From 70f5d2352ccbbbaf81dc36d6f0a2a58a4b1d4762 Mon Sep 17 00:00:00 2001
From: Debarshi Ray
Date: Mon, 25 Oct 2021 13:33:41 +0200
Subject: [PATCH] Restore backwards compatibility with existing containers

https://bugzilla.redhat.com/show_bug.cgi?id=1995439
---
 ...are-run-against-their-build-time-ABI.patch | 279 +++++++++++++++++-
 toolbox.spec | 5 +-
 2 files changed, 281 insertions(+), 3 deletions(-)

diff --git a/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch
index 9dda641..21892d0 100644
--- a/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch
+++ b/toolbox-Ensure-that-binaries-are-run-against-their-build-time-ABI.patch
@@ -1,7 +1,7 @@
 From 452dc797f7ef12235e4ede83735f5d554f54b012 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray
 Date: Thu, 21 Oct 2021 18:59:45 +0200
-Subject: [PATCH 1/2] tmpfiles.d: Style fix
+Subject: [PATCH 1/5] tmpfiles.d: Style fix
 
 The subsequent commit will add an entry to create a /run/host symbolic
 link on the host that points to /, and it will require explicitly
@@ -27,7 +27,7 @@ index f22b64a0f97c..bdffe7c09639 100644
 From 6063eb27b98939942e316771224c5653a9b2e59b Mon Sep 17 00:00:00 2001
 From: Debarshi Ray
 Date: Thu, 21 Oct 2021 20:22:11 +0200
-Subject: [PATCH 2/2] build: Ensure that binaries are run against their
+Subject: [PATCH 2/5] build: Ensure that binaries are run against their
 build-time ABI
 
 The /usr/bin/toolbox binary is not only used to interact with toolbox
@@ -260,3 +260,278 @@ index f76606da3271..759db1f1e900 100644
 --
 2.31.1
 
+
+From c33075f3e1c0bad9883caa8d8f7c8ca3d947d2ea Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?=
+Date: Fri, 22 Oct 2021 15:21:41 +0300
+Subject: [PATCH 3/5] playbooks: Unify test setup for system & unit tests
+
+There is no significant benefit in keeping this configuration separated.
+Now the to-be installed packages are tracked in a single place and the
+test playbooks only call the relevant tests.
+
+This was pointed out by in 6063eb27b98939942e316771224c5653a9b2e59b
+
+https://github.com/containers/toolbox/pull/898
+---
+ .zuul.yaml | 1 +
+ playbooks/setup-env.yaml | 18 ++++++++++++++++++
+ playbooks/system-test.yaml | 24 +-----------------------
+ playbooks/unit-test.yaml | 21 ---------------------
+ 4 files changed, 20 insertions(+), 44 deletions(-)
+
+diff --git a/.zuul.yaml b/.zuul.yaml
+index 1ec2f59738eb..1543b8a04b51 100644
+--- a/.zuul.yaml
++++ b/.zuul.yaml
+@@ -7,6 +7,7 @@
+ nodes:
+ - name: ci-node-33
+ label: cloud-fedora-33-small
++ pre-run: playbooks/setup-env.yaml
+ run: playbooks/unit-test.yaml
+
+ - job:
+diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
+index 7ac9b46ee3ad..460ca9977a9e 100644
+--- a/playbooks/setup-env.yaml
++++ b/playbooks/setup-env.yaml
+@@ -40,3 +40,21 @@
+
+ - name: Show podman debug information
+ command: podman info --debug
++
++ - name: Set up build directory
++ command: meson builddir
++ args:
++ chdir: '{{ zuul.project.src_dir }}'
++
++ - name: Build Toolbox
++ command: ninja -C builddir
++ args:
++ chdir: '{{ zuul.project.src_dir }}'
++ creates: builddir/src/toolbox
++
++ - name: Install Toolbox
++ become: yes
++ command: ninja -C builddir install
++ args:
++ chdir: '{{ zuul.project.src_dir }}'
++ creates: /usr/local/bin/toolbox
+diff --git a/playbooks/system-test.yaml b/playbooks/system-test.yaml
+index c2eff3f0d77a..0249548acc5d 100644
+--- a/playbooks/system-test.yaml
++++ b/playbooks/system-test.yaml
+@@ -1,32 +1,10 @@
+ ---
+ - hosts: all
+-
+- vars:
+- toolbox_bin: '/usr/local/bin/toolbox'
+-
+ tasks:
+- - name: Set up build directory
+- command: meson builddir
+- args:
+- chdir: '{{ zuul.project.src_dir }}'
+-
+- - name: Build Toolbox
+- command: ninja -C builddir
+- args:
+- chdir: '{{ zuul.project.src_dir }}'
+- creates: builddir/src/toolbox
+-
+- - name: Install Toolbox
+- become: yes
+- command: ninja -C builddir install
+- args:
+- chdir: '{{ zuul.project.src_dir }}'
+- creates: '{{ toolbox_bin }}'
+-
+ - name: Run system tests
+ command: bats --timing ./test/system
+ environment:
+ PODMAN: '/usr/bin/podman'
+- TOOLBOX: '{{ toolbox_bin }}'
++ TOOLBOX: '/usr/local/bin/toolbox'
+ args:
+ chdir: '{{ zuul.project.src_dir }}'
+diff --git a/playbooks/unit-test.yaml b/playbooks/unit-test.yaml
+index 9be98e7bd86a..2212521c5b9e 100644
+--- a/playbooks/unit-test.yaml
++++ b/playbooks/unit-test.yaml
+@@ -1,27 +1,6 @@
+ ---
+ - hosts: all
+ tasks:
+- - name: Install requirements
+- become: yes
+- package:
+- name:
+- - golang
+- - golang-github-cpuguy83-md2man
+- - ninja-build
+- - meson
+- - ShellCheck
+-
+- - name: Set up build directory
+- command: meson builddir
+- args:
+- chdir: '{{ zuul.project.src_dir }}'
+-
+- - name: Build Toolbox
+- command: ninja -C builddir
+- args:
+- chdir: '{{ zuul.project.src_dir }}'
+- creates: builddir/src/toolbox
+-
+ - name: Test
+ command: ninja -C builddir test
+ args:
+--
+2.31.1
+
+
+From 69ffc888ca9d481f9f208179949c179d12078501 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?=
+Date: Fri, 22 Oct 2021 15:25:20 +0300
+Subject: [PATCH 4/5] playbooks: Fix CI for #897
+
+PR #897 made adjustmnets to the Toolbx binary that it requires presence
+of /run/host in both the host filesystem and the filesystem in
+a container.
+
+The presence of the directory is assured by systemd-tmpfiles by
+running it before the binary is started for the first time. For the run
+to be effective 'data/tmpfiles.d/toolbox.conf' has to be installed in
+a location visible to systemd-tmpfiles. Therefore, the call to
+'systemd-tmpfiles --create' had to be placed after the install step.
+
+https://github.com/containers/toolbox/pull/898
+---
+ playbooks/setup-env.yaml | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
+index 460ca9977a9e..2f858bcf722c 100644
+--- a/playbooks/setup-env.yaml
++++ b/playbooks/setup-env.yaml
+@@ -26,14 +26,8 @@
+ args:
+ chdir: '{{ zuul.project.src_dir }}'
+
+- - name: Setup environment
+- become: yes
+- command:
+- cmd: systemd-tmpfiles --create
+- creates: /run/media
+-
+ - name: Check versions of crucial packages
+- command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper
++ command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper patchelf
+
+ - name: Show podman versions
+ command: podman version
+@@ -58,3 +52,10 @@
+ args:
+ chdir: '{{ zuul.project.src_dir }}'
+ creates: /usr/local/bin/toolbox
++
++ - name: Setup environment
++ become: yes
++ command:
++ cmd: systemd-tmpfiles --create
++ creates: /run/media
++ creates: /run/host
+--
+2.31.1
+
+
+From 5429d5e099af96f7af1f9be58ba354fe332b59e9 Mon Sep 17 00:00:00 2001
+From: Debarshi Ray
+Date: Mon, 25 Oct 2021 02:55:09 +0200
+Subject: [PATCH 5/5] build: Restore backwards compatibility with existing
+ containers
+
+The path of the dynamic linker (ie., PT_INTERP), as specified in an
+architecture's ABI, often starts with /lib or /lib64, not /usr/lib or
+/usr/lib64. eg., it's /lib/ld-linux-aarch64.so.1 for aarch64 and
+/lib64/ld-linux-x86-64.so.2 for x86_64.
+
+Unfortunately, until very recently [1], only the host's /usr was
+present inside a toolbox container's /run/host, not /lib or /lib64.
+Therefore, simply prepending /run/host to the /usr/bin/toolbox
+binary's existing PT_INTERP entry wouldn't locate the host's dynamic
+linker inside the toolbox container. This broke backwards compatibility
+with every container out there, except the ones created with the
+current development version in Git.
+
+To restore backwards compatibility, the /lib and /lib64 symbolic links
+must be resolved to their respective locations inside /usr.
+
+The following caveats must be noted:
+
+ * With glibc, even the basename of the path of the dynamic linker as
+ specified in an architecture's ABI, is a symbolic link to a file
+ named ld-.so. However, this file can't be used as
+ the PT_INTERP entry, because its name will change when glibc is
+ updated and the PT_INTERP entry will become invalid until the
+ /usr/bin/toolbox binary is rebuilt.
+
+ * On Debian, a path like /lib64/ld-linux-x86-64.so.2 doesn't resolve
+ to something inside /usr/lib64. Instead it ends up inside
+ /usr/lib/x86_64-linux-gnu through a series of symbolic links:
+ - /lib64 -> usr/lib64
+ - /usr/lib64/ld-linux-x86-64.so.2
+ -> /lib/x86_64-linux-gnu/ld-2.28.so
+ - /lib -> usr/lib
+
+ * It's assumed that a symbolic link with the basename specified in
+ the ABI lives in the same directory as the actual dynamic linker
+ binary named ld-.so.
+
+Fallout from 6063eb27b98939942e316771224c5653a9b2e59b
+
+[1] Commit d03a5fee80f2f72d
+ https://github.com/containers/toolbox/pull/827
+
+https://github.com/containers/toolbox/issues/821
+---
+ src/go-build-wrapper | 21 +++++++++++++++++++--
+ 1 file changed, 19 insertions(+), 2 deletions(-)
+
+diff --git a/src/go-build-wrapper b/src/go-build-wrapper
+index 677dca94bd5a..24eac674c9ac 100755
+--- a/src/go-build-wrapper
++++ b/src/go-build-wrapper
+@@ -34,8 +34,25 @@ if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
+ exit 1
+ fi
+
+-if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then
+- echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2
++if ! interpreter_canonical=$(readlink --canonicalize "$interpreter"); then
++ echo "go-build-wrapper: failed to canonicalize PT_INTERP" >&2
++ exit 1
++fi
++
++if ! interpreter_basename=$(basename "$interpreter"); then
++ echo "go-build-wrapper: failed to read the basename of PT_INTERP" >&2
++ exit 1
++fi
++
++if ! interpreter_canonical_dirname=$(dirname "$interpreter_canonical"); then
++ echo "go-build-wrapper: failed to read the dirname of the canonicalized PT_INTERP" >&2
++ exit 1
++fi
++
++interpreter="/run/host$interpreter_canonical_dirname/$interpreter_basename"
++
++if ! patchelf --set-interpreter "$interpreter" "$2/toolbox"; then
++ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to $interpreter" >&2
+ exit 1
+ fi
+
+--
+2.31.1
+
diff --git a/toolbox.spec b/toolbox.spec
index 4aac6d1..c4f7f4b 100644
--- a/toolbox.spec
+++ b/toolbox.spec
@@ -6,7 +6,7 @@ Version: 0.0.99.2^3.git075b9a8d2779
 %global goipath github.com/containers/%{name}
 %gometa
 
-Release: 8%{?dist}
+Release: 9%{?dist}
 
 Summary: Tool for containerized command line environments on Linux
 License: ASL 2.0
@@ -193,6 +193,9 @@ ln -s src/pkg pkg
 %changelog
+* Mon Oct 25 2021 Debarshi Ray - 0.0.99.2^3.git075b9a8d2779-9
+- Restore backwards compatibility with existing containers
+
 * Fri Oct 22 2021 Debarshi Ray - 0.0.99.2^3.git075b9a8d2779-8
 - Ensure that binaries are run against their build-time ABI
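Review bot: The re-added `Setup environment` task in patch 4/5's second `playbooks/setup-env.yaml` hunk (`@@ -58,3 +52,10 @@`) has two `creates:` keys under the same `command:` mapping, `creates: /run/media` followed by `creates: /run/host`, which is a duplicate YAML key; a loader keeps only one of them (Ansible, as far as I know, warns and uses the last value by default), so the `/run/media` guard is silently dropped rather than combined with the new one. Since `creates` takes a single path, keep only `creates: /run/host` — the path this series actually depends on — or drop `creates` and gate the task with a `stat` result via `when`. Separately, in patch 5/5's `src/go-build-wrapper` hunk, `readlink --canonicalize` still succeeds when the path does not exist on the build host, so the `failed to canonicalize PT_INTERP` branch cannot catch a missing dynamic linker; `readlink --canonicalize-existing "$interpreter"` would fail the build instead of emitting a binary whose PT_INTERP cannot resolve. The go-build-wrapper script continues before and after that hunk.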