Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package toolbox for openSUSE:Factory checked in at 2022-06-04 23:26:46 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/toolbox (Old) and /work/SRC/openSUSE:Factory/.toolbox.new.1548 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "toolbox" Sat Jun 4 23:26:46 2022 rev:21 rq:980625 version:2.3+git20220603.bbeda2e Changes: -------- --- /work/SRC/openSUSE:Factory/toolbox/toolbox.changes 2022-03-20 20:55:09.666493010 +0100 +++ /work/SRC/openSUSE:Factory/.toolbox.new.1548/toolbox.changes 2022-06-04 23:26:47.856741363 +0200 @@ -1,0 +2,14 @@ +Fri Jun 03 11:13:15 UTC 2022 - [email protected] + +- Update to version 2.3+git20220603.bbeda2e: + * Allow to choose runtime and try to retain the user's groups + * (Try to) Avoid problems when packages touching bind mounts are upgraded + * Try to make sure that (some) foreign distro images (kind of) work as toolboxes + * Do not stop a toolbox with something running inside + * Exit if neither podman or docker are usable + * Support passing just the name of the container to create and enter command + * Fix cleanup logic and make toolbox start a little less verbose + * Always pull when creating a new toolbox + * Add a "more sandboxing" mode + +------------------------------------------------------------------- Old: ---- microos-toolbox-2.3+git20220117.bd53c7c.tar.xz New: ---- microos-toolbox-2.3+git20220603.bbeda2e.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ toolbox.spec ++++++ --- /var/tmp/diff_new_pack.IKqqhC/_old 2022-06-04 23:26:48.332741846 +0200 +++ /var/tmp/diff_new_pack.IKqqhC/_new 2022-06-04 23:26:48.332741846 +0200 
@@ -17,12 +17,12 @@ Name: toolbox -Version: 2.3+git20220117.bd53c7c +Version: 2.3+git20220603.bbeda2e Release: 0 Summary: Script to start a toolbox container for system debugging License: Apache-2.0 Group: System/Management -URL: https://github.com/thkukuk/microos-toolbox +URL: https://github.com/openSUSE/microos-toolbox Source: microos-toolbox-%{version}.tar.xz Requires: (podman or docker) BuildArch: noarch ++++++ _service ++++++ --- /var/tmp/diff_new_pack.IKqqhC/_old 2022-06-04 23:26:48.360741874 +0200 +++ /var/tmp/diff_new_pack.IKqqhC/_new 2022-06-04 23:26:48.364741878 +0200 @@ -2,7 +2,7 @@ <service name="tar_scm" mode="disabled"> <param name="version">2.3</param> <param name="versionformat">2.3+git%cd.%h</param> - <param name="url">git://github.com/kubic-project/microos-toolbox.git</param> + <param name="url">https://github.com/openSUSE/microos-toolbox.git</param> <param name="scm">git</param> <param name="changesgenerate">enable</param> </service> ++++++ _servicedata ++++++ --- /var/tmp/diff_new_pack.IKqqhC/_old 2022-06-04 23:26:48.380741894 +0200 +++ /var/tmp/diff_new_pack.IKqqhC/_new 2022-06-04 23:26:48.384741898 +0200 
@@ -1,7 +1,7 @@ <servicedata> <service name="tar_scm"> - <param name="url">git://github.com/kubic-project/microos-toolbox.git</param> - <param name="changesrevision">bd53c7cb8a7ac4e0edd8e11b28b2de10d30f7308</param> + <param name="url">https://github.com/openSUSE/microos-toolbox.git</param> + <param name="changesrevision">bbeda2e96bcd8dcf18a3b107ab7a3e868d56a74b</param> </service> </servicedata> (No newline at EOF) ++++++ microos-toolbox-2.3+git20220117.bd53c7c.tar.xz -> microos-toolbox-2.3+git20220603.bbeda2e.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/microos-toolbox-2.3+git20220117.bd53c7c/toolbox new/microos-toolbox-2.3+git20220603.bbeda2e/toolbox --- old/microos-toolbox-2.3+git20220117.bd53c7c/toolbox 2022-01-17 10:46:19.000000000 +0100 +++ new/microos-toolbox-2.3+git20220603.bbeda2e/toolbox 2022-06-03 13:05:18.000000000 +0200 @@ -24,9 +24,12 @@ TOOLBOX_SHELL="/bin/bash" SUDO= -CLI=podman -if [[ ! -f /usr/bin/podman ]] && [[ -f /usr/bin/docker ]]; then +if command -v podman &> /dev/null ; then + CLI=podman +elif command -v docker &> /dev/null ; then CLI=docker +else + echo "$0: ERROR: neither 'podman' nor 'docker' are available. Exiting!" fi test -f /usr/etc/toolboxrc && . /usr/etc/toolboxrc @@ -34,26 +37,6 @@ MODE="system" -USER_ENV="DBUS_SESSION_BUS_ADDRESS \ - DBUS_SYSTEM_BUS_ADDRESS \ - DESKTOP_SESSION \ - SESSION_MANAGER \ - DISPLAY \ - LANG \ - SSH_AUTH_SOCK \ - USER \ - USERNAME \ - WAYLAND_DISPLAY \ - XAUTHORITY \ - XAUTHLOCALHOSTNAME \ - XDG_CURRENT_DESKTOP \ - XDG_DATA_DIRS \ - XDG_MENU_PREFIX \ - XDG_RUNTIME_DIR \ - XDG_SESSION_CLASS \ - XDG_SESSION_DESKTOP \ - XDG_SESSION_TYPE" - setup() { # Allow user overrides if [ -f "${TOOLBOXRC}" ]; then @@ -66,7 +49,7 @@ create() { local msg="creat" if ! container_exists; then - if ! image_exists; then + if ! image_exists || [ -z "$NO_PULL" ]; then image_pull fi local runlabel 
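Review bot: The new `else` branch in the runtime-detection hunk (`@@ -24,9 +24,12 @@`) prints "Exiting!" but never exits, so the script continues with `CLI` unset. Every later `${SUDO} $CLI stop …` then expands to `sudo stop …` or plain `stop …`, running whatever that word resolves to on PATH. Send the message to stderr and terminate: `echo "$0: ERROR: neither 'podman' nor 'docker' are available. Exiting!" >&2; exit 1`. If the intent is to let `/usr/etc/toolboxrc` (sourced right after) supply `CLI`, the check belongs below the config files instead; the hunk does not show which is meant. The `${SUDO} ${CLI} ps` usability check added in the `@@ -354,21 +405,36 @@` hunk has the same missing `exit`.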
@@ -111,9 +94,22 @@ groupadd -g ${USER_GID} ${USER_GNAME} useradd -M -N -g ${USER_GNAME} -u ${USER_ID} ${USER_NAME} if ! command -v sudo &> /dev/null ; then - zypper install -y --no-recommends sudo + if command -v zypper &> /dev/null ; then + zypper install -y --no-recommends sudo + elif command -v apt &> /dev/null ; then + apt update && apt -y install sudo + elif command -v dnf ; then + dnf install -y sudo + fi fi mkdir -p /etc/sudoers.d/ && echo "${USER_NAME} ALL = (root) NOPASSWD:ALL" > /etc/sudoers.d/${USER_NAME} +# Avoid issues when updating some packages +if [ -d "/usr/lib/rpm/macros.d/" ]; then + # Problematic packages are (on openSUSE): + # - filesystem: touches /dev + # - netcfg: touches /etc/hosts + echo "%_netsharedpath /dev/:/etc/hosts" > /usr/lib/rpm/macros.d/macros.microos-toolbox +fi EOF ${SUDO} $CLI exec --user root "${TOOLBOX_NAME}" bash "${tmp_user_setup}" &> "${tmp_user_setup_log}" ${SUDO} $CLI exec --user root "${TOOLBOX_NAME}" rm "${tmp_user_setup}" @@ -130,11 +126,9 @@ } cleanup() { - if [ -z "$NO_STOP" ]; then + if [ $(container_active) -eq 0 ] && [ -z "$NO_STOP" ]; then ${SUDO} $CLI stop "$TOOLBOX_NAME" &>/dev/null fi - - ${SUDO} rm -f $tmp_user_setup } container_exists() { @@ -142,7 +136,11 @@ } container_state() { - ${SUDO} $CLI inspect "$TOOLBOX_NAME" --format '{{.State.Status}}' + ${SUDO} $CLI inspect "$TOOLBOX_NAME" --format '{{.State.Status}}' 2> /dev/null +} + +container_active() { + ${SUDO} $CLI inspect "$TOOLBOX_NAME" --format '{{len .ExecIDs}}' 2> /dev/null } image_exists() { 
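Review bot: In the package-manager chain of the `@@ -111,9 +94,22 @@` hunk there is no final `else`, so on an image with none of the three tools the generated script still writes the NOPASSWD sudoers entry for a `sudo` that was never installed, and nothing reports it. Add `else echo "WARNING: no supported package manager found, sudo not installed" >&2` before the inner `fi`. The `dnf` probe also lacks the redirect the other two have and should read `elif command -v dnf &> /dev/null ; then`. `apt-get` is the front end intended for scripts, since `apt` itself warns that its CLI is not stable. The heredoc and its enclosing function start outside the hunk, so whether the delimiter is quoted (and when `${USER_NAME}` is expanded) cannot be checked from here.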
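Review bot: `[ $(container_active) -eq 0 ]` in `cleanup()` (hunk `@@ -130,11 +126,9 @@`) breaks when `container_active` prints nothing, which the `2> /dev/null` added in the next hunk makes the silent outcome of any failed `inspect`. The test becomes `[ -eq 0 ]`, errors out, and is treated as false. In `cleanup()` that only skips the stop, but `stop()` (hunk `@@ -173,35 +171,56 @@`) uses the same unquoted test with `-ne 0`, so there the "active sessions" guard fails open and the container is stopped anyway. Capture and default the value so an unknown state counts as active, e.g. `local n; n=$(container_active); [ "${n:-1}" -eq 0 ]`. The removal of `${SUDO} rm -f $tmp_user_setup` relies on the temp file being deleted elsewhere, which this hunk does not show.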
@@ -173,35 +171,56 @@ exit $? } +stop() { + # We can't stop non-existing and non-running toolboxes + if ! container_exists ; then + echo "$0: ERROR: Cannot stop non-existing container '$TOOLBOX_NAME'" + exit 2 + fi + if [[ "$(container_state)" != "running" ]]; then + echo "$0: ERROR: Cannot stop non-running container '$TOOLBOX_NAME'" + exit 2 + fi + + # We don't stop toolboxes with active sessions + if [ $(container_active) -ne 0 ]; then + echo "$0: ERROR: The toolbox '$TOOLBOX_NAME' has active sessions. Not stopping" + exit 1 + fi + + ${SUDO} $CLI stop "$TOOLBOX_NAME" &> /dev/null +} + container_create() { + if [ -z "$SANDBOX" ]; then + # this is the default behavior, unless --sandbox is specified + CREATE_NO_SANDBOX="--volume /dev:/dev:rslave --volume /sys:/sys:rslave --volume /:/media/root:rslave" + CREATE_NO_SANDBOX="$CREATE_NO_SANDBOX --privileged --security-opt label=disable --pid host --ipc host" + fi if ! ${SUDO} $CLI create \ + $RUNTIME \ --hostname "$TOOLBOX_NAME" \ --name "$TOOLBOX_NAME" \ --network host \ - --pid host \ - --ipc host \ - --privileged \ - --security-opt label=disable ${CREATE_AS_USER} \ - --volume /:/media/root:rslave \ - --volume /dev:/dev:rslave \ - --volume /sys:/sys:rslave \ + ${CREATE_NO_SANDBOX} \ + ${CREATE_AS_USER} \ --volume /etc/machine-id:/etc/machine-id:ro \ --volume /etc/localtime:/etc/localtime:ro \ - "$TOOLBOX_IMAGE" sleep +Inf 2>&1; then + "$TOOLBOX_IMAGE" sleep +Inf > /dev/null; then echo "$0: failed to create container '$TOOLBOX_NAME'" exit 1 fi } container_start() { - if ! ${SUDO} $CLI start "$TOOLBOX_NAME" 2>&1; then + if ! ${SUDO} $CLI start "$TOOLBOX_NAME" > /dev/null ; then echo "$0: failed to start container '$TOOLBOX_NAME'" exit 1 fi } container_runlabel() { - if ! ${SUDO} $CLI container runlabel --name "$TOOLBOX_NAME" RUN "$TOOLBOX_IMAGE" 2>&1; then + if ! 
${SUDO} $CLI container runlabel --name "$TOOLBOX_NAME" RUN "$TOOLBOX_IMAGE" > /dev/null ; then echo "$0: failed to runlabel on image '$TOOLBOX_IMAGE'" exit 1 fi @@ -218,9 +237,9 @@ } show_help() { - echo "USAGE: toolbox [[-h/--help] | [command] [-r/--root] [-u/--user] [-n/--nostop] - [[-R/--reg <registry>] [-I/--img <image>]|[-i/--image <image_URI>]] - [[-t/--tag <tag>]|[-c/--container <name>]] [command_to_run]] + echo "USAGE: toolbox [[-h/--help] | [list|create [<name>]|enter [<name>]|run|stop [<name>]] [-r/--root] [-u/--user] + [-n/--nostop] [-S/--sandbox] [-P/--no-pull] [[-R/--reg <registry>] [-I/--img <image>]|[-i/--image <image_URI>]] + [-X/--runtime <runtime_bin>] [[-t/--tag <tag>]|[-c/--container <name>]] [command_to_run]] toolbox is a small script that launches a container to let you bring in your favorite debugging or admin tools. The toolbox container is a pet container and will be restarted on following runs. To remove the container and start fresh, do $CLI rm ${TOOLBOX_NAME}. 
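Review bot: `container_create()` never resets `CREATE_NO_SANDBOX` when `--sandbox` is given. A value inherited from the caller's environment or set in a sourced toolboxrc is therefore still expanded, unquoted, into `$CLI create`, which can put `--privileged` and the host mounts back into a toolbox the user asked to be less privileged. Start the function with `local CREATE_NO_SANDBOX=` and initialise `RUNTIME=` next to the other defaults, so only this script decides those options. `--network host` and the `CREATE_AS_USER` volumes also stay on the sandboxed command line; a comment above the `if` listing what `-S` does and does not drop would keep readers from over-trusting it. The new `stop()` in this hunk prints its errors to stdout rather than stderr.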
@@ -230,13 +249,27 @@ create: Just create the toolbox enter: Enter inside a toolbox (if it does not exist, it is created) run: Run command_to_run inside a toolbox (if it does not exist, it is created) + stop: Stop a running toolbox (_only_ if no active sessions exists for it) + +For the create, enter and stop commands, the toolbox name can be specified either: + - with -t/--tag, e.g.: 'toolbox enter -t dev'. For user foo, will enter 'toolbox-foo-user-dev'. Or, + - with -c/--container, e.g.: 'toolbox create -c work'. Will create 'work'. Or + - with just the name of the container, e.g.: 'toolbox enter test'. Will enter 'test'. Options: -h/--help: Shows this help message -u/--user: Run as the current user inside the container -r/--root: Runs $CLI via sudo as root + -X/--runtime <runtime_bin>: Use the specified runtime (e.g., /usr/bin/crun) -n/--nostop: Does not stop the container on exit, allowing multiple sessions to use the same toolbox at once + -S/--sandbox: Start a \"less privileged than usual\" toolbox. It remains + true, though, that toolbox is *NOT* meant to be used for when + security and strong isolation are important. Always bear this + in mind, even when using this option. + -P/--no-pull: Skip trying to update the image, if it already exists. This + may speedup toolbox creation, but at the risk of creating the + toolbox out of a potentially (very?) old image. -t/--tag <tag>: Add <tag> to the toolbox name -c/--container <name>: Set the name of the toolbox to be equal to <name> (use this alternatively to -t) @@ -281,7 +314,7 @@ COMMAND=run if [ -n "$1" ] && is_option $1 ; then case $1 in - create | list | enter | run ) + create | list | enter | run | stop) MODE="user" COMMAND=$1 shift 
@@ -289,7 +322,7 @@ esac fi - ARGS=$(getopt -o hrunt:R:I:c:i: --long help,root,user,nostop,tag:,reg:,img:,container:,image: -n toolbox -- "$@") + ARGS=$(getopt -o hrunSPt:R:I:c:i:X: --long help,root,user,nostop,sandbox,no-pull,tag:,reg:,img:,container:,image:,runtime: -n toolbox -- "$@") eval set -- "$ARGS" while true; do case "$1" in @@ -302,6 +335,15 @@ shift SUDO=sudo ;; + -X|--runtime) + RUNTIME="--runtime $2" + if ! command -v $2 &> /dev/null ; then + echo "ERROR: $2 not available as runtime!" + show_help + exit 1 + fi + shift 2 + ;; -u|--user) shift MODE="user" @@ -310,6 +352,15 @@ NO_STOP="true" shift ;; + -S|--sandbox) + echo "WARNING: toolbox is not for sandboxing. Using -S removes some privileges, but don't feel too safe!!!" + SANDBOX="true" + shift + ;; + -P|--no-pull) + NO_PULL="true" + shift + ;; -c|--container) if [ -n "$TAG" ]; then echo "ERROR: Don't use both -c and -t!" 
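Review bot: The `-X|--runtime` arm (hunk `@@ -302,6 +335,15 @@`) uses `$2` unquoted in `command -v $2` and stores it in the flat string `--runtime $2`, which `container_create()` later expands unquoted. A value containing whitespace is therefore split into extra `create` options instead of being rejected. Quote the probe and validate before assigning, `if ! command -v "$2" &> /dev/null ; then`, and preferably keep the option as an array, `RUNTIME=(--runtime "$2")`, expanded as `"${RUNTIME[@]}"`. `command -v` also succeeds for builtins and shell functions, so it does not show the argument is an executable runtime; `[ -x "$(command -v "$2")" ]` is closer to that. The error line should go to stderr.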
@@ -354,21 +405,36 @@ esac done - # Handle list before setting up the cleanup trap, as we won't need - # to try to stop the container, in that case - if [ "$COMMAND" == "list" ]; then - list + ${SUDO} ${CLI} ps &> /dev/null + if [ $? -ne 0 ]; then + echo "$0: ERROR: '${CLI}' is available but does not seem to be usable. Exiting!" fi - # Don't call trap before, else we will cleanup stuff - # where nothing is to cleanup and report wrong error - trap cleanup EXIT - # Let's rebuild the image URI (this means that command # line, if present, overrides config file) TOOLBOX_IMAGE=$(echo "${REGISTRY}"/"${IMAGE}" | sed 's/^\///g') if [ "$MODE" = "user" ]; then + local USER_ENV="DBUS_SESSION_BUS_ADDRESS \ + DBUS_SYSTEM_BUS_ADDRESS \ + DESKTOP_SESSION \ + SESSION_MANAGER \ + DISPLAY \ + LANG \ + SSH_AUTH_SOCK \ + USER \ + USERNAME \ + WAYLAND_DISPLAY \ + XAUTHORITY \ + XAUTHLOCALHOSTNAME \ + XDG_CURRENT_DESKTOP \ + XDG_DATA_DIRS \ + XDG_MENU_PREFIX \ + XDG_RUNTIME_DIR \ + XDG_SESSION_CLASS \ + XDG_SESSION_DESKTOP \ + XDG_SESSION_TYPE" + USER_ID=$(id -u); USER_GID=$(id -g) USER_NAME=$(id -un) ; USER_GNAME=$(id -gn) if [ -z "$CHANGE_NAME" ]; then @@ -384,6 +450,9 @@ test -d /run/media && VOLUMES="$VOLUMES --volume /run/media/:/run/media/:rslave" if [[ "$CLI" == "podman" ]]; then CREATE_AS_USER="--userns=keep-id --user root:root $VOLUMES" + # Let's retain the user's groupd. This will (probably) only work + # with some runtime, but it's harmless for other, so worth a try. + CREATE_AS_USER=" $CREATE_AS_USER --annotation run.oci.keep_original_groups=1" elif [[ "$CLI" == "docker" ]]; then CREATE_AS_USER="--user root:root $VOLUMES" fi 
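Review bot: The comment added in the `@@ -384,6 +450,9 @@` hunk calls `run.oci.keep_original_groups=1` harmless for runtimes that ignore it, but does not say what it means where it is honoured. There, processes in the toolbox presumably keep the invoking user's supplementary groups, and with them group-based access to the bind-mounted host paths in `$VOLUMES`. Suggested wording, which also fixes the "groupd" typo: `# Retain the user's supplementary groups inside the toolbox (only honoured by some runtimes). This carries the user's group-based access over to bind-mounted host paths.` The leading space in `" $CREATE_AS_USER --annotation …"` looks unintentional.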
@@ -398,17 +467,38 @@ TOOLBOX_NAME="${TOOLBOX_NAME}-$TAG" fi + # enter, create and stop supports the name of the container being as an + # argument, so use if it's there. But there must be no conflict between + # that and the -c and -t options. + if [ "$COMMAND" = "enter" ] || [ "$COMMAND" = "create" ] || [ "$COMMAND" = "stop" ]; then + if [ $# -ge 1 ]; then + if [ -n "$CHANGE_NAME" ] || [ -n "$TAG" ]; then + echo "ERROR: Cannot determine which container to use between $TOOLBOX_NAME and $1" + show_help + exit 1 + fi + TOOLBOX_NAME=$1 + shift + fi + fi + case $COMMAND in - create) - create - ;; - enter|run) - if [ -z "$*" ]; then + create|enter|run) + # Cleanup is only needed if we're really starting the container + trap cleanup EXIT + + if [ "$COMMAND" = "create" ]; then + [ $# -gt 0 ] && echo "WARNING: ignoring the following arguments: $@" + create + elif [ "$COMMAND" = "enter" ] || [ $# -eq 0 ]; then + [ "$COMMAND" = "enter" ] && [ $# -gt 0 ] && echo "WARNING: ignoring the following arguments: $@" run ${TOOLBOX_SHELL} else run "$@" fi - cleanup + ;; + list|stop) + $COMMAND ;; *) echo "unknown command: '$COMMAND'"
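Review bot: `TOOLBOX_NAME=$1` takes the positional name without validation, and that value is then passed to `$CLI inspect`, `stop` and `create --name`. Depending on how the earlier `getopt` loop leaves the arguments, a name that is empty or begins with `-` would be read by the CLI as an option rather than a container. Check it before assigning, e.g. `[[ "$1" =~ ^[a-zA-Z0-9][a-zA-Z0-9_.-]*$ ]] || { echo "ERROR: invalid container name '$1'" >&2; exit 1; }`. In the two WARNING lines, `$@` inside the double-quoted string should be `$*`. The `case` statement and the enclosing function continue outside the hunk.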
