vcontainer: add vpdmn Podman support

Add vpdmn - Podman CLI wrapper for cross-architecture container operations:

Scripts:
- vpdmn.sh: Podman CLI entry point (vpdmn-x86_64, vpdmn-aarch64)
- vpdmn-init.sh: Podman init script for QEMU guest

Recipes:
- vpdmn-native: Installs vpdmn CLI wrappers
- vpdmn-rootfs-image: Builds Podman rootfs with crun, netavark, skopeo
- vpdmn-initramfs-create: Creates bootable initramfs blob

The vpdmn CLI provides Podman-compatible commands executed inside a
QEMU-emulated environment. Unlike vdkr, Podman is daemonless which
simplifies the guest init process.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

4 files changed, 258 insertions, 0 deletions

diff --git a/recipes-containers/vcontainer/files/blobs/vpdmn/aarch64/README b/recipes-containers/vcontainer/files/blobs/vpdmn/aarch64/README
new file mode 100644
index 00000000..a4197779
--- /dev/null
+++ b/recipes-containers/vcontainer/files/blobs/vpdmn/aarch64/README
@@ -0,0 +1,26 @@
+vpdmn aarch64 Blobs
+====================
+
+This directory should contain the boot blobs for vpdmn aarch64:
+
+Required files:
+  - Image              : Linux kernel for aarch64
+  - initramfs.cpio.gz  : Tiny initramfs for switch_root
+  - rootfs.img         : Ext4 root filesystem with Podman tools
+
+Build instructions:
+  1. Set MACHINE for aarch64:
+     MACHINE=qemuarm64
+
+  2. Build the blobs:
+     bitbake vpdmn-initramfs-create
+
+  3. Copy from deploy directory:
+     cp tmp/deploy/images/qemuarm64/vpdmn/aarch64/Image .
+     cp tmp/deploy/images/qemuarm64/vpdmn/aarch64/initramfs.cpio.gz .
+     cp tmp/deploy/images/qemuarm64/vpdmn/aarch64/rootfs.img .
+
+Once these files are present, vpdmn-native will automatically include them.
+
+Alternatively, set VPDMN_USE_DEPLOY = "1" in local.conf to use blobs
+directly from DEPLOY_DIR without copying to the layer.
diff --git a/recipes-containers/vcontainer/files/blobs/vpdmn/x86_64/README b/recipes-containers/vcontainer/files/blobs/vpdmn/x86_64/README
new file mode 100644
index 00000000..30ddb445
--- /dev/null
+++ b/recipes-containers/vcontainer/files/blobs/vpdmn/x86_64/README
@@ -0,0 +1,26 @@
+vpdmn x86_64 Blobs
+===================
+
+This directory should contain the boot blobs for vpdmn x86_64:
+
+Required files:
+  - bzImage            : Linux kernel for x86_64
+  - initramfs.cpio.gz  : Tiny initramfs for switch_root
+  - rootfs.img         : Ext4 root filesystem with Podman tools
+
+Build instructions:
+  1. Set MACHINE for x86_64:
+     MACHINE=qemux86-64
+
+  2. Build the blobs:
+     bitbake vpdmn-initramfs-create
+
+  3. Copy from deploy directory:
+     cp tmp/deploy/images/qemux86-64/vpdmn/x86_64/bzImage .
+     cp tmp/deploy/images/qemux86-64/vpdmn/x86_64/initramfs.cpio.gz .
+     cp tmp/deploy/images/qemux86-64/vpdmn/x86_64/rootfs.img .
+
+Once these files are present, vpdmn-native will automatically include them.
+
+Alternatively, set VPDMN_USE_DEPLOY = "1" in local.conf to use blobs
+directly from DEPLOY_DIR without copying to the layer.
diff --git a/recipes-containers/vcontainer/files/vpdmn-init.sh b/recipes-containers/vcontainer/files/vpdmn-init.sh
new file mode 100755
index 00000000..52aa9129
--- /dev/null
+++ b/recipes-containers/vcontainer/files/vpdmn-init.sh
@@ -0,0 +1,181 @@
+#!/bin/sh
+# SPDX-FileCopyrightText: Copyright (C) 2025 Bruce Ashfield
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# vpdmn-init.sh
+# Init script for vpdmn: execute arbitrary podman commands in QEMU
+#
+# This script runs on a real ext4 filesystem after switch_root from initramfs.
+# The preinit script mounted /dev/vda (rootfs.img) and did switch_root to us.
+#
+# Drive layout (rootfs.img is always /dev/vda, mounted as /):
+#   /dev/vda = rootfs.img (this script runs from here, mounted as /)
+#   /dev/vdb = input disk (optional, OCI/tar/dir data)
+#   /dev/vdc = state disk (optional, persistent Podman storage)
+#
+# Kernel parameters:
+#   podman_cmd=<base64>    Base64-encoded podman command + args
+#   podman_input=<type>    Input type: none, oci, tar, dir (default: none)
+#   podman_output=<type>   Output type: text, tar, storage (default: text)
+#   podman_state=<type>    State type: none, disk (default: none)
+#   podman_network=1       Enable networking (configure eth0, DNS)
+#
+# Version: 1.1.0
+#
+# Note: Podman is daemonless - no containerd/dockerd required!
+
+# Set runtime-specific parameters before sourcing common code
+VCONTAINER_RUNTIME_NAME="vpdmn"
+VCONTAINER_RUNTIME_CMD="podman"
+VCONTAINER_RUNTIME_PREFIX="podman"
+VCONTAINER_STATE_DIR="/var/lib/containers/storage"
+VCONTAINER_SHARE_NAME="vpdmn_share"
+VCONTAINER_VERSION="1.1.0"
+
+# Source common init functions
+# When installed as /init, common file is at /vcontainer-init-common.sh
+. /vcontainer-init-common.sh
+
+# ============================================================================
+# Podman-Specific Functions
+# ============================================================================
+
+setup_podman_environment() {
+    # Podman needs XDG_RUNTIME_DIR
+    export XDG_RUNTIME_DIR="/run/user/0"
+    mkdir -p "$XDG_RUNTIME_DIR"
+    chmod 700 "$XDG_RUNTIME_DIR"
+}
+
+setup_podman_mounts() {
+    # Podman needs /dev/shm
+    mkdir -p /dev/shm
+    mount -t tmpfs tmpfs /dev/shm
+
+    # Mount /var/volatile for Yocto's volatile symlinks (/var/tmp -> volatile/tmp, etc.)
+    mkdir -p /var/volatile
+    mount -t tmpfs tmpfs /var/volatile
+    mkdir -p /var/volatile/tmp /var/volatile/log /var/volatile/run /var/volatile/cache
+
+    # Also mount /var/cache directly (not a symlink)
+    mount -t tmpfs tmpfs /var/cache
+}
+
+setup_podman_storage() {
+    mkdir -p /run/lock
+
+    # /var/lib/containers exists in rootfs.img (read-only), mount tmpfs over it
+    mount -t tmpfs tmpfs /var/lib/containers
+    mkdir -p /var/lib/containers/storage
+
+    # Handle Podman storage
+    if [ -n "$STATE_DISK" ] && [ -b "$STATE_DISK" ]; then
+        log "Mounting state disk $STATE_DISK as /var/lib/containers/storage..."
+        if mount -t ext4 "$STATE_DISK" /var/lib/containers/storage 2>&1; then
+            log "SUCCESS: Mounted $STATE_DISK as Podman storage"
+            log "Podman storage contents:"
+            [ "$QUIET_BOOT" = "0" ] && ls -la /var/lib/containers/storage/ 2>/dev/null || log "(empty)"
+        else
+            log "WARNING: Failed to mount state disk, using tmpfs fallback"
+            RUNTIME_STATE="none"
+        fi
+    else
+        log "Using tmpfs for Podman storage (ephemeral)..."
+    fi
+}
+
+verify_podman() {
+    # Podman is daemonless - just verify it's available
+    if [ -x "/usr/bin/podman" ]; then
+        log "Podman available: $(podman --version 2>/dev/null || echo 'version unknown')"
+    else
+        echo "===ERROR==="
+        echo "Podman not found at /usr/bin/podman"
+        sleep 2
+        reboot -f
+    fi
+}
+
+# Podman is daemonless - nothing to stop
+stop_runtime_daemons() {
+    :
+}
+
+handle_storage_output() {
+    # Export entire podman storage
+    # Tar from inside /var/lib/containers/storage so paths are vfs-images/... directly
+    echo "Packaging Podman storage..."
+    if ! cd /var/lib/containers/storage; then
+        echo "===ERROR==="
+        echo "Failed to cd to /var/lib/containers/storage"
+        echo "Contents of /var/lib/containers:"
+        ls -la /var/lib/containers/ 2>&1 || echo "(not found)"
+        poweroff -f
+        exit 1
+    fi
+    tar -cf /tmp/storage.tar .
+
+    STORAGE_SIZE=$(stat -c%s /tmp/storage.tar 2>/dev/null || echo "0")
+    echo "Storage size: $STORAGE_SIZE bytes"
+
+    if [ "$STORAGE_SIZE" -gt 1000 ]; then
+        dmesg -n 1
+        echo "===STORAGE_START==="
+        base64 /tmp/storage.tar
+        echo "===STORAGE_END==="
+        echo "===EXIT_CODE=$EXEC_EXIT_CODE==="
+    else
+        echo "===ERROR==="
+        echo "Storage too small"
+    fi
+}
+
+# ============================================================================
+# Main
+# ============================================================================
+
+# Initialize base environment
+setup_base_environment
+setup_podman_environment
+mount_base_filesystems
+
+# Check for quiet boot mode
+check_quiet_boot
+
+log "=== vpdmn Init ==="
+log "Version: $VCONTAINER_VERSION"
+
+# Mount tmpfs directories and Podman-specific mounts
+mount_tmpfs_dirs
+setup_podman_mounts
+setup_cgroups
+
+# Parse kernel command line
+parse_cmdline
+
+# Detect and configure disks
+detect_disks
+
+# Set up Podman storage (Podman-specific)
+setup_podman_storage
+
+# Mount input disk
+mount_input_disk
+
+# Configure networking
+configure_networking
+
+# Verify podman is available (no daemon to start)
+verify_podman
+
+# Handle daemon mode or single command execution
+if [ "$RUNTIME_DAEMON" = "1" ]; then
+    run_daemon_mode
+else
+    prepare_input_path
+    execute_command
+fi
+
+# Graceful shutdown
+graceful_shutdown
diff --git a/recipes-containers/vcontainer/files/vpdmn.sh b/recipes-containers/vcontainer/files/vpdmn.sh
new file mode 100755
index 00000000..30775d35
--- /dev/null
+++ b/recipes-containers/vcontainer/files/vpdmn.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+# SPDX-FileCopyrightText: Copyright (C) 2025 Bruce Ashfield
+#
+# SPDX-License-Identifier: GPL-2.0-only
+#
+# vpdmn: Podman-like interface for cross-architecture container operations
+#
+# This provides a familiar podman-like CLI that executes commands inside
+# a QEMU-emulated environment with the target architecture's Podman.
+#
+# Command naming convention:
+#   - Commands matching Podman's syntax/semantics use Podman's name (import, load, save, etc.)
+#   - Extended commands with non-Podman behavior use 'v' prefix (vimport)
+
+# Set runtime-specific parameters before sourcing common code
+VCONTAINER_RUNTIME_NAME="vpdmn"
+VCONTAINER_RUNTIME_CMD="podman"
+VCONTAINER_RUNTIME_PREFIX="VPDMN"
+VCONTAINER_IMPORT_TARGET="containers-storage:"
+VCONTAINER_STATE_FILE="podman-state.img"
+VCONTAINER_OTHER_PREFIX="VDKR"
+VCONTAINER_VERSION="1.2.0"
+
+# Source common implementation
+source "$(dirname "${BASH_SOURCE[0]}")/vcontainer-common.sh" "$@"