-
-
Notifications
You must be signed in to change notification settings - Fork 14.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
toolbox: init at 0.0.99 #110473
toolbox: init at 0.0.99 #110473
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
cc @NixOS/podman
a2b54f2
to
f4ce744
Compare
Last couple thoughts:
For reference, these are my pertinent nixos settings:
|
I wouldn't add it for now, we can decide on that later.
Yeah, I'd like to wait at least until we see upstream is okay with the patch. |
This problem also happens in Fedora if the user shell is not Bash. |
@tfmoraes What is the case where /mnt won't exist? that requires this patch. I'll try to upstream it, but I'll need justification. diff --git a/src/cmd/create.go b/src/cmd/create.go
index 74e90b1..f977234 100644
--- a/src/cmd/create.go
+++ b/src/cmd/create.go
@@ -318,13 +318,15 @@ func createContainer(container, image, release string, showCommandToEnter bool)
var mntLink []string
var mntMount []string
- mntPath, _ := filepath.EvalSymlinks("/mnt")
- if mntPath == "/var/mnt" {
- logrus.Debug("/mnt is a symbolic link to /var/mnt")
- mntLink = []string{"--mnt-link"}
- } else {
- mntMount = []string{"--volume", "/mnt:/mnt:rslave"}
- }
+ if utils.PathExists("/mnt") {
+ mntPath, _ := filepath.EvalSymlinks("/mnt")
+ if mntPath == "/var/mnt" {
+ logrus.Debug("/mnt is a symbolic link to /var/mnt")
+ mntLink = []string{"--mnt-link"}
+ } else {
+ mntMount = []string{"--volume", "/mnt:/mnt:rslave"}
+ }
+ }
var runMediaMount []string
|
2a48a98
to
5640d99
Compare
@mjlbach my system doesn't have |
@mjlbach tested here. It's working! The only problem is that sudo doesn't have access to network, see: $ ping google.com # normal user
PING google.com (64.233.188.101) 56(84) bytes of data.
64 bytes from tk-in-f101.1e100.net (64.233.188.101): icmp_seq=1 ttl=101 time=287 ms
64 bytes from tk-in-f101.1e100.net (64.233.188.101): icmp_seq=2 ttl=101 time=286 ms
64 bytes from tk-in-f101.1e100.net (64.233.188.101): icmp_seq=3 ttl=101 time=287 ms
$ sudo ping google.com # super user
ping: google.com: Temporary failure in name resolution Because of that I can't use dnf to install things. |
That's odd, I don't have that issue on my system. |
I think it's because $ ls -l /etc/resolv.conf
lrwxrwxrwx 1 root root 32 Jan 22 17:39 /etc/resolv.conf -> /run/host/etc/static/resolv.conf
$ ls -l /run/host/etc/static/resolv.conf
ls: cannot access '/run/host/etc/static/resolv.conf': No such file or directory |
Oh weird, my symlink is correct. |
I fixed my case with this little patch https://gist.github.com/tfmoraes/583bb66269216768fbe72b4e57cdd221 In my system /etc/resolv.conf is a link:
And /etc/static is also a link |
Yeah, it's an upstream issue. You can follow it here: https://github.com/containers/toolbox/issues |
Ok. Figured out the container KDE sharing issue. It's actually an SDDM issue. SDDM, unlike GDM, doesn't use FamilyWild type xauth entries, so Xauth is sensitive to the hostname. This is why it works on gnome. There's this upstream PR for SDDM which would fix the issue here: sddm/sddm#1230 Fedora applies this patch to SDDM (same author): https://src.fedoraproject.org/rpms/sddm/blob/master/f/0001-Redesign-Xauth-handling.patch to use FamilyWild, I'm not sure if this causes enough issues/inconvenience to justify a patch in nixpkgs as well. I can confirm applying this patch to our sddm, that the problem is resolved as well. |
Also, realized one annoyance with this approach is I believe you will have to re-create the container everytime the glib patch changes, since that's added to the container at build-time :( One option would be for users to just pin the nixpkgs commit, the other might be to create a nixos module that updates all toolbox containers to point to the latest glibc on each rebuild. I could also try to patch the flags set to podman at runtime to always point to the latest version of glib. |
Run Toolbox inside a FHS Env is not a option? |
No, the problem is the bind mount info that's stored inside the container points to both toolbox and glibc, both of which paths will change on system upgrade. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Doing a non CGO build would seem to be the simplest solution, upstream was considering it themselves at one point but they went a different way. containers/toolbox#531 (review) |
That's true, but we still link the store path to toolbox into the container at build time. I have a patch which reads the store link to glibc and toolbox from an environmental variable (which toolbox would be wrapped with) at runtime, which I think is the best option? If we don't build with glibc, we could copy toolbox into the container at build time, but it would still require a patch then to remove the volume mount to the toolbox binary when building the container. |
Toolbox only requires the The idea is to enable using Note:
|
@debarshiray (thank you for your work!), responding to your comment on the issue re: glibc here. I'm not sure if you're familiar with nix, but it's a little strange in that when we compile toolbox, the toolbox binary has a hardcoded path to glibc which points to a non-fhs compliant location (under /nix/store/hash-unique-to-version-glibc), which is also where toolbox is located (at /nix/store/hash-unique-to-version-toolbox). To allow the toolbox binary to run, I have to bind-mount both of these volumes upon creation of a new toolbox , the path to the toolbox binary is handled automatically, but the glibc path which I do so with an in-tree nixpkgs specific patch here: Now we don't have the glibc or toolbox issue, and everything works perfectly! However, there is one big caveat. When the nix version of glibc and toolbox update, the bind mount that is mapped to these locations is no longer valid, as those locations in the nix store can be garbage collected at will. This means after (most) system upgrades, all toolbox containers will break without users manually updating the bind mount paths to both glibc and toolbox (since the hash-unique-to-version has changed). I've investigated a couple solutions, namely wrapping the toolbox start command to automatically update these paths on each run which is hacky but I think will work, but was curious if you had any thoughts. Solving this issue and upstreaming containers/toolbox#675 are the only two roadblocks to merging this (I believe) since you fixed and merged my other upstream pr. Also thank you so much for you work on toolbox, and stopping by to see how our packaging was going! :) |
No, I wasn't aware of the inner workings of Nix. So, thanks for the explanation! I should probably set up a NixOS VM to play with.
Normally, on a NixOS host, how does the
What do you mean by the toolbox binary is handled automatically?
Barring details, I think I agree with the overall direction of that PR. I am busy with some non-Toolbox things right now. I will get to it as soon as I can switch back. |
There is a symlink ~/.nix-profile that points to your current active profile, which is similar to a system image after a transactional update in silverblue. This is located somewhere in For reference, when toolbox is installed on my system: ❯ ls -alt ~/.nix-profile/bin/toolbox
lrwxrwxrwx 2 root root 70 Dec 31 1969 /home/mjlbach/.nix-profile/bin/toolbox -> /nix/store/dv0vwwx108sq52d9q7qanpzbbl2vjfnl-toolbox-0.0.99/bin/toolbox And the binds into the toolbox container. Note the hashes will change on every upgrade of glibc or toolbox (or if any of their input dependencies change due to the design of nix addressing derivations by their inputs rather than outputs) leading to a dead link into the container, which is the last remaining problem I'm mulling over.
Yes,
Terrific, and I'm happy to help out as much as possible. Getting toolbox support for nixos will be a huge boon for nixos users.
NixOS is very fun to play around with, and it's very cool to see how silverblue/nix/guix are all tackling packaging problems :) |
Upstream patches have been merged! 🥳 Once a new release is cut, I'll go ahead and update the version, remove the patches from this PR, and implement a solution for linking glibc/toolbox into the container such that it will be updated when the store paths change. |
I marked this as stale due to inactivity. → More info |
This is very important to me! 😹 |
I'm probably not going to finish this as I don't use nixos anymore |
So close! 😹 Neither do I, but I thought for nix itself it may prove useful! Otherwise I'd have to install it from the distro's official repositories. Which is fine, but I enjoy the uniformity of using a single package manager. |
This will likely never work reliably with your distro, as the last think I had left to do was add a systemd service to update all containers glibc bind mounts on rebuild (or patch toolbox to do so) |
Ah; makes sense. I'm running Ubuntu for the ZFS root, so I guess I'll just have to use |
I would be willing to bring this up to speed. I agree that toolbox is an amazing tool, and I would love to have access to it on Nix. |
buildFlagsArray = [ | ||
"-ldflags=-X github.com/containers/toolbox/pkg/version.currentVersion=${version}" | ||
]; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
buildFlagsArray = [ | |
"-ldflags=-X github.com/containers/toolbox/pkg/version.currentVersion=${version}" | |
]; | |
ldflags = [ | |
"-X github.com/containers/toolbox/pkg/version.currentVersion=${version}" | |
"-s" "-w" | |
]; |
@ofborg eval |
Closing as the author stopped using If people want to see this packaged here I'd suggest working with upstream on making this a static binary (they have an open issue for this), that should resolve the last hurdle in getting this packaged. If someone really wants to try hacking around the |
Thanks for the work on this PR anyway. It would be very nice to see this on NixOS. If anyone is looking for a tool like Toolbox that works (mostly) on NixOS, check out Distrobox. I have been working upstream to improve support on NixOS with Distrobox, but I have yet to get it packaged, and if I remember correctly, I was seeing the same (edit): |
Found the issue. Opening a PR for distrobox. #160485 |
Motivation for this change
Closes #96115: Toolbox is a container tool, that gives an "escape" hatch for immutable systems like nix (and Silverblue).
Pending upstream patches: containers/toolbox#675 containers/toolbox#676Edit: have been merged!I also need to not hardcode the glibc nix store path.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)