From 83f28c52e47c2d44acbc5c8454ea23ba70ecdb6f Mon Sep 17 00:00:00 2001 
From: Debarshi Ray Date: Wed, 25 Sep 2024 18:25:56 +0200 Subject: [PATCH 1/8] build: Notify distributors that the '-z now' linker flag is unsupported The '-z now' flag, which is the opposite of '-z lazy', is unsupported as an external linker flag [1], because of how the NVIDIA Container Toolkit stack uses dlopen(3) to load libcuda.so.1 and libnvidia-ml.so.1 at runtime [2,3]. The NVIDIA Container Toolkit stack doesn't use dlsym(3) to obtain the address of a symbol at runtime before using it. It links against undefined symbols at build-time available through a CUDA API definition embedded directly in the CGO code or a copy of nvml.h. It relies upon lazily deferring function call resolution to the point when dlopen(3) is able to load the shared libraries at runtime, instead of doing it when toolbox(1) is started. This is unlike how Toolbx itself uses dlopen(3) and dlsym(3) to load libsubid.so at runtime. Compare the output of: $ nm /path/to/toolbox | grep ' subid_init' ... with those from: $ nm /path/to/toolbox | grep ' nvmlGpuInstanceGetComputeInstanceProfileInfoV' U nvmlGpuInstanceGetComputeInstanceProfileInfoV $ nm /path/to/toolbox | grep ' nvmlDeviceGetAccountingPids' U nvmlDeviceGetAccountingPids Using '-z now' as an external linker flag forces the dynamic linker to resolve all symbols when toolbox(1) is started, and leads to: $ toolbox toolbox: symbol lookup error: toolbox: undefined symbol: nvmlGpuInstanceGetComputeInstanceProfileInfoV With the recent expansion of the test suite, it's necessary to increase the timeout for the Fedora nodes to prevent the CI from timing out. 
Fallout from 6e848b250b4cde98fb9a40b17421f1f54eacd8f3 [1] NVIDIA Container Toolkit commit 1407ace94ab7c150 https://github.com/NVIDIA/nvidia-container-toolkit/commit/1407ace94ab7c150 https://github.com/NVIDIA/go-nvml/issues/18 https://github.com/NVIDIA/nvidia-container-toolkit/issues/49 [2] https://github.com/NVIDIA/nvidia-container-toolkit/tree/main/internal/cuda [3] https://github.com/NVIDIA/go-nvml/blob/main/README.md https://github.com/NVIDIA/go-nvml/tree/main/pkg/dl https://github.com/NVIDIA/go-nvml/tree/main/pkg/nvml https://github.com/containers/toolbox/pull/1548 --- .zuul.yaml | 6 +++--- src/go-build-wrapper | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 3 deletions(-) diff --git a/.zuul.yaml b/.zuul.yaml index 637c38d0f..a09f85a95 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -51,7 +51,7 @@ - job: name: system-test-fedora-rawhide description: Run Toolbx's system tests in Fedora Rawhide - timeout: 7800 + timeout: 10800 nodeset: nodes: - name: fedora-rawhide @@ -62,7 +62,7 @@ - job: name: system-test-fedora-40 description: Run Toolbx's system tests in Fedora 40 - timeout: 7200 + timeout: 9000 nodeset: nodes: - name: fedora-40 @@ -73,7 +73,7 @@ - job: name: system-test-fedora-39 description: Run Toolbx's system tests in Fedora 39 - timeout: 7200 + timeout: 9000 nodeset: nodes: - name: fedora-39 diff --git a/src/go-build-wrapper b/src/go-build-wrapper index 13ddc127c..7968e3c9b 100755 --- a/src/go-build-wrapper +++ b/src/go-build-wrapper 
@@ -70,6 +70,48 @@ fi dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename" +# Note for distributors: +# +# The '-z now' flag, which is the opposite of '-z lazy', is unsupported as an +# external linker flag [1], because of how the NVIDIA Container Toolkit stack +# uses dlopen(3) to load libcuda.so.1 and libnvidia-ml.so.1 at runtime [2,3]. +# +# The NVIDIA Container Toolkit stack doesn't use dlsym(3) to obtain the address +# of a symbol at runtime before using it. It links against undefined symbols +# at build-time available through a CUDA API definition embedded directly in +# the CGO code or a copy of nvml.h. It relies upon lazily deferring function +# call resolution to the point when dlopen(3) is able to load the shared +# libraries at runtime, instead of doing it when toolbox(1) is started. +# +# This is unlike how Toolbx itself uses dlopen(3) and dlsym(3) to load +# libsubid.so at runtime. +# +# Compare the output of: +# $ nm /path/to/toolbox | grep ' subid_init' +# +# ... 
with those from: +# $ nm /path/to/toolbox | grep ' nvmlGpuInstanceGetComputeInstanceProfileInfoV' +# U nvmlGpuInstanceGetComputeInstanceProfileInfoV +# $ nm /path/to/toolbox | grep ' nvmlDeviceGetAccountingPids' +# U nvmlDeviceGetAccountingPids +# +# Using '-z now' as an external linker flag forces the dynamic linker to +# resolve all symbols when toolbox(1) is started, and leads to: +# $ toolbox +# toolbox: symbol lookup error: toolbox: undefined symbol: +# nvmlGpuInstanceGetComputeInstanceProfileInfoV +# +# [1] NVIDIA Container Toolkit commit 1407ace94ab7c150 +# https://github.com/NVIDIA/nvidia-container-toolkit/commit/1407ace94ab7c150 +# https://github.com/NVIDIA/go-nvml/issues/18 +# https://github.com/NVIDIA/nvidia-container-toolkit/issues/49 +# +# [2] https://github.com/NVIDIA/nvidia-container-toolkit/tree/main/internal/cuda +# +# [3] https://github.com/NVIDIA/go-nvml/blob/main/README.md +# https://github.com/NVIDIA/go-nvml/tree/main/pkg/dl +# https://github.com/NVIDIA/go-nvml/tree/main/pkg/nvml + # shellcheck disable=SC2086 go build \ $tags \ From 66280a617ae7eaa29113aeb8e76cbcee6ac04feb Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Tue, 24 Sep 2024 14:21:05 +0200 Subject: [PATCH 2/8] build: Use the same linker flags as NVIDIA Container Toolkit The previous commit explains how the NVIDIA Container Toolkit is sensitive to some linker flags. Therefore, use the same linker flags that are used by NVIDIA Container Toolkit to build the nvidia-cdi-hook, nvidia-ctk, etc. binaries, because they use the same Go APIs that toolbox(1) does [1]. It's better to use the same build configuration to prevent subtle bugs from creeping in. [1] NVIDIA Container Toolkit commit 772cf77dcc2347ce https://github.com/NVIDIA/nvidia-container-toolkit/commit/772cf77dcc2347ce https://github.com/NVIDIA/nvidia-container-toolkit/pull/333 https://github.com/containers/toolbox/pull/1548 --- src/go-build-wrapper | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
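Review bot: the three timeout bumps in .zuul.yaml (7800 to 10800 for rawhide, 7200 to 9000 for Fedora 40 and Fedora 39) have nothing to do with the linker-flag note this commit is about and are only explained by the last sentence of the commit message. Splitting them into their own commit (for example ".zuul: Increase timeouts for the expanded test suite") would keep `git blame` and any later revert of the go-build-wrapper change clean.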
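Review bot: the new "Note for distributors" block in go-build-wrapper only documents the constraint; nothing in the wrapper enforces it, so a distribution that injects `-z now` through its hardening LDFLAGS still ships a toolbox(1) that dies at start-up with exactly the `symbol lookup error` quoted in the comment. Since the comment itself points out that '-z lazy' is the inverse flag, consider appending `-Wl,-z,lazy` to the `-extldflags` string so the wrapper's choice wins whatever the environment supplies (if the ordering of the final link line allows it), or at least run the freshly built binary once at the end of the wrapper so that a fully-bound build fails at build time instead of on the user's machine.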
diff --git a/src/go-build-wrapper b/src/go-build-wrapper index 7968e3c9b..a5a1a6a50 100755 --- a/src/go-build-wrapper +++ b/src/go-build-wrapper @@ -116,7 +116,7 @@ dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basen go build \ $tags \ -trimpath \ - -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ + -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \ -o "$2/$3" exit "$?" From 2eccaf821132b18565b1fe12e38e589ef1be78a1 Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Thu, 26 Sep 2024 19:21:47 +0200 Subject: [PATCH 3/8] README.md, images/fedora/f39: Tweak Use 'software development' instead of just 'development' when introducing Toolbx. The additional context makes it more understandable to the reader. https://github.com/containers/toolbox/pull/1549 --- README.md | 2 +- images/fedora/f39/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6fe503f4f..baa3a602a 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ ![README](data/gfx/README.gif) [Toolbx](https://containertoolbx.org/) is a tool for Linux, which allows the -use of interactive command line environments for development and +use of interactive command line environments for software development and troubleshooting the host operating system, without having to install software on the host. It is built on top of [Podman](https://podman.io/) and other standard container technologies from [OCI](https://opencontainers.org/). diff --git a/images/fedora/f39/README.md b/images/fedora/f39/README.md index feb1d7851..889f890c9 100644 --- a/images/fedora/f39/README.md 
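Review bot: `-Wl,--unresolved-symbols=ignore-in-object-files` silences link-time errors for every undefined symbol in the object files, not only the NVML and CUDA ones, so a typo or a missing library in any future cgo code in Toolbx would no longer be caught by the linker and would surface only at runtime as the same 'symbol lookup error' the previous commit describes. That trade-off deserves a sentence in the distributor note above the `go build` call, together with a smoke run of `"$2/$3"` (for example with `--version`) so the build still fails early. `--export-dynamic` likewise places every symbol in the dynamic symbol table; the commit message justifies it by parity with NVIDIA's own binaries, but the enlarged export surface is worth mentioning in the same comment.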
+++ b/images/fedora/f39/README.md @@ -1,5 +1,5 @@ [Toolbx](https://containertoolbx.org/) is a tool for Linux, which allows the -use of interactive command line environments for development and +use of interactive command line environments for software development and troubleshooting the host operating system, without having to install software on the host. It is built on top of [Podman](https://podman.io/) and other standard container technologies from [OCI](https://opencontainers.org/). From 85bed43a405301e0fbe4d283ac6416425756e83b Mon Sep 17 00:00:00 2001 From: Debarshi Ray Date: Thu, 26 Sep 2024 19:30:55 +0200 Subject: [PATCH 4/8] images/fedora/f39: Synchronize README.md Only the images for currently maintained Fedoras (ie., 39) were updated. https://github.com/containers/toolbox/pull/1549 --- images/fedora/f39/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/images/fedora/f39/README.md b/images/fedora/f39/README.md index 889f890c9..44a35b3a8 100644 --- a/images/fedora/f39/README.md +++ b/images/fedora/f39/README.md @@ -11,8 +11,8 @@ udev database, etc.. This is particularly useful on [OSTree](https://ostreedev.github.io/ostree/) based operating systems like -[Fedora CoreOS](https://coreos.fedoraproject.org/) and -[Silverblue](https://silverblue.fedoraproject.org/). The intention of these +[Fedora CoreOS](https://fedoraproject.org/coreos/) and +[Silverblue](https://fedoraproject.org/silverblue/). The intention of these systems is to discourage installation of software on the host, and instead install software as (or in) containers — they mostly don't even have package managers like DNF or YUM. This makes it difficult to set up a development From d731d8f087f6454c2154179ec6354498a6559c6e Mon Sep 17 00:00:00 2001 
From: Debarshi Ray Date: Thu, 26 Sep 2024 19:38:23 +0200 Subject: [PATCH 5/8] cmd, doc, test/system: Synchronize the summary with the code repository https://github.com/containers/toolbox/pull/1549 --- doc/toolbox.1.md | 2 +- src/cmd/root.go | 2 +- src/cmd/utils.go | 2 +- test/system/002-help.bats | 8 ++++---- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/doc/toolbox.1.md b/doc/toolbox.1.md index 22261147c..052f0349d 100644 --- a/doc/toolbox.1.md +++ b/doc/toolbox.1.md @@ -1,7 +1,7 @@ % toolbox 1 ## NAME -toolbox - Tool for containerized command line environments on Linux +toolbox - Tool for interactive command line environments on Linux ## SYNOPSIS **toolbox** [*--assumeyes* | *-y*] diff --git a/src/cmd/root.go b/src/cmd/root.go index 31b6298db..9c2de2089 100644 --- a/src/cmd/root.go +++ b/src/cmd/root.go @@ -45,7 +45,7 @@ var ( rootCmd = &cobra.Command{ Use: "toolbox", - Short: "Tool for containerized command line environments on Linux", + Short: "Tool for interactive command line environments on Linux", PersistentPreRunE: preRun, RunE: rootRun, Version: version.GetVersion(), diff --git a/src/cmd/utils.go b/src/cmd/utils.go index c5c35235a..6b1519f24 100644 --- a/src/cmd/utils.go +++ b/src/cmd/utils.go @@ -467,7 +467,7 @@ func showManual(manual string) error { manBinary, err := exec.LookPath("man") if err != nil { if errors.Is(err, exec.ErrNotFound) { - fmt.Printf("toolbox - Tool for containerized command line environments on Linux\n") + fmt.Printf("toolbox - Tool for interactive command line environments on Linux\n") fmt.Printf("\n") fmt.Printf("Common commands are:\n") diff --git a/test/system/002-help.bats b/test/system/002-help.bats index 7750013a9..c118fa191 100644 --- a/test/system/002-help.bats +++ b/test/system/002-help.bats 
@@ -53,7 +53,7 @@ teardown() { assert_success assert_line --index 0 --partial "toolbox(1)" assert_line --index 0 --partial "General Commands Manual" - assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for containerized command line environments on Linux$" + assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for interactive command line environments on Linux$" assert [ ${#lines[@]} -gt 4 ] assert [ ${#stderr_lines[@]} -eq 0 ] } @@ -66,7 +66,7 @@ teardown() { run --keep-empty-lines --separate-stderr "$TOOLBX" help assert_success - assert_line --index 0 "toolbox - Tool for containerized command line environments on Linux" + assert_line --index 0 "toolbox - Tool for interactive command line environments on Linux" assert_line --index 2 "Common commands are:" assert_line --index 3 "create Create a new Toolbx container" assert_line --index 4 "enter Enter an existing Toolbx container" @@ -86,7 +86,7 @@ teardown() { assert_success assert_line --index 0 --partial "toolbox(1)" assert_line --index 0 --partial "General Commands Manual" - assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for containerized command line environments on Linux$" + assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for interactive command line environments on Linux$" assert [ ${#lines[@]} -gt 4 ] assert [ ${#stderr_lines[@]} -eq 0 ] } @@ -99,7 +99,7 @@ teardown() { run --keep-empty-lines --separate-stderr "$TOOLBX" --help assert_success - assert_line --index 0 "toolbox - Tool for containerized command line environments on Linux" + assert_line --index 0 "toolbox - Tool for interactive command line environments on Linux" assert_line --index 2 "Common commands are:" assert_line --index 3 "create Create a new Toolbx container" assert_line --index 4 "enter Enter an existing Toolbx container" From ebf693394addd515f739b08e7a730f387ddb452e Mon Sep 17 00:00:00 2001 
From: Debarshi Ray Date: Thu, 26 Sep 2024 19:55:16 +0200 Subject: [PATCH 6/8] doc/toolbox: Tweak Mention that Toolbx is meant for system administrators to troubleshoot the host operating system. The word 'debugging' is often used in the context of software development, and hence most readers might not interpret it as 'troubleshooting'. https://github.com/containers/toolbox/pull/1549 --- doc/toolbox.1.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/toolbox.1.md b/doc/toolbox.1.md index 052f0349d..29e0f12e8 100644 --- a/doc/toolbox.1.md +++ b/doc/toolbox.1.md @@ -21,13 +21,13 @@ This is particularly useful on OSTree based operating systems like Fedora CoreOS and Silverblue. The intention of these systems is to discourage installation of software on the host, and instead install software as (or in) containers — they mostly don't even have package managers like DNF or YUM. -This makes it difficult to set up a development environment or install tools -for debugging in the usual way. +This makes it difficult to set up a development environment or troubleshoot +the operating system in the usual way. Toolbx solves this problem by providing a fully mutable container within -which one can install their favourite development and debugging tools, editors -and SDKs. For example, it's possible to do `yum install ansible` without -affecting the base operating system. +which one can install their favourite development and troubleshooting tools, +editors and SDKs. For example, it's possible to do `yum install ansible` +without affecting the base operating system. However, this tool doesn't *require* using an OSTree based system. It works equally well on Fedora Workstation and Server, and that's a useful way to From 861cf8546e73bb2f92d888860148647dc98f6481 Mon Sep 17 00:00:00 2001 
From: Debarshi Ray Date: Thu, 26 Sep 2024 20:00:20 +0200 Subject: [PATCH 7/8] doc/toolbox: Clarify that Toolbx isn't a security mechanism Using the word 'containerized' gives the false impression of heightened security. As if it's a mechanism to run untrusted software in a sandboxed environment without access to the user's private data (such as $HOME), hardware peripherals (such as cameras and microphones), etc.. That's not what Toolbx is for. Toolbx aims to offer an interactive command line environment for development and troubleshooting the host operating system, without having to install software on the host. That's all. It makes no promise about security beyond what's already available in the usual command line environment on the host that everybody is familiar with. https://github.com/containers/toolbox/issues/1020 --- doc/toolbox.1.md | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/doc/toolbox.1.md b/doc/toolbox.1.md index 29e0f12e8..6102e7b43 100644 --- a/doc/toolbox.1.md +++ b/doc/toolbox.1.md 
@@ -13,9 +13,15 @@ toolbox - Tool for interactive command line environments on Linux ## DESCRIPTION -Toolbx is a tool for Linux operating systems, which allows the use of -containerized command line environments. It is built on top of Podman and -other standard container technologies from OCI. +Toolbx is a tool for Linux, which allows the use of interactive command line +environments for software development and troubleshooting the host operating +system, without having to install software on the host. It is built on top of +Podman and other standard container technologies from OCI. + +Toolbx environments have seamless access to the user’s home directory, the +Wayland and X11 sockets, networking (including Avahi), removable devices (like +USB sticks), systemd journal, SSH agent, D-Bus, ulimits, /dev and the udev +database, etc.. This is particularly useful on OSTree based operating systems like Fedora CoreOS and Silverblue. The intention of these systems is to discourage @@ -35,10 +41,11 @@ incrementally adopt containerization. The Toolbx environment is based on an OCI image. On Fedora this is the `fedora-toolbox` image. This image is used to create a Toolbx container that -seamlessly integrates with the rest of the operating system by providing -access to the user's home directory, the Wayland and X11 sockets, networking -(including Avahi), removable devices (like USB sticks), systemd journal, SSH -agent, D-Bus, ulimits, /dev and the udev database, etc.. +offers the interactive command line environment. + +Note that Toolbx makes no promise about security beyond what’s already +available in the usual command line environment on the host that everybody is +familiar with. ## Supported operating system distributions From 679bf87eb90a404deb32557b4617ab7431843513 Mon Sep 17 00:00:00 2001 
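Review bot: the rewritten DESCRIPTION paragraph introduces a typographic apostrophe in `user’s` while the line it replaces used a plain `user's`, and `what’s` in the same patch follows suit; mixed quote characters in a man page source render inconsistently across roff and Markdown converters, so pick one form for the whole file. The inherited `etc..` (double full stop) at the end of the "seamless access" sentence is also worth fixing while the paragraph is being moved.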
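Review bot: the new "Note that Toolbx makes no promise about security" sentence is correct but abstract, and it sits two sections below the paragraph that lists the home directory, SSH agent, D-Bus, /dev and the rest. Given that the commit message's concern is readers who mistake "containerized" for sandboxing, one concrete follow-on sentence here (to the effect that software installed or run inside a Toolbx container has the same access to the user's files, devices and sessions as software run directly on the host) would make the consequence obvious to exactly that audience, without promising anything the tool does not do.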
From: Debarshi Ray Date: Thu, 26 Sep 2024 20:17:40 +0200 Subject: [PATCH 8/8] .zuul: Enable testing on Fedora 41 https://github.com/containers/toolbox/pull/1550 --- .zuul.yaml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.zuul.yaml b/.zuul.yaml index a09f85a95..fd16caec6 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -59,6 +59,17 @@ pre-run: playbooks/setup-env.yaml run: playbooks/system-test.yaml +- job: + name: system-test-fedora-41 + description: Run Toolbx's system tests in Fedora 41 + timeout: 9000 + nodeset: + nodes: + - name: fedora-41 + label: cloud-fedora-41 + pre-run: playbooks/setup-env.yaml + run: playbooks/system-test.yaml + - job: name: system-test-fedora-40 description: Run Toolbx's system tests in Fedora 40 @@ -85,6 +96,7 @@ periodic: jobs: - system-test-fedora-rawhide + - system-test-fedora-41 - system-test-fedora-40 - system-test-fedora-39 check: @@ -93,6 +105,7 @@ - unit-test-migration-path-for-coreos-toolbox - unit-test-restricted - system-test-fedora-rawhide + - system-test-fedora-41 - system-test-fedora-40 - system-test-fedora-39 gate: @@ -101,5 +114,6 @@ - unit-test-migration-path-for-coreos-toolbox - unit-test-restricted - system-test-fedora-rawhide + - system-test-fedora-41 - system-test-fedora-40 - system-test-fedora-39
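Review bot: the new system-test-fedora-41 job duplicates the `pre-run`, `run` and `timeout` settings of the neighbouring Fedora 40 and 39 jobs; a shared parent job would avoid maintaining the same three keys in four places. Independently of that, the `cloud-fedora-41` nodeset label must already exist in the Zuul nodepool configuration before this merges, otherwise the periodic, check and gate pipelines will all wait on a node that never arrives.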