* [Buildroot] [PATCH v3 0/7] Container - Guest
@ 2020-06-21  7:59 Francois Perrad
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 1/7] configs/guest_*: some new defconfig Francois Perrad
                   ` (6 more replies)
  0 siblings, 7 replies; 18+ messages in thread
From: Francois Perrad @ 2020-06-21  7:59 UTC (permalink / raw)
  To: buildroot

Buildroot supports some OS-level virtualization tools: Docker, LXC, systemd-nspawn.
These tools are built on a host image.

This series introduces a set of defconfigs in order to create a guest image.

After some experiments, packages docker & systemd need some tweaks.

v2 -> v3:
  - more examples in readme.txt (including Dockerfile from SkiffOS)
  - select BR2_PACKAGE_CGROUPFS_MOUNT conditional

RFC -> v2:
  - refactor with FOO_LINUX_CONFIG_FIXUPS (new in 2020.05)
  - add option BR2_PACKAGE_SYSTEMD_GUEST

Francois Perrad (7):
  configs/guest_*: some new defconfig
  board/guest: documentation and sample files
  package/docker-engine: needs some kernel options
  package/docker-engine: needs more runtime dependencies
  package/systemd: needs kernel options
  package/systemd: add an option BR2_PACKAGE_SYSTEMD_GUEST
  configs/guest_*: use BR2_PACKAGE_SYSTEMD_GUEST

 DEVELOPERS                             |   2 +
 board/guest/Dockerfile                 |   2 +
 board/guest/readme.txt                 | 143 +++++++++++++++++++++++++
 configs/guest_arm_a7_defconfig         |  29 +++++
 configs/guest_arm_a9_defconfig         |  31 ++++++
 configs/guest_x86_64_defconfig         |  28 +++++
 package/docker-engine/Config.in        |   1 +
 package/docker-engine/docker-engine.mk |  67 ++++++++++++
 package/systemd/Config.in              |  14 ++-
 package/systemd/systemd.mk             |  17 ++-
 10 files changed, 328 insertions(+), 6 deletions(-)
 create mode 100644 board/guest/Dockerfile
 create mode 100644 board/guest/readme.txt
 create mode 100644 configs/guest_arm_a7_defconfig
 create mode 100644 configs/guest_arm_a9_defconfig
 create mode 100644 configs/guest_x86_64_defconfig

-- 
2.25.1


* [Buildroot] [PATCH v3 1/7] configs/guest_*: some new defconfig
  2020-06-21  7:59 [Buildroot] [PATCH v3 0/7] Container - Guest Francois Perrad
@ 2020-06-21  7:59 ` Francois Perrad
  2020-07-27  9:49   ` Peter Korsgaard
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 2/7] board/guest: documentation and sample files Francois Perrad
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 18+ messages in thread
From: Francois Perrad @ 2020-06-21  7:59 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
 DEVELOPERS                     |  1 +
 configs/guest_arm_a7_defconfig | 16 ++++++++++++++++
 configs/guest_arm_a9_defconfig | 18 ++++++++++++++++++
 configs/guest_x86_64_defconfig | 15 +++++++++++++++
 4 files changed, 50 insertions(+)
 create mode 100644 configs/guest_arm_a7_defconfig
 create mode 100644 configs/guest_arm_a9_defconfig
 create mode 100644 configs/guest_x86_64_defconfig

diff --git a/DEVELOPERS b/DEVELOPERS
index efb97c739..035a75358 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -906,6 +906,7 @@ F:	package/ser2net/
 N:	Francois Perrad <francois.perrad@gadz.org>
 F:	board/olimex/a20_olinuxino
 F:	board/olimex/imx233_olinuxino/
+F:	configs/guest_*
 F:	configs/olimex_a20_olinuxino_*
 F:	configs/olimex_imx233_olinuxino_defconfig
 F:	package/4th/
diff --git a/configs/guest_arm_a7_defconfig b/configs/guest_arm_a7_defconfig
new file mode 100644
index 000000000..efe9a1369
--- /dev/null
+++ b/configs/guest_arm_a7_defconfig
@@ -0,0 +1,16 @@
+# Architecture
+BR2_arm=y
+BR2_cortex_a7=y
+
+# Toolchain
+BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
+BR2_KERNEL_HEADERS_VERSION=y
+BR2_DEFAULT_KERNEL_VERSION="4.15"
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_15=y
+
+# System
+BR2_INIT_SYSTEMD=y
+# BR2_TARGET_GENERIC_GETTY is not set
+
+# Filesystem
+BR2_TARGET_ROOTFS_TAR=y
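
Review bot: the Toolchain block pins the kernel headers to 4.15 (BR2_DEFAULT_KERNEL_VERSION="4.15", BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_15=y) without saying why. This image ships no kernel of its own and runs on the container host's kernel, so the header version sets the oldest host kernel glibc will accept; add a comment justifying 4.15 or build against the oldest headers Buildroot supports. The same lines are repeated in guest_arm_a9_defconfig and guest_x86_64_defconfig.
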
diff --git a/configs/guest_arm_a9_defconfig b/configs/guest_arm_a9_defconfig
new file mode 100644
index 000000000..02c3d302d
--- /dev/null
+++ b/configs/guest_arm_a9_defconfig
@@ -0,0 +1,18 @@
+# Architecture
+BR2_arm=y
+BR2_cortex_a9=y
+BR2_ARM_ENABLE_NEON=y
+BR2_ARM_ENABLE_VFP=y
+
+# Toolchain
+BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
+BR2_KERNEL_HEADERS_VERSION=y
+BR2_DEFAULT_KERNEL_VERSION="4.15"
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_15=y
+
+# System
+BR2_INIT_SYSTEMD=y
+# BR2_TARGET_GENERIC_GETTY is not set
+
+# Filesystem
+BR2_TARGET_ROOTFS_TAR=y
diff --git a/configs/guest_x86_64_defconfig b/configs/guest_x86_64_defconfig
new file mode 100644
index 000000000..42d1d659a
--- /dev/null
+++ b/configs/guest_x86_64_defconfig
@@ -0,0 +1,15 @@
+# Architecture
+BR2_x86_64=y
+
+# Toolchain
+BR2_TOOLCHAIN_BUILDROOT_GLIBC=y
+BR2_KERNEL_HEADERS_VERSION=y
+BR2_DEFAULT_KERNEL_VERSION="4.15"
+BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_15=y
+
+# System
+BR2_INIT_SYSTEMD=y
+# BR2_TARGET_GENERIC_GETTY is not set
+
+# Filesystem
+BR2_TARGET_ROOTFS_TAR=y
-- 
2.25.1


* [Buildroot] [PATCH v3 2/7] board/guest: documentation and sample files
  2020-06-21  7:59 [Buildroot] [PATCH v3 0/7] Container - Guest Francois Perrad
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 1/7] configs/guest_*: some new defconfig Francois Perrad
@ 2020-06-21  7:59 ` Francois Perrad
  2020-07-27  9:46   ` Peter Korsgaard
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 3/7] package/docker-engine: needs some kernel options Francois Perrad
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 18+ messages in thread
From: Francois Perrad @ 2020-06-21  7:59 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
 DEVELOPERS             |   1 +
 board/guest/Dockerfile |   2 +
 board/guest/readme.txt | 143 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 146 insertions(+)
 create mode 100644 board/guest/Dockerfile
 create mode 100644 board/guest/readme.txt

diff --git a/DEVELOPERS b/DEVELOPERS
index 035a75358..2ec84e611 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -904,6 +904,7 @@ N:	Francisco Gonzalez <gzmorell@gmail.com>
 F:	package/ser2net/
 
 N:	Francois Perrad <francois.perrad@gadz.org>
+F:	board/guest/
 F:	board/olimex/a20_olinuxino
 F:	board/olimex/imx233_olinuxino/
 F:	configs/guest_*
diff --git a/board/guest/Dockerfile b/board/guest/Dockerfile
new file mode 100644
index 000000000..d218acad1
--- /dev/null
+++ b/board/guest/Dockerfile
@@ -0,0 +1,2 @@
+FROM scratch
+ADD rootfs.tar /
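
Review bot: the two-line Dockerfile depends on rootfs.tar being present in the build context and on ADD unpacking a local tar archive, and neither is stated in the file. A leading comment saying that rootfs.tar must be copied from output/images/ next to this Dockerfile before running docker build would make the sample usable without reading readme.txt first.
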
diff --git a/board/guest/readme.txt b/board/guest/readme.txt
new file mode 100644
index 000000000..31087ef38
--- /dev/null
+++ b/board/guest/readme.txt
@@ -0,0 +1,143 @@
+Container - Guest
+
+Intro
+=====
+
+Buildroot supports some OS-level virtualization tools: Docker, LXC, systemd-nspawn.
+These tools are built on an host image.
+
+A container could be created from a rootfs (guest image) built by Buildroot with a guest_*_defconfig
+
+The following defconfig are available:
+    - guest_arm_a7_defconfig
+    - guest_arm_a9_defconfig
+    - guest_x86_64_defconfig
+
+The artifact produced by these defconfig is the file output/images/rootfs.tar.
+The guest has no bootloader, no kernel.
+
+How to with Docker
+==================
+
+A Docker image could created with a Dockerfile and few commands are needed:
+
+    # dockerd &
+
+    $ cat Dockerfile
+    FROM scratch
+    ADD rootfs.tar /
+    $ docker build --tag br:guest .
+    $ docker images
+    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+    br                  guest               0c54c85a3452        42 seconds ago      1.75MB
+
+The Docker image could be exported and imported with the commands `docker save` and `docker load`.
+
+And the Docker image could be launched in interactive mode:
+
+    $ docker run -it br:guest /bin/ash
+        / # ls -l /bin/ash
+        lrwxrwxrwx    1 root     root             7 Mar 11 15:46 /bin/ash -> busybox
+        / # exit
+
+This Docker image is like a toy, for serious thinks like running in daemon mode with a systemd init,
+another Dockerfile is needed, see the following example adapted from [SkiffOS](https://github.com/paralin/SkiffOS)
+
+    $ cat Dockerfile
+    FROM scratch
+
+    ENV container docker
+    ENV init /lib/systemd/systemd
+    ENV LC_ALL C
+
+    ADD rootfs.tar /
+
+    USER root
+    RUN find /etc/systemd/system \
+             /usr/lib/systemd/system \
+             \( -path '*.wants/*' \
+             -name '*swapon*' \
+             -or -name '*ntpd*' \
+             -or -name '*resolved*' \
+             -or -name '*udev*' \
+             -or -name '*rdisc*' \
+             -or -name '*freedesktop*' \
+             -or -name '*persist-resize*' \
+             -or -name '*NetworkManager*' \
+             -or -name '*remount-fs*' \
+             -or -name '*getty*' \
+             -or -name '*.mount' \
+             -or -name '*remote-fs*' \) \
+             -exec echo \{} \; \
+             -exec rm \{} \;
+
+    VOLUME [ "/sys/fs/cgroup" ]
+    ENTRYPOINT ["/usr/lib/systemd/systemd"]
+
+    $ docker build --tag br:guest .
+    $ docker images
+    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
+    br                  guest               0ce72ab89517        10 seconds ago      19.9MB
+
+Running in daemon mode:
+
+    $ docker run -d \
+        --privileged \
+        --cap-add=NET_ADMIN \
+        --security-opt seccomp=unconfined \
+        --stop-signal=SIGRTMIN+3 \
+        --tmpfs /run \
+        --tmpfs /run/lock \
+        -t \
+        -v /sys/fs/cgroup:/sys/fs/cgroup:ro \
+        br:guest
+    $ docker ps
+    CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS               NAMES
+    14cc7dabc0c2        br:guest            "/usr/lib/systemd/sy..." 5 seconds ago       Up 5 seconds                            distracted_chaum
+
+Execute an interactive command in the running container:
+
+    $ docker exec -it 14cc7dabc0c2 /bin/ash
+    / # ps
+    PID   USER     COMMAND
+        1 root     /usr/lib/systemd/systemd
+       15 root     /usr/lib/systemd/systemd-journald
+       24 dbus     /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
+       38 root     /bin/ash
+       44 root     ps
+    / #
+    / # exit
+
+Finally, stoping the container:
+
+    $ docker stop 14cc7dabc0c2
+
+
+How to with systemd-nspawn
+==========================
+
+On the host side, BR2_PACKAGE_SYSTEMD_MACHINED is needed (or run systemd-nspawn with --register=no).
+
+Extract rootfs.tar in a directory /usr/lib/machines/container.
+
+Running in interactive mode:
+
+    # systemd-nspawn --machine=container
+        # ps
+        PID   USER     COMMAND
+            1 root     -sh
+            3 root     ps
+        # exit
+
+Running in daemon mode (with the guest systemd init):
+
+    # systemd-nspawn --machine=container --boot
+        # ps
+        PID   USER     COMMAND
+            1 root     /usr/lib/systemd/systemd
+           11 root     /usr/lib/systemd/systemd-journald
+           20 systemd- /usr/lib/systemd/systemd-resolved
+           23 root     -sh
+           24 dbus     /usr/bin/dbud-daemon --system --address=systemd: --nofork --nopi
+           33 root     ps
+        # halt
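
Review bot: the daemon-mode `docker run` example combines `--privileged` with `--cap-add=NET_ADMIN` and `--security-opt seccomp=unconfined`, and the readme never says what that costs. `--privileged` already grants every capability and turns off the seccomp profile, so the other two flags are redundant, and the container ends up with almost no isolation from the host. Either state that trade-off next to the command, or drop `--privileged` and keep only the narrower options if the guest systemd starts with them. Smaller points in the same file: "could created" should be "could be created", "serious thinks" should be "serious things", "stoping" should be "stopping", and the nspawn ps listing shows "dbud-daemon" where the Docker listing shows "dbus-daemon".
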
-- 
2.25.1


* [Buildroot] [PATCH v3 3/7] package/docker-engine: needs some kernel options
  2020-06-21  7:59 [Buildroot] [PATCH v3 0/7] Container - Guest Francois Perrad
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 1/7] configs/guest_*: some new defconfig Francois Perrad
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 2/7] board/guest: documentation and sample files Francois Perrad
@ 2020-06-21  7:59 ` Francois Perrad
  2020-07-27 15:15   ` Peter Korsgaard
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 4/7] package/docker-engine: needs more runtime dependencies Francois Perrad
                   ` (3 subsequent siblings)
  6 siblings, 1 reply; 18+ messages in thread
From: Francois Perrad @ 2020-06-21  7:59 UTC (permalink / raw)
  To: buildroot

according to https://wiki.gentoo.org/wiki/Docker#Kernel

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
 package/docker-engine/docker-engine.mk | 67 ++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)

diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
index 78f6c1261..41600486c 100644
--- a/package/docker-engine/docker-engine.mk
+++ b/package/docker-engine/docker-engine.mk
@@ -79,4 +79,71 @@ define DOCKER_ENGINE_USERS
 	- - docker -1 * - - - Docker Application Container Framework
 endef
 
+ifeq ($(BR2_PACKAGE_DOCKER_ENGINE_DRIVER_BTRFS),y)
+define DOCKER_ENGINE_DRIVER_BTRFS_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BTRFS_FS)
+endef
+endif
+
+define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_POSIX_MQUEUE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_MEMCG)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_MEMCG_SWAP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BLK_CGROUP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_SCHED)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_FAIR_GROUP_SCHED)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CFS_BANDWIDTH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_RT_GROUP_SCHED)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_PIDS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_FREEZER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CPUSETS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PROC_PID_CPUSET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_PERF)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BLOCK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BLK_DEV_THROTTLING)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_ADVANCED)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE_NETFILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNTRACK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_SCHED)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_CLS_CGROUP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_L3_MASTER_DEV)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_NET_PRIO)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_NETCLASSID)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_MD)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BLK_DEV_DM)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_MD_THIN_PROVISIONING)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_CORE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_DUMMY)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_MACVLAN)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IPVLAN)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_VXLAN)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_VETH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_OVERLAY_FS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_KEYS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PERSISTENT_KEYRINGS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_ENCRYPTED_KEYS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_KEY_DH_OPERATIONS)
+	$(DOCKER_ENGINE_DRIVER_BTRFS_LINUX_CONFIG_FIXUPS)
+endef
+
 $(eval $(golang-package))
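
Review bot: DOCKER_ENGINE_LINUX_CONFIG_FIXUPS force-enables every listed option on every kernel built alongside docker-engine, with no distinction between what dockerd needs to start and what only some setups use (for example CONFIG_USER_NS, CONFIG_MEMCG_SWAP, CONFIG_VXLAN, or the CONFIG_MD / CONFIG_BLK_DEV_DM group). Split the list into a required part and optional parts, each with a one-line comment, so integrators can see which kernel features are being switched on for them. Also check CONFIG_MD_THIN_PROVISIONING: the neighbouring device-mapper option is CONFIG_BLK_DEV_DM, and the thin-provisioning target symbol is CONFIG_DM_THIN_PROVISIONING.
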
-- 
2.25.1


* [Buildroot] [PATCH v3 4/7] package/docker-engine: needs more runtime dependencies
  2020-06-21  7:59 [Buildroot] [PATCH v3 0/7] Container - Guest Francois Perrad
                   ` (2 preceding siblings ...)
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 3/7] package/docker-engine: needs some kernel options Francois Perrad
@ 2020-06-21  7:59 ` Francois Perrad
  2020-07-27  8:26   ` Peter Korsgaard
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 5/7] package/systemd: needs kernel options Francois Perrad
                   ` (2 subsequent siblings)
  6 siblings, 1 reply; 18+ messages in thread
From: Francois Perrad @ 2020-06-21  7:59 UTC (permalink / raw)
  To: buildroot

fix error:
	failed to start daemon: Devices cgroup isn't mounted

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
 package/docker-engine/Config.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/docker-engine/Config.in b/package/docker-engine/Config.in
index 1fd229fcb..4fe6956ab 100644
--- a/package/docker-engine/Config.in
+++ b/package/docker-engine/Config.in
@@ -5,6 +5,7 @@ config BR2_PACKAGE_DOCKER_ENGINE
 	depends on BR2_TOOLCHAIN_HAS_THREADS
 	depends on !BR2_TOOLCHAIN_USES_UCLIBC # docker-containerd -> runc
 	depends on BR2_USE_MMU # docker-containerd
+	select BR2_PACKAGE_CGROUPFS_MOUNT if !BR2_PACKAGE_SYSTEMD # runtime dependency
 	select BR2_PACKAGE_DOCKER_CONTAINERD # runtime dependency
 	select BR2_PACKAGE_DOCKER_PROXY # runtime dependency
 	select BR2_PACKAGE_IPTABLES # runtime dependency
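
Review bot: the `if !BR2_PACKAGE_SYSTEMD` condition on the new select is unexplained; the trailing comment only says "runtime dependency", as on the unconditional selects below it. Say in the comment why systemd builds are exempt (presumably because systemd mounts the cgroup hierarchy itself), so a later cleanup does not drop or invert the condition and bring back the "Devices cgroup isn't mounted" failure quoted in the commit message.
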
-- 
2.25.1


* [Buildroot] [PATCH v3 5/7] package/systemd: needs kernel options
  2020-06-21  7:59 [Buildroot] [PATCH v3 0/7] Container - Guest Francois Perrad
                   ` (3 preceding siblings ...)
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 4/7] package/docker-engine: needs more runtime dependencies Francois Perrad
@ 2020-06-21  7:59 ` Francois Perrad
  2020-07-27 15:26   ` Peter Korsgaard
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 6/7] package/systemd: add an option BR2_PACKAGE_SYSTEMD_GUEST Francois Perrad
  2020-06-21  8:00 ` [Buildroot] [PATCH v3 7/7] configs/guest_*: use BR2_PACKAGE_SYSTEMD_GUEST Francois Perrad
  6 siblings, 1 reply; 18+ messages in thread
From: Francois Perrad @ 2020-06-21  7:59 UTC (permalink / raw)
  To: buildroot

according to https://wiki.gentoo.org/wiki/Systemd#Kernel

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
 package/systemd/systemd.mk | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index 8e01a0db5..b7213dd12 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -565,9 +565,18 @@ SYSTEMD_CONF_ENV = $(HOST_UTF8_LOCALE_ENV)
 SYSTEMD_NINJA_ENV = $(HOST_UTF8_LOCALE_ENV)
 
 define SYSTEMD_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_POSIX_MQUEUE)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS)
-	$(call KCONFIG_ENABLE_OPT,CONFIG_INOTIFY_USER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_BPF)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_FHANDLE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_EPOLL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SIGNALFD)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_TIMERFD)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BPF_SYSCALL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_DEVTMPFS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_INOTIFY_USER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PROC_FS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SYSFS)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_AUTOFS4_FS)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_TMPFS_POSIX_ACL)
 	$(call KCONFIG_ENABLE_OPT,CONFIG_TMPFS_XATTR)
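
Review bot: CONFIG_CGROUP_BPF and CONFIG_BPF_SYSCALL are forced on for every systemd build in the same list as basics such as CONFIG_PROC_FS and CONFIG_SYSFS, with nothing saying which entries are hard requirements. Enabling the bpf() system call is a kernel attack-surface decision that some targets will want to make for themselves, so name the systemd feature that needs it in a comment or make those two lines conditional. The CONFIG_INOTIFY_USER line is only moved further down; leaving it where it was would keep the diff to the real additions.
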
-- 
2.25.1


* [Buildroot] [PATCH v3 6/7] package/systemd: add an option BR2_PACKAGE_SYSTEMD_GUEST
  2020-06-21  7:59 [Buildroot] [PATCH v3 0/7] Container - Guest Francois Perrad
                   ` (4 preceding siblings ...)
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 5/7] package/systemd: needs kernel options Francois Perrad
@ 2020-06-21  7:59 ` Francois Perrad
  2020-07-27  9:59   ` Peter Korsgaard
  2020-06-21  8:00 ` [Buildroot] [PATCH v3 7/7] configs/guest_*: use BR2_PACKAGE_SYSTEMD_GUEST Francois Perrad
  6 siblings, 1 reply; 18+ messages in thread
From: Francois Perrad @ 2020-06-21  7:59 UTC (permalink / raw)
  To: buildroot

this option allows a systemd tailored for a guest/container

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
 package/systemd/Config.in  | 14 ++++++++++----
 package/systemd/systemd.mk |  6 +++++-
 2 files changed, 15 insertions(+), 5 deletions(-)

diff --git a/package/systemd/Config.in b/package/systemd/Config.in
index dd3b8c534..a8595dce8 100644
--- a/package/systemd/Config.in
+++ b/package/systemd/Config.in
@@ -35,10 +35,10 @@ menuconfig BR2_PACKAGE_SYSTEMD
 	select BR2_PACKAGE_UTIL_LINUX_MOUNT
 	select BR2_PACKAGE_UTIL_LINUX_NOLOGIN
 	select BR2_PACKAGE_UTIL_LINUX_FSCK
-	select BR2_PACKAGE_KMOD
-	select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS # kmod-tools
-	select BR2_PACKAGE_KMOD_TOOLS
-	select BR2_TARGET_TZ_INFO
+	select BR2_PACKAGE_KMOD if !BR2_PACKAGE_SYSTEMD_GUEST
+	select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS if !BR2_PACKAGE_SYSTEMD_GUEST # kmod-tools
+	select BR2_PACKAGE_KMOD_TOOLS if !BR2_PACKAGE_SYSTEMD_GUEST
+	select BR2_TARGET_TZ_INFO if !BR2_PACKAGE_SYSTEMD_GUEST
 	select BR2_NEEDS_HOST_UTF8_LOCALE
 	select BR2_PACKAGE_HOST_SYSTEMD # for systemctl preset-all, during target-finalize
 	help
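
Review bot: the `if !BR2_PACKAGE_SYSTEMD_GUEST` condition is applied to four selects at once, but the commit message ("tailored for a guest/container") only plausibly covers the three kmod-related ones. Nothing explains why BR2_TARGET_TZ_INFO stops being selected in a guest; either give the reason in a comment on that line or leave the timezone select unconditional and keep this change to kmod.
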
@@ -90,6 +90,12 @@ if BR2_PACKAGE_SYSTEMD
 config BR2_PACKAGE_PROVIDES_UDEV
 	default "systemd"
 
+config BR2_PACKAGE_SYSTEMD_GUEST
+	bool "systemd-guest"
+	default n
+	help
+	  this option allows a systemd tailored for a guest/container.
+
 config BR2_PACKAGE_SYSTEMD_BOOT
 	bool "systemd-boot"
 	depends on BR2_i386 || BR2_x86_64
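
Review bot: the help text for BR2_PACKAGE_SYSTEMD_GUEST repeats the commit subject and does not tell the user what changes when the option is enabled. List the concrete effects (kmod, kmod tools and tzdata are no longer selected) so the option can be chosen knowingly. `default n` is redundant for a bool and can be dropped, and the prompt "systemd-guest" reads like a systemd component name next to "systemd-boot" even though it is a build profile.
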
diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index b7213dd12..c5572c369 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -13,11 +13,15 @@ SYSTEMD_DEPENDENCIES = \
 	$(BR2_COREUTILS_HOST_DEPENDENCY) \
 	$(if $(BR2_PACKAGE_BASH_COMPLETION),bash-completion) \
 	host-gperf \
-	kmod \
 	libcap \
 	util-linux \
 	$(TARGET_NLS_DEPENDENCIES)
 
+ifneq ($(BR2_PACKAGE_SYSTEMD_GUEST),y)
+	SYSTEMD_DEPENDENCIES += kmod
+endif
+
+
 SYSTEMD_PROVIDES = udev
 
 SYSTEMD_CONF_OPTS += \
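
Review bot: the assignment inside the new `ifneq` block is indented with a tab (`	SYSTEMD_DEPENDENCIES += kmod`), and the block is followed by two blank lines. In a makefile a tab-indented line can be taken as a recipe line depending on what precedes it, so put the assignment at column 0, and keep a single blank line before SYSTEMD_PROVIDES.
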
-- 
2.25.1


* [Buildroot] [PATCH v3 7/7] configs/guest_*: use BR2_PACKAGE_SYSTEMD_GUEST
  2020-06-21  7:59 [Buildroot] [PATCH v3 0/7] Container - Guest Francois Perrad
                   ` (5 preceding siblings ...)
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 6/7] package/systemd: add an option BR2_PACKAGE_SYSTEMD_GUEST Francois Perrad
@ 2020-06-21  8:00 ` Francois Perrad
  6 siblings, 0 replies; 18+ messages in thread
From: Francois Perrad @ 2020-06-21  8:00 UTC (permalink / raw)
  To: buildroot

Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
---
 configs/guest_arm_a7_defconfig | 13 +++++++++++++
 configs/guest_arm_a9_defconfig | 13 +++++++++++++
 configs/guest_x86_64_defconfig | 13 +++++++++++++
 3 files changed, 39 insertions(+)

diff --git a/configs/guest_arm_a7_defconfig b/configs/guest_arm_a7_defconfig
index efe9a1369..2a9081edf 100644
--- a/configs/guest_arm_a7_defconfig
+++ b/configs/guest_arm_a7_defconfig
@@ -11,6 +11,19 @@ BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_15=y
 # System
 BR2_INIT_SYSTEMD=y
 # BR2_TARGET_GENERIC_GETTY is not set
+# BR2_TARGET_TZ_INFO is not set
 
 # Filesystem
 BR2_TARGET_ROOTFS_TAR=y
+
+# Packages
+# BR2_PACKAGE_BUSYBOX_SHOW_OTHERS is not set
+# BR2_PACKAGE_KMOD is not set
+BR2_PACKAGE_SYSTEMD_GUEST=y
+# BR2_PACKAGE_SYSTEMD_PSTORE is not set
+# BR2_PACKAGE_SYSTEMD_HOSTNAMED is not set
+# BR2_PACKAGE_SYSTEMD_HWDB is not set
+# BR2_PACKAGE_SYSTEMD_MYHOSTNAME is not set
+# BR2_PACKAGE_SYSTEMD_NETWORKD is not set
+# BR2_PACKAGE_SYSTEMD_TIMEDATED is not set
+# BR2_PACKAGE_SYSTEMD_TIMESYNCD is not set
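
Review bot: the new Packages block turns off seven systemd components and kmod without a word on why each is unnecessary in a container, and the same block is pasted into all three defconfigs. Add a short comment (for example that networking, time and hostname are expected to come from the host) so the list can be reviewed and kept in sync. Note also that `# BR2_PACKAGE_KMOD is not set` and `# BR2_TARGET_TZ_INFO is not set` only take effect because BR2_PACKAGE_SYSTEMD_GUEST=y lifts the selects changed in patch 6/7; a comment tying them together would prevent someone removing the _GUEST line and silently getting kmod and tzdata back.
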
diff --git a/configs/guest_arm_a9_defconfig b/configs/guest_arm_a9_defconfig
index 02c3d302d..2d19a31cd 100644
--- a/configs/guest_arm_a9_defconfig
+++ b/configs/guest_arm_a9_defconfig
@@ -13,6 +13,19 @@ BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_15=y
 # System
 BR2_INIT_SYSTEMD=y
 # BR2_TARGET_GENERIC_GETTY is not set
+# BR2_TARGET_TZ_INFO is not set
 
 # Filesystem
 BR2_TARGET_ROOTFS_TAR=y
+
+# Packages
+# BR2_PACKAGE_BUSYBOX_SHOW_OTHERS is not set
+# BR2_PACKAGE_KMOD is not set
+BR2_PACKAGE_SYSTEMD_GUEST=y
+# BR2_PACKAGE_SYSTEMD_PSTORE is not set
+# BR2_PACKAGE_SYSTEMD_HOSTNAMED is not set
+# BR2_PACKAGE_SYSTEMD_HWDB is not set
+# BR2_PACKAGE_SYSTEMD_MYHOSTNAME is not set
+# BR2_PACKAGE_SYSTEMD_NETWORKD is not set
+# BR2_PACKAGE_SYSTEMD_TIMEDATED is not set
+# BR2_PACKAGE_SYSTEMD_TIMESYNCD is not set
diff --git a/configs/guest_x86_64_defconfig b/configs/guest_x86_64_defconfig
index 42d1d659a..4e19d23e5 100644
--- a/configs/guest_x86_64_defconfig
+++ b/configs/guest_x86_64_defconfig
@@ -10,6 +10,19 @@ BR2_PACKAGE_HOST_LINUX_HEADERS_CUSTOM_4_15=y
 # System
 BR2_INIT_SYSTEMD=y
 # BR2_TARGET_GENERIC_GETTY is not set
+# BR2_TARGET_TZ_INFO is not set
 
 # Filesystem
 BR2_TARGET_ROOTFS_TAR=y
+
+# Packages
+# BR2_PACKAGE_BUSYBOX_SHOW_OTHERS is not set
+# BR2_PACKAGE_KMOD is not set
+BR2_PACKAGE_SYSTEMD_GUEST=y
+# BR2_PACKAGE_SYSTEMD_PSTORE is not set
+# BR2_PACKAGE_SYSTEMD_HOSTNAMED is not set
+# BR2_PACKAGE_SYSTEMD_HWDB is not set
+# BR2_PACKAGE_SYSTEMD_MYHOSTNAME is not set
+# BR2_PACKAGE_SYSTEMD_NETWORKD is not set
+# BR2_PACKAGE_SYSTEMD_TIMEDATED is not set
+# BR2_PACKAGE_SYSTEMD_TIMESYNCD is not set
-- 
2.25.1


* [Buildroot] [PATCH v3 4/7] package/docker-engine: needs more runtime dependencies
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 4/7] package/docker-engine: needs more runtime dependencies Francois Perrad
@ 2020-07-27  8:26   ` Peter Korsgaard
  0 siblings, 0 replies; 18+ messages in thread
From: Peter Korsgaard @ 2020-07-27  8:26 UTC (permalink / raw)
  To: buildroot

>>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:

 > fix error:
 > 	failed to start daemon: Devices cgroup isn't mounted

 > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>

Committed, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v3 2/7] board/guest: documentation and sample files
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 2/7] board/guest: documentation and sample files Francois Perrad
@ 2020-07-27  9:46   ` Peter Korsgaard
  2020-07-27 19:50     ` François Perrad
  2020-07-27 20:49     ` Christian Stewart
  0 siblings, 2 replies; 18+ messages in thread
From: Peter Korsgaard @ 2020-07-27  9:46 UTC (permalink / raw)
  To: buildroot

>>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:

 > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
 > ---
 >  DEVELOPERS             |   1 +
 >  board/guest/Dockerfile |   2 +
 >  board/guest/readme.txt | 143 +++++++++++++++++++++++++++++++++++++++++
 >  3 files changed, 146 insertions(+)
 >  create mode 100644 board/guest/Dockerfile
 >  create mode 100644 board/guest/readme.txt

..

 > +How to with Docker
 > +==================
 > +
 > +A Docker image could created with a Dockerfile and few commands are needed:
 > +
 > +    # dockerd &
 > +
 > +    $ cat Dockerfile
 > +    FROM scratch
 > +    ADD rootfs.tar /
 > +    $ docker build --tag br:guest .
 > +    $ docker images
 > +    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
 > +    br                  guest               0c54c85a3452        42 seconds ago      1.75MB

NIT: Why not just use docker import rootfs.tar br:test?

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v3 1/7] configs/guest_*: some new defconfig
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 1/7] configs/guest_*: some new defconfig Francois Perrad
@ 2020-07-27  9:49   ` Peter Korsgaard
  2020-07-27 19:53     ` François Perrad
  0 siblings, 1 reply; 18+ messages in thread
From: Peter Korsgaard @ 2020-07-27  9:49 UTC (permalink / raw)
  To: buildroot

>>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:

 > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
 > ---
 >  DEVELOPERS                     |  1 +
 >  configs/guest_arm_a7_defconfig | 16 ++++++++++++++++
 >  configs/guest_arm_a9_defconfig | 18 ++++++++++++++++++
 >  configs/guest_x86_64_defconfig | 15 +++++++++++++++

Like Christian, I am not really convinced these defconfigs add any real
value.

You have decided to use glibc / 4.15 headers / systemd, which seems
pretty random to me.

If anything, they should build with the oldest kernel headers version we
support, so you can use the final docker image on older distributions
without getting the dreaded:

FATAL: kernel too old

From glibc.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v3 6/7] package/systemd: add an option BR2_PACKAGE_SYSTEMD_GUEST
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 6/7] package/systemd: add an option BR2_PACKAGE_SYSTEMD_GUEST Francois Perrad
@ 2020-07-27  9:59   ` Peter Korsgaard
  0 siblings, 0 replies; 18+ messages in thread
From: Peter Korsgaard @ 2020-07-27  9:59 UTC (permalink / raw)
  To: buildroot

>>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:

 > this option allows a systemd tailored for a guest/container
 > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
 > ---
 >  package/systemd/Config.in  | 14 ++++++++++----
 >  package/systemd/systemd.mk |  6 +++++-
 >  2 files changed, 15 insertions(+), 5 deletions(-)

 > diff --git a/package/systemd/Config.in b/package/systemd/Config.in
 > index dd3b8c534..a8595dce8 100644
 > --- a/package/systemd/Config.in
 > +++ b/package/systemd/Config.in
 > @@ -35,10 +35,10 @@ menuconfig BR2_PACKAGE_SYSTEMD
 >  	select BR2_PACKAGE_UTIL_LINUX_MOUNT
 >  	select BR2_PACKAGE_UTIL_LINUX_NOLOGIN
 >  	select BR2_PACKAGE_UTIL_LINUX_FSCK
 > -	select BR2_PACKAGE_KMOD
 > -	select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS # kmod-tools
 > -	select BR2_PACKAGE_KMOD_TOOLS
 > -	select BR2_TARGET_TZ_INFO
 > +	select BR2_PACKAGE_KMOD if !BR2_PACKAGE_SYSTEMD_GUEST
 > +	select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS if !BR2_PACKAGE_SYSTEMD_GUEST # kmod-tools
 > +	select BR2_PACKAGE_KMOD_TOOLS if !BR2_PACKAGE_SYSTEMD_GUEST

If kmod isn't REQUIRED, then I am fine with only pulling it in depending
on BR2_PACKAGE_KMOD, E.G. for a non-modular kernel.

 > +	select BR2_TARGET_TZ_INFO if !BR2_PACKAGE_SYSTEMD_GUEST

This I don't get. Why would the timezone info not be needed in a guest?

Docker at least afaik doesn't do anything special to expose timezone to
guests:

date
Mon Jul 27 11:57:54 CEST 2020

docker run --rm -it debian:latest date
Mon Jul 27 09:57:56 UTC 2020

Care to send a patch to just make kmod optional instead of this _GUEST
option?

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v3 3/7] package/docker-engine: needs some kernel options
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 3/7] package/docker-engine: needs some kernel options Francois Perrad
@ 2020-07-27 15:15   ` Peter Korsgaard
  0 siblings, 0 replies; 18+ messages in thread
From: Peter Korsgaard @ 2020-07-27 15:15 UTC (permalink / raw)
  To: buildroot

>>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:

 > according to https://wiki.gentoo.org/wiki/Docker#Kernel

A better source is docker-engine/contrib/check-config.sh. See below for
the suggestions from it.

 > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
 > ---
 >  package/docker-engine/docker-engine.mk | 67 ++++++++++++++++++++++++++
 >  1 file changed, 67 insertions(+)

 > diff --git a/package/docker-engine/docker-engine.mk b/package/docker-engine/docker-engine.mk
 > index 78f6c1261..41600486c 100644
 > --- a/package/docker-engine/docker-engine.mk
 > +++ b/package/docker-engine/docker-engine.mk
 > @@ -79,4 +79,71 @@ define DOCKER_ENGINE_USERS
 >  	- - docker -1 * - - - Docker Application Container Framework
 >  endef
 
 > +ifeq ($(BR2_PACKAGE_DOCKER_ENGINE_DRIVER_BTRFS),y)
 > +define DOCKER_ENGINE_DRIVER_BTRFS_LINUX_CONFIG_FIXUPS
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_BTRFS_FS)

check-config.sh also mentions xattr support for btrfs, so I've added:

  $(call KCONFIG_ENABLE_OPT,CONFIG_BTRFS_FS_POSIX_ACL)

 > +endef
 > +endif
 > +
 > +define DOCKER_ENGINE_LINUX_CONFIG_FIXUPS
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_POSIX_MQUEUE)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_MEMCG)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_MEMCG_SWAP)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_BLK_CGROUP)

MEMCG_SWAP and BLK_CGROUP are optional (E.G. you may be running from an
initramfs or without swap). I've dropped them.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_FAIR_GROUP_SCHED)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_CFS_BANDWIDTH)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_RT_GROUP_SCHED)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_PIDS)

Same for these.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_PROC_PID_CPUSET)

And this.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_PERF)

This is afaik not used by docker.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)

User namespace is optional.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_BLOCK)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_BLK_DEV_THROTTLING)

Same for BLK_CGROUP.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNTRACK)

check-config.sh also mentions CONFIG_NETFILTER_XT_MATCH_IPVS. This
depends on IPVS support in the kernel to get used. I've added
_XT_MATCH_IPVS so it gets enabled if IPVS support is turned on.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_NETMAP)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_REDIRECT)

These are (afaik) not needed.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_SCHED)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_CLS_CGROUP)

Optional.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_L3_MASTER_DEV)

(afaik) not used.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_NET_PRIO)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_NETCLASSID)

Optional.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_MD)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_BLK_DEV_DM)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_MD_THIN_PROVISIONING)

These are only needed for the non-default devicemapper support, so I
moved them to a DOCKER_ENGINE_DRIVER_DM_LINUX_CONFIG_FIXUPS conditional.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_PERSISTENT_KEYRINGS)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_ENCRYPTED_KEYS)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_KEY_DH_OPERATIONS)
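
Review bot: `DOCKER_ENGINE_LINUX_CONFIG_FIXUPS` force-enables every option in one flat, uncommented list, so any kernel built for a docker-engine target gets `CONFIG_USER_NS`, the `CONFIG_MD` / `CONFIG_BLK_DEV_DM` / `CONFIG_MD_THIN_PROVISIONING` group and the three key options whether or not the selected configuration uses them. Only the btrfs driver is gated (`ifeq ($(BR2_PACKAGE_DOCKER_ENGINE_DRIVER_BTRFS),y)`); the devicemapper options should be gated the same way, and each remaining group should carry a comment naming the docker feature that needs it. `CONFIG_USER_NS` in particular widens the kernel interface reachable by unprivileged processes, so it should be an explicit choice rather than a side effect of selecting the package.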

These are (afaik) not used, so dropped.

Committed with these fixes, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v3 5/7] package/systemd: needs kernel options
  2020-06-21  7:59 ` [Buildroot] [PATCH v3 5/7] package/systemd: needs kernel options Francois Perrad
@ 2020-07-27 15:26   ` Peter Korsgaard
  0 siblings, 0 replies; 18+ messages in thread
From: Peter Korsgaard @ 2020-07-27 15:26 UTC (permalink / raw)
  To: buildroot

>>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:

 > according to https://wiki.gentoo.org/wiki/Systemd#Kernel
 > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
 > ---
 >  package/systemd/systemd.mk | 11 ++++++++++-
 >  1 file changed, 10 insertions(+), 1 deletion(-)

 > diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
 > index 8e01a0db5..b7213dd12 100644
 > --- a/package/systemd/systemd.mk
 > +++ b/package/systemd/systemd.mk
 > @@ -565,9 +565,18 @@ SYSTEMD_CONF_ENV = $(HOST_UTF8_LOCALE_ENV)
 >  SYSTEMD_NINJA_ENV = $(HOST_UTF8_LOCALE_ENV)
 
 >  define SYSTEMD_LINUX_CONFIG_FIXUPS
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_POSIX_MQUEUE)

I don't see any reference to this anywhere in the systemd code or
README, so I've dropped this.

 >  	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS)
 > -	$(call KCONFIG_ENABLE_OPT,CONFIG_INOTIFY_USER)
 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_BPF)

According to the README this is only required for IPAddressDeny= and
IPAddressAllow= in resource control unit settings, which I don't think
is used by any of the "standard" services - Dropped.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_BPF_SYSCALL)

Same for this one.

 > +	$(call KCONFIG_ENABLE_OPT,CONFIG_DEVTMPFS)
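
Review bot: the added `CONFIG_BPF_SYSCALL` and `CONFIG_CGROUP_BPF` lines in `SYSTEMD_LINUX_CONFIG_FIXUPS` turn on the bpf() syscall for every kernel built alongside systemd, and the only justification in the commit message is a link to a distribution wiki. Enable them only when a systemd feature that needs them is selected, with a comment naming that feature. The `-` line for `CONFIG_INOTIFY_USER` is also unexplained; if it is only being moved within the list, the commit message should say so.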

This is already taken care of by linux/linux.mk, dropped.

Committed with these changes, thanks.

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v3 2/7] board/guest: documentation and sample files
  2020-07-27  9:46   ` Peter Korsgaard
@ 2020-07-27 19:50     ` François Perrad
  2020-07-27 20:49     ` Christian Stewart
  1 sibling, 0 replies; 18+ messages in thread
From: François Perrad @ 2020-07-27 19:50 UTC (permalink / raw)
  To: buildroot

On Mon, 27 Jul 2020 at 11:46, Peter Korsgaard <peter@korsgaard.com> wrote:

> >>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
>
>  > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
>  > ---
>  >  DEVELOPERS             |   1 +
>  >  board/guest/Dockerfile |   2 +
>  >  board/guest/readme.txt | 143 +++++++++++++++++++++++++++++++++++++++++
>  >  3 files changed, 146 insertions(+)
>  >  create mode 100644 board/guest/Dockerfile
>  >  create mode 100644 board/guest/readme.txt
>
> ..
>
>  > +How to with Docker
>  > +==================
>  > +
>  > +A Docker image could created with a Dockerfile and few commands are
> needed:
>  > +
>  > +    # dockerd &
>  > +
>  > +    $ cat Dockerfile
>  > +    FROM scratch
>  > +    ADD rootfs.tar /
>  > +    $ docker build --tag br:guest .
>  > +    $ docker images
>  > +    REPOSITORY          TAG                 IMAGE ID
> CREATED             SIZE
>  > +    br                  guest               0c54c85a3452        42
> seconds ago      1.75MB
>
> NIT: Why not just use docker import rootfs.tar br:test?
>

Good point.

François


>
> --
> Bye, Peter Korsgaard

* [Buildroot] [PATCH v3 1/7] configs/guest_*: some new defconfig
  2020-07-27  9:49   ` Peter Korsgaard
@ 2020-07-27 19:53     ` François Perrad
  2020-07-27 20:09       ` Peter Korsgaard
  0 siblings, 1 reply; 18+ messages in thread
From: François Perrad @ 2020-07-27 19:53 UTC (permalink / raw)
  To: buildroot

On Mon, 27 Jul 2020 at 11:49, Peter Korsgaard <peter@korsgaard.com> wrote:

> >>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
>
>  > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
>  > ---
>  >  DEVELOPERS                     |  1 +
>  >  configs/guest_arm_a7_defconfig | 16 ++++++++++++++++
>  >  configs/guest_arm_a9_defconfig | 18 ++++++++++++++++++
>  >  configs/guest_x86_64_defconfig | 15 +++++++++++++++
>
> Like Christian, I am not really convinced these defconfigs add any real
> value.
>
>
The documentation in the 2nd patch is the most valuable part.
Can we add board/guest/readme.txt without introducing some
configs/guest_*_defconfig ?

François


> You have decided to use glibc / 4.15 headers / systemd, which seems
> pretty random to me.
>
> If anything, they should build with the oldest kernel headers version we
> support, so you can use the final docker image on older distributions
> without getting the dreaded:
>
> FATAL: kernel too old
>
> From glibc.
>
> --
> Bye, Peter Korsgaard

* [Buildroot] [PATCH v3 1/7] configs/guest_*: some new defconfig
  2020-07-27 19:53     ` François Perrad
@ 2020-07-27 20:09       ` Peter Korsgaard
  0 siblings, 0 replies; 18+ messages in thread
From: Peter Korsgaard @ 2020-07-27 20:09 UTC (permalink / raw)
  To: buildroot

>>>>> "François" == François Perrad <francois.perrad@gadz.org> writes:

 > On Mon, 27 Jul 2020 at 11:49, Peter Korsgaard <peter@korsgaard.com> wrote:

 >> >>>>> "Francois" == Francois Perrad <fperrad@gmail.com> writes:
 >> 
 >> > Signed-off-by: Francois Perrad <francois.perrad@gadz.org>
 >> > ---
 >> >  DEVELOPERS                     |  1 +
 >> >  configs/guest_arm_a7_defconfig | 16 ++++++++++++++++
 >> >  configs/guest_arm_a9_defconfig | 18 ++++++++++++++++++
 >> >  configs/guest_x86_64_defconfig | 15 +++++++++++++++
 >> 
 >> Like Christian, I am not really convinced these defconfigs add any real
 >> value.
 >> 
 >> 
 > The documentation in the 2nd patch is the most valuable part.
 > Can we add board/guest/readme.txt without introducing some
 > configs/guest_*_defconfig ?

Sure, but it might be a bit hard to find. Would it not fit better in the
manual?

-- 
Bye, Peter Korsgaard


* [Buildroot] [PATCH v3 2/7] board/guest: documentation and sample files
  2020-07-27  9:46   ` Peter Korsgaard
  2020-07-27 19:50     ` François Perrad
@ 2020-07-27 20:49     ` Christian Stewart
  1 sibling, 0 replies; 18+ messages in thread
From: Christian Stewart @ 2020-07-27 20:49 UTC (permalink / raw)
  To: buildroot

Peter,

On Mon, Jul 27, 2020 at 2:46 AM Peter Korsgaard <peter@korsgaard.com> wrote:
>  > +    $ docker build --tag br:guest .
>  > +    $ docker images
>  > +    REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
>  > +    br                  guest               0c54c85a3452        42 seconds ago      1.75MB
>
> NIT: Why not just use docker import rootfs.tar br:test?

This works too, but I tend to add some adjustments to the image in the
Dockerfile. Of course, these could be added in the build process, and
probably would be better suited there.

Dockerfile:

FROM scratch

ENV container docker
ENV init /lib/systemd/systemd
ENV LC_ALL C

ADD rootfs.tar /

USER root
RUN find /etc/systemd/system \
         /usr/lib/systemd/system \
         \( -path '*.wants/*' \
         -name '*swapon*' \
         -or -name '*ntpd*' \
         -or -name '*resolved*' \
         -or -name '*udev*' \
         -or -name '*rdisc*' \
         -or -name '*freedesktop*' \
         -or -name '*persist-resize*' \
         -or -name '*NetworkManager*' \
         -or -name '*remount-fs*' \
         -or -name '*getty*' \
         -or -name '*.mount' \
         -or -name '*remote-fs*' \) \
         -exec echo \{} \; \
         -exec rm \{} \;

RUN systemctl set-default multi-user.target && \
    systemctl mask tmp.mount && \
    touch /etc/skip-skiff-mounts && \
    touch /etc/skip-skiff-journal-mounts
COPY fstab /etc/fstab

VOLUME [ "/sys/fs/cgroup", "/mnt/persist", "/mnt/rootfs" ]
ENTRYPOINT ["/usr/lib/systemd/systemd"]

Best,
Christian Stewart
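
A dry run of the `find` expression from the Dockerfile in the message above, as an added example that is not part of the original message: the two `-exec` actions are replaced by `-print` and the expression runs against a constructed unit tree, so the set of unit files it would remove can be reviewed before it goes into an image build. The file names and the helpers `make_sample_tree` and `list_matches` are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample tree: a handful of empty unit files under a throwaway root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/systemd/system/multi-user.target.wants" \
             "$root/usr/lib/systemd/system"
    for f in etc/systemd/system/multi-user.target.wants/swapon.service \
             etc/systemd/system/multi-user.target.wants/sshd.service \
             usr/lib/systemd/system/systemd-udevd.service \
             usr/lib/systemd/system/tmp.mount \
             usr/lib/systemd/system/sshd.service; do
        : > "$root/$f"
    done
    printf '%s\n' "$root"
}

# Same tests as the Dockerfile's find, printing instead of deleting.
# find's implicit AND binds tighter than -or, so -path '*.wants/*' limits
# only the '*swapon*' term; every other -name term matches anywhere under
# the two directories.
list_matches() {
    ( cd "$1" && find etc/systemd/system usr/lib/systemd/system \
        \( -path '*.wants/*' \
           -name '*swapon*' \
           -or -name '*ntpd*' \
           -or -name '*resolved*' \
           -or -name '*udev*' \
           -or -name '*rdisc*' \
           -or -name '*freedesktop*' \
           -or -name '*persist-resize*' \
           -or -name '*NetworkManager*' \
           -or -name '*remount-fs*' \
           -or -name '*getty*' \
           -or -name '*.mount' \
           -or -name '*remote-fs*' \) \
        -print | LC_ALL=C sort )
}

# Stand-alone run: list what would be removed from the sample tree.
demo_root=$(make_sample_tree)
list_matches "$demo_root"
rm -rf "$demo_root"
```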
