1998191 – Suggest a way forward if coreos/toolbox was used

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1998191 - Suggest a way forward if coreos/toolbox was used

Summary: Suggest a way forward if coreos/toolbox was used

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	toolbox
Sub Component:
Version:	8.5
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Debarshi Ray
QA Contact:	atomic-bugs@redhat.com
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2000914 2009626
TreeView+	depends on / blocked

Reported:	2021-08-26 14:45 UTC by Alex Jia
Modified:	2021-11-09 19:57 UTC (History)
CC List:	5 users (show)
Fixed In Version:	container-tools-rhel8-8050020210902170952.faa19cc5
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2000914 2009626 (view as bug list)
Environment:
Last Closed:	2021-11-09 17:40:16 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-95332	None	None	None	2021-08-26 14:47:56 UTC
Red Hat Knowledge Base (Solution)	6315471	None	None	None	2021-09-07 15:07:05 UTC
Red Hat Product Errata	RHSA-2021:4154	None	None	None	2021-11-09 17:40:54 UTC

Description Alex Jia 2021-08-26 14:45:47 UTC

Description of problem:
This issue is found by Debarshi, we never talked about backwards
compatibility with existing containers created by the older
implementation.

Version-Release number of selected component (if applicable):

[root@kvm-07-guest10 ~]# cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.5 Beta (Ootpa)

[root@kvm-07-guest10 ~]# rpm -q toolbox podman runc kernel
toolbox-0.0.99.3-0.1.module+el8.5.0+12381+e822eb26.x86_64
podman-3.3.1-1.module+el8.5.0+12381+e822eb26.x86_64
runc-1.0.2-1.module+el8.5.0+12381+e822eb26.x86_64
kernel-4.18.0-335.el8.x86_64

upgrading toolbox, podman, runc, ...

[root@kvm-07-guest10 ~]# rpm -q toolbox podman runc kernel
toolbox-0.0.99.3-0.3.module+el8.5.0+12372+12f82d56.x86_64
podman-4.0.0-0.1.module+el8.5.0+12372+12f82d56.x86_64
runc-1.0.1-5.module+el8.5.0+12234+e4609207.x86_64
kernel-4.18.0-335.el8.x86_64

How reproducible:
always

Steps to Reproduce:
1. creating support-tools container by an old toolbox version
2. upgrade toolbox to an new version
3. toolbox enter previous existing support-tools container
4. podman rm -f support-tools
5. toolbox create --image registry.redhat.io/rhel8/support-tools
6. toolbox enter

Actual results:

1. toolbox-0.0.99.3-0.1.module+el8.5.0+12381+e822eb26

[root@kvm-07-guest10 ~]# podman images
REPOSITORY                              TAG         IMAGE ID      CREATED      SIZE
registry.redhat.io/rhel8/support-tools  latest      6ad911cd1a8b  3 weeks ago  279 MB

[root@kvm-07-guest10 ~]# toolbox create --image registry.redhat.io/rhel8/support-tools
Created container: support-tools
Enter with: toolbox enter support-tools
[root@kvm-07-guest10 ~]# toolbox enter support-tools
⬢[root@toolbox ~]# ls /run/host
bin  boot  dev	etc  home  lib	lib64  media  mnt  opt	proc  root  run  sbin  srv  sys  tmp  usr  var

2. upgrading toolbox to 0.0.99.3-0.3.module+el8.5.0+12372+12f82d56

[root@kvm-07-guest10 ~]# toolbox create --image registry.redhat.io/rhel8/support-tools
Error: TOOLBOX_PATH not set

[root@kvm-07-guest10 ~]# rm -rf /run/.containerenv
[root@kvm-07-guest10 ~]# toolbox create --image registry.redhat.io/rhel8/support-tools
Error: container support-tools already exists
Enter with: toolbox enter support-tools
Run 'toolbox --help' for usage.

[root@kvm-07-guest10 ~]# toolbox enter support-tools
Error: container support-tools is too old and no longer supported 
Recreate it with Toolbox version 0.0.17 or newer.

[root@kvm-07-guest10 ~]# podman ps
CONTAINER ID  IMAGE                                          COMMAND        CREATED       STATUS            PORTS       NAMES
26b987c9d039  registry.redhat.io/rhel8/support-tools:latest  /usr/bin/bash  11 hours ago  Up 7 minutes ago              support-tools

[root@kvm-07-guest10 ~]# podman exec -i support-tools cat /etc/redhat-release 
Red Hat Enterprise Linux release 8.4 (Ootpa)

[root@kvm-07-guest10 ~]# toolbox create --image registry.access.redhat.com/ubi8 
Error: TOOLBOX_PATH not set

[root@kvm-07-guest10 ~]# podman rm -f support-tools
WARN[0000] lstat /sys/fs/cgroup/devices/machine.slice/libpod-26b987c9d039968bb4e3206ff572d08c5d4d886eee079922a419f5bfb398c827.scope: no such file or directory 
26b987c9d039968bb4e3206ff572d08c5d4d886eee079922a419f5bfb398c827

[root@kvm-07-guest10 ~]# toolbox create --image registry.redhat.io/rhel8/support-tools
Error: TOOLBOX_PATH not set

[root@kvm-07-guest10 ~]# ls /run/.containerenv  -lah
-rwxr-xr-x. 1 root root 0 Aug 26 09:40 /run/.containerenv
[root@kvm-07-guest10 ~]# rpm -qf /run/.containerenv
file /run/.containerenv is not owned by any package
[root@kvm-07-guest10 ~]# rm -rf /run/.containerenv
[root@kvm-07-guest10 ~]# toolbox create --image registry.redhat.io/rhel8/support-tools
Created container: support-tools
Enter with: toolbox enter support-tools
[root@kvm-07-guest10 ~]# toolbox enter support-tools
⬢[root@toolbox ~]# echo $HOST
/run/host

Expected results:
fix it.

Additional info:

Currently, on a freshly booted system, we will get:
    # toolbox enter toolbox-root
    Error: container toolbox-root is too old and no longer supported
    Recreate it with Toolbox version 0.0.17 or newer.

If the system isn't freshly booted, and the older implementation was
used, then we will get less elegant failure:
    # toolbox enter toolbox-root
    Error: TOOLBOX_PATH not set

Comment 1 Alex Jia 2021-08-26 14:55:50 UTC

(In reply to Alex Jia from comment #0)
> [root@kvm-07-guest10 ~]# podman rm -f support-tools
> WARN[0000] lstat
> /sys/fs/cgroup/devices/machine.slice/libpod-
> 26b987c9d039968bb4e3206ff572d08c5d4d886eee079922a419f5bfb398c827.scope: no
> such file or directory 
> 26b987c9d039968bb4e3206ff572d08c5d4d886eee079922a419f5bfb398c827
> 

BTW, is it a necessary WARN in here?

Comment 2 Tomas Popela 2021-08-27 10:14:46 UTC

I actually think that this was touched during one of the meetings that we had in past about the rebase with Derrick and Scott. My impression was that the backwards compatibility is not a problem if it's documented. On the other hand if it would be easy to somehow maintain the backwards compatibility, then it would be appreciated by our customers.

Comment 3 Derrick Ornelas 2021-09-01 12:57:18 UTC

The new toolbox will completely error out if old toolbox was ever run on the system.  

Reproducer:

1. Run old bash script toolbox once and exit:

# /tmp/rhcos-toolbox 
Spawning a container 'toolbox-root' with image 'registry.redhat.io/rhel8/support-tools'
Detected RUN label in the container image. Using that as the default...

[root@rhel84 /]# exit
exit


2.  Run new toolbox:

# rpm -q toolbox
toolbox-0.0.99.3-0.3.module+el8.5.0+12372+12f82d56.x86_64

# toolbox --version
toolbox version 0.0.99.2

# toolbox create
Error: TOOLBOX_PATH not set



The cause is that using old toolbox we mounted host /run to container /run (-v /run:/run), and the container creates a /run/.containerenv file that's supposed to only live in the container.  We basically leaked it out of the container.
Removing the file on the host fixes the problem:

# rm -f /run/.containerenv 

# toolbox create
Created container: support-tools-latest
Enter with: toolbox enter



We essentially break everyone that's used toolbox before. I feel like we should handle this in some way.  The backwards compatibility discussions we had previously were around the config options and UX/CLI changes.  Those are acceptable changes.

Comment 4 Debarshi Ray 2021-09-01 14:54:19 UTC

> We essentially break everyone that's used toolbox before.
> I feel like we should handle this in some way.  The backwards
> compatibility discussions we had previously were around
> the config options and UX/CLI changes.  Those are acceptable
> changes.

How do you want to handle it?

Is it enough if the following error message said something else:
  [root@kvm-07-guest10 ~]# toolbox enter support-tools
  Error: container support-tools is too old and no longer supported 
  Recreate it with Toolbox version 0.0.17 or newer.

The fact that a /run/.containerenv gets placed on the host is a bit thorny. We might be able to carefully side-step it, but it depends on what we exactly decide to do.

Comment 5 Derrick Ornelas 2021-09-01 17:08:18 UTC

I think the simplest solution might be: if env variables $TOOLBOX_PATH and $container are not set and file /run/.containerenv exists, then print an error indicating the user may need to manually remove /run/.containerenv from their system.  

This at least hints at how to resolve the issue.  We'll likely create a kbase solution customers can search for that will explain the issue in more detail.

Comment 6 Debarshi Ray 2021-09-01 18:36:35 UTC

> I think the simplest solution might be: if env variables
> $TOOLBOX_PATH and $container are not set and file
> /run/.containerenv exists, then print an error indicating
> the user may need to manually remove /run/.containerenv
> from their system.

Ok, this sounds doable.

Comment 11 Debarshi Ray 2021-09-02 12:41:07 UTC

I got a patch that does:
  [root@kvm-07-guest10 ~]# toolbox enter support-tools
  Error: /run/.containerenv found on what looks like the host
  If this is the host, then remove /run/.containerenv and try again.
  Otherwise, contact your system administrator or file a bug.

Does it look OK?

Comment 12 Derrick Ornelas 2021-09-02 12:46:23 UTC

Looks good to me, thanks!

Comment 14 Debarshi Ray 2021-09-02 18:16:58 UTC

Built toolbox-0.0.99.3-0.3.module+el8.5.0+12477+44413d02:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1717786

Comment 15 Alex Jia 2021-09-03 03:03:55 UTC

This bug has been verified on toolbox-0.0.99.3-0.3.module+el8.5.0+12477+44413d02.

[root@hpe-dl380pgen8-02-vm-8 ~]# rpm -q toolbox
toolbox-0.0.99.3-0.3.module+el8.5.0+12477+44413d02.x86_64

[root@hpe-dl380pgen8-02-vm-8 ~]# toolbox
Error: /run/.containerenv found on what looks like the host
If this is the host, then remove /run/.containerenv and try again.
Otherwise, contact your system administrator or file a bug.
[root@hpe-dl380pgen8-02-vm-8 ~]# rm -rf /run/.containerenv
[root@hpe-dl380pgen8-02-vm-8 ~]# toolbox
⬢[root@toolbox ~]# echo $HOST
/run/host
⬢[root@toolbox ~]# exit
logout
[root@hpe-dl380pgen8-02-vm-8 ~]# echo $?
0

Comment 18 Alex Jia 2021-09-04 09:08:55 UTC

Closing this bug as VERIFIED per Comment 15.

Comment 20 errata-xmlrpc 2021-11-09 17:40:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: container-tools:rhel8 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4154

Note You need to log in before you can comment on or make changes to this bug.