toolbox status and expected usage

[dghubble]

I recently wanted to use toolbox and I'm unsure of the status. I remember some discussions about different flavors and now I see its marked done.

$ toolbox                                                                                                                                                       
toolbox: TOOLBOX_PATH not set                                                                                                                                                                 
$ export TOOLBOX_PATH=/usr/bin/toolbox
$ toolbox
toolbox: missing command

These are some common commands:
create    Create a new toolbox container
enter     Enter an existing toolbox container
list      List all existing toolbox containers and images

Try 'toolbox --help' for more information.
$ toolbox --help
toolbox: this is not a toolbox container
$ toolbox create
toolbox: this is not a toolbox container

I must be doing something very wrong or maybe this isn't supposed to work yet. Admittedly, I'm approaching this having only ever used CoreOS Container Linux toolbox (never the RPM) and infrequently.

Versions

rpm-ostree status
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora:fedora/x86_64/coreos/stable
                   Version: 31.20200323.3.2 (2020-04-08T14:30:14Z)
                    Commit: 9b322b9cead87ebf80881b75560e481b6e5a26966814b01bf0c12b61fa363708
              GPGSignature: Valid signature by 7D22D5867F2A4236474BF7B850CB390B3C3359C4

Name        : toolbox
Version     : 0.0.18
Release     : 1.fc31
Architecture: noarch
Install Date: Wed 08 Apr 2020 02:28:06 PM UTC
Group       : Unspecified
Size        : 119658
License     : ASL 2.0
Signature   : RSA/SHA256, Tue 14 Jan 2020 04:01:34 PM UTC, Key ID 50cb390b3c3359c4
Source RPM  : toolbox-0.0.18-1.fc31.src.rpm
Build Date  : Tue 14 Jan 2020 03:56:29 PM UTC
Build Host  : buildvm-06.phx2.fedoraproject.org
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : https://github.com/containers/toolbox
Bug URL     : https://bugz.fedoraproject.org/toolbox
Summary     : Unprivileged development environment

[lucab]

@dghubble my understanding of #38 is that it has been basically acknowledged that original toolbox script in Container Linux has been taken to a new home under https://github.com/containers/toolbox and a dedicated upstream development, and it gets back into FCOS like any other normal RPM.

One side effect of this is that it does not have to follow the same command-line arguments as the CL one, and any further bugs or UX friction you see would be better reported directly upstream (unless it's some integration woe).

[dghubble]

Ok, I created an issue over there. I'm not too worried over what the syntax is, just that it be able to do something for me (and for linking to as a way to use hack/special case tools that don't belong on-host).

[dghubble]

Ok to close if you like! I'll wait on their reply and close too.

[lucab]

@dghubble that makes sense.
Digging around, I've seen that somebody else already experienced exactly the same issues: containers/toolbox#265 (comment).

I think that the real missing thing on our side is a docpage showing 1) that there is a toolbox command 2) it has a different syntax compared to the CL script 3) how it can be used for quick debugging
That is, we need to port https://coreos.com/os/docs/latest/install-debugging-tools.html.

[masterzen]

Unfortunately https://github.com/containers/toolbox doesn't run on FCOS.
For instance:

[core@ip-10-100-53-159 ~]$ toolbox create
Image required to create toolbox container.
Download registry.fedoraproject.org/f31/fedora-toolbox:31 (500MB)? [y/N]: y
Created container: fedora-toolbox-31
Enter with: toolbox enter
[core@ip-10-100-53-159 ~]$ toolbox enter
toolbox: failed to start container fedora-toolbox-31

This fails because the fedora-toolbox-31 image doesn't have a sudo group:

...
time="2020-04-28T12:33:31Z" level=error msg="unable to start container \"fedora-toolbox-31\": error looking up supplemental groups for container 6f3ab8ac98b097c3b4449b25072f88dc7f0b284206032a8a598636697a857989: Unable to find group sudo"
toolbox: failed to start container fedora-toolbox-31

The FCOS core user is part of the sudo group to be able to sudo without a password.

Then if you go past this error (by using your own image), the tool is almost unusable to troubleshoot network issues as it runs in a rootless setup in which for instance it is impossible to run tcpdump or other privileged commands.

[dghubble]

I think I ended up just using podman directly.

Maybe there is a case for recommending podman and funneling feature requests there? The original CL toolbox (systemd-nspawn as I recall) handled weird edge case needs, but that was before container engines had features they do today. I can't actually put my finger on what features I'd want toolbox to have anymore (edit: it may have cool abilities I'm unaware of)

[masterzen]

We've finally resorted to use an adapted version of https://github.com/coreos/toolbox/blob/master/rhcos-toolbox. No more rootless podman FTW :)

[dghubble]

In the gentlest way, if toolbox hasn't been usable, maybe the package isn't required?

I originally only turned to toolbox out of debugging habbit from using the original CoreOS toolbox. But podman by itself has been quite capable of handing my needs in debugging scenarios. Run containers with nearly any constraint dropped in a pinch for tcpdump, ipvsadm, etc.

sudo podman run -it --privileged --net host fedora:32 /bin/bash

The way forward is providing a podman example or two to drop different namespace isolation?

[lucab]

In the gentlest way, if toolbox hasn't been usable, maybe the package isn't required?
The way forward is providing a podman example or two to drop different namespace isolation?

I honestly do share this feeling. At the same time there has been some heated debate in the past, and I don't feel comfortable personally spearheading this. I could help improving our docs side though.

As an additional datapoint, toolbox having evolved into another full fledged container runtime is causing confusion to newcomers, see https://discussion.fedoraproject.org/t/toolbox-not-working-after-fresh-installation/21485.