ybox 0.9.10__py3-none-any.whl → 0.9.11__py3-none-any.whl

ybox/__init__.py

@@ -1,2 +1,2 @@
 """`ybox` is a tool to easily manage linux distributions in containers"""
-__version__ = "0.9.10"
+__version__ = "0.9.11"

ybox/conf/profiles/apps.ini

@@ -1,6 +1,7 @@
 [base]
 name = Profile for CLI and GUI apps
 includes = basic.ini
+ssh_agent = on
 
 [security]
 # SYS_PTRACE may be required by mesa which is invoked indirectly by both firefox and chromium.
@@ -9,6 +10,9 @@ includes = basic.ini
 caps_add = SYS_PTRACE
 
 [mounts]
+# export the host's ssh keys for use by ssh-agent in the container as required ("ro" mode
+#   implies that known_hosts and other files within ~/.ssh cannot be changed)
+ssh = $HOME/.ssh:$TARGET_HOME/.ssh:ro
 music = $HOME/Music:$TARGET_HOME/Music:ro
 pictures = $HOME/Pictures:$TARGET_HOME/Pictures:ro
 videos = $HOME/Videos:$TARGET_HOME/Videos:ro
@@ -19,8 +23,9 @@ videos = $HOME/Videos:$TARGET_HOME/Videos:ro
 
 [app_flags]
 # These flags will be added to Exec line of google-chrome.desktop when it is copied to host.
-# /dev/shm usage is disabled for chrome because that requires ipc=host or mounting host
-# /dev/shm in read-write mode which can be insecure.
-google-chrome = !p --disable-dev-shm-usage !a
-google-chrome-beta = !p --disable-dev-shm-usage !a
-google-chrome-unstable = !p --disable-dev-shm-usage !a
+
+# the --disable-dev-shm-usage flag in chrome/chromium based browsers disables use of /dev/shm
+# which can reduce memory footprint at the cost of performance and increased disk activity
+#google-chrome = !p --disable-dev-shm-usage !a
+#google-chrome-beta = !p --disable-dev-shm-usage !a
+#google-chrome-unstable = !p --disable-dev-shm-usage !a

ybox/conf/profiles/basic.ini

@@ -20,8 +20,8 @@
 #   - YBOX_SYS_CONF_DIR: path to system configuration directory where configuration directory
 #                        shipped with ybox is installed (or the string form of
 #                          the directory if it is not on filesystem like an egg or similar)
-#   - TARGET_HOME: set to the home directory of the container user as it exists on the host
-#                  (i.e. the expanded value of the "home" key in the [base] section)
+#   - TARGET_HOME: set to the home directory of the container user in the container
+#                  (which is same as the host user's $HOME for podman and /root for docker)
 # Additionally a special notation can be used for current date+time with this notation:
 #   ${NOW:<fmt>}. The <fmt> uses the format supported by python strftime
 # (https://docs.python.org/3/library/datetime.html#datetime.datetime.strftime)
@@ -67,7 +67,7 @@ includes =
 # to freely create as many containers as desired to achieve best isolation without worrying
 # about dramatic increase in disk and/or memory usage.
 shared_root = $HOME/.local/share/ybox/SHARED_ROOTS/$YBOX_DISTRIBUTION_NAME
-# Bind mount the container $HOME to this local path (aka $TARGET_HOME). This makes it
+# Bind mount the container $HOME to this local path. This makes it
 # easier for backup software and otherwise to read useful container data.
 # If not provided then you should explicitly mount required directories in the [mounts]
 # section otherwise home will remain completely ephemeral which is not recommended.
@@ -100,6 +100,16 @@ pulseaudio = on
 dbus = on
 # If enabled then the system dbus from the host is available to the container.
 dbus_sys = off
+# If enabled then the socket for SSH agent, if present, is made available to the container.
+# The $SSH_AUTH_SOCK environment variables must be set in the host environment for this to work.
+# You can also mount $HOME/.ssh with appropriate flags ("ro" if possible) in the [mounts]
+# section to enable the container use the host's ssh keys.
+ssh_agent = off
+# If enabled then the socket for GPG agent, if present, is made available to the container.
+# The $GPG_AGENT_INFO environment variable must be set in the host environment for this to work.
+# You can also mount $HOME/.gnupg with appropriate flags ("ro" if possible) in the [mounts]
+# section to enable the container use the host's gpg keys.
+gpg_agent = off
 # If enabled then Direct Rendering Infrastructure for accelerated graphics is available to
 # the container.
 dri = on
@@ -123,8 +133,8 @@ nvidia = off
 #
 # This will take precedence if both "nvidia" and "nvidia_ctk" are enabled.
 nvidia_ctk = off
-# default podman/docker shm-size is 64m which can be insufficient for many apps
-shm_size = 1g
+# default podman/docker shm-size is only 64m which can be insufficient for many apps
+shm_size = 2g
 # Limit the maximum number of processes in the container (to avoid stuff like fork bombs).
 pids_limit = 2048
 # Logging driver to use. Default for podman/docker is to use journald in modern Linux
@@ -137,6 +147,9 @@ log_driver = json-file
 # Example for docker that does not support `path`
 log_opts = max-size=10m,max-file=3
 
+# Comma separated list of additional devices that should be made available to the container using
+# the --device option to podman/docker run. Example: devices = /dev/video0,/dev/ttyUSB0
+devices =
 
 # The security-opt and other security options passed to podman/docker.
 # You should restrict these as required.
@@ -227,9 +240,10 @@ documents = $HOME/Documents:$TARGET_HOME/Documents:ro
 # in the [base] section.
 #
 # Note: The LHS should typically have a path having $HOME while RHS will be relative to the
-#       target's home inside the container. Do not use $TARGET_HOME on RHS (or LHS for that matter)
-#       which is the target's home as on the host and not the one inside the container.
+#       target's home inside the container. Do not use $TARGET_HOME on RHS since path the assumed
+#       to be a relative one and $TARGET_HOME already inserted as required.
 [configs]
+env_conf = $HOME/.config/environment.d -> .config/environment.d
 bashrc = $HOME/.bashrc -> .bashrc
 starship = $HOME/.config/starship.toml -> .config/starship.toml
 # replicate fish configuration directory with copy of fish_variables but symlinks for the rest
@@ -303,14 +317,12 @@ XMODIFIERS
 [app_flags]
 # These flags/arguments will be added to Exec line of chromium.desktop when it is copied to
 # host as well as in the wrapper chromium executable created on the host.
-# You can use "!p" here for the first argument in the 'Exec='/'TryExec=' line in the desktop
+# You can use "!p" here for the first argument in the 'Exec=' line in the desktop
 # file and '!a' for rest of the arguments. When linking to an executable program, '!p' will
 # refer to the full path of the executable while '!a' will be replaced by "$@" in the shell
 # script. Use '!!p' for a literal '!p' and '!!a' for a literal '!a'.
 
-# /dev/shm usage is disabled for chromium because that requires ipc=host or mounting host
-# /dev/shm in read-write mode which is quite insecure.
-chromium = !p --disable-dev-shm-usage --enable-chrome-browser-cloud-management !a
+chromium = !p --enable-chrome-browser-cloud-management !a
 
 
 # Startup programs you want to run when starting the container. These are run using

ybox/conf/profiles/dev.ini

@@ -1,6 +1,7 @@
 [base]
 name = Profile for creating development environment
 includes = basic.ini
+ssh_agent = on
 
 [security]
 # SYS_PTRACE is required by mesa and without this, the following warning can be seen:
@@ -8,6 +9,9 @@ includes = basic.ini
 caps_add = SYS_PTRACE
 
 [mounts]
+# export the host's ssh keys for use by ssh-agent in the container as required ("ro" mode
+#   implies that known_hosts and other files within ~/.ssh cannot be changed)
+ssh = $HOME/.ssh:$TARGET_HOME/.ssh:ro
 # add your projects and other directories having source code
 #projects = $HOME/projects:$TARGET_HOME/projects
 #pyenv = $HOME/.pyenv:$TARGET_HOME/.pyenv:ro

ybox/conf/resources/entrypoint-cp.sh

@@ -28,5 +28,5 @@ echo_color "$fg_purple" "Copying data from container to shared root mounted on '
 IFS="," read -ra shared_dirs_arr <<< "$shared_dirs"
 for dir in "${shared_dirs_arr[@]}"; do
   echo_color "$fg_orange" "Copying $dir to $shared_bind$dir"
-  cp -a "$dir" "$shared_bind$dir"
+  cp -an "$dir" "$shared_bind$dir"
 done

ybox/conf/resources/entrypoint-root.sh

@@ -10,9 +10,9 @@ source "$SCRIPT_DIR/entrypoint-common.sh"
 
 export HOME=/root
 echo_color "$fg_cyan" "Copying prime-run, run-in-dir and run-user-bash-cmd" >> $status_file
-cp -a "$SCRIPT_DIR/prime-run" /usr/local/bin/prime-run
-cp -a "$SCRIPT_DIR/run-in-dir" /usr/local/bin/run-in-dir
-cp -a "$SCRIPT_DIR/run-user-bash-cmd" /usr/local/bin/run-user-bash-cmd
+cp -af "$SCRIPT_DIR/prime-run" /usr/local/bin/prime-run
+cp -af "$SCRIPT_DIR/run-in-dir" /usr/local/bin/run-in-dir
+cp -af "$SCRIPT_DIR/run-user-bash-cmd" /usr/local/bin/run-user-bash-cmd
 chmod 0755 /usr/local/bin/prime-run /usr/local/bin/run-in-dir /usr/local/bin/run-user-bash-cmd
 
 # invoke the NVIDIA setup script if present

ybox/conf/resources/entrypoint.sh

@@ -57,19 +57,12 @@ function replicate_config_files() {
       home_file="$HOME/${BASH_REMATCH[2]}"
       dest_file="$config_dir/${BASH_REMATCH[2]}"
       # only replace the file if it is already a link (assuming the link target may
-      #   have changed in the config_list file), or a directory containing links
+      #   have changed in the config_list file), or a directory containing only links
       if [ -e "$dest_file" ]; then
         if [ -L "$home_file" ]; then
           rm -f "$home_file"
         elif [ -d "$home_file" ]; then
-          do_rmdir=true
-          for f in "$home_file"/*; do
-            if [ -e "$f" -a ! -L "$f" ]; then
-              do_rmdir=false
-              break
-            fi
-          done
-          if [ "$do_rmdir" = true ]; then
+          if [ -z $(find "$home_file" -type f -print -quit) ]; then
             rm -rf "$home_file"
           fi
         fi

ybox/conf/resources/run-in-dir

@@ -9,24 +9,34 @@ if [ -n "$dir" -a -d "$dir" ]; then
   cd "$dir"
 fi
 
-# XAUTHORITY file can change after a re-login or a restart, so search for the passed one
-# by podman/docker exec in the mount point of its parent directory
-if [ -n "$XAUTHORITY" -a -n "$XAUTHORITY_ORIG" -a ! -r "$XAUTHORITY" ]; then
-  # XAUTHORITY is assumed to be either in /run/user or in /tmp
-  run_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
-  if [[ "$XAUTHORITY" == $run_dir/* ]]; then
-    host_dir="$run_dir"
-  elif [[ "$XAUTHORITY" == /tmp/* ]]; then
-    host_dir=/tmp
+# XAUTHORITY, SSH_AUTH_SOCK and GPG_AGENT_INFO files can change after a re-login or a restart,
+# so search for the passed one by podman/docker exec in the mount point of its parent directory
+for env_var in XAUTHORITY SSH_AUTH_SOCK GPG_AGENT_INFO; do
+  env_var_orig=${env_var}_ORIG
+  var_val=${!env_var}
+  var_val_orig=${!env_var_orig}
+  if [ -n "$var_val" -a -n "$var_val_orig" ]; then
+    if [ ! -r "$var_val" ]; then
+      # the value should be in /run/user/<uid> or in /tmp, or else the parent directory is used
+      run_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
+      if [[ "$var_val" == $run_dir/* ]]; then
+        host_dir="$run_dir"
+      elif [[ "$var_val" == /tmp/* ]]; then
+        host_dir=/tmp
+      else
+        host_dir="$(dirname "$var_val")"
+      fi
+      new_val="${var_val/#$host_dir/${host_dir}-host}" # replace $host_dir by ${host_dir}-host
+      if [ ! -r "$new_val" ]; then
+        new_val="$var_val_orig"
+      fi
+      export $env_var="$new_val"
+    fi
   else
-    host_dir="$(dirname "$XAUTHORITY")"
+    # remove unset variable in the container else apps can misbehave
+    unset $env_var
   fi
-  XAUTHORITY="${XAUTHORITY/#$host_dir/${host_dir}-host}" # replace $host_dir by ${host_dir}-host
-  if [ ! -r "$XAUTHORITY" ]; then
-    XAUTHORITY="$XAUTHORITY_ORIG"
-  fi
-  export XAUTHORITY
-fi
+done
 
 # In case NVIDIA driver has been updated, the updated libraries and other files may need to be
 # linked again, so check for a missing library file and invoke the setup script if present

ybox/conf/resources/ybox-systemd.template

@@ -8,15 +8,17 @@ Wants=network-online.target
 After=network-online.target
 {docker_requires}
 [Service]
-EnvironmentFile={env_file}
-Type=forking
+Environment=PATH={sys_path}:{ybox_bin_dir}
+EnvironmentFile=%h/.config/systemd/user/{env_file}
+Type=notify
+NotifyAccess=all
 Restart=on-failure
-TimeoutStopSec=70
 # sleep to allow for initialization of the user's login/graphical environment
 ExecStartPre=/usr/bin/sleep $SLEEP_SECS
-ExecStart=/bin/sh -c 'ybox-control start {name}'
+ExecStart=/bin/sh -c 'ybox-control start {name} && systemd-notify --ready && exec ybox-control wait {name}'
 ExecStop=/bin/sh -c 'ybox-control stop -t 20 --ignore-stopped {name}'
 ExecStopPost=/bin/sh -c 'ybox-control stop -t 20 --ignore-stopped {name}'
-{pid_file}
+TimeoutStopSec=60
+
 [Install]
 WantedBy=default.target

ybox/env.py

@@ -60,34 +60,41 @@ class Environ:
         :param home_dir: if a non-default user home directory has to be set
         """
         self._home_dir = home_dir or os.path.expanduser("~")
+        self._home_dir = self._home_dir.rstrip("/")
         self._docker_cmd = docker_cmd or get_docker_command()
         cmd_version = subprocess.check_output([self._docker_cmd, "--version"])
         self._uses_podman = "podman" in cmd_version.decode("utf-8").lower()
         # local user home might be in a different location than /home but target user in the
         # container will always be in /home with podman else /root for the root user with docker
         # as ensured by entrypoint-base.sh script
-        target_uid = 0
+        current_user = getpass.getuser()
+        current_uid = pwd.getpwnam(current_user).pw_uid
         if self._uses_podman:
-            self._target_user = getpass.getuser()
-            target_uid = pwd.getpwnam(self._target_user).pw_uid
+            self._target_user = current_user
+            target_uid = current_uid
             self._target_home = f"/home/{self._target_user}"
         else:
             self._target_user = "root"
+            target_uid = 0
             self._target_home = "/root"
             # confirm that docker is being used in rootless mode (not required for podman because
             #   it runs as rootless when run by a non-root user in any case without explicit sudo
             #   which the ybox tools don't use)
             if (docker_ctx := subprocess.check_output(
                     [self._docker_cmd, "context", "show"]).decode("utf-8")).strip() != "rootless":
-                raise NotSupportedError("docker should use the rootless mode (see "
-                                        "https://docs.docker.com/engine/security/rootless/) "
-                                        f"but the current context is '{docker_ctx}'")
+                # check for DOCKER_HOST environment variable
+                expected_docker_host = f"unix:///run/user/{current_uid}/docker.sock"
+                if not docker_ctx or os.environ.get("DOCKER_HOST", "") != expected_docker_host:
+                    raise NotSupportedError("docker should use the rootless mode (see "
+                                            "https://docs.docker.com/engine/security/rootless/) "
+                                            f"but the current context is '{docker_ctx}' and "
+                                            f"$DOCKER_HOST is not set to '{expected_docker_host}'")
         os.environ["TARGET_HOME"] = self._target_home
         self._user_base = user_base = site.getuserbase()
         target_user_base = f"{self._target_home}/.local"
         self._data_dir = f"{user_base}/share/ybox"
         self._target_data_dir = f"{target_user_base}/share/ybox"
-        self._xdg_rt_dir = os.environ.get("XDG_RUNTIME_DIR", "")
+        self._xdg_rt_dir = os.environ.get("XDG_RUNTIME_DIR", "").rstrip("/")
         # the container user's one can be different because it is the root user for docker
         self._target_xdg_rt_dir = f"/run/user/{target_uid}"
         self._now = datetime.now()
@@ -148,6 +155,10 @@ class Environ:
         """if podman is the container manager being used"""
         return self._uses_podman
 
+    def systemd_user_conf_dir(self) -> str:
+        """standard configuration directory location of user specific systemd services"""
+        return f"{self._home_dir}/.config/systemd/user"
+
     @property
     def target_user(self) -> str:
         """username of the container user (which is the same as the current user for podman

ybox/migrate/{0.9.0-0.9.7:0.9.8.py → 0.9.0-0.9.10:0.9.11.py}

@@ -20,11 +20,12 @@ copy_ybox_scripts_to_container(static_conf, distro_conf)
 
 # rename PKGMGR_CLEANUP to PKGMGR_CLEAN in pkgmgr.conf
 scripts_dir = static_conf.scripts_dir
-pkgmgr_conf = f"{scripts_dir}/pkgmgr.conf"
-with open(pkgmgr_conf, "r", encoding="utf-8") as pkgmgr_file:
-    pkgmgr_data = pkgmgr_file.read()
-with open(pkgmgr_conf, "w", encoding="utf-8") as pkgmgr_file:
-    pkgmgr_file.write(pkgmgr_data.replace("PKGMGR_CLEANUP", "PKGMGR_CLEAN"))
+pkgmgr_conf = Path(f"{scripts_dir}/pkgmgr.conf")
+if pkgmgr_conf.exists():
+    with pkgmgr_conf.open("r", encoding="utf-8") as pkgmgr_file:
+        pkgmgr_data = pkgmgr_file.read()
+    with pkgmgr_conf.open("w", encoding="utf-8") as pkgmgr_file:
+        pkgmgr_file.write(pkgmgr_data.replace("PKGMGR_CLEANUP", "PKGMGR_CLEAN"))
 # run entrypoint-root.sh again to refresh scripts and configuration
 subprocess.run([static_conf.env.docker_cmd, "exec", "-it", static_conf.box_name, "/usr/bin/sudo",
                 "/bin/bash", f"{static_conf.target_scripts_dir}/entrypoint-root.sh"])

ybox/pkg/inst.py

@@ -24,11 +24,16 @@ from ybox.state import (CopyType, DependencyType, RuntimeConfiguration,
 from ybox.util import check_package, ini_file_reader, select_item_from_menu
 
 # match both "Exec=" and "TryExec=" lines (don't capture trailing newline)
-_EXEC_RE = re.compile(r"^(\s*(Try)?Exec\s*=\s*)(\S+)\s*(.*?)\s*$")
+_EXEC_PATTERN = r"\s*((Try)?Exec\s*=\s*)(\S+)\s*(.*?)\s*"
+# pattern to match icons with absolute paths and change them to just names
+_ICON_PATH_PATTERN = r"\s*Icon\s*=\s*(/usr/share/(icons|pixmaps)/\S+)\s*"
+# regex to match either of the two above
+_EXEC_ICON_RE = re.compile(f"^{_EXEC_PATTERN}|{_ICON_PATH_PATTERN}$")
 # match !p and !a to replace executable program (third group above) and arguments respectively
 _FLAGS_RE = re.compile("![ap]")
 # environment variables passed through from host environment to podman/docker executable
 _PASSTHROUGH_ENVVARS = ("XAUTHORITY", "DISPLAY", "WAYLAND_DISPLAY", "FREETYPE_PROPERTIES",
+                        "SSH_AUTH_SOCK", "GPG_AGENT_INFO",
                         "__NV_PRIME_RENDER_OFFLOAD", "__GLX_VENDOR_LIBRARY_NAME",
                         "__VK_LAYER_NV_optimus", "VK_ICD_FILES", "VK_ICD_FILENAMES")
 
@@ -156,7 +161,8 @@ def _install_package(package: str, args: argparse.Namespace, install_cmd: str, l
             if not skip_desktop_files:
                 copy_type |= CopyType.DESKTOP
             if not skip_executables:
-                resp = input("Create application executable(s)? (Y/n) ") if quiet == 0 else "Y"
+                resp = input("Create wrapper(s) for application executable(s) of package "
+                             f"'{package}'? (Y/n) ") if quiet == 0 else "Y"
                 if resp.strip().lower() != "n":
                     copy_type |= CopyType.EXECUTABLE
         # TODO: wrappers for newly installed required dependencies should also be created;
@@ -436,9 +442,9 @@ def docker_cp_action(docker_cmd: str, box_name: str, src: str,
 def _wrap_desktop_file(filename: str, file: str, docker_cmd: str, conf: StaticConfiguration,
                        app_flags: dict[str, str], wrapper_files: list[str]) -> None:
     """
-    For a desktop file, add "podman/docker exec ..." to its Exec/TryExec lines. Also read
-    the additional flags for the command passed in `app_flags` and add them to an appropriate
-    position in the Exec/TryExec lines.
+    For a desktop file, add "podman/docker exec ..." to its `Exec` lines. Also read the additional
+    flags for the command passed in `app_flags` and add them to an appropriate position in the
+    `Exec` lines. Also removes the `TryExec` lines that do not work in some desktop environments.
 
     :param filename: name of the desktop file being wrapped
     :param file: full path of the desktop file being wrapped
@@ -451,7 +457,13 @@ def _wrap_desktop_file(filename: str, file: str, docker_cmd: str, conf: StaticCo
     # container name is added to desktop file to make it unique
     wrapper_name = f"ybox.{conf.box_name}.{filename}"
 
-    def replace_executable(match: re.Match[str]) -> str:
+    def replace_exec_icon(match: re.Match[str]) -> str:
+        """replace Exec, TryExec and Icon lines appropriately for the host system"""
+        if not (exec_word := match.group(1)):  # check for the case of `Icon=/usr/...`
+            return f"Icon={os.path.basename(match.group(5))}\n"
+        # remove TryExec lines that don't work in some desktop environments (like KDE plasma 5)
+        if match.group(2):
+            return ""
         program = match.group(3)
         args = match.group(4)
         # check for additional flags to be added
@@ -464,7 +476,7 @@ def _wrap_desktop_file(filename: str, file: str, docker_cmd: str, conf: StaticCo
             full_cmd = program
         # pseudo-tty cannot be allocated with rootless docker outside of a terminal app
         env_vars = " -e=".join(_PASSTHROUGH_ENVVARS)
-        return (f'{match.group(1)}{docker_cmd} exec -e={env_vars} {conf.box_name} '
+        return (f'{exec_word}{docker_cmd} exec -e={env_vars} {conf.box_name} '
                 f'/usr/local/bin/run-in-dir "" {full_cmd}\n')
 
     # the destination will be $HOME/.local/share/applications
@@ -476,7 +488,7 @@ def _wrap_desktop_file(filename: str, file: str, docker_cmd: str, conf: StaticCo
     def write_desktop_file(src: str) -> None:
         with open(wrapper_file, "w", encoding="utf-8") as wrapper_fd:
             with open(src, "r", encoding="utf-8") as src_fd:
-                wrapper_fd.writelines(_EXEC_RE.sub(replace_executable, line) for line in src_fd)
+                wrapper_fd.writelines(_EXEC_ICON_RE.sub(replace_exec_icon, line) for line in src_fd)
     if docker_cp_action(docker_cmd, conf.box_name, file, write_desktop_file) == 0:
         wrapper_files.append(wrapper_file)
 
@@ -545,8 +557,8 @@ def _copy_app_icons(selected_icons: dict[str, tuple[float, str]], docker_cmd: st
         # copy from temporary file over the existing one, if any, to overwrite rather than move
         # (which will preserve all of its hard links, for example)
         exists = os.path.exists(target_icon_path)
-        if docker_cp_action(docker_cmd, conf.box_name, icon_path,
-                            lambda src, dest=target_icon_path: shutil.copy2(src, dest)) == 0:
+        if docker_cp_action(docker_cmd, conf.box_name, icon_path, lambda src, dest=target_icon_path:
+                            None if shutil.copy2(src, dest) else None) == 0:  # "if" for pyright
             # skip registration of icon file it already existed and was overwritten so that
             # it is not removed on package uninstall
             if not exists:

ybox/pkg/mark.py

@@ -30,7 +30,7 @@ def mark_package(args: argparse.Namespace, pkgmgr: SectionProxy, docker_cmd: str
     mark_explicit: bool = args.explicit
     mark_dependency_of: str = args.dependency_of or ""
     if not mark_explicit ^ bool(mark_dependency_of):
-        print_error("ybox-pkg mark: exactly one of -e or -D option must be specified "
+        print_error("ybox-pkg mark: exactly one of -e or -d option must be specified "
                     f"(explicit={mark_explicit}, dependency-of={mark_dependency_of})")
         return 1
     # check that the package(s) are installed and replace with actual installed name

ybox/run/control.py

@@ -32,7 +32,7 @@ def start_container(docker_cmd: str, args: argparse.Namespace):
     container_name = args.container
     if status := get_ybox_state(docker_cmd, container_name, (), exit_on_error=False):
         if status[0] == "running":
-            print_color(f"Ybox container '{container_name}' already active", fg=fgcolor.cyan)
+            print_color(f"ybox container '{container_name}' already active", fg=fgcolor.cyan)
         else:
             print_color(f"Starting ybox container '{container_name}'", fg=fgcolor.cyan)
             run_command([docker_cmd, "container", "start", container_name],
@@ -107,6 +107,17 @@ def show_container_status(docker_cmd: str, args: argparse.Namespace) -> None:
         print_error(f"No ybox container '{container_name}' found")
 
 
+def wait_for_container_stop(docker_cmd: str, args: argparse.Namespace) -> None:
+    """
+    Wait for an active container to stop.
+
+    :param docker_cmd: the podman/docker executable to use
+    :param args: arguments having all attributes passed by the user
+    """
+    while check_active_ybox(docker_cmd, args.container):
+        time.sleep(2)
+
+
 def main_argv(argv: list[str]) -> None:
     """
     Main entrypoint of `ybox-control` that takes a list of arguments which are usually the
@@ -138,7 +149,7 @@ def parse_args(argv: list[str]) -> argparse.Namespace:
     stop = operations.add_parser("stop", help="stop a ybox container")
     _add_subparser_args(stop, 10,
                         "time in seconds to wait for a container to stop before killing it")
-    stop.add_argument("--ignore-stopped", action="store_true",
+    stop.add_argument("-I", "--ignore-stopped", action="store_true",
                       help="don't fail on an already stopped container")
     stop.set_defaults(func=stop_container)
 
@@ -150,6 +161,10 @@ def parse_args(argv: list[str]) -> argparse.Namespace:
     _add_subparser_args(status, 0, "")
     status.set_defaults(func=show_container_status)
 
+    wait = operations.add_parser("wait", help="wait for an active ybox container to stop")
+    _add_subparser_args(wait, 0, "")
+    wait.set_defaults(func=wait_for_container_stop)
+
     parser_version_check(parser, argv)
     return parser.parse_args(argv)
 

ybox/run/create.py

@@ -27,9 +27,11 @@ from ybox.filelock import FileLock
 from ybox.pkg.inst import install_package, wrap_container_files
 from ybox.print import (bgcolor, fgcolor, print_color, print_error, print_info,
                         print_notice, print_warn)
-from ybox.run.destroy import get_all_containers, remove_orphans_from_db
+from ybox.run.destroy import (get_all_containers, remove_orphans_from_db,
+                              ybox_systemd_service_prefix)
 from ybox.run.graphics import (add_env_option, add_mount_option, enable_dri,
-                               enable_nvidia, enable_wayland, enable_x11)
+                               enable_nvidia, enable_wayland, enable_x11,
+                               handle_variable_mount)
 from ybox.run.pkg import parse_args as pkg_parse_args
 from ybox.state import RuntimeConfiguration, YboxStateManagement
 from ybox.util import (EnvInterpolation, config_reader,
@@ -195,10 +197,16 @@ def main_argv(argv: list[str]) -> None:
     Path(f"{conf.scripts_dir}/{Consts.entrypoint_init_done_file()}").touch(mode=0o644)
     wait_msg = ("Waiting for the container to be ready "
                 f"(see ybox-logs -f {box_name}' for detailed progress)")
-    if args.systemd_service and (sys_path := os.pathsep.join(Consts.sys_bin_dirs())) and (
-            systemctl := shutil.which("systemctl", path=sys_path)):
+    if not args.skip_systemd_service and (sys_path := os.pathsep.join(Consts.sys_bin_dirs())) and (
+            systemctl := shutil.which("systemctl", path=sys_path)) and run_command(
+                [systemctl, "--user", "--quiet", "is-enabled", "default.target"],
+                exit_on_error=False) == 0:
         create_and_start_service(box_name, env, systemctl, sys_path, wait_msg)
     else:
+        if not args.skip_systemd_service:
+            print_warn("Skipping user systemd service generation due to missing systemctl in "
+                       f"PATH={os.pathsep.join(Consts.sys_bin_dirs())} or failure in "
+                       "'systemctl --user is-enabled default.target'")
         start_container(docker_cmd, conf)
         print_info(wait_msg)
         wait_for_ybox_container(docker_cmd, conf, 120)
@@ -268,9 +276,12 @@ def parse_args(argv: list[str]) -> argparse.Namespace:
     parser.add_argument("-n", "--name", type=str,
                         help="name of the ybox; default is ybox-<distribution>_<profile> "
                              "if not provided (removing the .ini suffix from <profile> file)")
-    parser.add_argument("-S", "--systemd-service", action="store_true",
-                        help="create/overwrite user systemd service file for the container in "
-                             "~/.config/systemd/user and enable it by default")
+    parser.add_argument("-S", "--skip-systemd-service", action="store_true",
+                        help="skip creation of user systemd service file for the ybox container; "
+                             "by default a user systemd service file is created and enabled in "
+                             "~/.config/systemd/user with the name 'ybox-<name>.service' if the "
+                             "<name> does not begin with 'ybox-' prefix else '<name>.service' if "
+                             "it already has 'ybox-' prefix")
     parser.add_argument("-F", "--force-own-orphans", action="store_true",
                         help="force ownership of orphan packages on the same shared root even "
                              "if container configuration does not match, meaning the packages "
@@ -607,6 +618,12 @@ def process_base_section(base_section: SectionProxy, profile: PathName, conf: St
         elif key == "dbus":
             if _get_boolean(val):
                 enable_dbus(docker_args, base_section.getboolean("dbus_sys", fallback=False), env)
+        elif key == "ssh_agent":
+            if _get_boolean(val):
+                enable_ssh_agent(docker_args, env)
+        elif key == "gpg_agent":
+            if _get_boolean(val):
+                enable_gpg_agent(docker_args, env)
         elif key == "dri":
             dri = _get_boolean(val)
         elif key == "nvidia":
@@ -629,6 +646,9 @@ def process_base_section(base_section: SectionProxy, profile: PathName, conf: St
                         (re.match("^--log-opt=path=(.*)/.*$", path) for path in docker_args) if mt]
             for log_dir in log_dirs:
                 os.makedirs(log_dir, mode=Consts.default_directory_mode(), exist_ok=True)
+        elif key == "devices":
+            if val:
+                add_multi_opt(docker_args, "device", val)
         elif key not in ("name", "dbus_sys", "includes"):
             raise NotSupportedError(f"Unknown key '{key}' in the [base] of {profile} "
                                     "or its includes")
@@ -685,21 +705,51 @@ def enable_dbus(docker_args: list[str], sys_enable: bool, env: Environ) -> None:
                        to the user dbus message bus
     :param env: an instance of the current :class:`Environ`
     """
-    def replace_target_dir(src: str) -> str:
-        return src.replace(f"{env.xdg_rt_dir}/", f"{env.target_xdg_rt_dir}/")
     if dbus_session := os.environ.get("DBUS_SESSION_BUS_ADDRESS"):
         dbus_user = dbus_session[dbus_session.find("=") + 1:]
         if (dbus_opts_idx := dbus_user.find(",")) != -1:
             dbus_user = dbus_user[:dbus_opts_idx]
-        add_mount_option(docker_args, dbus_user, replace_target_dir(dbus_user))
-        add_env_option(docker_args, "DBUS_SESSION_BUS_ADDRESS", replace_target_dir(dbus_session))
+        add_mount_option(docker_args, dbus_user, _replace_xdg_rt_dir(dbus_user, env))
+        add_env_option(docker_args, "DBUS_SESSION_BUS_ADDRESS",
+                       _replace_xdg_rt_dir(dbus_session, env))
     if sys_enable:
-        dbus_sys = "/run/dbus/system_bus_socket"
-        dbus_sys2 = "/var/run/dbus/system_bus_socket"
-        if os.access(dbus_sys, os.W_OK):
-            add_mount_option(docker_args, dbus_sys, dbus_sys)
-        elif os.access(dbus_sys2, os.W_OK):
-            add_mount_option(docker_args, dbus_sys2, dbus_sys)
+        for dbus_sys in ("/run/dbus/system_bus_socket", "/var/run/dbus/system_bus_socket"):
+            if os.access(dbus_sys, os.W_OK):
+                add_mount_option(docker_args, dbus_sys, dbus_sys)
+                break
+
+
+def enable_ssh_agent(docker_args: list[str], env: Environ) -> None:
+    """
+    Append options to podman/docker arguments to share host machine's ssh agent socket
+    with the new ybox container.
+
+    :param docker_args: list of podman/docker arguments to which the options have to be appended
+    :param env: an instance of the current :class:`Environ`
+    """
+    if ssh_auth_sock := os.environ.get("SSH_AUTH_SOCK"):
+        target_ssh_auth_sock = handle_variable_mount(docker_args, env, ssh_auth_sock)
+        add_env_option(docker_args, "SSH_AUTH_SOCK", target_ssh_auth_sock)
+        add_env_option(docker_args, "SSH_AUTH_SOCK_ORIG", target_ssh_auth_sock)
+
+
+def enable_gpg_agent(docker_args: list[str], env: Environ) -> None:
+    """
+    Append options to podman/docker arguments to share host machine's gpg agent sockets
+    with the new ybox container.
+
+    :param docker_args: list of podman/docker arguments to which the options have to be appended
+    :param env: an instance of the current :class:`Environ`
+    """
+    if gpg_agent_info := os.environ.get("GPG_AGENT_INFO"):
+        target_gpg_agent_info = handle_variable_mount(docker_args, env, gpg_agent_info)
+        add_env_option(docker_args, "GPG_AGENT_INFO", target_gpg_agent_info)
+        add_env_option(docker_args, "GPG_AGENT_INFO_ORIG", target_gpg_agent_info)
+
+
+def _replace_xdg_rt_dir(src: str, env: Environ) -> str:
+    """replace host's $XDG_RUNTIME_DIR in `src` with that of container user's $XDG_RUNTIME_DIR"""
+    return src.replace(env.xdg_rt_dir + "/", env.target_xdg_rt_dir + "/")
 
 
 def add_multi_opt(docker_args: list[str], opt: str, val: Optional[str]) -> None:
@@ -712,7 +762,7 @@ def add_multi_opt(docker_args: list[str], opt: str, val: Optional[str]) -> None:
     """
     if val:
         for opt_val in val.split(","):
-            docker_args.append(f"--{opt}={opt_val}")
+            docker_args.append(f"--{opt}={opt_val.strip()}")
 
 
 def process_security_section(sec_section: SectionProxy, profile: PathName,
@@ -790,8 +840,7 @@ def process_configs_section(configs_section: SectionProxy, config_hardlinks: boo
     # this is refreshed on every container start
 
     # always recreate the directory to pick up any changes
-    if os.path.isdir(conf.configs_dir):
-        shutil.rmtree(conf.configs_dir)
+    shutil.rmtree(conf.configs_dir, ignore_errors=True)
     os.makedirs(conf.configs_dir, mode=Consts.default_directory_mode(), exist_ok=True)
     if config_hardlinks:
         print_info("Creating hard links to paths specified in [configs]  ...")
@@ -812,10 +861,7 @@ def process_configs_section(configs_section: SectionProxy, config_hardlinks: boo
             dest_path = f"{conf.configs_dir}/{dest_rel_path}"
             if os.access(src_path, os.R_OK):
                 if os.path.exists(dest_path):
-                    if os.path.isdir(dest_path):
-                        shutil.rmtree(dest_path)
-                    else:
-                        os.unlink(dest_path)
+                    shutil.rmtree(dest_path, ignore_errors=True)
                 else:
                     os.makedirs(os.path.dirname(dest_path),
                                 mode=Consts.default_directory_mode(), exist_ok=True)
@@ -842,7 +888,7 @@ def process_configs_section(configs_section: SectionProxy, config_hardlinks: boo
                 print_warn(f"Skipping inaccessible configuration path '{src_path}'")
     print_info("DONE.")
     # finally mount the configs directory to corresponding directory in the target container
-    add_mount_option(docker_args, conf.configs_dir, conf.target_configs_dir, "ro")
+    add_mount_option(docker_args, conf.configs_dir, conf.target_configs_dir)
 
 
 def process_env_section(env_section: SectionProxy, docker_args: list[str]) -> None:
@@ -927,13 +973,16 @@ def copytree(src_path: str, dest: str, hardlink: bool = False,
     Note: this function only handles regular files and directories (and hard/symbolic links to
     them) and will skip special files like device files, fifos etc.
 
-    :param src_path: the resolved source directory (using `os.path.realpath` or `Path.resolve`)
-    :param dest: the destination directory which should exist
+    :param src_path: the source directory to be copied (should have been resolved using
+                     `os.path.realpath` or `Path.resolve` if `src_root` argument is not supplied)
+    :param dest: the destination directory which should not already exist (but its parent should)
     :param hardlink: if True then create hard links to the files in the source (so it should
                        be in the same filesystem) else copy the files, defaults to False
-    :param src_root: the resolved root source directory (same as `src_path` if `None`)
+    :param src_root: the resolved root source directory (same as `src_path` if `None` which is
+                     assumed to have been resolved using `os.path.realpath` or `Path.resolve`)
     """
     src_root = src_root or src_path
+    src_root = src_root.rstrip("/")
     os.mkdir(dest, mode=stat.S_IMODE(os.stat(src_path).st_mode))
     # follow symlink if it leads to outside the "src" tree, else copy as a symlink which
     # ensures that all destination files are always accessible regardless of source going
@@ -951,7 +1000,7 @@ def copytree(src_path: str, dest: str, hardlink: bool = False,
                         os.symlink(l_name, dest_path)
                         continue
                     entry_path = os.path.realpath(entry.path)
-                    if entry_path.startswith(src_root) and entry_path[len(src_root)] == "/":
+                    if entry_path.startswith(src_root + "/"):
                         rpath = entry_path[len(src_root) + 1:]
                         os.symlink(("../" * rpath.count("/")) + rpath, dest_path)
                         continue
@@ -974,6 +1023,8 @@ def copytree(src_path: str, dest: str, hardlink: bool = False,
             except OSError as err:
                 # ignore permission and related errors and continue
                 print_warn(f"Skipping copy/link of '{entry_path}' due to error: {err}")
+        # TODO: SW: check for success in all copytree's else return False, then check at caller
+        # to print a bold warning
 
 
 def setup_ybox_scripts(conf: StaticConfiguration, distro_config: ConfigParser) -> None:
@@ -1138,8 +1189,8 @@ def run_container(docker_full_cmd: list[str], current_user: str, shared_root: st
         programs from less secure containers; the `ybox-pkg` tool provided a convenient high-level
         package manager that users should use for managing packages in the containers which will
         help in exposing packages only in designated containers
-      * systemd user service file can be generated for podman/docker to start the container
-        automatically on user login when -S/--systemd-service option has been provided
+      * systemd user service file is generated for podman/docker to start the container
+        automatically on user login (in absence of -S/--skip-systemd-service option)
 
     :param docker_full_cmd: the `docker`/`podman run -itd` command with all the options filled
                             in from the container profile specification as a list of string
@@ -1207,26 +1258,28 @@ def create_and_start_service(box_name: str, env: Environ, systemctl: str, sys_pa
     svc_file = env.search_config_path("resources/ybox-systemd.template", only_sys_conf=True)
     with svc_file.open("r", encoding="utf-8") as svc_fd:
         svc_tmpl = svc_fd.read()
-    pid_file = ""
     if env.uses_podman:
         manager_name = "Podman"
         docker_requires = ""
-        res = run_command([env.docker_cmd, "container", "inspect", "--format={{.ConmonPidFile}}",
-                           box_name], capture_output=True, exit_on_error=False)
-        if isinstance(res, str):
-            pid_file = f"PIDFile={res}"
     else:
         manager_name = "Docker"
         docker_requires = "After=docker.service\nRequires=docker.service\n"
-    systemd_dir = f"{env.home}/.config/systemd/user"
-    ybox_svc = f"ybox-{box_name}.service"
-    ybox_env = f"{systemd_dir}/.ybox-{box_name}.env"
+    systemd_dir = env.systemd_user_conf_dir()
+    ybox_svc_prefix = ybox_systemd_service_prefix(box_name)
+    ybox_svc = f"{ybox_svc_prefix}.service"
+    ybox_env = f".{ybox_svc_prefix}.env"
     formatted_now = env.now.astimezone().strftime("%a %d %b %Y %H:%M:%S %Z")
+    # get the path of ybox-control and replace $HOME by %h to keep it generic
+    if ybox_ctrl_path := shutil.which("ybox-control"):
+        ybox_bin_dir = os.path.dirname(ybox_ctrl_path)
+        if ybox_bin_dir.startswith(env.home + "/"):
+            ybox_bin_dir = f"%h{ybox_bin_dir[len(env.home):]}"
+    else:
+        ybox_bin_dir = "%h/.local/bin"
     svc_content = svc_tmpl.format(name=box_name, version=product_version, date=formatted_now,
                                   manager_name=manager_name, docker_requires=docker_requires,
-                                  env_file=ybox_env, pid_file=pid_file)
+                                  sys_path=sys_path, ybox_bin_dir=ybox_bin_dir, env_file=ybox_env)
     env_content = f"""
-        PATH={sys_path}:{env.home}/.local/bin
         SLEEP_SECS={{sleep_secs}}
         # set the container manager to the one configured during ybox-create
         YBOX_CONTAINER_MANAGER={env.docker_cmd}
@@ -1235,15 +1288,15 @@ def create_and_start_service(box_name: str, env: Environ, systemctl: str, sys_pa
     print_color(f"Generating user systemd service '{ybox_svc}' and reloading daemon", fgcolor.cyan)
     with open(f"{systemd_dir}/{ybox_svc}", "w", encoding="utf-8") as svc_fd:
         svc_fd.write(svc_content)
-    with open(ybox_env, "w", encoding="utf-8") as env_fd:
+    with open(f"{systemd_dir}/{ybox_env}", "w", encoding="utf-8") as env_fd:
         env_fd.write(dedent(env_content.format(sleep_secs=0)))  # don't sleep for the start below
     run_command([systemctl, "--user", "daemon-reload"], exit_on_error=False)
     run_command([systemctl, "--user", "enable", ybox_svc], exit_on_error=True)
     print_info(wait_msg)
     run_command([systemctl, "--user", "start", ybox_svc], exit_on_error=True)
-    # change SLEEP_SECS to 7 for subsequent starts
-    with open(ybox_env, "w", encoding="utf-8") as env_fd:
-        env_fd.write(dedent(env_content.format(sleep_secs=7)))
+    # change SLEEP_SECS to 5 for subsequent starts
+    with open(f"{systemd_dir}/{ybox_env}", "w", encoding="utf-8") as env_fd:
+        env_fd.write(dedent(env_content.format(sleep_secs=5)))
 
 
 def start_container(docker_cmd: str, conf: StaticConfiguration) -> None:

ybox/run/destroy.py

@@ -5,6 +5,7 @@ Code for the `ybox-destroy` script that is used to destroy an active or stopped
 import argparse
 import os
 import shutil
+import subprocess
 import sys
 
 from ybox.cmd import check_ybox_exists, parser_version_check, run_command
@@ -36,15 +37,12 @@ def main_argv(argv: list[str]) -> None:
     check_ybox_exists(docker_cmd, container_name, exit_on_error=True)
     print_color(f"Stopping ybox container '{container_name}'", fg=fgcolor.cyan)
     # check if there is a systemd service for the container
-    systemd_dir = f"{env.home}/.config/systemd/user"
-    ybox_svc = f"ybox-{container_name}.service"
-    ybox_svc_path = ""
-    if (systemctl := shutil.which("systemctl", path=os.pathsep.join(Consts.sys_bin_dirs()))) and \
-            not os.access(ybox_svc_path := f"{systemd_dir}/{ybox_svc}", os.R_OK):
-        ybox_svc_path = ""
+    ybox_svc_prefix = ybox_systemd_service_prefix(container_name)
+    ybox_svc = f"{ybox_svc_prefix}.service"
+    systemctl = check_systemd_service_present(ybox_svc)
 
     # continue even if this fails since the container may already be in stopped state
-    if systemctl and ybox_svc_path:
+    if systemctl:
         run_command([systemctl, "--user", "stop", ybox_svc],
                     exit_on_error=False, error_msg=f"stopping '{container_name}'")
     else:
@@ -59,12 +57,16 @@ def main_argv(argv: list[str]) -> None:
     run_command(rm_args, error_msg=f"removing '{container_name}'")
 
     # remove systemd service file and reload daemon
-    if systemctl and ybox_svc_path:
+    if systemctl:
         print_color(f"Removing systemd service '{ybox_svc}' and reloading daemon", fg=fgcolor.cyan)
         run_command([systemctl, "--user", "disable", ybox_svc], exit_on_error=False)
-        os.unlink(ybox_svc_path)
+        systemd_dir = env.systemd_user_conf_dir()
+        try:
+            os.unlink(f"{systemd_dir}/{ybox_svc}")
+        except OSError:
+            pass
         try:
-            os.unlink(f"{systemd_dir}/.ybox-{container_name}.env")
+            os.unlink(f"{systemd_dir}/.{ybox_svc_prefix}.env")
         except OSError:
             pass
         run_command([systemctl, "--user", "daemon-reload"], exit_on_error=False)
@@ -97,6 +99,26 @@ def parse_args(argv: list[str]) -> argparse.Namespace:
     return parser.parse_args(argv)
 
 
+def ybox_systemd_service_prefix(container_name: str) -> str:
+    """systemd service name prefix for given ybox container name"""
+    return container_name if container_name.startswith("ybox-") else f"ybox-{container_name}"
+
+
+def check_systemd_service_present(user_svc: str) -> str:
+    """
+    Check if the given user systemd service is present and return the PATH of system installed
+    `systemctl` tool if true, else return empty string.
+
+    :param user_svc: name the user systemd service file
+    :return: full path of `systemctl` if installed and user systemd service is available else empty
+    """
+    if (systemctl := shutil.which("systemctl", path=os.pathsep.join(Consts.sys_bin_dirs()))) and \
+            subprocess.run([systemctl, "--user", "--quiet", "list-unit-files", user_svc],
+                           check=False, capture_output=True).returncode == 0:
+        return systemctl
+    return ""
+
+
 def get_all_containers(docker_cmd: str) -> list[str]:
     """
     Get all the valid containers as known to the container manager.

ybox/run/graphics.py

@@ -20,7 +20,8 @@ _STD_LIB_DIR_PATTERNS = ["&/usr/lib/*-linux-gnu", "&/lib/*-linux-gnu", "&/usr/li
                          "&/lib64/*-linux-gnu", "&/usr/lib32/*-linux-gnu", "&/lib32/*-linux-gnu"]
 _STD_LD_LIB_PATH_VARS = ["LD_LIBRARY_PATH", "LD_LIBRARY_PATH_64", "LD_LIBRARY_PATH_32"]
 _NVIDIA_LIB_PATTERNS = ["*nvidia*.so*", "*NVIDIA*.so*", "libcuda*.so*", "libnvcuvid*.so*",
-                        "libnvoptix*.so*", "gbm/*nvidia*.so*", "vdpau/*nvidia*.so*"]
+                        "libnvoptix*.so*", "gbm/*nvidia*.so*", "vdpau/*nvidia*.so*",
+                        "libXNVCtrl.so*"]
 _NVIDIA_BIN_PATTERNS = ["nvidia-smi", "nvidia-cuda*", "nvidia-debug*", "nvidia-bug*"]
 # note that the code below assumes that file name pattern below is always of the form *nvidia*
 # (while others are directories), so if that changes then update _process_nvidia_data_files
@@ -45,7 +46,8 @@ def add_env_option(docker_args: list[str], env_var: str, env_val: Optional[str]
         docker_args.append(f"-e={env_var}={env_val}")
 
 
-def add_mount_option(docker_args: list[str], src: str, dest: str, flags: str = "") -> None:
+def add_mount_option(docker_args: list[str], src: str, dest: str, flags: str = "",
+                     check_exists: bool = False) -> None:
     """
     Add option to the list of podman/docker arguments to bind mount a source directory to
     given destination directory.
@@ -54,11 +56,40 @@ def add_mount_option(docker_args: list[str], src: str, dest: str, flags: str = "
     :param src: the source directory in the host system
     :param dest: the destination directory in the container
     :param flags: any additional flags to be passed to `-v` podman/docker argument, defaults to ""
+    :param check_exists: check if the bind mount was already added (and skip if so)
     """
-    if flags:
-        docker_args.append(f"-v={src}:{dest}:{flags}")
+    mount_arg = f"-v={src}:{dest}:{flags}" if flags else f"-v={src}:{dest}"
+    if not check_exists or mount_arg not in docker_args:
+        docker_args.append(mount_arg)
+
+
+def handle_variable_mount(docker_args: list[str], env: Environ, mount_path: str) -> str:
+    """
+    Handle the case where a mount point may change in different starts or even within the same
+    started container instance. In these cases the "base" directory of the mount point is
+    mounted instead which should normally be `/tmp` or `$XDG_RUNTIME_DIR`. The variable values
+    are assumed to lie between these two, or the parent directory of the mount point if it does
+    not lie within these two base directories. The actual passing of the required environment
+    variable (that can change) is handled by the `run-in-dir` script that will adjust the variable
+    value to reflect that mount point added by this method.
+
+    :param docker_args: list of podman/docker arguments to which the options have to be appended
+    :param env: an instance of the current :class:`Environ`
+    :param mount_path: the variable path which is usually the value of an environment variable
+    :return: the result mount point inside the container for the `mount_path`
+    """
+    base_dir = os.path.dirname(mount_path)
+    # check if parent_dir is in $XDG_RUNTIME_DIR or /tmp
+    if not env.xdg_rt_dir:
+        base_dirs = {base_dir, "/tmp"}
+    elif mount_path.startswith(env.xdg_rt_dir + "/") or mount_path.startswith("/tmp/"):
+        base_dirs = (env.xdg_rt_dir, "/tmp")
+        base_dir = "/tmp" if base_dir.startswith("/tmp") else env.xdg_rt_dir
     else:
-        docker_args.append(f"-v={src}:{dest}")
+        base_dirs = (base_dir, env.xdg_rt_dir, "/tmp")
+    for b_dir in base_dirs:
+        add_mount_option(docker_args, b_dir, f"{b_dir}-host", "ro", check_exists=True)
+    return mount_path.replace(base_dir, f"{base_dir}-host")
 
 
 def enable_x11(docker_args: list[str], env: Environ) -> None:
@@ -82,18 +113,7 @@ def enable_x11(docker_args: list[str], env: Environ) -> None:
         # parent can cause trouble if one changes the display manager, for example, which
         # uses an entirely different mount point (e.g. gdm uses /run/user/... while sddm
         #   uses /tmp)
-        parent_dir = os.path.dirname(xauth)
-        # check if parent_dir is in $XDG_RUNTIME_DIR or /tmp
-        if not env.xdg_rt_dir:
-            parent_dirs = {parent_dir, "/tmp"}
-        elif xauth.startswith(f"{env.xdg_rt_dir}/") or xauth.startswith("/tmp/"):
-            parent_dirs = (env.xdg_rt_dir, "/tmp")
-            parent_dir = "/tmp" if parent_dir.startswith("/tmp") else env.xdg_rt_dir
-        else:
-            parent_dirs = (parent_dir, env.xdg_rt_dir, "/tmp")
-        for p_dir in parent_dirs:
-            add_mount_option(docker_args, p_dir, f"{p_dir}-host", "ro")
-        target_xauth = xauth.replace(parent_dir, f"{parent_dir}-host")
+        target_xauth = handle_variable_mount(docker_args, env, xauth)
         add_env_option(docker_args, "XAUTHORITY", target_xauth)
         add_env_option(docker_args, "XAUTHORITY_ORIG", target_xauth)
 

ybox/run/pkg.py

@@ -392,11 +392,11 @@ def add_mark(subparser: argparse.ArgumentParser) -> None:
     subparser.add_argument("-e", "--explicit", action="store_true",
                            help="mark the package as explicitly installed; the package will "
                                 "henceforth be managed by `ybox-pkg` if not already; "
-                                "exactly one of -e or -D option must be specified")
-    subparser.add_argument("-D", "--dependency-of", type=str,
+                                "exactly one of -e or -d option must be specified")
+    subparser.add_argument("-d", "--dependency-of", type=str,
                            help="mark the package as a dependency of given package; both the "
                                 "packages will henceforth be managed by `ybox-pkg` if not "
-                                "already; exactly one of -e or -D option must be specified")
+                                "already; exactly one of -e or -d option must be specified")
     subparser.add_argument("package", type=str, help="the package to be marked")
     subparser.set_defaults(func=mark_package)
 

{ybox-0.9.10.dist-info → ybox-0.9.11.dist-info}/METADATA

@@ -1,6 +1,6 @@
-Metadata-Version: 2.2
+Metadata-Version: 2.4
 Name: ybox
-Version: 0.9.10
+Version: 0.9.11
 Summary: Securely run Linux distribution inside a container
 Author-email: Sumedh Wale <sumwale@yahoo.com>, Vishal Rao <vishalrao@gmail.com>
 License: Copyright (c) 2024-2025 Sumedh Wale and contributors
@@ -25,7 +25,7 @@ License: Copyright (c) 2024-2025 Sumedh Wale and contributors
         
 Project-URL: Homepage, https://github.com/sumwale/ybox
 Project-URL: Issues, https://github.com/sumwale/ybox/issues
-Keywords: Linux in container,toolbox
+Keywords: Linux in container,toolbox,distrobox
 Classifier: Development Status :: 4 - Beta
 Classifier: Intended Audience :: End Users/Desktop
 Classifier: License :: OSI Approved :: MIT License
@@ -42,6 +42,7 @@ License-File: LICENSE
 Requires-Dist: packaging
 Requires-Dist: simple-term-menu
 Requires-Dist: tabulate>=0.9.0
+Dynamic: license-file
 
 ## Introduction
 
@@ -99,7 +100,7 @@ So, for example, if you want to run the latest and greatest Intellij IDEA commun
 to do is:
 
 ```sh
-# create an Arch Linux based container
+# create an Arch Linux based container and generate systemd service file (if possible)
 ybox-create arch
 # then select an appropriate built-in profile e.g. "dev.ini" from the menu
 
@@ -197,6 +198,8 @@ to point to the full path of the podman or docker executable.
 ybox-create
 ```
 
+By default this will also generate a user systemd service if possible (add `-S` or
+  `--skip-systemd-service` option to skip creation of a user systemd service).
 This will allow choosing from supported distributions, then from the available profiles.
 You can start with the Arch Linux distribution and `apps.ini` profile to try it out. The container
 will have a name like `ybox-<distribution>_<profile>` by default like `ybox-arch_apps` for the
@@ -269,7 +272,7 @@ ybox-pkg list -o
 ```
 To show more details of the packages (combine with -a/-o as required):
 ```sh
-ybox-pkg list -o
+ybox-pkg list -v
 ```
 
 List all the files installed by the package:
@@ -309,6 +312,8 @@ Clean package cache, temporary downloads etc:
 ```sh
 ybox-pkg clean
 ```
+Add `-q` option to answer yes for any questions automatically if all your containers use
+the same shared root.
 
 Mark a package as explicitly installed (also registers with `ybox-pkg` if not present):
 ```sh
@@ -317,7 +322,7 @@ ybox-pkg mark firefox -e
 
 Mark a package as a dependency of another (also registers with `ybox-pkg` if not present):
 ```sh
-ybox-pkg mark qt5ct -D zoom  # mark qt5ct as an optional dependency of zoom
+ybox-pkg mark qt5ct -d zoom  # mark qt5ct as an optional dependency of zoom
 ```
 
 Repair package installation after a failure or interrupt:
@@ -437,26 +442,32 @@ for a ybox container. See the full set of options with `ybox-control -h/--help`.
 ### Auto-starting containers
 
 Containers can be auto-started as per the usual way for rootless podman/docker services.
-This is triggered by systemd on user login which is exactly what we want for ybox
+This is triggered by systemd on user login which is exactly what is required for ybox
 containers so that the container applications are available on login and are stopped on
-session logout. For docker the following should suffice:
+session logout. All the tested Linux distributions support this and provide for user
+systemd daemon on user login.
 
-```sh
-systemctl --user enable docker
-```
+The `ybox-create` command  autogenerates the systemd service file (in absence of `-S` or
+  `--skip-systemd-service` option) which is also removed by `ybox-destroy` automatically.
+The name of the generated service is `ybox-<NAME>` where `<NAME>` is the name of the
+container if `<NAME>` does not start with `ybox-` prefix, else it is just `<NAME>`.
 
-See [docker docs](https://docs.docker.com/engine/security/rootless/#daemon) for details.
-
-For podman you will need to explicitly generate systemd service file for each container and
-copy to your systemd configuration directory since podman does not use a background daemon.
-For the `ybox-arch_apps` container in the examples before:
+With a user service installed, the `systemctl` commands can be used to control the
+ybox container (`<SERVICE_NAME>` is `ybox-<NAME>/<NAME>` mentioned above):
 
 ```sh
-mkdir -p ~/.config/systemd/user/
-podman generate systemd --name ybox-arch_apps > ~/.config/systemd/user/container-ybox-arch_apps.service
-systemctl --user enable container-ybox-arch_apps.service
+systemctl --user status <SERVICE_NAME>  # show status of the service
+systemctl --user stop <SERVICE_NAME>    # stop the service
+systemctl --user start <SERVICE_NAME>   # start the service
 ```
 
+If your Linux distribution does not use systemd, then the autostart has to be handled
+manually as per the distribution's preferred way. For instance an appropriate desktop
+file can be added to `~/.config/autostart` directory to start a ybox container on
+graphical login, though performing a clean stop can be hard with this approach.
+Note that the preferred way to start/stop a ybox container is using the `ybox-control`
+command rather than directly using podman/docker.
+
 
 ## Development
 

{ybox-0.9.10.dist-info → ybox-0.9.11.dist-info}/RECORD

@@ -1,7 +1,7 @@
-ybox/__init__.py,sha256=jQDT4EtS19JjBbrvOVG5G0Vzpcw9ZsATD9wt6wNRr1s,97
+ybox/__init__.py,sha256=DJW4aoiXY2arxFg1eBQPfjHm19Ur_tXdLu332z66Esw,97
 ybox/cmd.py,sha256=RaNZ7LBqUNwpqQkitR29WLoItjkMfZmaFEeryLTR_tM,14962
 ybox/config.py,sha256=inmuUhlAZb6EKLGYWdymsqoHggtiLd58kc125l25ACA,9943
-ybox/env.py,sha256=vfHuvTOpApR4fLx1vePWRrTYxzo50c-7dFcnm1-vDHo,8738
+ybox/env.py,sha256=6o0tJ163KWhVZHnhDRWw_16nMMYoy4-2yAHSJYBSL-0,9420
 ybox/filelock.py,sha256=nWBp3jvbtrNziRzNcWm6FVVA_lhMccLwgLCVT2IDK5c,3185
 ybox/print.py,sha256=hAQjTb6JmtjWh0sF4GdZHcKRph5iMKP5x23s8LE85q4,4343
 ybox/state.py,sha256=QSAfa4LGy7oDZVe6muBXFIylKB7CMalv3OgEQ3VtmAo,50174
@@ -27,27 +27,27 @@ ybox/conf/distros/deb-oldstable/distro.ini,sha256=lr7140ftndEvs3Liavf3hg3v0qHHWA
 ybox/conf/distros/deb-stable/distro.ini,sha256=xyQ31mLOpj3Z1MK-UYuc_9NfEkb7Gy10MdDKXMgnqDo,1100
 ybox/conf/distros/ubuntu2204/distro.ini,sha256=3Pw1Q30USyKMUcHp_cvlqhwyU0FPo8O2AHWkgd0cdE4,1105
 ybox/conf/distros/ubuntu2404/distro.ini,sha256=ra4_EteDsHrw9UcehP4qLGTn98gAHc4JCb56CDzz1Wo,1102
-ybox/conf/profiles/apps.ini,sha256=9GCZJvdB5yOfx-mXyti3M-YQjeLnugrhOp43sQQvqQ0,1001
-ybox/conf/profiles/basic.ini,sha256=mQuksPFcIoi1K-tsZxIpKhbNGe8Ltjquo0MacPoUUwE,18952
-ybox/conf/profiles/dev.ini,sha256=joSqLKrtokX4Tabn-EcxB4t7YhXlIV6ZnX3imCAPGaI,755
+ybox/conf/profiles/apps.ini,sha256=vxVVy9oUw31to8CaagNZj9MQpGHIK2xARN4nzHy4vZ0,1270
+ybox/conf/profiles/basic.ini,sha256=FGSDOooI4meXhQlwFpPo_RxZ62it3bvdjqWkpVVDcA4,19713
+ybox/conf/profiles/dev.ini,sha256=Qicas_96ZoG3nsm1MSE1urarlBzIj9kBGmUqrk_cD3g,976
 ybox/conf/profiles/games.ini,sha256=FiBILNFOMpjKhrIR9nPbPj9QDUeI5h9wZaNXIb6Z7dc,1792
 ybox/conf/resources/entrypoint-base.sh,sha256=hcW8ZLHM-jlHx7McoKTo8HIFz_VBBPD0I3WqlX7LjHs,4890
 ybox/conf/resources/entrypoint-common.sh,sha256=fMopKBLeGuVV0ukANXh_ZHGTR1yGq108CTN_M2MNPyQ,461
-ybox/conf/resources/entrypoint-cp.sh,sha256=4R1UA2YLcKH_tUcyiioHSJA5B_t7GT1Z9gVFnCMi2a0,813
-ybox/conf/resources/entrypoint-root.sh,sha256=YhCftc4hYh3qKw0uEgYhHgitGY-KFGfHCxrHIMw9lHA,703
+ybox/conf/resources/entrypoint-cp.sh,sha256=jemWFCqfme9blVtfVxqBzCsCp7b-bN2aFLajruF0GGQ,814
+ybox/conf/resources/entrypoint-root.sh,sha256=58xcDX58ZtEFSr7ZSUFmzKt1OyGU29OrxjOmDiR6V8Q,706
 ybox/conf/resources/entrypoint-user.sh,sha256=Tps_UyQGyGn30LbgKm3gpzZtjOHnJpnlKx-px2GAd7A,698
-ybox/conf/resources/entrypoint.sh,sha256=jD4_C-2YtGwJ4pe2KfxfOtJll2Kv3F4YBU0WuhFQg9w,8716
+ybox/conf/resources/entrypoint.sh,sha256=jbfFfUprU7ycp0moZLXNdnxk_bhtDxAk6byEiPMNz-s,8560
 ybox/conf/resources/prime-run,sha256=en8wEspc2Hzod9rq8KKnPQrjIPTLjUk44TqmtX-g0sw,339
-ybox/conf/resources/run-in-dir,sha256=WyYwCE56yuaMqoI1wGeil6UzycnlI6xxfy2iC92LDt4,1934
+ybox/conf/resources/run-in-dir,sha256=-Xnwp4n6TK_2yPeBhGX6agenztyOtZ0316-vUlfOIag,2299
 ybox/conf/resources/run-user-bash-cmd,sha256=LMlPoHtzYNDcOI885ouBha9xGRnQ6AWCFVsSu2dxy10,1065
-ybox/conf/resources/ybox-systemd.template,sha256=-6Ui-J3GgW0VGoBdHlL7KCcGIrIgylXSKQvyzrKk7yE,647
-ybox/migrate/0.9.0-0.9.7:0.9.8.py,sha256=N7O7HtoMh_l404v2bHG5Od-_4fCDFMUBZ1SeT1P9F4M,1582
+ybox/conf/resources/ybox-systemd.template,sha256=bA-bJOmc07Be-mQYtoFzl0yq4SJACv-FkAoKscPTh3g,779
+ybox/migrate/0.9.0-0.9.10:0.9.11.py,sha256=WHvIWvUhXnruzSYwWYnv2zPNOlkXfAyaaJ_nZwG2wwE,1627
 ybox/pkg/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 ybox/pkg/clean.py,sha256=UlsrJLfZOyKg-7BE8s9xPvAyuUXSwvU5x-E7MMjGJSE,1219
 ybox/pkg/info.py,sha256=HoEsiAi-iPEnAOWBMy9SsA4TOfyqHonRURU8k5EeAWA,1607
-ybox/pkg/inst.py,sha256=MxOfkY166En8vzyBN1FysXlpopxb4_0u5bAdmL7jgmw,36046
+ybox/pkg/inst.py,sha256=wxFJo1GNrUGyjIqtEtOc_44Ty7zdZKj-qHcs9RdZudQ,36912
 ybox/pkg/list.py,sha256=Sk5THAmF132HKEZxJVDlqLLR8Z2w1wRA_E-gBsxlesQ,10097
-ybox/pkg/mark.py,sha256=cdTOKpo7Vb8j8lM0oZxdvAsJpIktnskyHWd6vEt-pG0,3748
+ybox/pkg/mark.py,sha256=Hb1FaowdBx8x3GFcakXsq4ERNqI60Gjljr24qXsDGR8,3748
 ybox/pkg/repair.py,sha256=rCwXXJbilJYU73feIIVWGFdbkh6SDcquxgiEnYV6pNs,8080
 ybox/pkg/repo.py,sha256=25gQgGMPeHgX83iqqWXyG6V6rIZ4i_KEnIbNG-CrxTk,13677
 ybox/pkg/search.py,sha256=GKfonxCLHtH-kojZpRJlRfe0qf768wUehVv20nM4lKY,2526
@@ -55,13 +55,13 @@ ybox/pkg/uninst.py,sha256=ndqZ_WYr9HE5jVL1tQ_tTmSPyTFM6OJRCTLLmG-Qm4w,5338
 ybox/pkg/update.py,sha256=M-1MC8oh-baTHdSPWUUSTU_AhN3eu2nTCSge3bb6GmI,3269
 ybox/run/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 ybox/run/cmd.py,sha256=a77RMC14Vovx2NV3LgdAzXVZXStC1TucgjcHPz4x03A,2105
-ybox/run/control.py,sha256=9-ETodWye6A6eUNGKYWrXtNGCHz0eC452N_ZQNXiIiI,7006
-ybox/run/create.py,sha256=DXEs1bXlC7tDK4PKNI2_O8PzRaDwuwmgN9Hy0CFDSV4,70109
-ybox/run/destroy.py,sha256=nbF0dvjTqqepFo2c3a0IlUxDuLrBtFqPqP-z96eRMH4,5467
-ybox/run/graphics.py,sha256=635Ry0sXIKCpM14ZPDHsQfw-xHNARbvaaAFNDpx3oo4,18991
+ybox/run/control.py,sha256=Lvew2tqtWy5xcZMPXuh5sTrM2K92MykXfdMfBuKsIDc,7540
+ybox/run/create.py,sha256=N2ULSoBsMWamBcm_JMLeZQdvMPhilhzFeM1aMkPDw7s,73062
+ybox/run/destroy.py,sha256=i3N2zRCgrQM_lGA6W28O6Y-D1NIwBP64PA1e6vhOkL4,6315
+ybox/run/graphics.py,sha256=mKQFU0la83Rv2V5l9TS25KIbqYmMnZjGQgGghLlfQp8,20309
 ybox/run/logs.py,sha256=pIdMWgNBNl-MgixArbMryUuBNNbi5JvDFP62IZ7jwr8,2050
 ybox/run/ls.py,sha256=7ylyxOOYEsVWK8baM0GaZcUlVQBwpdGiF7EhU09xf2s,2787
-ybox/run/pkg.py,sha256=dmv0iW-0KmcG400lRCcxQ1QCiiWJTda2kGJ1dRwyP_k,27219
+ybox/run/pkg.py,sha256=6pes_wpVmPDiFYGfr8568GpyMByzor4dK5DSWaYmdsE,27219
 ybox/schema/0.9.1-added.sql,sha256=1rGp2DczZmmC_xwjmheeZNPSbDpFzasu6LO3tpTy3zI,1049
 ybox/schema/0.9.6-added.sql,sha256=Qcho6dP5OUpPUW3IBWl_kv88agMPHzueUAKqnZPnt3U,809
 ybox/schema/init.sql,sha256=fei8lPvjb-EIjm5zuA_XkEdjsIE3vtROhgRPt7QMlSs,1599
@@ -69,9 +69,9 @@ ybox/schema/migrate/0.9.0:0.9.1.sql,sha256=e9JGwrjFZXdWKGv2JQZlKcWz8DmOuUARpToSs
 ybox/schema/migrate/0.9.1:0.9.2.sql,sha256=X5J3unDS0eLeVvYKxQgx-iUBoAOk9T2suO34pWlQ-lE,362
 ybox/schema/migrate/0.9.2:0.9.3.sql,sha256=Y7GeBSuEEs7Hs9hh-KYDARgeeMgwQwercvTB5P_-k6I,102
 ybox/schema/migrate/0.9.5:0.9.6.sql,sha256=wqYhmputlUQzBI5zfP7O5kqIFWAbZQ05kolyHK4714A,70
-ybox-0.9.10.dist-info/LICENSE,sha256=7GbFgERMXSwD1VyLA5bo_XHvJipmNEUhDW5Sy51TFeY,1077
-ybox-0.9.10.dist-info/METADATA,sha256=oRc9oG6OSP28XaYhfRtp3sAXXqjkPKDEamSCtU-NHLk,24759
-ybox-0.9.10.dist-info/WHEEL,sha256=jB7zZ3N9hIM9adW7qlTAyycLYW9npaWKLRzaoVcLKcM,91
-ybox-0.9.10.dist-info/entry_points.txt,sha256=xDlI_84Hl3ytYO_ERyt0rkJ4ioUF8Z1r49Hx1xL28Rk,243
-ybox-0.9.10.dist-info/top_level.txt,sha256=DYX7jvndHcBaJXLJ8vDyKrq0_KWoSeXXFq8r0d5L6Nk,5
-ybox-0.9.10.dist-info/RECORD,,
+ybox-0.9.11.dist-info/licenses/LICENSE,sha256=7GbFgERMXSwD1VyLA5bo_XHvJipmNEUhDW5Sy51TFeY,1077
+ybox-0.9.11.dist-info/METADATA,sha256=64TAyPzQLQVg4KBazcBTshFP8OPYS5D1npAgIvu9QDQ,25772
+ybox-0.9.11.dist-info/WHEEL,sha256=CmyFI0kx5cdEMTLiONQRbGQwjIoR1aIYB7eCAQ4KPJ0,91
+ybox-0.9.11.dist-info/entry_points.txt,sha256=xDlI_84Hl3ytYO_ERyt0rkJ4ioUF8Z1r49Hx1xL28Rk,243
+ybox-0.9.11.dist-info/top_level.txt,sha256=DYX7jvndHcBaJXLJ8vDyKrq0_KWoSeXXFq8r0d5L6Nk,5
+ybox-0.9.11.dist-info/RECORD,,

{ybox-0.9.10.dist-info → ybox-0.9.11.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (75.8.2)
+Generator: setuptools (78.1.0)
 Root-Is-Purelib: true
 Tag: py3-none-any