Restore backwards compatibility with existing containers

https://bugzilla.redhat.com/show_bug.cgi?id=1995439
2021-10-25 13:33:41 +02:00 · 2021-10-25 13:33:41 +02:00 · 70f5d2352c
commit 70f5d2352c
parent 01cc5e6ecc
2 changed files with 281 additions and 3 deletions
--- a/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch
+++ b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch
@ -1,7 +1,7 @@
 From 452dc797f7ef12235e4ede83735f5d554f54b012 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Thu, 21 Oct 2021 18:59:45 +0200
-Subject: [PATCH 1/2] tmpfiles.d: Style fix
+Subject: [PATCH 1/5] tmpfiles.d: Style fix

 The subsequent commit will add an entry to create a /run/host symbolic
 link on the host that points to /, and it will require explicitly
@ -27,7 +27,7 @@ index f22b64a0f97c..bdffe7c09639 100644
 From 6063eb27b98939942e316771224c5653a9b2e59b Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Thu, 21 Oct 2021 20:22:11 +0200
-Subject: [PATCH 2/2] build: Ensure that binaries are run against their
+Subject: [PATCH 2/5] build: Ensure that binaries are run against their
 build-time ABI

 The /usr/bin/toolbox binary is not only used to interact with toolbox
@ -260,3 +260,278 @@ index f76606da3271..759db1f1e900 100644
 -- 
 2.31.1

+
+From c33075f3e1c0bad9883caa8d8f7c8ca3d947d2ea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
+Date: Fri, 22 Oct 2021 15:21:41 +0300
+Subject: [PATCH 3/5] playbooks: Unify test setup for system & unit tests
+
+There is no significant benefit in keeping this configuration separated.
+Now the to-be installed packages are tracked in a single place and the
+test playbooks only call the relevant tests.
+
+This was pointed out by in 6063eb27b98939942e316771224c5653a9b2e59b
+
+https://github.com/containers/toolbox/pull/898
+---
+ .zuul.yaml                 |  1 +
+ playbooks/setup-env.yaml   | 18 ++++++++++++++++++
+ playbooks/system-test.yaml | 24 +-----------------------
+ playbooks/unit-test.yaml   | 21 ---------------------
+ 4 files changed, 20 insertions(+), 44 deletions(-)
+
+diff --git a/.zuul.yaml b/.zuul.yaml
+index 1ec2f59738eb..1543b8a04b51 100644
+--- a/.zuul.yaml
+++ b/.zuul.yaml
+@@ -7,6 +7,7 @@
+       nodes:
+         - name: ci-node-33
+           label: cloud-fedora-33-small
+    pre-run: playbooks/setup-env.yaml
+     run: playbooks/unit-test.yaml
+ 
+ - job:
+diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
+index 7ac9b46ee3ad..460ca9977a9e 100644
+--- a/playbooks/setup-env.yaml
+++ b/playbooks/setup-env.yaml
+@@ -40,3 +40,21 @@
+ 
+     - name: Show podman debug information
+       command: podman info --debug
+
+    - name: Set up build directory
+      command: meson builddir
+      args:
+        chdir: '{{ zuul.project.src_dir }}'
+
+    - name: Build Toolbox
+      command: ninja -C builddir
+      args:
+        chdir: '{{ zuul.project.src_dir }}'
+        creates: builddir/src/toolbox
+
+    - name: Install Toolbox
+      become: yes
+      command: ninja -C builddir install
+      args:
+        chdir: '{{ zuul.project.src_dir }}'
+        creates: /usr/local/bin/toolbox
+diff --git a/playbooks/system-test.yaml b/playbooks/system-test.yaml
+index c2eff3f0d77a..0249548acc5d 100644
+--- a/playbooks/system-test.yaml
+++ b/playbooks/system-test.yaml
+@@ -1,32 +1,10 @@
+ ---
+ - hosts: all
+-
+-  vars:
+-    toolbox_bin: '/usr/local/bin/toolbox'
+-
+   tasks:
+-    - name: Set up build directory
+-      command: meson builddir
+-      args:
+-        chdir: '{{ zuul.project.src_dir }}'
+-
+-    - name: Build Toolbox
+-      command: ninja -C builddir
+-      args:
+-        chdir: '{{ zuul.project.src_dir }}'
+-        creates: builddir/src/toolbox
+-
+-    - name: Install Toolbox
+-      become: yes
+-      command: ninja -C builddir install
+-      args:
+-        chdir: '{{ zuul.project.src_dir }}'
+-        creates: '{{ toolbox_bin }}'
+-
+     - name: Run system tests
+       command: bats --timing ./test/system
+       environment:
+         PODMAN: '/usr/bin/podman'
+-        TOOLBOX: '{{ toolbox_bin }}'
+        TOOLBOX: '/usr/local/bin/toolbox'
+       args:
+         chdir: '{{ zuul.project.src_dir }}'
+diff --git a/playbooks/unit-test.yaml b/playbooks/unit-test.yaml
+index 9be98e7bd86a..2212521c5b9e 100644
+--- a/playbooks/unit-test.yaml
+++ b/playbooks/unit-test.yaml
+@@ -1,27 +1,6 @@
+ ---
+ - hosts: all
+   tasks:
+-    - name: Install requirements
+-      become: yes
+-      package:
+-        name:
+-          - golang
+-          - golang-github-cpuguy83-md2man
+-          - ninja-build
+-          - meson
+-          - ShellCheck
+-
+-    - name: Set up build directory
+-      command: meson builddir
+-      args:
+-        chdir: '{{ zuul.project.src_dir }}'
+-
+-    - name: Build Toolbox
+-      command: ninja -C builddir
+-      args:
+-        chdir: '{{ zuul.project.src_dir }}'
+-        creates: builddir/src/toolbox
+-
+     - name: Test
+       command: ninja -C builddir test
+       args:
+-- 
+2.31.1
+
+
+From 69ffc888ca9d481f9f208179949c179d12078501 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
+Date: Fri, 22 Oct 2021 15:25:20 +0300
+Subject: [PATCH 4/5] playbooks: Fix CI for #897
+
+PR #897 made adjustmnets to the Toolbx binary that it requires presence
+of /run/host in both the host filesystem and the filesystem in
+a container.
+
+The presence of the directory is assured by systemd-tmpfiles by
+running it before the binary is started for the first time. For the run
+to be effective 'data/tmpfiles.d/toolbox.conf' has to be installed in
+a location visible to systemd-tmpfiles. Therefore, the call to
+'systemd-tmpfiles --create' had to be placed after the install step.
+
+https://github.com/containers/toolbox/pull/898
+---
+ playbooks/setup-env.yaml | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
+index 460ca9977a9e..2f858bcf722c 100644
+--- a/playbooks/setup-env.yaml
+++ b/playbooks/setup-env.yaml
+@@ -26,14 +26,8 @@
+       args:
+         chdir: '{{ zuul.project.src_dir }}'
+ 
+-    - name: Setup environment
+-      become: yes
+-      command:
+-        cmd: systemd-tmpfiles --create
+-        creates: /run/media
+-
+     - name: Check versions of crucial packages
+-      command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper
+      command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper patchelf
+ 
+     - name: Show podman versions
+       command: podman version
+@@ -58,3 +52,10 @@
+       args:
+         chdir: '{{ zuul.project.src_dir }}'
+         creates: /usr/local/bin/toolbox
+
+    - name: Setup environment
+      become: yes
+      command:
+        cmd: systemd-tmpfiles --create
+        creates: /run/media
+        creates: /run/host
+-- 
+2.31.1
+
+
+From 5429d5e099af96f7af1f9be58ba354fe332b59e9 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray <rishi@fedoraproject.org>
+Date: Mon, 25 Oct 2021 02:55:09 +0200
+Subject: [PATCH 5/5] build: Restore backwards compatibility with existing
+ containers
+
+The path of the dynamic linker (ie., PT_INTERP), as specified in an
+architecture's ABI, often starts with /lib or /lib64, not /usr/lib or
+/usr/lib64. eg., it's /lib/ld-linux-aarch64.so.1 for aarch64 and
+/lib64/ld-linux-x86-64.so.2 for x86_64.
+
+Unfortunately, until very recently [1], only the host's /usr was
+present inside a toolbox container's /run/host, not /lib or /lib64.
+Therefore, simply prepending /run/host to the /usr/bin/toolbox
+binary's existing PT_INTERP entry wouldn't locate the host's dynamic
+linker inside the toolbox container. This broke backwards compatibility
+with every container out there, except the ones created with the
+current development version in Git.
+
+To restore backwards compatibility, the /lib and /lib64 symbolic links
+must be resolved to their respective locations inside /usr.
+
+The following caveats must be noted:
+
+  * With glibc, even the basename of the path of the dynamic linker as
+    specified in an architecture's ABI, is a symbolic link to a file
+    named ld-<glibc-version>.so. However, this file can't be used as
+    the PT_INTERP entry, because its name will change when glibc is
+    updated and the PT_INTERP entry will become invalid until the
+    /usr/bin/toolbox binary is rebuilt.
+
+  * On Debian, a path like /lib64/ld-linux-x86-64.so.2 doesn't resolve
+    to something inside /usr/lib64. Instead it ends up inside
+    /usr/lib/x86_64-linux-gnu through a series of symbolic links:
+      - /lib64 -> usr/lib64
+      - /usr/lib64/ld-linux-x86-64.so.2
+          -> /lib/x86_64-linux-gnu/ld-2.28.so
+      - /lib -> usr/lib
+
+  * It's assumed that a symbolic link with the basename specified in
+    the ABI lives in the same directory as the actual dynamic linker
+    binary named ld-<glibc-version>.so.
+
+Fallout from 6063eb27b98939942e316771224c5653a9b2e59b
+
+[1] Commit d03a5fee80f2f72d
+    https://github.com/containers/toolbox/pull/827
+
+https://github.com/containers/toolbox/issues/821
+---
+ src/go-build-wrapper | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/src/go-build-wrapper b/src/go-build-wrapper
+index 677dca94bd5a..24eac674c9ac 100755
+--- a/src/go-build-wrapper
+++ b/src/go-build-wrapper
+@@ -34,8 +34,25 @@ if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
+     exit 1
+ fi
+ 
+-if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then
+-    echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2
+if ! interpreter_canonical=$(readlink --canonicalize "$interpreter"); then
+    echo "go-build-wrapper: failed to canonicalize PT_INTERP" >&2
+    exit 1
+fi
+
+if ! interpreter_basename=$(basename "$interpreter"); then
+    echo "go-build-wrapper: failed to read the basename of PT_INTERP" >&2
+    exit 1
+fi
+
+if ! interpreter_canonical_dirname=$(dirname "$interpreter_canonical"); then
+    echo "go-build-wrapper: failed to read the dirname of the canonicalized PT_INTERP" >&2
+    exit 1
+fi
+
+interpreter="/run/host$interpreter_canonical_dirname/$interpreter_basename"
+
+if ! patchelf --set-interpreter "$interpreter" "$2/toolbox"; then
+    echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to $interpreter" >&2
+     exit 1
+ fi
+ 
+-- 
+2.31.1
+
--- a/toolbox.spec
+++ b/toolbox.spec
@ -6,7 +6,7 @@ Version:       0.0.99.2^3.git075b9a8d2779
 %global goipath github.com/containers/%{name}
 %gometa

-Release:       8%{?dist}
+Release:       9%{?dist}
 Summary:       Tool for containerized command line environments on Linux

 License:       ASL 2.0
@ -193,6 +193,9 @@ ln -s src/pkg pkg


 %changelog
+* Mon Oct 25 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-9
+- Restore backwards compatibility with existing containers
+
 * Fri Oct 22 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-8
 - Ensure that binaries are run against their build-time ABI