diff --git a/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch b/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch new file mode 100644 index 0000000..3d5812e --- /dev/null +++ b/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch @@ -0,0 +1,149 @@ +From 52de8d4a933ab6a4b1b6ef1c02c7e9f1f834c4a5 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Wed, 1 Mar 2023 19:41:56 +0100 +Subject: [PATCH 1/3] cmd/root: Sprinkle a debug log + +https://github.com/containers/toolbox/pull/1251 +--- + src/cmd/root.go | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/cmd/root.go b/src/cmd/root.go +index 304b03dcd889..82fbfd651c33 100644 +--- a/src/cmd/root.go ++++ b/src/cmd/root.go +@@ -215,6 +215,7 @@ func migrate() error { + logrus.Debug("Migrating to newer Podman") + + if utils.IsInsideContainer() { ++ logrus.Debug("Migration not needed: running inside a container") + return nil + } + +-- +2.39.2 + + +From 0beab62c935cd1166d6b03f58c519bbc7b040221 Mon Sep 17 00:00:00 2001 +From: Debarshi Ray +Date: Wed, 1 Mar 2023 19:46:11 +0100 +Subject: [PATCH 2/3] cmd/root: Shuffle some code around and sprinkle some + debug logs + +Having a separate convenience function reduces the indentation levels by +at least one, and sometimes two, and makes it easy to have more detailed +debug logs. + +This will make the subsequent commit easier to read. + +https://github.com/containers/toolbox/issues/1246 +--- + src/cmd/root.go | 32 ++++++++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 8 deletions(-) + +diff --git a/src/cmd/root.go b/src/cmd/root.go +index 82fbfd651c33..4c740ec60d38 100644 +--- a/src/cmd/root.go ++++ b/src/cmd/root.go +@@ -1,5 +1,5 @@ + /* +- * Copyright © 2019 – 2022 Red Hat Inc. ++ * Copyright © 2019 – 2023 Red Hat Inc. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. +@@ -139,13 +139,8 @@ func preRun(cmd *cobra.Command, args []string) error { + if !utils.IsInsideContainer() { + logrus.Debugf("Running on a cgroups v%d host", cgroupsVersion) + +- if currentUser.Uid != "0" { +- logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", currentUser.Username) +- +- if _, err := utils.ValidateSubIDRanges(currentUser); err != nil { +- logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err) +- return newSubIDError() +- } ++ if _, err := validateSubIDRanges(cmd, args, currentUser); err != nil { ++ return err + } + } + +@@ -387,3 +382,24 @@ func setUpLoggers() error { + + return nil + } ++ ++func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bool, error) { ++ logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", user.Username) ++ ++ if user.Uid == "0" { ++ logrus.Debugf("Look-up not needed: user %s doesn't need them", user.Username) ++ return true, nil ++ } ++ ++ if utils.IsInsideContainer() { ++ logrus.Debug("Look-up not needed: running inside a container") ++ return true, nil ++ } ++ ++ if _, err := utils.ValidateSubIDRanges(user); err != nil { ++ logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err) ++ return false, newSubIDError() ++ } ++ ++ return true, nil ++} +-- +2.39.2 + + +From d09c9cd1de41b6e85a6953902c9982778a423f3c Mon Sep 17 00:00:00 2001 +From: Jan Zerebecki +Date: Wed, 1 Mar 2023 19:52:28 +0100 +Subject: [PATCH 3/3] cmd/root: Don't validate subordinate IDs when generating + the completions + +Ever since commit bafbbe81c9220cb3, the shell completions are generated +while building Toolbx using the 'completion' command. This involves +running toolbox(1) itself, and hence validating the subordinate user and +group ID ranges. + +Unfortunately, some build environments, like openSUSE's, don't have +subordinate ID ranges set up. Therefore, it's better to not validate +the subordinate ID ranges when generating the shell completions, since +they are generated by Cobra itself and subordinate ID ranges are not +involved at all. + +Note that subordinate ID ranges may be needed when the generated shell +completions are actually used in interactive command line environments. +The shell completions invoke the hidden '__complete' command to get the +results that are presented to the user, and, if needed, the subordinate +ID ranges will continue to be used by podman(1) as part of that. + +Some changes by Debarshi Ray. + +https://github.com/containers/toolbox/issues/1246 +https://github.com/containers/toolbox/pull/1249 +--- + src/cmd/root.go | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/cmd/root.go b/src/cmd/root.go +index 4c740ec60d38..efee8ce9990b 100644 +--- a/src/cmd/root.go ++++ b/src/cmd/root.go +@@ -396,6 +396,11 @@ func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bo + return true, nil + } + ++ if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName { ++ logrus.Debugf("Look-up not needed: command %s doesn't need them", cmdName) ++ return true, nil ++ } ++ + if _, err := utils.ValidateSubIDRanges(user); err != nil { + logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err) + return false, newSubIDError() +-- +2.39.2 + diff --git a/toolbox.spec b/toolbox.spec index d187995..a78b38f 100644 --- a/toolbox.spec +++ b/toolbox.spec @@ -23,6 +23,7 @@ Source1: %{name}.conf # Upstream Patch0: toolbox-Don-t-use-podman-1-when-generating-the-comp.patch +Patch1: toolbox-Don-t-validate-subordinate-IDs-when-generat.patch # RHEL specific Patch100: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch @@ -90,6 +91,7 @@ The %{name}-tests package contains system tests for %{name}. %prep %setup -q %patch0 -p1 +%patch1 -p1 %ifnarch ppc64 %patch100 -p1