ybox 0.9.11.1__tar.gz → 0.9.12__tar.gz

{ybox-0.9.11.1/src/ybox.egg-info → ybox-0.9.12}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ybox
-Version: 0.9.11.1
+Version: 0.9.12
 Summary: Securely run Linux distribution inside a container
 Author-email: Sumedh Wale <sumwale@yahoo.com>, Vishal Rao <vishalrao@gmail.com>
 License: Copyright (c) 2024-2025 Sumedh Wale and contributors

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/__init__.py

@@ -1,2 +1,2 @@
 """`ybox` is a tool to easily manage linux distributions in containers"""
-__version__ = "0.9.11.1"
+__version__ = "0.9.12"

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/conf/distros/arch/distro.ini

@@ -50,12 +50,12 @@ recommended_deps = intel-media-driver libva-mesa-driver vulkan-intel vulkan-mesa
 # optional packages for enhanced experience in shell and GUI apps
 # (for some reason TERMINFO_DIRS does not work for root user, so explicitly installing terminfo
 #  packages for other terminal emulators available in arch which occupy only a tiny space)
-suggested = cantarell-fonts ttf-fira-code noto-fonts neovim eza ncdu fd bat
+suggested = cantarell-fonts ttf-fira-code noto-fonts neovim eza ncdu fd bat gnome-settings-daemon
             kitty-terminfo rxvt-unicode-terminfo realtime-privileges tree starship
 # dependencies of the `suggested` packages
 suggested_deps = xsel
 # additional packages that are in AUR and installed by paru in init-user.sh
-extra = neovim-symlinks tinyxxd autojump
+extra = neovim-symlinks tinyxxd
 
 
 # The commands here will be run as normal userns mapped user, so use sudo if the command

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/conf/distros/deb-generic/distro.ini

@@ -53,7 +53,7 @@ recommended_deps = xauth netbase xdg-user-dirs intel-media-va-driver-non-free me
                    mesa-vulkan-drivers libfribidi0 fonts-dejavu-core sensible-utils libpam-cap
 # optional packages for enhanced experience in shell and GUI apps
 suggested = fonts-cantarell fonts-firacode fonts-noto-core neovim ncdu fd-find bat
-            kitty-terminfo tree autojump
+            gnome-settings-daemon-common kitty-terminfo tree
 # dependencies of the `suggested` packages
 suggested_deps = xsel xxd
 

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/conf/profiles/basic.ini

@@ -151,6 +151,12 @@ log_opts = max-size=10m,max-file=3
 # the --device option to podman/docker run. Example: devices = /dev/video0,/dev/ttyUSB0
 devices =
 
+# Additional options passed as such to the podman/docker run command.
+# These are parsed using `shlex.split()`, so use POSIX shell quotes and escape characters for
+# spaces and other special characters in an option.
+custom_options =
+
+
 # The security-opt and other security options passed to podman/docker.
 # You should restrict these as required.
 # If these have to be relaxed for some apps, then it is highly recommended to put
@@ -189,10 +195,29 @@ label = type:container_runtime_t
 # --ulimit=host is only available for podman which copies host ulimits by default
 # ulimits = host
 # default is private IPC
-# WARNING: setting this to 'host' can open a major security attack vector
+# WARNING: setting this to 'host' can open a significant security attack vector
 ipc = private
 
 
+# Networking related options passed to podman/docker. Available keys are:
+#    mode: set the networking mode, passed as --network=...
+#    expose: comma-separated container ports to expose, passed as --expose=...
+#    publish: comma-separated container ports to publish to the host, passed as --publish=...
+#    publish_all: publish all exposed ports to the host, value can be empty which means enable
+#                 or explicit boolean (true/false, on/off, 1/0) and is passed as -P when enabled
+#    host: host name for the container, passed as --hostname=...
+#    ip: ipv4 address of the container, passed as --ip=...
+#    ip6: ipv6 address of the container, passed as --ip6=...
+#    dns: custom DNS servers, passed as --dns=...
+#    dns_option: custom DNS options, passed as --dns-option=...
+#    dns_search: custom DNS search domain, passed as --dns-search=...
+#    mac: custom MAC address for the network interface of the container, passed as --mac-address=...
+#    alias: network scoped alias for the container, passed as --network-alias=...
+[network]
+# WARNING: setting this to 'host' can open significant security attack vectors
+mode =
+
+
 # These are podman/docker volumes that can use either the format of --mount or -v options
 # (the scripts make a quick guess by searching for = or ,).
 # These will typically include some directories from your home like Downloads.
@@ -256,6 +281,7 @@ zsh_p10 = $HOME/.p10k.zsh -> .p10k.zsh
 dir_colors = $HOME/.dir_colors -> .dir_colors
 vimrc = $HOME/.vimrc -> .vimrc
 nvimrc = $HOME/.config/nvim -> .config/nvim
+dconf = $HOME/.config/dconf -> .config/dconf
 themes = $HOME/.themes -> .themes
 cursors = $HOME/.icons -> .icons
 icons = $HOME/.local/share/icons -> .local/share/icons
@@ -264,8 +290,7 @@ gitconf = $HOME/.gitconfig -> .gitconfig
 gtk2rc = $HOME/.gtkrc-2.0 -> .gtkrc-2.0
 gtk3rc = $HOME/.config/gtk-3.0 -> .config/gtk-3.0
 gtk4rc = $HOME/.config/gtk-4.0 -> .config/gtk-4.0
-qt5conf = $HOME/.config/Trolltech.conf -> .config/Trolltech.conf
-qt5ctconf = $HOME/.config/qt5ct/qt5ct.conf -> .config/qt5ct/qt5ct.conf
+qtconf = $HOME/.config/Trolltech.conf -> .config/Trolltech.conf
 ariaconf = $HOME/.config/aria2/aria2.conf -> .config/aria2/aria2.conf
 speechconf = $HOME/.config/speech-dispatcher -> .config/speech-dispatcher
 
@@ -325,11 +350,14 @@ XMODIFIERS
 chromium = !p --enable-chrome-browser-cloud-management !a
 
 
-# Startup programs you want to run when starting the container. These are run using
-# /bin/bash shell of the container, so you can use shell variables if required.
+# Startup programs to run in background when starting the container. Each command is run using
+# `nohup` and in background with logs in `$HOME/.local/share/ybox/logs/app-<number>_{out|err}.log`
+# (`_out.log` suffix for standard output and `_err.log` for standard error). The number is the
+# 1-based index of the command in the list in the section below.
+#
 # These programs are run as normal container user, so if you need to run using root
-# account then add 'sudo' before the command.
+# account then add 'sudo' before the command. The commands (i.e. the values of the keys)
+# should be in a single line and cannot contain newlines.
 [startup]
 # for example you can avoid sharing dbus of the original session rather start a separate one
 #dbus = /usr/bin/dbus-daemon --session
-#dbus_sys = sudo /usr/bin/dbus-daemon --system

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/conf/resources/entrypoint-user.sh

@@ -10,7 +10,7 @@ current_user="$(id -un)"
 user_home="$(getent passwd "$current_user" | cut -d: -f6)"
 # set gpg keyserver to an available one
 mkdir -p "$user_home/.gnupg" && chmod 0700 "$user_home/.gnupg"
-echo "keyserver $DEFAULT_GPG_KEY_SERVER" > "$user_home/.gnupg/dirmngr.conf"
+echo "keyserver $DEFAULT_GPG_KEY_SERVER" > "$user_home/.gnupg/dirmngr.conf" || /bin/true
 rm -f "$user_home"/.gnupg/*/*.lock
 
 if [ ! -e "$user_home/.config/pip/pip.conf" ]; then

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/conf/resources/entrypoint.sh

@@ -110,11 +110,12 @@ function install_apps() {
 function invoke_startup_apps() {
   log_dir="$HOME/.local/share/ybox/logs"
   log_no=1
+  mkdir -p "$log_dir"
   # start apps in the order listed in the file
   while read -r app_line; do
-    mkdir -p "$log_dir"
     echo_color "$fg_orange" "Starting: ${app_line:0:40} ..." >> $status_file
     nohup $app_line >> "$log_dir/app-${log_no}_out.log" 2>> "$log_dir/app-${log_no}_err.log" &
+    ((log_no++))
     sleep 1
   done < "$startup_list"
 }
@@ -176,6 +177,7 @@ done
 # change ownership of user's /run/user/<uid> tree which may have root ownership due to the
 # docker bind mounts
 run_dir=${XDG_RUNTIME_DIR:-/run/user/$uid}
+host_run_dir=${run_dir}-host
 if [ -d $run_dir ]; then
   $SUDO chown $uid:$gid $run_dir 2>/dev/null || true
 fi
@@ -183,6 +185,11 @@ if compgen -G "$run_dir/*" >/dev/null; then
   $SUDO chown $uid:$gid $run_dir/* 2>/dev/null || true
 fi
 
+# link wayland sockets/locks if enabled
+if [ "$ENABLE_WAYLAND" = true ] && compgen -G "$host_run_dir/wayland-*" >/dev/null; then
+  ln -sf $host_run_dir/wayland-* $run_dir/.
+fi
+
 # run actions requiring root access
 $SUDO /bin/bash "$SCRIPT_DIR/entrypoint-root.sh"
 
@@ -210,13 +217,13 @@ if [ ! -e "$SCRIPT_DIR/ybox-init.done" ]; then
 fi
 
 # process config files, application installs and invoke startup apps
-if [ -n "$config_list" ]; then
+if [ -n "$config_list" -a -s "$config_list" ]; then
   replicate_config_files
 fi
-if [ -n "$app_list" ]; then
+if [ -n "$app_list" -a -s "$app_list" ]; then
   install_apps
 fi
-if [ -n "$startup_list" ]; then
+if [ -n "$startup_list" -a -s "$startup_list" ]; then
   invoke_startup_apps
 fi
 # update the status file to indicate successful startup

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/conf/resources/run-in-dir

@@ -64,7 +64,6 @@ if [ -e "$nvidia_setup" ]; then
         sudo /bin/bash "$nvidia_setup" || /bin/true
       fi
     ) 100>"$lock_file"
-    break
   fi
 fi
 

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/config.py

@@ -44,6 +44,7 @@ class StaticConfiguration:
         self._status_file = f"{container_dir}/status"
         self._config_list = f"{self._scripts_dir}/config.list"
         self._app_list = f"{self._scripts_dir}/app.list"
+        self._startup_list = f"{self._scripts_dir}/startup.list"
 
     @property
     def env(self) -> Environ:
@@ -123,8 +124,6 @@ class StaticConfiguration:
         """local status file to communicate when the container is ready for use"""
         return self._status_file
 
-    # file containing list of configuration files to be linked on that container to host
-    # as mentioned in the [configs] section
     @property
     def config_list(self) -> str:
         """file containing list of configuration files to be linked on that container to host
@@ -136,6 +135,11 @@ class StaticConfiguration:
         """file containing list of applications to be installed in the container"""
         return self._app_list
 
+    @property
+    def startup_list(self) -> str:
+        """file containing list of commands to be executed in the container on startup"""
+        return self._startup_list
+
 
 class Consts:
     """

ybox-0.9.12/src/ybox/pkg/clean.py

@@ -0,0 +1,43 @@
+"""
+Clean package cache and related intermediate files of an active ybox container.
+"""
+
+import argparse
+from configparser import SectionProxy
+
+from ybox.cmd import (PkgMgr, build_shell_command, check_active_ybox,
+                      run_command)
+from ybox.config import StaticConfiguration
+from ybox.print import print_info
+from ybox.state import RuntimeConfiguration, YboxStateManagement
+
+
+# noinspection PyUnusedLocal
+def clean_cache(args: argparse.Namespace, pkgmgr: SectionProxy, docker_cmd: str,
+                conf: StaticConfiguration, runtime_conf: RuntimeConfiguration,
+                state: YboxStateManagement) -> int:
+    # pylint: disable=unused-argument
+    """
+    Clean package cache and related intermediate files.
+
+    :param args: arguments having `package` and all other attributes passed by the user
+    :param pkgmgr: the `[pkgmgr]` section from `distro.ini` configuration file of the distribution
+    :param docker_cmd: the podman/docker executable to use
+    :param conf: the :class:`StaticConfiguration` for the container
+    :param runtime_conf: the `RuntimeConfiguration` of the container
+    :param state: instance of `YboxStateManagement` having the state of all ybox containers
+    :return: integer exit status of clean command where 0 represents success
+    """
+    clean_cmd = pkgmgr[PkgMgr.CLEAN.value] if args.ask else pkgmgr[PkgMgr.CLEAN_QUIET.value]
+    # run clean for each container since it can involve actions that are container specific
+    # apart from the generic ones for the shared root (e.g. AUR cache cleaning for Arch Linux)
+    code = 0
+    for container in state.get_containers(shared_root=runtime_conf.shared_root):
+        if not check_active_ybox(docker_cmd, container):
+            continue
+        print_info(f"Cleaning package cache in container '{container}'")
+        if (c := int(run_command(build_shell_command(docker_cmd, container, clean_cmd),
+                                 exit_on_error=False, error_msg="cleaning package cache"))) != 0:
+            code = c
+        print()
+    return code

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/pkg/inst.py

@@ -32,10 +32,16 @@ _EXEC_ICON_RE = re.compile(f"{_EXEC_PATTERN}|{_ICON_PATH_PATTERN}")
 # match !p and !a to replace executable program (third group above) and arguments respectively
 _FLAGS_RE = re.compile("![ap]")
 # environment variables passed through from host environment to podman/docker executable
-_PASSTHROUGH_ENVVARS = ("XAUTHORITY", "DISPLAY", "WAYLAND_DISPLAY", "FREETYPE_PROPERTIES",
+_PASSTHROUGH_ENVVARS = ("XAUTHORITY", "DISPLAY", "XDG_SESSION_TYPE", "FREETYPE_PROPERTIES",
                         "SSH_AUTH_SOCK", "GPG_AGENT_INFO",
                         "__NV_PRIME_RENDER_OFFLOAD", "__GLX_VENDOR_LIBRARY_NAME",
                         "__VK_LAYER_NV_optimus", "VK_ICD_FILES", "VK_ICD_FILENAMES")
+# environment variables passed from host to podman/docker executable with empty if not set;
+# note that these variables are assumed to have values that don't need quoting by /bin/sh
+# else code will need to be updated to quote $<var> value when passing to the shell
+_PASSTHRU_EMPTY_ENVVARS = ("WAYLAND_DISPLAY", "QT_QPA_PLATFORM")
+# characters that need to be escaped in quoted string of Exec/TryExec line
+_DESKTOP_ESCAPE_RE = re.compile(r'["`$\\]')
 
 
 def install_package(args: argparse.Namespace, pkgmgr: SectionProxy, docker_cmd: str,
@@ -356,9 +362,9 @@ def wrap_container_files(package: str, copy_type: CopyType, app_flags: dict[str,
                     # clear EXECUTABLE mask so that no wrapper executable is created
                     copy_type &= ~CopyType.EXECUTABLE
 
-    # the "-it" flag is used for both desktop file and executable for podman/docker exec
-    # since it is safe (unless the app may need stdin in which case Terminal must be true
-    #   in its desktop file in which case a terminal will be opened during execution)
+    # the "-i" flag is used in the wrapper executable for podman/docker exec which is safe;
+    # if the app needs stdin then Terminal must be true in its desktop file in which case
+    # a terminal will be opened during execution
     for file_dir, filename, file in file_paths:
         # check if this is a .desktop directory and copy it over adding appropriate
         # "docker exec" prefix to the command
@@ -454,8 +460,6 @@ def _wrap_desktop_file(filename: str, file: str, docker_cmd: str, conf: StaticCo
                       container configuration
     :param wrapper_files: the accumulated list of all wrapper files so far
     """
-    # container name is added to desktop file to make it unique
-    wrapper_name = f"ybox.{conf.box_name}.{filename}"
 
     def replace_exec_icon(match: re.Match[str]) -> str:
         """replace Exec, TryExec and Icon lines appropriately for the host system"""
@@ -475,14 +479,20 @@ def _wrap_desktop_file(filename: str, file: str, docker_cmd: str, conf: StaticCo
         else:
             full_cmd = program
         # pseudo-tty cannot be allocated with rootless docker outside of a terminal app
-        env_vars = " -e=".join(_PASSTHROUGH_ENVVARS)
-        return (f'{exec_word}{docker_cmd} exec -e={env_vars} {conf.box_name} '
-                f'/usr/local/bin/run-in-dir "" {full_cmd}\n')
+        ev1 = " -e=".join(_PASSTHROUGH_ENVVARS)
+        ev2 = " -e=".join((f"{k}=\\\\${k}" for k in _PASSTHRU_EMPTY_ENVVARS))
+        full_cmd = _DESKTOP_ESCAPE_RE.sub(r'\\\g<0>', full_cmd)
+        # TODO: SW: add "-i" flag if Terminal is true
+        return (f'{exec_word}/bin/sh -c "{docker_cmd} exec -e={ev1} -e={ev2} {conf.box_name} '
+                f'/usr/local/bin/run-in-dir \\\\"\\\\" {full_cmd}"\n')
 
     # the destination will be $HOME/.local/share/applications
     os.makedirs(conf.env.user_applications_dir, mode=Consts.default_directory_mode(),
                 exist_ok=True)
-    wrapper_file = f"{conf.env.user_applications_dir}/{wrapper_name}"
+    wrapper_file = f"{conf.env.user_applications_dir}/{filename}"
+    if os.path.exists(wrapper_file):
+        # container name is added to desktop file to make it unique
+        wrapper_file = f"{conf.env.user_applications_dir}/ybox.{conf.box_name}.{filename}"
     print_notice(f"Linking container desktop file {file} to {wrapper_file}")
 
     def write_desktop_file(src: str) -> None:
@@ -622,9 +632,12 @@ def _wrap_executable(filename: str, file: str, docker_cmd: str, conf: StaticConf
             lambda f_match: _replace_flags(f_match, flags, f'"{file}"', '"$@"'), flags)
     else:
         full_cmd = f'/usr/local/bin/run-in-dir "`pwd`" "{file}" "$@"'
-    env_vars = " -e=".join(_PASSTHROUGH_ENVVARS)
+    ev1 = " -e=".join(_PASSTHROUGH_ENVVARS)
+    ev2 = " -e=".join((f"{k}=${k}" for k in _PASSTHRU_EMPTY_ENVVARS))
+    # TODO: some apps like those asking for password from terminal (e.g. ssh/ykman) also
+    # need pseudo-terminal i.e. "-t", so allow for an cmdline option to add "-t" here
     exec_content = ("#!/bin/sh\n",
-                    f"exec {docker_cmd} exec -it -e={env_vars} {conf.box_name} ", full_cmd)
+                    f"exec {docker_cmd} exec -i -e={ev1} -e={ev2} {conf.box_name} ", full_cmd)
     with open(wrapper_exec, "w", encoding="utf-8") as wrapper_fd:
         wrapper_fd.writelines(exec_content)
     os.chmod(wrapper_exec, mode=0o755, follow_symlinks=True)

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/run/create.py

@@ -8,6 +8,7 @@ import grp
 import os
 import pwd
 import re
+import shlex
 import shutil
 import stat
 import subprocess
@@ -491,16 +492,20 @@ def process_sections(profile: PathName, conf: StaticConfiguration, pkgmgr: Secti
     for section in config.sections():
         if section == "security":
             process_security_section(config["security"], profile, docker_args)
+        elif section == "network":
+            process_network_section(config["network"], profile, docker_args)
         elif section == "mounts":
             process_mounts_section(config["mounts"], docker_args)
         elif section == "env":
-            process_env_section(config["env"], docker_args)
+            process_env_section(config["env"], conf, docker_args)
         elif section == "configs":
             if config_hardlinks is not None:
                 process_configs_section(config["configs"], config_hardlinks, conf, docker_args)
         elif section == "apps":
             apps_with_deps = process_apps_section(config["apps"], conf, pkgmgr)
-        elif section not in ("base", "app_flags", "startup"):
+        elif section == "startup":
+            process_startup_section(config["startup"], conf)
+        elif section not in ("base", "app_flags"):
             raise NotSupportedError(f"Unknown section [{section}] in '{profile}' "
                                     "or one of its includes")
     return shared_root, config, apps_with_deps
@@ -649,8 +654,11 @@ def process_base_section(base_section: SectionProxy, profile: PathName, conf: St
         elif key == "devices":
             if val:
                 add_multi_opt(docker_args, "device", val)
+        elif key == "custom_options":
+            if val:
+                docker_args.extend(shlex.split(val))
         elif key not in ("name", "dbus_sys", "includes"):
-            raise NotSupportedError(f"Unknown key '{key}' in the [base] of {profile} "
+            raise NotSupportedError(f"Unknown key '{key}' in the [base] section of {profile} "
                                     "or its includes")
     if config_locale:
         for lang_var in ("LANG", "LANGUAGE"):
@@ -796,7 +804,38 @@ def process_security_section(sec_section: SectionProxy, profile: PathName,
             if _get_boolean(val):
                 docker_args.append("--security-opt=no-new-privileges")
         else:
-            raise NotSupportedError(f"Unknown key '{key}' in the [security] of {profile} "
+            raise NotSupportedError(f"Unknown key '{key}' in the [security] section of {profile} "
+                                    "or its includes")
+
+
+def process_network_section(net_section: SectionProxy, profile: PathName,
+                            docker_args: list[str]) -> None:
+    """
+    Process the `[network]` section in the container profile to append required podman/docker
+    options in the list that has been passed.
+
+    :param net_section: an object of :class:`SectionProxy` from parsing the `[network]` section
+    :param profile: the profile file returned by :func:`select_profile` to use for ybox container
+                    configuration as a `Path` or resource file from importlib (`Traversable`)
+    :param docker_args: list of podman/docker arguments to which required options as per the
+                        configuration in the `[network]` section are appended
+    :raises NotSupportedError: if there is an unknown key in the `[network]` section
+    """
+    net_options = {"mode": "network", "host": "hostname", "dns": "dns", "dns_option": "dns-option",
+                   "dns_search": "dns-search", "ip": "ip", "ip6": "ip6", "mac": "mac-address",
+                   "alias": "network-alias"}
+    multi_options = {"expose": "expose", "publish": "publish"}
+    for key, val in net_section.items():
+        if opt := net_options.get(key):
+            if val:
+                docker_args.append(f"--{opt}={val}")
+        elif opt := multi_options.get(key):
+            add_multi_opt(docker_args, opt, val)
+        elif key == "publish_all":
+            if not val or _get_boolean(val):  # empty value means enable
+                docker_args.append("-P")
+        else:
+            raise NotSupportedError(f"Unknown key '{key}' in the [network] section of {profile} "
                                     "or its includes")
 
 
@@ -811,7 +850,7 @@ def process_mounts_section(mounts_section: SectionProxy, docker_args: list[str])
     """
     # keys here are only symbolic names and serve no purpose other than allowing
     # later profile files to override previous ones
-    for _, val in mounts_section.items():
+    for val in mounts_section.values():
         if val:
             if "=" in val or "," in val:
                 docker_args.append(f"--mount={val}")
@@ -861,7 +900,10 @@ def process_configs_section(configs_section: SectionProxy, config_hardlinks: boo
             dest_path = f"{conf.configs_dir}/{dest_rel_path}"
             if os.access(src_path, os.R_OK):
                 if os.path.exists(dest_path):
-                    shutil.rmtree(dest_path, ignore_errors=True)
+                    if os.path.isdir(dest_path):
+                        shutil.rmtree(dest_path)
+                    else:
+                        os.unlink(dest_path)
                 else:
                     os.makedirs(os.path.dirname(dest_path),
                                 mode=Consts.default_directory_mode(), exist_ok=True)
@@ -891,15 +933,27 @@ def process_configs_section(configs_section: SectionProxy, config_hardlinks: boo
     add_mount_option(docker_args, conf.configs_dir, conf.target_configs_dir)
 
 
-def process_env_section(env_section: SectionProxy, docker_args: list[str]) -> None:
+def process_env_section(env_section: SectionProxy, conf: StaticConfiguration,
+                        docker_args: list[str]) -> None:
     """
     Process the `[env]` section in the container profile to append required podman/docker
     options in the list that has been passed.
 
     :param env_section: an object of :class:`SectionProxy` from parsing the `[env]` section
+    :param conf: the :class:`StaticConfiguration` for the container
     :param docker_args: list of podman/docker arguments to which required options as per the
                         configuration in the `[env]` section are appended
     """
+    # add a TMPDIR to share between host and container since some apps require TMPDIR to be
+    # visible on the host (e.g. electron uses it to expose the app/tray icon available via dbus)
+    if "TMPDIR" not in env_section:
+        # use /var/tmp rather than /tmp since latter is a tmpfs system in many setups that will not
+        # retain the created tmpdir after a reboot
+        tmpdir = f"/var/tmp/ybox.{conf.box_name}"
+        os.makedirs(tmpdir, exist_ok=True)
+        os.chmod(tmpdir, 0o1777)
+        add_mount_option(docker_args, tmpdir, tmpdir)
+        add_env_option(docker_args, "TMPDIR", tmpdir)
     for key, val in env_section.items():
         add_env_option(docker_args, key, val)
 
@@ -939,7 +993,7 @@ def process_apps_section(apps_section: SectionProxy, conf: StaticConfiguration,
         return dep
 
     with open(conf.app_list, "w", encoding="utf-8") as apps_fd:
-        for _, val in apps_section.items():
+        for val in apps_section.values():
             apps = [app.strip() for app in val.split(",")]
             deps = [capture_dep(match) for dep in apps if (match := _DEP_SUFFIX.match(dep))]
             if deps:
@@ -952,6 +1006,21 @@ def process_apps_section(apps_section: SectionProxy, conf: StaticConfiguration,
     return apps_with_deps
 
 
+def process_startup_section(startup_section: SectionProxy, conf: StaticConfiguration) -> None:
+    """
+    Process the `[startup]` section in the container profile to write the list of commands to be
+    executed (in background) in the container on startup.
+
+    :param startup_section: an object of :class:`SectionProxy` from parsing the `[startup]` section
+    :param conf: the :class:`StaticConfiguration` for the container
+    """
+    if not startup_section:
+        return
+    with open(conf.startup_list, "w", encoding="utf-8") as startup_fd:
+        for val in startup_section.values():
+            startup_fd.write(val + "\n")
+
+
 # The shutil.copytree(...) method does not work correctly for "symlinks=False" (or at least
 #   not like 'cp -aL' or 'cp -alL') where it does not create the source symlinked file rather
 # only the target one in the destination directory, and neither does it provide the option to
@@ -1236,6 +1305,9 @@ def run_container(docker_full_cmd: list[str], current_user: str, shared_root: st
     if os.access(conf.app_list, os.R_OK):
         docker_full_cmd.append("-a")
         docker_full_cmd.append(f"{conf.target_scripts_dir}/app.list")
+    if os.access(conf.startup_list, os.R_OK):
+        docker_full_cmd.append("-s")
+        docker_full_cmd.append(f"{conf.target_scripts_dir}/startup.list")
     docker_full_cmd.append(conf.box_name)
 
     if (code := int(run_command(docker_full_cmd, exit_on_error=False,

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/run/destroy.py

@@ -56,6 +56,11 @@ def main_argv(argv: list[str]) -> None:
     rm_args.append(container_name)
     run_command(rm_args, error_msg=f"removing '{container_name}'")
 
+    # remove shared TMPDIR if present
+    tmpdir = f"/var/tmp/ybox.{container_name}"
+    if os.path.isdir(tmpdir) and os.access(tmpdir, os.W_OK):
+        shutil.rmtree(tmpdir)
+
     # remove systemd service file and reload daemon
     if systemctl:
         print_color(f"Removing systemd service '{ybox_svc}' and reloading daemon", fg=fgcolor.cyan)

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/run/graphics.py

@@ -126,12 +126,11 @@ def enable_wayland(docker_args: list[str], env: Environ) -> None:
     :param docker_args: list of podman/docker arguments to which the options have to be appended
     :param env: an instance of the current :class:`Environ`
     """
-    if env.xdg_rt_dir and (wayland_display := os.environ.get("WAYLAND_DISPLAY")):
-        add_env_option(docker_args, "WAYLAND_DISPLAY", wayland_display)
-        wayland_sock = f"{env.xdg_rt_dir}/{wayland_display}"
-        if os.access(wayland_sock, os.W_OK):
-            add_mount_option(docker_args, wayland_sock,
-                             f"{env.target_xdg_rt_dir}/{wayland_display}")
+    if env.xdg_rt_dir:
+        add_env_option(docker_args, "WAYLAND_DISPLAY")
+        # don't bind wayland sockets rather link in entrypoint so that it works even
+        # when run in X11 setup after being created in Wayland setup
+        add_env_option(docker_args, "ENABLE_WAYLAND", "true")
 
 
 def enable_dri(docker_args: list[str]) -> None:

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox/run/pkg.py

@@ -376,7 +376,8 @@ def add_clean(subparser: argparse.ArgumentParser) -> None:
 
     :param subparser: the :class:`argparse.ArgumentParser` object for the sub-command
     """
-    subparser.set_defaults(needs_state=False)
+    subparser.add_argument("-A", "--ask", action="store_true",
+                           help="ask before each action else silently clean everything")
     subparser.set_defaults(group_by_shared_root=True)
     subparser.set_defaults(func=clean_cache)
 

{ybox-0.9.11.1 → ybox-0.9.12/src/ybox.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: ybox
-Version: 0.9.11.1
+Version: 0.9.12
 Summary: Securely run Linux distribution inside a container
 Author-email: Sumedh Wale <sumwale@yahoo.com>, Vishal Rao <vishalrao@gmail.com>
 License: Copyright (c) 2024-2025 Sumedh Wale and contributors

{ybox-0.9.11.1 → ybox-0.9.12}/src/ybox.egg-info/SOURCES.txt

@@ -79,6 +79,7 @@ src/ybox/schema/migrate/0.9.0:0.9.1.sql
 src/ybox/schema/migrate/0.9.1:0.9.2.sql
 src/ybox/schema/migrate/0.9.2:0.9.3.sql
 src/ybox/schema/migrate/0.9.5:0.9.6.sql
+tests/create-all-migration-dbs.sh
 tests/create_migration_db.py
 tests/functional/__init__.py
 tests/functional/distro_base.py

ybox-0.9.12/tests/create-all-migration-dbs.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+# create test migration databases for all versions listed in test_state.py#test_migration
+
+set -e
+
+# use only standard system paths for all utilities
+export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
+
+SCRIPT="$(basename "${BASH_SOURCE[0]}")"
+PROJ_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && cd .. && pwd)"
+
+# keep this in sync with the list in test_state.py#test_migration
+all_versions="0.9.0 0.9.1 0.9.2 0.9.5 0.9.6 0.9.7 0.9.10"
+
+# checkout the repository in a temporary path
+tmp_co_dir="$PROJ_DIR/tmp-ybox"
+rm -rf "$tmp_co_dir" && mkdir -p "$tmp_co_dir"
+git clone https://github.com/sumwale/ybox.git "$tmp_co_dir/"
+
+pushd "$tmp_co_dir"
+rm -f "$PROJ_DIR/tests/resources/migration"/*
+
+# for all versions, checkout the tag, copy latest test artifacts and profiles used by
+# test_migration, and run the create_migration_db.py script to create the db for the tag
+for ver in $all_versions; do
+  git reset --hard
+  rm -rf tests src/ybox/conf/profiles
+  git checkout v$ver
+  rm -rf tests src/ybox/conf/profiles
+  cp -r "$PROJ_DIR/tests" tests
+  cp -r "$PROJ_DIR/src/ybox/conf/profiles" src/ybox/conf/profiles
+  find . -name __pycache__ -type d -print0 | xargs -0 -r rm -rf
+  echo
+  echo "Creating test migration database for ybox version:"
+  tail -n1 src/ybox/__init__.py
+  echo
+  PYTHONPATH=./src python3 ./tests/create_migration_db.py "$PROJ_DIR/tests/resources/migration/"
+done
+
+popd
+rm -rf "$tmp_co_dir"
+
+exit 0

{ybox-0.9.11.1 → ybox-0.9.12}/tests/unit/test_config.py

@@ -78,6 +78,7 @@ def test_properties(env: Environ, config: static_conf):
     assert config.status_file == f"{env.data_dir}/{_TEST_CONTAINER}/status"
     assert config.config_list == f"{env.data_dir}/{_TEST_CONTAINER}/ybox-scripts/config.list"
     assert config.app_list == f"{env.data_dir}/{_TEST_CONTAINER}/ybox-scripts/app.list"
+    assert config.startup_list == f"{env.data_dir}/{_TEST_CONTAINER}/ybox-scripts/startup.list"
 
 
 def test_consts():

ybox-0.9.11.1/src/ybox/pkg/clean.py

@@ -1,27 +0,0 @@
-"""
-Clean package cache and related intermediate files of an active ybox container.
-"""
-
-import argparse
-from configparser import SectionProxy
-
-from ybox.cmd import PkgMgr, build_shell_command, run_command
-from ybox.config import StaticConfiguration
-from ybox.print import print_info
-
-
-def clean_cache(args: argparse.Namespace, pkgmgr: SectionProxy, docker_cmd: str,
-                conf: StaticConfiguration) -> int:
-    """
-    Clean package cache and related intermediate files.
-
-    :param args: arguments having `quiet` and all other attributes passed by the user
-    :param pkgmgr: the `[pkgmgr]` section from `distro.ini` configuration file of the distribution
-    :param docker_cmd: the podman/docker executable to use
-    :param conf: the :class:`StaticConfiguration` for the container
-    :return: integer exit status of clean command where 0 represents success
-    """
-    print_info(f"Cleaning package cache in container '{conf.box_name}'")
-    clean_cmd = pkgmgr[PkgMgr.CLEAN_QUIET.value] if args.quiet else pkgmgr[PkgMgr.CLEAN.value]
-    return int(run_command(build_shell_command(docker_cmd, conf.box_name, clean_cmd),
-                           exit_on_error=False, error_msg="cleaning package cache"))