toolbox: Force systemd-nspawn to use unified hierarchy

Because the toolbox image doesn't have systemd installed, systemd-nspawn
assumes it must run in legacy cgroup v1 mode instead of in cgroup v2
mode. This results in both cgroup v1 and v2 being used on an instance,
regardless of the systemd.unified_cgroup_hierarchy setting. This default
behavior was fixed in
https://github.com/systemd/systemd/commit/d89ee0fcf983ae765aab9629349225ca036482f1,
but applying that systemd patch could technically break users.

As a mitigation for existing COS milestones, we can set
SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=yes for the systemd-nspawn call to
force toolbox to spawn with the unified v2 hierarchy, if possible. We
can defer applying the systemd patch to COS 125 and above.

BUG=b/406594194,b/407615979
TEST=presubmit, run modified toolbox script and ensure that it does not
result in hybrid cgroups, run modified toolbox on an instance using
hybrid cgroups and ensure that it doesn't error
RELEASE_NOTE=Modified toolbox to use unified cgroup hierarchy mode instead of hybrid mode when possible.

cos-patch: bug
Change-Id: Ic4834396055cbea6fcfb8d464c089db4adc4d243
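The TEST line above asks that the modified toolbox "does not result in hybrid cgroups". The following is an added example (not code from the toolbox project or from this change) of how to check that from a mount table: it classifies the layout as unified, hybrid, legacy or none from lines in the format of /proc/self/mounts, runs that check on the current mount namespace, and offers a helper that spawns an unpacked toolbox rootfs with SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=yes, as the mitigation does, and reports what the container sees. The function names, the sample mount tables (constructed, not captured from a real host) and the rootfs path argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the toolbox project's own code.
#
# Classify the cgroup layout shown by a mount table in /proc/self/mounts
# format (fields: src target fstype opts dump pass). Prints one of:
#   unified  only cgroup2 is mounted
#   hybrid   cgroup2 is mounted alongside cgroup v1 controller mounts
#   legacy   only cgroup v1 controller mounts
#   none     no cgroup filesystem at all
cgroup_mode_from_mounts() {
    v1=0
    v2=0
    while read -r _src _target fstype _rest; do
        case "$fstype" in
            cgroup)  v1=$((v1 + 1)) ;;
            cgroup2) v2=$((v2 + 1)) ;;
        esac
    done <<EOF
$1
EOF
    if [ "$v1" -gt 0 ] && [ "$v2" -gt 0 ]; then
        echo hybrid
    elif [ "$v2" -gt 0 ]; then
        echo unified
    elif [ "$v1" -gt 0 ]; then
        echo legacy
    else
        echo none
    fi
}

# Constructed sample mount tables (assumed shapes, not captured from a host).
HYBRID_MOUNTS='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0'
UNIFIED_MOUNTS='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate 0 0'
LEGACY_MOUNTS='tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0'

# Layout visible in the current mount namespace (run on the host, or inside
# a toolbox shell). Falls back to "none" where /proc is not available.
cgroup_mode_live() {
    if [ -r /proc/self/mounts ]; then
        cgroup_mode_from_mounts "$(cat /proc/self/mounts)"
    else
        echo none
    fi
}

# Spawn an already unpacked rootfs the way the patched toolbox script does,
# with SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=yes, and report the layout the
# container sees. $1 is the rootfs directory (assumed; toolbox keeps its
# containers under /var/lib/toolbox/<name>). Needs root and systemd-nspawn,
# so it is not called automatically here.
check_container_cgroups() {
    cgroup_mode_from_mounts "$(SYSTEMD_NSPAWN_UNIFIED_HIERARCHY=yes \
        systemd-nspawn --quiet --directory="$1" -- cat /proc/self/mounts)"
}

echo "cgroup layout in the current mount namespace: $(cgroup_mode_live)"
```

As root on a cgroup v2 instance, `check_container_cgroups /var/lib/toolbox/core-fedora-latest` is the check behind the TEST line: with the mitigation in place the container should report unified, and hybrid is the outcome the change is meant to eliminate.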
1 file changed
tree: 9c6f9a48350714607e3eda8435a1af5c4a43c184
README.md

toolbox - bring your tools with you

toolbox is a small script that launches a container to let you bring in your favorite debugging or admin tools.

Usage

$ /usr/bin/toolbox
Spawning container core-fedora-latest on /var/lib/toolbox/core-fedora-latest.
Press ^] three times within 1s to kill container.
-bash-4.3# yum install tcpdump
...
-bash-4.3# tcpdump -i ens3
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens3, link-type EN10MB (Ethernet), capture size 65535 bytes

Advanced Usage

Use a custom image

toolbox uses a Fedora-based userspace environment by default, but this can be changed to any Docker image that contains a shell. Simply override the environment variables in $HOME/.toolboxrc; note that the toolbox script sources this file as shell code, so it should be writable only by the user who owns it:

core@core-01 ~ $ cat ~/.toolboxrc
TOOLBOX_DOCKER_IMAGE=ubuntu-debootstrap
TOOLBOX_DOCKER_TAG=14.04
core@core-01 ~ $ toolbox
Spawning container core-ubuntu-debootstrap-14.04 on /var/lib/toolbox/core-ubuntu-debootstrap-14.04.
Press ^] three times within 1s to kill container.
root@core-01:~# apt-get update && apt-get install tcpdump

Automatically enter toolbox on login

Set the login shell in /etc/passwd for one of the users to /usr/bin/toolbox:

useradd bob -m -p '*' -s /usr/bin/toolbox -U -G sudo,docker

Now when SSHing into the system as that user, toolbox will automatically be started. Note that the container runs as root with the host's root filesystem bind-mounted at /media/root (the docker.service edit below goes through that path), so giving a user toolbox as a login shell gives that user root on the host; the sudo and docker groups in the useradd line above already imply that.

$ ssh bob@hostname.example.com
CoreOS alpha (633.1.0)
...
Spawning container core-fedora-latest on /var/lib/toolbox/core-fedora-latest.
-bash-4.3# yum install emacs
-bash-4.3# emacs /media/root/etc/systemd/system/docker.service

Bugs

Please use the CoreOS issue tracker to report all bugs, issues, and feature requests.