* [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
@ 2021-06-24 18:59 Diego Sueiro
  2021-06-24 18:59 ` [meta-virtualization][PATCH 2/3] packagegroup-container: Include podman if seccomp is in DISTRO_FEATURES Diego Sueiro
                   ` (3 more replies)
  0 siblings, 4 replies; 17+ messages in thread
From: Diego Sueiro @ 2021-06-24 18:59 UTC (permalink / raw)
  To: meta-virtualization; +Cc: nd, Diego Sueiro

The libseccomp package is only available if seccomp is in DISTRO_FEATURES.

Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
---
 recipes-containers/podman/podman_git.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 9dcb21c..351f38b 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -6,6 +6,9 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
     `alias docker=podman`. \
     "
 
+inherit features_check
+REQUIRED_DISTRO_FEATURES ?= "seccomp"
+
 DEPENDS = " \
     go-metalinter-native \
     go-md2man-native \
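Review bot: `REQUIRED_DISTRO_FEATURES ?= "seccomp"` on the second added line is only a weak default, so any earlier assignment to that variable (in a distro or local configuration, for example) replaces it and the recipe is parsed without the seccomp requirement. The commit message describes the libseccomp dependency as a hard one, so a plain `=` would express that. A one-line comment above the assignment naming libseccomp as the reason would also help, because the DEPENDS lines visible in this hunk do not show it.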
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [meta-virtualization][PATCH 2/3] packagegroup-container: Include podman if seccomp is in DISTRO_FEATURES
  2021-06-24 18:59 [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES Diego Sueiro
@ 2021-06-24 18:59 ` Diego Sueiro
  2021-06-24 18:59 ` [meta-virtualization][PATCH 3/3] slirp4netns: Add seccomp as REQUIRED_DISTRO_FEATURES Diego Sueiro
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 17+ messages in thread
From: Diego Sueiro @ 2021-06-24 18:59 UTC (permalink / raw)
  To: meta-virtualization; +Cc: nd, Diego Sueiro

Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
---
 recipes-core/packagegroups/packagegroup-container.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/recipes-core/packagegroups/packagegroup-container.bb b/recipes-core/packagegroups/packagegroup-container.bb
index d425ac5..89b9c01 100644
--- a/recipes-core/packagegroups/packagegroup-container.bb
+++ b/recipes-core/packagegroups/packagegroup-container.bb
@@ -9,7 +9,8 @@ PACKAGES = "\
     packagegroup-lxc \
     packagegroup-docker \
     packagegroup-oci \
-    packagegroup-podman \
+    ${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', \
+                         'packagegroup-podman', '', d)} \
     packagegroup-containerd \
     "
 
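Review bot: the commit message has no body, so nothing records why packagegroup-podman becomes conditional in PACKAGES; please state that podman requires seccomp in DISTRO_FEATURES after patch 1/3 and that the package group is dropped to match. The hunk changes only the PACKAGES entry, so any per-package settings for packagegroup-podman elsewhere in this recipe should be checked against a DISTRO_FEATURES that lacks seccomp.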
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* [meta-virtualization][PATCH 3/3] slirp4netns: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-24 18:59 [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES Diego Sueiro
  2021-06-24 18:59 ` [meta-virtualization][PATCH 2/3] packagegroup-container: Include podman if seccomp is in DISTRO_FEATURES Diego Sueiro
@ 2021-06-24 18:59 ` Diego Sueiro
  2021-06-24 19:44 ` [meta-virtualization][PATCH 1/3] podman: " Bruce Ashfield
       [not found] ` <168B9C435EB7F916.14800@lists.yoctoproject.org>
  3 siblings, 0 replies; 17+ messages in thread
From: Diego Sueiro @ 2021-06-24 18:59 UTC (permalink / raw)
  To: meta-virtualization; +Cc: nd, Diego Sueiro

The libseccomp package is only available if seccomp is in DISTRO_FEATURES.

Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
---
 recipes-networking/slirp4netns/slirp4netns_0.4.1.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/recipes-networking/slirp4netns/slirp4netns_0.4.1.bb b/recipes-networking/slirp4netns/slirp4netns_0.4.1.bb
index b47df96..6349aac 100644
--- a/recipes-networking/slirp4netns/slirp4netns_0.4.1.bb
+++ b/recipes-networking/slirp4netns/slirp4netns_0.4.1.bb
@@ -9,6 +9,9 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=1e2efd29c201480c6be2744d9edade26"
 SRCREV = "4d38845e2e311b684fc8d1c775c725bfcd5ddc27"
 SRC_URI = "git://github.com/rootless-containers/slirp4netns.git;nobranch=1"
 
+inherit features_check
+REQUIRED_DISTRO_FEATURES ?= "seccomp"
+
 DEPENDS = "glib-2.0 libcap libseccomp"
 
 S = "${WORKDIR}/git"
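Review bot: the DEPENDS context line directly below the addition lists libseccomp unconditionally, but `REQUIRED_DISTRO_FEATURES ?= "seccomp"` is a weak default that an earlier assignment elsewhere overrides, which would bring back the unresolved libseccomp dependency this patch is meant to avoid. Use `=` here so the requirement is as unconditional as the dependency.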
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 17+ messages in thread

* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-24 18:59 [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES Diego Sueiro
  2021-06-24 18:59 ` [meta-virtualization][PATCH 2/3] packagegroup-container: Include podman if seccomp is in DISTRO_FEATURES Diego Sueiro
  2021-06-24 18:59 ` [meta-virtualization][PATCH 3/3] slirp4netns: Add seccomp as REQUIRED_DISTRO_FEATURES Diego Sueiro
@ 2021-06-24 19:44 ` Bruce Ashfield
  2021-06-24 21:01   ` Martin Jansa
       [not found] ` <168B9C435EB7F916.14800@lists.yoctoproject.org>
  3 siblings, 1 reply; 17+ messages in thread
From: Bruce Ashfield @ 2021-06-24 19:44 UTC (permalink / raw)
  To: Diego Sueiro; +Cc: meta-virtualization, nd

What branch are you working with ?

Now that seccomp is in core, we no longer have those restrictions, so
I assume this is on an older branch ?

Bruce

On Thu, Jun 24, 2021 at 3:00 PM Diego Sueiro <diego.sueiro@arm.com> wrote:
>
> The libseccomp package is only available if seccomp is in DISTRO_FEATURES.
>
> Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
> ---
>  recipes-containers/podman/podman_git.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
> index 9dcb21c..351f38b 100644
> --- a/recipes-containers/podman/podman_git.bb
> +++ b/recipes-containers/podman/podman_git.bb
> @@ -6,6 +6,9 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
>      `alias docker=podman`. \
>      "
>
> +inherit features_check
> +REQUIRED_DISTRO_FEATURES ?= "seccomp"
> +
>  DEPENDS = " \
>      go-metalinter-native \
>      go-md2man-native \
> --
> 2.17.1
>
>
> 
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
       [not found] ` <168B9C435EB7F916.14800@lists.yoctoproject.org>
@ 2021-06-24 19:48   ` Bruce Ashfield
  0 siblings, 0 replies; 17+ messages in thread
From: Bruce Ashfield @ 2021-06-24 19:48 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: Diego Sueiro, meta-virtualization, nd

On Thu, Jun 24, 2021 at 3:45 PM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@lists.yoctoproject.org> wrote:
>
> What branch are you working with ?
>
> Now that seccomp is in core, we no longer have those restrictions, so
> I assume this is on an older branch ?

aha. never mind, I misread the change.

That being said, I honestly think this is a bug. If the main
libseccomp is dependent on a distro feature, each and every recipe
that has a hard dependency on it, should not have to do the distro
check.

so for now, I'm going to not apply these while I look for a better method.

Bruce

>
> Bruce
>
> On Thu, Jun 24, 2021 at 3:00 PM Diego Sueiro <diego.sueiro@arm.com> wrote:
> >
> > The libseccomp package is only available if seccomp is in DISTRO_FEATURES.
> >
> > Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
> > ---
> >  recipes-containers/podman/podman_git.bb | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
> > index 9dcb21c..351f38b 100644
> > --- a/recipes-containers/podman/podman_git.bb
> > +++ b/recipes-containers/podman/podman_git.bb
> > @@ -6,6 +6,9 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
> >      `alias docker=podman`. \
> >      "
> >
> > +inherit features_check
> > +REQUIRED_DISTRO_FEATURES ?= "seccomp"
> > +
> >  DEPENDS = " \
> >      go-metalinter-native \
> >      go-md2man-native \
> > --
> > 2.17.1
> >
> >
> >
> >
>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
>
> 
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-24 19:44 ` [meta-virtualization][PATCH 1/3] podman: " Bruce Ashfield
@ 2021-06-24 21:01   ` Martin Jansa
  2021-06-25  2:49     ` Bruce Ashfield
  0 siblings, 1 reply; 17+ messages in thread
From: Martin Jansa @ 2021-06-24 21:01 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: Diego Sueiro, meta-virtualization, nd


This change is correct, libseccomp still requires seccomp in
DISTRO_FEATURES, so anything depending on it should have the same
restriction.

seccomp is now in default DISTRO_FEATURES, but not through BACKFILL
feature, so many existing DISTROs didn't get it automatically added and
requiring it is the right way to automatically skip such recipes.

On Thu, Jun 24, 2021 at 12:45 PM Bruce Ashfield <bruce.ashfield@gmail.com>
wrote:

> What branch are you working with ?
>
> Now that seccomp is in core, we no longer have those restrictions, so
> I assume this is on an older branch ?
>
> Bruce
>
> On Thu, Jun 24, 2021 at 3:00 PM Diego Sueiro <diego.sueiro@arm.com> wrote:
> >
> > The libseccomp package is only available if seccomp is in
> DISTRO_FEATURES.
> >
> > Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
> > ---
> >  recipes-containers/podman/podman_git.bb | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/recipes-containers/podman/podman_git.bb
> b/recipes-containers/podman/podman_git.bb
> > index 9dcb21c..351f38b 100644
> > --- a/recipes-containers/podman/podman_git.bb
> > +++ b/recipes-containers/podman/podman_git.bb
> > @@ -6,6 +6,9 @@ DESCRIPTION = "Podman is a daemonless container engine
> for developing, \
> >      `alias docker=podman`. \
> >      "
> >
> > +inherit features_check
> > +REQUIRED_DISTRO_FEATURES ?= "seccomp"
> > +
> >  DEPENDS = " \
> >      go-metalinter-native \
> >      go-md2man-native \
> > --
> > 2.17.1
> >
> >
> >
> >
>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
>
> 
>
>


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-24 21:01   ` Martin Jansa
@ 2021-06-25  2:49     ` Bruce Ashfield
  2021-06-25  8:11       ` Diego Sueiro
  0 siblings, 1 reply; 17+ messages in thread
From: Bruce Ashfield @ 2021-06-25  2:49 UTC (permalink / raw)
  To: Martin Jansa; +Cc: Diego Sueiro, meta-virtualization, nd

On Thu, Jun 24, 2021 at 5:01 PM Martin Jansa <martin.jansa@gmail.com> wrote:
>
> This change is correct, libseccomp still requires seccomp in DISTRO_FEATURES, so anything depending on it should have the same restriction.
>

Right, I understand how/why it works like this .. but it is super
clunky when we can't just depend on something that is now in core,
without needing to sprinkle distro checks everywhere.

As the list of recipes gets larger with that check, it really isn't an
optional distro feature for using meta virt at all, and it would be
nice if we could just do the check once and be done with it.

Bruce

> seccomp is now in default DISTRO_FEATURES, but not through BACKFILL feature, so many existing DISTROs didn't get it automatically added and requiring it is the right way to automatically skip such recipes.
>
> On Thu, Jun 24, 2021 at 12:45 PM Bruce Ashfield <bruce.ashfield@gmail.com> wrote:
>>
>> What branch are you working with ?
>>
>> Now that seccomp is in core, we no longer have those restrictions, so
>> I assume this is on an older branch ?
>>
>> Bruce
>>
>> On Thu, Jun 24, 2021 at 3:00 PM Diego Sueiro <diego.sueiro@arm.com> wrote:
>> >
>> > The libseccomp package is only available if seccomp is in DISTRO_FEATURES.
>> >
>> > Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
>> > ---
>> >  recipes-containers/podman/podman_git.bb | 3 +++
>> >  1 file changed, 3 insertions(+)
>> >
>> > diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
>> > index 9dcb21c..351f38b 100644
>> > --- a/recipes-containers/podman/podman_git.bb
>> > +++ b/recipes-containers/podman/podman_git.bb
>> > @@ -6,6 +6,9 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
>> >      `alias docker=podman`. \
>> >      "
>> >
>> > +inherit features_check
>> > +REQUIRED_DISTRO_FEATURES ?= "seccomp"
>> > +
>> >  DEPENDS = " \
>> >      go-metalinter-native \
>> >      go-md2man-native \
>> > --
>> > 2.17.1
>> >
>> >
>> >
>> >
>>
>>
>> --
>> - Thou shalt not follow the NULL pointer, for chaos and madness await
>> thee at its end
>> - "Use the force Harry" - Gandalf, Star Trek II
>>
>> 
>>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-25  2:49     ` Bruce Ashfield
@ 2021-06-25  8:11       ` Diego Sueiro
  2021-06-25 12:46         ` Bruce Ashfield
  0 siblings, 1 reply; 17+ messages in thread
From: Diego Sueiro @ 2021-06-25  8:11 UTC (permalink / raw)
  To: Bruce Ashfield, Martin Jansa; +Cc: meta-virtualization, nd

>-----Original Message-----
>From: Bruce Ashfield <bruce.ashfield@gmail.com>
>Sent: 25 June 2021 03:49
>To: Martin Jansa <martin.jansa@gmail.com>
>Cc: Diego Sueiro <Diego.Sueiro@arm.com>; meta-
>virtualization@lists.yoctoproject.org; nd <nd@arm.com>
>Subject: Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as
>REQUIRED_DISTRO_FEATURES
>
>On Thu, Jun 24, 2021 at 5:01 PM Martin Jansa <martin.jansa@gmail.com>
>wrote:
>>
>> This change is correct, libseccomp still requires seccomp in
>DISTRO_FEATURES, so anything depending on it should have the same
>restriction.
>>
>
>Right, I understand how/why it works like this .. but it is super clunky when we
>can't just depend on something that is now in core, without needing to
>sprinkle distro checks everywhere.
>
>As the list of recipes gets larger with that check, it really isn't an optional distro
>feature for using meta virt at all, and it would be nice if we could just do the
>check once and be done with it.

Just a side note that these patches fix issues with yocto-check-layer.

Diego

>
>Bruce
>
>> seccomp is now in default DISTRO_FEATURES, but not through BACKFILL
>feature, so many existing DISTROs didn't get it automatically added and
>requiring it is the right way to automatically skip such recipes.
>>
>> On Thu, Jun 24, 2021 at 12:45 PM Bruce Ashfield
><bruce.ashfield@gmail.com> wrote:
>>>
>>> What branch are you working with ?
>>>
>>> Now that seccomp is in core, we no longer have those restrictions, so
>>> I assume this is on an older branch ?
>>>
>>> Bruce
>>>
>>> On Thu, Jun 24, 2021 at 3:00 PM Diego Sueiro <diego.sueiro@arm.com>
>wrote:
>>> >
>>> > The libseccomp package is only available if seccomp is in
>DISTRO_FEATURES.
>>> >
>>> > Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
>>> > ---
>>> >  recipes-containers/podman/podman_git.bb | 3 +++
>>> >  1 file changed, 3 insertions(+)
>>> >
>>> > diff --git a/recipes-containers/podman/podman_git.bb
>>> > b/recipes-containers/podman/podman_git.bb
>>> > index 9dcb21c..351f38b 100644
>>> > --- a/recipes-containers/podman/podman_git.bb
>>> > +++ b/recipes-containers/podman/podman_git.bb
>>> > @@ -6,6 +6,9 @@ DESCRIPTION = "Podman is a daemonless container
>engine for developing, \
>>> >      `alias docker=podman`. \
>>> >      "
>>> >
>>> > +inherit features_check
>>> > +REQUIRED_DISTRO_FEATURES ?= "seccomp"
>>> > +
>>> >  DEPENDS = " \
>>> >      go-metalinter-native \
>>> >      go-md2man-native \
>>> > --
>>> > 2.17.1
>>> >
>>> >
>>> >
>>> >
>>>
>>>
>>> --
>>> - Thou shalt not follow the NULL pointer, for chaos and madness await
>>> thee at its end
>>> - "Use the force Harry" - Gandalf, Star Trek II
>>>
>>> 
>>>
>
>
>--
>- Thou shalt not follow the NULL pointer, for chaos and madness await thee at
>its end
>- "Use the force Harry" - Gandalf, Star Trek II

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-25  8:11       ` Diego Sueiro
@ 2021-06-25 12:46         ` Bruce Ashfield
  2021-06-25 12:48           ` Richard Purdie
  2021-06-25 12:48           ` Martin Jansa
  0 siblings, 2 replies; 17+ messages in thread
From: Bruce Ashfield @ 2021-06-25 12:46 UTC (permalink / raw)
  To: Diego Sueiro; +Cc: Martin Jansa, meta-virtualization, nd

On Fri, Jun 25, 2021 at 4:11 AM Diego Sueiro <Diego.Sueiro@arm.com> wrote:
>
> >-----Original Message-----
> >From: Bruce Ashfield <bruce.ashfield@gmail.com>
> >Sent: 25 June 2021 03:49
> >To: Martin Jansa <martin.jansa@gmail.com>
> >Cc: Diego Sueiro <Diego.Sueiro@arm.com>; meta-
> >virtualization@lists.yoctoproject.org; nd <nd@arm.com>
> >Subject: Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as
> >REQUIRED_DISTRO_FEATURES
> >
> >On Thu, Jun 24, 2021 at 5:01 PM Martin Jansa <martin.jansa@gmail.com>
> >wrote:
> >>
> >> This change is correct, libseccomp still requires seccomp in
> >DISTRO_FEATURES, so anything depending on it should have the same
> >restriction.
> >>
> >
> >Right, I understand how/why it works like this .. but it is super clunky when we
> >can't just depend on something that is now in core, without needing to
> >sprinkle distro checks everywhere.
> >
> >As the list of recipes gets larger with that check, it really isn't an optional distro
> >feature for using meta virt at all, and it would be nice if we could just do the
> >check once and be done with it.
>
> Just a side note that these patches fix issues with yocto-check-layer.

I've disagreed with check-layer before (and we've changed how it works)

That being said, the layer is checked on the AB, and Richard hasn't
reported any issues. So clearly there's something wrong with the AB
test or with something else.

Bruce

>
> Diego
>
> >
> >Bruce
> >
> >> seccomp is now in default DISTRO_FEATURES, but not through BACKFILL
> >feature, so many existing DISTROs didn't get it automatically added and
> >requiring it is the right way to automatically skip such recipes.
> >>
> >> On Thu, Jun 24, 2021 at 12:45 PM Bruce Ashfield
> ><bruce.ashfield@gmail.com> wrote:
> >>>
> >>> What branch are you working with ?
> >>>
> >>> Now that seccomp is in core, we no longer have those restrictions, so
> >>> I assume this is on an older branch ?
> >>>
> >>> Bruce
> >>>
> >>> On Thu, Jun 24, 2021 at 3:00 PM Diego Sueiro <diego.sueiro@arm.com>
> >wrote:
> >>> >
> >>> > The libseccomp package is only available if seccomp is in
> >DISTRO_FEATURES.
> >>> >
> >>> > Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
> >>> > ---
> >>> >  recipes-containers/podman/podman_git.bb | 3 +++
> >>> >  1 file changed, 3 insertions(+)
> >>> >
> >>> > diff --git a/recipes-containers/podman/podman_git.bb
> >>> > b/recipes-containers/podman/podman_git.bb
> >>> > index 9dcb21c..351f38b 100644
> >>> > --- a/recipes-containers/podman/podman_git.bb
> >>> > +++ b/recipes-containers/podman/podman_git.bb
> >>> > @@ -6,6 +6,9 @@ DESCRIPTION = "Podman is a daemonless container
> >engine for developing, \
> >>> >      `alias docker=podman`. \
> >>> >      "
> >>> >
> >>> > +inherit features_check
> >>> > +REQUIRED_DISTRO_FEATURES ?= "seccomp"
> >>> > +
> >>> >  DEPENDS = " \
> >>> >      go-metalinter-native \
> >>> >      go-md2man-native \
> >>> > --
> >>> > 2.17.1
> >>> >
> >>> >
> >>> >
> >>> >
> >>>
> >>>
> >>> --
> >>> - Thou shalt not follow the NULL pointer, for chaos and madness await
> >>> thee at its end
> >>> - "Use the force Harry" - Gandalf, Star Trek II
> >>>
> >>> 
> >>>
> >
> >
> >--
> >- Thou shalt not follow the NULL pointer, for chaos and madness await thee at
> >its end
> >- "Use the force Harry" - Gandalf, Star Trek II



-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-25 12:46         ` Bruce Ashfield
@ 2021-06-25 12:48           ` Richard Purdie
  2021-06-25 12:48           ` Martin Jansa
  1 sibling, 0 replies; 17+ messages in thread
From: Richard Purdie @ 2021-06-25 12:48 UTC (permalink / raw)
  To: Bruce Ashfield, Diego Sueiro; +Cc: Martin Jansa, meta-virtualization, nd

On Fri, 2021-06-25 at 08:46 -0400, Bruce Ashfield wrote:
> On Fri, Jun 25, 2021 at 4:11 AM Diego Sueiro <Diego.Sueiro@arm.com> wrote:
> > 
> > > -----Original Message-----
> > > From: Bruce Ashfield <bruce.ashfield@gmail.com>
> > > Sent: 25 June 2021 03:49
> > > To: Martin Jansa <martin.jansa@gmail.com>
> > > Cc: Diego Sueiro <Diego.Sueiro@arm.com>; meta-
> > > virtualization@lists.yoctoproject.org; nd <nd@arm.com>
> > > Subject: Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as
> > > REQUIRED_DISTRO_FEATURES
> > > 
> > > On Thu, Jun 24, 2021 at 5:01 PM Martin Jansa <martin.jansa@gmail.com>
> > > wrote:
> > > > 
> > > > This change is correct, libseccomp still requires seccomp in
> > > DISTRO_FEATURES, so anything depending on it should have the same
> > > restriction.
> > > > 
> > > 
> > > Right, I understand how/why it works like this .. but it is super clunky when we
> > > can't just depend on something that is now in core, without needing to
> > > sprinkle distro checks everywhere.
> > > 
> > > As the list of recipes gets larger with that check, it really isn't an optional distro
> > > feature for using meta virt at all, and it would be nice if we could just do the
> > > check once and be done with it.
> > 
> > Just a side note that these patches fix issues with yocto-check-layer.
> 
> I've disagreed with check-layer before (and we've changed how it works)
> 
> That being said, the layer is checked on the AB, and Richard hasn't
> reported any issues. So clearly there's something wrong with the AB
> test or with something else.

https://autobuilder.yoctoproject.org/typhoon/#/builders/121/builds/110

Says green...

Obviously we just tweak the css :)

Cheers,

Richard


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-25 12:46         ` Bruce Ashfield
  2021-06-25 12:48           ` Richard Purdie
@ 2021-06-25 12:48           ` Martin Jansa
  2021-06-25 14:16             ` Diego Sueiro
  1 sibling, 1 reply; 17+ messages in thread
From: Martin Jansa @ 2021-06-25 12:48 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: Diego Sueiro, meta-virtualization, nd


AB would use the new default DISTRO_FEATURES which already contain seccomp.

On Fri, Jun 25, 2021 at 2:46 PM Bruce Ashfield <bruce.ashfield@gmail.com>
wrote:

> On Fri, Jun 25, 2021 at 4:11 AM Diego Sueiro <Diego.Sueiro@arm.com> wrote:
> >
> > >-----Original Message-----
> > >From: Bruce Ashfield <bruce.ashfield@gmail.com>
> > >Sent: 25 June 2021 03:49
> > >To: Martin Jansa <martin.jansa@gmail.com>
> > >Cc: Diego Sueiro <Diego.Sueiro@arm.com>; meta-
> > >virtualization@lists.yoctoproject.org; nd <nd@arm.com>
> > >Subject: Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as
> > >REQUIRED_DISTRO_FEATURES
> > >
> > >On Thu, Jun 24, 2021 at 5:01 PM Martin Jansa <martin.jansa@gmail.com>
> > >wrote:
> > >>
> > >> This change is correct, libseccomp still requires seccomp in
> > >DISTRO_FEATURES, so anything depending on it should have the same
> > >restriction.
> > >>
> > >
> > >Right, I understand how/why it works like this .. but it is super
> clunky when we
> > >can't just depend on something that is now in core, without needing to
> > >sprinkle distro checks everywhere.
> > >
> > >As the list of recipes gets larger with that check, it really isn't an
> optional distro
> > >feature for using meta virt at all, and it would be nice if we could
> just do the
> > >check once and be done with it.
> >
> > Just a side note that these patches fix issues with yocto-check-layer.
>
> I've disagreed with check-layer before (and we've changed how it works)
>
> That being said, the layer is checked on the AB, and Richard hasn't
> reported any issues. So clearly there's something wrong with the AB
> test or with something else.
>
> Bruce
>
> >
> > Diego
> >
> > >
> > >Bruce
> > >
> > >> seccomp is now in default DISTRO_FEATURES, but not through BACKFILL
> > >feature, so many existing DISTROs didn't get it automatically added and
> > >requiring it is the right way to automatically skip such recipes.
> > >>
> > >> On Thu, Jun 24, 2021 at 12:45 PM Bruce Ashfield
> > ><bruce.ashfield@gmail.com> wrote:
> > >>>
> > >>> What branch are you working with ?
> > >>>
> > >>> Now that seccomp is in core, we no longer have those restrictions, so
> > >>> I assume this is on an older branch ?
> > >>>
> > >>> Bruce
> > >>>
> > >>> On Thu, Jun 24, 2021 at 3:00 PM Diego Sueiro <diego.sueiro@arm.com>
> > >wrote:
> > >>> >
> > >>> > The libseccomp package is only available if seccomp is in
> > >DISTRO_FEATURES.
> > >>> >
> > >>> > Signed-off-by: Diego Sueiro <diego.sueiro@arm.com>
> > >>> > ---
> > >>> >  recipes-containers/podman/podman_git.bb | 3 +++
> > >>> >  1 file changed, 3 insertions(+)
> > >>> >
> > >>> > diff --git a/recipes-containers/podman/podman_git.bb
> > >>> > b/recipes-containers/podman/podman_git.bb
> > >>> > index 9dcb21c..351f38b 100644
> > >>> > --- a/recipes-containers/podman/podman_git.bb
> > >>> > +++ b/recipes-containers/podman/podman_git.bb
> > >>> > @@ -6,6 +6,9 @@ DESCRIPTION = "Podman is a daemonless container
> > >engine for developing, \
> > >>> >      `alias docker=podman`. \
> > >>> >      "
> > >>> >
> > >>> > +inherit features_check
> > >>> > +REQUIRED_DISTRO_FEATURES ?= "seccomp"
> > >>> > +
> > >>> >  DEPENDS = " \
> > >>> >      go-metalinter-native \
> > >>> >      go-md2man-native \
> > >>> > --
> > >>> > 2.17.1
> > >>> >
> > >>> >
> > >>> >
> > >>> >
> > >>>
> > >>>
> > >>> --
> > >>> - Thou shalt not follow the NULL pointer, for chaos and madness await
> > >>> thee at its end
> > >>> - "Use the force Harry" - Gandalf, Star Trek II
> > >>>
> > >>> 
> > >>>
> > >
> > >
> > >--
> > >- Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at
> > >its end
> > >- "Use the force Harry" - Gandalf, Star Trek II
>
>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
>


^ permalink raw reply	[flat|nested] 17+ messages in thread

* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-25 12:48           ` Martin Jansa
@ 2021-06-25 14:16             ` Diego Sueiro
  2021-06-25 15:18               ` Bruce Ashfield
       [not found]               ` <168BDC4B6AEEB1F5.20368@lists.yoctoproject.org>
  0 siblings, 2 replies; 17+ messages in thread
From: Diego Sueiro @ 2021-06-25 14:16 UTC (permalink / raw)
  To: Martin Jansa, Bruce Ashfield; +Cc: meta-virtualization, nd


I was getting the following when passing `--machines mymachine`:
```
ERROR: Nothing PROVIDES 'libseccomp' (but meta-virtualization/recipes-containers/podman/podman_git.bb, meta-virtualization/recipes-networking/slirp4netns/slirp4netns_0.4.1.bb DEPENDS on or otherwise requires it)
libseccomp was skipped: missing required distro feature 'seccomp' (not in DISTRO_FEATURES)
```

In a deeper investigation I found that the way mymachine was setting DISTRO_FEATURES (with `+=`) was preventing the inclusion of `DISTRO_FEATURES_DEFAULT`.

But still, since in `meta/recipes-support/libseccomp/libseccomp_2.5.1.bb` we have `REQUIRED_DISTRO_FEATURES = "seccomp"`, don’t we need to add this check to the recipes that depend on it?
From a quick grep on meta-virt, I suppose that if this is the case, we will also need to update the cri-o_git.bb and crun_git.bb recipes.

Or we can just remove `REQUIRED_DISTRO_FEATURES = "seccomp"` from `meta/recipes-support/libseccomp/libseccomp_2.5.1.bb`?

--
Diego

From: Martin Jansa <martin.jansa@gmail.com>
Sent: 25 June 2021 13:49
To: Bruce Ashfield <bruce.ashfield@gmail.com>
Cc: Diego Sueiro <Diego.Sueiro@arm.com>; meta-virtualization@lists.yoctoproject.org; nd <nd@arm.com>
Subject: Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES

AB would use the new default DISTRO_FEATURES which already contain seccomp.

On Fri, Jun 25, 2021 at 2:46 PM Bruce Ashfield <bruce.ashfield@gmail.com> wrote:
On Fri, Jun 25, 2021 at 4:11 AM Diego Sueiro <Diego.Sueiro@arm.com> wrote:
>
> >-----Original Message-----
> >From: Bruce Ashfield <bruce.ashfield@gmail.com>
> >Sent: 25 June 2021 03:49
> >To: Martin Jansa <martin.jansa@gmail.com>
> >Cc: Diego Sueiro <Diego.Sueiro@arm.com>; meta-
> >virtualization@lists.yoctoproject.org; nd <nd@arm.com>
> >Subject: Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as
> >REQUIRED_DISTRO_FEATURES
> >
> >On Thu, Jun 24, 2021 at 5:01 PM Martin Jansa <martin.jansa@gmail.com>
> >wrote:
> >>
> >> This change is correct, libseccomp still requires seccomp in
> >DISTRO_FEATURES, so anything depending on it should have the same
> >restriction.
> >>
> >
> >Right, I understand how/why it works like this .. but it is super clunky when we
> >can't just depend on something that is now in core, without needing to
> >sprinkle distro checks everywhere.
> >
> >As the list of recipes gets larger with that check, it really isn't an optional distro
> >feature for using meta virt at all, and it would be nice if we could just do the
> >check once and be done with it.
>
> Just a side note that these patches fix issues with yocto-check-layer.

I've disagreed with check-layer before (and we've changed how it works)

That being said, the layer is checked on the AB, and Richard hasn't
reported any issues. So clearly there's something wrong with the AB
test or with something else.


Bruce

>
> Diego
>
> >
> >Bruce
> >
> >> seccomp is now in default DISTRO_FEATURES, but not through BACKFILL
> >feature, so many existing DISTROs didn't get it automatically added and
> >requiring it is the right way to automatically skip such recipes.
> >>
> >> On Thu, Jun 24, 2021 at 12:45 PM Bruce Ashfield
> ><bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>> wrote:
> >>>
> >>> What branch are you working with ?
> >>>
> >>> Now that seccomp is in core, we no longer have those restrictions, so
> >>> I assume this is on an older branch ?
> >>>
> >>> Bruce
> >>>
> >>> On Thu, Jun 24, 2021 at 3:00 PM Diego Sueiro <diego.sueiro@arm.com<mailto:diego.sueiro@arm.com>>
> >wrote:
> >>> >
> >>> > The libseccomp package is only available if seccomp is in
> >DISTRO_FEATURES.
> >>> >
> >>> > Signed-off-by: Diego Sueiro <diego.sueiro@arm.com<mailto:diego.sueiro@arm.com>>
> >>> > ---
> >>> >  recipes-containers/podman/podman_git.bb<http://podman_git.bb> | 3 +++
> >>> >  1 file changed, 3 insertions(+)
> >>> >
> >>> > diff --git a/recipes-containers/podman/podman_git.bb<http://podman_git.bb>
> >>> > b/recipes-containers/podman/podman_git.bb<http://podman_git.bb>
> >>> > index 9dcb21c..351f38b 100644
> >>> > --- a/recipes-containers/podman/podman_git.bb<http://podman_git.bb>
> >>> > +++ b/recipes-containers/podman/podman_git.bb<http://podman_git.bb>
> >>> > @@ -6,6 +6,9 @@ DESCRIPTION = "Podman is a daemonless container
> >engine for developing, \
> >>> >      `alias docker=podman`. \
> >>> >      "
> >>> >
> >>> > +inherit features_check
> >>> > +REQUIRED_DISTRO_FEATURES ?= "seccomp"
> >>> > +
> >>> >  DEPENDS = " \
> >>> >      go-metalinter-native \
> >>> >      go-md2man-native \
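Review bot: the added REQUIRED_DISTRO_FEATURES line uses `?=`, which only takes effect when nothing has assigned the variable earlier, so a value set elsewhere silently drops the seccomp requirement while the recipe still depends on libseccomp. The libseccomp recipe quoted in this thread uses a plain `REQUIRED_DISTRO_FEATURES = "seccomp"`; using `=` here as well would keep the two in step. A one-line comment above `inherit features_check` noting that the requirement mirrors libseccomp would also help whoever relaxes it later.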
> >>> > --
> >>> > 2.17.1
> >>> >
> >>> >
> >>> >
> >>> >
> >>>
> >>>
> >>> --
> >>> - Thou shalt not follow the NULL pointer, for chaos and madness await
> >>> thee at its end
> >>> - "Use the force Harry" - Gandalf, Star Trek II
> >>>
> >>> 
> >>>
> >
> >
> >--
> >- Thou shalt not follow the NULL pointer, for chaos and madness await thee at
> >its end
> >- "Use the force Harry" - Gandalf, Star Trek II



--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-25 14:16             ` Diego Sueiro
@ 2021-06-25 15:18               ` Bruce Ashfield
       [not found]               ` <168BDC4B6AEEB1F5.20368@lists.yoctoproject.org>
  1 sibling, 0 replies; 17+ messages in thread
From: Bruce Ashfield @ 2021-06-25 15:18 UTC (permalink / raw)
  To: Diego Sueiro; +Cc: Martin Jansa, meta-virtualization, nd

On Fri, Jun 25, 2021 at 10:16 AM Diego Sueiro <Diego.Sueiro@arm.com> wrote:
>
> I was getting the following when passing `--machines mymachine`:
> ```
> ERROR: Nothing PROVIDES 'libseccomp' (but meta-virtualization/recipes-containers/podman/podman_git.bb, meta-virtualization/recipes-networking/slirp4netns/slirp4netns_0.4.1.bb DEPENDS on or otherwise requires it)
>
> libseccomp was skipped: missing required distro feature 'seccomp' (not in DISTRO_FEATURES)
> ```
>
>
>
> In a deeper investigation I found that the way mymachine was setting DISTRO_FEATURES (with `+=`) was preventing the inclusion of `DISTRO_FEATURES_DEFAULT`.
>
>
>
> But still, since in `meta/recipes-support/libseccomp/libseccomp_2.5.1.bb` we have `REQUIRED_DISTRO_FEATURES = "seccomp"`, don’t we need to add this check to the recipes that depend on it?
> In a quick grep on meta-virt, I suppose that if this is the case, we will also need to update the cri-o_git.bb and crun_git.bb recipes.
>

Yes .. exactly :D

>
>
> Or we can just remove `REQUIRED_DISTRO_FEATURES = "seccomp"` from `meta/recipes-support/libseccomp/libseccomp_2.5.1.bb`?
>

That is the core of what I was asking. A package that is now in core,
why is it only enabled by a distro feature ?

That is causing the proliferation of checks in meta-virt (and other
layers as well). With CNCF, seccomp is becoming required for proper
operation on many different runtimes, so it really isn't optional.

I was hoping for something centralized in the layer, but that of
course forces seccomp on kvm/lxc/xen and other use cases that still
(but I bet they will) don't need seccomp.

Alternatively, I was thinking the core distro feature could drop, or
that a backfill could be used .. but neither of those solve the short
term issue with a no-seccomp distro.

So I'm coming up empty in my search for something better, and will
likely just apply the patch and continue to see about those other
options.

Bruce


--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
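
The "quick grep" discussed in the message above can be turned into a repeatable check. The following is an added example, not code from the thread or from meta-virtualization: a heuristic lint that flags recipes which depend unconditionally on libseccomp without the matching feature guard. The recipe names and contents are constructed, `parse_vars` and `audit` are hypothetical helper names, and the regex parsing only approximates BitBake syntax.

```python
import re

# Constructed sample recipes for illustration; these are NOT the real
# meta-virtualization files and the file names are hypothetical.
SAMPLE_RECIPES = {
    "guarded_git.bb": r'''
inherit features_check
REQUIRED_DISTRO_FEATURES ?= "seccomp"
DEPENDS = " \
    go-md2man-native \
    libseccomp \
"
''',
    "unguarded_git.bb": r'''
DEPENDS = "glib-2.0 libseccomp"
''',
    "no-inherit_1.0.bb": r'''
REQUIRED_DISTRO_FEATURES = "seccomp"
DEPENDS += "libseccomp"
''',
    # Dependency is only pulled in through a PACKAGECONFIG flag, so it is
    # conditional and must not be reported.
    "optional_1.0.bb": r'''
PACKAGECONFIG ??= ""
PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,libseccomp"
DEPENDS = "zlib"
''',
}

MISSING_GUARD = "missing REQUIRED_DISTRO_FEATURES"
MISSING_INHERIT = "REQUIRED_DISTRO_FEATURES set but features_check not inherited"

# VAR, VAR:append or VAR_append, followed by any BitBake assignment operator.
# Flag assignments such as PACKAGECONFIG[x] deliberately do not match.
ASSIGN = re.compile(
    r'^(?P<name>[A-Za-z0-9_:]+)\s*'
    r'(?P<op>\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*'
    r'"(?P<val>.*)"\s*$')


def parse_vars(text):
    """Return ({variable: words ever assigned or appended}, inherited classes)."""
    folded = re.sub(r'\\\n', ' ', text)  # join backslash line continuations
    values, inherits = {}, set()
    for line in folded.splitlines():
        line = line.strip()
        if line.startswith("inherit "):
            inherits.update(line.split()[1:])
            continue
        m = ASSIGN.match(line)
        if not m:
            continue  # comments, functions, flag assignments
        name = m.group("name")
        if re.search(r'[:_]remove\b', name):
            continue  # removals never add a dependency
        # Strip ":append", "_prepend" and other override suffixes.
        base = re.split(r':|_(?:append|prepend)', name)[0]
        values.setdefault(base, set()).update(m.group("val").split())
    return values, inherits


def audit(recipes, dep="libseccomp", feature="seccomp"):
    """Map recipe name -> list of problems for unconditional users of `dep`."""
    findings = {}
    for name, text in sorted(recipes.items()):
        values, inherits = parse_vars(text)
        if dep not in values.get("DEPENDS", set()):
            continue
        problems = []
        if feature not in values.get("REQUIRED_DISTRO_FEATURES", set()):
            problems.append(MISSING_GUARD)
        elif "features_check" not in inherits:
            # Without the class the variable is never evaluated.
            problems.append(MISSING_INHERIT)
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for recipe, problems in audit(SAMPLE_RECIPES).items():
        print(f"{recipe}: {'; '.join(problems)}")
```

Run against a real layer by reading each `.bb` file into the dictionary; classes inherited globally through `INHERIT` are not visible to this check and would show up as false positives.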


* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
       [not found]               ` <168BDC4B6AEEB1F5.20368@lists.yoctoproject.org>
@ 2021-06-25 15:21                 ` Bruce Ashfield
       [not found]                 ` <168BDC756BE2FF71.10690@lists.yoctoproject.org>
  1 sibling, 0 replies; 17+ messages in thread
From: Bruce Ashfield @ 2021-06-25 15:21 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: Diego Sueiro, Martin Jansa, meta-virtualization, nd

On Fri, Jun 25, 2021 at 11:18 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@lists.yoctoproject.org> wrote:
>
> On Fri, Jun 25, 2021 at 10:16 AM Diego Sueiro <Diego.Sueiro@arm.com> wrote:
> >
> > I was getting the following when passing `--machines mymachine`:
> > ```
> > ERROR: Nothing PROVIDES 'libseccomp' (but meta-virtualization/recipes-containers/podman/podman_git.bb, meta-virtualization/recipes-networking/slirp4netns/slirp4netns_0.4.1.bb DEPENDS on or otherwise requires it)
> >
> > libseccomp was skipped: missing required distro feature 'seccomp' (not in DISTRO_FEATURES)
> > ```
> >
> >
> >
> > In a deeper investigation I found that the way mymachine was setting DISTRO_FEATURES (with `+=`) was preventing the inclusion of `DISTRO_FEATURES_DEFAULT`.
> >
> >
> >
> > But still, since in `meta/recipes-support/libseccomp/libseccomp_2.5.1.bb` we have `REQUIRED_DISTRO_FEATURES = "seccomp"`, don’t we need to add this check to the recipes that depend on it?
> > In a quick grep on meta-virt, I suppose that if this is the case, we will also need to update the cri-o_git.bb and crun_git.bb recipes.
> >
>
> Yes .. exactly :D
>
> >
> >
> > Or we can just remove `REQUIRED_DISTRO_FEATURES = "seccomp"` from `meta/recipes-support/libseccomp/libseccomp_2.5.1.bb`?
> >
>
> That is the core of what I was asking. A package that is now in core,
> why is it only enabled by a distro feature ?
>

And for clarity, I realize that the systemd recipe checks for the
systemd distro feature .. so that is similar. But systemd is one of
many init managers, so I can see why it is used.

Bruce


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
       [not found]                 ` <168BDC756BE2FF71.10690@lists.yoctoproject.org>
@ 2021-06-30  3:27                   ` Bruce Ashfield
  2021-06-30  7:58                     ` Richard Purdie
  0 siblings, 1 reply; 17+ messages in thread
From: Bruce Ashfield @ 2021-06-30  3:27 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: Diego Sueiro, Martin Jansa, meta-virtualization, nd

On Fri, Jun 25, 2021 at 11:21 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@lists.yoctoproject.org> wrote:
>
> On Fri, Jun 25, 2021 at 11:18 AM Bruce Ashfield via
> lists.yoctoproject.org
> <bruce.ashfield=gmail.com@lists.yoctoproject.org> wrote:
> >
> > On Fri, Jun 25, 2021 at 10:16 AM Diego Sueiro <Diego.Sueiro@arm.com> wrote:
> > >
> > > I was getting the following when passing `--machines mymachine`:
> > > ```
> > > ERROR: Nothing PROVIDES 'libseccomp' (but meta-virtualization/recipes-containers/podman/podman_git.bb, meta-virtualization/recipes-networking/slirp4netns/slirp4netns_0.4.1.bb DEPENDS on or otherwise requires it)
> > >
> > > libseccomp was skipped: missing required distro feature 'seccomp' (not in DISTRO_FEATURES)
> > > ```
> > >
> > >
> > >
> > > In a deeper investigation I found that the way mymachine was setting DISTRO_FEATURES (with `+=`) was preventing the inclusion of `DISTRO_FEATURES_DEFAULT`.
> > >
> > >
> > >
> > > But still, since in `meta/recipes-support/libseccomp/libseccomp_2.5.1.bb` we have `REQUIRED_DISTRO_FEATURES = "seccomp"`, don’t we need to add this check to the recipes that depend on it?
> > > In a quick grep on meta-virt, I suppose that if this is the case, we will also need to update the cri-o_git.bb and crun_git.bb recipes.
> > >
> >
> > Yes .. exactly :D
> >
> > >
> > >
> > > Or we can just remove `REQUIRED_DISTRO_FEATURES = "seccomp"` from `meta/recipes-support/libseccomp/libseccomp_2.5.1.bb`?
> > >
> >
> > That is the core of what I was asking. A package that is now in core,
> > why is it only enabled by a distro feature ?
> >
>
> And for clarity, I realize that the systemd recipe checks for the
> systemd distro feature .. so that is similar. But systemd is one of
> many init managers, so I can see why it is used.

I still don't have a better solution to this, and while I see about
getting seccomp behaviour changed in core, I can get this into the
tree.

I've added the extra seccomp dependent recipes and expect to merge
this on Wednesday.

Bruce


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-30  3:27                   ` Bruce Ashfield
@ 2021-06-30  7:58                     ` Richard Purdie
  2021-06-30 12:48                       ` Bruce Ashfield
  0 siblings, 1 reply; 17+ messages in thread
From: Richard Purdie @ 2021-06-30  7:58 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: Diego Sueiro, Martin Jansa, meta-virtualization, nd

On Tue, 2021-06-29 at 23:27 -0400, Bruce Ashfield wrote:
> On Fri, Jun 25, 2021 at 11:21 AM Bruce Ashfield via
> lists.yoctoproject.org
> > > That is the core of what I was asking. A package that is now in core,
> > > why is it only enabled by a distro feature ?
> > > 
> > 
> > And for clarity, I realize that the systemd recipe checks for the
> > systemd distro feature .. so that is similar. But systemd is one of
> > many init managers, so I can see why it is used.
> 
> I still don't have a better solution to this, and while I see about
> getting seccomp behaviour changed in core, I can get this into the
> tree.
> 
> I've added the extra seccomp dependent recipes and expect to merge
> this on Wednesday.

The reason for the distro_feature is to have a way to configure multiple
packageconfigs on/off centrally. Some platforms don't support seccomp
at all (riscv/arc) so forcing it on everywhere isn't possible.

I think we can remove the DISTRO_FEATURE restriction in the seccomp recipe itself
in core and replace it with a COMPATIBLE_HOST declaration.

We could also add the option to the default distro backfill.

Cheers,

Richard



* Re: [meta-virtualization][PATCH 1/3] podman: Add seccomp as REQUIRED_DISTRO_FEATURES
  2021-06-30  7:58                     ` Richard Purdie
@ 2021-06-30 12:48                       ` Bruce Ashfield
  0 siblings, 0 replies; 17+ messages in thread
From: Bruce Ashfield @ 2021-06-30 12:48 UTC (permalink / raw)
  To: Richard Purdie; +Cc: Diego Sueiro, Martin Jansa, meta-virtualization, nd

On Wed, Jun 30, 2021 at 3:58 AM Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Tue, 2021-06-29 at 23:27 -0400, Bruce Ashfield wrote:
> > On Fri, Jun 25, 2021 at 11:21 AM Bruce Ashfield via
> > lists.yoctoproject.org
> > > > That is the core of what I was asking. A package that is now in core,
> > > > why is it only enabled by a distro feature ?
> > > >
> > >
> > > And for clarity, I realize that the systemd recipe checks for the
> > > systemd distro feature .. so that is similar. But systemd is one of
> > > many init managers, so I can see why it is used.
> >
> > I still don't have a better solution to this, and while I see about
> > getting seccomp behaviour changed in core, I can get this into the
> > tree.
> >
> > I've added the extra seccomp dependent recipes and expect to merge
> > this on Wednesday.
>
> The reason for the distro_feature is to have a way to configure multiple
> packageconfigs on/off centrally. Some platforms don't support seccomp
> at all (riscv/arc) so forcing it on everywhere isn't possible.
>
> I think we can remove the DISTRO_FEATURE restriction in the seccomp recipe itself
> in core and replace it with a COMPATIBLE_HOST declaration.

That would be preferable on my end, since these recipes that depend on
seccomp unconditionally, are also incompatible with that same set of
hosts (I state the obvious here).

>
> We could also add the option to the default distro backfill.
>

I'm not as familiar with the backfill and when it should be used, but
I'll have a look at doing both of these for the seccomp work, and then
update the meta-virt recipes that can be simplified.

Bruce

> Cheers,
>
> Richard
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
