[PATCH] fuse-overlayfs: Update to v1.9
Andrei Gherzan
From: Andrei Gherzan <andrei.gherzan@...>
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
...-Fix-buffer-overflow-on-workdir-path.patch | 32 -------------------
...erlayfs_0.6.4.bb => fuse-overlayfs_1.9.bb} | 7 ++--
2 files changed, 2 insertions(+), 37 deletions(-)
delete mode 100644 recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
rename recipes-extended/fuse-overlayfs/{fuse-overlayfs_0.6.4.bb => fuse-overlayfs_1.9.bb} (60%)
diff --git a/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch b/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
deleted file mode 100644
index 129423d..0000000
--- a/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 7e5992d6121aed0cfcbfaf70472f28d87cff1426 Mon Sep 17 00:00:00 2001
-From: Andrei Gherzan <andrei.gherzan@...>
-Date: Mon, 11 Jul 2022 20:36:06 +0200
-Subject: [PATCH] Fix buffer overflow on workdir path
-
-We make sure that the path used for workdir is reallocated before
-appending. This was initially included in upstream as part of
-https://github.com/containers/fuse-overlayfs/commit/d5b725b6f18a437db66bfc1456d04c3bf658f66a.
-
-Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
-Upstream-Status: Backport
----
- main.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/main.c b/main.c
-index e5bdda1..118a6cb 100644
---- a/main.c
-+++ b/main.c
-@@ -5039,6 +5039,9 @@ main (int argc, char *argv[])
- if (path == NULL)
- goto err_out1;
- mkdir (path, 0700);
-+ path = realloc(path, strlen(path)+strlen("/work")+1);
-+ if (!path)
-+ error (EXIT_FAILURE, errno, "allocating workdir path");
- strcat (path, "/work");
- mkdir (path, 0700);
- free (lo.workdir);
---
-2.25.1
-
diff --git a/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb b/recipes-extended/fuse-overlayfs/fuse-overlayfs_1.9.bb
similarity index 60%
rename from recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
rename to recipes-extended/fuse-overlayfs/fuse-overlayfs_1.9.bb
index 4f793bd..18e9dfa 100644
--- a/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
+++ b/recipes-extended/fuse-overlayfs/fuse-overlayfs_1.9.bb
@@ -5,11 +5,8 @@ containers."
LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-SRCREV = "098d9ad79fdbb8538adde08628408aa32a8b4b17"
-SRC_URI = " \
- git://github.com/containers/fuse-overlayfs.git;nobranch=1;protocol=https \
- file://0001-Fix-buffer-overflow-on-workdir-path.patch \
-"
+SRCREV = "51592ea406f48faeccab288f65dcba6c4a67cd90"
+SRC_URI = "git://github.com/containers/fuse-overlayfs.git;nobranch=1;protocol=https"
DEPENDS = "fuse3"
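Review bot: The SRC_URI change drops `file://0001-Fix-buffer-overflow-on-workdir-path.patch`, but neither the hunk nor the commit message says that the new SRCREV `51592ea406f48faeccab288f65dcba6c4a67cd90` already contains the upstream fix that patch backported (the patch text names upstream commit d5b725b6). A one-line statement in the commit message, e.g. `The workdir buffer-overflow backport is dropped because v1.9 contains upstream commit d5b725b6.`, lets a reviewer confirm the heap-overflow fix is not silently lost by the bump. The same hunk is repeated in the second copy of this patch below.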
--
2.25.1
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
...-Fix-buffer-overflow-on-workdir-path.patch | 32 -------------------
...erlayfs_0.6.4.bb => fuse-overlayfs_1.9.bb} | 7 ++--
2 files changed, 2 insertions(+), 37 deletions(-)
delete mode 100644 recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
rename recipes-extended/fuse-overlayfs/{fuse-overlayfs_0.6.4.bb => fuse-overlayfs_1.9.bb} (60%)
diff --git a/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch b/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
deleted file mode 100644
index 129423d..0000000
--- a/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 7e5992d6121aed0cfcbfaf70472f28d87cff1426 Mon Sep 17 00:00:00 2001
-From: Andrei Gherzan <andrei.gherzan@...>
-Date: Mon, 11 Jul 2022 20:36:06 +0200
-Subject: [PATCH] Fix buffer overflow on workdir path
-
-We make sure that the path used for workdir is reallocated before
-appending. This was initially included in upstream as part of
-https://github.com/containers/fuse-overlayfs/commit/d5b725b6f18a437db66bfc1456d04c3bf658f66a.
-
-Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
-Upstream-Status: Backport
----
- main.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/main.c b/main.c
-index e5bdda1..118a6cb 100644
---- a/main.c
-+++ b/main.c
-@@ -5039,6 +5039,9 @@ main (int argc, char *argv[])
- if (path == NULL)
- goto err_out1;
- mkdir (path, 0700);
-+ path = realloc(path, strlen(path)+strlen("/work")+1);
-+ if (!path)
-+ error (EXIT_FAILURE, errno, "allocating workdir path");
- strcat (path, "/work");
- mkdir (path, 0700);
- free (lo.workdir);
---
-2.25.1
-
diff --git a/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb b/recipes-extended/fuse-overlayfs/fuse-overlayfs_1.9.bb
similarity index 60%
rename from recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
rename to recipes-extended/fuse-overlayfs/fuse-overlayfs_1.9.bb
index 4f793bd..18e9dfa 100644
--- a/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
+++ b/recipes-extended/fuse-overlayfs/fuse-overlayfs_1.9.bb
@@ -5,11 +5,8 @@ containers."
LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
-SRCREV = "098d9ad79fdbb8538adde08628408aa32a8b4b17"
-SRC_URI = " \
- git://github.com/containers/fuse-overlayfs.git;nobranch=1;protocol=https \
- file://0001-Fix-buffer-overflow-on-workdir-path.patch \
-"
+SRCREV = "51592ea406f48faeccab288f65dcba6c4a67cd90"
+SRC_URI = "git://github.com/containers/fuse-overlayfs.git;nobranch=1;protocol=https"
DEPENDS = "fuse3"
--
2.25.1
[PATCH 3/3] image-oci-umoci: skip parent directory in tar
Vasileios Anagnostopoulos
Skip the inclusion of the parent directory in the tar file.
Most tools expect a tar file without it. An example of this
use case is skopeo, where the skopeo copy oci-archive command
will not work with the generated tar file.
Signed-off-by: Vasileios Anagnostopoulos <vasileios.anagnostopoulos@...>
---
classes/image-oci-umoci.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/image-oci-umoci.inc b/classes/image-oci-umoci.inc
index f941795..771f288 100644
--- a/classes/image-oci-umoci.inc
+++ b/classes/image-oci-umoci.inc
@@ -107,7 +107,7 @@ IMAGE_CMD:oci() {
# make a tar version of the image direcotry
if [ -n "${OCI_IMAGE_TAR_OUTPUT}" ]; then
- tar -cf "$image_name.tar" "$image_name"
+ tar -cf "$image_name.tar" -C "$image_name" .
fi
# We could make this optional, since the bundle is directly runnable via runc
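Review bot: The comment above the changed line (`# make a tar version of the image direcotry`) now describes the old layout; with `-C "$image_name" .` the archive holds the directory's contents under `./` instead of a top-level `$image_name` directory, which is a format change for any existing consumer of `$image_name.tar`. Suggest `# tar the image directory's contents without a top-level dir, as skopeo's oci-archive transport expects`, which also fixes the typo. Members will be named `./index.json`, `./oci-layout` and so on; the commit implies this was tested with skopeo, so I assume the `./` prefix is accepted — worth confirming. The enclosing `IMAGE_CMD:oci()` starts before this hunk.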
--
2.34.1
Most tools expect a tar file without it. An example of this
use case is skopeo, where the skopeo copy oci-archive command
will not work with the generated tar file.
Signed-off-by: Vasileios Anagnostopoulos <vasileios.anagnostopoulos@...>
---
classes/image-oci-umoci.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/classes/image-oci-umoci.inc b/classes/image-oci-umoci.inc
index f941795..771f288 100644
--- a/classes/image-oci-umoci.inc
+++ b/classes/image-oci-umoci.inc
@@ -107,7 +107,7 @@ IMAGE_CMD:oci() {
# make a tar version of the image direcotry
if [ -n "${OCI_IMAGE_TAR_OUTPUT}" ]; then
- tar -cf "$image_name.tar" "$image_name"
+ tar -cf "$image_name.tar" -C "$image_name" .
fi
# We could make this optional, since the bundle is directly runnable via runc
--
2.34.1
[PATCH 2/3] image-oci-umoci: add parameter for stop signal
Vasileios Anagnostopoulos
Add an optional parameter that allows overriding the stop
signal that is used.
Signed-off-by: Vasileios Anagnostopoulos <vasileios.anagnostopoulos@...>
---
classes/image-oci-umoci.inc | 4 ++++
classes/image-oci.bbclass | 1 +
2 files changed, 5 insertions(+)
diff --git a/classes/image-oci-umoci.inc b/classes/image-oci-umoci.inc
index b159614..f941795 100644
--- a/classes/image-oci-umoci.inc
+++ b/classes/image-oci-umoci.inc
@@ -82,6 +82,10 @@ IMAGE_CMD:oci() {
bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.workingdir ${OCI_IMAGE_WORKINGDIR}"
umoci config --image $image_name:${OCI_IMAGE_TAG} --config.workingdir ${OCI_IMAGE_WORKINGDIR}
fi
+ if [ -n "${OCI_IMAGE_STOPSIGNAL}" ]; then
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.stopsignal ${OCI_IMAGE_STOPSIGNAL}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.stopsignal ${OCI_IMAGE_STOPSIGNAL}
+ fi
if [ -n "${OCI_IMAGE_OS}" ]; then
bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --os ${OCI_IMAGE_OS}"
umoci config --image $image_name:${OCI_IMAGE_TAG} --os ${OCI_IMAGE_OS}
diff --git a/classes/image-oci.bbclass b/classes/image-oci.bbclass
index 7a39d27..9ddb88b 100644
--- a/classes/image-oci.bbclass
+++ b/classes/image-oci.bbclass
@@ -58,6 +58,7 @@ OCI_IMAGE_SUBARCH ?= "${@oci_map_subarch(d.getVar('TARGET_ARCH'), d.getVar('TUNE
OCI_IMAGE_ENTRYPOINT ?= "sh"
OCI_IMAGE_ENTRYPOINT_ARGS ?= ""
OCI_IMAGE_WORKINGDIR ?= ""
+OCI_IMAGE_STOPSIGNAL ?= ""
# List of ports to expose from a container running this image:
# PORT[/PROT]
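Review bot: `OCI_IMAGE_STOPSIGNAL ?= ""` is added without a comment, while the neighbouring settings at least carry a heading (`# List of ports to expose ...`). Suggest `# Signal sent to stop a container running this image (e.g. SIGTERM); empty keeps umoci's default.` directly above it. In the image-oci-umoci.inc hunk the value is passed unquoted to `--config.stopsignal`, like every other option in that function, so the comment should also make clear that a single signal name is expected, since whitespace in the value would be word-split.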
--
2.34.1
signal that is used.
Signed-off-by: Vasileios Anagnostopoulos <vasileios.anagnostopoulos@...>
---
classes/image-oci-umoci.inc | 4 ++++
classes/image-oci.bbclass | 1 +
2 files changed, 5 insertions(+)
diff --git a/classes/image-oci-umoci.inc b/classes/image-oci-umoci.inc
index b159614..f941795 100644
--- a/classes/image-oci-umoci.inc
+++ b/classes/image-oci-umoci.inc
@@ -82,6 +82,10 @@ IMAGE_CMD:oci() {
bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.workingdir ${OCI_IMAGE_WORKINGDIR}"
umoci config --image $image_name:${OCI_IMAGE_TAG} --config.workingdir ${OCI_IMAGE_WORKINGDIR}
fi
+ if [ -n "${OCI_IMAGE_STOPSIGNAL}" ]; then
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.stopsignal ${OCI_IMAGE_STOPSIGNAL}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.stopsignal ${OCI_IMAGE_STOPSIGNAL}
+ fi
if [ -n "${OCI_IMAGE_OS}" ]; then
bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --os ${OCI_IMAGE_OS}"
umoci config --image $image_name:${OCI_IMAGE_TAG} --os ${OCI_IMAGE_OS}
diff --git a/classes/image-oci.bbclass b/classes/image-oci.bbclass
index 7a39d27..9ddb88b 100644
--- a/classes/image-oci.bbclass
+++ b/classes/image-oci.bbclass
@@ -58,6 +58,7 @@ OCI_IMAGE_SUBARCH ?= "${@oci_map_subarch(d.getVar('TARGET_ARCH'), d.getVar('TUNE
OCI_IMAGE_ENTRYPOINT ?= "sh"
OCI_IMAGE_ENTRYPOINT_ARGS ?= ""
OCI_IMAGE_WORKINGDIR ?= ""
+OCI_IMAGE_STOPSIGNAL ?= ""
# List of ports to expose from a container running this image:
# PORT[/PROT]
--
2.34.1
[PATCH 1/3] image-oci-umoci: properly handle tags other than latest
Vasileios Anagnostopoulos
From: Pascal Bach <pascal.bach@...>
Signed-off-by: Pascal Bach <pascal.bach@...>
---
classes/image-oci-umoci.inc | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/classes/image-oci-umoci.inc b/classes/image-oci-umoci.inc
index 4fe96ea..b159614 100644
--- a/classes/image-oci-umoci.inc
+++ b/classes/image-oci-umoci.inc
@@ -58,48 +58,48 @@ IMAGE_CMD:oci() {
bbdebug 1 "OCI: configuring image"
if [ -n "${OCI_IMAGE_LABELS}" ]; then
for l in ${OCI_IMAGE_LABELS}; do
- bbdebug 1 "OCI: umoci config --image $image_name --config.label $l"
- umoci config --image $image_name --config.label $l
+ bbdebug 1 "OCI: umoci config --image $image_name:${OCI_IMAGE_TAG} --config.label $l"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.label $l
done
fi
if [ -n "${OCI_IMAGE_ENV_VARS}" ]; then
for l in ${OCI_IMAGE_ENV_VARS}; do
- bbdebug 1 "umoci config --image $image_name --config.env $l"
- umoci config --image $image_name --config.env $l
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.env $l"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.env $l
done
fi
if [ -n "${OCI_IMAGE_PORTS}" ]; then
for l in ${OCI_IMAGE_PORTS}; do
- bbdebug 1 "umoci config --image $image_name --config.exposedports $l"
- umoci config --image $image_name --config.exposedports $l
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.exposedports $l"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.exposedports $l
done
fi
if [ -n "${OCI_IMAGE_RUNTIME_UID}" ]; then
- bbdebug 1 "umoci config --image $image_name --config.user ${OCI_IMAGE_RUNTIME_UID}"
- umoci config --image $image_name --config.user ${OCI_IMAGE_RUNTIME_UID}
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.user ${OCI_IMAGE_RUNTIME_UID}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.user ${OCI_IMAGE_RUNTIME_UID}
fi
if [ -n "${OCI_IMAGE_WORKINGDIR}" ]; then
- bbdebug 1 "umoci config --image $image_name --config.workingdir ${OCI_IMAGE_WORKINGDIR}"
- umoci config --image $image_name --config.workingdir ${OCI_IMAGE_WORKINGDIR}
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.workingdir ${OCI_IMAGE_WORKINGDIR}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.workingdir ${OCI_IMAGE_WORKINGDIR}
fi
if [ -n "${OCI_IMAGE_OS}" ]; then
- bbdebug 1 "umoci config --image $image_name --os ${OCI_IMAGE_OS}"
- umoci config --image $image_name --os ${OCI_IMAGE_OS}
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --os ${OCI_IMAGE_OS}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --os ${OCI_IMAGE_OS}
fi
- bbdebug 1 "umoci config --image $image_name --architecture ${OCI_IMAGE_ARCH}"
- umoci config --image $image_name --architecture ${OCI_IMAGE_ARCH}
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --architecture ${OCI_IMAGE_ARCH}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --architecture ${OCI_IMAGE_ARCH}
# NOTE: umoci doesn't currently expose setting the architecture variant,
# so if you need it use sloci instead
if [ -n "${OCI_IMAGE_SUBARCH}" ]; then
bbnote "OCI: image subarch is set to: ${OCI_IMAGE_SUBARCH}, but umoci does not"
bbnote " expose variants. use sloci instead if this is important"
fi
- umoci config --image $image_name --config.entrypoint ${OCI_IMAGE_ENTRYPOINT}
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.entrypoint ${OCI_IMAGE_ENTRYPOINT}
if [ -n "${OCI_IMAGE_ENTRYPOINT_ARGS}" ]; then
- umoci config --image $image_name --config.cmd "${OCI_IMAGE_ENTRYPOINT_ARGS}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.cmd "${OCI_IMAGE_ENTRYPOINT_ARGS}"
fi
- umoci config --image $image_name --author ${OCI_IMAGE_AUTHOR_EMAIL}
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --author ${OCI_IMAGE_AUTHOR_EMAIL}
# make a tar version of the image direcotry
if [ -n "${OCI_IMAGE_TAR_OUTPUT}" ]; then
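Review bot: Every `--image $image_name:${OCI_IMAGE_TAG}` reference in this hunk degrades to `$image_name:` when `OCI_IMAGE_TAG` is empty; its default is not visible here, so if it is only `?=`-defaulted elsewhere, a user override to "" turns all of these umoci calls into an invalid image reference. A guard near the top of `IMAGE_CMD:oci()`, such as `[ -n "${OCI_IMAGE_TAG}" ] || bbfatal "OCI_IMAGE_TAG must not be empty"`, would fail fast with a clear message. The enclosing function starts before the hunk, and the same hunk is repeated in the second copy of this patch below.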
--
2.34.1
Signed-off-by: Pascal Bach <pascal.bach@...>
---
classes/image-oci-umoci.inc | 34 +++++++++++++++++-----------------
1 file changed, 17 insertions(+), 17 deletions(-)
diff --git a/classes/image-oci-umoci.inc b/classes/image-oci-umoci.inc
index 4fe96ea..b159614 100644
--- a/classes/image-oci-umoci.inc
+++ b/classes/image-oci-umoci.inc
@@ -58,48 +58,48 @@ IMAGE_CMD:oci() {
bbdebug 1 "OCI: configuring image"
if [ -n "${OCI_IMAGE_LABELS}" ]; then
for l in ${OCI_IMAGE_LABELS}; do
- bbdebug 1 "OCI: umoci config --image $image_name --config.label $l"
- umoci config --image $image_name --config.label $l
+ bbdebug 1 "OCI: umoci config --image $image_name:${OCI_IMAGE_TAG} --config.label $l"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.label $l
done
fi
if [ -n "${OCI_IMAGE_ENV_VARS}" ]; then
for l in ${OCI_IMAGE_ENV_VARS}; do
- bbdebug 1 "umoci config --image $image_name --config.env $l"
- umoci config --image $image_name --config.env $l
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.env $l"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.env $l
done
fi
if [ -n "${OCI_IMAGE_PORTS}" ]; then
for l in ${OCI_IMAGE_PORTS}; do
- bbdebug 1 "umoci config --image $image_name --config.exposedports $l"
- umoci config --image $image_name --config.exposedports $l
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.exposedports $l"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.exposedports $l
done
fi
if [ -n "${OCI_IMAGE_RUNTIME_UID}" ]; then
- bbdebug 1 "umoci config --image $image_name --config.user ${OCI_IMAGE_RUNTIME_UID}"
- umoci config --image $image_name --config.user ${OCI_IMAGE_RUNTIME_UID}
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.user ${OCI_IMAGE_RUNTIME_UID}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.user ${OCI_IMAGE_RUNTIME_UID}
fi
if [ -n "${OCI_IMAGE_WORKINGDIR}" ]; then
- bbdebug 1 "umoci config --image $image_name --config.workingdir ${OCI_IMAGE_WORKINGDIR}"
- umoci config --image $image_name --config.workingdir ${OCI_IMAGE_WORKINGDIR}
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --config.workingdir ${OCI_IMAGE_WORKINGDIR}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.workingdir ${OCI_IMAGE_WORKINGDIR}
fi
if [ -n "${OCI_IMAGE_OS}" ]; then
- bbdebug 1 "umoci config --image $image_name --os ${OCI_IMAGE_OS}"
- umoci config --image $image_name --os ${OCI_IMAGE_OS}
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --os ${OCI_IMAGE_OS}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --os ${OCI_IMAGE_OS}
fi
- bbdebug 1 "umoci config --image $image_name --architecture ${OCI_IMAGE_ARCH}"
- umoci config --image $image_name --architecture ${OCI_IMAGE_ARCH}
+ bbdebug 1 "umoci config --image $image_name:${OCI_IMAGE_TAG} --architecture ${OCI_IMAGE_ARCH}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --architecture ${OCI_IMAGE_ARCH}
# NOTE: umoci doesn't currently expose setting the architecture variant,
# so if you need it use sloci instead
if [ -n "${OCI_IMAGE_SUBARCH}" ]; then
bbnote "OCI: image subarch is set to: ${OCI_IMAGE_SUBARCH}, but umoci does not"
bbnote " expose variants. use sloci instead if this is important"
fi
- umoci config --image $image_name --config.entrypoint ${OCI_IMAGE_ENTRYPOINT}
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.entrypoint ${OCI_IMAGE_ENTRYPOINT}
if [ -n "${OCI_IMAGE_ENTRYPOINT_ARGS}" ]; then
- umoci config --image $image_name --config.cmd "${OCI_IMAGE_ENTRYPOINT_ARGS}"
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --config.cmd "${OCI_IMAGE_ENTRYPOINT_ARGS}"
fi
- umoci config --image $image_name --author ${OCI_IMAGE_AUTHOR_EMAIL}
+ umoci config --image $image_name:${OCI_IMAGE_TAG} --author ${OCI_IMAGE_AUTHOR_EMAIL}
# make a tar version of the image direcotry
if [ -n "${OCI_IMAGE_TAR_OUTPUT}" ]; then
--
2.34.1
Re: docker/containerd/runc version compatibility
Bruce Ashfield
On Mon, Jul 11, 2022 at 2:13 PM Ralph Siemsen <ralph.siemsen@...> wrote:
much of a version bump on any of the -stable branches. They'd
stay within the .x series of a release.
telling folks that there's no need to send updates to the individual
packages in master. I do unified testing on all the various components
in about the m3 timeframe of a release. The -stable branches are
updated for CVEs/bugs only and get updates at a much slower cadence.
The dependencies/versions are documented within the projects
themselves, but they aren't tightly coupled (for the most part) so
there is some flex. But honestly, it is often that the latest of all the
projects work together at any given point, so when I do the updates
that is fundamentally the known set of working versions. Otherwise,
you are into looking at the project and their documented dependencies
on the various components. (or looking at what other distros are doing,
etc).
The larger stacks (i.e. k3s) are what I use to drive more complex
and end to end testing with the components. But fetching a container
and running it is a good test and covers a lot of ground.
Bruce
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
FWIW, that's more than just bug fixes, so we wouldn't want that
Perhaps someone here can help point me to relevant documentation. I'm
wondering if there are some guidelines about which version(s) of
docker/containerd/runc are compatible. I've searched through the
docker manuals and release notes, without finding very many details.
Backing up a step further, the dunfell branch of meta-virtualization
has docker-moby 19.03.15, containerd-v1.2.14, and runc-1.0.0-rc8. This
combination seems to work fine, however there are several CVEs
flagged.
In a somewhat naive attempt to fix some of the CVEs, I updated
containerd from 1.2.x to v1.4.12. This version was picked primarily
because it was available in gatesgarth at the time, I could just copy
the recipe over. This compiles and runs hello-world and ubuntu test
images successfully.
much of a version bump on any of the -stable branches. They'd
stay within the .x series of a release.
What you are describing is exactly why you'll see me in the list archives
However over time, an oddity has emerged: even with no images
downloaded and therefore no containers running (just the daemon
sitting idle), the system log shows a goroutine crashing periodically
with "fatal error: bad symbol table". It can take up to 10 hours, but
usually happens within an hour, on an otherwise idle system.
This did not happen with the original set of versions on the dunfell
branch. So I'm wondering what versions can be combined? What other
tests (besides downloading and starting a container) could be run to
check that the chosen versions are working together correctly?
telling folks that there's no need to send updates to the individual
packages in master. I do unified testing on all the various components
in about the m3 timeframe of a release. The -stable branches are
updated for CVEs/bugs only and get updates at a much slower cadence.
The dependencies/versions are documented within the projects
themselves, but they aren't tightly coupled (for the most part) so
there is some flex. But honestly, it is often that the latest of all the
projects work together at any given point, so when I do the updates
that is fundamentally the known set of working versions. Otherwise,
you are into looking at the project and their documented dependencies
on the various components. (or looking at what other distros are doing,
etc).
The larger stacks (i.e. k3s) are what I use to drive more complex
and end to end testing with the components. But fetching a container
and running it is a good test and covers a lot of ground.
Bruce
Any hints or advice would be appreciated!
Ralph
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
[PATCH v2 4/4] fuse-overlayfs: Fix buffer overflow bug on workdir path
Andrei Gherzan
From: Andrei Gherzan <andrei.gherzan@...>
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
...-Fix-buffer-overflow-on-workdir-path.patch | 32 +++++++++++++++++++
.../fuse-overlayfs/fuse-overlayfs_0.6.4.bb | 5 ++-
2 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
diff --git a/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch b/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
new file mode 100644
index 0000000..129423d
--- /dev/null
+++ b/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
@@ -0,0 +1,32 @@
+From 7e5992d6121aed0cfcbfaf70472f28d87cff1426 Mon Sep 17 00:00:00 2001
+From: Andrei Gherzan <andrei.gherzan@...>
+Date: Mon, 11 Jul 2022 20:36:06 +0200
+Subject: [PATCH] Fix buffer overflow on workdir path
+
+We make sure that the path used for workdir is reallocated before
+appending. This was initially included in upstream as part of
+https://github.com/containers/fuse-overlayfs/commit/d5b725b6f18a437db66bfc1456d04c3bf658f66a.
+
+Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
+Upstream-Status: Backport
+---
+ main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/main.c b/main.c
+index e5bdda1..118a6cb 100644
+--- a/main.c
++++ b/main.c
+@@ -5039,6 +5039,9 @@ main (int argc, char *argv[])
+ if (path == NULL)
+ goto err_out1;
+ mkdir (path, 0700);
++ path = realloc(path, strlen(path)+strlen("/work")+1);
++ if (!path)
++ error (EXIT_FAILURE, errno, "allocating workdir path");
+ strcat (path, "/work");
+ mkdir (path, 0700);
+ free (lo.workdir);
+--
+2.25.1
+
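Review bot: `path = realloc(path, strlen(path)+strlen("/work")+1);` overwrites the only reference to the buffer before the result is checked; it is safe here only because `error (EXIT_FAILURE, ...)` never returns, which a reader has to know. The conventional form `char *tmp = realloc (path, strlen (path) + strlen ("/work") + 1); if (tmp == NULL) error (EXIT_FAILURE, errno, "allocating workdir path"); path = tmp;` makes that explicit and stays correct if the error path is ever made non-fatal. The requested size is right for the following `strcat` (the `+1` covers the terminating NUL), so the heap overflow the subject names is closed. The rest of `main` lies outside the hunk; the same patch file appears again in the second copy of this patch below.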
diff --git a/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb b/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
index a02c1e6..4f793bd 100644
--- a/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
+++ b/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
@@ -6,7 +6,10 @@ LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SRCREV = "098d9ad79fdbb8538adde08628408aa32a8b4b17"
-SRC_URI = "git://github.com/containers/fuse-overlayfs.git;nobranch=1;protocol=https"
+SRC_URI = " \
+ git://github.com/containers/fuse-overlayfs.git;nobranch=1;protocol=https \
+ file://0001-Fix-buffer-overflow-on-workdir-path.patch \
+"
DEPENDS = "fuse3"
--
2.25.1
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
...-Fix-buffer-overflow-on-workdir-path.patch | 32 +++++++++++++++++++
.../fuse-overlayfs/fuse-overlayfs_0.6.4.bb | 5 ++-
2 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
diff --git a/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch b/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
new file mode 100644
index 0000000..129423d
--- /dev/null
+++ b/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
@@ -0,0 +1,32 @@
+From 7e5992d6121aed0cfcbfaf70472f28d87cff1426 Mon Sep 17 00:00:00 2001
+From: Andrei Gherzan <andrei.gherzan@...>
+Date: Mon, 11 Jul 2022 20:36:06 +0200
+Subject: [PATCH] Fix buffer overflow on workdir path
+
+We make sure that the path used for workdir is reallocated before
+appending. This was initially included in upstream as part of
+https://github.com/containers/fuse-overlayfs/commit/d5b725b6f18a437db66bfc1456d04c3bf658f66a.
+
+Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
+Upstream-Status: Backport
+---
+ main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/main.c b/main.c
+index e5bdda1..118a6cb 100644
+--- a/main.c
++++ b/main.c
+@@ -5039,6 +5039,9 @@ main (int argc, char *argv[])
+ if (path == NULL)
+ goto err_out1;
+ mkdir (path, 0700);
++ path = realloc(path, strlen(path)+strlen("/work")+1);
++ if (!path)
++ error (EXIT_FAILURE, errno, "allocating workdir path");
+ strcat (path, "/work");
+ mkdir (path, 0700);
+ free (lo.workdir);
+--
+2.25.1
+
diff --git a/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb b/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
index a02c1e6..4f793bd 100644
--- a/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
+++ b/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
@@ -6,7 +6,10 @@ LICENSE = "GPL-3.0-or-later"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SRCREV = "098d9ad79fdbb8538adde08628408aa32a8b4b17"
-SRC_URI = "git://github.com/containers/fuse-overlayfs.git;nobranch=1;protocol=https"
+SRC_URI = " \
+ git://github.com/containers/fuse-overlayfs.git;nobranch=1;protocol=https \
+ file://0001-Fix-buffer-overflow-on-workdir-path.patch \
+"
DEPENDS = "fuse3"
--
2.25.1
[PATCH v2 3/4] podman: Add support for rootless mode
Andrei Gherzan
From: Andrei Gherzan <andrei.gherzan@...>
This support is disabled by default and exposed via PACKAGECONFIG.
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
docs/00-INDEX | 3 +++
docs/podman.txt | 14 ++++++++++++++
docs/podman.txt.license | 3 +++
.../podman/podman/00-podman-rootless.conf | 6 ++++++
recipes-containers/podman/podman_git.bb | 11 ++++++++++-
5 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 docs/podman.txt
create mode 100644 docs/podman.txt.license
create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf
diff --git a/docs/00-INDEX b/docs/00-INDEX
index 5aa1b3c..6659fbe 100644
--- a/docs/00-INDEX
+++ b/docs/00-INDEX
@@ -11,5 +11,8 @@ alphabetical order as well.
openvswitch.txt
- example on how to setup openvswitch with qemu/kvm.
+podman.txt
+ - documentation on podman container engine integration.
+
xvisor.txt
- example on how to setup Xvisor for RISC-V QEMU.
diff --git a/docs/podman.txt b/docs/podman.txt
new file mode 100644
index 0000000..66a69b3
--- /dev/null
+++ b/docs/podman.txt
@@ -0,0 +1,14 @@
+Podman
+======
+
+Rootless mode
+-------------
+
+Podman is a daemonless container engine that has as one of its features the
+ability to run in rootless mode. This requires a set of configurations and
+additional components. The OE/Yocto integration configures podman with this
+support disabled by default. This can be changed via configuration files
+(distro, local.conf, etc.) or bbappends using the `PACKAGECONFIG` variable.
+
+To enable rootless support, add `rootless` to the `PACKAGECONFIG` podman
+recipe variable.
diff --git a/docs/podman.txt.license b/docs/podman.txt.license
new file mode 100644
index 0000000..c734870
--- /dev/null
+++ b/docs/podman.txt.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: MIT
diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.conf
new file mode 100644
index 0000000..aaede0e
--- /dev/null
+++ b/recipes-containers/podman/podman/00-podman-rootless.conf
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: MIT
+
+# User namespaces are required for rootless containers.
+user.max_user_namespaces = 15000
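Review bot: `user.max_user_namespaces = 15000` is shipped without explaining the number or its scope: the sysctl is a system-wide per-namespace creation limit, and on distributions that set it to 0 this line is what turns on unprivileged user namespace creation for every local user, not only for podman. Suggest extending the comment to `# Rootless containers need unprivileged user namespaces; 15000 is a generous creation limit (the kernel default depends on memory, some distros ship 0 to disable unprivileged userns).` so an integrator can weigh the kernel attack-surface trade-off before enabling `rootless`. Hedged: whether the target kernel restricts unprivileged userns by other means is outside this patch.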
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 961cd18..73d3c93 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -21,6 +21,7 @@ SRCREV = "cedbbfa543651a13055a1fe093a4d0a2a28ccdfd"
SRC_URI = " \
git://github.com/containers/libpod.git;branch=v4.1;protocol=https \
file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
+ ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://00-podman-rootless.conf', '', d)} \
"
LICENSE = "Apache-2.0"
@@ -97,6 +98,11 @@ do_install() {
# Silence docker emulation warnings.
mkdir -p ${D}/etc/containers
touch ${D}/etc/containers/nodocker
+
+ if ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'true', 'false', d)}; then
+ install -d "${D}${sysconfdir}/sysctl.d"
+ install -m 0644 "${WORKDIR}/00-podman-rootless.conf" "${D}${sysconfdir}/sysctl.d"
+ fi
}
FILES:${PN} += " \
@@ -112,6 +118,9 @@ SYSTEMD_SERVICE:${PN} = "podman.service podman.socket"
# that busybox is configured with nsenter
VIRTUAL-RUNTIME_base-utils-nsenter ?= "util-linux-nsenter"
-RDEPENDS:${PN} += "conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter}"
+RDEPENDS:${PN} += "\
+ conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'fuse-overlayfs slirp4netns', '', d)} \
+"
RRECOMMENDS:${PN} += "slirp4netns kernel-module-xt-masquerade kernel-module-xt-comment"
RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
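Review bot: The rootless RDEPENDS adds `fuse-overlayfs slirp4netns`, but rootless podman also relies on subordinate uid/gid ranges and the setuid `newuidmap`/`newgidmap` helpers, which nothing in this change provides or documents — hedged, since the rest of the recipe and the image configuration are outside the hunk. Either adding that provider to the conditional RDEPENDS or stating the requirement in docs/podman.txt would keep an integrator who enables `rootless` from getting a silently non-working setup. `slirp4netns` is also already in RRECOMMENDS on the following line, so it is listed twice once `rootless` is on. The `PACKAGECONFIG[rootless]` definition that the three `bb.utils.contains` checks depend on is not in the patch; confirm it exists in the unchanged part of the recipe.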
--
2.25.1
This support is disabled by default and exposed via PACKAGECONFIG.
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
docs/00-INDEX | 3 +++
docs/podman.txt | 14 ++++++++++++++
docs/podman.txt.license | 3 +++
.../podman/podman/00-podman-rootless.conf | 6 ++++++
recipes-containers/podman/podman_git.bb | 11 ++++++++++-
5 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 docs/podman.txt
create mode 100644 docs/podman.txt.license
create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf
diff --git a/docs/00-INDEX b/docs/00-INDEX
index 5aa1b3c..6659fbe 100644
--- a/docs/00-INDEX
+++ b/docs/00-INDEX
@@ -11,5 +11,8 @@ alphabetical order as well.
openvswitch.txt
- example on how to setup openvswitch with qemu/kvm.
+podman.txt
+ - documentation on podman container engine integration.
+
xvisor.txt
- example on how to setup Xvisor for RISC-V QEMU.
diff --git a/docs/podman.txt b/docs/podman.txt
new file mode 100644
index 0000000..66a69b3
--- /dev/null
+++ b/docs/podman.txt
@@ -0,0 +1,14 @@
+Podman
+======
+
+Rootless mode
+-------------
+
+Podman is a daemonless container engine that has as one of its features the
+ability to run in rootless mode. This requires a set of configurations and
+additional components. The OE/Yocto integration configures podman with this
+support disabled by default. This can be changed via configuration files
+(distro, local.conf, etc.) or bbappends using the `PACKAGECONFIG` variable.
+
+To enable rootless support, add `rootless` to the `PACKAGECONFIG` podman
+recipe variable.
diff --git a/docs/podman.txt.license b/docs/podman.txt.license
new file mode 100644
index 0000000..c734870
--- /dev/null
+++ b/docs/podman.txt.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: MIT
diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.conf
new file mode 100644
index 0000000..aaede0e
--- /dev/null
+++ b/recipes-containers/podman/podman/00-podman-rootless.conf
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: MIT
+
+# User namespaces are required for rootless containers.
+user.max_user_namespaces = 15000
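Review bot: The comment says user namespaces are required but not what this line changes: it only sets the per-user creation limit, and on mainline kernels the default is already non-zero and derived from memory if I recall correctly, so 15000 may be a no-op or even a reduction on larger systems, while the actual hard prerequisite, a kernel built with CONFIG_USER_NS, is expressed nowhere in the series. Because unprivileged user namespaces expose considerably more kernel surface to unprivileged users, an integrator should see that trade-off in the file; suggest `# Rootless containers need unprivileged user namespaces (kernel CONFIG_USER_NS); this sets the per-user creation limit and widens the kernel surface reachable by unprivileged users.` The same file is added at L1025, L1199, L1331 and L1484 in the v1 copies.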
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 961cd18..73d3c93 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -21,6 +21,7 @@ SRCREV = "cedbbfa543651a13055a1fe093a4d0a2a28ccdfd"
SRC_URI = " \
git://github.com/containers/libpod.git;branch=v4.1;protocol=https \
file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
+ ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://00-podman-rootless.conf', '', d)} \
"
LICENSE = "Apache-2.0"
@@ -97,6 +98,11 @@ do_install() {
# Silence docker emulation warnings.
mkdir -p ${D}/etc/containers
touch ${D}/etc/containers/nodocker
+
+ if ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'true', 'false', d)}; then
+ install -d "${D}${sysconfdir}/sysctl.d"
+ install -m 0644 "${WORKDIR}/00-podman-rootless.conf" "${D}${sysconfdir}/sysctl.d"
+ fi
}
FILES:${PN} += " \
@@ -112,6 +118,9 @@ SYSTEMD_SERVICE:${PN} = "podman.service podman.socket"
# that busybox is configured with nsenter
VIRTUAL-RUNTIME_base-utils-nsenter ?= "util-linux-nsenter"
-RDEPENDS:${PN} += "conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter}"
+RDEPENDS:${PN} += "\
+ conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter} \
+ ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'fuse-overlayfs slirp4netns', '', d)} \
+"
RRECOMMENDS:${PN} += "slirp4netns kernel-module-xt-masquerade kernel-module-xt-comment"
RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
--
2.25.1
[PATCH v2 2/4] podman: Silence docker emulation warnings
Andrei Gherzan
From: Andrei Gherzan <andrei.gherzan@...>
Podman can run via a docker symlink, emulating docker commands. By
default this generates a runtime warning. This change silences it via
the provided interface.
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
recipes-containers/podman/podman_git.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 547bc4e..961cd18 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -93,6 +93,10 @@ do_install() {
if ${@bb.utils.contains('PACKAGECONFIG', 'docker', 'true', 'false', d)}; then
oe_runmake install.docker DESTDIR="${D}"
fi
+
+ # Silence docker emulation warnings.
+ mkdir -p ${D}/etc/containers
+ touch ${D}/etc/containers/nodocker
}
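Review bot: The added lines hardcode `/etc` and leave `${D}` unquoted, whereas the rootless lines added to the same function in 3/4 (L676-L680) use `${sysconfdir}` and quote their paths, so do_install ends up mixing both forms; suggest `mkdir -p "${D}${sysconfdir}/containers"` and `touch "${D}${sysconfdir}/containers/nodocker"`. The hunk appears again at L839.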
FILES:${PN} += " \
--
2.25.1
Podman can run via a docker symlink, emulating docker commands. By
default this generates a runtime warning. This change silences it via
the provided interface.
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
recipes-containers/podman/podman_git.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 547bc4e..961cd18 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -93,6 +93,10 @@ do_install() {
if ${@bb.utils.contains('PACKAGECONFIG', 'docker', 'true', 'false', d)}; then
oe_runmake install.docker DESTDIR="${D}"
fi
+
+ # Silence docker emulation warnings.
+ mkdir -p ${D}/etc/containers
+ touch ${D}/etc/containers/nodocker
}
FILES:${PN} += " \
--
2.25.1
[PATCH v2 1/4] slirp4netns: Runtime recommend the tun kernel module
Andrei Gherzan
From: Andrei Gherzan <andrei.gherzan@...>
slirp4netns uses a TAP device to connect to the internet in an
unprivileged way. Without the required kernel support (TAP/TUN),
slirp4netns will fail at runtime.
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
recipes-networking/slirp4netns/slirp4netns_git.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/recipes-networking/slirp4netns/slirp4netns_git.bb b/recipes-networking/slirp4netns/slirp4netns_git.bb
index a63871c..6526d39 100644
--- a/recipes-networking/slirp4netns/slirp4netns_git.bb
+++ b/recipes-networking/slirp4netns/slirp4netns_git.bb
@@ -18,4 +18,6 @@ DEPENDS = "glib-2.0 libcap libseccomp libslirp"
S = "${WORKDIR}/git"
+RRECOMMENDS:${PN} += "kernel-module-tun"
+
inherit autotools pkgconfig
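Review bot: The new RRECOMMENDS carries no comment on why a recommendation rather than a hard dependency was chosen, so the reasoning from the v1 review (the kernel's TUN support may be built in rather than a module, so a hard dependency on the module package cannot be enforced, presumably) will be lost to the next reader; suggest `# slirp4netns needs TAP/TUN; only recommend the module since tun may be built into the kernel`. The hunk appears again at L879.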
--
2.25.1
slirp4netns uses a TAP device to connect to the internet in an
unprivileged way. Without the required kernel support (TAP/TUN),
slirp4netns will fail at runtime.
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
recipes-networking/slirp4netns/slirp4netns_git.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/recipes-networking/slirp4netns/slirp4netns_git.bb b/recipes-networking/slirp4netns/slirp4netns_git.bb
index a63871c..6526d39 100644
--- a/recipes-networking/slirp4netns/slirp4netns_git.bb
+++ b/recipes-networking/slirp4netns/slirp4netns_git.bb
@@ -18,4 +18,6 @@ DEPENDS = "glib-2.0 libcap libseccomp libslirp"
S = "${WORKDIR}/git"
+RRECOMMENDS:${PN} += "kernel-module-tun"
+
inherit autotools pkgconfig
--
2.25.1
docker/containerd/runc version compatibility
Ralph Siemsen
Perhaps someone here can help point me to relevant documentation. I'm
wondering if there are some guidelines about which version(s) of
docker/containerd/runc are compatible. I've searched through the
docker manuals and release notes, without finding very many details.
Backing up a step further, the dunfell branch of meta-virtualization
has docker-moby 19.03.15, containerd-v1.2.14, and runc-1.0.0-rc8. This
combination seems to work fine, however there are several CVEs
flagged.
In a somewhat naive attempt to fix some of the CVEs, I updated
containerd from 1.2.x to v1.4.12. This version was picked primarily
because it was available in gatesgarth at the time, I could just copy
the recipe over. This compiles and runs hello-world and ubuntu test
images successfully.
However over time, an oddity has emerged: even with no images
downloaded and therefore no containers running (just the daemon
sitting idle), the system log shows a goroutine crashing periodically
with "fatal error: bad symbol table". It can take up to 10 hours, but
usually happens within an hour, on an otherwise idle system.
This did not happen with the original set of versions on the dunfell
branch. So I'm wondering what versions can be combined? What other
tests (besides downloading and starting a container) could be run to
check that the chosen versions are working together correctly?
Any hints or advice would be appreciated!
Ralph
wondering if there are some guidelines about which version(s) of
docker/containerd/runc are compatible. I've searched through the
docker manuals and release notes, without finding very many details.
Backing up a step further, the dunfell branch of meta-virtualization
has docker-moby 19.03.15, containerd-v1.2.14, and runc-1.0.0-rc8. This
combination seems to work fine, however there are several CVEs
flagged.
In a somewhat naive attempt to fix some of the CVEs, I updated
containerd from 1.2.x to v1.4.12. This version was picked primarily
because it was available in gatesgarth at the time, I could just copy
the recipe over. This compiles and runs hello-world and ubuntu test
images successfully.
However over time, an oddity has emerged: even with no images
downloaded and therefore no containers running (just the daemon
sitting idle), the system log shows a goroutine crashing periodically
with "fatal error: bad symbol table". It can take up to 10 hours, but
usually happens within an hour, on an otherwise idle system.
This did not happen with the original set of versions on the dunfell
branch. So I'm wondering what versions can be combined? What other
tests (besides downloading and starting a container) could be run to
check that the chosen versions are working together correctly?
Any hints or advice would be appreciated!
Ralph
Re: [kirkstone][PATCH 3/3] podman: Add support for rootless mode
Andrei Gherzan
On Mon, 11 Jul 2022, at 14:42, Bruce Ashfield wrote:
Andrei
On Mon, Jul 11, 2022 at 9:39 AM Andrei Gherzan <andrei@...> wrote:Deal. I'll do this in the next v.I think that's ok .. it's a balance between keeping kirkstone useful,
On Mon, 11 Jul 2022, at 14:31, Bruce Ashfield wrote:This is new functionality ... and while we don't have a strict ruleThat makes sense. Would you accept it with a disabled default in kirkstone?
about not adding new features to existing releases, this is stretching
the definition, since it does have the potential to cause issues.
It is definitely fine for master, but I'm not particularly keen to
start adding new features to kirkstone.
and not requiring folks to carry too many changes in their layers.
It's easy enough by inspection to show that the disabled feature won't
impact existing functionality or break anything.
On further thought, we should keep it disabled by default even in
master, so from that point of view, we can keep them in alignment.
Andrei
Re: [PATCH 3/3] podman: Add support for rootless mode
Andrei Gherzan
On Mon, 11 Jul 2022, at 14:38, Bruce Ashfield wrote:
This is following the reuse.software compliance. I've used a separate license file for the txt one so that I don't affect the actual documentation if they get post-processed in any way afterwards - there is no standard for comments in txt files. This is basically saying that given that I don't want to touch file foo, I'll create a foo.license file with the extra SPDX metadata.
Andrei
On Mon, Jul 11, 2022 at 9:00 AM Andrei Gherzan <andrei@...> wrote:That is definitely my bad. It should be MIT. I'll re-push with the changed license.I haven't been following along closely enough to the copyright thread
From: Andrei Gherzan <andrei.gherzan@...>
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
docs/00-INDEX | 3 +++
docs/podman.txt | 15 +++++++++++++++
docs/podman.txt.license | 3 +++
.../podman/podman/00-podman-rootless.conf | 6 ++++++
recipes-containers/podman/podman_git.bb | 15 ++++++++++++++-
5 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 docs/podman.txt
create mode 100644 docs/podman.txt.license
create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf
diff --git a/docs/00-INDEX b/docs/00-INDEX
index 5aa1b3c..6659fbe 100644
--- a/docs/00-INDEX
+++ b/docs/00-INDEX
@@ -11,5 +11,8 @@ alphabetical order as well.
openvswitch.txt
- example on how to setup openvswitch with qemu/kvm.
+podman.txt
+ - documentation on podman container engine integration.
+
xvisor.txt
- example on how to setup Xvisor for RISC-V QEMU.
diff --git a/docs/podman.txt b/docs/podman.txt
new file mode 100644
index 0000000..9f35501
--- /dev/null
+++ b/docs/podman.txt
@@ -0,0 +1,15 @@
+Podman
+======
+
+Rootless mode
+-------------
+
+Podman is a daemonless container engine that has as one of its features the
+ability to run in rootless mode. This requires a set of configurations and
+additional components. The OE/Yocto integration configures podman with this
+support enabled by default. This can be changed via configuration files
+(distro, local.conf, etc.) or bbaappends using the `PODMAN_ROOTLESS` variable.
+
+To disable rootless support set the variable to '0':
+
+PODMAN_ROOTLESS = "0"
diff --git a/docs/podman.txt.license b/docs/podman.txt.license
new file mode 100644
index 0000000..940435e
--- /dev/null
+++ b/docs/podman.txt.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: Apache-2.0
that Richard started, but these jumped out at me.
Aren't most of the .conf files considered MIT (i.e. part of the meta
data / recipe space) ? And are we putting copyright's in conf files
and .txt files now ? I'm definitely not an expert (at all!!) but that
doesn't seem quite right to me, when they are configuration files that
follow standard practices for the packages we are integrating.
This is following the reuse.software compliance. I've used a separate license file for the txt one so that I don't affect the actual documentation if they get post-processed in any way afterwards - there is no standard for comments in txt files. This is basically saying that given that I don't want to touch file foo, I'll create a foo.license file with the extra SPDX metadata.
Good idea. I like that. I'll change it in the next v.diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.confIsn't there a way to do this with PACKAGECONFIG ? We could just as
new file mode 100644
index 0000000..2aca663
--- /dev/null
+++ b/recipes-containers/podman/podman/00-podman-rootless.conf
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# User namespaces are required for rootless containers.
+user.max_user_namespaces = 15000
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 961cd18..2680f40 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -6,6 +6,10 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
`alias docker=podman`. \
"
+# podman can run in rootless mode with the help of additional components:
+# https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
+PODMAN_ROOTLESS ?= "1"
easily check for the option in that, and then we have a place for
extra rdepends, etc,as required.
Andrei
Re: [kirkstone][PATCH 3/3] podman: Add support for rootless mode
Bruce Ashfield
On Mon, Jul 11, 2022 at 9:39 AM Andrei Gherzan <andrei@...> wrote:
and not requiring folks to carry too many changes in their layers.
It's easy enough by inspection to show that the disabled feature won't
impact existing functionality or break anything.
On further thought, we should keep it disabled by default even in
master, so from that point of view, we can keep them in alignment.
Bruce
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
I think that's ok .. it's a balance between keeping kirkstone useful,
On Mon, 11 Jul 2022, at 14:31, Bruce Ashfield wrote:This is new functionality ... and while we don't have a strict ruleThat makes sense. Would you accept it with a disabled default in kirkstone?
about not adding new features to existing releases, this is stretching
the definition, since it does have the potential to cause issues.
It is definitely fine for master, but I'm not particularly keen to
start adding new features to kirkstone.
and not requiring folks to carry too many changes in their layers.
It's easy enough by inspection to show that the disabled feature won't
impact existing functionality or break anything.
On further thought, we should keep it disabled by default even in
master, so from that point of view, we can keep them in alignment.
Bruce
--
Andrei Gherzan
gpg: rsa4096/D4D94F67AD0E9640
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
Re: [PATCH 1/3] slirp4netns: Require tun kernel module
Andrei Gherzan
On Mon, 11 Jul 2022, at 14:26, Bruce Ashfield wrote:
--
Andrei Gherzan
gpg: rsa4096/D4D94F67AD0E9640
On Mon, Jul 11, 2022 at 9:00 AM Andrei Gherzan <andrei@...> wrote:Agreed.This needs to be a RRECOMMENDS, since we can suggest, but not enforce
From: Andrei Gherzan <andrei.gherzan@...>
slirp4netns uses a TAP device to connect to the internet in an
unprivileged way. Without the required kernel support (TAP/TUN),
slirp4netns will fail at runtime.
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
recipes-networking/slirp4netns/slirp4netns_git.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/recipes-networking/slirp4netns/slirp4netns_git.bb b/recipes-networking/slirp4netns/slirp4netns_git.bb
index a63871c..4bf25b8 100644
--- a/recipes-networking/slirp4netns/slirp4netns_git.bb
+++ b/recipes-networking/slirp4netns/slirp4netns_git.bb
@@ -18,4 +18,6 @@ DEPENDS = "glib-2.0 libcap libseccomp libslirp"
S = "${WORKDIR}/git"
+RDEPENDS:${PN} += "kernel-module-tun"
a specific configuration.
--
Andrei Gherzan
gpg: rsa4096/D4D94F67AD0E9640
Re: [kirkstone][PATCH 3/3] podman: Add support for rootless mode
Andrei Gherzan
On Mon, 11 Jul 2022, at 14:31, Bruce Ashfield wrote:
--
Andrei Gherzan
gpg: rsa4096/D4D94F67AD0E9640
This is new functionality ... and while we don't have a strict ruleThat makes sense. Would you accept it with a disabled default in kirkstone?
about not adding new features to existing releases, this is stretching
the definition, since it does have the potential to cause issues.
It is definitely fine for master, but I'm not particularly keen to
start adding new features to kirkstone.
--
Andrei Gherzan
gpg: rsa4096/D4D94F67AD0E9640
Re: [PATCH 3/3] podman: Add support for rootless mode
Bruce Ashfield
On Mon, Jul 11, 2022 at 9:00 AM Andrei Gherzan <andrei@...> wrote:
that Richard started, but these jumped out at me.
Aren't most of the .conf files considered MIT (i.e. part of the meta
data / recipe space) ? And are we putting copyright's in conf files
and .txt files now ? I'm definitely not an expert (at all!!) but that
doesn't seem quite right to me, when they are configuration files that
follow standard practices for the packages we are integrating.
easily check for the option in that, and then we have a place for
extra rdepends, etc,as required.
Bruce
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
I haven't been following along closely enough to the copyright thread
From: Andrei Gherzan <andrei.gherzan@...>
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
docs/00-INDEX | 3 +++
docs/podman.txt | 15 +++++++++++++++
docs/podman.txt.license | 3 +++
.../podman/podman/00-podman-rootless.conf | 6 ++++++
recipes-containers/podman/podman_git.bb | 15 ++++++++++++++-
5 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 docs/podman.txt
create mode 100644 docs/podman.txt.license
create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf
diff --git a/docs/00-INDEX b/docs/00-INDEX
index 5aa1b3c..6659fbe 100644
--- a/docs/00-INDEX
+++ b/docs/00-INDEX
@@ -11,5 +11,8 @@ alphabetical order as well.
openvswitch.txt
- example on how to setup openvswitch with qemu/kvm.
+podman.txt
+ - documentation on podman container engine integration.
+
xvisor.txt
- example on how to setup Xvisor for RISC-V QEMU.
diff --git a/docs/podman.txt b/docs/podman.txt
new file mode 100644
index 0000000..9f35501
--- /dev/null
+++ b/docs/podman.txt
@@ -0,0 +1,15 @@
+Podman
+======
+
+Rootless mode
+-------------
+
+Podman is a daemonless container engine that has as one of its features the
+ability to run in rootless mode. This requires a set of configurations and
+additional components. The OE/Yocto integration configures podman with this
+support enabled by default. This can be changed via configuration files
+(distro, local.conf, etc.) or bbaappends using the `PODMAN_ROOTLESS` variable.
+
+To disable rootless support set the variable to '0':
+
+PODMAN_ROOTLESS = "0"
diff --git a/docs/podman.txt.license b/docs/podman.txt.license
new file mode 100644
index 0000000..940435e
--- /dev/null
+++ b/docs/podman.txt.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: Apache-2.0
that Richard started, but these jumped out at me.
Aren't most of the .conf files considered MIT (i.e. part of the meta
data / recipe space) ? And are we putting copyright's in conf files
and .txt files now ? I'm definitely not an expert (at all!!) but that
doesn't seem quite right to me, when they are configuration files that
follow standard practices for the packages we are integrating.
diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.confIsn't there a way to do this with PACKAGECONFIG ? We could just as
new file mode 100644
index 0000000..2aca663
--- /dev/null
+++ b/recipes-containers/podman/podman/00-podman-rootless.conf
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# User namespaces are required for rootless containers.
+user.max_user_namespaces = 15000
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 961cd18..2680f40 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -6,6 +6,10 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
`alias docker=podman`. \
"
+# podman can run in rootless mode with the help of additional components:
+# https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
+PODMAN_ROOTLESS ?= "1"
easily check for the option in that, and then we have a place for
extra rdepends, etc,as required.
Bruce
+
inherit features_check
REQUIRED_DISTRO_FEATURES ?= "seccomp ipv6"
@@ -21,6 +25,7 @@ SRCREV = "cedbbfa543651a13055a1fe093a4d0a2a28ccdfd"
SRC_URI = " \
git://github.com/containers/libpod.git;branch=v4.1;protocol=https \
file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
+ ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'file://00-podman-rootless.conf', '', d)} \
"
LICENSE = "Apache-2.0"
@@ -97,6 +102,11 @@ do_install() {
# Silence docker emulation warnings.
mkdir -p ${D}/etc/containers
touch ${D}/etc/containers/nodocker
+
+ if [ "${PODMAN_ROOTLESS}" = "1" ]; then
+ install -d "${D}${sysconfdir}/sysctl.d"
+ install -m 0644 "${WORKDIR}/00-podman-rootless.conf" "${D}${sysconfdir}/sysctl.d"
+ fi
}
FILES:${PN} += " \
@@ -112,6 +122,9 @@ SYSTEMD_SERVICE:${PN} = "podman.service podman.socket"
# that busybox is configured with nsenter
VIRTUAL-RUNTIME_base-utils-nsenter ?= "util-linux-nsenter"
-RDEPENDS:${PN} += "conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter}"
+RDEPENDS:${PN} += "\
+ conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter} \
+ ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'fuse-overlayfs slirp4netns', '', d)} \
+"
RRECOMMENDS:${PN} += "slirp4netns kernel-module-xt-masquerade kernel-module-xt-comment"
RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
--
2.25.1
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
Re: [kirkstone][PATCH 3/3] podman: Add support for rootless mode
Bruce Ashfield
This is new functionality ... and while we don't have a strict rule
about not adding new features to existing releases, this is stretching
the definition, since it does have the potential to cause issues.
It is definitely fine for master, but I'm not particularly keen to
start adding new features to kirkstone.
Bruce
about not adding new features to existing releases, this is stretching
the definition, since it does have the potential to cause issues.
It is definitely fine for master, but I'm not particularly keen to
start adding new features to kirkstone.
Bruce
On Mon, Jul 11, 2022 at 9:01 AM Andrei Gherzan <andrei@...> wrote:
From: Andrei Gherzan <andrei.gherzan@...>
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
docs/00-INDEX | 3 +++
docs/podman.txt | 15 +++++++++++++++
docs/podman.txt.license | 3 +++
.../podman/podman/00-podman-rootless.conf | 6 ++++++
recipes-containers/podman/podman_git.bb | 15 ++++++++++++++-
5 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 docs/podman.txt
create mode 100644 docs/podman.txt.license
create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf
diff --git a/docs/00-INDEX b/docs/00-INDEX
index 5aa1b3c..6659fbe 100644
--- a/docs/00-INDEX
+++ b/docs/00-INDEX
@@ -11,5 +11,8 @@ alphabetical order as well.
openvswitch.txt
- example on how to setup openvswitch with qemu/kvm.
+podman.txt
+ - documentation on podman container engine integration.
+
xvisor.txt
- example on how to setup Xvisor for RISC-V QEMU.
diff --git a/docs/podman.txt b/docs/podman.txt
new file mode 100644
index 0000000..9f35501
--- /dev/null
+++ b/docs/podman.txt
@@ -0,0 +1,15 @@
+Podman
+======
+
+Rootless mode
+-------------
+
+Podman is a daemonless container engine that has as one of its features the
+ability to run in rootless mode. This requires a set of configurations and
+additional components. The OE/Yocto integration configures podman with this
+support enabled by default. This can be changed via configuration files
+(distro, local.conf, etc.) or bbaappends using the `PODMAN_ROOTLESS` variable.
+
+To disable rootless support set the variable to '0':
+
+PODMAN_ROOTLESS = "0"
diff --git a/docs/podman.txt.license b/docs/podman.txt.license
new file mode 100644
index 0000000..940435e
--- /dev/null
+++ b/docs/podman.txt.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: Apache-2.0
diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.conf
new file mode 100644
index 0000000..2aca663
--- /dev/null
+++ b/recipes-containers/podman/podman/00-podman-rootless.conf
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# User namespaces are required for rootless containers.
+user.max_user_namespaces = 15000
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 4693bd6..4dcd0f2 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -6,6 +6,10 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
`alias docker=podman`. \
"
+# podman can run in rootless mode with the help of additional components:
+# https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
+PODMAN_ROOTLESS ?= "1"
+
inherit features_check
REQUIRED_DISTRO_FEATURES ?= "seccomp ipv6"
@@ -21,6 +25,7 @@ SRCREV = "717edd7b844dcd66468f5d991991d87e9fc14c12"
SRC_URI = " \
git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
+ ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'file://00-podman-rootless.conf', '', d)} \
"
LICENSE = "Apache-2.0"
@@ -97,6 +102,11 @@ do_install() {
# Silence docker emulation warnings.
mkdir -p ${D}/etc/containers
touch ${D}/etc/containers/nodocker
+
+ if [ "${PODMAN_ROOTLESS}" = "1" ]; then
+ install -d "${D}${sysconfdir}/sysctl.d"
+ install -m 0644 "${WORKDIR}/00-podman-rootless.conf" "${D}${sysconfdir}/sysctl.d"
+ fi
}
FILES:${PN} += " \
@@ -112,6 +122,9 @@ SYSTEMD_SERVICE:${PN} = "podman.service podman.socket"
# that busybox is configured with nsenter
VIRTUAL-RUNTIME_base-utils-nsenter ?= "util-linux-nsenter"
-RDEPENDS:${PN} += "conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter}"
+RDEPENDS:${PN} += "\
+ conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter} \
+ ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'fuse-overlayfs slirp4netns', '', d)} \
+"
RRECOMMENDS:${PN} += "slirp4netns kernel-module-xt-masquerade kernel-module-xt-comment"
RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
--
2.25.1
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
Re: [PATCH 1/3] slirp4netns: Require tun kernel module
Bruce Ashfield
On Mon, Jul 11, 2022 at 9:00 AM Andrei Gherzan <andrei@...> wrote:
a specific configuration.
Bruce
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
This needs to be a RRECOMMENDS, since we can suggest, but not enforce
From: Andrei Gherzan <andrei.gherzan@...>
slirp4netns uses a TAP device to connect to the internet in an
unprivileged way. Without the required kernel support (TAP/TUN),
slirp4netns will fail at runtime.
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
recipes-networking/slirp4netns/slirp4netns_git.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/recipes-networking/slirp4netns/slirp4netns_git.bb b/recipes-networking/slirp4netns/slirp4netns_git.bb
index a63871c..4bf25b8 100644
--- a/recipes-networking/slirp4netns/slirp4netns_git.bb
+++ b/recipes-networking/slirp4netns/slirp4netns_git.bb
@@ -18,4 +18,6 @@ DEPENDS = "glib-2.0 libcap libseccomp libslirp"
S = "${WORKDIR}/git"
+RDEPENDS:${PN} += "kernel-module-tun"
a specific configuration.
Bruce
+
inherit autotools pkgconfig
--
2.25.1
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
[kirkstone][PATCH 3/3] podman: Add support for rootless mode
Andrei Gherzan
From: Andrei Gherzan <andrei.gherzan@...>
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
docs/00-INDEX | 3 +++
docs/podman.txt | 15 +++++++++++++++
docs/podman.txt.license | 3 +++
.../podman/podman/00-podman-rootless.conf | 6 ++++++
recipes-containers/podman/podman_git.bb | 15 ++++++++++++++-
5 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 docs/podman.txt
create mode 100644 docs/podman.txt.license
create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf
diff --git a/docs/00-INDEX b/docs/00-INDEX
index 5aa1b3c..6659fbe 100644
--- a/docs/00-INDEX
+++ b/docs/00-INDEX
@@ -11,5 +11,8 @@ alphabetical order as well.
openvswitch.txt
- example on how to setup openvswitch with qemu/kvm.
+podman.txt
+ - documentation on podman container engine integration.
+
xvisor.txt
- example on how to setup Xvisor for RISC-V QEMU.
diff --git a/docs/podman.txt b/docs/podman.txt
new file mode 100644
index 0000000..9f35501
--- /dev/null
+++ b/docs/podman.txt
@@ -0,0 +1,15 @@
+Podman
+======
+
+Rootless mode
+-------------
+
+Podman is a daemonless container engine that has as one of its features the
+ability to run in rootless mode. This requires a set of configurations and
+additional components. The OE/Yocto integration configures podman with this
+support enabled by default. This can be changed via configuration files
+(distro, local.conf, etc.) or bbaappends using the `PODMAN_ROOTLESS` variable.
+
+To disable rootless support set the variable to '0':
+
+PODMAN_ROOTLESS = "0"
diff --git a/docs/podman.txt.license b/docs/podman.txt.license
new file mode 100644
index 0000000..940435e
--- /dev/null
+++ b/docs/podman.txt.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: Apache-2.0
diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.conf
new file mode 100644
index 0000000..2aca663
--- /dev/null
+++ b/recipes-containers/podman/podman/00-podman-rootless.conf
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# User namespaces are required for rootless containers.
+user.max_user_namespaces = 15000
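Review bot: The value 15000 on the last line has no stated rationale, and the comment above it does not say what the drop-in actually changes on the target. Where a distro kernel ships with user.max_user_namespaces set to 0, installing this file re-enables unprivileged user namespaces system-wide, which is the security-relevant effect an integrator needs to see when deciding on PODMAN_ROOTLESS. Suggest replacing the comment with: `# Rootless podman needs unprivileged user namespaces. Some kernels ship with`, `# user.max_user_namespaces = 0 (disabled); this drop-in re-enables them with a`, `# ceiling of 15000, chosen because <REASON — fill in>.` and keep the value unchanged. The same new-file hunk is repeated in the second copy of this patch further down the page.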
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 4693bd6..4dcd0f2 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -6,6 +6,10 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
`alias docker=podman`. \
"
+# podman can run in rootless mode with the help of additional components:
+# https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
+PODMAN_ROOTLESS ?= "1"
+
inherit features_check
REQUIRED_DISTRO_FEATURES ?= "seccomp ipv6"
@@ -21,6 +25,7 @@ SRCREV = "717edd7b844dcd66468f5d991991d87e9fc14c12"
SRC_URI = " \
git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
+ ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'file://00-podman-rootless.conf', '', d)} \
"
LICENSE = "Apache-2.0"
@@ -97,6 +102,11 @@ do_install() {
# Silence docker emulation warnings.
mkdir -p ${D}/etc/containers
touch ${D}/etc/containers/nodocker
+
+ if [ "${PODMAN_ROOTLESS}" = "1" ]; then
+ install -d "${D}${sysconfdir}/sysctl.d"
+ install -m 0644 "${WORKDIR}/00-podman-rootless.conf" "${D}${sysconfdir}/sysctl.d"
+ fi
}
FILES:${PN} += " \
@@ -112,6 +122,9 @@ SYSTEMD_SERVICE:${PN} = "podman.service podman.socket"
# that busybox is configured with nsenter
VIRTUAL-RUNTIME_base-utils-nsenter ?= "util-linux-nsenter"
-RDEPENDS:${PN} += "conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter}"
+RDEPENDS:${PN} += "\
+ conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter} \
+ ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'fuse-overlayfs slirp4netns', '', d)} \
+"
RRECOMMENDS:${PN} += "slirp4netns kernel-module-xt-masquerade kernel-module-xt-comment"
RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
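Review bot: The conditional dependency list on the new RDEPENDS lines looks incomplete against the rootless tutorial the recipe itself links: rootless podman also relies on newuidmap/newgidmap and on /etc/subuid and /etc/subgid ranges for the unprivileged user, and nothing in this patch pulls in or documents either. Confirm whether `shadow` (or whichever package provides newuidmap in this distro) belongs in the `bb.utils.contains('PODMAN_ROOTLESS', '1', ...)` branch, and consider stating the subuid/subgid expectation in docs/podman.txt so an image that sets PODMAN_ROOTLESS = "1" is not left with a non-working rootless mode. Separately, slirp4netns is now listed in the conditional RDEPENDS branch and still unconditionally in RRECOMMENDS on the following context line; keeping it only in the conditional branch makes the PODMAN_ROOTLESS = "0" opt-out actually drop it. The same hunk is repeated in the second copy of this patch below.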
--
2.25.1
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
docs/00-INDEX | 3 +++
docs/podman.txt | 15 +++++++++++++++
docs/podman.txt.license | 3 +++
.../podman/podman/00-podman-rootless.conf | 6 ++++++
recipes-containers/podman/podman_git.bb | 15 ++++++++++++++-
5 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 docs/podman.txt
create mode 100644 docs/podman.txt.license
create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf
diff --git a/docs/00-INDEX b/docs/00-INDEX
index 5aa1b3c..6659fbe 100644
--- a/docs/00-INDEX
+++ b/docs/00-INDEX
@@ -11,5 +11,8 @@ alphabetical order as well.
openvswitch.txt
- example on how to setup openvswitch with qemu/kvm.
+podman.txt
+ - documentation on podman container engine integration.
+
xvisor.txt
- example on how to setup Xvisor for RISC-V QEMU.
diff --git a/docs/podman.txt b/docs/podman.txt
new file mode 100644
index 0000000..9f35501
--- /dev/null
+++ b/docs/podman.txt
@@ -0,0 +1,15 @@
+Podman
+======
+
+Rootless mode
+-------------
+
+Podman is a daemonless container engine that has as one of its features the
+ability to run in rootless mode. This requires a set of configurations and
+additional components. The OE/Yocto integration configures podman with this
+support enabled by default. This can be changed via configuration files
+(distro, local.conf, etc.) or bbaappends using the `PODMAN_ROOTLESS` variable.
+
+To disable rootless support set the variable to '0':
+
+PODMAN_ROOTLESS = "0"
diff --git a/docs/podman.txt.license b/docs/podman.txt.license
new file mode 100644
index 0000000..940435e
--- /dev/null
+++ b/docs/podman.txt.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: Apache-2.0
diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.conf
new file mode 100644
index 0000000..2aca663
--- /dev/null
+++ b/recipes-containers/podman/podman/00-podman-rootless.conf
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# User namespaces are required for rootless containers.
+user.max_user_namespaces = 15000
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 4693bd6..4dcd0f2 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -6,6 +6,10 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
`alias docker=podman`. \
"
+# podman can run in rootless mode with the help of additional components:
+# https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
+PODMAN_ROOTLESS ?= "1"
+
inherit features_check
REQUIRED_DISTRO_FEATURES ?= "seccomp ipv6"
@@ -21,6 +25,7 @@ SRCREV = "717edd7b844dcd66468f5d991991d87e9fc14c12"
SRC_URI = " \
git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
+ ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'file://00-podman-rootless.conf', '', d)} \
"
LICENSE = "Apache-2.0"
@@ -97,6 +102,11 @@ do_install() {
# Silence docker emulation warnings.
mkdir -p ${D}/etc/containers
touch ${D}/etc/containers/nodocker
+
+ if [ "${PODMAN_ROOTLESS}" = "1" ]; then
+ install -d "${D}${sysconfdir}/sysctl.d"
+ install -m 0644 "${WORKDIR}/00-podman-rootless.conf" "${D}${sysconfdir}/sysctl.d"
+ fi
}
FILES:${PN} += " \
@@ -112,6 +122,9 @@ SYSTEMD_SERVICE:${PN} = "podman.service podman.socket"
# that busybox is configured with nsenter
VIRTUAL-RUNTIME_base-utils-nsenter ?= "util-linux-nsenter"
-RDEPENDS:${PN} += "conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter}"
+RDEPENDS:${PN} += "\
+ conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter} \
+ ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'fuse-overlayfs slirp4netns', '', d)} \
+"
RRECOMMENDS:${PN} += "slirp4netns kernel-module-xt-masquerade kernel-module-xt-comment"
RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
--
2.25.1
[kirkstone][PATCH 2/3] podman: Silence docker emulation warnings
Andrei Gherzan
From: Andrei Gherzan <andrei.gherzan@...>
Podman can run via a docker symlink emulating docker commands. By
default this generates a runtime warning. This change silences it via
the provided interface.
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
recipes-containers/podman/podman_git.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 727a298..4693bd6 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -93,6 +93,10 @@ do_install() {
if ${@bb.utils.contains('PACKAGECONFIG', 'docker', 'true', 'false', d)}; then
oe_runmake install.docker DESTDIR="${D}"
fi
+
+ # Silence docker emulation warnings.
+ mkdir -p ${D}/etc/containers
+ touch ${D}/etc/containers/nodocker
}
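Review bot: The two added commands hardcode /etc and leave ${D} unquoted: `mkdir -p ${D}/etc/containers` and `touch ${D}/etc/containers/nodocker`. The OE convention is to use the sysconfdir variable and quote the destination, i.e. `install -d "${D}${sysconfdir}/containers"` followed by `touch "${D}${sysconfdir}/containers/nodocker"`, which also keeps this block consistent with other install paths in the recipe. The enclosing do_install starts before this hunk. The same hunk appears again in the repeated copy of this patch below.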
FILES:${PN} += " \
--
2.25.1
Podman can run via a docker symlink emulating docker commands. By
default this generates a runtime warning. This change silences it via
the provided interface.
Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
recipes-containers/podman/podman_git.bb | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 727a298..4693bd6 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -93,6 +93,10 @@ do_install() {
if ${@bb.utils.contains('PACKAGECONFIG', 'docker', 'true', 'false', d)}; then
oe_runmake install.docker DESTDIR="${D}"
fi
+
+ # Silence docker emulation warnings.
+ mkdir -p ${D}/etc/containers
+ touch ${D}/etc/containers/nodocker
}
FILES:${PN} += " \
--
2.25.1