<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/meta-virtualization.git/recipes-containers/container-registry, branch master</title>
<subtitle>Mirror of git.yoctoproject.org/meta-virtualization</subtitle>
<id>https://git.enea.com/cgit/linux/meta-virtualization.git/atom?h=master</id>
<link rel='self' href='https://git.enea.com/cgit/linux/meta-virtualization.git/atom?h=master'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/'/>
<updated>2026-05-10T13:58:45+00:00</updated>
<entry>
<title>container-registry: add multi-arch OCI push support and tests</title>
<updated>2026-05-10T13:58:45+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-05-10T13:58:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=cbe004439cae170ad5455fbb881495795e42bf5a'/>
<id>urn:sha1:cbe004439cae170ad5455fbb881495795e42bf5a</id>
<content type='text'>
The registry push script (container-registry-index.bb) treated all OCI
directories as single-arch, calling 'skopeo copy oci:&lt;dir&gt;' which fails
with "more than one image in oci, choose an image" when the directory
contains a multi-arch image index. The original push implementation
predated multi-arch OCI support and only handled the single-manifest
case.

Detect multi-arch OCI Image Index directories (both flat and nested
layouts) in the direct-path push mode and use 'skopeo copy --all' to
push the entire manifest list to the registry in one operation. This
preserves the multi-platform structure so that clients pulling from the
registry automatically get the correct architecture.

Also strip the '-multiarch' suffix from directory names when deriving
the registry image name, so container-base-multiarch-multiarch-oci
pushes as 'container-base' rather than 'container-base-multiarch'.

Add build-profiles.md documentation for the vcontainer distro, container
multiconfigs, and multi-arch container build workflow.

Add test_vcontainer_distro.py with 54 tests across three tiers:
- Tier 1: Static file assertions (vruntime-base.inc, vcontainer.conf,
  multiconfigs, bbclass defaults, recipe structure)
- Tier 2: Cross-file consistency (shared base, distro-MC alignment,
  bbclass-to-multiconfig file matching)
- Tier 3: Build output verification (OCI index structure, platform
  entries, blob integrity, manifest validation)

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>container-registry: drop container-registry-populate</title>
<updated>2026-03-11T23:20:07+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-03-11T23:20:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=aa18b46a7a70a782510d8ba0b7fa5378c6d3630f'/>
<id>urn:sha1:aa18b46a7a70a782510d8ba0b7fa5378c6d3630f</id>
<content type='text'>
Somehow we have two similar registry recipes that were developed
from a different point of view.

We don't need both.

container-registry-index is the mature, QA-compliant version
that also generates the standalone container-registry.sh helper
script.

container-registry-populate is an older, simpler version that
does only the push, so we drop it here.

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>vxn: add Docker/Podman integration and CLI frontends</title>
<updated>2026-02-26T01:05:01+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-02-19T01:53:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=035e0daebeb53880ea2a6bd0f0e31785f3ec9e55'/>
<id>urn:sha1:035e0daebeb53880ea2a6bd0f0e31785f3ec9e55</id>
<content type='text'>
Add vdkr/vpdmn as Dom0 target packages with Xen auto-detection,
native Docker/Podman config sub-packages, and OCI runtime fixes
for Docker compatibility (JSON logging, root.path, kill --all,
monitor PID lifecycle).

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>container tasks: move network access out of build chain</title>
<updated>2026-02-10T21:04:20+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-02-10T19:10:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=5ca92e99dc0706c1dcda0edd29aec46a3ccdd851'/>
<id>urn:sha1:5ca92e99dc0706c1dcda0edd29aec46a3ccdd851</id>
<content type='text'>
yocto-check-layer reports an error for any task between do_fetch and
do_build that has network enabled. Two changes fix this:

container-bundle.bbclass: Move do_fetch_containers from a standalone
task into a do_fetch postfunc. When remote containers are configured,
the anonymous function adds extend_recipe_sysroot as a do_fetch
prefunc (so skopeo-native is available) and do_fetch_containers as a
postfunc. Network access during do_fetch is permitted by the QA check.

container-registry-index: Remove do_container_registry_index from the
build dependency chain (drop "before do_build"). Registry push is a
deployment action requiring explicit invocation:
  bitbake container-registry-index -c container_registry_index
The default do_build task now prints usage instructions.

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>container-registry: add tests and documentation for secure registry</title>
<updated>2026-02-09T03:34:12+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-02-09T03:19:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=ff406688aef6eb0e89cfcb6698734a7e9e1e001c'/>
<id>urn:sha1:ff406688aef6eb0e89cfcb6698734a7e9e1e001c</id>
<content type='text'>
Add comprehensive test coverage and documentation for the secure
registry infrastructure.

Tests added:
  TestRegistryAuthentication - auth modes (none, home, authfile,
    credsfile, env, creds, token) for push and import
  TestSecureRegistryTLSOnly - TLS-only mode using running registry
  TestSecureRegistryWithAuth - isolated TLS+auth instance on port 5001
  TestDockerRegistryConfig - static analysis of bbclass/recipe logic
  TestContainerCrossInstallSecure - auto IMAGE_INSTALL verification
  TestVcontainerSecureRegistry - script pattern verification for
    virtio-9p CA transport, daemon _9p=1, shared folder reads

README.md: Document authentication modes (none, home, authfile,
credsfile, env), secure registry setup, PKI generation, target
integration, and CI/CD examples.

conftest.py: Add --secure-registry pytest option and skip_secure
fixture for tests requiring openssl/htpasswd.

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>container-registry: add target image TLS integration</title>
<updated>2026-02-09T03:34:12+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-02-09T03:17:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=52fc4ca7c75594fe8b3c92a9f88df19f8f4d0944'/>
<id>urn:sha1:52fc4ca7c75594fe8b3c92a9f88df19f8f4d0944</id>
<content type='text'>
Install CA certificates and registry configuration into target images
so they can pull from the secure registry at runtime.

docker-registry-config.bb: When CONTAINER_REGISTRY_SECURE=1, install
the CA cert to /etc/docker/certs.d/{host}/ca.crt instead of adding
insecure-registries to daemon.json. Translates localhost/127.0.0.1 to
10.0.2.2 for QEMU targets where the host registry is accessed via
slirp networking.

container-oci-registry-config.bb: Same secure mode support for
podman/CRI-O with insecure=false in registries.conf.

container-registry-ca.bb: New recipe that installs the CA certificate
to Docker, podman/CRI-O, and system trust store paths on the target.

container-cross-install.bbclass: Auto-add docker-registry-config or
container-oci-registry-config to IMAGE_INSTALL when
CONTAINER_REGISTRY_SECURE=1, based on the configured container engine.

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>container-registry: add secure registry infrastructure with TLS and auth</title>
<updated>2026-02-09T03:34:12+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-02-09T03:17:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=092aa81983335b2346a725eebd2a75fc785bb42b'/>
<id>urn:sha1:092aa81983335b2346a725eebd2a75fc785bb42b</id>
<content type='text'>
Add opt-in secure registry mode with auto-generated TLS certificates
and htpasswd authentication.

New BitBake variables:
  CONTAINER_REGISTRY_SECURE - Enable TLS (HTTPS) for local registry
  CONTAINER_REGISTRY_AUTH - Enable htpasswd auth (requires SECURE=1)
  CONTAINER_REGISTRY_USERNAME/PASSWORD - Credential configuration
  CONTAINER_REGISTRY_CERT_DAYS/CA_DAYS - Certificate validity
  CONTAINER_REGISTRY_CERT_SAN - Custom SAN entries

The bbclass validates conflicting settings (AUTH without SECURE) and
provides credential helper functions for skopeo push operations.

PKI infrastructure (CA + server cert with SAN) is auto-generated at
bitbake build time via openssl-native. The generated helper script
supports both TLS-only and TLS+auth modes.

The script now supports environment variable overrides for
CONTAINER_REGISTRY_STORAGE, CONTAINER_REGISTRY_URL, and
CONTAINER_REGISTRY_NAMESPACE, uses per-port PID files to allow
multiple instances, and auto-generates config files when running
from an overridden storage path.

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>container-registry: abstract config and add multi-directory push</title>
<updated>2026-02-09T03:32:52+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-01-15T21:50:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=1c902059df8215731e9ee7210f6bbc4e19593761'/>
<id>urn:sha1:1c902059df8215731e9ee7210f6bbc4e19593761</id>
<content type='text'>
Abstract registry configuration for Docker/Podman compatibility and add
multi-directory scanning for easy multi-arch manifest list creation.

- Support both DOCKER_REGISTRY_INSECURE and CONTAINER_REGISTRY_INSECURE
- Add DEPLOY_DIR_IMAGES to scan all machine directories
- Support push by path (single OCI) and push by name (all archs)
- Add environment variable overrides for flexibility
- Single 'push' command now creates multi-arch manifest lists

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>container-registry: add management commands and documentation</title>
<updated>2026-02-09T03:32:52+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-01-12T21:12:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=68320b2c0a6751bf54ae9376d6e1e1dab30c0376'/>
<id>urn:sha1:68320b2c0a6751bf54ae9376d6e1e1dab30c0376</id>
<content type='text'>
Registry management commands:
- delete &lt;image&gt;:&lt;tag&gt;: Remove tagged images from registry
- gc: Garbage collection with dry-run preview and confirmation
- push &lt;image&gt; --tag: Explicit tags now require image name
  (prevents accidentally tagging all images with same version)

Config improvements:
- Copy config to storage directory with baked-in storage path
- Fixes gc which reads config directly (not via env var)
- All registry files now in ${TOPDIR}/container-registry/

Documentation:
- Development Loop workflow (build, push, pull, test)
- Build-time OCI labels (revision, branch, created)
- Complete command reference

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
<entry>
<title>container-registry: add industry-standard tag strategies</title>
<updated>2026-02-09T03:32:52+00:00</updated>
<author>
<name>Bruce Ashfield</name>
<email>bruce.ashfield@gmail.com</email>
</author>
<published>2026-01-12T20:14:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/meta-virtualization.git/commit/?id=1d8968199aa812d5c9bdc8089e0eb53da25cd877'/>
<id>urn:sha1:1d8968199aa812d5c9bdc8089e0eb53da25cd877</id>
<content type='text'>
Add comprehensive tag support for registry push operations:

Tag strategies (CONTAINER_REGISTRY_TAG_STRATEGY):
- sha/git: short git commit hash for traceability
- branch: git branch name (sanitized) for dev workflows
- semver: nested SemVer tags (1.2.3 -&gt; 1.2.3, 1.2, 1)
- timestamp: YYYYMMDD-HHMMSS format
- version: single version tag from PV
- latest: the "latest" tag
- arch: append architecture suffix

Helper script enhancements:
- push --tag &lt;tag&gt;: explicit tags (repeatable)
- push --strategy &lt;strategies&gt;: override tag strategy
- push --version &lt;ver&gt;: version for semver strategy
- Baked-in defaults from bitbake variables
- Environment variable overrides supported

This aligns with industry practices:
- Git SHA for CI/CD traceability
- SemVer nested tags for release management
- Branch tags for feature development

Signed-off-by: Bruce Ashfield &lt;bruce.ashfield@gmail.com&gt;
</content>
</entry>
</feed>
