-
Notifications
You must be signed in to change notification settings - Fork 214
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support 'sudo toolbox ...' #267
Comments
This works with https://github.com/cgwalters/coretoolbox |
Considering we decided that we don't want to have two implementations and that we'll work together on |
Where was that decided? |
Well it seems like we've discussed "toolbox" a lot. In coreos/fedora-coreos-tracker#38 and https://github.com/debarshiray/toolbox/issues/8 and coreos/fedora-coreos-tracker#90. @mike-nguyen and @yuqi-zhang have been working together with @debarshiray IIUC to align the efforts. We have not added it to our design document so I guess we are missing a formal agreement, but in the meeting a week ago I didn't hear anyone dissenting on including |
I dissent until we have resolved the discussion in https://github.com/debarshiray/toolbox/issues/265 |
Toolbox might be used as root or rootless. Including the real user ID in the debug output can help understand bugs or oddities caused by differences in root versus rootless scenarios. https://github.com/debarshiray/toolbox/issues/267
The /etc/subgid and /etc/subuid files are only meant to be used when running rootless, and hence don't have an entry for root. https://github.com/debarshiray/toolbox/issues/267
That's caused by an explicit sanity check in Toolbox to ensure that people have sane Clearly this check needs to be skipped when running as root. :) I can imagine a few more things that might cause problems when running as root. eg., |
https://github.com/debarshiray/toolbox/pull/273 solves this specific issue, but we still need to work through the other differences between root and rootless scenarios. |
You were right! I now hit this:
because of |
Just found an old issue from Podman where they were solving this kind of problem: containers/podman#427. Their solution was to create /run/containers instead of /run/user/UID/containers. |
Workaround:
|
Next issue:
so we'd need to figure out how to launch dbus without X11 $DISPLAY variable |
I ran into this today. It makes Fedora CoreOS much more difficult to use because if you need to operate on the host, you have to either |
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox ...' there's no user or session D-Bus instance available for the root user, which prevents the use of D-Bus services like o.fd.Flatpak.SessionHelper. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox ...' there's no user or session D-Bus instance available for the root user, which prevents the use of D-Bus services like o.fd.Flatpak.SessionHelper. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox ...' there's no user or session D-Bus instance available for the root user, which prevents the use of D-Bus services like o.fd.Flatpak.SessionHelper. The code is forgiving to runtime errors when reacting to file system events because it's not worth abruptly terminating the entry point because of what might be a passing error. However, it's a lot stricter when initially configuring the container because the failure mode isn't as surprising for the user and it's worth starting from a valid state. containers#267
It's no longer used to keep /etc/localtime and /etc/timezone synchronized with the host. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox ...' there's no user or session D-Bus instance available for the root user, which prevents the use of D-Bus services like o.fd.Flatpak.SessionHelper. The code is forgiving to runtime errors when reacting to file system events because it's not worth abruptly terminating the entry point because of what might be a passing error. However, it's a lot stricter when initially configuring the container because the failure mode isn't as surprising for the user and it's worth starting from a valid state. containers#267
It's no longer used to keep /etc/localtime and /etc/timezone synchronized with the host. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox ...' there's no user or session D-Bus instance available for the root user, which prevents the use of D-Bus services like org.freedesktop.Flatpak.SessionHelper. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox ...' there's no user or session D-Bus instance available for the root user, which prevents the use of D-Bus services like org.freedesktop.Flatpak.SessionHelper. The code is forgiving to runtime errors when reacting to file system events because it's not worth abruptly terminating the entry point because of what might be a passing error. However, it's a lot stricter when initially configuring the container because the failure mode isn't as surprising for the user and it's worth starting from a valid state. containers#267
It's no longer used to keep /etc/localtime and /etc/timezone synchronized with the host. containers#267
A subsequent will need to inspect the container to know whether it needs the org.freedesktop.Flatpak.SessionHelper D-Bus service to be running. Since the container is already being inspected to get its entry point, the same JSON can be used for this. containers#267
... that were created to have a bind mount at /run/host/monitor. Newly created containers no longer need org.freedesktop.Flatpak.SessionHelper and hence the D-Bus service doesn't need to be started for them. containers#267
... that were created to have a bind mount at /run/host/monitor. Newly created containers no longer need org.freedesktop.Flatpak.SessionHelper and hence the D-Bus service doesn't need to be started for them. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox ...' there's no user or session D-Bus instance available for the root user, which prevents the use of D-Bus services like org.freedesktop.Flatpak.SessionHelper. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox ...' there's no user or session D-Bus instance available for the root user, which prevents the use of D-Bus services like org.freedesktop.Flatpak.SessionHelper. The code is forgiving to runtime errors when reacting to file system events because it's not worth abruptly terminating the entry point because of what might be a passing error. However, it's a lot stricter when initially configuring the container because the failure mode isn't as surprising for the user and it's worth starting from a valid state. containers#267
It's no longer used to keep /etc/localtime and /etc/timezone synchronized with the host. containers#267
... that were created to have a bind mount at /run/host/monitor. Newly created containers no longer need org.freedesktop.Flatpak.SessionHelper and hence the D-Bus service doesn't need to be started for them. containers#267
Currently, XDG_RUNTIME_DIR only gets propagated into the toolbox container from the host during 'enter'. This means that the container's entry point doesn't know about it. So, there's code in 'init-container' that sets XDG_RUNTIME_DIR to /run/user/UID. However, this assumption might not always hold true for all host operating systems. Given that XDG_RUNTIME_DIR plays a crucial role in synchronizing the container's entry point with the user-facing 'enter' command running on the host, it's wise to try a bit harder to propagate the value of XDG_RUNTIME_DIR into the container. Note that it can still go wrong if the value of XDG_RUNTIME_DIR changes after the container was created because the entry point will still have the old value. Fortunately, this isn't something that happens too often under normal operation. The value of XDG_RUNTIME_DIR is still propagated during 'enter' to retain compatibility with existing toolbox containers. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox' there's no XDG_RUNTIME_DIR available for the root user. Neither the environment variable nor the directory are present. XDG_RUNTIME_DIR is used for two reasons. First, to place the 'lock' file to synchronize Podman migrations and the initialization stamp file to synchronize the container's entry point with the user-facing 'enter' command running on the host. Second, it's used to propagate things like the user D-Bus, Pipewire and Wayland sockets. The first use-case is important for toolbox(1) itself to work. When running as root, XDG_RUNTIME_DIR is replaced with /run/toolbox for this purpose. The second use-case is mostly ignored because sudo(8) doesn't create a full-fledged user session. Graphical applications can still work by connecting to a X11 server over the local abstract socket or the file system socket in /tmp/.X11-unix. containers#267
A subsequent commit will add another argument to the OSC 777 escape sequence to specify the user ID that toolbox(1) is running as. Unlike the NAME and RUNTIME arguments, the UID argument won't be optional when popping. Therefore it's nicer to spell everything out for the sake of completeness. This shouldn't cause any user-visible change. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox enter', GNOME Terminal might choose not to preserve the current toolbox container when opening a new terminal. This is similar to how the current working directory of a 'su -' session isn't preserved when opening a new terminal. containers#267
A subsequent commit will add another argument to the OSC 777 escape sequence to specify the user ID that toolbox(1) is running as. Unlike the NAME and RUNTIME arguments, the UID argument won't be optional when popping. Therefore it's nicer to spell everything out for the sake of completeness. This change relies on VTE reading in all the remaining arguments when popping. Otherwise, the argument(s) might get spuriously displayed in the terminal. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox enter', GNOME Terminal might choose not to preserve the current toolbox container when opening a new terminal. This is similar to how the current working directory of a 'su -' session isn't preserved when opening a new terminal. containers#267
Currently, XDG_RUNTIME_DIR only gets propagated into the toolbox container from the host during 'enter'. This means that the container's entry point doesn't know about it. So, there's code in 'init-container' that sets XDG_RUNTIME_DIR to /run/user/UID. However, this assumption might not always hold true for all host operating systems. Given that XDG_RUNTIME_DIR plays a crucial role in synchronizing the container's entry point with the user-facing 'enter' command running on the host, it's wise to try a bit harder to propagate the value of XDG_RUNTIME_DIR into the container. Note that it can still go wrong if the value of XDG_RUNTIME_DIR changes after the container was created because the entry point will still have the old value. Fortunately, this isn't something that happens too often under normal operation. The value of XDG_RUNTIME_DIR is still propagated during 'enter' to retain compatibility with existing toolbox containers. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox' there's no XDG_RUNTIME_DIR available for the root user. Neither the environment variable nor the directory are present. XDG_RUNTIME_DIR is used for two reasons. First, to place the 'lock' file to synchronize Podman migrations and the initialization stamp file to synchronize the container's entry point with the user-facing 'enter' command running on the host. Second, it's used to propagate things like the user D-Bus, Pipewire and Wayland sockets. The first use-case is important for toolbox(1) itself to work. When running as root, XDG_RUNTIME_DIR is replaced with /run/toolbox for this purpose. The second use-case is mostly ignored because sudo(8) doesn't create a full-fledged user session. Graphical applications can still work by connecting to a X11 server over the local abstract socket or the file system socket in /tmp/.X11-unix. containers#267
Currently, XDG_RUNTIME_DIR only gets propagated into the toolbox container from the host during 'enter'. This means that the container's entry point doesn't know about it. So, there's code in 'init-container' that sets XDG_RUNTIME_DIR to /run/user/UID. However, this assumption might not always hold true for all host operating systems. Given that XDG_RUNTIME_DIR plays a crucial role in synchronizing the container's entry point with the user-facing 'enter' command running on the host, it's wise to try a bit harder to propagate the value of XDG_RUNTIME_DIR into the container. Note that it can still go wrong if the value of XDG_RUNTIME_DIR changes after the container was created because the entry point will still have the old value. Fortunately, this isn't something that happens too often under normal operation. The value of XDG_RUNTIME_DIR is still propagated during 'enter' to retain compatibility with existing toolbox containers. containers#267
This is one more step towards enabling toolbox(1) to be run as root. When invoked as 'sudo toolbox' there's no XDG_RUNTIME_DIR available for the root user. Neither the environment variable nor the directory are present. XDG_RUNTIME_DIR is used for two reasons. First, to place the 'lock' file to synchronize Podman migrations and the initialization stamp file to synchronize the container's entry point with the user-facing 'enter' command running on the host. Second, it's used to propagate things like the user D-Bus, Pipewire and Wayland sockets. The first use-case is important for toolbox(1) itself to work. When running as root, XDG_RUNTIME_DIR is replaced with /run/toolbox for this purpose. The second use-case is mostly ignored because sudo(8) doesn't create a full-fledged user session. Graphical applications can still work by connecting to a X11 server over the local abstract socket or the file system socket in /tmp/.X11-unix. containers#267
One of the biggest advantages of running as root is the ability to have all the UIDs from the host operating system mapped into the container by using the host's user namespace. This can be a big help when faced with permission problems. containers#267
I think this can be closed now. Any follow-up issues with |
One of the use cases from running toolbox on Fedora CoreOS is to debug the system (not development). When running as
root
I see an error:Is this expected?
The text was updated successfully, but these errors were encountered: