linux/meta-virtualization.git/recipes-containers/vcontainer/files, branch master

vcontainer-common: support nested OCI layout and fix vimport shell errors

2026-05-10T13:58:27+00:00

The multi-arch OCI functions (is_oci_image_index, get_oci_platforms, select_platform_manifest) only checked index.json directly for platform information. With the skopeo-compatible nested OCI layout — where index.json references a single image index blob that in turn contains the per-platform manifests — the functions failed to detect multi-arch images because index.json no longer contains platform entries. Add _resolve_oci_platform_file() helper that handles both layouts: - Flat: platform info directly in index.json (legacy/simple case) - Nested: index.json → image index blob → platform manifests All three multi-arch functions now use this single helper, eliminating the layout resolution logic that would otherwise be duplicated in each. Also fixes two issues in the vimport case block: - 'local' keyword used outside a function (bash error on line 1879). The vimport handler is in a case statement in the main script body, not inside a function, so 'local' is invalid. The original multi-arch code was written assuming it would be inside a function. - OCI_SELECTED_PLATFORM was blank in output because select_platform_manifest sets it inside a $() subshell, where variable assignments are lost. Use normalize_arch_to_oci directly for the display message instead. Signed-off-by: Bruce Ashfield

vcontainer: add --config / VDKR_CONFIG for docker/podman auth credentials

2026-04-29T20:15:49+00:00

Add a VDKR_CONFIG / VPDMN_CONFIG env var and a matching --config CLI flag that passes an existing docker config.json / podman auth.json into the QEMU-hosted container runtime so pulls from private registries work without having to retype --registry-user / --registry-pass on every command. Security posture (defence in depth): - Host-side pre-flight validation in vrunner.sh (validate_auth_config): reject symlinks, non-regular files, missing / unreadable files, files smaller than 2 bytes (minimum "{}") or larger than 1 MiB, and any permissions other than 0400 / 0600 / 0200. WARN if not owned by the invoking user. - Stage the file into a dedicated per-invocation directory under $TEMP_DIR at mode 0400 inside a 0700 parent; auto-cleanup rides the existing EXIT/INT/TERM trap. - Expose the staged file over a *separate* read-only virtio-9p tag ("${TOOL_NAME}_auth") so credentials cannot leak into the general /mnt/share input/output directory or into storage.tar outputs. - Only a boolean flag ("${CMDLINE_PREFIX}_auth=1") is appended to the kernel cmdline - never the path, the env var name, or the contents. - Guest mounts /mnt/auth ro,nosuid,nodev,noexec, copies to the runtime's canonical path, then unmounts immediately so neither the runtime nor user workloads keep a reference to the host staging directory. vrunner.sh: - Initialise AUTH_CONFIG from $VDKR_CONFIG / $VPDMN_CONFIG - Parse --config (overrides the env vars) - Add validate_auth_config() and setup_auth_share() with the rules above - Call setup_auth_share in both the daemon start path and the non-daemon / batch-import path vcontainer-init-common.sh: - Default RUNTIME_AUTH="0" and parse ${VCONTAINER_RUNTIME_PREFIX}_auth=* from the kernel cmdline - Define mount_auth_share() / unmount_auth_share() using the per-runtime "${VCONTAINER_RUNTIME_NAME}_auth" 9p tag, mounted at /mnt/auth with ro,nosuid,nodev,noexec vdkr-init.sh: - install_auth_config() copies /mnt/auth/config.json to /root/.docker/config.json (mode 0600; parent dir 0700) - Called after install_registry_ca in main flow so --config takes precedence over --registry-user / --registry-pass; logs a NOTE when both mechanisms are supplied - Unmounts /mnt/auth after copy vpdmn-init.sh: - install_auth_config() copies to /run/containers/0/auth.json (the rootful podman canonical path) and exports REGISTRY_AUTH_FILE so the creds are picked up regardless of podman's search order - Mode 0600 on the file, 0700 on the containing directory - Unmounts /mnt/auth after copy vcontainer-common.sh: - Honour $VDKR_CONFIG / $VPDMN_CONFIG, parse --config, and forward AUTH_CONFIG to vrunner.sh via --config in build_runner_args - Document the flag and env vars in show_usage README.md: - New "Passing an existing docker/podman auth file (--config)" section with examples for both runtimes, a table of target paths, and the full security model AI-Generated: Claude Cowork Opus 4.7 Signed-off-by: Tim Orling Signed-off-by: Bruce Ashfield

vcontainer-common: fix vstorage commands with --state-dir

2026-04-29T19:31:05+00:00

vstorage list/df/clean scanned DEFAULT_STATE_DIR (~/.vpdmn/) for arch subdirectories, ignoring --state-dir. On CI where tests use --state-dir ~/.vpdmn-test/x86_64, the default directory doesn't exist so vstorage list reports "(no storage directories found)" and test_vstorage_shows_memres_status fails. Derive VSTORAGE_ROOT from the parent of STATE_DIR when --state-dir is set, so all vstorage subcommands scan the correct storage root. Signed-off-by: Bruce Ashfield

vcontainer: detach background-process stdio from memres start caller

2026-04-22T20:17:55+00:00

The memres start operation spawns long-running background processes (host-side idle watchdog and Xen domain monitor) that persist beyond the vrunner.sh script. These processes inherited file descriptors 0/1/2 from the parent shell without redirection. When invoked through a harness capturing output via pipes—such as pytest's subprocess.run(..., capture_output=True)—the inherited pipe write-ends kept the caller's read/communicate() operations blocked until memres stop executed, potentially for up to 30 minutes (IDLE_TIMEOUT default). The fix fully detaches stdio from three background spawners: - vrunner.sh: Watchdog subshell now redirects stdin from /dev/null, stdout/stderr to /dev/null, and uses disown - vrunner-backend-qemu.sh: Adds stdin redirection from /dev/null to existing log file redirections - vrunner-backend-xen.sh: Applies same detachment plus disown for daemon mode; redirects stdin for ephemeral-mode console reader From: Tim Orling Signed-off-by: Bruce Ashfield

vcontainer: fix registry login and TLS certificate chain

2026-04-13T01:08:31+00:00

vcontainer-common.sh: - Fix docker/podman login hanging silently in daemon mode. The login command requires interactive stdin for the password prompt, which the non-interactive daemon-send channel cannot provide. Use daemon-interactive mode (same as vshell/exec -it) which provides TTY passthrough via the virtio-serial + socat + expect channel. ca-certificates bbappend: - Add Let's Encrypt E8 (ECDSA) and R11 (RSA) intermediate certificates via a ca-certificates bbappend. Certs are fetched at build time from letsencrypt.org and installed into the standard CA certificate path. update-ca-certificates incorporates them into the system CA bundle. - Some registries (e.g., registry.yocto.io) don't send the full certificate chain, causing TLS verification to fail with Go programs (Docker, skopeo, podman) even though the root CAs are present. vdkr-rootfs-image.bb: - Add ca-certificates to IMAGE_INSTALL Signed-off-by: Bruce Ashfield

vruntime, vrunner, conftest: fix multiconfig and batch import issues

2026-04-06T23:48:37+00:00

vruntime.conf: - Reset all VIRTUAL-RUNTIME_container_* variables to prevent CONTAINER_PROFILE selections from leaking into vruntime multiconfigs (e.g., podman profile pulling netavark into vruntime builds) - Disable ptest for glib-2.0 — its -ptest RDEPENDS chain (python3-dbusmock -> python3-pygobject -> cairo -> fontconfig) pulls the entire graphics stack which is masked in vruntime - OE-core commit 159148f4de2 replaced DISTRO_FEATURES_BACKFILL_CONSIDERED with DISTRO_FEATURES_OPTED_OUT. The old variable no longer has any effect, which meant ptest, gobject-introspection-data, wayland, and other features were no longer being blocked in vruntime builds. This caused glib-2.0's ptest RDEPENDS to pull in the cairo → fontconfig → freetype graphics stack, which is masked by the vruntime BBMASK. - Set PREFERRED_PROVIDER_virtual/runc with strong assignment to ensure the unified runc recipe is used vrunner.sh: - Fix batch import exit code handling: wrap import chain in subshell and make the images listing best-effort. The previous '&& podman images' caused false failures when podman images couldn't initialize its network backend. Using 'exit' was also wrong as the command runs inside PID 1 init's eval — exit kills init causing kernel panic. vpdmn-rootfs-image.bb: - Switch from netavark to CNI networking — netavark's dependency chain (nmap -> libpcap -> bluez5 -> python3-pygobject -> cairo) cannot be built under the vruntime BBMASK environment - Add nsswitch.conf override (files-only backend) to prevent libnss_systemd segfaults — the vruntime VM uses busybox init with no systemd running, but libnss_systemd.so is pulled in as a dependency and segfaults on NSS resolution vdkr-rootfs-image.bb: - Document skopeo requirement for batch import conftest.py: - Add --k3s-timeout option and k3s/multinode markers for upcoming K3s test suite Signed-off-by: Bruce Ashfield

vcontainer: fix daemon mode missing shared directory for 9p

2026-02-26T01:05:01+00:00

DAEMON_SHARE_DIR was referenced in the CA certificate copy and idle watchdog paths but never assigned, causing 'cp: cannot create regular file /ca.crt: Permission denied' when starting the daemon. Create the share directory under DAEMON_SOCKET_DIR and register it as a 9p mount, matching the path expected by daemon_run(). Signed-off-by: Bruce Ashfield

vxn: add host-side OCI image cache and fix Docker iptables conflict

2026-02-26T01:05:01+00:00

Add a host-side OCI image cache at ~/.vxn/images/ for the vdkr/vpdmn standalone Xen path. Images pulled via skopeo are stored in a content-addressed layout (refs/ symlinks + store/ OCI dirs) so subsequent runs hit the cache without network access. New commands on Xen: pull, images, rmi, tag, inspect, image . The run path is unchanged — cache integration into hv_prepare_container is deferred to a follow-up. Also fix Docker iptables conflict: when docker-moby and vxn-docker-config coexist on Dom0, Docker's default FORWARD DROP policy blocks DHCP for Xen DomU vifs on xenbr0. Adding "iptables": false to daemon.json prevents Docker from modifying iptables since VM-based containers manage their own network stack. Signed-off-by: Bruce Ashfield

vxn: add Docker/Podman integration and CLI frontends

2026-02-26T01:05:01+00:00

Add vdkr/vpdmn as Dom0 target packages with Xen auto-detection, native Docker/Podman config sub-packages, and OCI runtime fixes for Docker compatibility (JSON logging, root.path, kill --all, monitor PID lifecycle). Signed-off-by: Bruce Ashfield

vxn: add controlling terminal and clean up interactive output

2026-02-26T01:05:01+00:00

Use setsid -c to establish a controlling terminal for the container shell, fixing "can't access tty; job control turned off" and enabling Ctrl-C signal delivery. Run in a subshell so setsid() succeeds without forking (PID 1 is already a session leader). Remove [vxn] diagnostic markers from interactive output now that terminal mode is working. Suppress mount warning on read-only input disk. Signed-off-by: Bruce Ashfield