import CS toolbox-0.0.99.4-5.el9
This commit is contained in:
parent
0742f46b86
commit
25c2503fe7
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
|||||||
SOURCES/toolbox-0.0.99.3-vendored.tar.xz
|
SOURCES/toolbox-0.0.99.4-vendored.tar.xz
|
||||||
|
@ -1 +1 @@
|
|||||||
ae6e6ac18c0d350eeabe9392a37ddc70cd60b52f SOURCES/toolbox-0.0.99.3-vendored.tar.xz
|
3a2506e53c44cab54d476ee38af7197175e8af10 SOURCES/toolbox-0.0.99.4-vendored.tar.xz
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
From cc15d0ac76fa77a2fa0f3c73e1a3ed4e7ceb2b29 Mon Sep 17 00:00:00 2001
|
From d461caa5b1a278124d039df93140d2d5bf4eabe7 Mon Sep 17 00:00:00 2001
|
||||||
From: Debarshi Ray <rishi@fedoraproject.org>
|
From: Debarshi Ray <rishi@fedoraproject.org>
|
||||||
Date: Wed, 18 Aug 2021 17:55:21 +0200
|
Date: Wed, 18 Aug 2021 17:55:21 +0200
|
||||||
Subject: [PATCH 1/2] cmd/run: Make sosreport work by setting the HOST
|
Subject: [PATCH 1/2] cmd/run: Make sosreport work by setting the HOST
|
||||||
@ -10,22 +10,22 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1940037
|
|||||||
1 file changed, 1 insertion(+)
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
diff --git a/src/cmd/run.go b/src/cmd/run.go
|
diff --git a/src/cmd/run.go b/src/cmd/run.go
|
||||||
index 5954eac55fad..ca363815d4c9 100644
|
index 7657ffa50821..23d422623b14 100644
|
||||||
--- a/src/cmd/run.go
|
--- a/src/cmd/run.go
|
||||||
+++ b/src/cmd/run.go
|
+++ b/src/cmd/run.go
|
||||||
@@ -441,6 +441,7 @@ func constructExecArgs(container string,
|
@@ -501,6 +501,7 @@ func constructExecArgs(container, preserveFDs string,
|
||||||
execArgs = append(execArgs, detachKeys...)
|
execArgs = append(execArgs, envOptions...)
|
||||||
|
|
||||||
execArgs = append(execArgs, []string{
|
execArgs = append(execArgs, []string{
|
||||||
+ "--env", "HOST=/run/host",
|
+ "--env", "HOST=/run/host",
|
||||||
"--interactive",
|
"--interactive",
|
||||||
"--tty",
|
"--preserve-fds", preserveFDs,
|
||||||
"--user", currentUser.Username,
|
}...)
|
||||||
--
|
--
|
||||||
2.39.1
|
2.39.2
|
||||||
|
|
||||||
|
|
||||||
From a47cd46e0ca32b8af0ea8181c856ce2a8d8307fd Mon Sep 17 00:00:00 2001
|
From 3c2c67752e8f88f72058799cbce3612fc937b230 Mon Sep 17 00:00:00 2001
|
||||||
From: Debarshi Ray <rishi@fedoraproject.org>
|
From: Debarshi Ray <rishi@fedoraproject.org>
|
||||||
Date: Fri, 10 Dec 2021 13:42:15 +0100
|
Date: Fri, 10 Dec 2021 13:42:15 +0100
|
||||||
Subject: [PATCH 2/2] test/system: Update to test the migration path for
|
Subject: [PATCH 2/2] test/system: Update to test the migration path for
|
||||||
@ -42,10 +42,10 @@ ca899c8a561f357ae32c6ba6813520fd8b682abb and the parts of commit
|
|||||||
create mode 100644 test/system/100-root.bats
|
create mode 100644 test/system/100-root.bats
|
||||||
|
|
||||||
diff --git a/test/system/002-help.bats b/test/system/002-help.bats
|
diff --git a/test/system/002-help.bats b/test/system/002-help.bats
|
||||||
index 689f95e472a1..525d44431ee5 100644
|
index 7e4565e9d23d..58a4c2c87ece 100644
|
||||||
--- a/test/system/002-help.bats
|
--- a/test/system/002-help.bats
|
||||||
+++ b/test/system/002-help.bats
|
+++ b/test/system/002-help.bats
|
||||||
@@ -8,17 +8,6 @@ setup() {
|
@@ -23,17 +23,6 @@ setup() {
|
||||||
_setup_environment
|
_setup_environment
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -97,5 +97,5 @@ index 000000000000..32d87904213e
|
|||||||
+ skip "Testing of entering toolboxes is not implemented"
|
+ skip "Testing of entering toolboxes is not implemented"
|
||||||
+}
|
+}
|
||||||
--
|
--
|
||||||
2.39.1
|
2.39.2
|
||||||
|
|
||||||
|
@ -0,0 +1,89 @@
|
|||||||
|
From fc5f568c5d82f4a16982268fa67092e52be91fbe Mon Sep 17 00:00:00 2001
|
||||||
|
From: Debarshi Ray <rishi@fedoraproject.org>
|
||||||
|
Date: Tue, 28 Feb 2023 17:12:04 +0100
|
||||||
|
Subject: [PATCH] cmd/root: Don't use podman(1) when generating the completions
|
||||||
|
|
||||||
|
Ever since commit bafbbe81c9220cb3, the shell completions are generated
|
||||||
|
while building Toolbx using the 'completion' command. This involves
|
||||||
|
running toolbox(1) itself, and hence invoking 'podman version' to decide
|
||||||
|
if 'podman system migrate' is needed or not.
|
||||||
|
|
||||||
|
Unfortunately, some build environments, like Fedora's, are set up inside
|
||||||
|
a chroot(2) or systemd-nspawn(1) or similar, where 'podman version' may
|
||||||
|
not work because it does various things with namespaces(7) and clone(2)
|
||||||
|
that can, under certain circumstances, encounter an EPERM.
|
||||||
|
|
||||||
|
Therefore, it's better to avoid using podman(1) when generating the
|
||||||
|
shell completions, especially, since they are generated by Cobra itself
|
||||||
|
and podman(1) is not involved at all.
|
||||||
|
|
||||||
|
Note that podman(1) is needed when the generated shell completions are
|
||||||
|
actually used in interactive command line environments. The shell
|
||||||
|
completions invoke the hidden '__complete' command to get the results
|
||||||
|
that are presented to the user, and, if needed, 'podman system migrate'
|
||||||
|
will continue to be run as part of that.
|
||||||
|
|
||||||
|
This partially reverts commit f3e005d0142d7ec76d5ac8f0a2f331a52fd46011
|
||||||
|
because podman(1) is now only an optional runtime dependency for the
|
||||||
|
system tests.
|
||||||
|
|
||||||
|
https://github.com/containers/podman/issues/17657
|
||||||
|
---
|
||||||
|
meson.build | 2 +-
|
||||||
|
src/cmd/root.go | 9 +++++++--
|
||||||
|
2 files changed, 8 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/meson.build b/meson.build
|
||||||
|
index 6f044bb204e3..653a3d3ac588 100644
|
||||||
|
--- a/meson.build
|
||||||
|
+++ b/meson.build
|
||||||
|
@@ -18,12 +18,12 @@ subid_dep = cc.find_library('subid', has_headers: ['shadow/subid.h'])
|
||||||
|
|
||||||
|
go = find_program('go')
|
||||||
|
go_md2man = find_program('go-md2man')
|
||||||
|
-podman = find_program('podman')
|
||||||
|
|
||||||
|
bats = find_program('bats', required: false)
|
||||||
|
codespell = find_program('codespell', required: false)
|
||||||
|
htpasswd = find_program('htpasswd', required: false)
|
||||||
|
openssl = find_program('openssl', required: false)
|
||||||
|
+podman = find_program('podman', required: false)
|
||||||
|
shellcheck = find_program('shellcheck', required: false)
|
||||||
|
skopeo = find_program('skopeo', required: false)
|
||||||
|
|
||||||
|
diff --git a/src/cmd/root.go b/src/cmd/root.go
|
||||||
|
index 304b03dcd889..9975ccc7a4c8 100644
|
||||||
|
--- a/src/cmd/root.go
|
||||||
|
+++ b/src/cmd/root.go
|
||||||
|
@@ -166,7 +166,7 @@ func preRun(cmd *cobra.Command, args []string) error {
|
||||||
|
|
||||||
|
logrus.Debugf("TOOLBOX_PATH is %s", toolboxPath)
|
||||||
|
|
||||||
|
- if err := migrate(); err != nil {
|
||||||
|
+ if err := migrate(cmd, args); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -211,13 +211,18 @@ func rootRun(cmd *cobra.Command, args []string) error {
|
||||||
|
return rootRunImpl(cmd, args)
|
||||||
|
}
|
||||||
|
|
||||||
|
-func migrate() error {
|
||||||
|
+func migrate(cmd *cobra.Command, args []string) error {
|
||||||
|
logrus.Debug("Migrating to newer Podman")
|
||||||
|
|
||||||
|
if utils.IsInsideContainer() {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName {
|
||||||
|
+ logrus.Debugf("Migration not needed: command %s doesn't need it", cmdName)
|
||||||
|
+ return nil
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
configDir, err := os.UserConfigDir()
|
||||||
|
if err != nil {
|
||||||
|
logrus.Debugf("Migrating to newer Podman: failed to get the user config directory: %s", err)
|
||||||
|
--
|
||||||
|
2.39.1
|
||||||
|
|
@ -0,0 +1,149 @@
|
|||||||
|
From 52de8d4a933ab6a4b1b6ef1c02c7e9f1f834c4a5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Debarshi Ray <rishi@fedoraproject.org>
|
||||||
|
Date: Wed, 1 Mar 2023 19:41:56 +0100
|
||||||
|
Subject: [PATCH 1/3] cmd/root: Sprinkle a debug log
|
||||||
|
|
||||||
|
https://github.com/containers/toolbox/pull/1251
|
||||||
|
---
|
||||||
|
src/cmd/root.go | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/src/cmd/root.go b/src/cmd/root.go
|
||||||
|
index 304b03dcd889..82fbfd651c33 100644
|
||||||
|
--- a/src/cmd/root.go
|
||||||
|
+++ b/src/cmd/root.go
|
||||||
|
@@ -215,6 +215,7 @@ func migrate() error {
|
||||||
|
logrus.Debug("Migrating to newer Podman")
|
||||||
|
|
||||||
|
if utils.IsInsideContainer() {
|
||||||
|
+ logrus.Debug("Migration not needed: running inside a container")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
||||||
|
|
||||||
|
From 0beab62c935cd1166d6b03f58c519bbc7b040221 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Debarshi Ray <rishi@fedoraproject.org>
|
||||||
|
Date: Wed, 1 Mar 2023 19:46:11 +0100
|
||||||
|
Subject: [PATCH 2/3] cmd/root: Shuffle some code around and sprinkle some
|
||||||
|
debug logs
|
||||||
|
|
||||||
|
Having a separate convenience function reduces the indentation levels by
|
||||||
|
at least one, and sometimes two, and makes it easy to have more detailed
|
||||||
|
debug logs.
|
||||||
|
|
||||||
|
This will make the subsequent commit easier to read.
|
||||||
|
|
||||||
|
https://github.com/containers/toolbox/issues/1246
|
||||||
|
---
|
||||||
|
src/cmd/root.go | 32 ++++++++++++++++++++++++--------
|
||||||
|
1 file changed, 24 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/cmd/root.go b/src/cmd/root.go
|
||||||
|
index 82fbfd651c33..4c740ec60d38 100644
|
||||||
|
--- a/src/cmd/root.go
|
||||||
|
+++ b/src/cmd/root.go
|
||||||
|
@@ -1,5 +1,5 @@
|
||||||
|
/*
|
||||||
|
- * Copyright © 2019 – 2022 Red Hat Inc.
|
||||||
|
+ * Copyright © 2019 – 2023 Red Hat Inc.
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
* you may not use this file except in compliance with the License.
|
||||||
|
@@ -139,13 +139,8 @@ func preRun(cmd *cobra.Command, args []string) error {
|
||||||
|
if !utils.IsInsideContainer() {
|
||||||
|
logrus.Debugf("Running on a cgroups v%d host", cgroupsVersion)
|
||||||
|
|
||||||
|
- if currentUser.Uid != "0" {
|
||||||
|
- logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", currentUser.Username)
|
||||||
|
-
|
||||||
|
- if _, err := utils.ValidateSubIDRanges(currentUser); err != nil {
|
||||||
|
- logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
|
||||||
|
- return newSubIDError()
|
||||||
|
- }
|
||||||
|
+ if _, err := validateSubIDRanges(cmd, args, currentUser); err != nil {
|
||||||
|
+ return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -387,3 +382,24 @@ func setUpLoggers() error {
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bool, error) {
|
||||||
|
+ logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", user.Username)
|
||||||
|
+
|
||||||
|
+ if user.Uid == "0" {
|
||||||
|
+ logrus.Debugf("Look-up not needed: user %s doesn't need them", user.Username)
|
||||||
|
+ return true, nil
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if utils.IsInsideContainer() {
|
||||||
|
+ logrus.Debug("Look-up not needed: running inside a container")
|
||||||
|
+ return true, nil
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if _, err := utils.ValidateSubIDRanges(user); err != nil {
|
||||||
|
+ logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
|
||||||
|
+ return false, newSubIDError()
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return true, nil
|
||||||
|
+}
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
||||||
|
|
||||||
|
From d09c9cd1de41b6e85a6953902c9982778a423f3c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jan Zerebecki <jan.suse@zerebecki.de>
|
||||||
|
Date: Wed, 1 Mar 2023 19:52:28 +0100
|
||||||
|
Subject: [PATCH 3/3] cmd/root: Don't validate subordinate IDs when generating
|
||||||
|
the completions
|
||||||
|
|
||||||
|
Ever since commit bafbbe81c9220cb3, the shell completions are generated
|
||||||
|
while building Toolbx using the 'completion' command. This involves
|
||||||
|
running toolbox(1) itself, and hence validating the subordinate user and
|
||||||
|
group ID ranges.
|
||||||
|
|
||||||
|
Unfortunately, some build environments, like openSUSE's, don't have
|
||||||
|
subordinate ID ranges set up. Therefore, it's better to not validate
|
||||||
|
the subordinate ID ranges when generating the shell completions, since
|
||||||
|
they are generated by Cobra itself and subordinate ID ranges are not
|
||||||
|
involved at all.
|
||||||
|
|
||||||
|
Note that subordinate ID ranges may be needed when the generated shell
|
||||||
|
completions are actually used in interactive command line environments.
|
||||||
|
The shell completions invoke the hidden '__complete' command to get the
|
||||||
|
results that are presented to the user, and, if needed, the subordinate
|
||||||
|
ID ranges will continue to be used by podman(1) as part of that.
|
||||||
|
|
||||||
|
Some changes by Debarshi Ray.
|
||||||
|
|
||||||
|
https://github.com/containers/toolbox/issues/1246
|
||||||
|
https://github.com/containers/toolbox/pull/1249
|
||||||
|
---
|
||||||
|
src/cmd/root.go | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/src/cmd/root.go b/src/cmd/root.go
|
||||||
|
index 4c740ec60d38..efee8ce9990b 100644
|
||||||
|
--- a/src/cmd/root.go
|
||||||
|
+++ b/src/cmd/root.go
|
||||||
|
@@ -396,6 +396,11 @@ func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bo
|
||||||
|
return true, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName {
|
||||||
|
+ logrus.Debugf("Look-up not needed: command %s doesn't need them", cmdName)
|
||||||
|
+ return true, nil
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if _, err := utils.ValidateSubIDRanges(user); err != nil {
|
||||||
|
logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
|
||||||
|
return false, newSubIDError()
|
||||||
|
--
|
||||||
|
2.39.2
|
||||||
|
|
@ -1,16 +1,8 @@
|
|||||||
From 024cf19e52544814cdee80693a6dc12b5a92943c Mon Sep 17 00:00:00 2001
|
From 973600219168f3c4efeb627c103085555327eaa5 Mon Sep 17 00:00:00 2001
|
||||||
From: Debarshi Ray <rishi@fedoraproject.org>
|
From: Debarshi Ray <rishi@fedoraproject.org>
|
||||||
Date: Mon, 29 Jun 2020 17:57:47 +0200
|
Date: Mon, 29 Jun 2020 17:57:47 +0200
|
||||||
Subject: [PATCH] build: Make the build flags match RHEL's %{gobuild} for PPC64
|
Subject: [PATCH] build: Make the build flags match RHEL's %{gobuildflags} for
|
||||||
|
PPC64
|
||||||
The Go toolchain doesn't play well with passing compiler and linker
|
|
||||||
flags via environment variables. The linker flags require a second
|
|
||||||
level of quoting, which leaves the build system without a quote level
|
|
||||||
to assign the flags to an environment variable like GOFLAGS.
|
|
||||||
|
|
||||||
This is one reason why RHEL doesn't have a RPM macro with only the
|
|
||||||
flags. The %{gobuild} RPM macro includes the entire 'go build ...'
|
|
||||||
invocation.
|
|
||||||
|
|
||||||
The Go toolchain also doesn't like the LDFLAGS environment variable as
|
The Go toolchain also doesn't like the LDFLAGS environment variable as
|
||||||
exported by RHEL's %{meson} RPM macro, and RHEL's RPM toolchain doesn't
|
exported by RHEL's %{meson} RPM macro, and RHEL's RPM toolchain doesn't
|
||||||
@ -18,28 +10,28 @@ like the compressed DWARF data generated by the Go toolchain.
|
|||||||
|
|
||||||
Note that these flags are only meant for the "ppc64" CPU architecture,
|
Note that these flags are only meant for the "ppc64" CPU architecture,
|
||||||
and should be kept updated to match RHEL's Go guidelines. Use
|
and should be kept updated to match RHEL's Go guidelines. Use
|
||||||
'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
|
'rpm --eval "%{gobuildflags}"' to expand the %{gobuildflags} macro.
|
||||||
---
|
---
|
||||||
src/go-build-wrapper | 13 +++++++++----
|
src/go-build-wrapper | 13 +++++++++----
|
||||||
1 file changed, 9 insertions(+), 4 deletions(-)
|
1 file changed, 9 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/go-build-wrapper b/src/go-build-wrapper
|
diff --git a/src/go-build-wrapper b/src/go-build-wrapper
|
||||||
index ef4aafc8b024..00d7e9fca0e0 100755
|
index c572d6dfb02b..86f174716608 100755
|
||||||
--- a/src/go-build-wrapper
|
--- a/src/go-build-wrapper
|
||||||
+++ b/src/go-build-wrapper
|
+++ b/src/go-build-wrapper
|
||||||
@@ -32,9 +32,9 @@ if ! cd "$1"; then
|
@@ -33,9 +33,9 @@ if ! cd "$1"; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
-tags=""
|
-tags=""
|
||||||
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
|
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-},libtrust_openssl"
|
||||||
if $6; then
|
if $7; then
|
||||||
- tags="-tags migration_path_for_coreos_toolbox"
|
- tags="-tags migration_path_for_coreos_toolbox"
|
||||||
+ tags="$tags,migration_path_for_coreos_toolbox"
|
+ tags="$tags,migration_path_for_coreos_toolbox"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! libc_dir=$("$4" --print-file-name=libc.so); then
|
if ! libc_dir=$("$5" --print-file-name=libc.so); then
|
||||||
@@ -69,11 +69,16 @@ fi
|
@@ -70,11 +70,16 @@ fi
|
||||||
|
|
||||||
dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
|
dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
|
||||||
|
|
||||||
@ -50,14 +42,14 @@ index ef4aafc8b024..00d7e9fca0e0 100755
|
|||||||
+ -compiler gc \
|
+ -compiler gc \
|
||||||
$tags \
|
$tags \
|
||||||
- -trimpath \
|
- -trimpath \
|
||||||
- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
|
- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
|
||||||
+ -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
|
+ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
|
||||||
+ -a \
|
+ -a \
|
||||||
+ -v \
|
+ -v \
|
||||||
+ -x \
|
+ -x \
|
||||||
-o "$2/toolbox"
|
-o "$2/$3"
|
||||||
|
|
||||||
exit "$?"
|
exit "$?"
|
||||||
--
|
--
|
||||||
2.31.1
|
2.39.2
|
||||||
|
|
||||||
|
@ -1,45 +1,36 @@
|
|||||||
From 89129bd096c8bfac4ff84fc19726898cc901c1fc Mon Sep 17 00:00:00 2001
|
From aeaa8cd30a8c5ad33ee1fe6b9e84ecbb28f7264c Mon Sep 17 00:00:00 2001
|
||||||
From: Debarshi Ray <rishi@fedoraproject.org>
|
From: Debarshi Ray <rishi@fedoraproject.org>
|
||||||
Date: Mon, 29 Jun 2020 17:57:47 +0200
|
Date: Mon, 29 Jun 2020 17:57:47 +0200
|
||||||
Subject: [PATCH] build: Make the build flags match RHEL's %{gobuild}
|
Subject: [PATCH] build: Make the build flags match RHEL's %{gobuildflags}
|
||||||
|
|
||||||
The Go toolchain doesn't play well with passing compiler and linker
|
The Go toolchain doesn't like the LDFLAGS environment variable as
|
||||||
flags via environment variables. The linker flags require a second
|
|
||||||
level of quoting, which leaves the build system without a quote level
|
|
||||||
to assign the flags to an environment variable like GOFLAGS.
|
|
||||||
|
|
||||||
This is one reason why RHEL doesn't have a RPM macro with only the
|
|
||||||
flags. The %{gobuild} RPM macro includes the entire 'go build ...'
|
|
||||||
invocation.
|
|
||||||
|
|
||||||
The Go toolchain also doesn't like the LDFLAGS environment variable as
|
|
||||||
exported by RHEL's %{meson} RPM macro, and RHEL's RPM toolchain doesn't
|
exported by RHEL's %{meson} RPM macro, and RHEL's RPM toolchain doesn't
|
||||||
like the compressed DWARF data generated by the Go toolchain.
|
like the compressed DWARF data generated by the Go toolchain.
|
||||||
|
|
||||||
Note that these flags are meant for every CPU architecture other than
|
Note that these flags are meant for every CPU architecture other than
|
||||||
PPC64, and should be kept updated to match RHEL's Go guidelines. Use
|
PPC64, and should be kept updated to match RHEL's Go guidelines. Use
|
||||||
'rpm --eval "%{gobuild}"' to expand the %{gobuild} macro.
|
'rpm --eval "%{gobuildflags}"' to expand the %{gobuildflags} macro.
|
||||||
---
|
---
|
||||||
src/go-build-wrapper | 14 ++++++++++----
|
src/go-build-wrapper | 14 ++++++++++----
|
||||||
1 file changed, 10 insertions(+), 4 deletions(-)
|
1 file changed, 10 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
diff --git a/src/go-build-wrapper b/src/go-build-wrapper
|
diff --git a/src/go-build-wrapper b/src/go-build-wrapper
|
||||||
index ef4aafc8b024..e82e42ca8151 100755
|
index c572d6dfb02b..d39764fda0c1 100755
|
||||||
--- a/src/go-build-wrapper
|
--- a/src/go-build-wrapper
|
||||||
+++ b/src/go-build-wrapper
|
+++ b/src/go-build-wrapper
|
||||||
@@ -32,9 +32,9 @@ if ! cd "$1"; then
|
@@ -33,9 +33,9 @@ if ! cd "$1"; then
|
||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
-tags=""
|
-tags=""
|
||||||
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-}"
|
+tags="-tags rpm_crashtraceback,${BUILDTAGS:-},libtrust_openssl"
|
||||||
if $6; then
|
if $7; then
|
||||||
- tags="-tags migration_path_for_coreos_toolbox"
|
- tags="-tags migration_path_for_coreos_toolbox"
|
||||||
+ tags="$tags,migration_path_for_coreos_toolbox"
|
+ tags="$tags,migration_path_for_coreos_toolbox"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if ! libc_dir=$("$4" --print-file-name=libc.so); then
|
if ! libc_dir=$("$5" --print-file-name=libc.so); then
|
||||||
@@ -69,11 +69,17 @@ fi
|
@@ -70,11 +70,17 @@ fi
|
||||||
|
|
||||||
dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
|
dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
|
||||||
|
|
||||||
@ -51,14 +42,14 @@ index ef4aafc8b024..e82e42ca8151 100755
|
|||||||
+ -compiler gc \
|
+ -compiler gc \
|
||||||
$tags \
|
$tags \
|
||||||
- -trimpath \
|
- -trimpath \
|
||||||
- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
|
- -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
|
||||||
+ -ldflags "${LDFLAGS:-} -compressdwarf=false -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$3" \
|
+ -ldflags "${LDFLAGS:-} -B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \n') -compressdwarf=false -extldflags '-Wl,-z,relro -Wl,--as-needed -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
|
||||||
+ -a \
|
+ -a \
|
||||||
+ -v \
|
+ -v \
|
||||||
+ -x \
|
+ -x \
|
||||||
-o "$2/toolbox"
|
-o "$2/$3"
|
||||||
|
|
||||||
exit "$?"
|
exit "$?"
|
||||||
--
|
--
|
||||||
2.31.1
|
2.39.2
|
||||||
|
|
||||||
|
@ -1,211 +0,0 @@
|
|||||||
From 9bffb4630b2fc026fe32ddcb2674499c863aac32 Mon Sep 17 00:00:00 2001
|
|
||||||
From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
|
|
||||||
Date: Sat, 8 Jan 2022 19:53:53 +0200
|
|
||||||
Subject: [PATCH 1/3] pkg/utils: Use new UBI toolbox image
|
|
||||||
|
|
||||||
Red Hat has published a new UBI image made specificaly for Toolbx.
|
|
||||||
Make use of it from now on.
|
|
||||||
|
|
||||||
Fixes: https://github.com/containers/toolbox/issues/961
|
|
||||||
|
|
||||||
https://github.com/containers/toolbox/issues/976
|
|
||||||
(cherry picked from commit f456c173b6fd69ad390a419d23dafcf3f25b15a8)
|
|
||||||
---
|
|
||||||
src/pkg/utils/utils.go | 2 +-
|
|
||||||
test/system/libs/helpers.bash | 2 +-
|
|
||||||
2 files changed, 2 insertions(+), 2 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/pkg/utils/utils.go b/src/pkg/utils/utils.go
|
|
||||||
index ab59afc22283..3119fee74375 100644
|
|
||||||
--- a/src/pkg/utils/utils.go
|
|
||||||
+++ b/src/pkg/utils/utils.go
|
|
||||||
@@ -104,7 +104,7 @@ var (
|
|
||||||
},
|
|
||||||
"rhel": {
|
|
||||||
"rhel-toolbox",
|
|
||||||
- "ubi",
|
|
||||||
+ "toolbox",
|
|
||||||
parseReleaseRHEL,
|
|
||||||
"registry.access.redhat.com",
|
|
||||||
"ubi8",
|
|
||||||
diff --git a/test/system/libs/helpers.bash b/test/system/libs/helpers.bash
|
|
||||||
index 548c4c0e745f..e29273a644dd 100644
|
|
||||||
--- a/test/system/libs/helpers.bash
|
|
||||||
+++ b/test/system/libs/helpers.bash
|
|
||||||
@@ -18,7 +18,7 @@ readonly SKOPEO=$(command -v skopeo)
|
|
||||||
# Images
|
|
||||||
declare -Ag IMAGES=([busybox]="quay.io/toolbox_tests/busybox" \
|
|
||||||
[fedora]="registry.fedoraproject.org/fedora-toolbox" \
|
|
||||||
- [rhel]="registry.access.redhat.com/ubi8")
|
|
||||||
+ [rhel]="registry.access.redhat.com/ubi8/toolbox")
|
|
||||||
|
|
||||||
|
|
||||||
function cleanup_all() {
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
|
|
||||||
From 643384caf11050a1e8d694176a6e09d732461975 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Debarshi Ray <rishi@fedoraproject.org>
|
|
||||||
Date: Sun, 29 Jan 2023 09:41:16 +0100
|
|
||||||
Subject: [PATCH 2/3] pkg/utils: Be more strict about what is acceptable
|
|
||||||
|
|
||||||
https://github.com/containers/toolbox/issues/1065
|
|
||||||
(cherry picked from commit 262c90e06fdb91e0b693fae33a519eb2756de75b)
|
|
||||||
---
|
|
||||||
src/pkg/utils/utils.go | 15 ++++++++++++++-
|
|
||||||
1 file changed, 14 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/src/pkg/utils/utils.go b/src/pkg/utils/utils.go
|
|
||||||
index 3119fee74375..b4c012e8fe3a 100644
|
|
||||||
--- a/src/pkg/utils/utils.go
|
|
||||||
+++ b/src/pkg/utils/utils.go
|
|
||||||
@@ -1,5 +1,5 @@
|
|
||||||
/*
|
|
||||||
- * Copyright © 2019 – 2021 Red Hat Inc.
|
|
||||||
+ * Copyright © 2019 – 2023 Red Hat Inc.
|
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
* you may not use this file except in compliance with the License.
|
|
||||||
@@ -278,6 +278,19 @@ func GetEnvOptionsForPreservedVariables() []string {
|
|
||||||
func GetFullyQualifiedImageFromDistros(image, release string) (string, error) {
|
|
||||||
logrus.Debugf("Resolving fully qualified name for image %s from known registries", image)
|
|
||||||
|
|
||||||
+ if image == "" {
|
|
||||||
+ panic("image not specified")
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if release == "" {
|
|
||||||
+ panic("release not specified")
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if tag := ImageReferenceGetTag(image); tag != "" && release != tag {
|
|
||||||
+ panicMsg := fmt.Sprintf("image %s does not match release %s", image, release)
|
|
||||||
+ panic(panicMsg)
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if ImageReferenceHasDomain(image) {
|
|
||||||
return image, nil
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
||||||
|
|
||||||
From 1ce213fabb3321937421404350e57f376cb9134d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Debarshi Ray <rishi@fedoraproject.org>
|
|
||||||
Date: Sun, 29 Jan 2023 09:47:13 +0100
|
|
||||||
Subject: [PATCH 3/3] pkg/utils: Support RHEL 9 Toolbx containers
|
|
||||||
|
|
||||||
The URLs for the RHEL Toolbx images based on the Red Hat Universal Base
|
|
||||||
Images (or UBI) are a bit more complicated to construct, in comparison
|
|
||||||
to the URLs for Fedora's fedora-toolbox images. It's not enough to just
|
|
||||||
concatenate the registry, the image's basename and the release. Some
|
|
||||||
parts of the URL depend on the release's major number, which requires
|
|
||||||
custom code.
|
|
||||||
|
|
||||||
So far, the release's major number was hard coded to 8 since only RHEL 8
|
|
||||||
Toolbx containers were supported.
|
|
||||||
|
|
||||||
To support other RHEL major releases, it's necessary to have custom code
|
|
||||||
to construct the URLs for the Toolbx images.
|
|
||||||
|
|
||||||
https://github.com/containers/toolbox/issues/1065
|
|
||||||
(cherry picked from commit 0a29b374e649437126d8bbe12707fb44d20073d3)
|
|
||||||
---
|
|
||||||
src/pkg/utils/utils.go | 47 +++++++++++++++++++++---------------------
|
|
||||||
1 file changed, 23 insertions(+), 24 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/src/pkg/utils/utils.go b/src/pkg/utils/utils.go
|
|
||||||
index b4c012e8fe3a..4e4abeca4817 100644
|
|
||||||
--- a/src/pkg/utils/utils.go
|
|
||||||
+++ b/src/pkg/utils/utils.go
|
|
||||||
@@ -38,15 +38,14 @@ import (
|
|
||||||
"golang.org/x/sys/unix"
|
|
||||||
)
|
|
||||||
|
|
||||||
+type GetFullyQualifiedImageFunc func(string, string) string
|
|
||||||
type ParseReleaseFunc func(string) (string, error)
|
|
||||||
|
|
||||||
type Distro struct {
|
|
||||||
ContainerNamePrefix string
|
|
||||||
ImageBasename string
|
|
||||||
+ GetFullyQualifiedImage GetFullyQualifiedImageFunc
|
|
||||||
ParseRelease ParseReleaseFunc
|
|
||||||
- Registry string
|
|
||||||
- Repository string
|
|
||||||
- RepositoryNeedsRelease bool
|
|
||||||
}
|
|
||||||
|
|
||||||
const (
|
|
||||||
@@ -97,18 +96,14 @@ var (
|
|
||||||
"fedora": {
|
|
||||||
"fedora-toolbox",
|
|
||||||
"fedora-toolbox",
|
|
||||||
+ getFullyQualifiedImageFedora,
|
|
||||||
parseReleaseFedora,
|
|
||||||
- "registry.fedoraproject.org",
|
|
||||||
- "",
|
|
||||||
- false,
|
|
||||||
},
|
|
||||||
"rhel": {
|
|
||||||
"rhel-toolbox",
|
|
||||||
"toolbox",
|
|
||||||
+ getFullyQualifiedImageRHEL,
|
|
||||||
parseReleaseRHEL,
|
|
||||||
- "registry.access.redhat.com",
|
|
||||||
- "ubi8",
|
|
||||||
- false,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
)
|
|
||||||
@@ -305,21 +300,8 @@ func GetFullyQualifiedImageFromDistros(image, release string) (string, error) {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
|
|
||||||
- var repository string
|
|
||||||
-
|
|
||||||
- if distroObj.RepositoryNeedsRelease {
|
|
||||||
- repository = fmt.Sprintf(distroObj.Repository, release)
|
|
||||||
- } else {
|
|
||||||
- repository = distroObj.Repository
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- imageFull := distroObj.Registry
|
|
||||||
-
|
|
||||||
- if repository != "" {
|
|
||||||
- imageFull = imageFull + "/" + repository
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- imageFull = imageFull + "/" + image
|
|
||||||
+ getFullyQualifiedImageImpl := distroObj.GetFullyQualifiedImage
|
|
||||||
+ imageFull := getFullyQualifiedImageImpl(image, release)
|
|
||||||
|
|
||||||
logrus.Debugf("Resolved image %s to %s", image, imageFull)
|
|
||||||
|
|
||||||
@@ -329,6 +311,23 @@ func GetFullyQualifiedImageFromDistros(image, release string) (string, error) {
|
|
||||||
return "", fmt.Errorf("failed to resolve image %s", image)
|
|
||||||
}
|
|
||||||
|
|
||||||
+func getFullyQualifiedImageFedora(image, release string) string {
|
|
||||||
+ imageFull := "registry.fedoraproject.org/" + image
|
|
||||||
+ return imageFull
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+func getFullyQualifiedImageRHEL(image, release string) string {
|
|
||||||
+ i := strings.IndexRune(release, '.')
|
|
||||||
+ if i == -1 {
|
|
||||||
+ panicMsg := fmt.Sprintf("release %s not in '<major>.<minor>' format", release)
|
|
||||||
+ panic(panicMsg)
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ releaseMajor := release[:i]
|
|
||||||
+ imageFull := "registry.access.redhat.com/ubi" + releaseMajor + "/" + image
|
|
||||||
+ return imageFull
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
// GetGroupForSudo returns the name of the sudoers group.
|
|
||||||
//
|
|
||||||
// Some distros call it 'sudo' (eg. Ubuntu) and some call it 'wheel' (eg. Fedora).
|
|
||||||
--
|
|
||||||
2.39.1
|
|
||||||
|
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,76 @@
|
|||||||
|
From 1cc9e07b7c36fe9f9784b40b58f0a2a3694dd328 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Debarshi Ray <rishi@fedoraproject.org>
|
||||||
|
Date: Thu, 13 Jul 2023 13:08:40 +0200
|
||||||
|
Subject: [PATCH] cmd/initContainer: Be aware of security hardened mount points
|
||||||
|
|
||||||
|
Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump
|
||||||
|
and /var/log/journal sit on security hardened mount points that are
|
||||||
|
marked as 'nosuid,nodev,noexec' [1]. In such cases, when Toolbx is used
|
||||||
|
rootless, an attempt to bind mount these locations read-only at runtime
|
||||||
|
with mount(8) fails because of permission problems:
|
||||||
|
# mount --rbind -o ro <source> <containerPath>
|
||||||
|
mount: <containerPath>: filesystem was mounted, but any subsequent
|
||||||
|
operation failed: Unknown error 5005.
|
||||||
|
|
||||||
|
(Note that the above error message from mount(8) was subsequently
|
||||||
|
improved to show something more meaningful than 'Unknown error' [2].)
|
||||||
|
|
||||||
|
The problem is that 'init-container' is running inside the container's
|
||||||
|
mount and user namespace, and the source paths were mounted inside the
|
||||||
|
host's namespace with 'nosuid,nodev,noexec'. The above mount(8) call
|
||||||
|
tries to remove the 'nosuid,nodev,noexec' flags from the mount point and
|
||||||
|
replace them with only 'ro', which is something that can't be done from
|
||||||
|
a child namespace.
|
||||||
|
|
||||||
|
Note that this doesn't fail when Toolbx is running as root. This is
|
||||||
|
because the container uses the host's user namespace and is able to
|
||||||
|
remove the 'nosuid,nodev,noexec' flags from the mount point and replace
|
||||||
|
them with only 'ro'. Even though it doesn't fail, the flags shouldn't
|
||||||
|
get replaced like that inside the container, because it removes the
|
||||||
|
security hardening of those mount points.
|
||||||
|
|
||||||
|
There's actually no benefit in bind mounting these paths as read-only.
|
||||||
|
It was historically done this way 'just to be safe' because a user isn't
|
||||||
|
expected to write to these locations from inside a container. However,
|
||||||
|
Toolbx doesn't intend to provide any heightened security beyond what's
|
||||||
|
already available on the host.
|
||||||
|
|
||||||
|
Hence, it's better to get out of the way and leave it to the permissions
|
||||||
|
on the source location from the host operating system to guard the
|
||||||
|
castle. This is accomplished by not passing any file system options to
|
||||||
|
mount(8) [1].
|
||||||
|
|
||||||
|
Based on an idea from Si.
|
||||||
|
|
||||||
|
[1] https://man7.org/linux/man-pages/man8/mount.8.html
|
||||||
|
|
||||||
|
[2] util-linux commit 9420ca34dc8b6f0f
|
||||||
|
https://github.com/util-linux/util-linux/commit/9420ca34dc8b6f0f
|
||||||
|
https://github.com/util-linux/util-linux/pull/2376
|
||||||
|
|
||||||
|
https://github.com/containers/toolbox/issues/911
|
||||||
|
---
|
||||||
|
src/cmd/initContainer.go | 6 +++---
|
||||||
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
|
||||||
|
index 222aa42e1036..41b825b33f58 100644
|
||||||
|
--- a/src/cmd/initContainer.go
|
||||||
|
+++ b/src/cmd/initContainer.go
|
||||||
|
@@ -62,10 +62,10 @@ var (
|
||||||
|
{"/run/udev/data", "/run/host/run/udev/data", ""},
|
||||||
|
{"/run/udev/tags", "/run/host/run/udev/tags", ""},
|
||||||
|
{"/tmp", "/run/host/tmp", "rslave"},
|
||||||
|
- {"/var/lib/flatpak", "/run/host/var/lib/flatpak", "ro"},
|
||||||
|
+ {"/var/lib/flatpak", "/run/host/var/lib/flatpak", ""},
|
||||||
|
{"/var/lib/libvirt", "/run/host/var/lib/libvirt", ""},
|
||||||
|
- {"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", "ro"},
|
||||||
|
- {"/var/log/journal", "/run/host/var/log/journal", "ro"},
|
||||||
|
+ {"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", ""},
|
||||||
|
+ {"/var/log/journal", "/run/host/var/log/journal", ""},
|
||||||
|
{"/var/mnt", "/run/host/var/mnt", "rslave"},
|
||||||
|
}
|
||||||
|
)
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -1,51 +1,70 @@
|
|||||||
%global __brp_check_rpaths %{nil}
|
%global __brp_check_rpaths %{nil}
|
||||||
|
|
||||||
# RHEL's RPM toolchain doesn't like the compressed DWARF data generated by the
|
|
||||||
# Go toolchain.
|
|
||||||
%global _dwz_low_mem_die_limit 0
|
|
||||||
%global _find_debuginfo_dwz_opts %{nil}
|
|
||||||
|
|
||||||
Name: toolbox
|
Name: toolbox
|
||||||
Version: 0.0.99.3
|
Version: 0.0.99.4
|
||||||
|
|
||||||
%global goipath github.com/containers/%{name}
|
%global goipath github.com/containers/%{name}
|
||||||
%gometa
|
|
||||||
|
|
||||||
Release: 9%{?dist}
|
%if 0%{?rhel} == 9
|
||||||
|
%gometa
|
||||||
|
%else
|
||||||
|
%gometa -f
|
||||||
|
%endif
|
||||||
|
|
||||||
|
Release: 5%{?dist}
|
||||||
Summary: Tool for containerized command line environments on Linux
|
Summary: Tool for containerized command line environments on Linux
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: https://containertoolbx.org/
|
URL: https://containertoolbx.org/
|
||||||
|
Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}-vendored.tar.xz
|
||||||
# https://github.com/containers/%%{name}/releases/download/%%{version}/%%{name}-%%{version}.tar.xz
|
%if 0%{?rhel}
|
||||||
# A vendored tarball was created from the upstream tarball:
|
|
||||||
# $ cd src
|
|
||||||
# $ go mod vendor
|
|
||||||
Source0: %{name}-%{version}-vendored.tar.xz
|
|
||||||
Source1: %{name}.conf
|
Source1: %{name}.conf
|
||||||
|
%endif
|
||||||
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2033282
|
# Upstream
|
||||||
Patch0: toolbox-Unbreak-sorting-and-clearly-identify-copied-images-in-list.patch
|
Patch0: toolbox-Don-t-use-podman-1-when-generating-the-comp.patch
|
||||||
|
Patch1: toolbox-Don-t-validate-subordinate-IDs-when-generat.patch
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=2163752
|
Patch2: toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch
|
||||||
Patch1: toolbox-Support-RHEL-9-containers.patch
|
|
||||||
|
|
||||||
# RHEL specific
|
# RHEL specific
|
||||||
Patch100: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
|
Patch100: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
|
||||||
Patch101: toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch
|
Patch101: toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch
|
||||||
|
%if 0%{?rhel}
|
||||||
Patch102: toolbox-Add-migration-paths-for-coreos-toolbox-users.patch
|
Patch102: toolbox-Add-migration-paths-for-coreos-toolbox-users.patch
|
||||||
|
%endif
|
||||||
|
|
||||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1905383
|
BuildRequires: gcc
|
||||||
ExcludeArch: %{ix86}
|
BuildRequires: go-md2man
|
||||||
|
BuildRequires: golang >= 1.20.6-4
|
||||||
BuildRequires: golang >= 1.19.4
|
|
||||||
BuildRequires: /usr/bin/go-md2man
|
|
||||||
BuildRequires: meson >= 0.58.0
|
BuildRequires: meson >= 0.58.0
|
||||||
BuildRequires: pkgconfig(bash-completion)
|
BuildRequires: pkgconfig(bash-completion)
|
||||||
|
BuildRequires: shadow-utils-subid-devel
|
||||||
|
BuildRequires: systemd
|
||||||
BuildRequires: systemd-rpm-macros
|
BuildRequires: systemd-rpm-macros
|
||||||
|
%if ! 0%{?rhel}
|
||||||
|
BuildRequires: golang(github.com/HarryMichal/go-version) >= 1.0.1
|
||||||
|
BuildRequires: golang(github.com/acobaugh/osrelease) >= 0.1.0
|
||||||
|
BuildRequires: golang(github.com/briandowns/spinner) >= 1.17.0
|
||||||
|
BuildRequires: golang(github.com/docker/go-units) >= 0.4.0
|
||||||
|
BuildRequires: golang(github.com/fsnotify/fsnotify) >= 1.5.1
|
||||||
|
BuildRequires: golang(github.com/godbus/dbus) >= 5.0.6
|
||||||
|
BuildRequires: golang(github.com/sirupsen/logrus) >= 1.8.1
|
||||||
|
BuildRequires: golang(github.com/spf13/cobra) >= 1.3.0
|
||||||
|
BuildRequires: golang(github.com/spf13/viper) >= 1.10.1
|
||||||
|
BuildRequires: golang(golang.org/x/sys/unix)
|
||||||
|
BuildRequires: golang(golang.org/x/term)
|
||||||
|
BuildRequires: pkgconfig(fish)
|
||||||
|
# for tests
|
||||||
|
# BuildRequires: codespell
|
||||||
|
# BuildRequires: golang(github.com/stretchr/testify) >= 1.7.0
|
||||||
|
# BuildRequires: ShellCheck
|
||||||
|
%endif
|
||||||
|
|
||||||
Requires: containers-common
|
Requires: containers-common
|
||||||
Requires: podman >= 1.4.0
|
Requires: podman >= 1.4.0
|
||||||
|
%if ! 0%{?rhel}
|
||||||
|
Requires: flatpak-session-helper
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -62,6 +81,9 @@ Requires: coreutils
|
|||||||
Requires: gawk
|
Requires: gawk
|
||||||
Requires: grep
|
Requires: grep
|
||||||
Requires: skopeo
|
Requires: skopeo
|
||||||
|
%if ! 0%{?rhel}
|
||||||
|
Requires: bats
|
||||||
|
%endif
|
||||||
|
|
||||||
%description tests
|
%description tests
|
||||||
The %{name}-tests package contains system tests for %{name}.
|
The %{name}-tests package contains system tests for %{name}.
|
||||||
@ -69,9 +91,9 @@ The %{name}-tests package contains system tests for %{name}.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
%ifnarch ppc64
|
%ifnarch ppc64
|
||||||
%patch100 -p1
|
%patch100 -p1
|
||||||
@ -79,51 +101,52 @@ The %{name}-tests package contains system tests for %{name}.
|
|||||||
%patch101 -p1
|
%patch101 -p1
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
|
%if 0%{?rhel}
|
||||||
%patch102 -p1
|
%patch102 -p1
|
||||||
|
%endif
|
||||||
|
|
||||||
# %%gomkdir is absent from RHEL 8.
|
%gomkdir -s %{_builddir}/%{extractdir}/src %{?rhel:-k}
|
||||||
GOBUILDDIR="$(pwd)/_build"
|
|
||||||
GOSOURCEDIR="$(pwd)"
|
|
||||||
if [[ ! -e "$GOBUILDDIR/bin" ]] ; then
|
|
||||||
install -m 0755 -vd "$GOBUILDDIR/bin"
|
|
||||||
fi
|
|
||||||
if [[ ! -e "$GOBUILDDIR/src/%{goipath}" ]] ; then
|
|
||||||
install -m 0755 -vd "$(dirname $GOBUILDDIR/src/%{goipath})"
|
|
||||||
ln -fs "$GOSOURCEDIR" "$GOBUILDDIR/src/%{goipath}"
|
|
||||||
fi
|
|
||||||
cd "$GOBUILDDIR/src/%{goipath}"
|
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
export GO111MODULE=off
|
export %{gomodulesmode}
|
||||||
GOBUILDDIR="$(pwd)/_build"
|
export GOPATH=%{gobuilddir}:%{gopath}
|
||||||
export GOPATH="$GOBUILDDIR:%{gopath}"
|
|
||||||
export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
|
export CGO_CFLAGS="%{optflags} -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64"
|
||||||
ln -s src/cmd cmd
|
|
||||||
ln -s src/pkg pkg
|
|
||||||
ln -s src/vendor vendor
|
|
||||||
|
|
||||||
%meson \
|
%meson \
|
||||||
--buildtype=plain \
|
%if 0%{?rhel}
|
||||||
|
-Dfish_completions_dir=%{_datadir}/fish/vendor_completions.d \
|
||||||
-Dmigration_path_for_coreos_toolbox=true \
|
-Dmigration_path_for_coreos_toolbox=true \
|
||||||
|
%endif
|
||||||
-Dprofile_dir=%{_sysconfdir}/profile.d \
|
-Dprofile_dir=%{_sysconfdir}/profile.d \
|
||||||
-Dtmpfiles_dir=%{_tmpfilesdir}
|
-Dtmpfiles_dir=%{_tmpfilesdir} \
|
||||||
|
-Dzsh_completions_dir=%{_datadir}/zsh/site-functions
|
||||||
|
|
||||||
%meson_build
|
%meson_build
|
||||||
|
|
||||||
|
|
||||||
|
# %%check
|
||||||
|
# %%meson_test
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%meson_install
|
%meson_install
|
||||||
|
|
||||||
|
%if 0%{?rhel}
|
||||||
install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf
|
install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf
|
||||||
|
%endif
|
||||||
|
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%doc CODE-OF-CONDUCT.md NEWS README.md SECURITY.md
|
%doc CODE-OF-CONDUCT.md NEWS README.md SECURITY.md
|
||||||
%license COPYING
|
%license COPYING %{?rhel:src/vendor/modules.txt}
|
||||||
%{_bindir}/%{name}
|
%{_bindir}/%{name}
|
||||||
%{_datadir}/bash-completion
|
%{_datadir}/bash-completion
|
||||||
|
%{_datadir}/fish
|
||||||
|
%{_datadir}/zsh
|
||||||
%{_mandir}/man1/%{name}.1*
|
%{_mandir}/man1/%{name}.1*
|
||||||
%{_mandir}/man1/%{name}-*.1*
|
%{_mandir}/man1/%{name}-*.1*
|
||||||
|
%{_mandir}/man5/%{name}.conf.5*
|
||||||
%config(noreplace) %{_sysconfdir}/containers/%{name}.conf
|
%config(noreplace) %{_sysconfdir}/containers/%{name}.conf
|
||||||
%{_sysconfdir}/profile.d/%{name}.sh
|
%{_sysconfdir}/profile.d/%{name}.sh
|
||||||
%{_tmpfilesdir}/%{name}.conf
|
%{_tmpfilesdir}/%{name}.conf
|
||||||
@ -133,6 +156,27 @@ install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Aug 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-5
|
||||||
|
- Be aware of security hardened mount points
|
||||||
|
Resolves: #2222789
|
||||||
|
|
||||||
|
* Mon Aug 07 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-4
|
||||||
|
- Rebuild for CVE-2023-24539, CVE-2023-24540 and CVE-2023-29400
|
||||||
|
Resolves: #2221850
|
||||||
|
|
||||||
|
* Tue May 16 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-3
|
||||||
|
- Rebuild for CVE-2022-41723, CVE-2023-24534, CVE-2023-24536 and
|
||||||
|
CVE-2023-24538
|
||||||
|
Resolves: #2187337, #2187385, #2203706
|
||||||
|
|
||||||
|
* Tue May 16 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-2
|
||||||
|
- Rebuild for CVE-2022-41724 and CVE-2022-41725
|
||||||
|
Resolves: #2179968
|
||||||
|
|
||||||
|
* Mon Apr 03 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-1
|
||||||
|
- Update to 0.0.99.4
|
||||||
|
Resolves: #2165742
|
||||||
|
|
||||||
* Mon Feb 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.3-9
|
* Mon Feb 06 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.3-9
|
||||||
- Rebuild for CVE-2022-41717
|
- Rebuild for CVE-2022-41717
|
||||||
Resolves: #2164292
|
Resolves: #2164292
|
||||||
|
Loading…
Reference in New Issue
Block a user