.zuul: Enable testing on Fedora 41

.zuul.yaml

@@ -51,18 +51,29 @@
 - job:
     name: system-test-fedora-rawhide
     description: Run Toolbx's system tests in Fedora Rawhide
-    timeout: 7800
+    timeout: 10800
     nodeset:
       nodes:
         - name: fedora-rawhide
           label: cloud-fedora-rawhide
     pre-run: playbooks/setup-env.yaml
     run: playbooks/system-test.yaml
 
+- job:
+    name: system-test-fedora-41
+    description: Run Toolbx's system tests in Fedora 41
+    timeout: 9000
+    nodeset:
+      nodes:
+        - name: fedora-41
+          label: cloud-fedora-41
+    pre-run: playbooks/setup-env.yaml
+    run: playbooks/system-test.yaml
+
 - job:
     name: system-test-fedora-40
     description: Run Toolbx's system tests in Fedora 40
-    timeout: 7200
+    timeout: 9000
     nodeset:
       nodes:
         - name: fedora-40
@@ -73,7 +84,7 @@
 - job:
     name: system-test-fedora-39
     description: Run Toolbx's system tests in Fedora 39
-    timeout: 7200
+    timeout: 9000
     nodeset:
       nodes:
         - name: fedora-39
@@ -85,6 +96,7 @@
     periodic:
       jobs:
         - system-test-fedora-rawhide
+        - system-test-fedora-41
         - system-test-fedora-40
         - system-test-fedora-39
     check:
@@ -93,6 +105,7 @@
         - unit-test-migration-path-for-coreos-toolbox
         - unit-test-restricted
         - system-test-fedora-rawhide
+        - system-test-fedora-41
         - system-test-fedora-40
         - system-test-fedora-39
     gate:
@@ -101,5 +114,6 @@
         - unit-test-migration-path-for-coreos-toolbox
         - unit-test-restricted
         - system-test-fedora-rawhide
+        - system-test-fedora-41
         - system-test-fedora-40
         - system-test-fedora-39

README.md

@@ -1,7 +1,7 @@
 ![README](data/gfx/README.gif)
 
 [Toolbx](https://containertoolbx.org/) is a tool for Linux, which allows the
-use of interactive command line environments for development and
+use of interactive command line environments for software development and
 troubleshooting the host operating system, without having to install software
 on the host. It is built on top of [Podman](https://podman.io/) and other
 standard container technologies from [OCI](https://opencontainers.org/).

doc/toolbox.1.md

@@ -1,7 +1,7 @@
 % toolbox 1
 
 ## NAME
-toolbox - Tool for containerized command line environments on Linux
+toolbox - Tool for interactive command line environments on Linux
 
 ## SYNOPSIS
 **toolbox** [*--assumeyes* | *-y*]
@@ -13,32 +13,39 @@ toolbox - Tool for containerized command line environments on Linux
 
 ## DESCRIPTION
 
-Toolbx is a tool for Linux operating systems, which allows the use of
-containerized command line environments. It is built on top of Podman and
-other standard container technologies from OCI.
+Toolbx is a tool for Linux, which allows the use of interactive command line
+environments for software development and troubleshooting the host operating
+system, without having to install software on the host. It is built on top of
+Podman and other standard container technologies from OCI.
+
+Toolbx environments have seamless access to the user’s home directory, the
+Wayland and X11 sockets, networking (including Avahi), removable devices (like
+USB sticks), systemd journal, SSH agent, D-Bus, ulimits, /dev and the udev
+database, etc..
 
 This is particularly useful on OSTree based operating systems like Fedora
 CoreOS and Silverblue. The intention of these systems is to discourage
 installation of software on the host, and instead install software as (or in)
 containers — they mostly don't even have package managers like DNF or YUM.
-This makes it difficult to set up a development environment or install tools
-for debugging in the usual way.
+This makes it difficult to set up a development environment or troubleshoot
+the operating system in the usual way.
 
 Toolbx solves this problem by providing a fully mutable container within
-which one can install their favourite development and debugging tools, editors
-and SDKs. For example, it's possible to do `yum install ansible` without
-affecting the base operating system.
+which one can install their favourite development and troubleshooting tools,
+editors and SDKs. For example, it's possible to do `yum install ansible`
+without affecting the base operating system.
 
 However, this tool doesn't *require* using an OSTree based system. It works
 equally well on Fedora Workstation and Server, and that's a useful way to
 incrementally adopt containerization.
 
 The Toolbx environment is based on an OCI image. On Fedora this is the
 `fedora-toolbox` image. This image is used to create a Toolbx container that
-seamlessly integrates with the rest of the operating system by providing
-access to the user's home directory, the Wayland and X11 sockets, networking
-(including Avahi), removable devices (like USB sticks), systemd journal, SSH
-agent, D-Bus, ulimits, /dev and the udev database, etc..
+offers the interactive command line environment.
+
+Note that Toolbx makes no promise about security beyond what’s already
+available in the usual command line environment on the host that everybody is
+familiar with.
 
 ## Supported operating system distributions
 

images/fedora/f39/README.md

@@ -1,5 +1,5 @@
 [Toolbx](https://containertoolbx.org/) is a tool for Linux, which allows the
-use of interactive command line environments for development and
+use of interactive command line environments for software development and
 troubleshooting the host operating system, without having to install software
 on the host. It is built on top of [Podman](https://podman.io/) and other
 standard container technologies from [OCI](https://opencontainers.org/).
@@ -11,8 +11,8 @@ udev database, etc..
 
 This is particularly useful on
 [OSTree](https://ostreedev.github.io/ostree/) based operating systems like
-[Fedora CoreOS](https://coreos.fedoraproject.org/) and
-[Silverblue](https://silverblue.fedoraproject.org/). The intention of these
+[Fedora CoreOS](https://fedoraproject.org/coreos/) and
+[Silverblue](https://fedoraproject.org/silverblue/). The intention of these
 systems is to discourage installation of software on the host, and instead
 install software as (or in) containers — they mostly don't even have package
 managers like DNF or YUM. This makes it difficult to set up a development

src/cmd/root.go

@@ -45,7 +45,7 @@ var (
 
 	rootCmd = &cobra.Command{
 		Use:               "toolbox",
-		Short:             "Tool for containerized command line environments on Linux",
+		Short:             "Tool for interactive command line environments on Linux",
 		PersistentPreRunE: preRun,
 		RunE:              rootRun,
 		Version:           version.GetVersion(),

src/cmd/utils.go

@@ -467,7 +467,7 @@ func showManual(manual string) error {
 	manBinary, err := exec.LookPath("man")
 	if err != nil {
 		if errors.Is(err, exec.ErrNotFound) {
-			fmt.Printf("toolbox - Tool for containerized command line environments on Linux\n")
+			fmt.Printf("toolbox - Tool for interactive command line environments on Linux\n")
 			fmt.Printf("\n")
 			fmt.Printf("Common commands are:\n")
 

src/go-build-wrapper

@@ -70,11 +70,53 @@ fi
 
 dynamic_linker="/run/host$dynamic_linker_canonical_dirname/$dynamic_linker_basename"
 
+# Note for distributors:
+#
+# The '-z now' flag, which is the opposite of '-z lazy', is unsupported as an
+# external linker flag [1], because of how the NVIDIA Container Toolkit stack
+# uses dlopen(3) to load libcuda.so.1 and libnvidia-ml.so.1 at runtime [2,3].
+#
+# The NVIDIA Container Toolkit stack doesn't use dlsym(3) to obtain the address
+# of a symbol at runtime before using it.  It links against undefined symbols
+# at build-time available through a CUDA API definition embedded directly in
+# the CGO code or a copy of nvml.h.  It relies upon lazily deferring function
+# call resolution to the point when dlopen(3) is able to load the shared
+# libraries at runtime, instead of doing it when toolbox(1) is started.
+#
+# This is unlike how Toolbx itself uses dlopen(3) and dlsym(3) to load
+# libsubid.so at runtime.
+#
+# Compare the output of:
+#   $ nm /path/to/toolbox | grep ' subid_init'
+#
+# ... with those from:
+#   $ nm /path/to/toolbox | grep ' nvmlGpuInstanceGetComputeInstanceProfileInfoV'
+#           U nvmlGpuInstanceGetComputeInstanceProfileInfoV
+#   $ nm /path/to/toolbox | grep ' nvmlDeviceGetAccountingPids'
+#           U nvmlDeviceGetAccountingPids
+#
+# Using '-z now' as an external linker flag forces the dynamic linker to
+# resolve all symbols when toolbox(1) is started, and leads to:
+#   $ toolbox
+#   toolbox: symbol lookup error: toolbox: undefined symbol:
+#       nvmlGpuInstanceGetComputeInstanceProfileInfoV
+#
+# [1] NVIDIA Container Toolkit commit 1407ace94ab7c150
+#     https://github.com/NVIDIA/nvidia-container-toolkit/commit/1407ace94ab7c150
+#     https://github.com/NVIDIA/go-nvml/issues/18
+#     https://github.com/NVIDIA/nvidia-container-toolkit/issues/49
+#
+# [2] https://github.com/NVIDIA/nvidia-container-toolkit/tree/main/internal/cuda
+#
+# [3] https://github.com/NVIDIA/go-nvml/blob/main/README.md
+#     https://github.com/NVIDIA/go-nvml/tree/main/pkg/dl
+#     https://github.com/NVIDIA/go-nvml/tree/main/pkg/nvml
+
 # shellcheck disable=SC2086
 go build \
         $tags \
         -trimpath \
-        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
+        -ldflags "-extldflags '-Wl,-dynamic-linker,$dynamic_linker -Wl,-rpath,/run/host$libc_dir_canonical_dirname -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files' -linkmode external -X github.com/containers/toolbox/pkg/version.currentVersion=$4" \
         -o "$2/$3"
 
 exit "$?"

test/system/002-help.bats

@@ -53,7 +53,7 @@ teardown() {
   assert_success
   assert_line --index 0 --partial "toolbox(1)"
   assert_line --index 0 --partial "General Commands Manual"
-  assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for containerized command line environments on Linux$"
+  assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for interactive command line environments on Linux$"
   assert [ ${#lines[@]} -gt 4 ]
   assert [ ${#stderr_lines[@]} -eq 0 ]
 }
@@ -66,7 +66,7 @@ teardown() {
   run --keep-empty-lines --separate-stderr "$TOOLBX" help
 
   assert_success
-  assert_line --index 0 "toolbox - Tool for containerized command line environments on Linux"
+  assert_line --index 0 "toolbox - Tool for interactive command line environments on Linux"
   assert_line --index 2 "Common commands are:"
   assert_line --index 3 "create    Create a new Toolbx container"
   assert_line --index 4 "enter     Enter an existing Toolbx container"
@@ -86,7 +86,7 @@ teardown() {
   assert_success
   assert_line --index 0 --partial "toolbox(1)"
   assert_line --index 0 --partial "General Commands Manual"
-  assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for containerized command line environments on Linux$"
+  assert_line --index 3 --regexp "^[[:blank:]]+toolbox [‐-] Tool for interactive command line environments on Linux$"
   assert [ ${#lines[@]} -gt 4 ]
   assert [ ${#stderr_lines[@]} -eq 0 ]
 }
@@ -99,7 +99,7 @@ teardown() {
   run --keep-empty-lines --separate-stderr "$TOOLBX" --help
 
   assert_success
-  assert_line --index 0 "toolbox - Tool for containerized command line environments on Linux"
+  assert_line --index 0 "toolbox - Tool for interactive command line environments on Linux"
   assert_line --index 2 "Common commands are:"
   assert_line --index 3 "create    Create a new Toolbx container"
   assert_line --index 4 "enter     Enter an existing Toolbx container"