Consider adding apk based Image like Wolfi or Alpine · Issue #1474 ...
Both seem to be common choices for containers and currently there is no official image, that uses apk as package manager. Of course this can be done using distrobox, but having a more officially su...
good news, upstream toolbx-images is willing to accept wolfi, IMO we should "move" our wolfi-base there and maintain it there. As luck would have it, timothee maintains the images repo, and I've maintained alpine's images there already
cc @EyeCantCU @89luca89
https://github.com/toolbx-images/images
repo
and here's my alpine section
https://github.com/toolbx-images/images/tree/main/alpine/edge
https://github.com/toolbx-images/images/blob/main/.github/workflows/alpine.yaml
and here's the workflow. It'd be a quick copy and rename job, I'll try to work on it tonight unless someone else gets to it first
Our wolfi toolbox will now launch in toolbox, but there are two bugs.
1. User is not added to sudoers file.
2. Wolfi doesn't seem to have the xterm terminfo
Happy to help out with this though availability today will be scarce. Got a nightmare of images thrown my way
NeuVector has been... an experience lol
1. Unsure how toolbox sets sudoers compared to distrobox.
2. The ncurses package simply doesn't have the terminfo. Distrobox mounts in host term info under /usr/local
My demo to y'all is on Monday, and even if it's just "we intend to do this" it'll be enough
just knowing that upstream would be receptive to wolfi at all is amazing. We build this, the sysext and a WSL image, and we'll have the Wolfi Subsystem for Linux.
I saw! Can't wait. Definitely awesome that they're receptive. Let's definitely get all this built out. Lol, it'd be funny to call the repo for Wolfi SL WSL...
I am literally going to call it that
WSL is the best undistro for WSL
1- no problem, now Wolfi has "real" sudo and works well with dbox (and I assume toolbx)
2- this can be a non-issue with dbox but it's an issue with toolbx
btw I'm already using a wolfi container for some time now:
there are some missing packages (mainly utilities like cpupower) and I'd like to NOT use go install
(but these are plans for the future 😉 )
Yepp real sudo is there. It looks like toolbox uncomments the group wheel/sudo and doesn't do that for wolfi
do we think it's good enough as is to PR? I was thinking of getting it in there and then do some subsequent PRs, I found stuff that can be sliced out of ours to submit. We add things for like instant launch in distrobox that probably not go in this base image?
yea toolbx acts on /etc/sudoers.conf while dbox does an augmenting conf in /etc/sudoers.conf.d
btw it takes me about 5 minutes every 6 months to maintain the alpine images, and that's only because they release versions, with wolfi it'd be really low maintenance, I can commit to that part
instant launch is supported for sure, if we add the missing packages 👍
toolbox instant launches right?
Yepp. Our wolfi-toolbox is instant launch
toolbox always instant launches, because it already assumes everything is there, and if it doesn't it's a you-problem
hah yeah
Just missing the 2 items I specified for it to work ootb without warnings
For distrobox, our image is instant launch
@j0rge I'm going to PR the wolfi images no problem 🙂
❤️ get that win!
there is only one thing i'd like to highlight
There is no escape, all will follow The Final Shape, even if you use toolbx.
all the -toolbx images do this:
RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/toolbox
this invalidates the fact that distrobox does NOT enable passwordless sudo on rootful containers, for security reasons
Interesting, that explains how sudo was being set up.
simple fix is to use /etc/sudoers.d/sudoers which is the file dbox uses, and that is deleted if the user is rootful
Yeah. Does toolbox even support rootful?
I remember it didn't a while ago and was a distrobox feature point
I think yes, but that is not a security concern with podman
podman is not a daemonful service, with the dedicated group to do rootful things
docker is
so for example, if a user is in the docker group and not in wheel
it could work around this by creating a rootful container, and doing sudo in it
instead dbox will respect wheel/sudo of the host system, and will not enable passwordless sudo for rootful containers
man dude, a zstd:chunked wolfi ... smaller out of the box to begin with. bai2u multi gig ubuntu containers lol.
localhost/wolfi-toolbox latest de8a8aae537b 3 minutes ago 240 MB
registry.opensuse.org/opensuse/distrobox latest 049119b2494e 5 days ago 1.56 GB
not bad
man dude we should push a zstd tag too, even if it's just for testing.
latest and latest-zstd or something
then we'd be able to science the bandwidth savings as they optimize it upstream, which they are working on actively
altho, it is missing a single package: pinentry
that would allow not only instant-entry, but also offline entry
right now it will do an apk-search for it, even if it fails and skips it
antheas found a bunch of issues and reported them and they're already fixing them, this could be awesome.
can you send me some info about? so I can check
it's a quick add. New arg to buildah: https://github.com/ublue-os/toolboxes/pull/101/files
we reverted it because downstream builders are still ubuntu-22.04, they need to be 24.04 (which is in beta for runners). So we're keeping that unchanged. However if we have one workflow push normally and then another workflow.yml push to a new tag then we can serve both.
And then we'll just ask timothee, hey do you mind if we add this latest-zstd tag to these so that we can help test zstd:chunked. I'm reasonably certain he'd be up for that considering he's also working on it and it'd be nice to get more containers out there for us to bang on.
I can volunteer for posting in a PR or issue about that when we get there, heh.
yea I'm opening the PR and tag you
so we can discuss there
but that should be after initial stuff, no need to do that up front.
feat: add wolfi-toolbox images by 89luca89 · Pull Request #127 · to...
Add wolfi based toolbox images
This one also allows instant-enter on distrobox (has some extra packages)
Tagging @castrojo for additional discussion/requests
being rolling, it should be quite easy to maintain
IKR.
Ha, that was fast!
yea it was basically ready as I was already using it 😂
oh I appear to be in the maintainer group for this repo lol.
I had forgotten
Merged
OHHH YEAH!
looks like the push creds are wrong for quay.io
is it on my PR or on them?
it's on them
everything builds, it's the push to quay.io that needs creds
ah got it
didn't follow the CI
Awesome work throwing this together Luca!