diff --git a/doc/toolbox-create.1.md b/doc/toolbox-create.1.md index ef53802a6..f85a819fc 100644 --- a/doc/toolbox-create.1.md +++ b/doc/toolbox-create.1.md @@ -5,6 +5,7 @@ toolbox\-create - Create a new toolbox container ## SYNOPSIS **toolbox create** [*--candidate-registry*] + [*--init*] [*--container NAME* | *-c NAME*] [*--image NAME* | *-i NAME*] [*--release RELEASE* | *-r RELEASE*] @@ -35,6 +36,11 @@ Pull the base image from `candidate-registry.fedoraproject.org`. This is useful for testing newly built images before they have moved to the stable registry at `registry.fedoraproject.org`. +**--init** + +Initialize container with system init running inside. It allows to run system +daemons inside but prevents accessing host daemons using systemd. + **--container** NAME, **-c** NAME Assign a different NAME to the toolbox container. This is useful for creating diff --git a/doc/toolbox-init-container.1.md b/doc/toolbox-init-container.1.md index ce3bc2fb8..c9b2e3bfc 100644 --- a/doc/toolbox-init-container.1.md +++ b/doc/toolbox-init-container.1.md @@ -11,6 +11,8 @@ toolbox\-init\-container - Initialize a running container *--shell SHELL* *--uid UID* *--user USER* + *--name TOOLBOX_NAME* + *--init* ## DESCRIPTION @@ -53,6 +55,14 @@ Create a user inside the toolbox container whose numerical user ID is UID. Create a user inside the toolbox container whose login name is LOGIN. +**--name TOOLBOX_NAME** + +Set the toolbox name, required for initialization. + +**--init** + +Run init inside container. + ## SEE ALSO `podman(1)`, `podman-create(1)`, `podman-start(1)` diff --git a/toolbox b/toolbox index f0dcceb65..519db9e3b 100755 --- a/toolbox +++ b/toolbox @@ -72,6 +72,7 @@ toolbox_image="" toolbox_runtime_directory="$XDG_RUNTIME_DIR"/toolbox user_id_real=$(id -ru 2>&3) verbose=false +init=false LGC='\033[1;32m' # Light Green Color 
@@ -1059,8 +1060,19 @@ create()
 spinner_directory=""
 fi
+ if $init; then
+ pid_ns=""
+ init_option="--init"
+ system_dbus_bind=""
+ else
+ pid_ns="--pid host"
+ init_option=""
+ system_dbus_bind="--volume $dbus_system_bus_path:$dbus_system_bus_path"
+ fi
+
 # shellcheck disable=SC2086
 $podman_command create \
+ --tmpfs /run \
 --dns none \
 --env TOOLBOX_PATH="$TOOLBOX_PATH" \
 --group-add "$group_for_sudo" \
@@ -1071,7 +1083,7 @@ create()
 --name $toolbox_container \
 --network host \
 --no-hosts \
- --pid host \
+ $pid_ns \
 --privileged \
 --security-opt label=disable \
 $ulimit_host \
@@ -1084,7 +1096,7 @@ create()
 --volume "$TOOLBOX_PATH":/usr/bin/toolbox:ro \
 --volume "$XDG_RUNTIME_DIR":"$XDG_RUNTIME_DIR" \
 --volume "$XDG_RUNTIME_DIR"/.flatpak-helper/monitor:/run/host/monitor \
- --volume "$dbus_system_bus_path":"$dbus_system_bus_path" \
+ $system_dbus_bind \
 --volume "$home_canonical":"$home_canonical":rslave \
 --volume /etc:/run/host/etc \
 --volume /dev:/dev:rslave \
@@ -1095,6 +1107,8 @@ create()
 --volume /var:/run/host/var:rslave \
 "$base_toolbox_image_full" \
 toolbox --verbose init-container \
+ $init_option \
+ --name $toolbox_container \
 --home "$HOME" \
 $home_link \
 $media_link \
@@ -1146,6 +1160,8 @@ init_container()
 init_container_shell="$5"
 init_container_uid="$6"
 init_container_user="$7"
+ init_container_name="$8"
+ init_container_init="$9"
 if [ "$XDG_RUNTIME_DIR" = "" ] 2>&3; then
 echo "$base_toolbox_command: XDG_RUNTIME_DIR is unset" >&3
@@ -1156,7 +1172,7 @@ init_container()
 toolbox_runtime_directory="$XDG_RUNTIME_DIR"/toolbox
 fi
- init_container_initialized_stamp="$toolbox_runtime_directory"/container-initialized-"$$"
+ init_container_initialized_stamp="$toolbox_runtime_directory"/container-initialized-"$init_container_name"
 echo "$base_toolbox_command: creating /run/.toolboxenv" >&3
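Review bot: The `$system_dbus_bind` substitution in the `--volume` hunk drops the quoting that the replaced `--volume "$dbus_system_bus_path":"$dbus_system_bus_path"` line had; the variable is expanded unquoted under the existing SC2086 suppression, so a bus path containing whitespace is now word-split into separate podman arguments, whereas `$pid_ns` and `$init_option` only ever carry fixed tokens. Keeping a flag rather than a pre-split string preserves the path, e.g. set `system_dbus_bind=true` in the else branch and write the argument as `${system_dbus_bind:+--volume} ${system_dbus_bind:+"$dbus_system_bus_path:$dbus_system_bus_path"} \`, which expands to nothing when the flag is empty and to one intact word otherwise. The new `--tmpfs /run` sits above the `$XDG_RUNTIME_DIR` and `/run/host/monitor` binds that init-container's stamp directory depends on; podman is expected to mount the nested binds on top of the tmpfs, but that ordering is worth confirming on the supported podman versions. The create() body starts and ends outside these hunks.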
@@ -1346,9 +1362,13 @@ EOF
 return 1
 fi
- echo "$base_toolbox_command: going to sleep" >&3
-
- exec sleep +Inf
+ if $init_container_init; then
+ echo "$base_toolbox_command: starting /sbin/init" >&3
+ exec /sbin/init
+ else
+ echo "$base_toolbox_command: going to sleep" >&3
+ sleep +Inf
+ fi
 }
@@ -1489,22 +1509,7 @@ run()
 if [ "$entry_point" = "toolbox" ] 2>&3; then
 echo "$base_toolbox_command: waiting for container $toolbox_container to finish initializing" >&3
- if ! entry_point_pid=$($podman_command inspect --format "{{.State.Pid}}" --type container "$toolbox_container" 2>&3); then
- echo "$base_toolbox_command: failed to inspect entry point PID of container $toolbox_container" >&2
- exit 1
- fi
-
- if ! is_integer "$entry_point_pid"; then
- echo "$base_toolbox_command: failed to parse entry point PID of container $toolbox_container" >&2
- exit 1
- fi
-
- if [ "$entry_point_pid" -le 0 ] 2>&3; then
- echo "$base_toolbox_command: invalid entry point PID of container $toolbox_container" >&2
- exit 1
- fi
-
- container_initialized_stamp="$toolbox_runtime_directory/container-initialized-$entry_point_pid"
+ container_initialized_stamp="$toolbox_runtime_directory/container-initialized-$toolbox_container"
 container_initialized_timeout=25 #s
 i=0
@@ -2290,6 +2295,14 @@ if [ -f /run/.containerenv ] 2>&3; then
 exit_if_missing_argument --user "$1"
 init_container_user="$1"
 ;;
+ --name )
+ shift
+ exit_if_missing_argument --name "$1"
+ init_container_name="$1"
+ ;;
+ --init )
+ init_container_init=true
+ ;;
 * )
 exit_if_unrecognized_option "$1"
 esac
@@ -2302,7 +2315,9 @@ if [ -f /run/.containerenv ] 2>&3; then
 "$init_container_monitor_host" \
 "$init_container_shell" \
 "$init_container_uid" \
- "$init_container_user"
+ "$init_container_user" \
+ "$init_container_name" \
+ "$init_container_init"
 exit "$?"
 ;;
 reset )
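Review bot: `if $init_container_init; then` in the init_container hunk takes the init branch whenever `$9` is empty, because an empty unquoted expansion leaves no command and the shell reports status 0; the diff only ever assigns `init_container_init=true` (the `--init` arm in the parser hunk) and adds `init=false` for the create side, so unless `init_container_init=false` is initialized somewhere not shown here, a container created without `--init` would `exec /sbin/init`. Initializing the default next to the other `init_container_*` variables, or testing explicitly with `if [ "$init_container_init" = true ] 2>&3; then`, makes the branch independent of an unset value. Separately, the non-init branch changes `exec sleep +Inf` to `sleep +Inf`, which leaves the entry-point shell as the container's main process with sleep as its child; the commit does not say why, and how `podman stop`'s signal then reaches or strands the sleep depends on the shell, so keeping `exec sleep +Inf` is the safer choice unless the shell is needed afterwards. init_container's body starts before this hunk.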
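Review bot: Keying the stamp on the container name in the run() hunk (`container-initialized-$toolbox_container`) makes it reusable across container lifetimes, whereas the removed PID-based name was unique to one entry-point process: a stamp left in `$toolbox_runtime_directory` by an earlier start of a container with the same name, or by a removed-and-recreated one, would satisfy the wait in run() before init-container has finished. Unless the stamp is cleared on stop or exit elsewhere, init_container should discard any stale stamp before it begins, e.g. `rm -f "$init_container_initialized_stamp" 2>&3` right after the assignment in the init_container hunk (which is cut off in this view). The parser hunk also does not enforce the `--name` the man page calls required, and the value becomes a path component of the stamp; podman's container-name rules should keep it free of `/`, but `init-container --name` accepts any argv string, so rejecting an empty or slash-containing name there is worth adding. run()'s body continues outside the hunk.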
@@ -2337,6 +2352,9 @@ case $op in
 --candidate-registry )
 registry=$registry_candidate
 ;;
+ --init )
+ init=true
+ ;;
 -c | --container )
 shift
 exit_if_missing_argument --container "$1"