Give access to the CA certificates from the host

.github/workflows/ubuntu-tests.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright © 2023 – 2024 Red Hat, Inc.
+# Copyright © 2023 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -55,6 +55,9 @@ jobs:
             systemd \
             udisks2
 
+      - name: Ensure that 'p11-kit server' is absent
+        run: sudo rm /usr/libexec/p11-kit/p11-kit-server
+
       - name: Set up PATH for Go 1.21
         run: |
           echo "PATH=/usr/lib/go-1.21/bin:$PATH" >> "$GITHUB_ENV"
@@ -131,7 +134,7 @@ jobs:
         working-directory: containers/toolbox/src
 
       - name: Set up build directory
-        run: meson setup --fatal-meson-warnings builddir
+        run: meson setup builddir
         working-directory: containers/toolbox
 
       - name: Build

meson.build

@@ -23,6 +23,27 @@ bats = find_program('bats', required: false)
 codespell = find_program('codespell', required: false)
 htpasswd = find_program('htpasswd', required: false)
 openssl = find_program('openssl', required: false)
+
+p11kit_server_works = false
+p11kit = find_program('p11-kit', required: false)
+if p11kit.found()
+  res = run_command(p11kit, 'server', check: false)
+  if res.returncode() == 0
+    error('Command \'p11-kit server\' was supposed to fail')
+  endif
+
+  res_stdout = res.stdout()
+  if res_stdout.contains('--name') and res_stdout.contains('--provider')
+    p11kit_server_works = true
+  else
+    warning('Command \'p11-kit server\' doesn\'t work')
+  endif
+endif
+
+if not p11kit_server_works
+  warning('Containers won\'t have access to the CA certificates from the host')
+endif
+
 podman = find_program('podman', required: false)
 shellcheck = find_program('shellcheck', required: false)
 skopeo = find_program('skopeo', required: false)

playbooks/dependencies-centos-9-stream.yaml

@@ -38,6 +38,13 @@
       - codespell
       - fish
 
+- name: Ensure that 'p11-kit server' is absent
+  become: yes
+  package:
+    name:
+      - p11-kit-server
+    state: absent
+
 - name: Download Go modules
   command: go mod download -x
   environment:

playbooks/dependencies-fedora-restricted.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright © 2023 – 2024 Red Hat, Inc.
+# Copyright © 2023 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -47,6 +47,15 @@
     update_cache: "{{ true if zuul.attempts > 1 else false }}"
     use: "{{ 'dnf' if zuul.attempts > 1 else 'auto' }}"
 
+- name: Ensure that 'p11-kit server' is absent
+  become: yes
+  package:
+    name:
+      - p11-kit-server
+    state: absent
+    update_cache: "{{ true if zuul.attempts > 1 else false }}"
+    use: "{{ 'dnf' if zuul.attempts > 1 else 'auto' }}"
+
 - name: Ensure that podman(1) is absent
   become: yes
   package:

playbooks/dependencies-fedora.yaml

@@ -1,5 +1,5 @@
 #
-# Copyright © 2022 – 2024 Red Hat, Inc.
+# Copyright © 2022 – 2025 Red Hat, Inc.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -39,6 +39,15 @@
       - udisks2
     use: "{{ 'dnf' if zuul.attempts > 1 else 'auto' }}"
 
+- name: Ensure that 'p11-kit server' is absent
+  become: yes
+  package:
+    name:
+      - p11-kit-server
+    state: absent
+    update_cache: "{{ true if zuul.attempts > 1 else false }}"
+    use: "{{ 'dnf' if zuul.attempts > 1 else 'auto' }}"
+
 - name: Download Go modules
   command: go mod download -x
   environment:

playbooks/setup-env-migration-path-for-coreos-toolbox.yaml

@@ -20,6 +20,6 @@
     - include_tasks: dependencies-centos-9-stream.yaml
 
     - name: Set up build directory
-      command: meson -Dmigration_path_for_coreos_toolbox=true --fatal-meson-warnings builddir
+      command: meson -Dmigration_path_for_coreos_toolbox=true builddir
       args:
         chdir: '{{ zuul.project.src_dir }}'

playbooks/setup-env-restricted.yaml

@@ -20,6 +20,6 @@
     - include_tasks: dependencies-fedora-restricted.yaml
 
     - name: Set up build directory
-      command: meson setup --fatal-meson-warnings builddir
+      command: meson setup builddir
       args:
         chdir: '{{ zuul.project.src_dir }}'

playbooks/setup-env.yaml

@@ -20,6 +20,6 @@
     - include_tasks: dependencies-fedora.yaml
 
     - name: Set up build directory
-      command: meson setup --fatal-meson-warnings builddir
+      command: meson setup builddir
       args:
         chdir: '{{ zuul.project.src_dir }}'

src/cmd/initContainer.go

@@ -301,6 +301,10 @@ func initContainer(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
+	if err := configurePKCS11(targetUser); err != nil {
+		return err
+	}
+
 	if err := configureRPM(); err != nil {
 		return err
 	}
@@ -569,6 +573,57 @@ func configureKerberos() error {
 	return nil
 }
 
+func configurePKCS11(targetUser *user.User) error {
+	const logPrefix = "Configuring PKCS #11 to read from the host"
+	logrus.Debugf("%s", logPrefix)
+
+	if path := "/etc/pkcs11/modules"; !utils.PathExists(path) {
+		logrus.Debugf("%s: directory %s not found", logPrefix, path)
+		logrus.Debugf("%s: skipping", logPrefix)
+		return nil
+	}
+
+	if ok, err := utils.IsP11KitClientPresent(); err != nil {
+		logrus.Debugf("%s: %s", logPrefix, err)
+
+		if !ok {
+			logrus.Debugf("%s: p11-kit-client.so not found", logPrefix)
+			logrus.Debugf("%s: skipping", logPrefix)
+			return nil
+		}
+	} else {
+		if !ok {
+			logrus.Debugf("%s: p11-kit-client.so not found", logPrefix)
+			logrus.Debugf("%s: skipping", logPrefix)
+			return nil
+		}
+	}
+
+	if path, err := utils.GetP11KitServerSocket(targetUser); err != nil {
+		return err
+	} else if !utils.PathExists(path) {
+		logrus.Debugf("%s: socket %s not found", logPrefix, path)
+		logrus.Debugf("%s: skipping", logPrefix)
+		return nil
+	}
+
+	var builder strings.Builder
+	builder.WriteString("# Written by Toolbx\n")
+	builder.WriteString("# https://containertoolbx.org/\n")
+	builder.WriteString("\n")
+	builder.WriteString("module: p11-kit-client.so\n")
+
+	pkcs11ConfigString := builder.String()
+	pkcs11ConfigBytes := []byte(pkcs11ConfigString)
+	if err := renameio.WriteFile("/etc/pkcs11/modules/p11-kit-trust.module",
+		pkcs11ConfigBytes,
+		0644); err != nil {
+		return fmt.Errorf("failed to configure PKCS #11 to read from the host: %w", err)
+	}
+
+	return nil
+}
+
 func configureRPM() error {
 	if !utils.PathExists("/usr/lib/rpm/macros.d") {
 		return nil

src/cmd/root.go

@@ -263,21 +263,28 @@ func migrate(cmd *cobra.Command, args []string) error {
 
 	migrateLock := toolboxRuntimeDirectory + "/migrate.lock"
 
-	migrateLockFile, err := os.Create(migrateLock)
+	migrateLockFile, err := utils.Flock(migrateLock, syscall.LOCK_EX)
 	if err != nil {
-		logrus.Debugf("Migrating to newer Podman: failed to create migration lock file %s: %s", migrateLock, err)
-		return errors.New("failed to create migration lock file")
+		logrus.Debugf("Migrating to newer Podman: %s", err)
+
+		var errFlock *utils.FlockError
+
+		if errors.As(err, &errFlock) {
+			if errors.Is(err, utils.ErrFlockAcquire) {
+				err = utils.ErrFlockAcquire
+			} else if errors.Is(err, utils.ErrFlockCreate) {
+				err = utils.ErrFlockCreate
+			} else {
+				panicMsg := fmt.Sprintf("unexpected %T: %s", err, err)
+				panic(panicMsg)
+			}
+		}
+
+		return err
 	}
 
 	defer migrateLockFile.Close()
 
-	migrateLockFD := migrateLockFile.Fd()
-	migrateLockFDInt := int(migrateLockFD)
-	if err := syscall.Flock(migrateLockFDInt, syscall.LOCK_EX); err != nil {
-		logrus.Debugf("Migrating to newer Podman: failed to acquire migration lock on %s: %s", migrateLock, err)
-		return errors.New("failed to acquire migration lock")
-	}
-
 	stampBytes, err := ioutil.ReadFile(stampPath)
 	if err != nil {
 		if !errors.Is(err, os.ErrNotExist) {

src/cmd/run.go

@@ -27,6 +27,7 @@ import (
 	"path/filepath"
 	"strconv"
 	"strings"
+	"syscall"
 	"time"
 
 	"github.com/containers/toolbox/pkg/nvidia"
@@ -283,6 +284,11 @@ func runCommand(container string,
 		cdiEnviron = append(cdiEnviron, cdiSpecForNvidia.ContainerEdits.Env...)
 	}
 
+	p11KitServerEnviron, err := startP11KitServer()
+	if err != nil {
+		return err
+	}
+
 	startContainerTimestamp := time.Unix(-1, 0)
 
 	if entryPointPID <= 0 {
@@ -335,10 +341,11 @@ func runCommand(container string,
 
 	logrus.Debugf("Container %s is initialized", container)
 
+	environ := append(cdiEnviron, p11KitServerEnviron...)
 	if err := runCommandWithFallbacks(container,
 		preserveFDs,
 		command,
-		cdiEnviron,
+		environ,
 		emitEscapeSequence,
 		fallbackToBash); err != nil {
 		return err
@@ -1033,6 +1040,68 @@ func startContainer(container string) error {
 	return nil
 }
 
+func startP11KitServer() ([]string, error) {
+	serverSocket, err := utils.GetP11KitServerSocket(currentUser)
+	if err != nil {
+		return nil, err
+	}
+
+	const logPrefix = "Starting 'p11-kit server'"
+	logrus.Debugf("%s with socket %s", logPrefix, serverSocket)
+
+	serverSocketLock, err := utils.GetP11KitServerSocketLock(currentUser)
+	if err != nil {
+		return nil, err
+	}
+
+	serverSocketLockFile, err := utils.Flock(serverSocketLock, syscall.LOCK_EX)
+	if err != nil {
+		logrus.Debugf("%s: %s", logPrefix, err)
+
+		var errFlock *utils.FlockError
+
+		if errors.As(err, &errFlock) {
+			if errors.Is(err, utils.ErrFlockAcquire) {
+				err = utils.ErrFlockAcquire
+			} else if errors.Is(err, utils.ErrFlockCreate) {
+				err = utils.ErrFlockCreate
+			} else {
+				panicMsg := fmt.Sprintf("unexpected %T: %s", err, err)
+				panic(panicMsg)
+			}
+		}
+
+		return nil, err
+	}
+
+	defer serverSocketLockFile.Close()
+
+	serverSocketAddress := fmt.Sprintf("P11_KIT_SERVER_ADDRESS=unix:path=%s", serverSocket)
+	serverEnviron := []string{
+		serverSocketAddress,
+	}
+
+	if utils.PathExists(serverSocket) {
+		logrus.Debugf("%s: socket %s already exists", logPrefix, serverSocket)
+		logrus.Debugf("%s: skipping", logPrefix)
+		return serverEnviron, nil
+	}
+
+	serverArgs := []string{
+		"server",
+		"--name", serverSocket,
+		"--provider", "p11-kit-trust.so",
+		"pkcs11:model=p11-kit-trust?write-protected=yes",
+	}
+
+	if err := shell.Run("p11-kit", nil, nil, nil, serverArgs...); err != nil {
+		logrus.Debugf("%s failed: %s", logPrefix, err)
+		return nil, nil
+	}
+
+	return serverEnviron, nil
+}
+
 func (err *entryPointError) Error() string {
 	return err.msg
 }

src/pkg/utils/arch.go

@@ -25,6 +25,11 @@ func getFullyQualifiedImageArch(image, release string) string {
 	return imageFull
 }
 
+func getP11KitClientPathsArch() []string {
+	paths := []string{"/usr/lib/pkcs11/p11-kit-client.so"}
+	return paths
+}
+
 func parseReleaseArch(release string) (string, error) {
 	if release != "latest" && release != "rolling" && release != "" {
 		return "", &ParseReleaseError{"The release must be 'latest'."}