Commit Graph

140 Commits

Author SHA1 Message Date
Debarshi Ray
b78b16e24a Update to 0.0.99.6
Update the compiler and linker flags for RHEL 10 by incorporating the
distribution's defaults from RHEL 10.0 Beta, because RHEL 10.0 is still
early in its development cycle and the defaults may be in a state of
flux.  Some exceptions are mentioned below.

The '-z pack-relative-relocs' linker flag was left out.  It's currently
not supported on s390x, so using it would require architecture specific
patches, which is a hassle.  Support for aarch64 was recently added [1],
so hopefully s390x will also be supported soon.

The change to use the RPM's %{name}, %{version}, %{release} and the
SOURCE_DATE_EPOCH environment variable [2], instead of /dev/urandom, to
generate the build ID annotation for the toolbox(1) binary [3] was left
out.  It will need more work to propagate the RPM's %{name}, %{version}
and %{release} to Meson.

The 'rpminspect --tests=elf' test run by the downstream CI was silenced
because toolbox(1) is only built with the '-z relro' linker flag, but
not '-z now' [4].  Otherwise, it fails with:
  /usr/bin/toolbox lost full GNU_RELRO security protection

Stop carrying the downstream patch for the compiler and linker flags for
PPC64.  The architecture was already discontinued from Fedora 29 [5],
even before the patch was added [6].  It was added purely for the sake
of completeness, and in the last four years since it was introduced, it
hasn't been tested or used.  At this point it's becoming too much of a
maintenance burden, and removing it silences the %ifarch-applied-patch
warning from rpmlint.

Fill in some of the missing Requires for the toolbox-tests sub-package.

[1] CentOS Stream redhat-rpm-config commit 3c5a6b17540b2a0b
    https://gitlab.com/redhat/centos-stream/rpms/redhat-rpm-config/-/commit/3c5a6b17540b2a0b
    https://gitlab.com/redhat/centos-stream/rpms/redhat-rpm-config/-/merge_requests/42
    https://issues.redhat.com/browse/RHEL-40379

[2] https://reproducible-builds.org/docs/source-date-epoch/

[3] go-rpm-macros commit 1980932bf3a21890
    https://pagure.io/go-rpm-macros/c/1980932bf3a21890
    https://fedoraproject.org/wiki/Changes/ReproduciblePackageBuilds

[4] Upstream commit 83f28c52e47c2d44
    https://github.com/containers/toolbox/commit/83f28c52e47c2d44
    https://github.com/containers/toolbox/pull/1548

[5] https://fedoraproject.org/wiki/Changes/DiscontinuePPC64

[6] Fedora toolbox commit ba60453d21
    https://src.fedoraproject.org/rpms/toolbox/c/ba60453d216a9226
    https://src.fedoraproject.org/rpms/toolbox/pull-request/2

Resolves: RHEL-61579
2024-10-04 22:22:54 +02:00
Adam Williamson
3258a3a85c tests: Avoid running out of storage space
Toolbx's system tests download several images when setting up the test
suite, and cache them for later use by the tests [1].  This saves time
and avoids hitting rate limits imposed by OCI registries by not
downloading the same images repeatedly for several tests, but at the
cost of increased use of storage space to cache the images.

The images are cached under BATS_TMPDIR.  It defaults to the TMPDIR
environment variable, and if that's not set then to /tmp [2].  Normally,
TMPDIR isn't set, and the images end up getting cached under /tmp.  Now,
/tmp is typically on tmpfs backed by RAM or swap, which means that it
should be used for smaller size-bounded files only, and /var/tmp should
be used for everything else [3].

The images are big enough that a collection of them can't be described
as smaller and size-bounded, and it led to:
  1..306
  # test suite: Set up
  # test suite: Tear down
  not ok 1 setup_suite
  # (from function `setup_suite' in test file ./setup_suite.bash, line
      55)
  #   `_pull_and_cache_distro_image fedora "$((system_version-1))" ||
      false' failed
  # Failed to cache image registry.fedoraproject.org/fedora-toolbox:40
      to /tmp/bats-run-IPz4Cn/image-cache/fedora-toolbox-40
  # time="2024-02-19T11:41:43Z" level=fatal msg="copying system image
      from manifest list: writing blob: write
      /tmp/bats-run-IPz4Cn/image-cache/fedora-toolbox-40/dir-put-blob607392514:
      no space left on device"
  # bats warning: Executed 1 instead of expected 306 tests

So, change the default location of the BATS_TMPDIR environment variable
to /var/tmp by setting TMPDIR.

[1] Toolbx commit 50683c9d9a78adc9
    https://github.com/containers/toolbox/commit/50683c9d9a78adc9
    https://github.com/containers/toolbox/pull/375

[2] https://bats-core.readthedocs.io/en/stable/writing-tests.html

[3] https://systemd.io/TEMPORARY_DIRECTORIES/

Resolves: RHEL-61579
2024-10-04 21:46:25 +02:00
Adam Williamson
4c8bb268a8 tests: Don't use undefined variable
The test.environment variable was removed from the variables defined in
tests.yml in commit 1b207227f3, but it's still used, which causes
Ansible to break:
  The task includes an option with an undefined variable. The error was:
  'dict object' has no attribute 'environment'. 'dict object' has no
  attribute 'environment'

Resolves: RHEL-61579
2024-10-04 21:46:00 +02:00
Debarshi Ray
f510ff5c37 Rebuild for CVE-2024-24791
Resolves: RHEL-47199
2024-08-09 18:34:34 +02:00
Debarshi Ray
ce35655698 Silence 'rpminspect --tests=stack-prot'
The stack-prot test [1] currently fails in Fedora and RHEL 10.  On
Fedora, it says:
  Hardened: /usr/bin/toolbox: FAIL: stack-prot test because stack
      protection not enabled (lto:_cgo_6f668e16310a_Cfunc_mygetgrnam_r)

According to the documentation [1], the test is supposed to pass if the
C compiler is GCC and it was used with the -fstack-protector-strong
option.  That's definitely the case, since both Fedora and RHEL 10 use
GCC by default, and their default build flags (including %optflags)
include -fstack-protector-strong.

There's also no function called mygetgrnam() in either Toolbx or its
chain of dependencies.

Therefore, temporarily disable the stack-prot test to prevent the Fedora
and RHEL CIs from failing.

[1] https://sourceware.org/annobin/annobin.html/Test-stack-prot.html

Resolves: RHEL-33522
2024-07-11 11:23:33 +02:00
Debarshi Ray
fa705ed622 Silence 'rpminspect --tests=annocheck' (part 2)
In recent times, 'rpminspect --tests=annocheck', run by the Fedora CI,
has been failing because of the intentional DT_RPATH or DT_RUNPATH value
of /run/host%{_libdir} that's present in %{_bindir}/toolbox [1].  It's
not clear if they started failing again only recently due to changes in
rpminspect(1), or if the previous attempt at silencing it was broken and
never actually worked [2].

[1] Upstream commit 6063eb27b9893994
    https://github.com/containers/toolbox/commit/6063eb27b9893994
    https://github.com/containers/toolbox/issues/821

[2] Commit 12fabacd03

https://github.com/rpminspect/rpminspect/issues/1296

Resolves: RHEL-33522
2024-07-11 11:23:29 +02:00
Troy Dawson
415bc72ed0 Bump release for June 2024 mass rebuild 2024-06-24 09:27:01 -07:00
Debarshi Ray
0949203a92 Rebuild for CVE-2024-24788
Resolves: RHEL-35915
2024-06-19 16:58:38 +02:00
Debarshi Ray
067963eddf Unbreak the tests with Podman 5.0
... and make them show the Bats version.

Resolves: RHEL-36170
2024-06-19 16:22:33 +02:00
Debarshi Ray
5c4f313cc3 Specify the golang versions for RHEL 9 and 10
Resolves: RHEL-30245
2024-03-26 01:15:35 +01:00
Debarshi Ray
2457a327ba Conditionalize the BuildRequires on golang
The OpenSSL FIPS patches in Fedora ELN's golang make it lag behind its
Fedora counterpart at times.

Spotted by Yaakov Selkowitz.

Fallout from 24f19e416e

https://src.fedoraproject.org/rpms/toolbox/pull-request/18

Resolves: RHEL-30245
2024-03-26 01:04:57 +01:00
Debarshi Ray
709a085a1c Unbreak Podman's downstream Fedora CI (part 2)
... and backport some new upstream tests.

https://bugzilla.redhat.com/show_bug.cgi?id=2263968

Resolves: RHEL-30245
2024-03-26 01:04:22 +01:00
Debarshi Ray
24f19e416e Unbreak Podman's downstream Fedora CI
... and update the BuildRequires on golang to reflect reality.

https://bugzilla.redhat.com/show_bug.cgi?id=2263968

Resolves: RHEL-30245
2024-03-26 01:04:19 +01:00
85becd3dde
Rebuild for golang 1.22.0 2024-02-11 23:40:44 +00:00
Debarshi Ray
5aea389aab Migrate to SPDX license 2024-02-07 14:45:03 +01:00
Fedora Release Engineering
78a3000c62 Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild 2024-01-27 06:33:04 +00:00
25a9050dd0
Remove deprecated %patchN syntax
[skip changelog]

Relates: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/5YUJWTUJK4JA26YP2VD46HOCQ6UZXMQD/
2024-01-12 21:09:56 +00:00
Debarshi Ray
f79961c521 Drop 'Recommends: subscription-manager'
... because subscription-manager requires python3-dnf, which contains
%{_bindir}/dnf-3 and %{_bindir}/dnf4 [1].  This is a problem on Fedora
Silverblue, because they shouldn't be present on OSTree based variants
of Fedora.

This reverts parts of commit 6682165143.

[1] https://github.com/fedora-silverblue/issue-tracker/issues/521
2024-01-11 19:04:31 +01:00
Debarshi Ray
57ae69592c Drop the experience and support subpackages
The only known user of the toolbox-experience and toolbox-support
packages was: https://github.com/AICoE/tf-in-container

... which was declared dead in February 2022.

Hence, there's no need to keep offering these subpackages.  Especially,
since the cost of keeping them updated to match the content of the
fedora-toolbox images is quite high.  If someone really needs these
subpackages, then they can be reinstated.
2023-12-19 14:09:03 +01:00
Debarshi Ray
6682165143 Update to 0.0.99.5
Start using Toolbx as the name of the project, instead of Toolbox; and
recommend subscription-manager, as requested by the Fedora Workstation
Working Group [1], to make it easier to have gratis, self-supported Red Hat
Enterprise Linux containers on Fedora.

[1] https://pagure.io/fedora-workstation/issue/391
2023-12-19 13:28:45 +01:00
Debarshi Ray
a7b53166a8 tests: Remove trailing whitespace 2023-12-19 13:25:48 +01:00
Debarshi Ray
1b207227f3 tests: Remove redundant environment variable
There's no need to explicitly set the PODMAN environment variable to its
default value of /usr/bin/podman.
2023-12-19 13:24:23 +01:00
Debarshi Ray
616aba2f2d Require openssl(1) for the system tests in the tests subpackage 2023-12-19 13:18:49 +01:00
Adam Williamson
2fcdf29a72 tests subpackage: require httpd-tools for htpasswd 2023-12-06 10:45:50 -08:00
Debarshi Ray
8fd7877f42 Fix the conditionals for 'if RHEL <= 9'
'%if 0%{?rhel} <= 9' is the wrong way to express 'if RHEL <= 9'.  On
Fedora, %rhel won't be defined.  So, %{?rhel} will expand to nothing,
and leave only a 0 on the left hand side, making the condition TRUE on
Fedora.

Note that conditions like '%if 0%{?rhel}', and other relational
operators like ==, > and >= work as expected.  The problem is only with
< and <=.

Fallout from 1d18729e66 and
d437e83604
2023-12-05 15:26:10 +01:00
Debarshi Ray
e7a1de731b Track the active container on Fedora Linux Asahi Remix 2023-11-30 22:16:08 +01:00
Debarshi Ray
a8d29ef83f Silence 'rpminspect --tests=runpath' on i686 2023-11-10 16:01:17 +01:00
Debarshi Ray
1d18729e66 Drop the custom /etc/containers/toolbox.conf from RHEL 10 onwards
Complete support for RHEL Toolbx images based on the Red Hat Universal
Base Images (or UBI) was only recently added to Toolbx [1], in version
0.0.99.4.  Before that, Toolbx would only pick the image for RHEL 8,
and even before that, it would pick the base 'ubi8' image, which isn't
designed for interactive command line use.

Due to this, RHEL >= 8.5 shipped a custom configuration file
in /etc/containers/toolbox.conf to specify the image.

However, that's not necessary anymore.  RHEL 10 is going to be a fresh
new operating system, and it will be better if we don't ship any custom
configuration that's not needed, because it will ensure consistency with
non-RHEL operating systems, including Fedora.

[1] Upstream commit 0a29b374e649437
    https://github.com/containers/toolbox/commit/0a29b374e649437
    https://github.com/containers/toolbox/issues/1065
2023-11-09 18:13:11 +01:00
Debarshi Ray
d437e83604 Clarify that %golang_arches_future are meant for RHEL 10
Since the RHEL conditional was only targeting RHEL 9, it wasn't clear
whether it needed updating for RHEL 10.  So, it's better to say that
%golang_arches are for RHEL 9 and older, and %golang_arches_future are
for Fedora and RHEL 10 onwards.

This doesn't change any behaviour of the built artifacts, because the
build is only shared with RHEL 9 onwards.  Hence, a conditional checking
for RHEL 9 is the same as one checking for RHEL 9 and older.

There's no need to do a build just for this.
2023-11-09 17:15:39 +01:00
Debarshi Ray
12fabacd03 Silence 'rpminspect --tests=annocheck' and 'rpminspect --tests=runpath'
The DT_RPATH or DT_RUNPATH value of /run/host%{_libdir} that's present
in %{_bindir}/toolbox is intentional [1].

[1] Upstream commit 6063eb27b9893994
    https://github.com/containers/toolbox/commit/6063eb27b9893994
    https://github.com/containers/toolbox/issues/821
2023-11-09 12:05:46 +01:00
Debarshi Ray
b6101bf73f Drop github.com/coreos/toolbox compatibility from RHEL 10 onwards
Some limited compatibility with github.com/coreos/toolbox was added to
RHEL 8.5 when the implementation of the toolbox RPM was changed from
github.com/coreos/toolbox to github.com/containers/toolbox.  This was
carried forward to RHEL 9 to give everybody some extra time to adjust.

This compatibility involved setting the HOST environment variable inside
the Toolbx containers for 'sos report' to work, and replicating the
command line interface from github.com/coreos/toolbox.

The problem with setting the HOST environment variable in Toolbx
containers is that it's a very generic name without any namespacing.
Not every user is going to use 'sos report', and it can easily conflict
with a variable of the same name being used for a different purpose.
This is similar to the NAME and VERSION environment variables that used
to be set inside Toolbx containers due to outdated or wrong information
in Fedora's container guidelines [1].  They were a constant source of
complaints and were recently fixed [2].  The same logic applies to HOST.

Instead of expecting the Toolbx container to have the HOST environment
variable, sos(1) should be taught how to work inside a Toolbx container
without requiring any extra configuration [3].

The problem with replicating the command line interface from
github.com/coreos/toolbox is that it's difficult to document it, because
it's so different from the native interface that users on non-RHEL
operating systems, including Fedora, have come to expect.  So, it's an
undocumented easter egg that receives very limited, if any, testing.

RHEL 8.5 was released on the 9th of November in 2021, which was almost
two years ago.  RHEL 10 is going to be a fresh new operating system.
It's time to ship a version of sos(1) in RHEL that works without any
extra configuration inside Toolbx containers, and to inform RHEL users
to adapt to the native command line interface.

[1] https://docs.fedoraproject.org/en-US/containers/guidelines/creation/

[2] Upstream commit 9506173f88dc26bf
    https://github.com/containers/toolbox/commit/9506173f88dc26bf
    https://github.com/containers/toolbox/issues/188

[3] https://github.com/sosreport/sos/pull/3370
2023-10-02 16:59:24 +02:00
Debarshi Ray
a8e2dd8823 Add two upstream patches that are already in CentOS Stream 9 2023-10-02 13:46:15 +02:00
Debarshi Ray
c91cdf0ad7 Unify the build with RHEL
This pulls in an extra patch [1] that's necessary to fix the build on
only CentOS Stream 9, not Fedora.  While not needed, it also doesn't
hurt Fedora and has the added benefit of keeping the build unified with
RHEL.

There's no need to do a build just for this.

[1] Upstream commit f555029304415a06
    https://github.com/containers/toolbox/commit/f555029304415a06
    https://github.com/containers/toolbox/issues/1246
2023-10-02 13:38:10 +02:00
Fedora Release Engineering
0ad2c75c04 Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2023-07-22 16:34:45 +00:00
Debarshi Ray
1591f98256 Remove trailing whitespace
There's no need to do a build just for this.

Fallout from a8db8e5d51
2023-06-26 15:29:46 +02:00
Debarshi Ray
b18f520f26 Pull in the rest of the RHEL specific patches to further unify the build
There's no need to do a build just for this.
2023-06-26 15:27:07 +02:00
Yaakov Selkowitz
006d4f5d81 Add missing files for RHEL builds
Source and Patch listings should not be conditionalized, as that causes
SRPM contents to be inconsistent.

https://src.fedoraproject.org/rpms/toolbox/pull-request/14
2023-06-26 15:08:36 +02:00
Debarshi Ray
037ea0e724 Don't 'BuildRequires: pkgconfig(fish)' on RHEL
... because RHEL doesn't have fish.

There's no need to do a build just for this.
2023-04-04 00:34:08 +02:00
Debarshi Ray
ef153bba41 Shuffle the BuildRequires around
There's no need to do a build just for this.
2023-04-04 00:27:52 +02:00
Debarshi Ray
7ddc864959 Update the commit messages of the downstream patches
Fedora now has a %{gobuildflags} RPM macro with only the flags used by
'go build ...'.

There's no need to do a build just for this.
2023-04-03 23:15:51 +02:00
Debarshi Ray
2f6e2b7cfe Unify the build with RHEL
There's no need to do a build just for this.
2023-04-03 22:23:50 +02:00
Debarshi Ray
a8b4975b5c Don't 'Requires: flatpak-session-helper' on RHEL
... because RHEL has always shipped toolbox >= 0.0.97 and hence doesn't
require flatpak-session-helper.

There's no need to do a build just for this.
2023-04-03 21:33:58 +02:00
Debarshi Ray
2f07af48f5 Don't 'Requires: bats' on RHEL
... because RHEL doesn't have bats.

There's no need to do a build just for this.
2023-04-03 21:33:53 +02:00
Nieves Montero
a8db8e5d51 Sprinkle a debug log
Signed-off-by: Nieves Montero <nmontero@redhat.com>
2023-03-08 11:24:16 +01:00
Debarshi Ray
2f7d549494 Don't use podman(1) when generating the completions
This is actually needed for Fedoras 36 and 37, but, at least currently,
not necessary for Fedoras 38 and 39.

There's no need to do a build just for this.

https://github.com/containers/podman/issues/17657
2023-02-28 19:38:33 +01:00
Debarshi Ray
95d6ea8689 Update to 0.0.99.4
https://bugzilla.redhat.com/show_bug.cgi?id=2171961
2023-02-23 18:05:26 +01:00
Debarshi Ray
79167d70c4 Remove a patch specific to Fedora that doesn't seem necessary anymore
There's no need to do a build just for this.
2023-02-23 17:49:22 +01:00
Debarshi Ray
cbcdb7a21c Simplify and unify the build with RHEL
There's no need to do a build just for this.
2023-02-23 16:13:42 +01:00
Debarshi Ray
7556bb66c2 Bump the golang requirement to ensure recent CVE fixes
'BuildRequires: golang >= 1.19.4' will ensure that recent CVEs like
CVE-2022-41717 remain fixed.

There's no need to do a build just for this, because the toolbox package
has either already been built with a sufficiently recent golang or will
soon be.

https://bugzilla.redhat.com/show_bug.cgi?id=2161274
2023-02-22 20:44:23 +01:00
Martin Jackson
fbfe9ff31b Fix the ExclusiveArch
The %gometa RPM macro also generates an ExclusiveArch on %golang_arches
or %golang_arches_future depending on whether the -f flag is present or
not.  This was overriding the separately specified ExclusiveArch.

Fallout from 7ce081c75c

https://src.fedoraproject.org/rpms/toolbox/pull-request/12
2023-02-22 19:22:47 +01:00