vruntime, vrunner, conftest: fix multiconfig and batch import issues

vruntime.conf:
- Reset all VIRTUAL-RUNTIME_container_* variables to prevent
  CONTAINER_PROFILE selections from leaking into vruntime multiconfigs
  (e.g., podman profile pulling netavark into vruntime builds)
- Disable ptest for glib-2.0 — its -ptest RDEPENDS chain
  (python3-dbusmock -> python3-pygobject -> cairo -> fontconfig)
  pulls the entire graphics stack which is masked in vruntime
- OE-core commit 159148f4de2 replaced DISTRO_FEATURES_BACKFILL_CONSIDERED
  with DISTRO_FEATURES_OPTED_OUT. The old variable no longer has any
  effect, which meant ptest, gobject-introspection-data, wayland, and
  other features were no longer being blocked in vruntime builds. This
  caused glib-2.0's ptest RDEPENDS to pull in the cairo → fontconfig →
  freetype graphics stack, which is masked by the vruntime BBMASK.
- Set PREFERRED_PROVIDER_virtual/runc with strong assignment to
  ensure the unified runc recipe is used

vrunner.sh:
- Fix batch import exit code handling: wrap import chain in subshell
  and make the images listing best-effort. The previous '&& podman
  images' caused false failures when podman images couldn't initialize
  its network backend. Using 'exit' was also wrong as the command runs
  inside PID 1 init's eval — exit kills init causing kernel panic.

vpdmn-rootfs-image.bb:
- Switch from netavark to CNI networking — netavark's dependency chain
  (nmap -> libpcap -> bluez5 -> python3-pygobject -> cairo) cannot be
  built under the vruntime BBMASK environment
- Add nsswitch.conf override (files-only backend) to prevent
  libnss_systemd segfaults — the vruntime VM uses busybox init with
  no systemd running, but libnss_systemd.so is pulled in as a
  dependency and segfaults on NSS resolution

vdkr-rootfs-image.bb:
- Document skopeo requirement for batch import

conftest.py:
- Add --k3s-timeout option and k3s/multinode markers for upcoming
  K3s test suite

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

5 files changed, 66 insertions, 16 deletions

diff --git a/conf/distro/vruntime.conf b/conf/distro/vruntime.conf
index 72958b7d..0ea43e62 100644
--- a/conf/distro/vruntime.conf
+++ b/conf/distro/vruntime.conf
@@ -37,12 +37,13 @@ DISTRO_VERSION = "1.0"
 # Explicitly NOT included: x11, wayland, pulseaudio, bluetooth, wifi, nfc, 3g, pcmcia
 DISTRO_FEATURES = "acl ext2 ipv4 ipv6 seccomp vfat pci vcontainer vxn"
 
-# Block backfill features not needed by container runtime environments.
-# OE-core's DISTRO_FEATURES_BACKFILL auto-appends these to DISTRO_FEATURES
-# unless explicitly listed here. Without this, gobject-introspection-data
-# enables python3-pygobject (which DEPENDS on cairo), and wayland enables
+# Opt out of default distro features not needed by container runtime
+# environments. Without this, gobject-introspection-data enables
+# python3-pygobject (which DEPENDS on cairo), and wayland enables
 # pygobject's cairo PACKAGECONFIG — both are masked in vruntime builds.
-DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio gobject-introspection-data opengl ptest multiarch wayland vulkan"
+# Note: OE-core replaced DISTRO_FEATURES_BACKFILL_CONSIDERED with
+# DISTRO_FEATURES_OPTED_OUT (commit 159148f4de2).
+DISTRO_FEATURES_OPTED_OUT = "pulseaudio gobject-introspection-data opengl ptest multiarch wayland vulkan"
 
 # Native and nativesdk classes need full features for build tools
 DISTRO_FEATURES:class-native = "${DISTRO_FEATURES_DEFAULT} ${POKY_DEFAULT_DISTRO_FEATURES}"
@@ -62,6 +63,11 @@ VIRTUAL-RUNTIME_login_manager = ""
 # Keep images small - no documentation or debug
 EXTRA_IMAGE_FEATURES = ""
 
+# Disable ptest for glib-2.0 — its -ptest RDEPENDS pulls
+# cairo → fontconfig → freetype (entire graphics stack) via
+# python3-dbusmock → python3-pygobject, all masked in vruntime.
+PTEST_ENABLED:pn-glib-2.0 = ""
+
 # =============================================================================
 # Container runtime: NOT SET
 # =============================================================================
@@ -74,3 +80,12 @@ EXTRA_IMAGE_FEATURES = ""
 # their required runtimes in IMAGE_INSTALL.
 # =============================================================================
 VIRTUAL-RUNTIME_container_runtime = ""
+VIRTUAL-RUNTIME_container_engine = ""
+VIRTUAL-RUNTIME_container_networking = ""
+VIRTUAL-RUNTIME_container_dns = ""
+VIRTUAL-RUNTIME_container_orchestration = ""
+
+# Ensure the unified runc recipe is the provider — vdkr-rootfs-image
+# RDEPENDS on runc directly. Strong assignment to override any stale
+# cache or weak defaults.
+PREFERRED_PROVIDER_virtual/runc = "runc"
diff --git a/recipes-containers/vcontainer/files/vrunner.sh b/recipes-containers/vcontainer/files/vrunner.sh
index b6455330..f1fb4d2b 100755
--- a/recipes-containers/vcontainer/files/vrunner.sh
+++ b/recipes-containers/vcontainer/files/vrunner.sh
@@ -956,11 +956,15 @@ if [ "$BATCH_IMPORT" = "true" ]; then
         fi
     done
 
-    # Add final images command to show what was imported
+    # Show what was imported (informational only).
+    # IMPORTANT: Must not use 'exit' — the command runs inside PID 1 init's
+    # eval, and exit kills init → kernel panic. The import chain runs in a
+    # subshell so its exit code is captured without risk. The images listing
+    # is best-effort and doesn't affect the result.
     if [ "$RUNTIME" = "docker" ]; then
-        COMPOUND_CMD="$COMPOUND_CMD && docker images"
+        COMPOUND_CMD="( $COMPOUND_CMD ); docker images 2>/dev/null; true"
     else
-        COMPOUND_CMD="$COMPOUND_CMD && podman images"
+        COMPOUND_CMD="( $COMPOUND_CMD ); podman images 2>/dev/null; true"
     fi
 
     log "DEBUG" "Batch command: $COMPOUND_CMD"
diff --git a/recipes-containers/vcontainer/vdkr-rootfs-image.bb b/recipes-containers/vcontainer/vdkr-rootfs-image.bb
index e2921ec7..64054376 100644
--- a/recipes-containers/vcontainer/vdkr-rootfs-image.bb
+++ b/recipes-containers/vcontainer/vdkr-rootfs-image.bb
@@ -47,6 +47,8 @@ inherit core-image
 # We need Docker and container tools
 # Note: runc is explicitly listed because vruntime distro sets
 # VIRTUAL-RUNTIME_container_runtime="" to avoid runc/crun conflicts.
+# Note: skopeo is required inside the guest for batch import
+# (skopeo copy oci:... containers-storage:...).
 IMAGE_INSTALL = " \
     packagegroup-core-boot \
     docker-moby \
diff --git a/recipes-containers/vcontainer/vpdmn-rootfs-image.bb b/recipes-containers/vcontainer/vpdmn-rootfs-image.bb
index 8808e6b2..f061ce08 100644
--- a/recipes-containers/vcontainer/vpdmn-rootfs-image.bb
+++ b/recipes-containers/vcontainer/vpdmn-rootfs-image.bb
@@ -42,14 +42,15 @@ inherit core-image
 # Podman is daemonless - no containerd required!
 # Note: crun is explicitly listed because vruntime distro sets
 # VIRTUAL-RUNTIME_container_runtime="" to avoid runc/crun conflicts.
+# Note: skopeo is required inside the guest for batch import
+# (skopeo copy oci:... containers-storage:...).
 IMAGE_INSTALL = " \
     packagegroup-core-boot \
     podman \
     crun \
     skopeo \
     conmon \
-    netavark \
-    aardvark-dns \
+    cni \
     busybox \
     iproute2 \
     iptables \
@@ -120,13 +121,27 @@ additionalimagestores = []
 EOF
 
     # Create containers.conf for podman engine settings
+    # Use CNI instead of netavark — netavark's dependency chain
+    # (nmap → libpcap → bluez5 → python3-pygobject → cairo) is too
+    # heavy for the vruntime BBMASK environment.
     cat > ${IMAGE_ROOTFS}/etc/containers/containers.conf << 'EOF'
-[engine]
-# Location of helper binaries (netavark, aardvark-dns)
-helper_binaries_dir = ["/usr/libexec/podman"]
-
 [network]
-# Use netavark as the network backend
-network_backend = "netavark"
+network_backend = "cni"
+cni_plugin_dirs = ["/opt/cni/bin", "/usr/libexec/cni"]
+EOF
+
+    # Prevent libnss_systemd segfaults — systemd is not running in the
+    # vruntime VM (busybox init), but libnss_systemd.so is installed as
+    # a dependency. Override nsswitch.conf to use only files/compat.
+    cat > ${IMAGE_ROOTFS}/etc/nsswitch.conf << 'EOF'
+passwd:     files
+group:      files
+shadow:     files
+hosts:      files dns
+networks:   files
+protocols:  files
+services:   files
+ethers:     files
+rpc:        files
 EOF
 }
diff --git a/tests/conftest.py b/tests/conftest.py
index 5f54c369..56047929 100644
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -226,6 +226,14 @@ def pytest_addoption(parser):
         default=24.0,
         help="Max rootfs age in hours before warning (default: 24)",
     )
+    # K3s options
+    parser.addoption(
+        "--k3s-timeout",
+        action="store",
+        type=int,
+        default=300,
+        help="Timeout in seconds for k3s readiness (default: 300)",
+    )
     # Container registry options
     parser.addoption(
         "--registry-url",
@@ -589,6 +597,12 @@ def pytest_configure(config):
     config.addinivalue_line(
         "markers", "boot: marks tests that boot a QEMU image (requires built image)"
     )
+    config.addinivalue_line(
+        "markers", "k3s: marks k3s runtime tests"
+    )
+    config.addinivalue_line(
+        "markers", "multinode: marks multi-node tests (requires two QEMU VMs)"
+    )
 
 
 @pytest.fixture