container-yocto-builder: add Yocto build container with systemd

Multi-layer OCI container image that can compile the Yocto Project.
Three layers: systemd-base, build-tools, yocto-extras. Features
CROPS-style dynamic user creation matching /workdir volume owner
UID/GID.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

4 files changed, 232 insertions, 0 deletions

diff --git a/recipes-core/packagegroups/packagegroup-yocto-builder.bb b/recipes-core/packagegroups/packagegroup-yocto-builder.bb
new file mode 100644
index 00000000..f9cf8992
--- /dev/null
+++ b/recipes-core/packagegroups/packagegroup-yocto-builder.bb
@@ -0,0 +1,124 @@
+SUMMARY = "Packages for a self-hosting Yocto build container"
+DESCRIPTION = "Build tools required to compile the Yocto Project. \
+    Based on packagegroup-self-hosted but without x11/opengl requirements."
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+PACKAGE_ARCH = "${TUNE_PKGARCH}"
+
+inherit packagegroup
+
+PACKAGES = "\
+    packagegroup-yocto-builder \
+    packagegroup-yocto-builder-base \
+    packagegroup-yocto-builder-toolchain \
+    packagegroup-yocto-builder-extras \
+"
+
+RDEPENDS:packagegroup-yocto-builder = "\
+    packagegroup-yocto-builder-base \
+    packagegroup-yocto-builder-toolchain \
+    packagegroup-yocto-builder-extras \
+"
+
+# Layer 1: systemd core + container basics
+RDEPENDS:packagegroup-yocto-builder-base = "\
+    base-files \
+    base-passwd \
+    netbase \
+    systemd \
+    dbus \
+    bash \
+    coreutils \
+    packagegroup-core-base-utils \
+    packagegroup-core-ssh-openssh \
+    container-systemd-config \
+    builder-container-config \
+    iproute2 \
+    iputils-ping \
+"
+
+# Layer 2: compiler toolchain + dev tools
+RDEPENDS:packagegroup-yocto-builder-toolchain = "\
+    autoconf \
+    automake \
+    binutils \
+    binutils-symlinks \
+    ccache \
+    cpp \
+    cpp-symlinks \
+    gcc \
+    gcc-symlinks \
+    g++ \
+    g++-symlinks \
+    make \
+    libtool \
+    pkgconfig \
+    ldd \
+    less \
+    file \
+    findutils \
+    quilt \
+    sed \
+    libstdc++ \
+    libstdc++-dev \
+    diffutils \
+    git \
+    git-perltools \
+    python3 \
+    python3-modules \
+    perl \
+    perl-modules \
+    perl-dev \
+    perl-misc \
+    perl-pod \
+    perl-module-re \
+    perl-module-text-wrap \
+    patch \
+    gawk \
+    grep \
+    tar \
+    gzip \
+    bzip2 \
+    xz \
+    zstd \
+    rpcsvc-proto \
+    ${@bb.utils.contains('TCLIBC', 'glibc', 'glibc-utils', '', d)} \
+"
+
+# Layer 3: Yocto-specific tools + utilities
+RDEPENDS:packagegroup-yocto-builder-extras = "\
+    python3-jinja2 \
+    python3-pexpect \
+    python3-pip \
+    python3-git \
+    lz4 \
+    chrpath \
+    diffstat \
+    texinfo \
+    socat \
+    cpio \
+    unzip \
+    zip \
+    wget \
+    curl \
+    tmux \
+    screen \
+    sudo \
+    ${@bb.utils.contains('TCLIBC', 'glibc', 'pseudo', '', d)} \
+    gdb \
+    rsync \
+    strace \
+    openssl \
+    openssh-scp \
+    openssh-sftp-server \
+    ${@bb.utils.contains('TCLIBC', 'glibc', 'glibc-localedata-en-us glibc-gconv-ibm850', '', d)} \
+    rpm \
+    opkg \
+    opkg-utils \
+    elfutils \
+    readline \
+    ncurses \
+    ncurses-terminfo-base \
+    subversion \
+"
diff --git a/recipes-extended/builder-container-config/builder-container-config_1.0.bb b/recipes-extended/builder-container-config/builder-container-config_1.0.bb
new file mode 100644
index 00000000..6b023caa
--- /dev/null
+++ b/recipes-extended/builder-container-config/builder-container-config_1.0.bb
@@ -0,0 +1,23 @@
+SUMMARY = "Entrypoint and user configuration for Yocto builder container"
+DESCRIPTION = "CROPS-style entrypoint script that creates a builder user \
+    matching the /workdir mount owner, then hands off to systemd."
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+SRC_URI = "file://builder-entry.sh"
+
+S = "${UNPACKDIR}"
+RDEPENDS:${PN} = "bash sudo shadow"
+
+inherit allarch
+
+do_install() {
+    # Entrypoint script (CROPS-style user creation -> exec /sbin/init)
+    install -d ${D}${bindir}
+    install -m 0755 ${UNPACKDIR}/builder-entry.sh ${D}${bindir}/
+
+    # Create /workdir mount point
+    install -d ${D}/workdir
+}
+
+FILES:${PN} = "${bindir}/builder-entry.sh /workdir"
diff --git a/recipes-extended/builder-container-config/files/builder-entry.sh b/recipes-extended/builder-container-config/files/builder-entry.sh
new file mode 100644
index 00000000..a23d8dae
--- /dev/null
+++ b/recipes-extended/builder-container-config/files/builder-entry.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# builder-entry.sh - Container entrypoint for Yocto builder
+# Creates a 'builder' user matching the /workdir owner's UID/GID,
+# then exec's /sbin/init (systemd).
+#
+# Usage:
+#   docker run --privileged -v /home/user/yocto:/workdir builder-image
+#   docker run --privileged -e BUILDER_UID=1000 -e BUILDER_GID=1000 builder-image
+
+WORKDIR="/workdir"
+DEFAULT_UID=1000
+DEFAULT_GID=1000
+
+# Determine UID/GID
+if [ -n "$BUILDER_UID" ] && [ -n "$BUILDER_GID" ]; then
+    TARGET_UID="$BUILDER_UID"
+    TARGET_GID="$BUILDER_GID"
+elif [ -d "$WORKDIR" ] && [ "$(stat -c %u "$WORKDIR")" != "0" ]; then
+    TARGET_UID=$(stat -c %u "$WORKDIR")
+    TARGET_GID=$(stat -c %g "$WORKDIR")
+else
+    TARGET_UID=$DEFAULT_UID
+    TARGET_GID=$DEFAULT_GID
+fi
+
+# Refuse UID/GID 0 (root)
+[ "$TARGET_UID" = "0" ] && TARGET_UID=$DEFAULT_UID
+[ "$TARGET_GID" = "0" ] && TARGET_GID=$DEFAULT_GID
+
+# Create group and user if they don't exist
+if ! getent group builder >/dev/null 2>&1; then
+    groupadd -g "$TARGET_GID" builder 2>/dev/null || groupadd builder
+fi
+if ! getent passwd builder >/dev/null 2>&1; then
+    useradd -m -u "$TARGET_UID" -g builder -s /bin/bash builder
+fi
+
+# Ensure /workdir is accessible
+[ -d "$WORKDIR" ] && chown builder:builder "$WORKDIR"
+
+# Grant passwordless sudo
+if [ -d /etc/sudoers.d ]; then
+    echo "builder ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/builder
+    chmod 0440 /etc/sudoers.d/builder
+fi
+
+# Hand off to systemd
+exec /sbin/init "$@"
diff --git a/recipes-extended/images/container-yocto-builder.bb b/recipes-extended/images/container-yocto-builder.bb
new file mode 100644
index 00000000..0dba4c31
--- /dev/null
+++ b/recipes-extended/images/container-yocto-builder.bb
@@ -0,0 +1,37 @@
+SUMMARY = "Yocto Project builder container with systemd"
+DESCRIPTION = "A self-hosting Yocto build container. Includes compiler \
+    toolchain, Python 3, Git, and all tools needed to compile the Yocto \
+    Project. Uses systemd init and supports CROPS-style dynamic user \
+    creation for volume-mounted builds."
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+IMAGE_FSTYPES = "container oci"
+inherit image
+inherit image-oci
+
+# Multi-layer OCI image
+OCI_LAYER_MODE = "multi"
+OCI_LAYERS = "\
+    systemd-base:packages:packagegroup-yocto-builder-base \
+    build-tools:packages:packagegroup-yocto-builder-toolchain \
+    yocto-extras:packages:packagegroup-yocto-builder-extras \
+"
+
+# Entrypoint: user setup script -> systemd
+OCI_IMAGE_ENTRYPOINT = "/usr/bin/builder-entry.sh"
+
+# OCI metadata
+OCI_IMAGE_AUTHOR ?= "meta-virtualization"
+OCI_IMAGE_TAG ?= "latest"
+
+# All packages listed here to trigger builds (multi-layer requirement)
+IMAGE_INSTALL = "packagegroup-yocto-builder"
+
+# No kernel needed for container
+IMAGE_CONTAINER_NO_DUMMY = "1"
+
+# Minimize image
+IMAGE_FEATURES = ""
+IMAGE_LINGUAS = ""
+NO_RECOMMENDATIONS = "1"