vcontainer: add vpdmn Podman support

Add vpdmn - Podman CLI wrapper for cross-architecture container operations:

Scripts:
- vpdmn.sh: Podman CLI entry point (vpdmn-x86_64, vpdmn-aarch64)
- vpdmn-init.sh: Podman init script for QEMU guest

Recipes:
- vpdmn-native: Installs vpdmn CLI wrappers
- vpdmn-rootfs-image: Builds Podman rootfs with crun, netavark, skopeo
- vpdmn-initramfs-create: Creates bootable initramfs blob

The vpdmn CLI provides Podman-compatible commands executed inside a
QEMU-emulated environment. Unlike vdkr, Podman is daemonless which
simplifies the guest init process.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

7 files changed, 610 insertions, 0 deletions

diff --git a/recipes-containers/vcontainer/files/blobs/vpdmn/aarch64/README b/recipes-containers/vcontainer/files/blobs/vpdmn/aarch64/README
new file mode 100644
index 00000000..a4197779
--- /dev/null
+++ b/recipes-containers/vcontainer/files/blobs/vpdmn/aarch64/README
@@ -0,0 +1,26 @@
+vpdmn aarch64 Blobs
+====================
+
+This directory should contain the boot blobs for vpdmn aarch64:
+
+Required files:
+  - Image              : Linux kernel for aarch64
+  - initramfs.cpio.gz  : Tiny initramfs for switch_root
+  - rootfs.img         : Ext4 root filesystem with Podman tools
+
+Build instructions:
+  1. Set MACHINE for aarch64:
+     MACHINE=qemuarm64
+
+  2. Build the blobs:
+     bitbake vpdmn-initramfs-create
+
+  3. Copy from deploy directory:
+     cp tmp/deploy/images/qemuarm64/vpdmn/aarch64/Image .
+     cp tmp/deploy/images/qemuarm64/vpdmn/aarch64/initramfs.cpio.gz .
+     cp tmp/deploy/images/qemuarm64/vpdmn/aarch64/rootfs.img .
+
+Once these files are present, vpdmn-native will automatically include them.
+
+Alternatively, set VPDMN_USE_DEPLOY = "1" in local.conf to use blobs
+directly from DEPLOY_DIR without copying to the layer.
diff --git a/recipes-containers/vcontainer/files/blobs/vpdmn/x86_64/README b/recipes-containers/vcontainer/files/blobs/vpdmn/x86_64/README
new file mode 100644
index 00000000..30ddb445
--- /dev/null
+++ b/recipes-containers/vcontainer/files/blobs/vpdmn/x86_64/README
@@ -0,0 +1,26 @@
+vpdmn x86_64 Blobs
+===================
+
+This directory should contain the boot blobs for vpdmn x86_64:
+
+Required files:
+  - bzImage            : Linux kernel for x86_64
+  - initramfs.cpio.gz  : Tiny initramfs for switch_root
+  - rootfs.img         : Ext4 root filesystem with Podman tools
+
+Build instructions:
+  1. Set MACHINE for x86_64:
+     MACHINE=qemux86-64
+
+  2. Build the blobs:
+     bitbake vpdmn-initramfs-create
+
+  3. Copy from deploy directory:
+     cp tmp/deploy/images/qemux86-64/vpdmn/x86_64/bzImage .
+     cp tmp/deploy/images/qemux86-64/vpdmn/x86_64/initramfs.cpio.gz .
+     cp tmp/deploy/images/qemux86-64/vpdmn/x86_64/rootfs.img .
+
+Once these files are present, vpdmn-native will automatically include them.
+
+Alternatively, set VPDMN_USE_DEPLOY = "1" in local.conf to use blobs
+directly from DEPLOY_DIR without copying to the layer.
diff --git a/recipes-containers/vcontainer/files/vpdmn-init.sh b/recipes-containers/vcontainer/files/vpdmn-init.sh
new file mode 100755
index 00000000..52aa9129
--- /dev/null
+++ b/recipes-containers/vcontainer/files/vpdmn-init.sh
@@ -0,0 +1,181 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: Copyright (C) 2025 Bruce Ashfield
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# vpdmn-init.sh
+# Init script for vpdmn: execute arbitrary podman commands in QEMU
+#
+# This script runs on a real ext4 filesystem after switch_root from initramfs.
+# The preinit script mounted /dev/vda (rootfs.img) and did switch_root to us.
+#
+# Drive layout (rootfs.img is always /dev/vda, mounted as /):
+#   /dev/vda = rootfs.img (this script runs from here, mounted as /)
+#   /dev/vdb = input disk (optional, OCI/tar/dir data)
+#   /dev/vdc = state disk (optional, persistent Podman storage)
+#
+# Kernel parameters:
+#   podman_cmd=<base64>    Base64-encoded podman command + args
+#   podman_input=<type>    Input type: none, oci, tar, dir (default: none)
+#   podman_output=<type>   Output type: text, tar, storage (default: text)
+#   podman_state=<type>    State type: none, disk (default: none)
+#   podman_network=1       Enable networking (configure eth0, DNS)
+#
+# Version: 1.1.0
+#
+# Note: Podman is daemonless - no containerd/dockerd required!
+
+# Set runtime-specific parameters before sourcing common code
+VCONTAINER_RUNTIME_NAME="vpdmn"
+VCONTAINER_RUNTIME_CMD="podman"
+VCONTAINER_RUNTIME_PREFIX="podman"
+VCONTAINER_STATE_DIR="/var/lib/containers/storage"
+VCONTAINER_SHARE_NAME="vpdmn_share"
+VCONTAINER_VERSION="1.1.0"
+
+# Source common init functions
+# When installed as /init, common file is at /vcontainer-init-common.sh
+. /vcontainer-init-common.sh
+
+# ============================================================================
+# Podman-Specific Functions
+# ============================================================================
+
+setup_podman_environment() {
+    # Podman needs XDG_RUNTIME_DIR
+    export XDG_RUNTIME_DIR="/run/user/0"
+    mkdir -p "$XDG_RUNTIME_DIR"
+    chmod 700 "$XDG_RUNTIME_DIR"
+}
+
+setup_podman_mounts() {
+    # Podman needs /dev/shm
+    mkdir -p /dev/shm
+    mount -t tmpfs tmpfs /dev/shm
+
+    # Mount /var/volatile for Yocto's volatile symlinks (/var/tmp -> volatile/tmp, etc.)
+    mkdir -p /var/volatile
+    mount -t tmpfs tmpfs /var/volatile
+    mkdir -p /var/volatile/tmp /var/volatile/log /var/volatile/run /var/volatile/cache
+
+    # Also mount /var/cache directly (not a symlink)
+    mount -t tmpfs tmpfs /var/cache
+}
+
+setup_podman_storage() {
+    mkdir -p /run/lock
+
+    # /var/lib/containers exists in rootfs.img (read-only), mount tmpfs over it
+    mount -t tmpfs tmpfs /var/lib/containers
+    mkdir -p /var/lib/containers/storage
+
+    # Handle Podman storage
+    if [ -n "$STATE_DISK" ] && [ -b "$STATE_DISK" ]; then
+        log "Mounting state disk $STATE_DISK as /var/lib/containers/storage..."
+        if mount -t ext4 "$STATE_DISK" /var/lib/containers/storage 2>&1; then
+            log "SUCCESS: Mounted $STATE_DISK as Podman storage"
+            log "Podman storage contents:"
+            [ "$QUIET_BOOT" = "0" ] && ls -la /var/lib/containers/storage/ 2>/dev/null || log "(empty)"
+        else
+            log "WARNING: Failed to mount state disk, using tmpfs fallback"
+            RUNTIME_STATE="none"
+        fi
+    else
+        log "Using tmpfs for Podman storage (ephemeral)..."
+    fi
+}
+
+verify_podman() {
+    # Podman is daemonless - just verify it's available
+    if [ -x "/usr/bin/podman" ]; then
+        log "Podman available: $(podman --version 2>/dev/null || echo 'version unknown')"
+    else
+        echo "===ERROR==="
+        echo "Podman not found at /usr/bin/podman"
+        sleep 2
+        reboot -f
+    fi
+}
+
+# Podman is daemonless - nothing to stop
+stop_runtime_daemons() {
+    :
+}
+
+handle_storage_output() {
+    # Export entire podman storage
+    # Tar from inside /var/lib/containers/storage so paths are vfs-images/... directly
+    echo "Packaging Podman storage..."
+    if ! cd /var/lib/containers/storage; then
+        echo "===ERROR==="
+        echo "Failed to cd to /var/lib/containers/storage"
+        echo "Contents of /var/lib/containers:"
+        ls -la /var/lib/containers/ 2>&1 || echo "(not found)"
+        poweroff -f
+        exit 1
+    fi
+    tar -cf /tmp/storage.tar .
+
+    STORAGE_SIZE=$(stat -c%s /tmp/storage.tar 2>/dev/null || echo "0")
+    echo "Storage size: $STORAGE_SIZE bytes"
+
+    if [ "$STORAGE_SIZE" -gt 1000 ]; then
+        dmesg -n 1
+        echo "===STORAGE_START==="
+        base64 /tmp/storage.tar
+        echo "===STORAGE_END==="
+        echo "===EXIT_CODE=$EXEC_EXIT_CODE==="
+    else
+        echo "===ERROR==="
+        echo "Storage too small"
+    fi
+}
+
+# ============================================================================
+# Main
+# ============================================================================
+
+# Initialize base environment
+setup_base_environment
+setup_podman_environment
+mount_base_filesystems
+
+# Check for quiet boot mode
+check_quiet_boot
+
+log "=== vpdmn Init ==="
+log "Version: $VCONTAINER_VERSION"
+
+# Mount tmpfs directories and Podman-specific mounts
+mount_tmpfs_dirs
+setup_podman_mounts
+setup_cgroups
+
+# Parse kernel command line
+parse_cmdline
+
+# Detect and configure disks
+detect_disks
+
+# Set up Podman storage (Podman-specific)
+setup_podman_storage
+
+# Mount input disk
+mount_input_disk
+
+# Configure networking
+configure_networking
+
+# Verify podman is available (no daemon to start)
+verify_podman
+
+# Handle daemon mode or single command execution
+if [ "$RUNTIME_DAEMON" = "1" ]; then
+    run_daemon_mode
+else
+    prepare_input_path
+    execute_command
+fi
+
+# Graceful shutdown
+graceful_shutdown
diff --git a/recipes-containers/vcontainer/files/vpdmn.sh b/recipes-containers/vcontainer/files/vpdmn.sh
new file mode 100755
index 00000000..30775d35
--- /dev/null
+++ b/recipes-containers/vcontainer/files/vpdmn.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# SPDX-FileCopyrightText: Copyright (C) 2025 Bruce Ashfield
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# vpdmn: Podman-like interface for cross-architecture container operations
+#
+# This provides a familiar podman-like CLI that executes commands inside
+# a QEMU-emulated environment with the target architecture's Podman.
+#
+# Command naming convention:
+#   - Commands matching Podman's syntax/semantics use Podman's name (import, load, save, etc.)
+#   - Extended commands with non-Podman behavior use 'v' prefix (vimport)
+
+# Set runtime-specific parameters before sourcing common code
+VCONTAINER_RUNTIME_NAME="vpdmn"
+VCONTAINER_RUNTIME_CMD="podman"
+VCONTAINER_RUNTIME_PREFIX="VPDMN"
+VCONTAINER_IMPORT_TARGET="containers-storage:"
+VCONTAINER_STATE_FILE="podman-state.img"
+VCONTAINER_OTHER_PREFIX="VDKR"
+VCONTAINER_VERSION="1.2.0"
+
+# Source common implementation
+source "$(dirname "${BASH_SOURCE[0]}")/vcontainer-common.sh" "$@"
diff --git a/recipes-containers/vcontainer/vpdmn-initramfs-create_1.0.bb b/recipes-containers/vcontainer/vpdmn-initramfs-create_1.0.bb
new file mode 100644
index 00000000..2c500b30
--- /dev/null
+++ b/recipes-containers/vcontainer/vpdmn-initramfs-create_1.0.bb
@@ -0,0 +1,46 @@
+# SPDX-FileCopyrightText: Copyright (C) 2025 Bruce Ashfield
+#
+# SPDX-License-Identifier: MIT
+#
+# vpdmn-initramfs-create_1.0.bb
+# ===========================================================================
+# Builds QEMU boot blobs for vpdmn (Podman CLI)
+# ===========================================================================
+#
+# This recipe packages the boot blobs for vpdmn:
+# - A tiny initramfs with just busybox for switch_root
+# - The rootfs.img squashfs image with Podman (built via multiconfig)
+# - The kernel
+#
+# Boot flow:
+#   QEMU boots kernel + tiny initramfs
+#   -> preinit mounts rootfs.img from /dev/vda
+#   -> switch_root into rootfs.img
+#   -> vpdmn-init.sh runs with a real root filesystem
+#   -> Podman executes container commands
+#
+# ===========================================================================
+# BUILD INSTRUCTIONS
+# ===========================================================================
+#
+# For aarch64 (multiconfig dependency is automatic):
+#   MACHINE=qemuarm64 bitbake vpdmn-initramfs-create
+#
+# For x86_64:
+#   MACHINE=qemux86-64 bitbake vpdmn-initramfs-create
+#
+# Blobs are deployed to: tmp-vruntime-*/deploy/images/${MACHINE}/vpdmn/
+#
+# To build the complete standalone tarball (recommended):
+#   MACHINE=qemux86-64 bitbake vcontainer-native -c create_tarball
+#
+# ===========================================================================
+
+SUMMARY = "Build QEMU blobs for vpdmn"
+DESCRIPTION = "Packages a tiny initramfs for switch_root and bundles the \
+               rootfs.img with Podman from multiconfig build for vpdmn."
+
+# Set the runtime before including shared code
+VCONTAINER_RUNTIME = "vpdmn"
+
+require vcontainer-initramfs-create.inc
diff --git a/recipes-containers/vcontainer/vpdmn-native_1.0.bb b/recipes-containers/vcontainer/vpdmn-native_1.0.bb
new file mode 100644
index 00000000..7aaa8b28
--- /dev/null
+++ b/recipes-containers/vcontainer/vpdmn-native_1.0.bb
@@ -0,0 +1,177 @@
+# SPDX-FileCopyrightText: Copyright (C) 2025 Bruce Ashfield
+#
+# SPDX-License-Identifier: MIT
+#
+# vpdmn-native_1.0.bb
+# ===========================================================================
+# Emulated Podman for cross-architecture container operations
+# ===========================================================================
+#
+# vpdmn provides a Podman-like CLI that executes arbitrary podman commands
+# inside a QEMU-emulated environment with the target architecture's Podman.
+# Commands like "podman load", "podman images", etc. are passed through to
+# Podman running inside QEMU and results streamed back.
+#
+# vpdmn shares the vrunner.sh runner with vdkr (it's runtime-agnostic).
+#
+# USAGE:
+#   vpdmn images                    # Uses detected default arch
+#   vpdmn -a aarch64 images         # Explicit arch
+#   vpdmn-aarch64 images            # Symlink (backwards compatible)
+#   vpdmn-x86_64 load -i myimage.tar
+#
+# Architecture detection (in priority order):
+#   1. --arch / -a flag
+#   2. Executable name (vpdmn-aarch64, vpdmn-x86_64)
+#   3. VPDMN_ARCH environment variable
+#   4. Config file: ~/.config/vpdmn/arch
+#   5. Host architecture (uname -m)
+#
+# DEPENDENCIES:
+#   - Kernel/initramfs blobs from vpdmn-initramfs-create
+#   - QEMU system emulator (qemu-system-native)
+#   - vrunner.sh (shared runner from vdkr-native)
+#
+# ===========================================================================
+
+SUMMARY = "Emulated Podman for cross-architecture container operations"
+DESCRIPTION = "Provides vpdmn CLI that executes podman commands inside \
+               QEMU-emulated environment. Useful for building/manipulating \
+               containers for target architectures on a different host."
+HOMEPAGE = "https://github.com/anthropics/meta-virtualization"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+inherit native
+
+# Dependencies - we use vdkr's runner script
+DEPENDS = "qemu-system-native coreutils-native socat-native vdkr-native"
+
+SRC_URI = "\
+    file://vpdmn.sh \
+"
+
+# Pre-built blobs are optional - they're checked into the layer after being
+# built by vpdmn-initramfs-create. If not present, vpdmn will still build
+# but will require --blob-dir at runtime.
+#
+# To build blobs:
+#   MACHINE=qemuarm64 bitbake vpdmn-initramfs-create
+#   MACHINE=qemux86-64 bitbake vpdmn-initramfs-create
+# Then copy from tmp/deploy/images/<machine>/vpdmn-initramfs/ to files/blobs/vpdmn/<arch>/
+
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
+
+# Layer directory containing optional blobs
+VPDMN_LAYER_BLOBS = "${THISDIR}/files/blobs/vpdmn"
+
+# Deploy directories (used when VPDMN_USE_DEPLOY = "1")
+VPDMN_DEPLOY_AARCH64 = "${DEPLOY_DIR}/images/qemuarm64/vpdmn-initramfs"
+VPDMN_DEPLOY_X86_64 = "${DEPLOY_DIR}/images/qemux86-64/vpdmn-initramfs"
+
+# Set to "1" in local.conf to prefer DEPLOY_DIR blobs over layer
+VPDMN_USE_DEPLOY ?= "0"
+
+S = "${UNPACKDIR}"
+
+do_install() {
+    # Install vpdmn main script and architecture symlinks
+    install -d ${D}${bindir}
+    install -d ${D}${bindir}/vpdmn-blobs/aarch64
+    install -d ${D}${bindir}/vpdmn-blobs/x86_64
+
+    # Install main vpdmn script (arch detected at runtime)
+    install -m 0755 ${S}/vpdmn.sh ${D}${bindir}/vpdmn
+
+    # Create backwards-compatible symlinks
+    ln -sf vpdmn ${D}${bindir}/vpdmn-aarch64
+    ln -sf vpdmn ${D}${bindir}/vpdmn-x86_64
+
+    # Note: vpdmn uses vrunner.sh from vdkr-native (it's runtime-agnostic)
+
+    # Determine blob source directories based on VPDMN_USE_DEPLOY
+    if [ "${VPDMN_USE_DEPLOY}" = "1" ]; then
+        AARCH64_SRC="${VPDMN_DEPLOY_AARCH64}"
+        X86_64_SRC="${VPDMN_DEPLOY_X86_64}"
+        bbwarn "============================================================"
+        bbwarn "VPDMN_USE_DEPLOY=1: Using blobs from DEPLOY_DIR"
+        bbwarn "This is for development only. For permanent use, copy blobs:"
+        bbwarn ""
+        bbwarn "  # For aarch64:"
+        bbwarn "  cp ${VPDMN_DEPLOY_AARCH64}/Image \\"
+        bbwarn "     ${VPDMN_LAYER_BLOBS}/aarch64/"
+        bbwarn "  cp ${VPDMN_DEPLOY_AARCH64}/initramfs.cpio.gz \\"
+        bbwarn "     ${VPDMN_LAYER_BLOBS}/aarch64/"
+        bbwarn ""
+        bbwarn "  # For x86_64:"
+        bbwarn "  cp ${VPDMN_DEPLOY_X86_64}/bzImage \\"
+        bbwarn "     ${VPDMN_LAYER_BLOBS}/x86_64/"
+        bbwarn "  cp ${VPDMN_DEPLOY_X86_64}/initramfs.cpio.gz \\"
+        bbwarn "     ${VPDMN_LAYER_BLOBS}/x86_64/"
+        bbwarn ""
+        bbwarn "Then remove VPDMN_USE_DEPLOY from local.conf"
+        bbwarn "============================================================"
+    else
+        AARCH64_SRC="${VPDMN_LAYER_BLOBS}/aarch64"
+        X86_64_SRC="${VPDMN_LAYER_BLOBS}/x86_64"
+    fi
+
+    # Install aarch64 blobs (if available)
+    # Requires: Image, initramfs.cpio.gz, rootfs.img
+    if [ -f "$AARCH64_SRC/Image" ] && [ -f "$AARCH64_SRC/rootfs.img" ]; then
+        install -m 0644 "$AARCH64_SRC/Image" ${D}${bindir}/vpdmn-blobs/aarch64/
+        install -m 0644 "$AARCH64_SRC/initramfs.cpio.gz" ${D}${bindir}/vpdmn-blobs/aarch64/
+        install -m 0644 "$AARCH64_SRC/rootfs.img" ${D}${bindir}/vpdmn-blobs/aarch64/
+        bbnote "Installed aarch64 blobs from $AARCH64_SRC"
+    else
+        bbnote "No aarch64 blobs found at $AARCH64_SRC"
+        bbnote "Required: Image, initramfs.cpio.gz, rootfs.img"
+    fi
+
+    # Install x86_64 blobs (if available)
+    # Requires: bzImage, initramfs.cpio.gz, rootfs.img
+    if [ -f "$X86_64_SRC/bzImage" ] && [ -f "$X86_64_SRC/rootfs.img" ]; then
+        install -m 0644 "$X86_64_SRC/bzImage" ${D}${bindir}/vpdmn-blobs/x86_64/
+        install -m 0644 "$X86_64_SRC/initramfs.cpio.gz" ${D}${bindir}/vpdmn-blobs/x86_64/
+        install -m 0644 "$X86_64_SRC/rootfs.img" ${D}${bindir}/vpdmn-blobs/x86_64/
+        bbnote "Installed x86_64 blobs from $X86_64_SRC"
+    else
+        bbnote "No x86_64 blobs found at $X86_64_SRC"
+        bbnote "Required: bzImage, initramfs.cpio.gz, rootfs.img"
+    fi
+}
+
+# Make available in native sysroot
+SYSROOT_DIRS += "${bindir}"
+
+# Task to print usage instructions
+# Run with: bitbake vpdmn-native -c print_usage
+python do_print_usage() {
+    import os
+    native_sysroot = d.getVar('STAGING_DIR_NATIVE')
+
+    bb.plain("")
+    bb.plain("=" * 70)
+    bb.plain("vpdmn Usage Instructions")
+    bb.plain("=" * 70)
+    bb.plain("")
+    bb.plain("Option 1: Add to PATH (recommended)")
+    bb.plain("-" * 40)
+    bb.plain("export PATH=\"%s:$PATH\"" % (native_sysroot + d.getVar('bindir')))
+    bb.plain("")
+    bb.plain("Then use:")
+    bb.plain("  vpdmn images              # Uses default arch (host or config)")
+    bb.plain("  vpdmn -a aarch64 images   # Explicit arch")
+    bb.plain("  vpdmn-x86_64 images       # Symlink (backwards compatible)")
+    bb.plain("")
+    bb.plain("Option 2: Set default architecture")
+    bb.plain("-" * 40)
+    bb.plain("mkdir -p ~/.config/vpdmn && echo 'aarch64' > ~/.config/vpdmn/arch")
+    bb.plain("")
+    bb.plain("Note: QEMU must be in PATH. If not found, also add:")
+    bb.plain("export PATH=\"%s:$PATH\"" % (d.getVar('STAGING_BINDIR_NATIVE')))
+    bb.plain("")
+    bb.plain("=" * 70)
+}
+addtask print_usage
+do_print_usage[nostamp] = "1"
diff --git a/recipes-containers/vcontainer/vpdmn-rootfs-image.bb b/recipes-containers/vcontainer/vpdmn-rootfs-image.bb
new file mode 100644
index 00000000..33647202
--- /dev/null
+++ b/recipes-containers/vcontainer/vpdmn-rootfs-image.bb
@@ -0,0 +1,129 @@
+# SPDX-FileCopyrightText: Copyright (C) 2025 Bruce Ashfield
+#
+# SPDX-License-Identifier: MIT
+#
+# vpdmn-rootfs-image.bb
+# Minimal Podman-capable image for vpdmn QEMU environment
+#
+# This image is built via multiconfig and used by vpdmn-initramfs-create
+# to provide a proper rootfs for running Podman in QEMU.
+#
+# Build with:
+#   bitbake mc:vpdmn-aarch64:vpdmn-rootfs-image
+#   bitbake mc:vpdmn-x86-64:vpdmn-rootfs-image
+
+SUMMARY = "Minimal Podman rootfs for vpdmn"
+DESCRIPTION = "A minimal image containing Podman tools for use with vpdmn. \
+               This image runs inside QEMU to provide Podman command execution."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+# Track init script changes via file-checksums
+# This adds the file content hash to the task signature
+do_rootfs[file-checksums] += "${THISDIR}/files/vpdmn-init.sh:True"
+do_rootfs[file-checksums] += "${THISDIR}/files/vcontainer-init-common.sh:True"
+
+# Force do_rootfs to always run (no stamp caching)
+# Combined with file-checksums, this ensures init script changes are picked up
+do_rootfs[nostamp] = "1"
+
+# Inherit from core-image-minimal for a minimal base
+inherit core-image
+
+# Use crun as the OCI runtime (not runc) - this prevents the conflict where
+# both crun (which creates /usr/bin/runc symlink) and runc package are installed
+VIRTUAL-RUNTIME_container_runtime = "crun"
+
+# Use netavark for container networking (pulled in via podman's RDEPENDS)
+VIRTUAL-RUNTIME_container_networking = "netavark"
+
+# Use aardvark-dns for container DNS
+VIRTUAL-RUNTIME_container_dns = "aardvark-dns"
+
+# We need Podman and container tools
+# Podman is daemonless - no containerd required!
+IMAGE_INSTALL = " \
+    packagegroup-core-boot \
+    podman \
+    skopeo \
+    conmon \
+    netavark \
+    aardvark-dns \
+    busybox \
+    iproute2 \
+    iptables \
+    util-linux \
+    ca-certificates \
+"
+
+# No extra features needed
+IMAGE_FEATURES = ""
+
+# Keep the image small
+IMAGE_ROOTFS_SIZE = "524288"
+IMAGE_ROOTFS_EXTRA_SPACE = "0"
+
+# Use squashfs for smaller size (~3x compression)
+# The preinit mounts squashfs read-only with tmpfs overlay for writes
+IMAGE_FSTYPES = "squashfs"
+
+# Install our init script
+ROOTFS_POSTPROCESS_COMMAND += "install_vpdmn_init;"
+
+install_vpdmn_init() {
+    # Install vpdmn-init.sh as /init and vcontainer-init-common.sh alongside it
+    install -m 0755 ${THISDIR}/files/vpdmn-init.sh ${IMAGE_ROOTFS}/init
+    install -m 0755 ${THISDIR}/files/vcontainer-init-common.sh ${IMAGE_ROOTFS}/vcontainer-init-common.sh
+
+    # Create required directories
+    install -d ${IMAGE_ROOTFS}/mnt/input
+    install -d ${IMAGE_ROOTFS}/mnt/state
+    install -d ${IMAGE_ROOTFS}/var/lib/containers
+    install -d ${IMAGE_ROOTFS}/run/containers
+
+    # Create skopeo/podman policy
+    install -d ${IMAGE_ROOTFS}/etc/containers
+    echo '{"default":[{"type":"insecureAcceptAnything"}]}' > ${IMAGE_ROOTFS}/etc/containers/policy.json
+
+    # Create registries.conf for podman
+    cat > ${IMAGE_ROOTFS}/etc/containers/registries.conf << 'EOF'
+# Search registries
+unqualified-search-registries = ["docker.io", "quay.io"]
+
+# Short name aliases
+[aliases]
+"alpine" = "docker.io/library/alpine"
+"busybox" = "docker.io/library/busybox"
+"nginx" = "docker.io/library/nginx"
+"ubuntu" = "docker.io/library/ubuntu"
+"debian" = "docker.io/library/debian"
+EOF
+
+    # Create storage.conf for podman
+    # IMPORTANT: Must use VFS driver, not overlay, because:
+    # - The storage tar is extracted into Yocto rootfs under pseudo (fakeroot)
+    # - Overlay storage has special files/symlinks that fail under pseudo
+    # - VFS extracts cleanly (simpler structure, no special filesystem features)
+    install -d ${IMAGE_ROOTFS}/etc/containers/storage.conf.d
+    cat > ${IMAGE_ROOTFS}/etc/containers/storage.conf << 'EOF'
+[storage]
+driver = "vfs"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+
+[storage.options]
+additionalimagestores = []
+EOF
+
+    # Create containers.conf for podman engine settings
+    cat > ${IMAGE_ROOTFS}/etc/containers/containers.conf << 'EOF'
+[engine]
+# Location of helper binaries (netavark, aardvark-dns)
+helper_binaries_dir = ["/usr/libexec/podman"]
+
+[network]
+# Use netavark as the network backend
+network_backend = "netavark"
+EOF
+}