diff --git a/.zuul.yaml b/.zuul.yaml index 637c38d0f..fd16caec6 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -51,7 +51,7 @@ - job: name: system-test-fedora-rawhide description: Run Toolbx's system tests in Fedora Rawhide - timeout: 7800 + timeout: 10800 nodeset: nodes: - name: fedora-rawhide @@ -59,10 +59,21 @@ pre-run: playbooks/setup-env.yaml run: playbooks/system-test.yaml +- job: + name: system-test-fedora-41 + description: Run Toolbx's system tests in Fedora 41 + timeout: 9000 + nodeset: + nodes: + - name: fedora-41 + label: cloud-fedora-41 + pre-run: playbooks/setup-env.yaml + run: playbooks/system-test.yaml + - job: name: system-test-fedora-40 description: Run Toolbx's system tests in Fedora 40 - timeout: 7200 + timeout: 9000 nodeset: nodes: - name: fedora-40 @@ -73,7 +84,7 @@ - job: name: system-test-fedora-39 description: Run Toolbx's system tests in Fedora 39 - timeout: 7200 + timeout: 9000 nodeset: nodes: - name: fedora-39 @@ -85,6 +96,7 @@ periodic: jobs: - system-test-fedora-rawhide + - system-test-fedora-41 - system-test-fedora-40 - system-test-fedora-39 check: @@ -93,6 +105,7 @@ - unit-test-migration-path-for-coreos-toolbox - unit-test-restricted - system-test-fedora-rawhide + - system-test-fedora-41 - system-test-fedora-40 - system-test-fedora-39 gate: @@ -101,5 +114,6 @@ - unit-test-migration-path-for-coreos-toolbox - unit-test-restricted - system-test-fedora-rawhide + - system-test-fedora-41 - system-test-fedora-40 - system-test-fedora-39 diff --git a/README.md b/README.md index 6fe503f4f..baa3a602a 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ ![README](data/gfx/README.gif) [Toolbx](https://containertoolbx.org/) is a tool for Linux, which allows the -use of interactive command line environments for development and +use of interactive command line environments for software development and troubleshooting the host operating system, without having to install software on the host. It is built on top of [Podman](https://podman.io/) and other standard container technologies from [OCI](https://opencontainers.org/). diff --git a/doc/toolbox.1.md b/doc/toolbox.1.md index 22261147c..6102e7b43 100644 --- a/doc/toolbox.1.md +++ b/doc/toolbox.1.md @@ -1,7 +1,7 @@ % toolbox 1 ## NAME -toolbox - Tool for containerized command line environments on Linux +toolbox - Tool for interactive command line environments on Linux ## SYNOPSIS **toolbox** [*--assumeyes* | *-y*] @@ -13,21 +13,27 @@ toolbox - Tool for containerized command line environments on Linux ## DESCRIPTION -Toolbx is a tool for Linux operating systems, which allows the use of -containerized command line environments. It is built on top of Podman and -other standard container technologies from OCI. +Toolbx is a tool for Linux, which allows the use of interactive command line +environments for software development and troubleshooting the host operating +system, without having to install software on the host. It is built on top of +Podman and other standard container technologies from OCI. + +Toolbx environments have seamless access to the user’s home directory, the +Wayland and X11 sockets, networking (including Avahi), removable devices (like +USB sticks), systemd journal, SSH agent, D-Bus, ulimits, /dev and the udev +database, etc.. This is particularly useful on OSTree based operating systems like Fedora CoreOS and Silverblue. The intention of these systems is to discourage installation of software on the host, and instead install software as (or in) containers — they mostly don't even have package managers like DNF or YUM. -This makes it difficult to set up a development environment or install tools -for debugging in the usual way. +This makes it difficult to set up a development environment or troubleshoot +the operating system in the usual way. Toolbx solves this problem by providing a fully mutable container within -which one can install their favourite development and debugging tools, editors -and SDKs. For example, it's possible to do `yum install ansible` without -affecting the base operating system. +which one can install their favourite development and troubleshooting tools, +editors and SDKs. For example, it's possible to do `yum install ansible` +without affecting the base operating system. However, this tool doesn't *require* using an OSTree based system. It works equally well on Fedora Workstation and Server, and that's a useful way to @@ -35,10 +41,11 @@ incrementally adopt containerization. The Toolbx environment is based on an OCI image. On Fedora this is the `fedora-toolbox` image. This image is used to create a Toolbx container that -seamlessly integrates with the rest of the operating system by providing -access to the user's home directory, the Wayland and X11 sockets, networking -(including Avahi), removable devices (like USB sticks), systemd journal, SSH -agent, D-Bus, ulimits, /dev and the udev database, etc.. +offers the interactive command line environment. + +Note that Toolbx makes no promise about security beyond what’s already +available in the usual command line environment on the host that everybody is +familiar with. ## Supported operating system distributions diff --git a/images/fedora/f39/README.md b/images/fedora/f39/README.md index feb1d7851..44a35b3a8 100644 --- a/images/fedora/f39/README.md +++ b/images/fedora/f39/README.md @@ -1,5 +1,5 @@ [Toolbx](https://containertoolbx.org/) is a tool for Linux, which allows the -use of interactive command line environments for development and +use of interactive command line environments for software development and troubleshooting the host operating system, without having to install software on the host. It is built on top of [Podman](https://podman.io/) and other standard container technologies from [OCI](https://opencontainers.org/). @@ -11,8 +11,8 @@ udev database, etc.. This is particularly useful on [OSTree](https://ostreedev.github.io/ostree/) based operating systems like -[Fedora CoreOS](https://coreos.fedoraproject.org/) and -[Silverblue](https://silverblue.fedoraproject.org/). The intention of these +[Fedora CoreOS](https://fedoraproject.org/coreos/) and +[Silverblue](https://fedoraproject.org/silverblue/). The intention of these systems is to discourage installation of software on the host, and instead install software as (or in) containers — they mostly don't even have package managers like DNF or YUM. This makes it difficult to set up a development diff --git a/src/cmd/root.go b/src/cmd/root.go index 31b6298db..9c2de2089 100644 --- a/src/cmd/root.go +++ b/src/cmd/root.go @@ -45,7 +45,7 @@ var ( rootCmd = &cobra.Command{ Use: "toolbox", - Short: "Tool for containerized command line environments on Linux", + Short: "Tool for interactive command line environments on Linux", PersistentPreRunE: preRun, RunE: rootRun, Version: version.GetVersion(), diff --git a/src/cmd/utils.go b/src/cmd/utils.go index c5c35235a..6b1519f24 100644 --- a/src/cmd/utils.go +++ b/src/cmd/utils.go @@ -467,7 +467,7 @@ func showManual(manual string) error { manBinary, err := exec.LookPath("man") if err != nil { if errors.Is(err, exec.ErrNotFound) { - fmt.Printf("toolbox - Tool for containerized command line environments on Linux\n") + fmt.Printf("toolbox - Tool for interactive command line environments on Linux\n") fmt.Printf("\n") fmt.Printf("Common commands are:\n") diff --git a/src/go-build-wrapper b/src/go-build-wrapper index 13ddc127c..a5a1a6a50 100755 --- a/src/go-build-wrapper +++ b/src/go-build-wrapper @@ -70,11 +70,53 @@ fi dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename" +# Note for distributors: +# +# The '-z now' flag, which is the opposite of '-z lazy', is unsupported as an +# external linker flag [1], because of how the NVIDIA Container Toolkit stack +# uses dlopen(3) to load libcuda.so.1 and libnvidia-ml.so.1 at runtime [2,3]. +# +# The NVIDIA Container Toolkit stack doesn't use dlsym(3) to obtain the address +# of a symbol at runtime before using it. It links against undefined symbols +# at build-time available through a CUDA API definition embedded directly in +# the CGO code or a copy of nvml.h. It relies upon lazily deferring function +# call resolution to the point when dlopen(3) is able to load the shared +# libraries at runtime, instead of doing it when toolbox(1) is started. +# +# This is unlike how Toolbx itself uses dlopen(3) and dlsym(3) to load +# libsubid.so at runtime. +# +# Compare the output of: +# $ nm /path/to/toolbox | grep ' subid_init' +# +# ... with those from: +# $ nm /path/to/toolbox | grep ' nvmlGpuInstanceGetComputeInstanceProfileInfoV' +# U nvmlGpuInstanceGetComputeInstanceProfileInfoV +# $ nm /path/to/toolbox | grep ' nvmlDeviceGetAccountingPids' +# U nvmlDeviceGetAccountingPids +# +# Using '-z now' as an external linker flag forces the dynamic linker to +# resolve all symbols when toolbox(1) is started, and leads to: +# $ toolbox +# toolbox: symbol lookup error: toolbox: undefined symbol: +# nvmlGpuInstanceGetComputeInstanceProfileInfoV +# +# [1] NVIDIA Container Toolkit commit 1407ace94ab7c150 +# https://github.com/NVIDIA/nvidia-container-toolkit/commit/1407ace94ab7c150 +# https://github.com/NVIDIA/go-nvml/issues/18 +# https://github.com/NVIDIA/nvidia-container-toolkit/issues/49 +# +# [2] https://github.com/NVIDIA/nvidia-container-toolkit/tree/main/internal/cuda +# +# [3] https://github.com/NVIDIA/go-nvml/blob/main/README.md +# https://github.com/NVIDIA/go-nvml/tree/main/pkg/dl +# https://github.com/NVIDIA/go-nvml/tree/main/pkg/nvml + # shellcheck disable=SC2086 go build \ $tags \ -trimpath \ - -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ + -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ -o "$2/$3" exit "$?" diff --git a/test/system/002-help.bats b/test/system/002-help.bats index 7750013a9..c118fa191 100644 --- a/test/system/002-help.bats +++ b/test/system/002-help.bats @@ -53,7 +53,7 @@ teardown() { assert_success assert_line --index 0 --partial "toolbox(1)" assert_line --index 0 --partial "General Commands Manual" - assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for containerized command line environments on Linux$" + assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for interactive command line environments on Linux$" assert [ ${#lines[@]} -gt 4 ] assert [ ${#stderr_lines[@]} -eq 0 ] } @@ -66,7 +66,7 @@ teardown() { run --keep-empty-lines --separate-stderr "$TOOLBX" help assert_success - assert_line --index 0 "toolbox - Tool for containerized command line environments on Linux" + assert_line --index 0 "toolbox - Tool for interactive command line environments on Linux" assert_line --index 2 "Common commands are:" assert_line --index 3 "create Create a new Toolbx container" assert_line --index 4 "enter Enter an existing Toolbx container" @@ -86,7 +86,7 @@ teardown() { assert_success assert_line --index 0 --partial "toolbox(1)" assert_line --index 0 --partial "General Commands Manual" - assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for containerized command line environments on Linux$" + assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for interactive command line environments on Linux$" assert [ ${#lines[@]} -gt 4 ] assert [ ${#stderr_lines[@]} -eq 0 ] } @@ -99,7 +99,7 @@ teardown() { run --keep-empty-lines --separate-stderr "$TOOLBX" --help assert_success - assert_line --index 0 "toolbox - Tool for containerized command line environments on Linux" + assert_line --index 0 "toolbox - Tool for interactive command line environments on Linux" assert_line --index 2 "Common commands are:" assert_line --index 3 "create Create a new Toolbx container" assert_line --index 4 "enter Enter an existing Toolbx container"