ybox 0.9.8.1__py3-none-any.whl → 0.9.11__py3-none-any.whl

ybox/__init__.py

@@ -1,2 +1,2 @@
 """`ybox` is a tool to easily manage linux distributions in containers"""
-__version__ = "0.9.8.1"
+__version__ = "0.9.11"

ybox/cmd.py

@@ -10,6 +10,7 @@ import sys
 from enum import Enum
 from typing import Callable, Iterable, Optional, Union
 
+from ybox import __version__ as product_version
 from ybox.config import Consts
 
 from .print import print_error, print_info, print_notice, print_warn
@@ -207,7 +208,7 @@ def run_command(cmd: Union[str, list[str]], capture_output: bool = False,
             sys.exit(result.returncode)
         else:
             return result.returncode
-    if capture_output and result.stderr:
+    if capture_output and result.stderr and error_msg != "SKIP":
         print_warn(result.stderr.decode("utf-8"), file=sys.stderr)
     return result.stdout.decode("utf-8") if capture_output else result.returncode
 
@@ -221,6 +222,21 @@ def _print_subprocess_output(result: subprocess.CompletedProcess[bytes]) -> None
         print_warn(result.stderr.decode("utf-8"), file=sys.stderr)
 
 
+def parser_version_check(parser: argparse.ArgumentParser, argv: list[str]) -> None:
+    """
+    Update command-line parser to add `--version` option to existing ones that will output the
+    ybox product version and exit if specified in the given list of arguments.
+
+    :param parser: instance of :class:`argparse.ArgumentParser` having the command-line parser
+    :param argv: the list of arguments to be parsed
+    """
+    parser.add_argument("--version", action="store_true", help="output ybox version")
+    # argv may have required positional arguments, hence check for --version separately
+    if "--version" in argv:
+        print(product_version)
+        sys.exit(0)
+
+
 def parse_opt_deps_args(argv: list[str]) -> argparse.Namespace:
     """
     Common command-line parser for `opt_deps` utilities (see [pkgmgr] section of distro.ini)

ybox/conf/completions/ybox.fish

@@ -29,6 +29,8 @@ end
 complete -f -c ybox-create -s h -l help -d "show help"
 complete -c ybox-create -s n -l name -d "name of the ybox container" -r
 complete -f -c ybox-create -s F -l force-own-orphans -d "force ownership of orphans on shared root"
+complete -f -c ybox-create -s C -l distribution-config -d "path to custom distribution configuration file"
+complete -f -c ybox-create -l distribution-image -d "custom container image"
 complete -f -c ybox-create -s q -l quiet -d "skip interactive questions"
 complete -f -c ybox-create -n "not __fish_seen_subcommand_from (__fish_ybox_complete_distributions)" -a "(__fish_ybox_complete_distributions)"
 

ybox/conf/distros/arch/init-user.sh

@@ -10,8 +10,8 @@ current_user="$(id -un)"
 # install binaries for paru from paru-bin (paru takes too long to compile)
 PARU="paru --noconfirm"
 echo_color "$fg_cyan" "Installing AUR helper 'paru'" >> $status_file
-export HOME="$(eval echo "~$current_user")"
-cd ~
+export HOME=$(getent passwd "$current_user" | cut -d: -f6)
+cd "$HOME"
 rm -rf paru-bin
 git clone https://aur.archlinux.org/paru-bin.git
 cd paru-bin

ybox/conf/distros/arch/init.sh

@@ -6,6 +6,7 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 source "$SCRIPT_DIR/entrypoint-common.sh"
 
+export HOME=/root
 # pacman configuration
 PAC="pacman --noconfirm"
 echo_color "$fg_cyan" "Configuring pacman" >> $status_file

ybox/conf/distros/arch/pkgdeps.py

@@ -17,6 +17,8 @@ where:
                   newlines in the description
 """
 
+# TODO: SW: this is returning back installed packages too which should be skipped
+
 import gzip
 import os
 import re

ybox/conf/distros/deb-generic/pkgdeps.py

@@ -11,7 +11,7 @@ where:
             and so on; resolution of level > 2 is not required since caller currently ignores those
  * <order>: this is a simple counter assigned to the dependencies where the value itself is of no
             significance but if multiple dependencies have the same value then it means that they
-            are ORed dependencies and only one of them should normlly be selected for installation
+            are ORed dependencies and only one of them need to be selected for installation
  * <installed>: true if the dependency already installed and false otherwise
  * <description>: detailed description of the dependency; it can contain literal \n to indicate
                   newlines in the description
@@ -69,6 +69,7 @@ class PkgDetail(Enum):
     OPTIONAL_DEP = 5
 
 
+# noinspection PyUnusedLocal
 def process_next_item(line: str, parse_line: Callable[[str], tuple[PkgDetail, str]],
                       parse_dep: Callable[[str], Iterable[tuple[str, str, Optional[str]]]],
                       installed: Callable[[str], bool], max_level: int,

ybox/conf/profiles/apps.ini

@@ -1,6 +1,7 @@
 [base]
 name = Profile for CLI and GUI apps
 includes = basic.ini
+ssh_agent = on
 
 [security]
 # SYS_PTRACE may be required by mesa which is invoked indirectly by both firefox and chromium.
@@ -9,6 +10,9 @@ includes = basic.ini
 caps_add = SYS_PTRACE
 
 [mounts]
+# export the host's ssh keys for use by ssh-agent in the container as required ("ro" mode
+#   implies that known_hosts and other files within ~/.ssh cannot be changed)
+ssh = $HOME/.ssh:$TARGET_HOME/.ssh:ro
 music = $HOME/Music:$TARGET_HOME/Music:ro
 pictures = $HOME/Pictures:$TARGET_HOME/Pictures:ro
 videos = $HOME/Videos:$TARGET_HOME/Videos:ro
@@ -19,8 +23,9 @@ videos = $HOME/Videos:$TARGET_HOME/Videos:ro
 
 [app_flags]
 # These flags will be added to Exec line of google-chrome.desktop when it is copied to host.
-# /dev/shm usage is disabled for chrome because that requires ipc=host or mounting host
-# /dev/shm in read-write mode which can be insecure.
-google-chrome = !p --disable-dev-shm-usage !a
-google-chrome-beta = !p --disable-dev-shm-usage !a
-google-chrome-unstable = !p --disable-dev-shm-usage !a
+
+# the --disable-dev-shm-usage flag in chrome/chromium based browsers disables use of /dev/shm
+# which can reduce memory footprint at the cost of performance and increased disk activity
+#google-chrome = !p --disable-dev-shm-usage !a
+#google-chrome-beta = !p --disable-dev-shm-usage !a
+#google-chrome-unstable = !p --disable-dev-shm-usage !a

ybox/conf/profiles/basic.ini

@@ -20,7 +20,8 @@
 #   - YBOX_SYS_CONF_DIR: path to system configuration directory where configuration directory
 #                        shipped with ybox is installed (or the string form of
 #                          the directory if it is not on filesystem like an egg or similar)
-#   - TARGET_HOME: set to the home directory of the container user
+#   - TARGET_HOME: set to the home directory of the container user in the container
+#                  (which is same as the host user's $HOME for podman and /root for docker)
 # Additionally a special notation can be used for current date+time with this notation:
 #   ${NOW:<fmt>}. The <fmt> uses the format supported by python strftime
 # (https://docs.python.org/3/library/datetime.html#datetime.datetime.strftime)
@@ -66,7 +67,7 @@ includes =
 # to freely create as many containers as desired to achieve best isolation without worrying
 # about dramatic increase in disk and/or memory usage.
 shared_root = $HOME/.local/share/ybox/SHARED_ROOTS/$YBOX_DISTRIBUTION_NAME
-# Bind mount the container $HOME to this local path (aka $TARGET_HOME). This makes it
+# Bind mount the container $HOME to this local path. This makes it
 # easier for backup software and otherwise to read useful container data.
 # If not provided then you should explicitly mount required directories in the [mounts]
 # section otherwise home will remain completely ephemeral which is not recommended.
@@ -99,6 +100,16 @@ pulseaudio = on
 dbus = on
 # If enabled then the system dbus from the host is available to the container.
 dbus_sys = off
+# If enabled then the socket for SSH agent, if present, is made available to the container.
+# The $SSH_AUTH_SOCK environment variables must be set in the host environment for this to work.
+# You can also mount $HOME/.ssh with appropriate flags ("ro" if possible) in the [mounts]
+# section to enable the container use the host's ssh keys.
+ssh_agent = off
+# If enabled then the socket for GPG agent, if present, is made available to the container.
+# The $GPG_AGENT_INFO environment variable must be set in the host environment for this to work.
+# You can also mount $HOME/.gnupg with appropriate flags ("ro" if possible) in the [mounts]
+# section to enable the container use the host's gpg keys.
+gpg_agent = off
 # If enabled then Direct Rendering Infrastructure for accelerated graphics is available to
 # the container.
 dri = on
@@ -115,15 +126,15 @@ nvidia = off
 # works well on most Linux distros (https://wiki.archlinux.org/title/docker or
 #    https://wiki.archlinux.org/title/podman), and the official NVIDIA docs:
 #  https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html
-# For example on ubuntu with podman, configure the apt repository from the previous link
+# For example, on ubuntu with podman, configure the apt repository from the previous link
 # and install the package as noted there, then run
 # `sudo nvidia-ctk cdi generate --output=/etc/cdi/nvidia.yaml`.
 # This will need to be repeated if nvidia driver version is upgraded.
 #
 # This will take precedence if both "nvidia" and "nvidia_ctk" are enabled.
 nvidia_ctk = off
-# default podman/docker shm-size is 64m which can be insufficient for many apps
-shm_size = 1g
+# default podman/docker shm-size is only 64m which can be insufficient for many apps
+shm_size = 2g
 # Limit the maximum number of processes in the container (to avoid stuff like fork bombs).
 pids_limit = 2048
 # Logging driver to use. Default for podman/docker is to use journald in modern Linux
@@ -136,6 +147,9 @@ log_driver = json-file
 # Example for docker that does not support `path`
 log_opts = max-size=10m,max-file=3
 
+# Comma separated list of additional devices that should be made available to the container using
+# the --device option to podman/docker run. Example: devices = /dev/video0,/dev/ttyUSB0
+devices =
 
 # The security-opt and other security options passed to podman/docker.
 # You should restrict these as required.
@@ -200,29 +214,41 @@ documents = $HOME/Documents:$TARGET_HOME/Documents:ro
 #   section) to a directory that is mounted read-only.
 #
 # The value has two parts separated by "->" with the LHS of this being the source that
-# is to be copied while the RHS is the required relative path in the target directory.
-# On the target container the same is used to symlink from the target on RHS to source on LHS.
+# is to be copied while the RHS is the required relative path in the container's home directory.
+# Any spaces around "->" are excluded from the LHS and RHS names.
 # Source is skipped if it does not exist or not readable with a message on standard output.
 #
 # Typically this will contain shell, vim and other common configuration files.
 # These can be either files or directories and are skipped if they do not exist.
-# The keys here have no special significance other than the fact that they should be
-# unique and can be used to override in later files that include this one.
+# The keys here should be unique and can be used to override in later files that include this one.
 #
-# Note: The files are symlinks in the container user area and are mounted on a read-only
-# mount by default, so if you need to change a file within a container then you will
-# need to first remove the symlink and make a copy of the file. This will remove the
+# Two special suffixes can be used in the key names:
+#  1) ":dir" : this suffix indicates that the source is a directory and entire directory structure
+#              should be replicated in the target with symlinks only for the individual files;
+#              this helps in cases where user needs to make a separate copy of a file inside
+#              the directory (using either ":copy" suffix or manually)
+#  2) ":copy": this suffix indicates that the source should be copied to the target; if a
+#              file/directory to be copied lies inside another directory that is being linked,
+#              then it should be mentioned before this and marked with ":dir" so that directory
+#              structure is replicated in the target (see example of fish shell config below)
+#
+# Note: The files from the host are mounted read-only by default in the target container, so if
+# you need to change a file within a container then you can use the ":copy" suffix in the key name
+# or manually remove the symlink and make a copy of the file. This will remove the
 # direct sharing between the two which has to be done manually thereon if required.
 # The sharing behavior also depends on "config_hardlinks" as described in its comment above
 # in the [base] section.
 #
-# Note: The HOME environment variable here will be evaluated both in the host
-# session (for the source to be transferred) and inside the container session
-# (for the target). Do not use TARGET_HOME here which can be incorrect for the host session.
+# Note: The LHS should typically have a path having $HOME while RHS will be relative to the
+#       target's home inside the container. Do not use $TARGET_HOME on RHS since path the assumed
+#       to be a relative one and $TARGET_HOME already inserted as required.
 [configs]
+env_conf = $HOME/.config/environment.d -> .config/environment.d
 bashrc = $HOME/.bashrc -> .bashrc
 starship = $HOME/.config/starship.toml -> .config/starship.toml
-fishrc = $HOME/.config/fish -> .config/fish
+# replicate fish configuration directory with copy of fish_variables but symlinks for the rest
+fish_conf:dir = $HOME/.config/fish -> .config/fish
+fish_vars:copy = $HOME/.config/fish/fish_variables -> .config/fish/fish_variables
 omf = $HOME/.config/omf -> .config/omf
 omf_data = $HOME/.local/share/omf -> .local/share/omf
 zshrc = $HOME/.zshrc -> .zshrc
@@ -261,10 +287,11 @@ speechconf = $HOME/.config/speech-dispatcher -> .config/speech-dispatcher
 [env]
 TERM
 TERMINFO_DIRS = /usr/share/terminfo:/var/lib/terminfo
-XDG_CURRENT_DESKTOP
-XDG_SESSION_DESKTOP
+# always pretend desktop to be GNOME since KDE/*DE apps required by xdg-* are not installed
+XDG_CURRENT_DESKTOP = GNOME
+XDG_SESSION_DESKTOP = GNOME
+DESKTOP_SESSION = gnome
 XDG_SESSION_TYPE
-DESKTOP_SESSION
 GTK_IM_MODULE
 QT_IM_MODULE
 SDL_IM_MODULE
@@ -290,14 +317,12 @@ XMODIFIERS
 [app_flags]
 # These flags/arguments will be added to Exec line of chromium.desktop when it is copied to
 # host as well as in the wrapper chromium executable created on the host.
-# You can use "!p" here for the first argument in the 'Exec='/'TryExec=' line in the desktop
+# You can use "!p" here for the first argument in the 'Exec=' line in the desktop
 # file and '!a' for rest of the arguments. When linking to an executable program, '!p' will
 # refer to the full path of the executable while '!a' will be replaced by "$@" in the shell
 # script. Use '!!p' for a literal '!p' and '!!a' for a literal '!a'.
 
-# /dev/shm usage is disabled for chromium because that requires ipc=host or mounting host
-# /dev/shm in read-write mode which is quite insecure.
-chromium = !p --disable-dev-shm-usage --enable-chrome-browser-cloud-management !a
+chromium = !p --enable-chrome-browser-cloud-management !a
 
 
 # Startup programs you want to run when starting the container. These are run using

ybox/conf/profiles/dev.ini

@@ -1,6 +1,7 @@
 [base]
 name = Profile for creating development environment
 includes = basic.ini
+ssh_agent = on
 
 [security]
 # SYS_PTRACE is required by mesa and without this, the following warning can be seen:
@@ -8,16 +9,13 @@ includes = basic.ini
 caps_add = SYS_PTRACE
 
 [mounts]
+# export the host's ssh keys for use by ssh-agent in the container as required ("ro" mode
+#   implies that known_hosts and other files within ~/.ssh cannot be changed)
+ssh = $HOME/.ssh:$TARGET_HOME/.ssh:ro
 # add your projects and other directories having source code
 #projects = $HOME/projects:$TARGET_HOME/projects
 #pyenv = $HOME/.pyenv:$TARGET_HOME/.pyenv:ro
 
-[env]
-# always pretend desktop to be GNOME since KDE apps required by xdg-* are not installed
-XDG_CURRENT_DESKTOP = GNOME
-XDG_SESSION_DESKTOP = GNOME
-DESKTOP_SESSION = gnome
-
 [apps]
 # some packages for Arch Linux - uncomment and update for your distribution as required
 #ides = intellij-idea-community-edition-jre,visual-studio-code-bin,zed

ybox/conf/resources/entrypoint-cp.sh

@@ -28,5 +28,5 @@ echo_color "$fg_purple" "Copying data from container to shared root mounted on '
 IFS="," read -ra shared_dirs_arr <<< "$shared_dirs"
 for dir in "${shared_dirs_arr[@]}"; do
   echo_color "$fg_orange" "Copying $dir to $shared_bind$dir"
-  cp -a "$dir" "$shared_bind$dir"
+  cp -an "$dir" "$shared_bind$dir"
 done

ybox/conf/resources/entrypoint-root.sh

@@ -8,10 +8,11 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 source "$SCRIPT_DIR/entrypoint-common.sh"
 
+export HOME=/root
 echo_color "$fg_cyan" "Copying prime-run, run-in-dir and run-user-bash-cmd" >> $status_file
-cp -a "$SCRIPT_DIR/prime-run" /usr/local/bin/prime-run
-cp -a "$SCRIPT_DIR/run-in-dir" /usr/local/bin/run-in-dir
-cp -a "$SCRIPT_DIR/run-user-bash-cmd" /usr/local/bin/run-user-bash-cmd
+cp -af "$SCRIPT_DIR/prime-run" /usr/local/bin/prime-run
+cp -af "$SCRIPT_DIR/run-in-dir" /usr/local/bin/run-in-dir
+cp -af "$SCRIPT_DIR/run-user-bash-cmd" /usr/local/bin/run-user-bash-cmd
 chmod 0755 /usr/local/bin/prime-run /usr/local/bin/run-in-dir /usr/local/bin/run-user-bash-cmd
 
 # invoke the NVIDIA setup script if present

ybox/conf/resources/entrypoint-user.sh

@@ -13,9 +13,11 @@ mkdir -p "$user_home/.gnupg" && chmod 0700 "$user_home/.gnupg"
 echo "keyserver $DEFAULT_GPG_KEY_SERVER" > "$user_home/.gnupg/dirmngr.conf"
 rm -f "$user_home"/.gnupg/*/*.lock
 
-echo_color "$fg_cyan" "Enabling python pip installation for $current_user" >> $status_file
-mkdir -p "$user_home/.config/pip"
-cat > "$user_home/.config/pip/pip.conf" << EOF
+if [ ! -e "$user_home/.config/pip/pip.conf" ]; then
+  echo_color "$fg_cyan" "Enabling python pip installation for $current_user" >> $status_file
+  mkdir -p "$user_home/.config/pip"
+  cat > "$user_home/.config/pip/pip.conf" << EOF
 [global]
 break-system-packages = true
 EOF
+fi

ybox/conf/resources/entrypoint.sh

@@ -22,7 +22,7 @@ echo -n > $status_file
 # the current user as well as the group of the normal user
 uid="$(id -u)"
 gid="$(id -g)"
-chown $uid:$YBOX_HOST_GID $status_file
+chown $uid:${YBOX_HOST_GID:-$gid} $status_file
 chmod 0660 $status_file
 if [ "$uid" -eq 0 ]; then
   SUDO=""
@@ -47,31 +47,22 @@ function show_usage() {
   echo "  -h               show this help message and exit"
 }
 
-# link the configuration files in HOME to the target directory having the required files
-function link_config_files() {
+# copy/link the configuration files in HOME to the target directory having the required files
+function replicate_config_files() {
   # line is of the form <src> -> <dest>; pattern below matches this while trimming spaces
   echo_color "$fg_orange" "Linking configuration files from $config_dir to user's home" >> $status_file
-  pattern='(.*[^[:space:]]+)[[:space:]]*->[[:space:]]*(.*)'
+  pattern='(COPY|LINK_DIR|LINK):(.*)'
   while read -r config; do
     if [[ "$config" =~ $pattern ]]; then
-      home_file="${BASH_REMATCH[1]}"
-      # expand env variables
-      eval home_file="$home_file"
+      home_file="$HOME/${BASH_REMATCH[2]}"
       dest_file="$config_dir/${BASH_REMATCH[2]}"
       # only replace the file if it is already a link (assuming the link target may
-      #   have changed in the config_list file), or a directory containing links
+      #   have changed in the config_list file), or a directory containing only links
       if [ -e "$dest_file" ]; then
         if [ -L "$home_file" ]; then
           rm -f "$home_file"
         elif [ -d "$home_file" ]; then
-          do_rmdir=true
-          for f in "$home_file"/*; do
-            if [ -e "$f" -a ! -L "$f" ]; then
-              do_rmdir=false
-              break
-            fi
-          done
-          if [ "$do_rmdir" = true ]; then
+          if [ -z $(find "$home_file" -type f -print -quit) ]; then
             rm -rf "$home_file"
           fi
         fi
@@ -80,7 +71,15 @@ function link_config_files() {
           mkdir -p "$home_filedir"
         fi
         if [ ! -e "$home_file" ]; then
-          ln -s "$dest_file" "$home_file"
+          if [ "${BASH_REMATCH[1]}" = "COPY" ]; then
+            cp -r "$dest_file" "$home_file"
+          elif [ "${BASH_REMATCH[1]}" = "LINK_DIR" ]; then
+            # if dest_file is a directory, then replicate the directory structure in home and
+            # symlink individual files which is accomplished with "cp -sr"
+            cp -sr "$dest_file" "$home_file"
+          else  # "${BASH_REMATCH[1]}" = "LINK"
+            ln -s "$dest_file" "$home_file"
+          fi
         fi
       fi
     else
@@ -180,7 +179,7 @@ run_dir=${XDG_RUNTIME_DIR:-/run/user/$uid}
 if [ -d $run_dir ]; then
   $SUDO chown $uid:$gid $run_dir 2>/dev/null || true
 fi
-if [ -n "$(ls $run_dir 2>/dev/null)" ]; then
+if compgen -G "$run_dir/*" >/dev/null; then
   $SUDO chown $uid:$gid $run_dir/* 2>/dev/null || true
 fi
 
@@ -212,7 +211,7 @@ fi
 
 # process config files, application installs and invoke startup apps
 if [ -n "$config_list" ]; then
-  link_config_files
+  replicate_config_files
 fi
 if [ -n "$app_list" ]; then
   install_apps
@@ -231,14 +230,17 @@ function cleanup() {
   # clear status file first just in case other operations do not finish before SIGKILL comes
   echo -n > $status_file
   # first send SIGTERM to all "docker exec" processes that will have parent PID as 0 or 1
+  kill_sent=0
   exec_pids="$(ps -e -o ppid=,pid= | \
     awk '{ if (($1 == 0 || $1 == 1) && $2 != 1 && $2 != '$childPID') print $2 }')"
   for pid in $exec_pids; do
-    echo "Sending SIGTERM to $pid"
-    kill -TERM $pid
+    if kill -TERM $pid 2>/dev/null; then
+      kill_sent=1
+      echo "Sent SIGTERM to $pid"
+    fi
   done
   # sleep a bit for $exec_pids to finish
-  [ -n "$exec_pids" ] && sleep 3
+  [ $kill_sent -eq 1 ] && sleep 3
   # lastly kill the infinite tail process
   kill -TERM $childPID
 }

ybox/conf/resources/prime-run

@@ -1,7 +1,5 @@
 #!/bin/sh
 
-set -e
-
 __NV_PRIME_RENDER_OFFLOAD=1
 __GLX_VENDOR_LIBRARY_NAME=nvidia
 __VK_LAYER_NV_optimus=NVIDIA_only

ybox/conf/resources/run-in-dir

@@ -9,24 +9,34 @@ if [ -n "$dir" -a -d "$dir" ]; then
   cd "$dir"
 fi
 
-# XAUTHORITY file can change after a re-login or a restart, so search for the passed one
-# by podman/docker exec in the mount point of its parent directory
-if [ -n "$XAUTHORITY" -a -n "$XAUTHORITY_ORIG" -a ! -r "$XAUTHORITY" ]; then
-  # XAUTHORITY is assumed to be either in /run/user or in /tmp
-  run_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
-  if [[ "$XAUTHORITY" == $run_dir/* ]]; then
-    host_dir="$run_dir"
-  elif [[ "$XAUTHORITY" == /tmp/* ]]; then
-    host_dir=/tmp
+# XAUTHORITY, SSH_AUTH_SOCK and GPG_AGENT_INFO files can change after a re-login or a restart,
+# so search for the passed one by podman/docker exec in the mount point of its parent directory
+for env_var in XAUTHORITY SSH_AUTH_SOCK GPG_AGENT_INFO; do
+  env_var_orig=${env_var}_ORIG
+  var_val=${!env_var}
+  var_val_orig=${!env_var_orig}
+  if [ -n "$var_val" -a -n "$var_val_orig" ]; then
+    if [ ! -r "$var_val" ]; then
+      # the value should be in /run/user/<uid> or in /tmp, or else the parent directory is used
+      run_dir="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
+      if [[ "$var_val" == $run_dir/* ]]; then
+        host_dir="$run_dir"
+      elif [[ "$var_val" == /tmp/* ]]; then
+        host_dir=/tmp
+      else
+        host_dir="$(dirname "$var_val")"
+      fi
+      new_val="${var_val/#$host_dir/${host_dir}-host}" # replace $host_dir by ${host_dir}-host
+      if [ ! -r "$new_val" ]; then
+        new_val="$var_val_orig"
+      fi
+      export $env_var="$new_val"
+    fi
   else
-    host_dir="$(dirname "$XAUTHORITY")"
-  fi
-  XAUTHORITY="${XAUTHORITY/#$host_dir/${host_dir}-host}" # replace $host_dir by ${host_dir}-host
-  if [ ! -r "$XAUTHORITY" ]; then
-    XAUTHORITY="$XAUTHORITY_ORIG"
+    # remove unset variable in the container else apps can misbehave
+    unset $env_var
   fi
-  export XAUTHORITY
-fi
+done
 
 # In case NVIDIA driver has been updated, the updated libraries and other files may need to be
 # linked again, so check for a missing library file and invoke the setup script if present
@@ -49,6 +59,7 @@ if [ -e "$nvidia_setup" ]; then
       flock -x -w 60 $lock_fd || /bin/true
       trap "flock -u $lock_fd || /bin/true" 0 1 2 3 4 5 6 7 8 10 11 12 13 14 15
       if ! is_nvidia_valid; then
+        # set umask for root execution to ensure that other users have read/execute permissions
         umask 022
         sudo /bin/bash "$nvidia_setup" || /bin/true
       fi
@@ -57,4 +68,7 @@ if [ -e "$nvidia_setup" ]; then
   fi
 fi
 
+# reset to more conservative umask setting
+umask 027
+
 exec "$@"

ybox/conf/resources/run-user-bash-cmd

@@ -1,5 +1,11 @@
 #!/bin/bash
 
+# This script either runs a given command using bash directly, or if YBOX_HOST_UID environment
+# variable is set to something other than the UID of the current user, then uses sudo to run
+# the command as that UID (plus YBOX_HOST_GID as the GID). This latter case happens for rootless
+# docker where the ybox container runs as the root user (due to absence of --userns=keep-id like
+#   in podman) but some commands need to be run as a normal user like Arch's paru/yay AUR helpers.
+
 set -e
 
 if [ "$#" -ne 1 ]; then
@@ -8,7 +14,17 @@ if [ "$#" -ne 1 ]; then
 fi
 
 if [ "$(id -u)" -eq 0 -a -n "$YBOX_HOST_UID" ] && getent passwd $YBOX_HOST_UID > /dev/null; then
-  exec sudo -u "#$YBOX_HOST_UID" -g "#$YBOX_HOST_GID" /bin/bash -c "$1"
+  sudo -u "#$YBOX_HOST_UID" -g "#$YBOX_HOST_GID" /bin/bash -c "$1"
+  status=$?
+  if [ $status -ne 0 ]; then
+    echo "FAILED (exit code = $status) in sudo execution of: $1"
+    exit $status
+  fi
 else
   eval "$1"
+  status=$?
+  if [ $status -ne 0 ]; then
+    echo "FAILED (exit code = $status) in execution of: $1"
+    exit $status
+  fi
 fi

ybox/conf/resources/ybox-systemd.template

@@ -0,0 +1,24 @@
+# ybox-{name}.service
+#
+# Autogenerated by ybox-create {version} on {date}
+
+[Unit]
+Description={manager_name} ybox-{name}.service
+Wants=network-online.target
+After=network-online.target
+{docker_requires}
+[Service]
+Environment=PATH={sys_path}:{ybox_bin_dir}
+EnvironmentFile=%h/.config/systemd/user/{env_file}
+Type=notify
+NotifyAccess=all
+Restart=on-failure
+# sleep to allow for initialization of the user's login/graphical environment
+ExecStartPre=/usr/bin/sleep $SLEEP_SECS
+ExecStart=/bin/sh -c 'ybox-control start {name} && systemd-notify --ready && exec ybox-control wait {name}'
+ExecStop=/bin/sh -c 'ybox-control stop -t 20 --ignore-stopped {name}'
+ExecStopPost=/bin/sh -c 'ybox-control stop -t 20 --ignore-stopped {name}'
+TimeoutStopSec=60
+
+[Install]
+WantedBy=default.target

ybox/config.py

@@ -142,6 +142,9 @@ class Consts:
     Defines fixed file/path and other names used by ybox that are not configurable.
     """
 
+    # standard system executable paths
+    _SYS_BIN_DIRS = ("/usr/bin", "/bin", "/usr/sbin", "/sbin", "/usr/local/bin", "/usr/local/sbin")
+    # regex pattern to match all manual page directories
     _MAN_DIRS_PATTERN = re.compile(r"/usr(/local)?(/share)?/man(/[^/]*)?/man[0-9][a-zA-Z_]*")
 
     @staticmethod
@@ -216,13 +219,18 @@ class Consts:
     @staticmethod
     def container_bin_dirs() -> Iterable[str]:
         """directories on the container that has executables that may need to be wrapped"""
-        return ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin", "/usr/local/sbin")
+        return Consts._SYS_BIN_DIRS
 
     @staticmethod
     def container_man_dir_pattern() -> re.Pattern[str]:
         """directory regex pattern on the container having man-pages that may need to be linked"""
         return Consts._MAN_DIRS_PATTERN
 
+    @staticmethod
+    def sys_bin_dirs() -> Iterable[str]:
+        """standard directories to search for system installed executables"""
+        return Consts._SYS_BIN_DIRS
+
     @staticmethod
     def nvidia_target_base_dir() -> str:
         """base directory path where NVIDIA libs/data are linked in the container"""