An image for a fedora-toolbox container

rishi · 2018-08-23T17:10:11.834Z

As part of the Silverblue effort, we are working on some tools to provide users with pet toolbox containers. This is similar to coreos/toolbox, except that we are using buildah, podman, etc. and are aiming to run rootless.

The idea is to:

Create a container that’s tailored to the user’s host environment - same user name and UID, shared HOME and XDG_RUNTIME_DIR, etc.; and is optimized for an interactive CLI experience that’s at par with the host.
Have a simple command that can be used as SHELL on the locked down Silverblue host to get an actual shell inside the RPM-based container.

To simplify creating this container, I’m planning to have a more generic fedora-toolbox image hosted on the Fedora registry that doesn’t have any of the user-specific bits, but takes care of adding all the necessary RPMs to bring the stock fedora image closer to the Silverblue host in terms of the CLI. I wonder if you’d have any comments on the recipe for this image.

Here’s the Dockerfile:

FROM docker://registry.fedoraproject.org/fedora:28

ENV NAME=fedora-toolbox VERSION=28 RELEASE=1
LABEL com.redhat.component="$NAME" \
      name="$FGC/$NAME" \
      version="$VERSION" \
      release="$RELEASE.$DISTTAG" \
      summary="Base image for creating Fedora toolbox containers"

RUN sed -i '/tsflags=nodocs/d' /etc/dnf/dnf.conf
RUN dnf -y upgrade
RUN dnf -y swap coreutils-single coreutils-full

COPY extra-packages /
RUN packages=; while read -r package; do packages="$packages $package"; done \
        <extra-packages; \
    dnf -y install $packages
RUN rm /extra-packages

Here’s the list of packages (ie. extra-packages) that get added to the stock fedora image:

bash-completion
bzip2
diffutils
findutils
git-core
hostname
iputils
jwhois
keyutils
less
lsof
man-db
man-pages
mlocate
mtr
openssh-clients
passwd
pigz
procps-ng
sudo
time
traceroute
tree
vte-profile
wget
which
words
xz
zip

Comments welcome.

ttomecek · 2018-08-28T07:06:19.225Z

What’s the size of the image?

Please drop release label and env var, we are in a process of moving away from those.

Also I’m not sure if images build in Fedora are squashed. If not, then this is pointless to do:

RUN rm /extra-packages

The file would still be present in the previous layer.

rishi · 2018-08-28T14:50:55.736Z

The size of the image is 541 MB.

rishi · 2018-08-28T15:12:25.730Z

Ok, I have removed the release label and the RELEASE environment variable locally.

I am happy to embed the list of package names in the Dockerfile itself, if that’s better. I used a separate text file because I thought it would be easier to tweak the list, but I am not very attached to it.

cverna · 2018-08-29T13:30:49.940Z

OSBS is squashing the images

ttomecek · 2018-09-04T14:33:13.291Z

LGTM, feel free to open a container review request.

rishi · 2018-09-14T11:07:21.006Z

Thanks. Review submitted:
https://bugzilla.redhat.com/show_bug.cgi?id=1628914

blaise · 2018-12-16T16:48:36.229Z

Thank you @rishi, I think this is great, please let me know if you need help.

blaise · 2018-12-17T01:18:52.323Z

@rishi , do you know if fedora-toolbox will work on Atomic host fc29?
Or is it Silverblue only?
I keep getting failed to create container errors on fc29
I have

runc version 1.0.0-rc5+dev
commit: ff195010cbfd3c62a98a3fd2f7a1e1594afdda1a
spec: 1.0.1-dev

refi64 · 2018-12-17T04:32:50.602Z

Not a fedora-toolbox dev, but what was the error message?

blaise · 2018-12-17T06:23:55.401Z

Hi @refi64,

$ fedora-toolbox -v create
error looking up container "fedora-toolbox-bpabon:29": no container with name or ID fedora-toolbox-bpabon:29 found: no such container
invalid host path, must be an absolute path ""
/usr/bin/fedora-toolbox: failed to create container fedora-toolbox-bpabon:29

So I look at my list of containers:

$ buildah containers
CONTAINER ID  BUILDER  IMAGE ID     IMAGE NAME                       CONTAINER NAME
16f58f8915fd     *     032b427fbbf7 registry.fedoraproject.org/f29/fedora-toolbox:latest fedora-toolbox-working-container

I can’t seem to create the toolbox container.

Oh!, I just read the Dockerfile at the beginng of the post!
I will try to buildah with this file and see what happens.

refi64 · 2018-12-17T19:23:29.819Z

What’s the output of bash -x $(which fedora-toolbox) create? This should show each command as its being run.
Does using --sudo work?

blaise · 2018-12-17T19:47:16.270Z

refi64:

bash -x $(which fedora-toolbox) create

Interesting… they both fail, but differently…

this is the output as a user:

[bpabon@Gigabyte-nuc toolbox]$ bash -x $(which fedora-toolbox) create
+ source /etc/os-release
++ NAME=Fedora
++ VERSION='29.20181113.0 (Atomic Host)'
++ ID=fedora
++ VERSION_ID=29
++ PLATFORM_ID=platform:f29
++ PRETTY_NAME='Fedora 29.20181113.0 (Atomic Host)'
++ ANSI_COLOR='0;34'
++ CPE_NAME=cpe:/o:fedoraproject:fedora:29
++ HOME_URL=https://fedoraproject.org/
++ DOCUMENTATION_URL=https://docs.fedoraproject.org/en-US/fedora/f29/system-administrators-guide/
++ SUPPORT_URL=https://fedoraproject.org/wiki/Communicating_and_getting_help
++ BUG_REPORT_URL=https://bugzilla.redhat.com/
++ REDHAT_BUGZILLA_PRODUCT=Fedora
++ REDHAT_BUGZILLA_PRODUCT_VERSION=29
++ REDHAT_SUPPORT_PRODUCT=Fedora
++ REDHAT_SUPPORT_PRODUCT_VERSION=29
++ PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
++ VARIANT='Atomic Host'
++ VARIANT_ID=atomic.host
++ OSTREE_VERSION=29.20181113.0
+ release=29
+ prefix_sudo=
+ registry=registry.fedoraproject.org
+ registry_candidate=candidate-registry.fedoraproject.org
+ toolbox_prompt='🔹[\u@\h \W]\$ '
+ exec
+ [[ create = -* ]]
+ fgc=f29
+ '[' '' = '' ']'
+ toolbox_container=fedora-toolbox-bpabon:29
+ base_toolbox_image=fedora-toolbox:29
+ toolbox_image=fedora-toolbox-bpabon:29
+ '[' create = '' ']'
+ op=create
+ shift
+ case $op in
+ [[ '' = -* ]]
+ exit_if_extra_operand
+ '[' '' '!=' '' ']'
+ create
+ dbus_system_bus_address=unix:path=/var/run/dbus/system_bus_socket
+ tmpfs_size=67108864
++ uuidgen --time
+ working_container_name=fedora-toolbox-working-container-b17ca1ce-0233-11e9-96c8-e0d55e1b4301
+ buildah inspect --type image fedora-toolbox-bpabon:29
+ podman inspect --type container fedora-toolbox-bpabon:29
++ awk '( $1 == "MemTotal:" ) { print $2 }' /proc/meminfo
+ total_ram=16289836
+ is_integer 16289836
+ '[' 16289836 '!=' '' ']'
+ '[' 16289836 -eq 16289836 ']'
+ return 0
+ tmpfs_size=8340396032
+ max_uid_count=65536
+ max_minus_uid=64536
+ uid_plus_one=1001
+ podman create --group-add wheel --hostname toolbox --interactive --name fedora-toolbox-bpabon:29 --network host --privileged --security-opt label=disable --tmpfs /dev/shm:size=8340396032 --tty --uidmap 1000:0:1 --uidmap 0:1:1000 --uidmap 1001:1001:64536 --volume /home/bpabon:/home/bpabon --volume /run/user/1000:/run/user/1000 --volume : --volume /dev/dri:/dev/dri fedora-toolbox-bpabon:29 /bin/sh
+ echo '/usr/bin/fedora-toolbox: failed to create container fedora-toolbox-bpabon:29'
/usr/bin/fedora-toolbox: failed to create container fedora-toolbox-bpabon:29
+ exit 1
+ exit

As `sudo`, it runs buildah for a few minutes, then fails:

[bpabon@Gigabyte-nuc toolbox]$ sudo bash -x $(which fedora-toolbox) create
[sudo] password for bpabon:
+ source /etc/os-release
++ NAME=Fedora
++ VERSION='29.20181113.0 (Atomic Host)'
++ ID=fedora
++ VERSION_ID=29
++ PLATFORM_ID=platform:f29
++ PRETTY_NAME='Fedora 29.20181113.0 (Atomic Host)'
++ ANSI_COLOR='0;34'
++ CPE_NAME=cpe:/o:fedoraproject:fedora:29
++ HOME_URL=https://fedoraproject.org/
++ DOCUMENTATION_URL=https://docs.fedoraproject.org/en-US/fedora/f29/system-administrators-guide/
++ SUPPORT_URL=https://fedoraproject.org/wiki/Communicating_and_getting_help
++ BUG_REPORT_URL=https://bugzilla.redhat.com/
++ REDHAT_BUGZILLA_PRODUCT=Fedora
++ REDHAT_BUGZILLA_PRODUCT_VERSION=29
++ REDHAT_SUPPORT_PRODUCT=Fedora
++ REDHAT_SUPPORT_PRODUCT_VERSION=29
++ PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
++ VARIANT='Atomic Host'
++ VARIANT_ID=atomic.host
++ OSTREE_VERSION=29.20181113.0
+ release=29
+ prefix_sudo=
+ registry=registry.fedoraproject.org
+ registry_candidate=candidate-registry.fedoraproject.org
+ toolbox_prompt='🔹[\u@\h \W]\$ '
+ exec
+ [[ create = -* ]]
+ fgc=f29
+ '[' '' = '' ']'
+ toolbox_container=fedora-toolbox-root:29
+ base_toolbox_image=fedora-toolbox:29
+ toolbox_image=fedora-toolbox-root:29
+ '[' create = '' ']'
+ op=create
+ shift
+ case $op in
+ [[ '' = -* ]]
+ exit_if_extra_operand
+ '[' '' '!=' '' ']'
+ create
+ dbus_system_bus_address=unix:path=/var/run/dbus/system_bus_socket
+ tmpfs_size=67108864
++ uuidgen --time
+ working_container_name=fedora-toolbox-working-container-cadd2e36-0233-11e9-a76b-e0d55e1b4301
+ buildah inspect --type image fedora-toolbox-root:29
+ buildah from --name fedora-toolbox-working-container-cadd2e36-0233-11e9-a76b-e0d55e1b4301 localhost/fedora-toolbox:29
+ buildah from --name fedora-toolbox-working-container-cadd2e36-0233-11e9-a76b-e0d55e1b4301 registry.fedoraproject.org/f29/fedora-toolbox:29
+ buildah run fedora-toolbox-working-container-cadd2e36-0233-11e9-a76b-e0d55e1b4301 -- useradd --no-create-home --shell /bin/bash --uid 0 --groups wheel root
+ buildah rmi fedora-toolbox-working-container-cadd2e36-0233-11e9-a76b-e0d55e1b4301
+ echo '/usr/bin/fedora-toolbox: failed to create user root with UID 0'
/usr/bin/fedora-toolbox: failed to create user root with UID 0
+ exit 1
+ exit

rishi · 2018-12-17T19:52:07.852Z

What version of podman and buildah have you got?

blaise · 2018-12-18T03:27:43.498Z

rishi:

What version of podman and buildah have you got?

podman version 0.10.1.3
buildah version 1.5 (image-spec 1.0.0, runtime-spec 1.0.0)
● ostree://fedora-atomic-29:89bfa708d349a5856cc5cd3be441c07e1f96d0be2aa97e2b676f6004e7f6abed
                   Version: 29.20181113.0 (2018-11-13T00:42:40Z)
                BaseCommit: 89bfa708d349a5856cc5cd3be441c07e1f96d0be2aa97e2b676f6004e7f6abed
              GPGSignature: Valid signature by 5A03B4DD8254ECA02FDA1637A20AA56B429476B4
           LayeredPackages: buildah cockpit dnf dnf-plugins-core fedora-packager fedora-toolbox git htop openvas-cli openvas-gsa
                            openvas-manager openvas-scanner vim virt-install

refi64 · 2018-12-18T04:16:22.501Z

I think I see the issue, which appears to be a fedora-toolbox bug when the image already exists. Try running:

sudo buildah rmi fedora-toolbox-bpabon:29

Then re-run bash -x $(which fedora-toolbox) create.

I’ve filed an issue for this.

jonathanduntalan · 2019-05-24T06:20:15.664Z

Hi, I’m having the same issue in my machine however I don’t have any buildah or podman images. I executed “toolbox -v create” in a freshly-installed Fedora 30 Silverblue PC. Any additional tips? Thanks. (Please refer to attached screenshot below. Another screenshot is provided in a different Reply post below)

Desktop_SilverBlueFC30_toolbox_Issue.png1920×1080 202 KB

jonathanduntalan · 2019-05-24T06:43:17.193Z

Here’s another screenshot (this time using a non-root user). There were no errors but toolbox creation was still unsuccessful.:

Desktop_SilverBlueFC30_toolbox_Issue2.png1920×1080 209 KB

jakfrost · 2019-05-24T11:36:54.287Z

Maybe try this…
sudo chown -R $USER ~/.local/share/containers/storage/overlay-containers
If you have already created the container but cannot enter it, that will help. If you are having difficulty creating the toolbox container you could also remove the local container storage with sudo rm -r ~/.local/share/containers. It seems to be a libpod issue.
For what it is worth mentioning, all containers on Silverblue are intended to run rootless, so sudo is never needed to create or enter them. Sudo can be used inside of the toolbox container though if necessary, like when installing things with dnf. Buildah is the container creation tool used in Silverblue and Podman is the container manager, plus skopeo for monitoring your running containers. All of this is intended to be used rootless in most use cases.