Restore backwards compatibility with existing containers

https://bugzilla.redhat.com/show_bug.cgi?id=1995439
Debarshi Ray 2021-10-25 13:33:41 +02:00
parent 01cc5e6ecc
commit 70f5d2352c
2 changed files with 281 additions and 3 deletions


@ -1,7 +1,7 @@
From 452dc797f7ef12235e4ede83735f5d554f54b012 Mon Sep 17 00:00:00 2001 From 452dc797f7ef12235e4ede83735f5d554f54b012 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org> From: Debarshi Ray <rishi@fedoraproject.org>
Date: Thu, 21 Oct 2021 18:59:45 +0200 Date: Thu, 21 Oct 2021 18:59:45 +0200
Subject: [PATCH 1/2] tmpfiles.d: Style fix Subject: [PATCH 1/5] tmpfiles.d: Style fix
The subsequent commit will add an entry to create a /run/host symbolic The subsequent commit will add an entry to create a /run/host symbolic
link on the host that points to /, and it will require explicitly link on the host that points to /, and it will require explicitly
@ -27,7 +27,7 @@ index f22b64a0f97c..bdffe7c09639 100644
From 6063eb27b98939942e316771224c5653a9b2e59b Mon Sep 17 00:00:00 2001 From 6063eb27b98939942e316771224c5653a9b2e59b Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org> From: Debarshi Ray <rishi@fedoraproject.org>
Date: Thu, 21 Oct 2021 20:22:11 +0200 Date: Thu, 21 Oct 2021 20:22:11 +0200
Subject: [PATCH 2/2] build: Ensure that binaries are run against their Subject: [PATCH 2/5] build: Ensure that binaries are run against their
build-time ABI build-time ABI
The /usr/bin/toolbox binary is not only used to interact with toolbox The /usr/bin/toolbox binary is not only used to interact with toolbox
@ -260,3 +260,278 @@ index f76606da3271..759db1f1e900 100644
-- --
2.31.1 2.31.1
From c33075f3e1c0bad9883caa8d8f7c8ca3d947d2ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
Date: Fri, 22 Oct 2021 15:21:41 +0300
Subject: [PATCH 3/5] playbooks: Unify test setup for system & unit tests
There is no significant benefit in keeping this configuration separated.
Now the to-be installed packages are tracked in a single place and the
test playbooks only call the relevant tests.
This was pointed out by in 6063eb27b98939942e316771224c5653a9b2e59b
https://github.com/containers/toolbox/pull/898
---
.zuul.yaml | 1 +
playbooks/setup-env.yaml | 18 ++++++++++++++++++
playbooks/system-test.yaml | 24 +-----------------------
playbooks/unit-test.yaml | 21 ---------------------
4 files changed, 20 insertions(+), 44 deletions(-)
diff --git a/.zuul.yaml b/.zuul.yaml
index 1ec2f59738eb..1543b8a04b51 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -7,6 +7,7 @@
nodes:
- name: ci-node-33
label: cloud-fedora-33-small
+ pre-run: playbooks/setup-env.yaml
run: playbooks/unit-test.yaml
- job:
diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
index 7ac9b46ee3ad..460ca9977a9e 100644
--- a/playbooks/setup-env.yaml
+++ b/playbooks/setup-env.yaml
@@ -40,3 +40,21 @@
- name: Show podman debug information
command: podman info --debug
+
+ - name: Set up build directory
+ command: meson builddir
+ args:
+ chdir: '{{ zuul.project.src_dir }}'
+
+ - name: Build Toolbox
+ command: ninja -C builddir
+ args:
+ chdir: '{{ zuul.project.src_dir }}'
+ creates: builddir/src/toolbox
+
+ - name: Install Toolbox
+ become: yes
+ command: ninja -C builddir install
+ args:
+ chdir: '{{ zuul.project.src_dir }}'
+ creates: /usr/local/bin/toolbox
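Review bot: the `meson builddir` task ('Set up build directory') is the only one of the three new tasks without a `creates:` guard; `ninja -C builddir` and the install step are skipped when their outputs exist, but meson exits non-zero when builddir is already configured, so a second run of setup-env.yaml on the same node fails at this step. Adding `creates: builddir` to its `args` keeps the sequence idempotent.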
diff --git a/playbooks/system-test.yaml b/playbooks/system-test.yaml
index c2eff3f0d77a..0249548acc5d 100644
--- a/playbooks/system-test.yaml
+++ b/playbooks/system-test.yaml
@@ -1,32 +1,10 @@
---
- hosts: all
-
- vars:
- toolbox_bin: '/usr/local/bin/toolbox'
-
tasks:
- - name: Set up build directory
- command: meson builddir
- args:
- chdir: '{{ zuul.project.src_dir }}'
-
- - name: Build Toolbox
- command: ninja -C builddir
- args:
- chdir: '{{ zuul.project.src_dir }}'
- creates: builddir/src/toolbox
-
- - name: Install Toolbox
- become: yes
- command: ninja -C builddir install
- args:
- chdir: '{{ zuul.project.src_dir }}'
- creates: '{{ toolbox_bin }}'
-
- name: Run system tests
command: bats --timing ./test/system
environment:
PODMAN: '/usr/bin/podman'
- TOOLBOX: '{{ toolbox_bin }}'
+ TOOLBOX: '/usr/local/bin/toolbox'
args:
chdir: '{{ zuul.project.src_dir }}'
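Review bot: dropping the `toolbox_bin` var leaves `/usr/local/bin/toolbox` hard-coded here and again in the `creates:` of the install task in setup-env.yaml; if the install prefix ever changes, both playbooks have to be edited in step, so a shared var (in the job's vars or a group_vars file) would be the cleaner way to unify them.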
diff --git a/playbooks/unit-test.yaml b/playbooks/unit-test.yaml
index 9be98e7bd86a..2212521c5b9e 100644
--- a/playbooks/unit-test.yaml
+++ b/playbooks/unit-test.yaml
@@ -1,27 +1,6 @@
---
- hosts: all
tasks:
- - name: Install requirements
- become: yes
- package:
- name:
- - golang
- - golang-github-cpuguy83-md2man
- - ninja-build
- - meson
- - ShellCheck
-
- - name: Set up build directory
- command: meson builddir
- args:
- chdir: '{{ zuul.project.src_dir }}'
-
- - name: Build Toolbox
- command: ninja -C builddir
- args:
- chdir: '{{ zuul.project.src_dir }}'
- creates: builddir/src/toolbox
-
- name: Test
command: ninja -C builddir test
args:
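Review bot: the removed `Install requirements` task is this job's only source of golang, golang-github-cpuguy83-md2man, ninja-build, meson and ShellCheck, and the setup-env.yaml hunk in this patch adds build tasks but no package task; confirm that setup-env.yaml already installs those five packages outside the shown hunk (the commit message says packages are now tracked in one place), otherwise the unit-test job now runs `meson` and `ninja` without them.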
--
2.31.1
From 69ffc888ca9d481f9f208179949c179d12078501 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
Date: Fri, 22 Oct 2021 15:25:20 +0300
Subject: [PATCH 4/5] playbooks: Fix CI for #897
PR #897 made adjustments to the Toolbx binary so that it requires presence
of /run/host in both the host filesystem and the filesystem in
a container.
The presence of the directory is assured by systemd-tmpfiles by
running it before the binary is started for the first time. For the run
to be effective 'data/tmpfiles.d/toolbox.conf' has to be installed in
a location visible to systemd-tmpfiles. Therefore, the call to
'systemd-tmpfiles --create' had to be placed after the install step.
https://github.com/containers/toolbox/pull/898
---
playbooks/setup-env.yaml | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/playbooks/setup-env.yaml b/playbooks/setup-env.yaml
index 460ca9977a9e..2f858bcf722c 100644
--- a/playbooks/setup-env.yaml
+++ b/playbooks/setup-env.yaml
@@ -26,14 +26,8 @@
args:
chdir: '{{ zuul.project.src_dir }}'
- - name: Setup environment
- become: yes
- command:
- cmd: systemd-tmpfiles --create
- creates: /run/media
-
- name: Check versions of crucial packages
- command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper
+ command: rpm -qa *kernel* *glibc* golang podman conmon containernetworking-plugins containers-common container-selinux crun runc fuse-overlayfs flatpak-session-helper patchelf
- name: Show podman versions
command: podman version
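Review bot: `patchelf` is appended to the `rpm -qa` version check, which the commit message does not mention (it only covers moving the systemd-tmpfiles task); add a line about it to the message, and since patch 5/5's go-build-wrapper calls patchelf at build time, make sure the package task in setup-env.yaml (outside this hunk) installs it rather than only reporting its version.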
@@ -58,3 +52,10 @@
args:
chdir: '{{ zuul.project.src_dir }}'
creates: /usr/local/bin/toolbox
+
+ - name: Setup environment
+ become: yes
+ command:
+ cmd: systemd-tmpfiles --create
+ creates: /run/media
+ creates: /run/host
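Review bot: the re-added `Setup environment` task now carries two `creates:` keys (`creates: /run/media` and `creates: /run/host`) under the same `command:` mapping, which is a duplicate YAML key; Ansible's loader warns about this by default and can be configured to error, and a plain YAML parser keeps only the last one. The commit message says the task exists to guarantee /run/host, so drop the `creates: /run/media` line.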
--
2.31.1
From 5429d5e099af96f7af1f9be58ba354fe332b59e9 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Mon, 25 Oct 2021 02:55:09 +0200
Subject: [PATCH 5/5] build: Restore backwards compatibility with existing
containers
The path of the dynamic linker (i.e., PT_INTERP), as specified in an
architecture's ABI, often starts with /lib or /lib64, not /usr/lib or
/usr/lib64. e.g., it's /lib/ld-linux-aarch64.so.1 for aarch64 and
/lib64/ld-linux-x86-64.so.2 for x86_64.
Unfortunately, until very recently [1], only the host's /usr was
present inside a toolbox container's /run/host, not /lib or /lib64.
Therefore, simply prepending /run/host to the /usr/bin/toolbox
binary's existing PT_INTERP entry wouldn't locate the host's dynamic
linker inside the toolbox container. This broke backwards compatibility
with every container out there, except the ones created with the
current development version in Git.
To restore backwards compatibility, the /lib and /lib64 symbolic links
must be resolved to their respective locations inside /usr.
The following caveats must be noted:
* With glibc, even the basename of the path of the dynamic linker as
specified in an architecture's ABI, is a symbolic link to a file
named ld-<glibc-version>.so. However, this file can't be used as
the PT_INTERP entry, because its name will change when glibc is
updated and the PT_INTERP entry will become invalid until the
/usr/bin/toolbox binary is rebuilt.
* On Debian, a path like /lib64/ld-linux-x86-64.so.2 doesn't resolve
to something inside /usr/lib64. Instead it ends up inside
/usr/lib/x86_64-linux-gnu through a series of symbolic links:
- /lib64 -> usr/lib64
- /usr/lib64/ld-linux-x86-64.so.2
-> /lib/x86_64-linux-gnu/ld-2.28.so
- /lib -> usr/lib
* It's assumed that a symbolic link with the basename specified in
the ABI lives in the same directory as the actual dynamic linker
binary named ld-<glibc-version>.so.
Fallout from 6063eb27b98939942e316771224c5653a9b2e59b
[1] Commit d03a5fee80f2f72d
https://github.com/containers/toolbox/pull/827
https://github.com/containers/toolbox/issues/821
---
src/go-build-wrapper | 21 +++++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/src/go-build-wrapper b/src/go-build-wrapper
index 677dca94bd5a..24eac674c9ac 100755
--- a/src/go-build-wrapper
+++ b/src/go-build-wrapper
@@ -34,8 +34,25 @@ if ! interpreter=$(patchelf --print-interpreter "$2/toolbox"); then
exit 1
fi
-if ! patchelf --set-interpreter "/run/host$interpreter" "$2/toolbox"; then
- echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to /run/host$interpreter" >&2
+if ! interpreter_canonical=$(readlink --canonicalize "$interpreter"); then
+ echo "go-build-wrapper: failed to canonicalize PT_INTERP" >&2
+ exit 1
+fi
+
+if ! interpreter_basename=$(basename "$interpreter"); then
+ echo "go-build-wrapper: failed to read the basename of PT_INTERP" >&2
+ exit 1
+fi
+
+if ! interpreter_canonical_dirname=$(dirname "$interpreter_canonical"); then
+ echo "go-build-wrapper: failed to read the dirname of the canonicalized PT_INTERP" >&2
+ exit 1
+fi
+
+interpreter="/run/host$interpreter_canonical_dirname/$interpreter_basename"
+
+if ! patchelf --set-interpreter "$interpreter" "$2/toolbox"; then
+ echo "go-build-wrapper: failed to change PT_INTERP of $2/toolbox to $interpreter" >&2
exit 1
fi
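Review bot: `readlink --canonicalize` only requires the leading directories to exist, so if the final link in the chain dangles (a half-removed glibc on the build host) the script still computes a path and bakes it into the binary; `readlink --canonicalize-existing` (`-e`) would fail here instead. The same applies to the third caveat in the message: `$interpreter_canonical_dirname/$interpreter_basename` is assumed to exist without being checked, and a `test -e "$interpreter_canonical_dirname/$interpreter_basename"` before the patchelf call would catch a build host where the ABI-named symlink does not live next to the real linker. The `basename`/`dirname` failure branches are harmless but cannot trigger in practice.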
--
2.31.1
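The PT_INTERP rewrite described in patch 5/5, replayed against constructed root directories that mimic the Fedora and Debian symlink chains from the commit message; this is an added example, not code from the toolbox repository, and it assumes GNU coreutils, uses `readlink --canonicalize-existing` where the patch uses `--canonicalize`, and makes Debian's cross link relative so the chain stays inside the constructed root.

```shell
#!/bin/sh
# Added example, not code from the toolbox repository: reproduce the
# PT_INTERP rewrite of patch 5/5 against a constructed root so the Fedora
# and Debian symlink chains from the commit message can be checked.
# $1 = constructed root, $2 = interpreter path as written in the ABI.
host_interp_path() {
    r=$(readlink --canonicalize-existing "$1") || return 1
    interp=$2
    # Assumption: --canonicalize-existing instead of the patch's --canonicalize,
    # so a dangling symlink chain fails here instead of being baked into the ELF.
    canonical=$(readlink --canonicalize-existing "$r$interp") || return 1
    canonical=${canonical#"$r"}
    printf '/run/host%s/%s\n' "$(dirname "$canonical")" "$(basename "$interp")"
}

# Fedora-like layout: /lib64 -> usr/lib64, linker and ABI symlink in /usr/lib64.
make_fedora_root() {
    mkdir -p "$1/usr/lib64"
    ln -s usr/lib64 "$1/lib64"
    : > "$1/usr/lib64/ld-2.34.so"
    ln -s ld-2.34.so "$1/usr/lib64/ld-linux-x86-64.so.2"
}

# Debian-like layout from the commit message; the cross link is relative
# (Debian's is absolute) so the chain stays inside the constructed root.
make_debian_root() {
    mkdir -p "$1/usr/lib64" "$1/usr/lib/x86_64-linux-gnu"
    ln -s usr/lib64 "$1/lib64"
    ln -s usr/lib "$1/lib"
    : > "$1/usr/lib/x86_64-linux-gnu/ld-2.28.so"
    ln -s ld-2.28.so "$1/usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"
    ln -s ../lib/x86_64-linux-gnu/ld-2.28.so "$1/usr/lib64/ld-linux-x86-64.so.2"
}

# Build each layout in a temporary directory and print the rewritten PT_INTERP.
demo() {
    for flavour in fedora debian; do
        root=$(mktemp -d)
        "make_${flavour}_root" "$root"
        printf '%s: %s\n' "$flavour" "$(host_interp_path "$root" /lib64/ld-linux-x86-64.so.2)"
        rm -r "$root"
    done
}
demo
```

On the Debian layout the result lands in /run/host/usr/lib/x86_64-linux-gnu, which only works because an ABI-named symlink sits next to ld-2.28.so there, exactly the assumption the commit message's third caveat states.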


@ -6,7 +6,7 @@ Version: 0.0.99.2^3.git075b9a8d2779
%global goipath github.com/containers/%{name} %global goipath github.com/containers/%{name}
%gometa %gometa
Release: 8%{?dist} Release: 9%{?dist}
Summary: Tool for containerized command line environments on Linux Summary: Tool for containerized command line environments on Linux
License: ASL 2.0 License: ASL 2.0
@ -193,6 +193,9 @@ ln -s src/pkg pkg
%changelog %changelog
* Mon Oct 25 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-9
- Restore backwards compatibility with existing containers
* Fri Oct 22 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-8 * Fri Oct 22 2021 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.2^3.git075b9a8d2779-8
- Ensure that binaries are run against their build-time ABI - Ensure that binaries are run against their build-time ABI