Update to 0.0.99.3

Debarshi Ray 2021-12-10 04:46:24 +01:00
parent 70f5d2352c
commit 08f687ebe2
6 changed files with 72 additions and 569 deletions

.gitignore

@ -27,3 +27,4 @@
/toolbox-0.0.99.2^1.git9820550c82bb.tar.xz
/toolbox-0.0.99.2^2.git40fbd377ed0b.tar.xz
/toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz
/toolbox-0.0.99.3.tar.xz


@ -1 +1 @@
SHA512 (toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz) = e9ebb306fa3fe72dede4d08e1428dbfde12fe44274b4ea7cd356cba28a90daff728c4182f13e20f8a05603aeefb4cf484611805dac2776ab38c37764e6069c5d
SHA512 (toolbox-0.0.99.3.tar.xz) = d9e4bd1cc7667b6ecdcf25a2c3ad7d7d67cc997168a41e668c936d2de24db774331a78a1b4a06b63e7cef8e0dc4ac5651591b6d9cec0d8e81be2b2dd64854dca
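Review bot: the replaced SHA512 line switches from the snapshot tarball to toolbox-0.0.99.3.tar.xz, and this hash is the only integrity check the build system applies to the source it downloads, so it should be confirmed against the tarball fetched from the release URL that the spec's Source0 now names (not a locally regenerated archive, which need not be byte-identical), and the commit message should say how it was verified.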


@ -1,537 +0,0 @@
From 452dc797f7ef12235e4ede83735f5d554f54b012 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Thu, 21 Oct 2021 18:59:45 +0200
Subject: [PATCH 1/5] tmpfiles.d: Style fix
The subsequent commit will add an entry to create a /run/host symbolic
link on the host that points to /, and it will require explicitly
skipping some of the columns. Doing the same for the existing entry
will make the file more readable.
https://github.com/containers/toolbox/issues/821
---
data/tmpfiles.d/toolbox.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf
index f22b64a0f97c..bdffe7c09639 100644
--- a/data/tmpfiles.d/toolbox.conf
+++ b/data/tmpfiles.d/toolbox.conf
@@ -1 +1 @@
-d /run/media 0755 root root
+d /run/media 0755 root root - -
--
2.31.1
From 6063eb27b98939942e316771224c5653a9b2e59b Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Thu, 21 Oct 2021 20:22:11 +0200
Subject: [PATCH 2/5] build: Ensure that binaries are run against their
build-time ABI
The /usr/bin/toolbox binary is not only used to interact with toolbox
containers and images from the host. It's also used as the entry point
of the containers by bind mounting the binary from the host into the
container. This means that the /usr/bin/toolbox binary on the host must
also work inside the container, even if they have different operating
systems.
In the past, this worked perfectly well with the POSIX shell
implementation because it got intepreted by whichever /bin/sh was
available. However, the Go implementation, can run into ABI
compatibility issues because binaries built on newer toolchains aren't
meant to be run against older runtimes.
The previous approach [1] of restricting the versions of the glibc
symbols that are linked against isn't actually supported by glibc, and
breaks if the early process start-up code changes. This is seen in
glibc-2.34, which is used by Fedora 35 onwards, where a new version of
the __libc_start_main symbol [2] was added as part of some security
hardening:
$ objdump -T ./usr/bin/toolbox | grep GLIBC_2.34
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34
__libc_start_main
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34
pthread_detach
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34
pthread_create
0000000000000000 DF *UND* 0000000000000000 GLIBC_2.34
pthread_attr_getstacksize
This means that /usr/bin/toolbox binaries built against glibc-2.34 on
newer Fedoras fail to run against older glibcs in older Fedoras.
Another option is to make the host's runtime available inside the
toolbox container and ensure that the binary always runs against it.
Luckily, almost all supported containers have the host's /usr available
at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to
/run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing
the path of the dynamic linker (ie., PT_INTERP) to the one inside
/run/host.
Unfortunately, there can only be one PT_INTERP entry inside the
binary, so there must be a /run/host on the host too. Therefore, a
/run/host symbolic link is created on the host that points to the
host's /.
Based on ideas from Alexander Larsson and Ray Strode.
[1] Commit 6ad9c631806961f3
https://github.com/containers/toolbox/pull/534
[2] glibc commit 035c012e32c11e84
https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84
https://sourceware.org/bugzilla/show_bug.cgi?id=23323
https://github.com/containers/toolbox/issues/821
---
data/tmpfiles.d/toolbox.conf | 1 +
meson.build | 8 ++----
playbooks/setup-env.yaml | 1 +
src/go-build-wrapper | 17 ++++++++++---
src/libc-wrappers/libc-wrappers.c | 42 -------------------------------
src/libc-wrappers/meson.build | 8 ------
src/meson.build | 4 ---
7 files changed, 18 insertions(+), 63 deletions(-)
delete mode 100644 src/libc-wrappers/libc-wrappers.c
delete mode 100644 src/libc-wrappers/meson.build
diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf
index bdffe7c09639..0ddb1f08830d 100644
--- a/data/tmpfiles.d/toolbox.conf
+++ b/data/tmpfiles.d/toolbox.conf
@@ -1 +1,2 @@
d /run/media 0755 root root - -
+L /run/host - - - - ../
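Review bot: the new `L /run/host - - - - ../` entry uses a relative target, so it points at / only because the entry lives directly under /run; a comment in toolbox.conf stating that, and that the link exists so the host binary's PT_INTERP under /run/host also resolves on the host, would make the intent clear. Since the type is `L` rather than `L+`, systemd-tmpfiles leaves an existing /run/host alone, which is the right behaviour inside a container where /run/host is already a bind-mounted directory.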
diff --git a/meson.build b/meson.build
index b580c10fe7d8..ae228ee287d5 100644
--- a/meson.build
+++ b/meson.build
@@ -1,17 +1,13 @@
project(
'toolbox',
- 'c',
version: '0.0.99.2',
license: 'ASL 2.0',
- meson_version: '>= 0.42.0',
+ meson_version: '>= 0.53.0',
)
-cc = meson.get_compiler('c')
-add_project_arguments('-pthread', language: 'c')
-add_project_link_arguments('-pthread', language: 'c')
-
go = find_program('go')
go_md2man = find_program('go-md2man')
+patchelf = find_program('patchelf')
shellcheck = find_program('shellcheck', required: false)
skopeo = find_program('skopeo', required: false)
diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
index 5644f1ab01b4..7ac9b46ee3ad 100644
--- a/playbooks/setup-env.yaml
+++ b/playbooks/setup-env.yaml
@@ -13,6 +13,7 @@
- golang-github-cpuguy83-md2man
- meson
- ninja-build
+ - patchelf
- podman
- skopeo
- systemd
diff --git a/src/go-build-wrapper b/src/go-build-wrapper
index 0d27120da052..677dca94bd5a 100755
--- a/src/go-build-wrapper
+++ b/src/go-build-wrapper
@@ -16,9 +16,9 @@
#
-if [ "$#" -ne 4 ]; then
+if [ "$#" -ne 3 ]; then
echo "go-build-wrapper: wrong arguments" >&2
- echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION] [libc-wrappers.a]" >&2
+ echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION]" >&2
exit 1
fi
@@ -27,5 +27,16 @@ if ! cd "$1"; then
exit 1
fi
-go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
+go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
+
+if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
+ echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2
+ exit 1
+fi
+
+if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then
+ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2
+ exit 1
+fi
+
exit "$?"
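Review bot: the `go build` invocation in this hunk no longer has its exit status checked: it used to be followed directly by `exit "$?"`, but now a failed build is only noticed when `patchelf --print-interpreter` cannot read the missing $2/toolbox, which yields the misleading "failed to read PT_INTERP" message. Wrap it as `if ! go build ...; then echo "go-build-wrapper: go build failed" >&2; exit 1; fi`, and replace the trailing `exit "$?"` with `exit 0`, because after an `if` whose branch did not run the status is 0 anyway.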
diff --git a/src/libc-wrappers/libc-wrappers.c b/src/libc-wrappers/libc-wrappers.c
deleted file mode 100644
index 7b402bc2fe78..000000000000
--- a/src/libc-wrappers/libc-wrappers.c
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright © 2020 2021 Red Hat Inc.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-
-#include <signal.h>
-
-
-#if defined __aarch64__
-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17");
-#elif defined __arm__
-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.4");
-#elif defined __i386__
-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.0");
-#elif defined __powerpc64__ && _CALL_ELF == 2 /* ppc64le */
-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17");
-#elif defined __s390x__
-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2");
-#elif defined __x86_64__
-__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2.5");
-#else
-#error "Please specify symbol version for pthread_sigmask"
-#endif
-
-
-int
-__wrap_pthread_sigmask (int how, const sigset_t *set, sigset_t *oldset)
-{
- return pthread_sigmask (how, set, oldset);
-}
diff --git a/src/libc-wrappers/meson.build b/src/libc-wrappers/meson.build
deleted file mode 100644
index 3984ce449c57..000000000000
--- a/src/libc-wrappers/meson.build
+++ /dev/null
@@ -1,8 +0,0 @@
-sources = files(
- 'libc-wrappers.c',
-)
-
-libc_wrappers = static_library(
- 'c-wrappers',
- sources,
-)
diff --git a/src/meson.build b/src/meson.build
index f76606da3271..759db1f1e900 100644
--- a/src/meson.build
+++ b/src/meson.build
@@ -1,5 +1,3 @@
-subdir('libc-wrappers')
-
go_build_wrapper_file = files('go-build-wrapper')
go_build_wrapper_program = find_program('go-build-wrapper')
@@ -28,9 +26,7 @@ custom_target(
meson.current_source_dir(),
meson.current_build_dir(),
meson.project_version(),
- libc_wrappers.full_path(),
],
- depends: libc_wrappers,
input: sources,
install: true,
install_dir: get_option('bindir'),
--
2.31.1
From c33075f3e1c0bad9883caa8d8f7c8ca3d947d2ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
Date: Fri, 22 Oct 2021 15:21:41 +0300
Subject: [PATCH 3/5] playbooks: Unify test setup for system & unit tests
There is no significant benefit in keeping this configuration separated.
Now the to-be installed packages are tracked in a single place and the
test playbooks only call the relevant tests.
This was pointed out by in 6063eb27b98939942e316771224c5653a9b2e59b
https://github.com/containers/toolbox/pull/898
---
.zuul.yaml | 1 +
playbooks/setup-env.yaml | 18 ++++++++++++++++++
playbooks/system-test.yaml | 24 +-----------------------
playbooks/unit-test.yaml | 21 ---------------------
4 files changed, 20 insertions(+), 44 deletions(-)
diff --git a/.zuul.yaml b/.zuul.yaml
index 1ec2f59738eb..1543b8a04b51 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -7,6 +7,7 @@
nodes:
- name: ci-node-33
label: cloud-fedora-33-small
+ pre-run: playbooks/setup-env.yaml
run: playbooks/unit-test.yaml
- job:
diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
index 7ac9b46ee3ad..460ca9977a9e 100644
--- a/playbooks/setup-env.yaml
+++ b/playbooks/setup-env.yaml
@@ -40,3 +40,21 @@
- name: Show podman debug information
command: podman info --debug
+
+ - name: Set up build directory
+ command: meson builddir
+ args:
+ chdir: '{{ zuul.project.src_dir }}'
+
+ - name: Build Toolbox
+ command: ninja -C builddir
+ args:
+ chdir: '{{ zuul.project.src_dir }}'
+ creates: builddir/src/toolbox
+
+ - name: Install Toolbox
+ become: yes
+ command: ninja -C builddir install
+ args:
+ chdir: '{{ zuul.project.src_dir }}'
+ creates: /usr/local/bin/toolbox
diff --git a/playbooks/system-test.yaml b/playbooks/system-test.yaml
index c2eff3f0d77a..0249548acc5d 100644
--- a/playbooks/system-test.yaml
+++ b/playbooks/system-test.yaml
@@ -1,32 +1,10 @@
---
- hosts: all
-
- vars:
- toolbox_bin: '/usr/local/bin/toolbox'
-
tasks:
- - name: Set up build directory
- command: meson builddir
- args:
- chdir: '{{ zuul.project.src_dir }}'
-
- - name: Build Toolbox
- command: ninja -C builddir
- args:
- chdir: '{{ zuul.project.src_dir }}'
- creates: builddir/src/toolbox
-
- - name: Install Toolbox
- become: yes
- command: ninja -C builddir install
- args:
- chdir: '{{ zuul.project.src_dir }}'
- creates: '{{ toolbox_bin }}'
-
- name: Run system tests
command: bats --timing ./test/system
environment:
PODMAN: '/usr/bin/podman'
- TOOLBOX: '{{ toolbox_bin }}'
+ TOOLBOX: '/usr/local/bin/toolbox'
args:
chdir: '{{ zuul.project.src_dir }}'
diff --git a/playbooks/unit-test.yaml b/playbooks/unit-test.yaml
index 9be98e7bd86a..2212521c5b9e 100644
--- a/playbooks/unit-test.yaml
+++ b/playbooks/unit-test.yaml
@@ -1,27 +1,6 @@
---
- hosts: all
tasks:
- - name: Install requirements
- become: yes
- package:
- name:
- - golang
- - golang-github-cpuguy83-md2man
- - ninja-build
- - meson
- - ShellCheck
-
- - name: Set up build directory
- command: meson builddir
- args:
- chdir: '{{ zuul.project.src_dir }}'
-
- - name: Build Toolbox
- command: ninja -C builddir
- args:
- chdir: '{{ zuul.project.src_dir }}'
- creates: builddir/src/toolbox
-
- name: Test
command: ninja -C builddir test
args:
--
2.31.1
From 69ffc888ca9d481f9f208179949c179d12078501 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
Date: Fri, 22 Oct 2021 15:25:20 +0300
Subject: [PATCH 4/5] playbooks: Fix CI for #897
PR #897 made adjustmnets to the Toolbx binary that it requires presence
of /run/host in both the host filesystem and the filesystem in
a container.
The presence of the directory is assured by systemd-tmpfiles by
running it before the binary is started for the first time. For the run
to be effective 'data/tmpfiles.d/toolbox.conf' has to be installed in
a location visible to systemd-tmpfiles. Therefore, the call to
'systemd-tmpfiles --create' had to be placed after the install step.
https://github.com/containers/toolbox/pull/898
---
playbooks/setup-env.yaml | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
index 460ca9977a9e..2f858bcf722c 100644
--- a/playbooks/setup-env.yaml
+++ b/playbooks/setup-env.yaml
@@ -26,14 +26,8 @@
args:
chdir: '{{ zuul.project.src_dir }}'
- - name: Setup environment
- become: yes
- command:
- cmd: systemd-tmpfiles --create
- creates: /run/media
-
- name: Check versions of crucial packages
- command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper
+ command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper patchelf
- name: Show podman versions
command: podman version
@@ -58,3 +52,10 @@
args:
chdir: '{{ zuul.project.src_dir }}'
creates: /usr/local/bin/toolbox
+
+ - name: Setup environment
+ become: yes
+ command:
+ cmd: systemd-tmpfiles --create
+ creates: /run/media
+ creates: /run/host
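Review bot: the `command:` mapping in this hunk ends up with two `creates:` keys (`/run/media` and `/run/host`); a YAML mapping cannot hold duplicate keys, and Ansible's loader warns about them and keeps only the last value, so the /run/media guard silently disappears. Keep a single `creates: /run/host` (the path this series introduces; /run/media is created by the same systemd-tmpfiles run) or move the second guard into a separate `stat` task.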
--
2.31.1
From 5429d5e099af96f7af1f9be58ba354fe332b59e9 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Mon, 25 Oct 2021 02:55:09 +0200
Subject: [PATCH 5/5] build: Restore backwards compatibility with existing
containers
The path of the dynamic linker (ie., PT_INTERP), as specified in an
architecture's ABI, often starts with /lib or /lib64, not /usr/lib or
/usr/lib64. eg., it's /lib/ld-linux-aarch64.so.1 for aarch64 and
/lib64/ld-linux-x86-64.so.2 for x86_64.
Unfortunately, until very recently [1], only the host's /usr was
present inside a toolbox container's /run/host, not /lib or /lib64.
Therefore, simply prepending /run/host to the /usr/bin/toolbox
binary's existing PT_INTERP entry wouldn't locate the host's dynamic
linker inside the toolbox container. This broke backwards compatibility
with every container out there, except the ones created with the
current development version in Git.
To restore backwards compatibility, the /lib and /lib64 symbolic links
must be resolved to their respective locations inside /usr.
The following caveats must be noted:
* With glibc, even the basename of the path of the dynamic linker as
specified in an architecture's ABI, is a symbolic link to a file
named ld-<glibc-version>.so. However, this file can't be used as
the PT_INTERP entry, because its name will change when glibc is
updated and the PT_INTERP entry will become invalid until the
/usr/bin/toolbox binary is rebuilt.
* On Debian, a path like /lib64/ld-linux-x86-64.so.2 doesn't resolve
to something inside /usr/lib64. Instead it ends up inside
/usr/lib/x86_64-linux-gnu through a series of symbolic links:
- /lib64 -> usr/lib64
- /usr/lib64/ld-linux-x86-64.so.2
-> /lib/x86_64-linux-gnu/ld-2.28.so
- /lib -> usr/lib
* It's assumed that a symbolic link with the basename specified in
the ABI lives in the same directory as the actual dynamic linker
binary named ld-<glibc-version>.so.
Fallout from 6063eb27b98939942e316771224c5653a9b2e59b
[1] Commit d03a5fee80f2f72d
https://github.com/containers/toolbox/pull/827
https://github.com/containers/toolbox/issues/821
---
src/go-build-wrapper | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/go-build-wrapper b/src/go-build-wrapper
index 677dca94bd5a..24eac674c9ac 100755
--- a/src/go-build-wrapper
+++ b/src/go-build-wrapper
@@ -34,8 +34,25 @@ if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
exit 1
fi
-if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then
- echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2
+if ! interpreter_canonical=$(readlink --canonicalize "$interpreter"); then
+ echo "go-build-wrapper: failed to canonicalize PT_INTERP" >&2
+ exit 1
+fi
+
+if ! interpreter_basename=$(basename "$interpreter"); then
+ echo "go-build-wrapper: failed to read the basename of PT_INTERP" >&2
+ exit 1
+fi
+
+if ! interpreter_canonical_dirname=$(dirname "$interpreter_canonical"); then
+ echo "go-build-wrapper: failed to read the dirname of the canonicalized PT_INTERP" >&2
+ exit 1
+fi
+
+interpreter="/run/host$interpreter_canonical_dirname/$interpreter_basename"
+
+if ! patchelf --set-interpreter "$interpreter" "$2/toolbox"; then
+ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to $interpreter" >&2
exit 1
fi
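Review bot: `readlink --canonicalize "$interpreter"` resolves the dynamic linker on the build machine, so the PT_INTERP written here bakes in that machine's layout together with the commit message's assumption that an ABI-named symlink sits next to ld-<glibc-version>.so; add a check that "$interpreter_canonical_dirname/$interpreter_basename" exists before calling `patchelf --set-interpreter`, so a build on a layout that breaks the assumption fails here instead of producing a binary that cannot be executed on first run. Reusing `$interpreter` for the new path also means the error message for a failed `--set-interpreter` no longer shows the original PT_INTERP; a separate `new_interpreter` variable keeps both visible.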
--
2.31.1


@ -1,4 +1,4 @@
From df2d42ec5aee27f9f92ce7825d020425c2dac885 Mon Sep 17 00:00:00 2001
From 32aa30a17358598f568991a5375f6182e4135648 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Mon, 29 Jun 2020 17:57:47 +0200
Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} for
@ -20,23 +20,44 @@ Note that these flags are only meant for the "ppc64" CPU architecture,
and should be kept updated to match Fedora's Go guidelines. Use
'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
---
src/go-build-wrapper | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
src/go-build-wrapper | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/go-build-wrapper b/src/go-build-wrapper
index 677dca94bd5a..e6e9caf1049e 100755
index ef4aafc8b024..f8ea8370792c 100755
--- a/src/go-build-wrapper
+++ b/src/go-build-wrapper
@@ -27,7 +27,8 @@ if ! cd "$1"; then
@@ -32,9 +32,9 @@ if ! cd "$1"; then
exit 1
fi
-go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
+unset LDFLAGS
+go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox"
-tags=""
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
if $6; then
- tags="-tags migration_path_for_coreos_toolbox"
+ tags="$tags,migration_path_for_coreos_toolbox"
fi
if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2
if ! libc_dir=$("$4" --print-file-name=libc.so); then
@@ -69,11 +69,16 @@ fi
dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
+unset LDFLAGS
+
# shellcheck disable=SC2086
go build \
+ -compiler gc \
$tags \
- -trimpath \
- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
+ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
+ -a \
+ -v \
+ -x \
-o "$2/toolbox"
exit "$?"
--
2.31.1
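Review bot: `unset LDFLAGS` immediately precedes a `go build` line that expands `${LDFLAGS:-}`, so that expansion is always empty; either the unset should go (if the package's LDFLAGS are meant to reach the Go linker) or the expansion should, and the commit message should say which. The rewritten command also drops `-trimpath`, which the message does not mention: without it, build-tree paths are embedded in the binary and surface in panic traces. The random `-B 0x...` build id taken from /dev/urandom matches %{gobuild} but makes the binary non-reproducible, which is worth stating alongside the hardening flags it brings in.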


@ -1,4 +1,4 @@
From 18cbc514c8b776c855a24cdcf8b326d592322d44 Mon Sep 17 00:00:00 2001
From 6d913f1fbd6e609957bb01273504b2f479e1b546 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Mon, 29 Jun 2020 17:57:47 +0200
Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild}
@ -19,23 +19,45 @@ Note that these flags are meant for every CPU architecture other than
PPC64, and should be kept updated to match Fedora's Go guidelines. Use
'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
---
src/go-build-wrapper | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
src/go-build-wrapper | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/src/go-build-wrapper b/src/go-build-wrapper
index 677dca94bd5a..581d5c82cf2f 100755
index ef4aafc8b024..4354beceb215 100755
--- a/src/go-build-wrapper
+++ b/src/go-build-wrapper
@@ -27,7 +27,8 @@ if ! cd "$1"; then
@@ -32,9 +32,9 @@ if ! cd "$1"; then
exit 1
fi
-go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
+unset LDFLAGS
+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox"
-tags=""
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
if $6; then
- tags="-tags migration_path_for_coreos_toolbox"
+ tags="$tags,migration_path_for_coreos_toolbox"
fi
if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2
if ! libc_dir=$("$4" --print-file-name=libc.so); then
@@ -69,11 +69,17 @@ fi
dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
+unset LDFLAGS
+
# shellcheck disable=SC2086
go build \
+ -buildmode pie \
+ -compiler gc \
$tags \
- -trimpath \
- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
+ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
+ -a \
+ -v \
+ -x \
-o "$2/toolbox"
exit "$?"
--
2.31.1
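Review bot: this variant differs from the ppc64 one by adding `-buildmode pie`; together with `-Wl,-z,relro -Wl,-z,now` in -extldflags that yields a position-independent executable with full RELRO, whereas the ppc64 binary, built without PIE, keeps a fixed load address. The split is deliberate, as the two commit messages say, but since the spec chooses between the two patch files with `%ifnarch ppc64`, a one-line note in each message naming the hardening flag that is absent on ppc64 and why would keep the two files from drifting apart in future rebases.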


@ -1,23 +1,18 @@
%global __brp_check_rpaths %{nil}
Name: toolbox
Version: 0.0.99.2^3.git075b9a8d2779
Version: 0.0.99.3
%global goipath github.com/containers/%{name}
%gometa
Release: 9%{?dist}
Release: 1%{?dist}
Summary: Tool for containerized command line environments on Linux
License: ASL 2.0
URL: https://github.com/containers/%{name}
# https://github.com/containers/%%{name}/releases/download/%%{version}/%%{name}-%%{version}.tar.xz
# Snapshot tarball
Source0: %{name}-%{version}.tar.xz
# https://bugzilla.redhat.com/show_bug.cgi?id=1995439
Patch0: toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch
Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz
# Fedora specific
Patch100: toolbox-Don-t-use-Go-s-semantic-import-versioning.patch
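Review bot: `%global __brp_check_rpaths %{nil}` at the top of this hunk disables the RPATH check for every binary in the package; it is needed because the build wrapper links with `-Wl,-rpath,/run/host...`, but a comment beside it should say so and state why it is safe (the path goes through the /run/host symlink to the host's own root-owned /usr, not to a directory an unprivileged user could populate), because catching exactly such user-writable library search paths is what the check exists for.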
@ -39,7 +34,6 @@ BuildRequires: golang(github.com/sirupsen/logrus) >= 1.4.2
BuildRequires: golang(github.com/spf13/cobra) >= 0.0.5
BuildRequires: golang(golang.org/x/sys/unix)
BuildRequires: meson
BuildRequires: patchelf
BuildRequires: pkgconfig(bash-completion)
BuildRequires: systemd
@ -61,6 +55,7 @@ Summary: Required packages for the container image to support %{name}
# These are really required to make the image work with toolbox
Requires: passwd
Requires: shadow-utils
Requires: util-linux
Requires: vte-profile
%description support
@ -97,7 +92,6 @@ Requires: less
Requires: lsof
Requires: man-db
Requires: man-pages
Requires: mlocate
Requires: mtr
Requires: nano-default-editor
Requires: nss-mdns
@ -143,7 +137,6 @@ The %{name}-tests package contains system tests for %{name}.
%prep
%setup -q
%patch0 -p1
%patch100 -p1
%ifnarch ppc64
@ -193,6 +186,9 @@ ln -s src/pkg pkg
%changelog
* Fri Dec 10 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.3-1
- Update to 0.0.99.3
* Mon Oct 25 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-9
- Restore backwards compatibility with existing containers