* [meta-virtualization][PATCH v2 1/4] slirp4netns: Runtime recommend the tun kernel module
@ 2022-07-11 18:53 Andrei Gherzan
  2022-07-11 18:53 ` [meta-virtualization][PATCH v2 2/4] podman: Silence docker emulation warnings Andrei Gherzan
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Andrei Gherzan @ 2022-07-11 18:53 UTC (permalink / raw)
  To: meta-virtualization; +Cc: andrei, Andrei Gherzan

From: Andrei Gherzan <andrei.gherzan@huawei.com>

slirp4netns uses a TAP device to connect to the internet in an
unprivileged way. Without the required kernel support (TAP/TUN),
slirp4netns will fail at runtime.

Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
---
 recipes-networking/slirp4netns/slirp4netns_git.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-networking/slirp4netns/slirp4netns_git.bb b/recipes-networking/slirp4netns/slirp4netns_git.bb
index a63871c..6526d39 100644
--- a/recipes-networking/slirp4netns/slirp4netns_git.bb
+++ b/recipes-networking/slirp4netns/slirp4netns_git.bb
@@ -18,4 +18,6 @@ DEPENDS = "glib-2.0 libcap libseccomp libslirp"
 
 S = "${WORKDIR}/git"
 
+RRECOMMENDS:${PN} += "kernel-module-tun"
+
 inherit autotools pkgconfig
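Review bot: the commit message says slirp4netns "will fail at runtime" without TUN/TAP support, yet the new line uses RRECOMMENDS rather than RDEPENDS; the recommendation is the right choice (a kernel with CONFIG_TUN built in ships no kernel-module-tun package, so RDEPENDS would break image builds there, and a recommendation can still be dropped through BAD_RECOMMENDATIONS), but one sentence in the commit message stating this reasoning would spare the next reader the same question.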
-- 
2.25.1




* [meta-virtualization][PATCH v2 2/4] podman: Silence docker emulation warnings
  2022-07-11 18:53 [meta-virtualization][PATCH v2 1/4] slirp4netns: Runtime recommend the tun kernel module Andrei Gherzan
@ 2022-07-11 18:53 ` Andrei Gherzan
  2022-07-11 18:53 ` [meta-virtualization][PATCH v2 3/4] podman: Add support for rootless mode Andrei Gherzan
  2022-07-11 18:53 ` [meta-virtualization][PATCH v2 4/4] fuse-overlayfs: Fix buffer overflow bug on workdir path Andrei Gherzan
  2 siblings, 0 replies; 4+ messages in thread
From: Andrei Gherzan @ 2022-07-11 18:53 UTC (permalink / raw)
  To: meta-virtualization; +Cc: andrei, Andrei Gherzan

From: Andrei Gherzan <andrei.gherzan@huawei.com>

Podman can run via a docker symlink emulating docker commands. By
default this generates a runtime warning. This change silences it via
the provided interface.

Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
---
 recipes-containers/podman/podman_git.bb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 547bc4e..961cd18 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -93,6 +93,10 @@ do_install() {
 	if ${@bb.utils.contains('PACKAGECONFIG', 'docker', 'true', 'false', d)}; then
 		oe_runmake install.docker DESTDIR="${D}"
 	fi
+
+	# Silence docker emulation warnings.
+	mkdir -p ${D}/etc/containers
+	touch ${D}/etc/containers/nodocker
 }
 
 FILES:${PN} += " \
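Review bot: the two new install lines hard-code `${D}/etc/containers` while the rest of the task uses OE variables; `${D}${sysconfdir}/containers` is the conventional form (the rootless patch in this same series uses `${D}${sysconfdir}/sysctl.d`). The nodocker marker is also created unconditionally, although the warning it silences is only printed when podman is invoked through the docker compatibility symlink installed by the `if` branch just above; moving the `mkdir`/`touch` pair inside that branch ties the file to the feature that needs it.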
-- 
2.25.1




* [meta-virtualization][PATCH v2 3/4] podman: Add support for rootless mode
  2022-07-11 18:53 [meta-virtualization][PATCH v2 1/4] slirp4netns: Runtime recommend the tun kernel module Andrei Gherzan
  2022-07-11 18:53 ` [meta-virtualization][PATCH v2 2/4] podman: Silence docker emulation warnings Andrei Gherzan
@ 2022-07-11 18:53 ` Andrei Gherzan
  2022-07-11 18:53 ` [meta-virtualization][PATCH v2 4/4] fuse-overlayfs: Fix buffer overflow bug on workdir path Andrei Gherzan
  2 siblings, 0 replies; 4+ messages in thread
From: Andrei Gherzan @ 2022-07-11 18:53 UTC (permalink / raw)
  To: meta-virtualization; +Cc: andrei, Andrei Gherzan

From: Andrei Gherzan <andrei.gherzan@huawei.com>

This support is disabled by default and exposed via PACKAGECONFIG.

Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
---
 docs/00-INDEX                                      |  3 +++
 docs/podman.txt                                    | 14 ++++++++++++++
 docs/podman.txt.license                            |  3 +++
 .../podman/podman/00-podman-rootless.conf          |  6 ++++++
 recipes-containers/podman/podman_git.bb            | 11 ++++++++++-
 5 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 docs/podman.txt
 create mode 100644 docs/podman.txt.license
 create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf

diff --git a/docs/00-INDEX b/docs/00-INDEX
index 5aa1b3c..6659fbe 100644
--- a/docs/00-INDEX
+++ b/docs/00-INDEX
@@ -11,5 +11,8 @@ alphabetical order as well.
 openvswitch.txt
 	- example on how to setup openvswitch with qemu/kvm.
 
+podman.txt
+	- documentation on podman container engine integration.
+
 xvisor.txt
 	- example on how to setup Xvisor for RISC-V QEMU.
diff --git a/docs/podman.txt b/docs/podman.txt
new file mode 100644
index 0000000..66a69b3
--- /dev/null
+++ b/docs/podman.txt
@@ -0,0 +1,14 @@
+Podman
+======
+
+Rootless mode
+-------------
+
+Podman is a daemonless container engine that has as one of its features the
+ability to run in rootless mode. This requires a set of configurations and
+additional components. The OE/Yocto integration configures podman with this
+support disabled by default. This can be changed via configuration files
+(distro, local.conf, etc.) or bbappends using the `PACKAGECONFIG` variable.
+
+To enable rootless support, add `rootless` to the `PACKAGECONFIG` podman
+recipe variable.
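Review bot: the new podman.txt tells the reader how to flip the PACKAGECONFIG flag but not what the flag changes; listing what the later hunks of this patch add (the fuse-overlayfs and slirp4netns runtime dependencies and the user.max_user_namespaces sysctl drop-in) and what the target kernel must provide (user namespace support) would make the document useful when a rootless setup does not work. Wording: "has as one of its features the ability to run in rootless mode" reads more simply as "can run in rootless mode".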
diff --git a/docs/podman.txt.license b/docs/podman.txt.license
new file mode 100644
index 0000000..c734870
--- /dev/null
+++ b/docs/podman.txt.license
@@ -0,0 +1,3 @@
+SPDX-FileCopyrightText: Huawei Inc.
+
+SPDX-License-Identifier: MIT
diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.conf
new file mode 100644
index 0000000..aaede0e
--- /dev/null
+++ b/recipes-containers/podman/podman/00-podman-rootless.conf
@@ -0,0 +1,6 @@
+# SPDX-FileCopyrightText: Huawei Inc.
+#
+# SPDX-License-Identifier: MIT
+
+# User namespaces are required for rootless containers.
+user.max_user_namespaces	= 15000
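Review bot: the drop-in sets user.max_user_namespaces to 15000 with no comment on where that value comes from; the kernel computes its default from the machine's memory size at boot, so depending on the target this line raises or lowers the limit relative to what the kernel would have used, and a comment explaining the choice would help. It is also worth noting (here or in podman.txt) that the key only exists when the kernel is built with CONFIG_USER_NS, otherwise systemd-sysctl reports that it cannot write it. Minor: the tab between the key and `=` is unusual for sysctl.d files; a single space is the common style.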
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 961cd18..73d3c93 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -21,6 +21,7 @@ SRCREV = "cedbbfa543651a13055a1fe093a4d0a2a28ccdfd"
 SRC_URI = " \
     git://github.com/containers/libpod.git;branch=v4.1;protocol=https \
     file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
+    ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://00-podman-rootless.conf', '', d)} \
 "
 
 LICENSE = "Apache-2.0"
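Review bot: the hunks shown add `rootless` handling to SRC_URI and RDEPENDS through bb.utils.contains but never define `PACKAGECONFIG[rootless]`; a definition such as `PACKAGECONFIG[rootless] = ",,,fuse-overlayfs slirp4netns"` would document the option in the recipe itself and let the runtime-dependency field carry what the last hunk of this file adds by hand. The conditional `file://` entry in SRC_URI is fine as written.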
@@ -97,6 +98,11 @@ do_install() {
 	# Silence docker emulation warnings.
 	mkdir -p ${D}/etc/containers
 	touch ${D}/etc/containers/nodocker
+
+	if ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'true', 'false', d)}; then
+		install -d "${D}${sysconfdir}/sysctl.d"
+		install -m 0644 "${WORKDIR}/00-podman-rootless.conf" "${D}${sysconfdir}/sysctl.d"
+	fi
 }
 
 FILES:${PN} += " \
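Review bot: the drop-in is installed to ${sysconfdir}/sysctl.d but nothing in the recipe ensures it is applied at boot; on a systemd image systemd-sysctl does this, on other init systems it depends on the image's own sysctl init script, so podman.txt should state that the value has to be applied (at boot, or by hand with `sysctl --system`) before rootless containers can start.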
@@ -112,6 +118,9 @@ SYSTEMD_SERVICE:${PN} = "podman.service podman.socket"
 # that busybox is configured with nsenter
 VIRTUAL-RUNTIME_base-utils-nsenter ?= "util-linux-nsenter"
 
-RDEPENDS:${PN} += "conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter}"
+RDEPENDS:${PN} += "\
+	conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter} \
+	${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'fuse-overlayfs slirp4netns', '', d)} \
+"
 RRECOMMENDS:${PN} += "slirp4netns kernel-module-xt-masquerade kernel-module-xt-comment"
 RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
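Review bot: slirp4netns now appears both in the rootless branch of RDEPENDS and, unconditionally, in the RRECOMMENDS line directly below it, so the recommendation is redundant whenever rootless is enabled; either drop it there or move the rootless runtime dependencies into a PACKAGECONFIG[rootless] definition. The new continuation lines are tab-indented while the SRC_URI block earlier in the same file uses four spaces; matching the file's existing indentation avoids mixed whitespace.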
-- 
2.25.1




* [meta-virtualization][PATCH v2 4/4] fuse-overlayfs: Fix buffer overflow bug on workdir path
  2022-07-11 18:53 [meta-virtualization][PATCH v2 1/4] slirp4netns: Runtime recommend the tun kernel module Andrei Gherzan
  2022-07-11 18:53 ` [meta-virtualization][PATCH v2 2/4] podman: Silence docker emulation warnings Andrei Gherzan
  2022-07-11 18:53 ` [meta-virtualization][PATCH v2 3/4] podman: Add support for rootless mode Andrei Gherzan
@ 2022-07-11 18:53 ` Andrei Gherzan
  2 siblings, 0 replies; 4+ messages in thread
From: Andrei Gherzan @ 2022-07-11 18:53 UTC (permalink / raw)
  To: meta-virtualization; +Cc: andrei, Andrei Gherzan

From: Andrei Gherzan <andrei.gherzan@huawei.com>

Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
---
 ...-Fix-buffer-overflow-on-workdir-path.patch | 32 +++++++++++++++++++
 .../fuse-overlayfs/fuse-overlayfs_0.6.4.bb    |  5 ++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch

diff --git a/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch b/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
new file mode 100644
index 0000000..129423d
--- /dev/null
+++ b/recipes-extended/fuse-overlayfs/fuse-overlayfs/0001-Fix-buffer-overflow-on-workdir-path.patch
@@ -0,0 +1,32 @@
+From 7e5992d6121aed0cfcbfaf70472f28d87cff1426 Mon Sep 17 00:00:00 2001
+From: Andrei Gherzan <andrei.gherzan@huawei.com>
+Date: Mon, 11 Jul 2022 20:36:06 +0200
+Subject: [PATCH] Fix buffer overflow on workdir path
+
+We make sure that the path used for workdir is reallocated before
+appending. This was initially included in upstream as part of
+https://github.com/containers/fuse-overlayfs/commit/d5b725b6f18a437db66bfc1456d04c3bf658f66a.
+
+Signed-off-by: Andrei Gherzan <andrei.gherzan@huawei.com>
+Upstream-Status: Backport
+---
+ main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/main.c b/main.c
+index e5bdda1..118a6cb 100644
+--- a/main.c
++++ b/main.c
+@@ -5039,6 +5039,9 @@ main (int argc, char *argv[])
+       if (path == NULL)
+         goto err_out1;
+       mkdir (path, 0700);
++      path = realloc(path, strlen(path)+strlen("/work")+1);
++      if (!path)
++        error (EXIT_FAILURE, errno, "allocating workdir path");
+       strcat (path, "/work");
+       mkdir (path, 0700);
+       free (lo.workdir);
+-- 
+2.25.1
+
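Review bot: the realloc size `strlen(path)+strlen("/work")+1` is exactly what the following strcat needs, and since error() exits, losing the original buffer on a failed realloc is not a leak that matters; however, two lines above the existing code handles an allocation failure with `goto err_out1`, and taking the same path here would keep the cleanup consistent with the rest of the function. Style: `realloc(path, ...)` lacks the space before the parenthesis that the adjacent GNU-style calls (`mkdir (path, 0700)`, `strcat (path, "/work")`) use. Citing the upstream commit in the description alongside Upstream-Status: Backport is good practice and makes the patch easy to drop later.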
diff --git a/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb b/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
index a02c1e6..4f793bd 100644
--- a/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
+++ b/recipes-extended/fuse-overlayfs/fuse-overlayfs_0.6.4.bb
@@ -6,7 +6,10 @@ LICENSE = "GPL-3.0-or-later"
 LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
 
 SRCREV = "098d9ad79fdbb8538adde08628408aa32a8b4b17"
-SRC_URI = "git://github.com/containers/fuse-overlayfs.git;nobranch=1;protocol=https"
+SRC_URI = " \
+	git://github.com/containers/fuse-overlayfs.git;nobranch=1;protocol=https \
+	file://0001-Fix-buffer-overflow-on-workdir-path.patch \
+"
 
 DEPENDS = "fuse3"
 
-- 
2.25.1



