From b817729eefc892c3d6d34caa380ad048d37728f6 Mon Sep 17 00:00:00 2001
From: Jindrich Novy
Date: Sat, 10 Jul 2021 09:02:54 +0200
Subject: [PATCH] toolbox-0.0.99.2-3.el9

- Expose the host's entire / in the container at /run/host
- Resolves: #1977343
Signed-off-by: Jindrich Novy
---
 ...e-the-host-s-entire-in-the-container.patch | 76 +++++++++++++++++++
 toolbox.spec | 8 +-
 2 files changed, 83 insertions(+), 1 deletion(-)
 create mode 100644 toolbox-cmd-create-Expose-the-host-s-entire-in-the-container.patch

diff --git a/toolbox-cmd-create-Expose-the-host-s-entire-in-the-container.patch b/toolbox-cmd-create-Expose-the-host-s-entire-in-the-container.patch
new file mode 100644
index 0000000..3b18c30
--- /dev/null
+++ b/toolbox-cmd-create-Expose-the-host-s-entire-in-the-container.patch
@@ -0,0 +1,76 @@
+From d03a5fee80f2f72da6a409f7ebc3b6caf21506e3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?=
+Date: Sat, 3 Jul 2021 20:39:49 +0200
+Subject: [PATCH] cmd/create: Expose the host's entire / in the container at
+ /run/host
+
+Having the entire host file system hierarchy mounted inside a toolbox
+container gives the containers a more complete environment that's
+resilient against future changes in the layout of the file system
+hierarchy and the need for giving access to new paths to support new
+use-cases. Otherwise, one would have to create a new container to get
+access to any path that lies outside the /boot, /etc, /run, /tmp, /usr
+and /var directories.
+
+As a nice side-effect, this also simplifies the bind mount handling
+code.
+
+https://github.com/containers/toolbox/pull/827
+---
+ src/cmd/create.go | 29 +----------------------------
+ 1 file changed, 1 insertion(+), 28 deletions(-)
+
+diff --git a/src/cmd/create.go b/src/cmd/create.go
+index ff533c26db98..297b336f6382 100644
+--- a/src/cmd/create.go
++++ b/src/cmd/create.go
+@@ -265,28 +265,6 @@ func createContainer(container, image, release string, showCommandToEnter bool)
+ logrus.Debugf("%s canonicalized to %s", currentUser.HomeDir, homeDirEvaled)
+ homeDirMountArg := homeDirEvaled + ":" + homeDirEvaled + ":rslave"
+
+- bootMountFlags := "ro"
+- isBootReadWrite, err := isPathReadWrite("/boot")
+- if err != nil {
+- return err
+- }
+- if isBootReadWrite {
+- bootMountFlags = "rw"
+- }
+-
+- bootMountArg := "/boot:/run/host/boot:" + bootMountFlags + ",rslave"
+-
+- usrMountFlags := "ro"
+- isUsrReadWrite, err := isPathReadWrite("/usr")
+- if err != nil {
+- return err
+- }
+- if isUsrReadWrite {
+- usrMountFlags = "rw"
+- }
+-
+- usrMountArg := "/usr:/run/host/usr:" + usrMountFlags + ",rslave"
+-
+ var avahiSocketMount []string
+
+ avahiSocket, err := getServiceSocket("Avahi", "avahi-daemon.socket")
+@@ -423,16 +401,11 @@ func createContainer(container, image, release string, showCommandToEnter bool)
+ createArgs = append(createArgs, []string{
+ "--userns", usernsArg,
+ "--user", "root:root",
+- "--volume", "/etc:/run/host/etc",
++ "--volume", "/:/run/host:rslave",
+ "--volume", "/dev:/dev:rslave",
+- "--volume", "/run:/run/host/run:rslave",
+- "--volume", "/tmp:/run/host/tmp:rslave",
+- "--volume", "/var:/run/host/var:rslave",
+- "--volume", bootMountArg,
+ "--volume", dbusSystemSocketMountArg,
+ "--volume", homeDirMountArg,
+ "--volume", toolboxPathMountArg,
+- "--volume", usrMountArg,
+ "--volume", runtimeDirectoryMountArg,
+ }...)
+
+--
+2.31.1
+
diff --git a/toolbox.spec b/toolbox.spec
index 74a94ec..64a0e6c 100644
--- a/toolbox.spec
+++ b/toolbox.spec
@@ -9,7 +9,7 @@ Version: 0.0.99.2
 %global goipath github.com/containers/%{name}
 %gometa
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Unprivileged development environment
 License: ASL 2.0
@@ -23,6 +23,7 @@ Source0: %{name}-%{version}-vendored.tar.xz
 # Upstream
 Patch0: toolbox-cmd-root-Make-toolbox-create-or-fall-back-to-a-conta.patch
+Patch1: toolbox-cmd-create-Expose-the-host-s-entire-in-the-container.patch
 # RHEL specific
 Patch100: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
@@ -61,6 +62,7 @@ The %{name}-tests package contains system tests for %{name}.
 %setup -q
 %patch0 -p1
+%patch1 -p1
 %ifnarch ppc64
 %patch100 -p1
@@ -114,6 +116,10 @@ ln -s src/vendor vendor
 %changelog
+* Sat Jul 10 2021 Jindrich Novy - 0.0.99.2-3
+- Expose the host's entire / in the container at /run/host
+- Resolves: #1977343
+
 * Mon Jul 05 2021 Jindrich Novy - 0.0.99.2-2
 - Actually apply the patch to make 'toolbox' create or fall back to a container if possible
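Review bot: The two removed call sites in the first embedded create.go hunk (`isBootReadWrite, err := isPathReadWrite("/boot")` and its `/usr` counterpart) look like the only uses of `isPathReadWrite` in the visible code; if no other caller remains, the helper is now dead code that the compiler will not flag, and the embedded patch should drop it rather than leave it behind. The read-only treatment the removed block applied to /boot and /usr has no replacement in the new `"--volume", "/:/run/host:rslave",` entry, which presumably relies on the recursive bind to carry the host's own read-only flags for separately mounted paths, so a one-line comment above that entry, such as `// The whole host tree is bind-mounted recursively; per-path ro/rw follows the host's own mounts.`, would record why the per-path handling went away. The body of createContainer starts and ends outside both embedded hunks.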