rpms
/
toolbox
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import CS toolbox-0.0.99.5-2.module_el8+971+3d3df00d

This commit is contained in:
eabdullin 2024-03-28 13:44:04 +00:00
parent 44fe799397
commit e78da721eb
9 changed files with 68 additions and 355 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/toolbox-0.0.99.4-vendored.tar.xz
SOURCES/toolbox-0.0.99.5-vendored.tar.xz

2
.toolbox.metadata
View File

@ -1 +1 @@
3a2506e53c44cab54d476ee38af7197175e8af10 SOURCES/toolbox-0.0.99.4-vendored.tar.xz
9b8595f66d8dd76636c308426919bb81cba5498a SOURCES/toolbox-0.0.99.5-vendored.tar.xz

39
SOURCES/toolbox-Add-migration-paths-for-coreos-toolbox-users.patch
View File

@ -1,4 +1,4 @@
From d461caa5b1a278124d039df93140d2d5bf4eabe7 Mon Sep 17 00:00:00 2001
From 4587b6e9240bf936b760e901435c4cfdd9c582b6 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Wed, 18 Aug 2021 17:55:21 +0200
Subject: [PATCH 1/2] cmd/run: Make sosreport work by setting the HOST
@ -10,10 +10,10 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1940037
1 file changed, 1 insertion(+)
diff --git a/src/cmd/run.go b/src/cmd/run.go
index 7657ffa50821..23d422623b14 100644
index e2e31d9da4e6..84ad46518bfc 100644
--- a/src/cmd/run.go
+++ b/src/cmd/run.go
@@ -501,6 +501,7 @@ func constructExecArgs(container, preserveFDs string,
@@ -498,6 +498,7 @@ func constructExecArgs(container, preserveFDs string,
execArgs = append(execArgs, envOptions...)
execArgs = append(execArgs, []string{
@ -22,10 +22,10 @@ index 7657ffa50821..23d422623b14 100644
"--preserve-fds", preserveFDs,
}...)
--
2.39.2
2.43.0
From 3c2c67752e8f88f72058799cbce3612fc937b230 Mon Sep 17 00:00:00 2001
From 892c33ed75443de90a2caa90959387bbc270c564 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Fri, 10 Dec 2021 13:42:15 +0100
Subject: [PATCH 2/2] test/system: Update to test the migration path for
@ -36,33 +36,36 @@ This reverts the changes to the tests made in commit
ca899c8a561f357ae32c6ba6813520fd8b682abb and the parts of commit
3aeb7cf288319e35eb9c5e26ea18d97452462c1e that were removed.
---
test/system/002-help.bats | 11 -----------
test/system/002-help.bats | 14 --------------
test/system/100-root.bats | 27 +++++++++++++++++++++++++++
2 files changed, 27 insertions(+), 11 deletions(-)
2 files changed, 27 insertions(+), 14 deletions(-)
create mode 100644 test/system/100-root.bats
diff --git a/test/system/002-help.bats b/test/system/002-help.bats
index 7e4565e9d23d..58a4c2c87ece 100644
index 695c51f92e7e..5fa4c6fe0b4c 100644
--- a/test/system/002-help.bats
+++ b/test/system/002-help.bats
@@ -23,17 +23,6 @@ setup() {
@@ -23,20 +23,6 @@ setup() {
_setup_environment
}
-@test "help: Try to run toolbox with no command" {
- run $TOOLBOX
-@test "help: Smoke test" {
- run --keep-empty-lines --separate-stderr "$TOOLBOX"
-
- assert_failure
- assert [ ${#lines[@]} -eq 0 ]
- lines=("${stderr_lines[@]}")
- assert_line --index 0 "Error: missing command"
- assert_line --index 1 "create Create a new toolbox container"
- assert_line --index 2 "enter Enter an existing toolbox container"
- assert_line --index 3 "list List all existing toolbox containers and images"
- assert_line --index 4 "Run 'toolbox --help' for usage."
- assert_line --index 2 "create Create a new toolbox container"
- assert_line --index 3 "enter Enter an existing toolbox container"
- assert_line --index 4 "list List all existing toolbox containers and images"
- assert_line --index 6 "Run 'toolbox --help' for usage."
- assert [ ${#stderr_lines[@]} -eq 7 ]
-}
-
@test "help: Run command 'help'" {
@test "help: Command 'help'" {
if ! command -v man 2>/dev/null; then
skip "Test works only if man is in PATH"
skip "not found man(1)"
diff --git a/test/system/100-root.bats b/test/system/100-root.bats
new file mode 100644
index 000000000000..32d87904213e
@ -97,5 +100,5 @@ index 000000000000..32d87904213e
+ skip "Testing of entering toolboxes is not implemented"
+}
--
2.39.2
2.43.0

89
SOURCES/toolbox-Don-t-use-podman-1-when-generating-the-comp.patch
View File

@ -1,89 +0,0 @@
From fc5f568c5d82f4a16982268fa67092e52be91fbe Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Tue, 28 Feb 2023 17:12:04 +0100
Subject: [PATCH] cmd/root: Don't use podman(1) when generating the completions
Ever since commit bafbbe81c9220cb3, the shell completions are generated
while building Toolbx using the 'completion' command. This involves
running toolbox(1) itself, and hence invoking 'podman version' to decide
if 'podman system migrate' is needed or not.
Unfortunately, some build environments, like Fedora's, are set up inside
a chroot(2) or systemd-nspawn(1) or similar, where 'podman version' may
not work because it does various things with namespaces(7) and clone(2)
that can, under certain circumstances, encounter an EPERM.
Therefore, it's better to avoid using podman(1) when generating the
shell completions, especially, since they are generated by Cobra itself
and podman(1) is not involved at all.
Note that podman(1) is needed when the generated shell completions are
actually used in interactive command line environments. The shell
completions invoke the hidden '__complete' command to get the results
that are presented to the user, and, if needed, 'podman system migrate'
will continue to be run as part of that.
This partially reverts commit f3e005d0142d7ec76d5ac8f0a2f331a52fd46011
because podman(1) is now only an optional runtime dependency for the
system tests.
https://github.com/containers/podman/issues/17657
---
meson.build | 2 +-
src/cmd/root.go | 9 +++++++--
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/meson.build b/meson.build
index 6f044bb204e3..653a3d3ac588 100644
--- a/meson.build
+++ b/meson.build
@@ -18,12 +18,12 @@ subid_dep = cc.find_library('subid', has_headers: ['shadow/subid.h'])
go = find_program('go')
go_md2man = find_program('go-md2man')
-podman = find_program('podman')
bats = find_program('bats', required: false)
codespell = find_program('codespell', required: false)
htpasswd = find_program('htpasswd', required: false)
openssl = find_program('openssl', required: false)
+podman = find_program('podman', required: false)
shellcheck = find_program('shellcheck', required: false)
skopeo = find_program('skopeo', required: false)
diff --git a/src/cmd/root.go b/src/cmd/root.go
index 304b03dcd889..9975ccc7a4c8 100644
--- a/src/cmd/root.go
+++ b/src/cmd/root.go
@@ -166,7 +166,7 @@ func preRun(cmd *cobra.Command, args []string) error {
logrus.Debugf("TOOLBOX_PATH is %s", toolboxPath)
- if err := migrate(); err != nil {
+ if err := migrate(cmd, args); err != nil {
return err
}
@@ -211,13 +211,18 @@ func rootRun(cmd *cobra.Command, args []string) error {
return rootRunImpl(cmd, args)
}
-func migrate() error {
+func migrate(cmd *cobra.Command, args []string) error {
logrus.Debug("Migrating to newer Podman")
if utils.IsInsideContainer() {
return nil
}
+ if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName {
+ logrus.Debugf("Migration not needed: command %s doesn't need it", cmdName)
+ return nil
+ }
+
configDir, err := os.UserConfigDir()
if err != nil {
logrus.Debugf("Migrating to newer Podman: failed to get the user config directory: %s", err)
--
2.39.1

149
SOURCES/toolbox-Don-t-validate-subordinate-IDs-when-generat.patch
View File

@ -1,149 +0,0 @@
From 52de8d4a933ab6a4b1b6ef1c02c7e9f1f834c4a5 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Wed, 1 Mar 2023 19:41:56 +0100
Subject: [PATCH 1/3] cmd/root: Sprinkle a debug log
https://github.com/containers/toolbox/pull/1251
---
src/cmd/root.go | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/cmd/root.go b/src/cmd/root.go
index 304b03dcd889..82fbfd651c33 100644
--- a/src/cmd/root.go
+++ b/src/cmd/root.go
@@ -215,6 +215,7 @@ func migrate() error {
logrus.Debug("Migrating to newer Podman")
if utils.IsInsideContainer() {
+ logrus.Debug("Migration not needed: running inside a container")
return nil
}
--
2.39.2
From 0beab62c935cd1166d6b03f58c519bbc7b040221 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Wed, 1 Mar 2023 19:46:11 +0100
Subject: [PATCH 2/3] cmd/root: Shuffle some code around and sprinkle some
debug logs
Having a separate convenience function reduces the indentation levels by
at least one, and sometimes two, and makes it easy to have more detailed
debug logs.
This will make the subsequent commit easier to read.
https://github.com/containers/toolbox/issues/1246
---
src/cmd/root.go | 32 ++++++++++++++++++++++++--------
1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/src/cmd/root.go b/src/cmd/root.go
index 82fbfd651c33..4c740ec60d38 100644
--- a/src/cmd/root.go
+++ b/src/cmd/root.go
@@ -1,5 +1,5 @@
/*
- * Copyright © 2019 2022 Red Hat Inc.
+ * Copyright © 2019 2023 Red Hat Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -139,13 +139,8 @@ func preRun(cmd *cobra.Command, args []string) error {
if !utils.IsInsideContainer() {
logrus.Debugf("Running on a cgroups v%d host", cgroupsVersion)
- if currentUser.Uid != "0" {
- logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", currentUser.Username)
-
- if _, err := utils.ValidateSubIDRanges(currentUser); err != nil {
- logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
- return newSubIDError()
- }
+ if _, err := validateSubIDRanges(cmd, args, currentUser); err != nil {
+ return err
}
}
@@ -387,3 +382,24 @@ func setUpLoggers() error {
return nil
}
+
+func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bool, error) {
+ logrus.Debugf("Looking for sub-GID and sub-UID ranges for user %s", user.Username)
+
+ if user.Uid == "0" {
+ logrus.Debugf("Look-up not needed: user %s doesn't need them", user.Username)
+ return true, nil
+ }
+
+ if utils.IsInsideContainer() {
+ logrus.Debug("Look-up not needed: running inside a container")
+ return true, nil
+ }
+
+ if _, err := utils.ValidateSubIDRanges(user); err != nil {
+ logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
+ return false, newSubIDError()
+ }
+
+ return true, nil
+}
--
2.39.2
From d09c9cd1de41b6e85a6953902c9982778a423f3c Mon Sep 17 00:00:00 2001
From: Jan Zerebecki <jan.suse@zerebecki.de>
Date: Wed, 1 Mar 2023 19:52:28 +0100
Subject: [PATCH 3/3] cmd/root: Don't validate subordinate IDs when generating
the completions
Ever since commit bafbbe81c9220cb3, the shell completions are generated
while building Toolbx using the 'completion' command. This involves
running toolbox(1) itself, and hence validating the subordinate user and
group ID ranges.
Unfortunately, some build environments, like openSUSE's, don't have
subordinate ID ranges set up. Therefore, it's better to not validate
the subordinate ID ranges when generating the shell completions, since
they are generated by Cobra itself and subordinate ID ranges are not
involved at all.
Note that subordinate ID ranges may be needed when the generated shell
completions are actually used in interactive command line environments.
The shell completions invoke the hidden '__complete' command to get the
results that are presented to the user, and, if needed, the subordinate
ID ranges will continue to be used by podman(1) as part of that.
Some changes by Debarshi Ray.
https://github.com/containers/toolbox/issues/1246
https://github.com/containers/toolbox/pull/1249
---
src/cmd/root.go | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/cmd/root.go b/src/cmd/root.go
index 4c740ec60d38..efee8ce9990b 100644
--- a/src/cmd/root.go
+++ b/src/cmd/root.go
@@ -396,6 +396,11 @@ func validateSubIDRanges(cmd *cobra.Command, args []string, user *user.User) (bo
return true, nil
}
+ if cmdName, completionCmdName := cmd.Name(), completionCmd.Name(); cmdName == completionCmdName {
+ logrus.Debugf("Look-up not needed: command %s doesn't need them", cmdName)
+ return true, nil
+ }
+
if _, err := utils.ValidateSubIDRanges(user); err != nil {
logrus.Debugf("Looking for sub-GID and sub-UID ranges: %s", err)
return false, newSubIDError()
--
2.39.2

4
SOURCES/toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch
View File

@ -1,4 +1,4 @@
From c943fe330ddfb91b94efb22a450e491316d2173c Mon Sep 17 00:00:00 2001
From 3b5b5b2ca2e284d83275ffb73bc413c9234d7b0a Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Mon, 29 Jun 2020 17:57:47 +0200
Subject: [PATCH] build: Make the build flags match RHEL's %{gobuildflags} for
@ -51,5 +51,5 @@ index c572d6dfb02b..1addef1f186b 100755
exit "$?"
--
2.39.2
2.43.0

4
SOURCES/toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
View File

@ -1,4 +1,4 @@
From 606f135e4900c7d808341515b74811e3a3714cff Mon Sep 17 00:00:00 2001
From 2ecd1ac4d83844d5b6314762587fc2347adfdd0f Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Mon, 29 Jun 2020 17:57:47 +0200
Subject: [PATCH] build: Make the build flags match RHEL's %{gobuildflags}
@ -51,5 +51,5 @@ index c572d6dfb02b..c492a4e73445 100755
exit "$?"
--
2.39.2
2.43.0

76
SOURCES/toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch
View File

@ -1,76 +0,0 @@
From 1cc9e07b7c36fe9f9784b40b58f0a2a3694dd328 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <rishi@fedoraproject.org>
Date: Thu, 13 Jul 2023 13:08:40 +0200
Subject: [PATCH] cmd/initContainer: Be aware of security hardened mount points
Sometimes locations such as /var/lib/flatpak, /var/lib/systemd/coredump
and /var/log/journal sit on security hardened mount points that are
marked as 'nosuid,nodev,noexec' [1]. In such cases, when Toolbx is used
rootless, an attempt to bind mount these locations read-only at runtime
with mount(8) fails because of permission problems:
# mount --rbind -o ro <source> <containerPath>
mount: <containerPath>: filesystem was mounted, but any subsequent
operation failed: Unknown error 5005.
(Note that the above error message from mount(8) was subsequently
improved to show something more meaningful than 'Unknown error' [2].)
The problem is that 'init-container' is running inside the container's
mount and user namespace, and the source paths were mounted inside the
host's namespace with 'nosuid,nodev,noexec'. The above mount(8) call
tries to remove the 'nosuid,nodev,noexec' flags from the mount point and
replace them with only 'ro', which is something that can't be done from
a child namespace.
Note that this doesn't fail when Toolbx is running as root. This is
because the container uses the host's user namespace and is able to
remove the 'nosuid,nodev,noexec' flags from the mount point and replace
them with only 'ro'. Even though it doesn't fail, the flags shouldn't
get replaced like that inside the container, because it removes the
security hardening of those mount points.
There's actually no benefit in bind mounting these paths as read-only.
It was historically done this way 'just to be safe' because a user isn't
expected to write to these locations from inside a container. However,
Toolbx doesn't intend to provide any heightened security beyond what's
already available on the host.
Hence, it's better to get out of the way and leave it to the permissions
on the source location from the host operating system to guard the
castle. This is accomplished by not passing any file system options to
mount(8) [1].
Based on an idea from Si.
[1] https://man7.org/linux/man-pages/man8/mount.8.html
[2] util-linux commit 9420ca34dc8b6f0f
https://github.com/util-linux/util-linux/commit/9420ca34dc8b6f0f
https://github.com/util-linux/util-linux/pull/2376
https://github.com/containers/toolbox/issues/911
---
src/cmd/initContainer.go | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/cmd/initContainer.go b/src/cmd/initContainer.go
index 222aa42e1036..41b825b33f58 100644
--- a/src/cmd/initContainer.go
+++ b/src/cmd/initContainer.go
@@ -62,10 +62,10 @@ var (
{"/run/udev/data", "/run/host/run/udev/data", ""},
{"/run/udev/tags", "/run/host/run/udev/tags", ""},
{"/tmp", "/run/host/tmp", "rslave"},
- {"/var/lib/flatpak", "/run/host/var/lib/flatpak", "ro"},
+ {"/var/lib/flatpak", "/run/host/var/lib/flatpak", ""},
{"/var/lib/libvirt", "/run/host/var/lib/libvirt", ""},
- {"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", "ro"},
- {"/var/log/journal", "/run/host/var/log/journal", "ro"},
+ {"/var/lib/systemd/coredump", "/run/host/var/lib/systemd/coredump", ""},
+ {"/var/log/journal", "/run/host/var/log/journal", ""},
{"/var/mnt", "/run/host/var/mnt", "rslave"},
}
)
--
2.41.0

58
SPECS/toolbox.spec
View File

@ -1,13 +1,13 @@
%global __brp_check_rpaths %{nil}
Name: toolbox
Version: 0.0.99.4
Version: 0.0.99.5
%global goipath github.com/containers/%{name}
%gometa
Release: 5%{?dist}
Summary: Tool for containerized command line environments on Linux
Release: 2%{?dist}
Summary: Tool for interactive command line environments on Linux
License: ASL 2.0
URL: https://containertoolbx.org/
@ -15,18 +15,13 @@ URL: https://containertoolbx.org/
Source0: https://github.com/containers/%{name}/releases/download/%{version}/%{name}-%{version}-vendored.tar.xz
Source1: %{name}.conf
# Upstream
Patch0: toolbox-Don-t-use-podman-1-when-generating-the-comp.patch
Patch1: toolbox-Don-t-validate-subordinate-IDs-when-generat.patch
Patch2: toolbox-cmd-initContainer-Be-aware-of-security-hardened-moun.patch
# RHEL specific
Patch100: toolbox-Make-the-build-flags-match-RHEL-s-gobuild.patch
Patch101: toolbox-Make-the-build-flags-match-RHEL-s-gobuild-for-PPC64.patch
Patch102: toolbox-Add-migration-paths-for-coreos-toolbox-users.patch
BuildRequires: gcc
BuildRequires: golang >= 1.20.4
BuildRequires: golang >= 1.21.7
BuildRequires: /usr/bin/go-md2man
BuildRequires: meson >= 0.58.0
BuildRequires: pkgconfig(bash-completion)
@ -34,14 +29,23 @@ BuildRequires: shadow-utils-subid-devel
BuildRequires: systemd
BuildRequires: systemd-rpm-macros
Recommends: skopeo
Recommends: subscription-manager
Requires: containers-common
Requires: podman >= 1.4.0
Requires: podman >= 1.6.4
%description
Toolbox is a tool for Linux operating systems, which allows the use of
containerized command line environments. It is built on top of Podman and
other standard container technologies from OCI.
Toolbx is a tool for Linux, which allows the use of interactive command line
environments for development and troubleshooting the host operating system,
without having to install software on the host. It is built on top of Podman
and other standard container technologies from OCI.
Toolbx environments have seamless access to the user's home directory, the
Wayland and X11 sockets, networking (including Avahi), removable devices (like
USB sticks), systemd journal, SSH agent, D-Bus, ulimits, /dev and the udev
database, etc..
%package tests
@ -49,19 +53,18 @@ Summary: Tests for %{name}
Requires: %{name}%{?_isa} = %{version}-%{release}
Requires: coreutils
Requires: gawk
Requires: grep
Requires: httpd-tools
Requires: openssl
Requires: skopeo
%description tests
The %{name}-tests package contains system tests for %{name}.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%ifnarch ppc64
%patch100 -p1
@ -122,11 +125,32 @@ install -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/containers/%{name}.conf
%{_sysconfdir}/profile.d/%{name}.sh
%{_tmpfilesdir}/%{name}.conf
%files tests
%{_datadir}/%{name}
%changelog
* Mon Feb 19 2024 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.5-2
- Rebuild for CVE-2023-39326
Resolves: RHEL-18393
* Mon Jan 15 2024 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.5-1
- Update to 0.0.99.5
Resolves: RHEL-19773
* Fri Dec 08 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-8
- Rebuild for CVE-2023-39325 and CVE-2023-44487
Resolves: RHEL-12620
* Mon Nov 27 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-7
- Rebuild for CVE-2023-29406, CVE-2023-39318 and CVE-2023-39319
Resolves: RHEL-4231, RHEL-4475, RHEL-4502
* Mon Oct 02 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-6
- Simplify removing the user's password
Resolves: RHEL-2038
* Fri Aug 11 2023 Debarshi Ray <rishi@fedoraproject.org> - 0.0.99.4-5
- Be aware of security hardened mount points
Resolves: #2144541