cmd/initContainer: Set up QEMU emulation for cross-arch containers

Add the --arch and --arch-emulator-path flags to the init-container
command, passed from the create command when creating a
cross-architecture container. The --arch flag defaults to the host
architecture ID so that existing native containers continue to work
without changes.

When the container's architecture differs from the host, the
init-container entry point configures QEMU emulation inside the
container before any foreign-architecture binaries can run:

1. Validate QEMU emulation by running the 'true' command, which fails
with ENOEXEC if the host's binfmt_misc registration is not working
(detected via RunWithExitCode2() added in [1]), because it is necessary
to have host emulation working to emulate the binfmt_misc registration
in the following step.

2. Mount a fresh binfmt_misc filesystem inside the container via
MountBinfmtMisc() (added in [2]) to create a sandboxed binfmt_misc
registration with the C flag.

3. Validate architecture support via IsArchSupportedOnInitialization()
(added in [3]), which verifies the QEMU interpreter at the host-mounted
path under /run/host.

4. Register the QEMU interpreter with the C flag via
RegisterBinfmtMisc() (added and explained in [2])

The binfmt_misc registration is performed inside the container rather
than relying on the host's registration, as explained in [2].

Update showEntryPointLog() in run.go to propagate lines prefixed with
'Warning:' to stderr on the host, instead of treating them as errors.
This is needed because the cross-architecture initialization may emit
warnings that should be visible to the user but are not fatal.

[1] #1780
[2] #1782
[3] #1783

#1788

Signed-off-by: Dalibor Kricka <dalidalk@seznam.cz>

Author: DaliborKr

src/cmd/create.go

@@ -449,6 +449,8 @@ func createContainer(container, image, release, authFile string, archConfig arch
 	entryPoint := []string{
 		"toolbox", "--log-level", "debug",
 		"init-container",
+		"--arch", fmt.Sprintf("%d", archConfig.ID),
+		"--arch-emulator-path", archConfig.QemuEmulatorPath,
 		"--gid", currentUser.Gid,
 		"--home", currentUserHomeDir,
 		"--shell", userShell,

src/cmd/initContainer.go

@@ -28,6 +28,7 @@ import (
 	"syscall"
 	"time"
 
+	"github.com/containers/toolbox/pkg/architecture"
 	"github.com/containers/toolbox/pkg/shell"
 	"github.com/containers/toolbox/pkg/utils"
 	"github.com/fsnotify/fsnotify"
@@ -41,6 +42,8 @@ import (
 
 var (
 	initContainerFlags struct {
+		archID      int
+		archInterp  string
 		gid         int
 		home        string
 		homeLink    bool
@@ -85,6 +88,16 @@ var initContainerCmd = &cobra.Command{
 func init() {
 	flags := initContainerCmd.Flags()
 
+	flags.IntVar(&initContainerFlags.archID,
+		"arch",
+		architecture.HostArchID,
+		"Specify the Toolbx container's architecture ID.")
+
+	flags.StringVar(&initContainerFlags.archInterp,
+		"arch-emulator-path",
+		"",
+		"Register an emulator using binfmt_misc with PATH as the interpreter for a non-native architecture container.")
+
 	flags.IntVar(&initContainerFlags.gid,
 		"gid",
 		0,
@@ -257,6 +270,31 @@ func initContainer(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	if !architecture.HasContainerNativeArch(initContainerFlags.archID) {
+		archName := architecture.GetArchNameOCI(initContainerFlags.archID)
+		interpreterPath := "/run/host" + initContainerFlags.archInterp
+
+		if err := validateCrossArchEmulation(initContainerFlags.archID); err != nil {
+			return err
+		}
+
+		logrus.Debugf("Mounting binfmt_misc file system in container for architecture %s", archName)
+		if err := architecture.MountBinfmtMisc(); err != nil {
+			return err
+		}
+
+		err := architecture.IsArchSupportedOnInitialization(initContainerFlags.archID, interpreterPath)
+		if err != nil {
+			errNotSupported := fmt.Errorf("Cannot run container for architecture %s:\n%s", archName, err)
+			return errNotSupported
+		}
+
+		logrus.Debugf("Registering QEMU emulator for architecture %s in binfmt_mist", archName)
+		if err := architecture.RegisterBinfmtMisc(initContainerFlags.archID, interpreterPath); err != nil {
+			return err
+		}
+	}
+
 	for _, mount := range initContainerMounts {
 		if err := mountBind(mount.containerPath, mount.source, mount.flags); err != nil {
 			return err
@@ -1223,6 +1261,28 @@ func updateTimeZoneFromLocalTime() error {
 	return nil
 }
 
+func validateCrossArchEmulation(archID int) error {
+	archName := architecture.GetArchNameOCI(archID)
+	logrus.Debugf("Testing QEMU emulation for architecture %s", archName)
+
+	_, err := shell.RunWithExitCode2("true", nil, nil, nil)
+
+	if err != nil {
+		if errors.Is(err, syscall.ENOEXEC) {
+			return fmt.Errorf(
+				"QEMU emulation for architecture %s is not working\n"+
+					"Please verify that:\n"+
+					"  1. QEMU user-mode emulation is installed on the host system: qemu-user-static package\n"+
+					"  2. binfmt_misc is properly configured on the host system",
+				archName)
+		}
+		return fmt.Errorf("failed to test QEMU emulation for architecture %s: %w", archName, err)
+	}
+
+	logrus.Debugf("Test of QEMU emulation for architecture %s has succeeded", archName)
+	return nil
+}
+
 func writeTimeZone(timeZone string) error {
 	const etcTimeZone = "/etc/timezone"
 

src/cmd/run.go

@@ -964,8 +964,15 @@ func showEntryPointLog(line string) error {
 	}
 
 	if !logLevelFound {
-		errMsg, _ := strings.CutPrefix(line, "Error: ")
-		return &entryPointError{errMsg}
+		// Messages sent to stderr with a 'Warning:' prefix in the entry point
+		// are propagated to stderr on the host
+		if strings.HasPrefix(line, "Warning:") {
+			fmt.Fprintf(os.Stderr, "%s\n", line)
+			return nil
+		} else {
+			errMsg, _ := strings.CutPrefix(line, "Error: ")
+			return &entryPointError{errMsg}
+		}
 	}
 
 	logger := logrus.StandardLogger()