Update to 0.0.99.3

2021-12-10 04:46:24 +01:00 · 2021-12-10 04:46:24 +01:00 · 08f687ebe2
commit 08f687ebe2
parent 70f5d2352c
6 changed files with 72 additions and 569 deletions
--- a/.gitignore
+++ b/.gitignore
@ -27,3 +27,4 @@
 /toolbox-0.0.99.2^1.git9820550c82bb.tar.xz
 /toolbox-0.0.99.2^2.git40fbd377ed0b.tar.xz
 /toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz
 /toolbox-0.0.99.3.tar.xz
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz) = e9ebb306fa3fe72dede4d08e1428dbfde12fe44274b4ea7cd356cba28a90daff728c4182f13e20f8a05603aeefb4cf484611805dac2776ab38c37764e6069c5d
+SHA512 (toolbox-0.0.99.3.tar.xz) = d9e4bd1cc7667b6ecdcf25a2c3ad7d7d67cc997168a41e668c936d2de24db774331a78a1b4a06b63e7cef8e0dc4ac5651591b6d9cec0d8e81be2b2dd64854dca
--- a/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch
+++ b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch
@ -1,537 +0,0 @@
 From 452dc797f7ef12235e4ede83735f5d554f54b012 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Thu, 21 Oct 2021 18:59:45 +0200
 Subject: [PATCH 1/5] tmpfiles.d: Style fix
 The subsequent commit will add an entry to create a /run/host symbolic
 link on the host that points to /, and it will require explicitly
 skipping some of the columns. Doing the same for the existing entry
 will make the file more readable.
 https://github.com/containers/toolbox/issues/821
 ---
 data/tmpfiles.d/toolbox.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf
 index f22b64a0f97c..bdffe7c09639 100644
 --- a/data/tmpfiles.d/toolbox.conf
 +++ b/data/tmpfiles.d/toolbox.conf
@@ -1 +1 @@
 -d /run/media 0755 root root
 +d /run/media 0755 root root - -
 -- 
 2.31.1
 From 6063eb27b98939942e316771224c5653a9b2e59b Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Thu, 21 Oct 2021 20:22:11 +0200
 Subject: [PATCH 2/5] build: Ensure that binaries are run against their
 build-time ABI
 The /usr/bin/toolbox binary is not only used to interact with toolbox
 containers and images from the host. It's also used as the entry point
 of the containers by bind mounting the binary from the host into the
 container. This means that the /usr/bin/toolbox binary on the host must
 also work inside the container, even if they have different operating
 systems.
 In the past, this worked perfectly well with the POSIX shell
 implementation because it got intepreted by whichever /bin/sh was
 available. However, the Go implementation, can run into ABI
 compatibility issues because binaries built on newer toolchains aren't
 meant to be run against older runtimes.
 The previous approach [1] of restricting the versions of the glibc
 symbols that are linked against isn't actually supported by glibc, and
 breaks if the early process start-up code changes. This is seen in
 glibc-2.34, which is used by Fedora 35 onwards, where a new version of
 the __libc_start_main symbol [2] was added as part of some security
 hardening:
  $ objdump -T ./usr/bin/toolbox | grep GLIBC_2.34
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    __libc_start_main
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_detach
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_create
  0000000000000000      DF *UND*	0000000000000000  GLIBC_2.34
    pthread_attr_getstacksize
 This means that /usr/bin/toolbox binaries built against glibc-2.34 on
 newer Fedoras fail to run against older glibcs in older Fedoras.
 Another option is to make the host's runtime available inside the
 toolbox container and ensure that the binary always runs against it.
 Luckily, almost all supported containers have the host's /usr available
 at /run/host/usr. This is exploited by embedding RPATHs or RUNPATHs to
 /run/host/usr/lib and /run/host/usr/lib64 in the binary, and changing
 the path of the dynamic linker (ie., PT_INTERP) to the one inside
 /run/host.
 Unfortunately, there can only be one PT_INTERP entry inside the
 binary, so there must be a /run/host on the host too. Therefore, a
 /run/host symbolic link is created on the host that points to the
 host's /.
 Based on ideas from Alexander Larsson and Ray Strode.
 [1] Commit 6ad9c631806961f3
    https://github.com/containers/toolbox/pull/534
 [2] glibc commit 035c012e32c11e84
    https://sourceware.org/git/?p=glibc.git;a=commit;h=035c012e32c11e84
    https://sourceware.org/bugzilla/show_bug.cgi?id=23323
 https://github.com/containers/toolbox/issues/821
 ---
 data/tmpfiles.d/toolbox.conf      |  1 +
 meson.build                       |  8 ++----
 playbooks/setup-env.yaml          |  1 +
 src/go-build-wrapper              | 17 ++++++++++---
 src/libc-wrappers/libc-wrappers.c | 42 -------------------------------
 src/libc-wrappers/meson.build     |  8 ------
 src/meson.build                   |  4 ---
 7 files changed, 18 insertions(+), 63 deletions(-)
 delete mode 100644 src/libc-wrappers/libc-wrappers.c
 delete mode 100644 src/libc-wrappers/meson.build
 diff --git a/data/tmpfiles.d/toolbox.conf b/data/tmpfiles.d/toolbox.conf
 index bdffe7c09639..0ddb1f08830d 100644
 --- a/data/tmpfiles.d/toolbox.conf
 +++ b/data/tmpfiles.d/toolbox.conf
@@ -1 +1,2 @@
 d /run/media 0755 root root - -
 +L /run/host  -    -    -    - ../
 diff --git a/meson.build b/meson.build
 index b580c10fe7d8..ae228ee287d5 100644
 --- a/meson.build
 +++ b/meson.build
@@ -1,17 +1,13 @@
 project(
   'toolbox',
 -  'c',
   version: '0.0.99.2',
   license: 'ASL 2.0',
 -  meson_version: '>= 0.42.0',
 +  meson_version: '>= 0.53.0',
 )
 -cc = meson.get_compiler('c')
 -add_project_arguments('-pthread', language: 'c')
 -add_project_link_arguments('-pthread', language: 'c')
 -
 go = find_program('go')
 go_md2man = find_program('go-md2man')
 +patchelf = find_program('patchelf')
 shellcheck = find_program('shellcheck', required: false)
 skopeo = find_program('skopeo', required: false)
 diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
 index 5644f1ab01b4..7ac9b46ee3ad 100644
 --- a/playbooks/setup-env.yaml
 +++ b/playbooks/setup-env.yaml
@@ -13,6 +13,7 @@
           - golang-github-cpuguy83-md2man
           - meson
           - ninja-build
 +          - patchelf
           - podman
           - skopeo
           - systemd
 diff --git a/src/go-build-wrapper b/src/go-build-wrapper
 index 0d27120da052..677dca94bd5a 100755
 --- a/src/go-build-wrapper
 +++ b/src/go-build-wrapper
@@ -16,9 +16,9 @@
 #
 -if [ "$#" -ne 4 ]; then
 +if [ "$#" -ne 3 ]; then
     echo "go-build-wrapper: wrong arguments" >&2
 -    echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION] [libc-wrappers.a]" >&2
 +    echo "Usage: go-build-wrapper [SOURCE DIR] [OUTPUT DIR] [VERSION]" >&2
     exit 1
 fi
@@ -27,5 +27,16 @@ if ! cd "$1"; then
     exit 1
 fi
 -go build -trimpath -ldflags "-extldflags '-Wl,--wrap,pthread_sigmask $4' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
 +go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
 +
 +if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
 +    echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2
 +    exit 1
 +fi
 +
 +if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then
 +    echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2
 +    exit 1
 +fi
 +
 exit "$?"
 diff --git a/src/libc-wrappers/libc-wrappers.c b/src/libc-wrappers/libc-wrappers.c
 deleted file mode 100644
 index 7b402bc2fe78..000000000000
 --- a/src/libc-wrappers/libc-wrappers.c
 +++ /dev/null
@@ -1,42 +0,0 @@
 -/*
 - * Copyright © 2020 – 2021 Red Hat Inc.
 - *
 - * Licensed under the Apache License, Version 2.0 (the "License");
 - * you may not use this file except in compliance with the License.
 - * You may obtain a copy of the License at
 - *
 - *    http://www.apache.org/licenses/LICENSE-2.0
 - *
 - * Unless required by applicable law or agreed to in writing, software
 - * distributed under the License is distributed on an "AS IS" BASIS,
 - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 - * See the License for the specific language governing permissions and
 - * limitations under the License.
 - */
 -
 -
 -#include <signal.h>
 -
 -
 -#if defined __aarch64__
 -__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17");
 -#elif defined __arm__
 -__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.4");
 -#elif defined __i386__
 -__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.0");
 -#elif defined __powerpc64__ && _CALL_ELF == 2 /* ppc64le */
 -__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.17");
 -#elif defined __s390x__
 -__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2");
 -#elif defined __x86_64__
 -__asm__(".symver pthread_sigmask,pthread_sigmask@GLIBC_2.2.5");
 -#else
 -#error "Please specify symbol version for pthread_sigmask"
 -#endif
 -
 -
 -int
 -__wrap_pthread_sigmask (int how, const sigset_t *set, sigset_t *oldset)
 -{
 -  return pthread_sigmask (how, set, oldset);
 -}
 diff --git a/src/libc-wrappers/meson.build b/src/libc-wrappers/meson.build
 deleted file mode 100644
 index 3984ce449c57..000000000000
 --- a/src/libc-wrappers/meson.build
 +++ /dev/null
@@ -1,8 +0,0 @@
 -sources = files(
 -  'libc-wrappers.c',
 -)
 -
 -libc_wrappers = static_library(
 -  'c-wrappers',
 -  sources,
 -)
 diff --git a/src/meson.build b/src/meson.build
 index f76606da3271..759db1f1e900 100644
 --- a/src/meson.build
 +++ b/src/meson.build
@@ -1,5 +1,3 @@
 -subdir('libc-wrappers')
 -
 go_build_wrapper_file = files('go-build-wrapper')
 go_build_wrapper_program = find_program('go-build-wrapper')
@@ -28,9 +26,7 @@ custom_target(
     meson.current_source_dir(),
     meson.current_build_dir(),
     meson.project_version(),
 -    libc_wrappers.full_path(),
   ],
 -  depends: libc_wrappers,
   input: sources,
   install: true,
   install_dir: get_option('bindir'),
 -- 
 2.31.1
 From c33075f3e1c0bad9883caa8d8f7c8ca3d947d2ea Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
 Date: Fri, 22 Oct 2021 15:21:41 +0300
 Subject: [PATCH 3/5] playbooks: Unify test setup for system & unit tests
 There is no significant benefit in keeping this configuration separated.
 Now the to-be installed packages are tracked in a single place and the
 test playbooks only call the relevant tests.
 This was pointed out by in 6063eb27b98939942e316771224c5653a9b2e59b
 https://github.com/containers/toolbox/pull/898
 ---
 .zuul.yaml                 |  1 +
 playbooks/setup-env.yaml   | 18 ++++++++++++++++++
 playbooks/system-test.yaml | 24 +-----------------------
 playbooks/unit-test.yaml   | 21 ---------------------
 4 files changed, 20 insertions(+), 44 deletions(-)
 diff --git a/.zuul.yaml b/.zuul.yaml
 index 1ec2f59738eb..1543b8a04b51 100644
 --- a/.zuul.yaml
 +++ b/.zuul.yaml
@@ -7,6 +7,7 @@
       nodes:
         - name: ci-node-33
           label: cloud-fedora-33-small
 +    pre-run: playbooks/setup-env.yaml
     run: playbooks/unit-test.yaml
 - job:
 diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
 index 7ac9b46ee3ad..460ca9977a9e 100644
 --- a/playbooks/setup-env.yaml
 +++ b/playbooks/setup-env.yaml
@@ -40,3 +40,21 @@
     - name: Show podman debug information
       command: podman info --debug
 +
 +    - name: Set up build directory
 +      command: meson builddir
 +      args:
 +        chdir: '{{ zuul.project.src_dir }}'
 +
 +    - name: Build Toolbox
 +      command: ninja -C builddir
 +      args:
 +        chdir: '{{ zuul.project.src_dir }}'
 +        creates: builddir/src/toolbox
 +
 +    - name: Install Toolbox
 +      become: yes
 +      command: ninja -C builddir install
 +      args:
 +        chdir: '{{ zuul.project.src_dir }}'
 +        creates: /usr/local/bin/toolbox
 diff --git a/playbooks/system-test.yaml b/playbooks/system-test.yaml
 index c2eff3f0d77a..0249548acc5d 100644
 --- a/playbooks/system-test.yaml
 +++ b/playbooks/system-test.yaml
@@ -1,32 +1,10 @@
 ---
 - hosts: all
 -
 -  vars:
 -    toolbox_bin: '/usr/local/bin/toolbox'
 -
   tasks:
 -    - name: Set up build directory
 -      command: meson builddir
 -      args:
 -        chdir: '{{ zuul.project.src_dir }}'
 -
 -    - name: Build Toolbox
 -      command: ninja -C builddir
 -      args:
 -        chdir: '{{ zuul.project.src_dir }}'
 -        creates: builddir/src/toolbox
 -
 -    - name: Install Toolbox
 -      become: yes
 -      command: ninja -C builddir install
 -      args:
 -        chdir: '{{ zuul.project.src_dir }}'
 -        creates: '{{ toolbox_bin }}'
 -
     - name: Run system tests
       command: bats --timing ./test/system
       environment:
         PODMAN: '/usr/bin/podman'
 -        TOOLBOX: '{{ toolbox_bin }}'
 +        TOOLBOX: '/usr/local/bin/toolbox'
       args:
         chdir: '{{ zuul.project.src_dir }}'
 diff --git a/playbooks/unit-test.yaml b/playbooks/unit-test.yaml
 index 9be98e7bd86a..2212521c5b9e 100644
 --- a/playbooks/unit-test.yaml
 +++ b/playbooks/unit-test.yaml
@@ -1,27 +1,6 @@
 ---
 - hosts: all
   tasks:
 -    - name: Install requirements
 -      become: yes
 -      package:
 -        name:
 -          - golang
 -          - golang-github-cpuguy83-md2man
 -          - ninja-build
 -          - meson
 -          - ShellCheck
 -
 -    - name: Set up build directory
 -      command: meson builddir
 -      args:
 -        chdir: '{{ zuul.project.src_dir }}'
 -
 -    - name: Build Toolbox
 -      command: ninja -C builddir
 -      args:
 -        chdir: '{{ zuul.project.src_dir }}'
 -        creates: builddir/src/toolbox
 -
     - name: Test
       command: ninja -C builddir test
       args:
 -- 
 2.31.1
 From 69ffc888ca9d481f9f208179949c179d12078501 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
 Date: Fri, 22 Oct 2021 15:25:20 +0300
 Subject: [PATCH 4/5] playbooks: Fix CI for #897
 PR #897 made adjustmnets to the Toolbx binary that it requires presence
 of /run/host in both the host filesystem and the filesystem in
 a container.
 The presence of the directory is assured by systemd-tmpfiles by
 running it before the binary is started for the first time. For the run
 to be effective 'data/tmpfiles.d/toolbox.conf' has to be installed in
 a location visible to systemd-tmpfiles. Therefore, the call to
 'systemd-tmpfiles --create' had to be placed after the install step.
 https://github.com/containers/toolbox/pull/898
 ---
 playbooks/setup-env.yaml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
 diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
 index 460ca9977a9e..2f858bcf722c 100644
 --- a/playbooks/setup-env.yaml
 +++ b/playbooks/setup-env.yaml
@@ -26,14 +26,8 @@
       args:
         chdir: '{{ zuul.project.src_dir }}'
 -    - name: Setup environment
 -      become: yes
 -      command:
 -        cmd: systemd-tmpfiles --create
 -        creates: /run/media
 -
     - name: Check versions of crucial packages
 -      command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper
 +      command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper patchelf
     - name: Show podman versions
       command: podman version
@@ -58,3 +52,10 @@
       args:
         chdir: '{{ zuul.project.src_dir }}'
         creates: /usr/local/bin/toolbox
 +
 +    - name: Setup environment
 +      become: yes
 +      command:
 +        cmd: systemd-tmpfiles --create
 +        creates: /run/media
 +        creates: /run/host
 -- 
 2.31.1
 From 5429d5e099af96f7af1f9be58ba354fe332b59e9 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 25 Oct 2021 02:55:09 +0200
 Subject: [PATCH 5/5] build: Restore backwards compatibility with existing
 containers
 The path of the dynamic linker (ie., PT_INTERP), as specified in an
 architecture's ABI, often starts with /lib or /lib64, not /usr/lib or
 /usr/lib64. eg., it's /lib/ld-linux-aarch64.so.1 for aarch64 and
 /lib64/ld-linux-x86-64.so.2 for x86_64.
 Unfortunately, until very recently [1], only the host's /usr was
 present inside a toolbox container's /run/host, not /lib or /lib64.
 Therefore, simply prepending /run/host to the /usr/bin/toolbox
 binary's existing PT_INTERP entry wouldn't locate the host's dynamic
 linker inside the toolbox container. This broke backwards compatibility
 with every container out there, except the ones created with the
 current development version in Git.
 To restore backwards compatibility, the /lib and /lib64 symbolic links
 must be resolved to their respective locations inside /usr.
 The following caveats must be noted:
  * With glibc, even the basename of the path of the dynamic linker as
    specified in an architecture's ABI, is a symbolic link to a file
    named ld-<glibc-version>.so. However, this file can't be used as
    the PT_INTERP entry, because its name will change when glibc is
    updated and the PT_INTERP entry will become invalid until the
    /usr/bin/toolbox binary is rebuilt.
  * On Debian, a path like /lib64/ld-linux-x86-64.so.2 doesn't resolve
    to something inside /usr/lib64. Instead it ends up inside
    /usr/lib/x86_64-linux-gnu through a series of symbolic links:
      - /lib64 -> usr/lib64
      - /usr/lib64/ld-linux-x86-64.so.2
          -> /lib/x86_64-linux-gnu/ld-2.28.so
      - /lib -> usr/lib
  * It's assumed that a symbolic link with the basename specified in
    the ABI lives in the same directory as the actual dynamic linker
    binary named ld-<glibc-version>.so.
 Fallout from 6063eb27b98939942e316771224c5653a9b2e59b
 [1] Commit d03a5fee80f2f72d
    https://github.com/containers/toolbox/pull/827
 https://github.com/containers/toolbox/issues/821
 ---
 src/go-build-wrapper | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
 diff --git a/src/go-build-wrapper b/src/go-build-wrapper
 index 677dca94bd5a..24eac674c9ac 100755
 --- a/src/go-build-wrapper
 +++ b/src/go-build-wrapper
@@ -34,8 +34,25 @@ if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
     exit 1
 fi
 -if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then
 -    echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2
 +if ! interpreter_canonical=$(readlink --canonicalize "$interpreter"); then
 +    echo "go-build-wrapper: failed to canonicalize PT_INTERP" >&2
 +    exit 1
 +fi
 +
 +if ! interpreter_basename=$(basename "$interpreter"); then
 +    echo "go-build-wrapper: failed to read the basename of PT_INTERP" >&2
 +    exit 1
 +fi
 +
 +if ! interpreter_canonical_dirname=$(dirname "$interpreter_canonical"); then
 +    echo "go-build-wrapper: failed to read the dirname of the canonicalized PT_INTERP" >&2
 +    exit 1
 +fi
 +
 +interpreter="/run/host$interpreter_canonical_dirname/$interpreter_basename"
 +
 +if ! patchelf --set-interpreter "$interpreter" "$2/toolbox"; then
 +    echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to $interpreter" >&2
     exit 1
 fi
 -- 
 2.31.1
--- a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
+++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild-for-PPC64.patch
@ -1,4 +1,4 @@
-From df2d42ec5aee27f9f92ce7825d020425c2dac885 Mon Sep 17 00:00:00 2001
+From 32aa30a17358598f568991a5375f6182e4135648 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild} for
@ -20,23 +20,44 @@ Note that these flags are only meant for the "ppc64" CPU architecture,
 and should be kept updated to match Fedora's Go guidelines. Use
 'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
 ---
- src/go-build-wrapper | 3 ++-
+ src/go-build-wrapper | 13 +++++++++----
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ 1 file changed, 9 insertions(+), 4 deletions(-)
 diff --git a/src/go-build-wrapper b/src/go-build-wrapper
-index 677dca94bd5a..e6e9caf1049e 100755
+index ef4aafc8b024..f8ea8370792c 100755
 --- a/src/go-build-wrapper
 +++ b/src/go-build-wrapper
-@@ -27,7 +27,8 @@ if ! cd "$1"; then
+@@ -32,9 +32,9 @@ if ! cd "$1"; then
     exit 1
 fi
-go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
+-tags=""
-+unset LDFLAGS
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
-+go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox"
+ if $6; then
 -    tags="-tags migration_path_for_coreos_toolbox"
 +    tags="$tags,migration_path_for_coreos_toolbox"
 fi
- if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
+ if ! libc_dir=$("$4" --print-file-name=libc.so); then
-     echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2
+@@ -69,11 +69,16 @@ fi
 dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
 +unset LDFLAGS
 +
 # shellcheck disable=SC2086
 go build \
 +        -compiler gc \
         $tags \
 -        -trimpath \
 -        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
 +        -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
 +        -a \
 +        -v \
 +        -x \
         -o "$2/toolbox"
 exit "$?"
 -- 
 2.31.1
--- a/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch
+++ b/toolbox-Make-the-build-flags-match-Fedora-s-gobuild.patch
@ -1,4 +1,4 @@
-From 18cbc514c8b776c855a24cdcf8b326d592322d44 Mon Sep 17 00:00:00 2001
+From 6d913f1fbd6e609957bb01273504b2f479e1b546 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match Fedora's %{gobuild}
@ -19,23 +19,45 @@ Note that these flags are meant for every CPU architecture other than
 PPC64, and should be kept updated to match Fedora's Go guidelines. Use
 'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
 ---
- src/go-build-wrapper | 3 ++-
+ src/go-build-wrapper | 14 ++++++++++----
- 1 file changed, 2 insertions(+), 1 deletion(-)
+ 1 file changed, 10 insertions(+), 4 deletions(-)
 diff --git a/src/go-build-wrapper b/src/go-build-wrapper
-index 677dca94bd5a..581d5c82cf2f 100755
+index ef4aafc8b024..4354beceb215 100755
 --- a/src/go-build-wrapper
 +++ b/src/go-build-wrapper
-@@ -27,7 +27,8 @@ if ! cd "$1"; then
+@@ -32,9 +32,9 @@ if ! cd "$1"; then
     exit 1
 fi
-go build -trimpath -ldflags "-extldflags '-Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -o "$2/toolbox"
+-tags=""
-+unset LDFLAGS
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
-+go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-rpath,/run/host/usr/lib -Wl,-rpath,/run/host/usr/lib64' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" -a -v -x -o "$2/toolbox"
+ if $6; then
 -    tags="-tags migration_path_for_coreos_toolbox"
 +    tags="$tags,migration_path_for_coreos_toolbox"
 fi
- if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
+ if ! libc_dir=$("$4" --print-file-name=libc.so); then
-     echo "go-build-wrapper: failed to read PT_INTERP from $2/toolbox" >&2
+@@ -69,11 +69,17 @@ fi
 dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
 +unset LDFLAGS
 +
 # shellcheck disable=SC2086
 go build \
 +        -buildmode pie \
 +        -compiler gc \
         $tags \
 -        -trimpath \
 -        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
 +        -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
 +        -a \
 +        -v \
 +        -x \
         -o "$2/toolbox"
 exit "$?"
 -- 
 2.31.1
--- a/toolbox.spec
+++ b/toolbox.spec
@ -1,23 +1,18 @@
 %global __brp_check_rpaths %{nil}
 Name:          toolbox
-Version:       0.0.99.2^3.git075b9a8d2779
+Version:       0.0.99.3
 %global goipath github.com/containers/%{name}
 %gometa
-Release:       9%{?dist}
+Release:       1%{?dist}
 Summary:       Tool for containerized command line environments on Linux
 License:       ASL 2.0
 URL:           https://github.com/containers/%{name}
-# https://github.com/containers/%%{name}/releases/download/%%{version}/%%{name}-%%{version}.tar.xz
+Source0:       https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}.tar.xz
 # Snapshot tarball
 Source0:       %{name}-%{version}.tar.xz
 # https://bugzilla.redhat.com/show_bug.cgi?id=1995439
 Patch0:        toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch
 # Fedora specific
 Patch100:      toolbox-Don-t-use-Go-s-semantic-import-versioning.patch
@ -39,7 +34,6 @@ BuildRequires: golang(github.com/sirupsen/logrus) >= 1.4.2
 BuildRequires: golang(github.com/spf13/cobra) >= 0.0.5
 BuildRequires: golang(golang.org/x/sys/unix)
 BuildRequires: meson
 BuildRequires: patchelf
 BuildRequires: pkgconfig(bash-completion)
 BuildRequires: systemd
@ -61,6 +55,7 @@ Summary:       Required packages for the container image to support %{name}
 # These are really required to make the image work with toolbox
 Requires:      passwd
 Requires:      shadow-utils
 Requires:      util-linux
 Requires:      vte-profile
 %description   support
@ -97,7 +92,6 @@ Requires:      less
 Requires:      lsof
 Requires:      man-db
 Requires:      man-pages
 Requires:      mlocate
 Requires:      mtr
 Requires:      nano-default-editor
 Requires:      nss-mdns
@ -143,7 +137,6 @@ The %{name}-tests package contains system tests for %{name}.
 %prep
 %setup -q
 %patch0 -p1
 %patch100 -p1
 %ifnarch ppc64
@ -193,6 +186,9 @@ ln -s src/pkg pkg
 %changelog
 * Fri Dec 10 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.3-1
 - Update to 0.0.99.3
 * Mon Oct 25 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-9
 - Restore backwards compatibility with existing containers
`@ -1 +1 @@`
	`SHA512 (toolbox-0.0.99.2^3.git075b9a8d2779.tar.xz) = e9ebb306fa3fe72dede4d08e1428dbfde12fe44274b4ea7cd356cba28a90daff728c4182f13e20f8a05603aeefb4cf484611805dac2776ab38c37764e6069c5d`	`SHA512 (toolbox-0.0.99.3.tar.xz) = d9e4bd1cc7667b6ecdcf25a2c3ad7d7d67cc997168a41e668c936d2de24db774331a78a1b4a06b63e7cef8e0dc4ac5651591b6d9cec0d8e81be2b2dd64854dca`