empty", ""); err != nil { +- return err +- } ++ if utils.PathExists("/sys/fs/selinux") { ++ if err := mountBind("/sys/fs/selinux", "/usr/share/empty", ""); err != nil { ++ return err + } + } + } +-- +2.41.0 + + +From 66a791ff10234023b858b7a28dd98985b054eca1 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Tue, 7 Mar 2023 16:13:04 +0100 +Subject: [PATCH 3/5] cmd/initContainer: Bind mount locations regardless of + /run/host/etc + +Bind mounting the locations at runtime doesn't really have anything to +do with whether /run/host/etc is present inside the Toolbx container. + +The only possible exception could have been /etc/machine-id, but it +isn't, because the bind mount is only performed if the source at +/run/host/etc/machine-id is present. 
+ +This is a historical mistake that has persisted for a long time, since, +in practice, /run/host/etc will almost always exist inside the Toolbx +container. It's time to finally correct it. + +Fallout from 9436bbece01d7aa4dc91b4013ed9f80d0b8d34f4 + +https://github.com/containers/toolbox/pull/1255 +--- + src/cmd/initContainer.go | 24 ++++++++++++------------ + 1 file changed, 12 insertions(+), 12 deletions(-) + +diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go +index cb132bffc817..153e5ccb824e 100644 +--- a/src/cmd/initContainer.go ++++ b/src/cmd/initContainer.go +@@ -206,18 +206,6 @@ func initContainer(cmd *cobra.Command, args []string) error { + return err + } + } +- +- for _, mount := range initContainerMounts { +- if err := mountBind(mount.containerPath, mount.source, mount.flags); err != nil { +- return err +- } +- } +- +- if utils.PathExists("/sys/fs/selinux") { +- if err := mountBind("/sys/fs/selinux", "/usr/share/empty", ""); err != nil { +- return err +- } +- } + } + + if initContainerFlags.mediaLink { +@@ -236,6 +224,18 @@ func initContainer(cmd *cobra.Command, args []string) error { + } + } + ++ for _, mount := range initContainerMounts { ++ if err := mountBind(mount.containerPath, mount.source, mount.flags); err != nil { ++ return err ++ } ++ } ++ ++ if utils.PathExists("/sys/fs/selinux") { ++ if err := mountBind("/sys/fs/selinux", "/usr/share/empty", ""); err != nil { ++ return err ++ } ++ } ++ + if _, err := user.Lookup(initContainerFlags.user); err != nil { + if err := configureUsers(initContainerFlags.uid, + initContainerFlags.user, +-- +2.41.0 + + +From d416f1b4abd0782526c011b078442856c733e718 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Tue, 15 Aug 2023 20:57:46 +0200 +Subject: [PATCH 4/5] cmd/initContainer: Simplify code by removing a function + parameter + +Until now, configureUsers() was pushing the burden of deciding whether +to add a new user or modify an existing one on the callers, even though +it can trivially decide 
itself. Involving the caller loosens the +encapsulation of the user configuration logic by spreading it across +configureUsers() and it's caller, and adds an extra function parameter +that needs to be carefully set and is vulnerable to programmer errors. + +Fallout from 9ea6fe5852ea8f5225114d825e8e6813e2a3cfea + +https://github.com/containers/toolbox/pull/1356 +--- + src/cmd/initContainer.go | 62 ++++++++++++++++------------------------ + 1 file changed, 24 insertions(+), 38 deletions(-) + +diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go +index 153e5ccb824e..02c389635378 100644 +--- a/src/cmd/initContainer.go ++++ b/src/cmd/initContainer.go +@@ -236,24 +236,12 @@ func initContainer(cmd *cobra.Command, args []string) error { + } + } + +- if _, err := user.Lookup(initContainerFlags.user); err != nil { +- if err := configureUsers(initContainerFlags.uid, +- initContainerFlags.user, +- initContainerFlags.home, +- initContainerFlags.shell, +- initContainerFlags.homeLink, +- false); err != nil { +- return err +- } +- } else { +- if err := configureUsers(initContainerFlags.uid, +- initContainerFlags.user, +- initContainerFlags.home, +- initContainerFlags.shell, +- initContainerFlags.homeLink, +- true); err != nil { +- return err +- } ++ if err := configureUsers(initContainerFlags.uid, ++ initContainerFlags.user, ++ initContainerFlags.home, ++ initContainerFlags.shell, ++ initContainerFlags.homeLink); err != nil { ++ return err + } + + if utils.PathExists("/etc/krb5.conf.d") && !utils.PathExists("/etc/krb5.conf.d/kcm_default_ccache") { +@@ -386,9 +374,7 @@ func initContainerHelp(cmd *cobra.Command, args []string) { + } + } + +-func configureUsers(targetUserUid int, +- targetUser, targetUserHome, targetUserShell string, +- homeLink, targetUserExists bool) error { ++func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShell string, homeLink bool) error { + if homeLink { + if err := redirectPath("/home", "/var/home", true); err != nil { 
+ return err +@@ -400,45 +386,45 @@ func configureUsers(targetUserUid int, + return fmt.Errorf("failed to get group for sudo: %w", err) + } + +- if targetUserExists { +- logrus.Debugf("Modifying user %s with UID %d:", targetUser, targetUserUid) ++ if _, err := user.Lookup(targetUser); err != nil { ++ logrus.Debugf("Adding user %s with UID %d:", targetUser, targetUserUid) + +- usermodArgs := []string{ +- "--append", ++ useraddArgs := []string{ + "--groups", sudoGroup, +- "--home", targetUserHome, ++ "--home-dir", targetUserHome, ++ "--no-create-home", + "--shell", targetUserShell, + "--uid", fmt.Sprint(targetUserUid), + targetUser, + } + +- logrus.Debug("usermod") +- for _, arg := range usermodArgs { ++ logrus.Debug("useradd") ++ for _, arg := range useraddArgs { + logrus.Debugf("%s", arg) + } + +- if err := shell.Run("usermod", nil, nil, nil, usermodArgs...); err != nil { +- return fmt.Errorf("failed to modify user %s with UID %d: %w", targetUser, targetUserUid, err) ++ if err := shell.Run("useradd", nil, nil, nil, useraddArgs...); err != nil { ++ return fmt.Errorf("failed to add user %s with UID %d: %w", targetUser, targetUserUid, err) + } + } else { +- logrus.Debugf("Adding user %s with UID %d:", targetUser, targetUserUid) ++ logrus.Debugf("Modifying user %s with UID %d:", targetUser, targetUserUid) + +- useraddArgs := []string{ ++ usermodArgs := []string{ ++ "--append", + "--groups", sudoGroup, +- "--home-dir", targetUserHome, +- "--no-create-home", ++ "--home", targetUserHome, + "--shell", targetUserShell, + "--uid", fmt.Sprint(targetUserUid), + targetUser, + } + +- logrus.Debug("useradd") +- for _, arg := range useraddArgs { ++ logrus.Debug("usermod") ++ for _, arg := range usermodArgs { + logrus.Debugf("%s", arg) + } + +- if err := shell.Run("useradd", nil, nil, nil, useraddArgs...); err != nil { +- return fmt.Errorf("failed to add user %s with UID %d: %w", targetUser, targetUserUid, err) ++ if err := shell.Run("usermod", nil, nil, nil, usermodArgs...); err 
!= nil { ++ return fmt.Errorf("failed to modify user %s with UID %d: %w", targetUser, targetUserUid, err) + } + } + +-- +2.41.0 + + +From e673dc792438c64683237d26b21d005ffb008fd5 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Tue, 22 Aug 2023 23:29:43 +0200 +Subject: [PATCH 5/5] cmd/initContainer: Simplify removing the user's password + +It's one less invocation of an external command, which is good because +spawning a new process is generally expensive. + +One positive side-effect of this is that on some Active Directory +set-ups, the entry point no longer fails with: + Error: failed to remove password for user login@company.com: failed + to invoke passwd(1) + +... because of: + # passwd --delete login@company.com + passwd: Libuser error at line: 210 - name contains invalid char `@'. + +This is purely an accident, and isn't meant to be an intential change to +support Active Directory. Tools like useradd(8) and usermod(8) from +Shadow aren't meant to work with Active Directory users, and, hence, it +can still break in other ways. For that, one option is to expose $USER +from the host operating system to the Toolbx container through a Varlink +interface that can be used by nss-systemd inside the container. + +Based on an idea from Si. 
+ +https://github.com/containers/toolbox/issues/585 +--- + src/cmd/initContainer.go | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go +index 02c389635378..91b53cee7d0d 100644 +--- a/src/cmd/initContainer.go ++++ b/src/cmd/initContainer.go +@@ -393,6 +393,7 @@ func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShe + "--groups", sudoGroup, + "--home-dir", targetUserHome, + "--no-create-home", ++ "--password", "", + "--shell", targetUserShell, + "--uid", fmt.Sprint(targetUserUid), + targetUser, +@@ -413,6 +414,7 @@ func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShe + "--append", + "--groups", sudoGroup, + "--home", targetUserHome, ++ "--password", "", + "--shell", targetUserShell, + "--uid", fmt.Sprint(targetUserUid), + targetUser, +@@ -428,12 +430,6 @@ func configureUsers(targetUserUid int, targetUser, targetUserHome, targetUserShe + } + } + +- logrus.Debugf("Removing password for user %s", targetUser) +- +- if err := shell.Run("passwd", nil, nil, nil, "--delete", targetUser); err != nil { +- return fmt.Errorf("failed to remove password for user %s: %w", targetUser, err) +- } +- + logrus.Debug("Removing password for user root") + + if err := shell.Run("passwd", nil, nil, nil, "--delete", "root"); err != nil { +-- +2.41.0 + diff --git a/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch b/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch new file mode 100644 index 0000000..adf39a3 --- /dev/null +++ b/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch 
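Review bot: The two `"--password", ""` entries added to `useraddArgs` and `usermodArgs` in PATCH 5/5 carry no comment saying that the empty value is deliberate, and the `Removing password for user %s` debug line that used to mark this step is removed together with the passwd(1) call. useradd(8) and usermod(8) take this argument as an already-encrypted value, so an empty string should leave the account with an empty password field; a reader who does not know that could take it for an unset placeholder. I would add above each entry a comment such as `// Empty on purpose: $USER must be able to authenticate without a password inside the container`, and keep a `logrus.Debugf` line naming the user so the step still shows up in the entry point's debug output. `configureUsers` starts and ends outside both hunks, so this is based only on the argument lists shown.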
@@ -0,0 +1,76 @@
+From 1fde98456652ddbcb750ade2121c5ceec93fbfae Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Thu, 13 Jul 2023 13:08:40 +0200
+Subject: [PATCH] cmd/initContainer: Be aware of security hardened mount points
+
+Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump
+and /var/log/journal sit on security hardened mount points that are
+marked as 'nosuid,nodev,noexec' [1]. In such cases, when Toolbx is used
+rootless, an attempt to bind mount these locations read-only at runtime
+with mount(8) fails because of permission problems:
+ # mount --rbind -o ro
+ mount: : filesystem was mounted, but any subsequent
+ operation failed: Unknown error 5005.
+
+(Note that the above error message from mount(8) was subsequently
+improved to show something more meaningful than 'Unknown error' [2].)
+
+The problem is that 'init-container' is running inside the container's
+mount and user namespace, and the source paths were mounted inside the
+host's namespace with 'nosuid,nodev,noexec'. The above mount(8) call
+tries to remove the 'nosuid,nodev,noexec' flags from the mount point and
+replace them with only 'ro', which is something that can't be done from
+a child namespace.
+
+Note that this doesn't fail when Toolbx is running as root. This is
+because the container uses the host's user namespace and is able to
+remove the 'nosuid,nodev,noexec' flags from the mount point and replace
+them with only 'ro'. Even though it doesn't fail, the flags shouldn't
+get replaced like that inside the container, because it removes the
+security hardening of those mount points.
+
+There's actually no benefit in bind mounting these paths as read-only.
+It was historically done this way 'just to be safe' because a user isn't
+expected to write to these locations from inside a container. However,
+Toolbx doesn't intend to provide any heightened security beyond what's
+already available on the host.
+
+Hence, it's better to get out of the way and leave it to the permissions
+on the source location from the host operating system to guard the
+castle. This is accomplished by not passing any file system options to
+mount(8) [1].
+
+Based on an idea from Si.
+
+[1] https://man7.org/linux/man-pages/man8/mount.8.html
+
+[2] util-linux commit 9420ca34dc8b6f0f
+ https://github.com/util-linux/util-linux/commit/9420ca34dc8b6f0f
+ https://github.com/util-linux/util-linux/pull/2376
+
+https://github.com/containers/toolbox/issues/911
+---
+ src/cmd/initContainer.go | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
+index 465ac063b210..c4cd1b02d298 100644
+--- a/src/cmd/initContainer.go
++++ b/src/cmd/initContainer.go
+@@ -62,10 +62,10 @@ var (
+ {"/run/udev/data", "/run/host/run/udev/data", ""},
+ {"/run/udev/tags", "/run/host/run/udev/tags", ""},
+ {"/tmp", "/run/host/tmp", "rslave"},
+- {"/var/lib/flatpak", "/run/host/var/lib/flatpak", "ro"},
++ {"/var/lib/flatpak", "/run/host/var/lib/flatpak", ""},
+ {"/var/lib/libvirt", "/run/host/var/lib/libvirt", ""},
+- {"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", "ro"},
+- {"/var/log/journal", "/run/host/var/log/journal", "ro"},
++ {"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", ""},
++ {"/var/log/journal", "/run/host/var/log/journal", ""},
+ {"/var/mnt", "/run/host/var/mnt", "rslave"},
+ }
+ )
+--
+2.41.0
+
diff --git a/toolbox.conf b/toolbox.conf
deleted file mode 100644
index f612e2f..0000000
--- a/toolbox.conf
+++ /dev/null
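Review bot: The three entries that lose `"ro"` in the mount table (`/var/lib/flatpak`, `/var/lib/systemd/coredump`, `/var/log/journal`) now carry an empty options field with nothing in the code saying that this is deliberate, so a later cleanup could restore `ro` and bring back the failure on `nosuid,nodev,noexec` mount points. I would add a comment above those entries, e.g. `// No "ro" here: remounting from the container's namespace fails on, or (when run as root) strips, the host's nosuid,nodev,noexec flags.` With the option gone, write access to the host's journal and coredump directories from inside the container rests solely on the host's file permissions, which by the commit message's own account matters most when Toolbx runs as root; that trade-off deserves a line in the user documentation as well. The `var (...)` block starts outside the hunk.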
@@ -1,17 +0,0 @@
-[general]
-# Create a toolbox container for a different operating system distro than the
-# host. Cannot be used with 'image'.
-## distro = "fedora"
-
-# Create a toolbox container for a different operating system release than the
-# host. Cannot be used with 'image'.
-## release = "33"
-
-# Change the name of the image used to create the toolbox container. This is
-# useful for creating containers from custom-built images. Cannot be used with
-# 'distro' or 'release'.
-#
-# If the name does not contain a registry, the local image storage will be
-# consulted, and if it's not present there then it will be pulled from a
-# suitable remote registry.
-image = "registry.access.redhat.com/ubi9/toolbox:latest"
diff --git a/toolbox.rpmlintrc b/toolbox.rpmlintrc
deleted file mode 100644
index 150b710..0000000
--- a/toolbox.rpmlintrc
+++ /dev/null
@@ -1 +0,0 @@
-addFilter(r'no-%check-section')
diff --git a/toolbox.spec b/toolbox.spec
index 09e3785..913b748 100644
--- a/toolbox.spec
+++ b/toolbox.spec
@@ -1,122 +1,155 @@ %global __brp_check_rpaths %{nil} -%if 0%{?rhel} -%if 0%{?rhel} <= 9 -%{!?bash_completions_dir: %global bash_completions_dir %{_datadir}/bash-completion/completions} -%{!?fish_completions_dir: %global fish_completions_dir %{_datadir}/fish/vendor_completions.d} -%{!?zsh_completions_dir: %global zsh_completions_dir %{_datadir}/zsh/site-functions} -%endif -%endif - - Name: toolbox -Version: 0.3 +Version: 0.0.99.4 %global goipath github.com/containers/%{name} -%if 0%{?fedora} -%gometa -f -%endif - -%if 0%{?rhel} -%if 0%{?rhel} <= 9 +%if 0%{?rhel} == 9 %gometa %else %gometa -f %endif -%endif - -%global toolbx_go 1.22 - -%if 0%{?fedora} -%global toolbx_go 1.24.7 -%endif - -%if 0%{?rhel} -%if 0%{?rhel} == 9 -%global toolbx_go 1.22.5 -%elif 0%{?rhel} == 10 -%global toolbx_go 1.22.5 -%elif 0%{?rhel} > 10 -%global toolbx_go 1.24.4 -%endif -%endif Release: 2%{?dist} -Summary: Tool for interactive command line environments on Linux +Summary: Tool for containerized command line environments on Linux -License: Apache-2.0 +License: ASL 2.0 URL: https://containertoolbx.org/ Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}-vendored.tar.xz -# RHEL specific -Source1: %{name}.conf +# Upstream +Patch0: toolbox-Don-t-use-podman-1-when-generating-the-comp.patch +Patch1: toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch +Patch2: toolbox-Simplify-removing-the-user-s-password.patch # Fedora specific -Patch100: toolbox-Make-the-build-flags-match-Fedora.patch - -# RHEL specific -Patch200: toolbox-Make-the-build-flags-match-RHEL-9.patch -Patch201: toolbox-Make-the-build-flags-match-RHEL-10.patch -Patch202: toolbox-Add-migration-paths-for-coreos-toolbox-users.patch +Patch100: toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch +Patch101: toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch BuildRequires: gcc BuildRequires: go-md2man -BuildRequires: golang >= %{toolbx_go} -BuildRequires: meson 
>= 0.58.0 -BuildRequires: pkgconfig(bash-completion) -BuildRequires: shadow-utils-subid-devel >= 4.16.0 -BuildRequires: systemd -BuildRequires: systemd-rpm-macros +BuildRequires: golang >= 1.19.4 %if ! 0%{?rhel} -BuildRequires: pkgconfig(fish) +BuildRequires: golang(github.com/HarryMichal/go-version) >= 1.0.1 +BuildRequires: golang(github.com/acobaugh/osrelease) >= 0.1.0 +BuildRequires: golang(github.com/briandowns/spinner) >= 1.17.0 +BuildRequires: golang(github.com/docker/go-units) >= 0.4.0 +BuildRequires: golang(github.com/fsnotify/fsnotify) >= 1.5.1 +BuildRequires: golang(github.com/godbus/dbus) >= 5.0.6 +BuildRequires: golang(github.com/sirupsen/logrus) >= 1.8.1 +BuildRequires: golang(github.com/spf13/cobra) >= 1.3.0 +BuildRequires: golang(github.com/spf13/viper) >= 1.10.1 +BuildRequires: golang(golang.org/x/sys/unix) +BuildRequires: golang(golang.org/x/term) # for tests # BuildRequires: codespell +# BuildRequires: golang(github.com/stretchr/testify) >= 1.7.0 # BuildRequires: ShellCheck %endif - -Recommends: p11-kit-server -Recommends: skopeo -%if ! 0%{?rhel} -Recommends: fuse-overlayfs -%endif +BuildRequires: meson >= 0.58.0 +BuildRequires: pkgconfig(bash-completion) +BuildRequires: pkgconfig(fish) +BuildRequires: shadow-utils-subid-devel +BuildRequires: systemd +BuildRequires: systemd-rpm-macros Requires: containers-common Requires: flatpak-session-helper -Requires: podman >= 1.6.4 -Requires: shadow-utils-subid%{?_isa} >= 4.16.0 +Requires: podman >= 1.4.0 %description -Toolbx is a tool for Linux, which allows the use of interactive command line -environments for software development and troubleshooting the host operating -system, without having to install software on the host. It is built on top of -Podman and other standard container technologies from OCI. +Toolbox is a tool for Linux operating systems, which allows the use of +containerized command line environments. It is built on top of Podman and +other standard container technologies from OCI. 
-Toolbx environments have seamless access to the user's home directory, the -Wayland and X11 sockets, networking (including Avahi), removable devices (like -USB sticks), systemd journal, SSH agent, D-Bus, ulimits, /dev and the udev -database, etc.. +%if ! 0%{?rhel} +# The list of requires packages for -support and -experience should be in sync with: +# https://github.com/containers/toolbox/blob/master/images/fedora/f33/extra-packages +%package support +Summary: Required packages for the container image to support %{name} + +# These are really required to make the image work with toolbox +Requires: passwd +Requires: shadow-utils +Requires: util-linux +Requires: vte-profile + +%description support +The %{name}-support package contains all the required packages that are needed +to be installed in the OCI image to make it work with %{name}. + +The %{name}-support package should be typically installed from the Dockerfile +if the image isn't based on the fedora-toolbox image. + + +%package experience +Summary: Set of packages to enhance the %{name} experience + +Requires: %{name}-support = %{version}-%{release} +Requires: bash-completion +Requires: bc +Requires: bzip2 +Requires: diffutils +Requires: dnf-plugins-core +Requires: findutils +Requires: flatpak-spawn +Requires: fpaste +Requires: git +Requires: gnupg +Requires: gnupg2-smime +Requires: gvfs-client +Requires: hostname +Requires: iproute +Requires: iputils +Requires: jwhois +Requires: keyutils +Requires: krb5-libs +Requires: less +Requires: lsof +Requires: man-db +Requires: man-pages +Requires: mtr +Requires: nano-default-editor +Requires: nss-mdns +Requires: openssh-clients +Requires: pigz +Requires: procps-ng +Requires: rsync +Requires: sudo +Requires: tcpdump +Requires: time +Requires: traceroute +Requires: tree +Requires: unzip +Requires: wget +Requires: which +Requires: words +Requires: xorg-x11-xauth +Requires: xz +Requires: zip + +%description experience +The %{name}-experience package contains all the 
packages that should be +installed in the container to provide the same default experience as working +on the host. + +The %{name}-experience package should be typically installed from the +Dockerfile if the image isn't based on the fedora-toolbox image. + +%endif %package tests Summary: Tests for %{name} Requires: %{name}%{?_isa} = %{version}-%{release} +Requires: bats Requires: coreutils -Requires: diffutils -# for gdbus(1) -Requires: glib2 +Requires: gawk Requires: grep -# for htpasswd(1) -Requires: httpd-tools -Requires: openssl -Requires: python3 Requires: skopeo -%if ! 0%{?rhel} -Requires: bats >= 1.10.0 -%endif - %description tests The %{name}-tests package contains system tests for %{name}. @@ -124,42 +157,28 @@ The %{name}-tests package contains system tests for %{name}. %prep %setup -q +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 -%if 0%{?fedora} -%patch -P100 -p1 +%ifnarch ppc64 +%patch100 -p1 +%else +%patch101 -p1 %endif -%if 0%{?rhel} -%if 0%{?rhel} == 9 -%patch -P200 -p1 -%endif - -%if 0%{?rhel} >= 10 -%patch -P201 -p1 -%endif - -%if 0%{?rhel} <= 9 -%patch -P202 -p1 -%endif -%endif - -%gomkdir -s %{_builddir}/%{extractdir}/src -k +%gomkdir -s %{_builddir}/%{extractdir}/src %{?rhel:-k} %build +export %{gomodulesmode} +export GOPATH=%{gobuilddir}:%{gopath} export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64" %meson \ -%if 0%{?rhel} - -Dfish_completions_dir=%{fish_completions_dir} \ -%if 0%{?rhel} <= 9 - -Dmigration_path_for_coreos_toolbox=true \ -%endif -%endif -Dprofile_dir=%{_sysconfdir}/profile.d \ -Dtmpfiles_dir=%{_tmpfilesdir} \ - -Dzsh_completions_dir=%{zsh_completions_dir} - + -Dzsh_completions_dir=%{_datadir}/zsh/site-functions %meson_build 
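Review bot: The new `%prep` lines apply patches with the numbered form (`%patch0 -p1`, `%patch1 -p1`, `%patch2 -p1`, `%patch100 -p1`, `%patch101 -p1`), which is deprecated in RPM 4.18 and no longer accepted by RPM 4.20, whereas `%patch -P0 -p1` works on old and new releases alike. I would write `%patch -P0 -p1`, `%patch -P1 -p1`, `%patch -P2 -p1` and likewise `-P100`/`-P101`. Patch1 and Patch2 are the two backports that change mount options and how the container user's password is cleared, so a short comment naming the upstream issue next to each `PatchN:` line (declared in the previous hunk) would help whoever rebases this package.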
@@ -170,181 +189,50 @@ export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_ %install %meson_install -%if 0%{?rhel} -%if 0%{?rhel} <= 9 -install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf -%endif -%endif - %files -%doc CODE-OF-CONDUCT.md CONTRIBUTING.md GOALS.md NEWS README.md SECURITY.md -%license COPYING src/vendor/modules.txt +%doc CODE-OF-CONDUCT.md NEWS README.md SECURITY.md +%license COPYING %{?rhel:src/vendor/modules.txt} %{_bindir}/%{name} +%{_datadir}/bash-completion +%{_datadir}/fish +%{_datadir}/zsh %{_mandir}/man1/%{name}.1* %{_mandir}/man1/%{name}-*.1* %{_mandir}/man5/%{name}.conf.5* %config(noreplace) %{_sysconfdir}/containers/%{name}.conf %{_sysconfdir}/profile.d/%{name}.sh %{_tmpfilesdir}/%{name}.conf -%{bash_completions_dir}/%{name}.bash -%{fish_completions_dir}/%{name}.fish -%{zsh_completions_dir}/_%{name} +%if ! 0%{?rhel} + +%files support + +%files experience + +%endif %files tests %{_datadir}/%{name} %changelog -* Fri Oct 10 2025 Alejandro Sáez - 0.3-2 -- rebuild - -* Wed Sep 17 2025 Debarshi Ray - 0.3-1 -- Update to 0.3 - -* Fri Aug 15 2025 Maxwell G - 0.2-2 -- Rebuild for golang-1.25.0 - -* Sat Aug 09 2025 Debarshi Ray - 0.2-1 -- Update to 0.2 -- Fix CVE-2025-23266, CVE-2025-23267, and GHSA-fv92-fjc5-jj9h or GO-2025-3787 - -* Fri Jul 25 2025 Fedora Release Engineering - 0.1.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild - -* Tue Jun 03 2025 Debarshi Ray - 0.1.2-1 -- Update to 0.1.2 - -* Wed Jan 22 2025 Debarshi Ray - 0.1.1-3 -- Use RPM macros for shell completions and clean up directory ownership - -* Sun Jan 19 2025 Fedora Release Engineering - 0.1.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild - -* Mon Nov 04 2024 Debarshi Ray - 0.1.1-1 -- Update to 0.1.1 - -* Tue Oct 22 2024 Debarshi Ray - 0.1.0-1 -- Update to 0.1.0 - -* Wed Oct 16 2024 Debarshi Ray - 0.0.99.6-6 -- Recommend fuse-overlayfs because old containers created with it need it 
- -* Mon Oct 07 2024 Debarshi Ray - 0.0.99.6-5 -- Don't use slirp4netns(1) in tests to work around bug in pasta(1) - -* Fri Oct 04 2024 Debarshi Ray - 0.0.99.6-4 -- Use the fedora-toolbox:40 image for Fedora Asahi Remix hosts - -* Thu Oct 03 2024 Debarshi Ray - 0.0.99.6-3 -- Unbreak the downstream Fedora CI - -* Wed Oct 02 2024 Debarshi Ray - 0.0.99.6-2 -- Silence 'rpminspect --tests=elf' - -* Mon Sep 30 2024 Debarshi Ray - 0.0.99.6-1 -- Update to 0.0.99.6 - -* Thu Sep 12 2024 Debarshi Ray - 0.0.99.5-18 -- Rebuild against shadow-utils-subid ABI version 5.0.0 - -* Thu Aug 08 2024 Debarshi Ray - 0.0.99.5-17 -- Ensure slirp4netns(1) is installed - -* Wed Jul 31 2024 Debarshi Ray - 0.0.99.5-16 -- Avoid running out of storage space when running the tests - -* Fri Jul 26 2024 Adam Williamson - 0.0.99.5-15 -- Fix CI test (hopefully) - -* Sat Jul 20 2024 Fedora Release Engineering - 0.0.99.5-14 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild - -* Thu Jul 11 2024 Debarshi Ray - 0.0.99.5-13 -- Silence 'rpminspect --tests=stack-prot' - -* Thu Jul 11 2024 Debarshi Ray - 0.0.99.5-12 -- Silence 'rpminspect --tests=annocheck' (part 2) - -* Tue May 07 2024 Debarshi Ray - 0.0.99.5-11 -- Unbreak the tests with Podman 5.0 - -* Tue Mar 26 2024 Debarshi Ray - 0.0.99.5-10 -- Specify the golang versions for RHEL 9 and 10 - -* Tue Mar 05 2024 Debarshi Ray - 0.0.99.5-9 -- Conditionalize the BuildRequires on golang - -* Tue Feb 27 2024 Debarshi Ray - 0.0.99.5-8 -- Unbreak Podman's downstream Fedora CI (part 2) -- Backport some new upstream tests - -* Tue Feb 13 2024 Debarshi Ray - 0.0.99.5-7 -- Unbreak Podman's downstream Fedora CI -- Update the BuildRequires on golang to reflect reality - -* Sun Feb 11 2024 Maxwell G - 0.0.99.5-6 -- Rebuild for golang 1.22.0 - -* Wed Feb 07 2024 Debarshi Ray - 0.0.99.5-5 -- Migrate to SPDX license - -* Sat Jan 27 2024 Fedora Release Engineering - 0.0.99.5-4 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild - -* Thu 
Jan 11 2024 Debarshi Ray - 0.0.99.5-3 -- Drop 'Recommends: subscription-manager' - -* Tue Dec 19 2023 Debarshi Ray - 0.0.99.5-2 -- Drop the experience and support subpackages - -* Tue Dec 19 2023 Debarshi Ray - 0.0.99.5-1 -- Update to 0.0.99.5 - -* Tue Dec 19 2023 Debarshi Ray - 0.0.99.4-10 -- Require openssl(1) for the system tests in the tests subpackage - -* Wed Dec 06 2023 Adam Williamson - 0.0.99.4-9 -- tests subpackage: require httpd-tools for htpasswd - -* Tue Dec 05 2023 Debarshi Ray - 0.0.99.4-8 -- Fix the conditionals for 'if RHEL <= 9' - -* Thu Nov 30 2023 Debarshi Ray - 0.0.99.4-7 -- Track the active container on Fedora Linux Asahi Remix - -* Thu Nov 09 2023 Debarshi Ray - 0.0.99.4-6 -- Drop the custom /etc/containers/toolbox.conf from RHEL 10 onwards - -* Mon Oct 02 2023 Debarshi Ray - 0.0.99.4-5 -- Drop github.com/coreos/toolbox compatibility from RHEL 10 onwards - -* Mon Oct 02 2023 Debarshi Ray - 0.0.99.4-4 +* Fri Nov 10 2023 Debarshi Ray - 0.0.99.4-2 - Be aware of security hardened mount points - Simplify removing the user's password -* Sat Jul 22 2023 Fedora Release Engineering - 0.0.99.4-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Wed Mar 8 2023 Nieves Montero - 0.0.99.4-2 -- Sprinkle a debug log - * Wed Feb 22 2023 Debarshi Ray - 0.0.99.4-1 - Update to 0.0.99.4 -* Wed Feb 22 2023 Martin Jackson - 0.0.99.3-12 +* Wed Feb 22 2023 Martin Jackson - 0.0.99.3-11 - Fix the ExclusiveArch -* Tue Feb 21 2023 Debarshi Ray - 0.0.99.3-11 +* Tue Feb 21 2023 Debarshi Ray - 0.0.99.3-10 - Add ExclusiveArch to match Podman -* Thu Feb 02 2023 Yaakov Selkowitz - 0.0.99.3-10 +* Thu Feb 02 2023 Yaakov Selkowitz - 0.0.99.3-9 - Sync packaging changes from CentOS Stream -* Sat Jan 21 2023 Fedora Release Engineering - 0.0.99.3-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - * Thu Dec 22 2022 Yaakov Selkowitz - 0.0.99.3-8 - Use vendored dependencies for RHEL/ELN builds