Update to 0.0.99.5

Start using Toolbx as the name of the project, instead of Toolbox.

Resolves: RHEL-19774
(cherry picked from commit df08ce6781)

.gitignore

@@ -1,3 +1,4 @@
 SOURCES/toolbox-0.0.99.3-vendored.tar.xz
 /toolbox-0.0.99.3-vendored.tar.xz
 /toolbox-0.0.99.4-vendored.tar.xz
+/toolbox-0.0.99.5-vendored.tar.xz

sources

@@ -1 +1 @@
-SHA512 (toolbox-0.0.99.4-vendored.tar.xz) = 882cd6ec1c1a193af8774dfdfd0aff72d376c4fec3e0cc702e2d524353c051e408eab2ac3fb43ec00fe622b46ac89fdbe97aca2f7cfbe3822e5d3ff1743f2fd0
+SHA512 (toolbox-0.0.99.5-vendored.tar.xz) = d82666e9abcbac2d01de440dfb8d57801bb97ec0854a9859c64689c47c6a1344b846fb151ffa9371d0a9a2c85c8f61c96cf8f546449ec63c9a44d85ef328b745

toolbox-Add-migration-paths-for-coreos-toolbox-users.patch

@@ -1,4 +1,4 @@
-From 4b60bfc74678f8d5fb779be5c0fc0bc8e892d247 Mon Sep 17 00:00:00 2001
+From 4587b6e9240bf936b760e901435c4cfdd9c582b6 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Wed, 18 Aug 2021 17:55:21 +0200
 Subject: [PATCH 1/2] cmd/run: Make sosreport work by setting the HOST
@@ -10,10 +10,10 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1940037
  1 file changed, 1 insertion(+)
 
 diff --git a/src/cmd/run.go b/src/cmd/run.go
-index 7657ffa50821..23d422623b14 100644
+index e2e31d9da4e6..84ad46518bfc 100644
 --- a/src/cmd/run.go
 +++ b/src/cmd/run.go
-@@ -501,6 +501,7 @@ func constructExecArgs(container, preserveFDs string,
+@@ -498,6 +498,7 @@ func constructExecArgs(container, preserveFDs string,
  	execArgs = append(execArgs, envOptions...)
  
  	execArgs = append(execArgs, []string{
@@ -22,10 +22,10 @@ index 7657ffa50821..23d422623b14 100644
  		"--preserve-fds", preserveFDs,
  	}...)
 -- 
-2.41.0
+2.43.0
 
 
-From 4ae3f7afc777dce2fe3b03198e0987507c049258 Mon Sep 17 00:00:00 2001
+From 892c33ed75443de90a2caa90959387bbc270c564 Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Fri, 10 Dec 2021 13:42:15 +0100
 Subject: [PATCH 2/2] test/system: Update to test the migration path for
@@ -36,33 +36,36 @@ This reverts the changes to the tests made in commit
 ca899c8a561f357ae32c6ba6813520fd8b682abb and the parts of commit
 3aeb7cf288319e35eb9c5e26ea18d97452462c1e that were removed.
 ---
- test/system/002-help.bats | 11 -----------
+ test/system/002-help.bats | 14 --------------
  test/system/100-root.bats | 27 +++++++++++++++++++++++++++
- 2 files changed, 27 insertions(+), 11 deletions(-)
+ 2 files changed, 27 insertions(+), 14 deletions(-)
  create mode 100644 test/system/100-root.bats
 
 diff --git a/test/system/002-help.bats b/test/system/002-help.bats
-index 7e4565e9d23d..58a4c2c87ece 100644
+index 695c51f92e7e..5fa4c6fe0b4c 100644
 --- a/test/system/002-help.bats
 +++ b/test/system/002-help.bats
-@@ -23,17 +23,6 @@ setup() {
+@@ -23,20 +23,6 @@ setup() {
    _setup_environment
  }
  
--@test "help: Try to run toolbox with no command" {
--  run $TOOLBOX
+-@test "help: Smoke test" {
+-  run --keep-empty-lines --separate-stderr "$TOOLBOX"
 -
 -  assert_failure
+-  assert [ ${#lines[@]} -eq 0 ]
+-  lines=("${stderr_lines[@]}")
 -  assert_line --index 0 "Error: missing command"
--  assert_line --index 1 "create    Create a new toolbox container"
--  assert_line --index 2 "enter     Enter an existing toolbox container"
--  assert_line --index 3 "list      List all existing toolbox containers and images"
--  assert_line --index 4 "Run 'toolbox --help' for usage."
+-  assert_line --index 2 "create    Create a new toolbox container"
+-  assert_line --index 3 "enter     Enter an existing toolbox container"
+-  assert_line --index 4 "list      List all existing toolbox containers and images"
+-  assert_line --index 6 "Run 'toolbox --help' for usage."
+-  assert [ ${#stderr_lines[@]} -eq 7 ]
 -}
 -
- @test "help: Run command 'help'" {
+ @test "help: Command 'help'" {
    if ! command -v man 2>/dev/null; then
-     skip "Test works only if man is in PATH"
+     skip "not found man(1)"
 diff --git a/test/system/100-root.bats b/test/system/100-root.bats
 new file mode 100644
 index 000000000000..32d87904213e
@@ -97,5 +100,5 @@ index 000000000000..32d87904213e
 +  skip "Testing of entering toolboxes is not implemented"
 +}
 -- 
-2.41.0
+2.43.0
 

toolbox-Build-fixes.patch

@@ -1,240 +0,0 @@
-From 424cc42fba3cb182a360dcdda68caf20d9141ae6 Mon Sep 17 00:00:00 2001
-From: Debarshi Ray <rishi@fedoraproject.org>
-Date: Tue, 28 Feb 2023 17:12:04 +0100
-Subject: [PATCH 1/4] cmd/root: Don't use podman(1) when generating the
- completions
-
-Ever since commit bafbbe81c9220cb3, the shell completions are generated
-while building Toolbx using the 'completion' command.  This involves
-running toolbox(1) itself, and hence invoking 'podman version' to decide
-if 'podman system migrate' is needed or not.
-
-Unfortunately, some build environments, like Fedora's, are set up inside
-a chroot(2) or systemd-nspawn(1) or similar, where 'podman version' may
-not work because it does various things with namespaces(7) and clone(2)
-that can, under certain circumstances, encounter an EPERM.
-
-Therefore, it's better to avoid using podman(1) when generating the
-shell completions, especially, since they are generated by Cobra itself
-and podman(1) is not involved at all.
-
-Note that podman(1) is needed when the generated shell completions are
-actually used in interactive command line environments.  The shell
-completions invoke the hidden '__complete' command to get the results
-that are presented to the user, and, if needed, 'podman system migrate'
-will continue to be run as part of that.
-
-This partially reverts commit f3e005d0142d7ec76d5ac8f0a2f331a52fd46011
-because podman(1) is now only an optional runtime dependency for the
-system tests.
-
-https://github.com/containers/podman/issues/17657
----
- meson.build     | 2 +-
- src/cmd/root.go | 9 +++++++--
- 2 files changed, 8 insertions(+), 3 deletions(-)
-
-diff --git a/meson.build b/meson.build
-index 6f044bb204e3..653a3d3ac588 100644
---- a/meson.build
-+++ b/meson.build
-@@ -18,12 +18,12 @@ subid_dep = cc.find_library('subid', has_headers: ['shadow/subid.h'])
- 
- go = find_program('go')
- go_md2man = find_program('go-md2man')
--podman = find_program('podman')
- 
- bats = find_program('bats', required: false)
- codespell = find_program('codespell', required: false)
- htpasswd = find_program('htpasswd', required: false)
- openssl = find_program('openssl', required: false)
-+podman = find_program('podman', required: false)
- shellcheck = find_program('shellcheck', required: false)
- skopeo = find_program('skopeo', required: false)
- 
-diff --git a/src/cmd/root.go b/src/cmd/root.go
-index 304b03dcd889..9975ccc7a4c8 100644
---- a/src/cmd/root.go
-+++ b/src/cmd/root.go
-@@ -166,7 +166,7 @@ func preRun(cmd *cobra.Command, args []string) error {
- 
- 	logrus.Debugf("TOOLBOX_PATH is %s", toolboxPath)
- 
--	if err := migrate(); err != nil {
-+	if err := migrate(cmd, args); err != nil {
- 		return err
- 	}
- 
-@@ -211,13 +211,18 @@ func rootRun(cmd *cobra.Command, args []string) error {
- 	return rootRunImpl(cmd, args)
- }
- 
--func migrate() error {
-+func migrate(cmd *cobra.Command, args []string) error {
- 	logrus.Debug("Migrating to newer Podman")
- 
- 	if utils.IsInsideContainer() {
- 		return nil
- 	}
- 
-+	if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName {
-+		logrus.Debugf("Migration not needed: command %s doesn't need it", cmdName)
-+		return nil
-+	}
-+
- 	configDir, err := os.UserConfigDir()
- 	if err != nil {
- 		logrus.Debugf("Migrating to newer Podman: failed to get the user config directory: %s", err)
--- 
-2.41.0
-
-
-From 0723706168a1bde708bc9acc203c5e9870bc94d5 Mon Sep 17 00:00:00 2001
-From: Debarshi Ray <rishi@fedoraproject.org>
-Date: Wed, 1 Mar 2023 19:41:56 +0100
-Subject: [PATCH 2/4] cmd/root: Sprinkle a debug log
-
-https://github.com/containers/toolbox/pull/1251
----
- src/cmd/root.go | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/src/cmd/root.go b/src/cmd/root.go
-index 9975ccc7a4c8..2e7428a20b24 100644
---- a/src/cmd/root.go
-+++ b/src/cmd/root.go
-@@ -215,6 +215,7 @@ func migrate(cmd *cobra.Command, args []string) error {
- 	logrus.Debug("Migrating to newer Podman")
- 
- 	if utils.IsInsideContainer() {
-+		logrus.Debug("Migration not needed: running inside a container")
- 		return nil
- 	}
- 
--- 
-2.41.0
-
-
-From 0736db58456bb635854493e28a0c36bda49988ce Mon Sep 17 00:00:00 2001
-From: Debarshi Ray <rishi@fedoraproject.org>
-Date: Wed, 1 Mar 2023 19:46:11 +0100
-Subject: [PATCH 3/4] cmd/root: Shuffle some code around and sprinkle some
- debug logs
-
-Having a separate convenience function reduces the indentation levels by
-at least one, and sometimes two, and makes it easy to have more detailed
-debug logs.
-
-This will make the subsequent commit easier to read.
-
-https://github.com/containers/toolbox/issues/1246
----
- src/cmd/root.go | 32 ++++++++++++++++++++++++--------
- 1 file changed, 24 insertions(+), 8 deletions(-)
-
-diff --git a/src/cmd/root.go b/src/cmd/root.go
-index 2e7428a20b24..9aafe3e0d3be 100644
---- a/src/cmd/root.go
-+++ b/src/cmd/root.go
-@@ -1,5 +1,5 @@
- /*
-- * Copyright © 2019 – 2022 Red Hat Inc.
-+ * Copyright © 2019 – 2023 Red Hat Inc.
-  *
-  * Licensed under the Apache License, Version 2.0 (the "License");
-  * you may not use this file except in compliance with the License.
-@@ -139,13 +139,8 @@ func preRun(cmd *cobra.Command, args []string) error {
- 	if !utils.IsInsideContainer() {
- 		logrus.Debugf("Running on a cgroups v%d host", cgroupsVersion)
- 
--		if currentUser.Uid != "0" {
--			logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", currentUser.Username)
--
--			if _, err := utils.ValidateSubIDRanges(currentUser); err != nil {
--				logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
--				return newSubIDError()
--			}
-+		if _, err := validateSubIDRanges(cmd, args, currentUser); err != nil {
-+			return err
- 		}
- 	}
- 
-@@ -392,3 +387,24 @@ func setUpLoggers() error {
- 
- 	return nil
- }
-+
-+func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bool, error) {
-+	logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", user.Username)
-+
-+	if user.Uid == "0" {
-+		logrus.Debugf("Look-up not needed: user %s doesn't need them", user.Username)
-+		return true, nil
-+	}
-+
-+	if utils.IsInsideContainer() {
-+		logrus.Debug("Look-up not needed: running inside a container")
-+		return true, nil
-+	}
-+
-+	if _, err := utils.ValidateSubIDRanges(user); err != nil {
-+		logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
-+		return false, newSubIDError()
-+	}
-+
-+	return true, nil
-+}
--- 
-2.41.0
-
-
-From 02537eac420f49e96110663794ef5f2511eb6860 Mon Sep 17 00:00:00 2001
-From: Jan Zerebecki <jan.suse@zerebecki.de>
-Date: Wed, 1 Mar 2023 19:52:28 +0100
-Subject: [PATCH 4/4] cmd/root: Don't validate subordinate IDs when generating
- the completions
-
-Ever since commit bafbbe81c9220cb3, the shell completions are generated
-while building Toolbx using the 'completion' command.  This involves
-running toolbox(1) itself, and hence validating the subordinate user and
-group ID ranges.
-
-Unfortunately, some build environments, like openSUSE's, don't have
-subordinate ID ranges set up.  Therefore, it's better to not validate
-the subordinate ID ranges when generating the shell completions, since
-they are generated by Cobra itself and subordinate ID ranges are not
-involved at all.
-
-Note that subordinate ID ranges may be needed when the generated shell
-completions are actually used in interactive command line environments.
-The shell completions invoke the hidden '__complete' command to get the
-results that are presented to the user, and, if needed, the subordinate
-ID ranges will continue to be used by podman(1) as part of that.
-
-Some changes by Debarshi Ray.
-
-https://github.com/containers/toolbox/issues/1246
-https://github.com/containers/toolbox/pull/1249
----
- src/cmd/root.go | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/cmd/root.go b/src/cmd/root.go
-index 9aafe3e0d3be..aee9fe026ac3 100644
---- a/src/cmd/root.go
-+++ b/src/cmd/root.go
-@@ -401,6 +401,11 @@ func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bo
- 		return true, nil
- 	}
- 
-+	if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName {
-+		logrus.Debugf("Look-up not needed: command %s doesn't need them", cmdName)
-+		return true, nil
-+	}
-+
- 	if _, err := utils.ValidateSubIDRanges(user); err != nil {
- 		logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
- 		return false, newSubIDError()
--- 
-2.41.0
-

toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch

@@ -1,4 +1,4 @@
-From c943fe330ddfb91b94efb22a450e491316d2173c Mon Sep 17 00:00:00 2001
+From 3b5b5b2ca2e284d83275ffb73bc413c9234d7b0a Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match RHEL's %{gobuildflags} for
@@ -51,5 +51,5 @@ index c572d6dfb02b..1addef1f186b 100755
  
  exit "$?"
 -- 
-2.39.2
+2.43.0
 

toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch

@@ -1,4 +1,4 @@
-From 606f135e4900c7d808341515b74811e3a3714cff Mon Sep 17 00:00:00 2001
+From 2ecd1ac4d83844d5b6314762587fc2347adfdd0f Mon Sep 17 00:00:00 2001
 From: Debarshi Ray <rishi@fedoraproject.org>
 Date: Mon, 29 Jun 2020 17:57:47 +0200
 Subject: [PATCH] build: Make the build flags match RHEL's %{gobuildflags}
@@ -51,5 +51,5 @@ index c572d6dfb02b..c492a4e73445 100755
  
  exit "$?"
 -- 
-2.39.2
+2.43.0
 

toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch

@@ -1,76 +0,0 @@
-From 1fde98456652ddbcb750ade2121c5ceec93fbfae Mon Sep 17 00:00:00 2001
-From: Debarshi Ray <rishi@fedoraproject.org>
-Date: Thu, 13 Jul 2023 13:08:40 +0200
-Subject: [PATCH] cmd/initContainer: Be aware of security hardened mount points
-
-Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump
-and /var/log/journal sit on security hardened mount points that are
-marked as 'nosuid,nodev,noexec' [1].  In such cases, when Toolbx is used
-rootless, an attempt to bind mount these locations read-only at runtime
-with mount(8) fails because of permission problems:
-  # mount --rbind -o ro <source> <containerPath>
-  mount: <containerPath>: filesystem was mounted, but any subsequent
-      operation failed: Unknown error 5005.
-
-(Note that the above error message from mount(8) was subsequently
-improved to show something more meaningful than 'Unknown error' [2].)
-
-The problem is that 'init-container' is running inside the container's
-mount and user namespace, and the source paths were mounted inside the
-host's namespace with 'nosuid,nodev,noexec'.  The above mount(8) call
-tries to remove the 'nosuid,nodev,noexec' flags from the mount point and
-replace them with only 'ro', which is something that can't be done from
-a child namespace.
-
-Note that this doesn't fail when Toolbx is running as root.  This is
-because the container uses the host's user namespace and is able to
-remove the 'nosuid,nodev,noexec' flags from the mount point and replace
-them with only 'ro'.  Even though it doesn't fail, the flags shouldn't
-get replaced like that inside the container, because it removes the
-security hardening of those mount points.
-
-There's actually no benefit in bind mounting these paths as read-only.
-It was historically done this way 'just to be safe' because a user isn't
-expected to write to these locations from inside a container.  However,
-Toolbx doesn't intend to provide any heightened security beyond what's
-already available on the host.
-
-Hence, it's better to get out of the way and leave it to the permissions
-on the source location from the host operating system to guard the
-castle.  This is accomplished by not passing any file system options to
-mount(8) [1].
-
-Based on an idea from Si.
-
-[1] https://man7.org/linux/man-pages/man8/mount.8.html
-
-[2] util-linux commit 9420ca34dc8b6f0f
-    https://github.com/util-linux/util-linux/commit/9420ca34dc8b6f0f
-    https://github.com/util-linux/util-linux/pull/2376
-
-https://github.com/containers/toolbox/issues/911
----
- src/cmd/initContainer.go | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
-index 465ac063b210..c4cd1b02d298 100644
---- a/src/cmd/initContainer.go
-+++ b/src/cmd/initContainer.go
-@@ -62,10 +62,10 @@ var (
- 		{"/run/udev/data", "/run/host/run/udev/data", ""},
- 		{"/run/udev/tags", "/run/host/run/udev/tags", ""},
- 		{"/tmp", "/run/host/tmp", "rslave"},
--		{"/var/lib/flatpak", "/run/host/var/lib/flatpak", "ro"},
-+		{"/var/lib/flatpak", "/run/host/var/lib/flatpak", ""},
- 		{"/var/lib/libvirt", "/run/host/var/lib/libvirt", ""},
--		{"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", "ro"},
--		{"/var/log/journal", "/run/host/var/log/journal", "ro"},
-+		{"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", ""},
-+		{"/var/log/journal", "/run/host/var/log/journal", ""},
- 		{"/var/mnt", "/run/host/var/mnt", "rslave"},
- 	}
- )
--- 
-2.41.0
-

toolbox.spec

@@ -1,13 +1,13 @@
 %global __brp_check_rpaths %{nil}
 
 Name:          toolbox
-Version:       0.0.99.4
+Version:       0.0.99.5
 
 %global goipath github.com/containers/%{name}
 %gometa
 
-Release:       8%{?dist}
-Summary:       Tool for containerized command line environments on Linux
+Release:       1%{?dist}
+Summary:       Tool for interactive command line environments on Linux
 
 License:       ASL 2.0
 URL:           https://containertoolbx.org/
@@ -15,11 +15,6 @@ URL:           https://containertoolbx.org/
 Source0:       https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}-vendored.tar.xz
 Source1:       %{name}.conf
 
-# Upstream
-Patch0:        toolbox-Build-fixes.patch
-Patch1:        toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch
-Patch2:        toolbox-Simplify-removing-the-user-s-password.patch
-
 # RHEL specific
 Patch100:      toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
 Patch101:      toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch
@@ -34,14 +29,23 @@ BuildRequires: shadow-utils-subid-devel
 BuildRequires: systemd
 BuildRequires: systemd-rpm-macros
 
+Recommends:    skopeo
+Recommends:    subscription-manager
+
 Requires:      containers-common
-Requires:      podman >= 1.4.0
+Requires:      podman >= 1.6.4
 
 
 %description
-Toolbox is a tool for Linux operating systems, which allows the use of
-containerized command line environments. It is built on top of Podman and
-other standard container technologies from OCI.
+Toolbx is a tool for Linux, which allows the use of interactive command line
+environments for development and troubleshooting the host operating system,
+without having to install software on the host. It is built on top of Podman
+and other standard container technologies from OCI.
+
+Toolbx environments have seamless access to the user's home directory, the
+Wayland and X11 sockets, networking (including Avahi), removable devices (like
+USB sticks), systemd journal, SSH agent, D-Bus, ulimits, /dev and the udev
+database, etc..
 
 
 %package       tests
@@ -49,7 +53,6 @@ Summary:       Tests for %{name}
 
 Requires:      %{name}%{?_isa} = %{version}-%{release}
 Requires:      coreutils
-Requires:      gawk
 Requires:      grep
 Requires:      httpd-tools
 Requires:      openssl
@@ -62,9 +65,6 @@ The %{name}-tests package contains system tests for %{name}.
 
 %prep
 %setup -q
-%patch0 -p1
-%patch1 -p1
-%patch2 -p1
 
 %ifnarch ppc64
 %patch100 -p1
@@ -131,6 +131,10 @@ install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf
 
 
 %changelog
+* Mon Jan 15 2024 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.5-1
+- Update to 0.0.99.5
+Resolves: RHEL-19774
+
 * Fri Dec 08 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-8
 - Rebuild for CVE-2023-39325 and CVE-2023-44487
 Resolves: RHEL-12636