meta-virtualization.lists.yoctoproject.org archive mirror
* [meta-virtualization][kirkstone][PATCH 1/3] slirp4netns: Require tun kernel module
@ 2022-07-11 13:01 Andrei Gherzan
  2022-07-11 13:01 ` [meta-virtualization][kirkstone][PATCH 2/3] podman: Silence docker emulation warnings Andrei Gherzan
  2022-07-11 13:01 ` [meta-virtualization][kirkstone][PATCH 3/3] podman: Add support for rootless mode Andrei Gherzan
From: Andrei Gherzan @ 2022-07-11 13:01 UTC (permalink / raw)
  To: meta-virtualization; +Cc: andrei, Andrei Gherzan

From: Andrei Gherzan <andrei.gherzan@huawei.com>

slirp4netns uses a TAP device to connect to the internet in an
unprivileged way. Without the required kernel support (TAP/TUN),
slirp4netns will fail at runtime.

Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
---
 recipes-networking/slirp4netns/slirp4netns_git.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-networking/slirp4netns/slirp4netns_git.bb b/recipes-networking/slirp4netns/slirp4netns_git.bb
index a63871c..4bf25b8 100644
--- a/recipes-networking/slirp4netns/slirp4netns_git.bb
+++ b/recipes-networking/slirp4netns/slirp4netns_git.bb
@@ -18,4 +18,6 @@ DEPENDS = "glib-2.0 libcap libseccomp libslirp"
 
 S = "${WORKDIR}/git"
 
+RDEPENDS:${PN} += "kernel-module-tun"
+
 inherit autotools pkgconfig
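Review bot: a hard RDEPENDS on kernel-module-tun makes the package uninstallable on any kernel that builds TUN/TAP in (CONFIG_TUN=y), because no kernel-module-tun package is generated for built-in drivers. The layer already expresses kernel-module needs with RRECOMMENDS elsewhere (see the `RRECOMMENDS:${PN}` line for kernel-module-xt-masquerade in podman_git.bb in PATCH 3/3), so `RRECOMMENDS:${PN} += "kernel-module-tun"` would keep the runtime requirement visible without breaking built-in configurations.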
-- 
2.25.1




* [meta-virtualization][kirkstone][PATCH 2/3] podman: Silence docker emulation warnings
  2022-07-11 13:01 [meta-virtualization][kirkstone][PATCH 1/3] slirp4netns: Require tun kernel module Andrei Gherzan
@ 2022-07-11 13:01 ` Andrei Gherzan
  2022-07-11 13:01 ` [meta-virtualization][kirkstone][PATCH 3/3] podman: Add support for rootless mode Andrei Gherzan
From: Andrei Gherzan @ 2022-07-11 13:01 UTC (permalink / raw)
  To: meta-virtualization; +Cc: andrei, Andrei Gherzan

From: Andrei Gherzan <andrei.gherzan@huawei.com>

Podman can run via a docker symlink emulating docker commands. By
default this generates a runtime warning. This change silences it via
the provided interface.

Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
---
 recipes-containers/podman/podman_git.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 727a298..4693bd6 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -93,6 +93,10 @@ do_install() {
 	if ${@bb.utils.contains('PACKAGECONFIG', 'docker', 'true', 'false', d)}; then
 		oe_runmake install.docker DESTDIR="${D}"
 	fi
+
+	# Silence docker emulation warnings.
+	mkdir -p ${D}/etc/containers
+	touch ${D}/etc/containers/nodocker
 }
 
 FILES:${PN} += " \
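Review bot: the new lines hard-code `${D}/etc/containers` while the recipe otherwise uses `${D}${sysconfdir}`; please use the variable. Consider also gating the marker on the same `docker` PACKAGECONFIG test a few lines up: `/etc/containers/nodocker` only suppresses the message podman prints when it is invoked through the docker symlink, so creating it unconditionally adds a file to builds that never install the emulation. The commit message could say explicitly that only the emulation notice is silenced, not other podman runtime warnings.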
-- 
2.25.1




* [meta-virtualization][kirkstone][PATCH 3/3] podman: Add support for rootless mode
  2022-07-11 13:01 [meta-virtualization][kirkstone][PATCH 1/3] slirp4netns: Require tun kernel module Andrei Gherzan
  2022-07-11 13:01 ` [meta-virtualization][kirkstone][PATCH 2/3] podman: Silence docker emulation warnings Andrei Gherzan
@ 2022-07-11 13:01 ` Andrei Gherzan
  2022-07-11 13:31   ` Bruce Ashfield
From: Andrei Gherzan @ 2022-07-11 13:01 UTC (permalink / raw)
  To: meta-virtualization; +Cc: andrei, Andrei Gherzan

From: Andrei Gherzan <andrei.gherzan@huawei.com>

Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
---
 docs/00-INDEX                                     |  3 +++
 docs/podman.txt                                   | 15 +++++++++++++++
 docs/podman.txt.license                           |  3 +++
 .../podman/podman/00-podman-rootless.conf         |  6 ++++++
 recipes-containers/podman/podman_git.bb           | 15 ++++++++++++++-
 5 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 docs/podman.txt
 create mode 100644 docs/podman.txt.license
 create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf

diff --git a/docs/00-INDEX b/docs/00-INDEX
index 5aa1b3c..6659fbe 100644
--- a/docs/00-INDEX
+++ b/docs/00-INDEX
@@ -11,5 +11,8 @@ alphabetical order as well.
 openvswitch.txt
 	- example on how to setup openvswitch with qemu/kvm.
 
+podman.txt
+	- documentation on podman container engine integration.
+
 xvisor.txt
 	- example on how to setup Xvisor for RISC-V QEMU.
diff --git a/docs/podman.txt b/docs/podman.txt
new file mode 100644
index 0000000..9f35501
--- /dev/null
+++ b/docs/podman.txt
@@ -0,0 +1,15 @@
+Podman
+======
+
+Rootless mode
+-------------
+
+Podman is a daemonless container engine that has as one of its features the
+ability to run in rootless mode. This requires a set of configurations and
+additional components. The OE/Yocto integration configures podman with this
+support enabled by default. This can be changed via configuration files
+(distro, local.conf, etc.) or bbaappends using the `PODMAN_ROOTLESS` variable.
+
+To disable rootless support set the variable to '0':
+
+PODMAN_ROOTLESS = "0"
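Review bot: typo in the last paragraph, `bbaappends` should be `bbappends`. The document would also benefit from listing what the switch actually pulls in (the sysctl.d fragment and the fuse-overlayfs / slirp4netns runtime dependencies added later in this patch), so integrators can see what changes on their images when the variable is flipped.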
diff --git a/docs/podman.txt.license b/docs/podman.txt.license
new file mode 100644
index 0000000..940435e
--- /dev/null
+++ b/docs/podman.txt.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: Apache-2.0
diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.conf
new file mode 100644
index 0000000..2aca663
--- /dev/null
+++ b/recipes-containers/podman/podman/00-podman-rootless.conf
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# User namespaces are required for rootless containers.
+user.max_user_namespaces	= 15000
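Review bot: the fragment raises `user.max_user_namespaces`, but that only has an effect on a kernel built with CONFIG_USER_NS, and nothing in the series checks or documents that prerequisite. Because unprivileged user namespaces also expose a much larger kernel attack surface to every local user, the rationale and the kernel requirement belong in docs/podman.txt next to the PODMAN_ROOTLESS description, and the value 15000 deserves a comment explaining where it comes from.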
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 4693bd6..4dcd0f2 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -6,6 +6,10 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
     `alias docker=podman`. \
     "
 
+# podman can run in rootless mode with the help of additional components:
+# https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
+PODMAN_ROOTLESS ?= "1"
+
 inherit features_check
 REQUIRED_DISTRO_FEATURES ?= "seccomp ipv6"
 
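Review bot: `PODMAN_ROOTLESS ?= "1"` turns a new feature on for every existing kirkstone user and pulls a sysctl change plus two extra runtime packages into their images; as Bruce suggests in his reply below, `?= "0"` with an explicit opt-in is the safer default for a stable branch, and the docs/podman.txt text then needs to say "disabled by default" instead.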
@@ -21,6 +25,7 @@ SRCREV = "717edd7b844dcd66468f5d991991d87e9fc14c12"
 SRC_URI = " \
     git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
     file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
+    ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'file://00-podman-rootless.conf', '', d)} \
 "
 
 LICENSE = "Apache-2.0"
@@ -97,6 +102,11 @@ do_install() {
 	# Silence docker emulation warnings.
 	mkdir -p ${D}/etc/containers
 	touch ${D}/etc/containers/nodocker
+
+	if [ "${PODMAN_ROOTLESS}" = "1" ]; then
+		install -d "${D}${sysconfdir}/sysctl.d"
+		install -m 0644 "${WORKDIR}/00-podman-rootless.conf" "${D}${sysconfdir}/sysctl.d"
+	fi
 }
 
 FILES:${PN} += " \
@@ -112,6 +122,9 @@ SYSTEMD_SERVICE:${PN} = "podman.service podman.socket"
 # that busybox is configured with nsenter
 VIRTUAL-RUNTIME_base-utils-nsenter ?= "util-linux-nsenter"
 
-RDEPENDS:${PN} += "conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter}"
+RDEPENDS:${PN} += "\
+	conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter} \
+	${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'fuse-overlayfs slirp4netns', '', d)} \
+"
 RRECOMMENDS:${PN} += "slirp4netns kernel-module-xt-masquerade kernel-module-xt-comment"
 RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
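Review bot: after this change slirp4netns is both a conditional RDEPENDS and an unconditional RRECOMMENDS on the next line; drop it from RRECOMMENDS (or keep it only for the non-rootless case) so the two lists do not disagree. The rootless tutorial linked at the top of the recipe also requires newuidmap/newgidmap (from shadow) plus per-user /etc/subuid and /etc/subgid ranges, and fuse-overlayfs needs FUSE support in the kernel (kernel-module-fuse, with the same built-in caveat as the tun module in PATCH 1/3); none of these are pulled in here, so rootless users without them fall back to a single-UID mapping at best. Worth either adding them or calling them out in docs/podman.txt.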
-- 
2.25.1




* Re: [meta-virtualization][kirkstone][PATCH 3/3] podman: Add support for rootless mode
  2022-07-11 13:01 ` [meta-virtualization][kirkstone][PATCH 3/3] podman: Add support for rootless mode Andrei Gherzan
@ 2022-07-11 13:31   ` Bruce Ashfield
  2022-07-11 13:38     ` Andrei Gherzan
From: Bruce Ashfield @ 2022-07-11 13:31 UTC (permalink / raw)
  To: Andrei Gherzan; +Cc: meta-virtualization, Andrei Gherzan

This is new functionality ... and while we don't have a strict rule
about not adding new features to existing releases, this is stretching
the definition, since it does have the potential to cause issues.

It is definitely fine for master, but I'm not particularly keen to
start adding new features to kirkstone.

Bruce

On Mon, Jul 11, 2022 at 9:01 AM Andrei Gherzan <andrei@gherzan.com> wrote:
>
> From: Andrei Gherzan <andrei.gherzan@huawei.com>
>
> Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
> ---
>  docs/00-INDEX                                     |  3 +++
>  docs/podman.txt                                   | 15 +++++++++++++++
>  docs/podman.txt.license                           |  3 +++
>  .../podman/podman/00-podman-rootless.conf         |  6 ++++++
>  recipes-containers/podman/podman_git.bb           | 15 ++++++++++++++-
>  5 files changed, 41 insertions(+), 1 deletion(-)
>  create mode 100644 docs/podman.txt
>  create mode 100644 docs/podman.txt.license
>  create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf
>
> diff --git a/docs/00-INDEX b/docs/00-INDEX
> index 5aa1b3c..6659fbe 100644
> --- a/docs/00-INDEX
> +++ b/docs/00-INDEX
> @@ -11,5 +11,8 @@ alphabetical order as well.
>  openvswitch.txt
>         - example on how to setup openvswitch with qemu/kvm.
>
> +podman.txt
> +       - documentation on podman container engine integration.
> +
>  xvisor.txt
>         - example on how to setup Xvisor for RISC-V QEMU.
> diff --git a/docs/podman.txt b/docs/podman.txt
> new file mode 100644
> index 0000000..9f35501
> --- /dev/null
> +++ b/docs/podman.txt
> @@ -0,0 +1,15 @@
> +Podman
> +======
> +
> +Rootless mode
> +-------------
> +
> +Podman is a daemonless container engine that has as one of its features the
> +ability to run in rootless mode. This requires a set of configurations and
> +additional components. The OE/Yocto integration configures podman with this
> +support enabled by default. This can be changed via configuration files
> +(distro, local.conf, etc.) or bbaappends using the `PODMAN_ROOTLESS` variable.
> +
> +To disable rootless support set the variable to '0':
> +
> +PODMAN_ROOTLESS = "0"
> diff --git a/docs/podman.txt.license b/docs/podman.txt.license
> new file mode 100644
> index 0000000..940435e
> --- /dev/null
> +++ b/docs/podman.txt.license
> @@ -0,0 +1,3 @@
> +SPDX-FileCopyrightText: Huawei Inc.
> +
> +SPDX-License-Identifier: Apache-2.0
> diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.conf
> new file mode 100644
> index 0000000..2aca663
> --- /dev/null
> +++ b/recipes-containers/podman/podman/00-podman-rootless.conf
> @@ -0,0 +1,6 @@
> +# SPDX-FileCopyrightText: Huawei Inc.
> +#
> +# SPDX-License-Identifier: Apache-2.0
> +
> +# User namespaces are required for rootless containers.
> +user.max_user_namespaces       = 15000
> diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
> index 4693bd6..4dcd0f2 100644
> --- a/recipes-containers/podman/podman_git.bb
> +++ b/recipes-containers/podman/podman_git.bb
> @@ -6,6 +6,10 @@ DESCRIPTION = "Podman is a daemonless container engine for developing, \
>      `alias docker=podman`. \
>      "
>
> +# podman can run in rootless mode with the help of additional components:
> +# https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md
> +PODMAN_ROOTLESS ?= "1"
> +
>  inherit features_check
>  REQUIRED_DISTRO_FEATURES ?= "seccomp ipv6"
>
> @@ -21,6 +25,7 @@ SRCREV = "717edd7b844dcd66468f5d991991d87e9fc14c12"
>  SRC_URI = " \
>      git://github.com/containers/libpod.git;branch=v4.0;protocol=https \
>      file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
> +    ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'file://00-podman-rootless.conf', '', d)} \
>  "
>
>  LICENSE = "Apache-2.0"
> @@ -97,6 +102,11 @@ do_install() {
>         # Silence docker emulation warnings.
>         mkdir -p ${D}/etc/containers
>         touch ${D}/etc/containers/nodocker
> +
> +       if [ "${PODMAN_ROOTLESS}" = "1" ]; then
> +               install -d "${D}${sysconfdir}/sysctl.d"
> +               install -m 0644 "${WORKDIR}/00-podman-rootless.conf" "${D}${sysconfdir}/sysctl.d"
> +       fi
>  }
>
>  FILES:${PN} += " \
> @@ -112,6 +122,9 @@ SYSTEMD_SERVICE:${PN} = "podman.service podman.socket"
>  # that busybox is configured with nsenter
>  VIRTUAL-RUNTIME_base-utils-nsenter ?= "util-linux-nsenter"
>
> -RDEPENDS:${PN} += "conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter}"
> +RDEPENDS:${PN} += "\
> +       conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter} \
> +       ${@bb.utils.contains('PODMAN_ROOTLESS', '1', 'fuse-overlayfs slirp4netns', '', d)} \
> +"
>  RRECOMMENDS:${PN} += "slirp4netns kernel-module-xt-masquerade kernel-module-xt-comment"
>  RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
> --
> 2.25.1
>
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II



* Re: [meta-virtualization][kirkstone][PATCH 3/3] podman: Add support for rootless mode
  2022-07-11 13:31   ` Bruce Ashfield
@ 2022-07-11 13:38     ` Andrei Gherzan
  2022-07-11 13:42       ` Bruce Ashfield
From: Andrei Gherzan @ 2022-07-11 13:38 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: meta-virtualization, Andrei Gherzan

On Mon, 11 Jul 2022, at 14:31, Bruce Ashfield wrote:
> This is new functionality ... and while we don't have a strict rule
> about not adding new features to existing releases, this is stretching
> the definition, since it does have the potential to cause issues.
>
> It is definitely fine for master, but I'm not particularly keen to
> start adding new features to kirkstone.

That makes sense. Would you accept it with a disabled default in kirkstone?

-- 
Andrei Gherzan 
gpg: rsa4096/D4D94F67AD0E9640



* Re: [meta-virtualization][kirkstone][PATCH 3/3] podman: Add support for rootless mode
  2022-07-11 13:38     ` Andrei Gherzan
@ 2022-07-11 13:42       ` Bruce Ashfield
  2022-07-11 13:44         ` Andrei Gherzan
From: Bruce Ashfield @ 2022-07-11 13:42 UTC (permalink / raw)
  To: Andrei Gherzan; +Cc: meta-virtualization, Andrei Gherzan

On Mon, Jul 11, 2022 at 9:39 AM Andrei Gherzan <andrei@gherzan.com> wrote:
>
> On Mon, 11 Jul 2022, at 14:31, Bruce Ashfield wrote:
> > This is new functionality ... and while we don't have a strict rule
> > about not adding new features to existing releases, this is stretching
> > the definition, since it does have the potential to cause issues.
> >
> > It is definitely fine for master, but I'm not particularly keen to
> > start adding new features to kirkstone.
>
> That makes sense. Would you accept it with a disabled default in kirkstone?

I think that's ok .. it's a balance between keeping kirkstone useful,
and not requiring folks to carry too many changes in their layers.
It's easy enough by inspection to show that the disabled feature won't
impact existing functionality or break anything.

On further thought, we should keep it disabled by default even in
master, so from that point of view, we can keep them in alignment.

Bruce

>
> --
> Andrei Gherzan
> gpg: rsa4096/D4D94F67AD0E9640



-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II



* Re: [meta-virtualization][kirkstone][PATCH 3/3] podman: Add support for rootless mode
  2022-07-11 13:42       ` Bruce Ashfield
@ 2022-07-11 13:44         ` Andrei Gherzan
From: Andrei Gherzan @ 2022-07-11 13:44 UTC (permalink / raw)
  To: Bruce Ashfield; +Cc: meta-virtualization, Andrei Gherzan

On Mon, 11 Jul 2022, at 14:42, Bruce Ashfield wrote:
> On Mon, Jul 11, 2022 at 9:39 AM Andrei Gherzan <andrei@gherzan.com> wrote:
>>
>> On Mon, 11 Jul 2022, at 14:31, Bruce Ashfield wrote:
>> > This is new functionality ... and while we don't have a strict rule
>> > about not adding new features to existing releases, this is stretching
>> > the definition, since it does have the potential to cause issues.
>> >
>> > It is definitely fine for master, but I'm not particularly keen to
>> > start adding new features to kirkstone.
>>
>> That makes sense. Would you accept it with a disabled default in kirkstone?
>
> I think that's ok .. it's a balance between keeping kirkstone useful,
> and not requiring folks to carry too many changes in their layers.
> It's easy enough by inspection to show that the disabled feature won't
> impact existing functionality or break anything.
>
> On further thought, we should keep it disabled by default even in
> master, so from that point of view, we can keep them in alignment.

Deal. I'll do this in the next v.

Andrei

