toolbox-0.0.99.2-3.el9
- Expose the host's entire / in the container at /run/host - Resolves: #1977343 Signed-off-by: Jindrich Novy <jnovy@redhat.com>
parent
067c49f5d1
commit
b817729eef
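--- /dev/null
+++ b/toolbox-cmd-create-Expose-the-host-s-entire-in-the-container.patch
@@ -0,0 +1,76 @@
+From d03a5fee80f2f72da6a409f7ebc3b6caf21506e3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ond=C5=99ej=20M=C3=ADchal?= <harrymichal@seznam.cz>
+Date: Sat, 3 Jul 2021 20:39:49 +0200
+Subject: [PATCH] cmd/create: Expose the host's entire / in the container at
+/run/host
+
+Having the entire host file system hierarchy mounted inside a toolbox
+container gives the containers a more complete environment that's
+resilient against future changes in the layout of the file system
+hierarchy and the need for giving access to new paths to support new
+use-cases. Otherwise, one would have to create a new container to get
+access to any path that lies outside the /boot, /etc, /run, /tmp, /usr
+and /var directories.
+
+As a nice side-effect, this also simplifies the bind mount handling
+code.
+
+https://github.com/containers/toolbox/pull/827
+---
+src/cmd/create.go | 29 +----------------------------
+1 file changed, 1 insertion(+), 28 deletions(-)
+
+diff --git a/src/cmd/create.go b/src/cmd/create.go
+index ff533c26db98..297b336f6382 100644
+--- a/src/cmd/create.go
++++ b/src/cmd/create.go
+@@ -265,28 +265,6 @@ func createContainer(container, image, release string, showCommandToEnter bool)
+logrus.Debugf("%s canonicalized to %s", currentUser.HomeDir, homeDirEvaled)
+homeDirMountArg := homeDirEvaled + ":" + homeDirEvaled + ":rslave"
+
+- bootMountFlags := "ro"
+- isBootReadWrite, err := isPathReadWrite("/boot")
+- if err != nil {
+- return err
+- }
+- if isBootReadWrite {
+- bootMountFlags = "rw"
+- }
+-
+- bootMountArg := "/boot:/run/host/boot:" + bootMountFlags + ",rslave"
+-
+- usrMountFlags := "ro"
+- isUsrReadWrite, err := isPathReadWrite("/usr")
+- if err != nil {
+- return err
+- }
+- if isUsrReadWrite {
+- usrMountFlags = "rw"
+- }
+-
+- usrMountArg := "/usr:/run/host/usr:" + usrMountFlags + ",rslave"
+-
+var avahiSocketMount []string
+
+avahiSocket, err := getServiceSocket("Avahi", "avahi-daemon.socket")
+@@ -423,16 +401,11 @@ func createContainer(container, image, release string, showCommandToEnter bool)
+createArgs = append(createArgs, []string{
+"--userns", usernsArg,
+"--user", "root:root",
+- "--volume", "/etc:/run/host/etc",
++ "--volume", "/:/run/host:rslave",
+"--volume", "/dev:/dev:rslave",
+- "--volume", "/run:/run/host/run:rslave",
+- "--volume", "/tmp:/run/host/tmp:rslave",
+- "--volume", "/var:/run/host/var:rslave",
+- "--volume", bootMountArg,
+"--volume", dbusSystemSocketMountArg,
+"--volume", homeDirMountArg,
+"--volume", toolboxPathMountArg,
+- "--volume", usrMountArg,
+"--volume", runtimeDirectoryMountArg,
+}...)
+
+--
+2.31.1
+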
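Review bot: The new `"--volume", "/:/run/host:rslave"` line in the second hunk of the embedded patch replaces an explicit list of host paths with the whole host tree and carries no `ro` flag, while the removed code picked `ro` or `rw` for `/boot` and `/usr` from `isPathReadWrite`; create.go should record that the read-only state of those trees now depends on the host's own sub-mounts (for example a read-only `/usr`) keeping their flags under the recursive bind rather than on a check made here. A comment such as `// Host / is bind-mounted recursively; sub-mounts keep the host's own ro/rw flags.` above the volume list would make that dependency visible to the next maintainer. With both calls in createContainer gone, `isPathReadWrite` appears unreferenced in this file if no other caller remains, which staticcheck would report as an unused unexported function. createContainer itself starts and ends outside both hunks of the patch.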
@ -9,7 +9,7 @@ Version: 0.0.99.2
|
|||||||
%global goipath github.com/containers/%{name}
|
%global goipath github.com/containers/%{name}
|
||||||
%gometa
|
%gometa
|
||||||
|
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Summary: Unprivileged development environment
|
Summary: Unprivileged development environment
|
||||||
|
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
@ -23,6 +23,7 @@ Source0: %{name}-%{version}-vendored.tar.xz
|
|||||||
|
|
||||||
# Upstream
|
# Upstream
|
||||||
Patch0: toolbox-cmd-root-Make-toolbox-create-or-fall-back-to-a-conta.patch
|
Patch0: toolbox-cmd-root-Make-toolbox-create-or-fall-back-to-a-conta.patch
|
||||||
|
Patch1: toolbox-cmd-create-Expose-the-host-s-entire-in-the-container.patch
|
||||||
|
|
||||||
# RHEL specific
|
# RHEL specific
|
||||||
Patch100: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
|
Patch100: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
|
||||||
@ -61,6 +62,7 @@ The %{name}-tests package contains system tests for %{name}.
|
|||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
%ifnarch ppc64
|
%ifnarch ppc64
|
||||||
%patch100 -p1
|
%patch100 -p1
|
||||||
@ -114,6 +116,10 @@ ln -s src/vendor vendor
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Sat Jul 10 2021 Jindrich Novy <jnovy@redhat.com> - 0.0.99.2-3
|
||||||
|
- Expose the host's entire / in the container at /run/host
|
||||||
|
- Resolves: #1977343
|
||||||
|
|
||||||
* Mon Jul 05 2021 Jindrich Novy <jnovy@redhat.com> - 0.0.99.2-2
|
* Mon Jul 05 2021 Jindrich Novy <jnovy@redhat.com> - 0.0.99.2-2
|
||||||
- Actually apply the patch to make 'toolbox' create or fall back to a
|
- Actually apply the patch to make 'toolbox' create or fall back to a
|
||||||
container if possible
|
container if possible
|
||||||
|