vcontainer: add vpdmn Podman support

Add vpdmn - Podman CLI wrapper for cross-architecture container operations:

Scripts:
- vpdmn.sh: Podman CLI entry point (vpdmn-x86_64, vpdmn-aarch64)
- vpdmn-init.sh: Podman init script for QEMU guest

Recipes:
- vpdmn-native: Installs vpdmn CLI wrappers
- vpdmn-rootfs-image: Builds Podman rootfs with crun, netavark, skopeo
- vpdmn-initramfs-create: Creates bootable initramfs blob

The vpdmn CLI provides Podman-compatible commands executed inside a
QEMU-emulated environment. Unlike vdkr, Podman is daemonless which
simplifies the guest init process.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

1 files changed, 129 insertions, 0 deletions

diff --git a/recipes-containers/vcontainer/vpdmn-rootfs-image.bb b/recipes-containers/vcontainer/vpdmn-rootfs-image.bb
new file mode 100644
index 00000000..33647202
--- /dev/null
+++ b/recipes-containers/vcontainer/vpdmn-rootfs-image.bb
@@ -0,0 +1,129 @@
+# SPDX-FileCopyrightText: Copyright (C) 2025 Bruce Ashfield
+#
+# SPDX-License-Identifier: MIT
+#
+# vpdmn-rootfs-image.bb
+# Minimal Podman-capable image for vpdmn QEMU environment
+#
+# This image is built via multiconfig and used by vpdmn-initramfs-create
+# to provide a proper rootfs for running Podman in QEMU.
+#
+# Build with:
+#   bitbake mc:vpdmn-aarch64:vpdmn-rootfs-image
+#   bitbake mc:vpdmn-x86-64:vpdmn-rootfs-image
+
+SUMMARY = "Minimal Podman rootfs for vpdmn"
+DESCRIPTION = "A minimal image containing Podman tools for use with vpdmn. \
+               This image runs inside QEMU to provide Podman command execution."
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+# Track init script changes via file-checksums
+# This adds the file content hash to the task signature
+do_rootfs[file-checksums] += "${THISDIR}/files/vpdmn-init.sh:True"
+do_rootfs[file-checksums] += "${THISDIR}/files/vcontainer-init-common.sh:True"
+
+# Force do_rootfs to always run (no stamp caching)
+# Combined with file-checksums, this ensures init script changes are picked up
+do_rootfs[nostamp] = "1"
+
+# Inherit from core-image-minimal for a minimal base
+inherit core-image
+
+# Use crun as the OCI runtime (not runc) - this prevents the conflict where
+# both crun (which creates /usr/bin/runc symlink) and runc package are installed
+VIRTUAL-RUNTIME_container_runtime = "crun"
+
+# Use netavark for container networking (pulled in via podman's RDEPENDS)
+VIRTUAL-RUNTIME_container_networking = "netavark"
+
+# Use aardvark-dns for container DNS
+VIRTUAL-RUNTIME_container_dns = "aardvark-dns"
+
+# We need Podman and container tools
+# Podman is daemonless - no containerd required!
+IMAGE_INSTALL = " \
+    packagegroup-core-boot \
+    podman \
+    skopeo \
+    conmon \
+    netavark \
+    aardvark-dns \
+    busybox \
+    iproute2 \
+    iptables \
+    util-linux \
+    ca-certificates \
+"
+
+# No extra features needed
+IMAGE_FEATURES = ""
+
+# Keep the image small
+IMAGE_ROOTFS_SIZE = "524288"
+IMAGE_ROOTFS_EXTRA_SPACE = "0"
+
+# Use squashfs for smaller size (~3x compression)
+# The preinit mounts squashfs read-only with tmpfs overlay for writes
+IMAGE_FSTYPES = "squashfs"
+
+# Install our init script
+ROOTFS_POSTPROCESS_COMMAND += "install_vpdmn_init;"
+
+install_vpdmn_init() {
+    # Install vpdmn-init.sh as /init and vcontainer-init-common.sh alongside it
+    install -m 0755 ${THISDIR}/files/vpdmn-init.sh ${IMAGE_ROOTFS}/init
+    install -m 0755 ${THISDIR}/files/vcontainer-init-common.sh ${IMAGE_ROOTFS}/vcontainer-init-common.sh
+
+    # Create required directories
+    install -d ${IMAGE_ROOTFS}/mnt/input
+    install -d ${IMAGE_ROOTFS}/mnt/state
+    install -d ${IMAGE_ROOTFS}/var/lib/containers
+    install -d ${IMAGE_ROOTFS}/run/containers
+
+    # Create skopeo/podman policy
+    install -d ${IMAGE_ROOTFS}/etc/containers
+    echo '{"default":[{"type":"insecureAcceptAnything"}]}' > ${IMAGE_ROOTFS}/etc/containers/policy.json
+
+    # Create registries.conf for podman
+    cat > ${IMAGE_ROOTFS}/etc/containers/registries.conf << 'EOF'
+# Search registries
+unqualified-search-registries = ["docker.io", "quay.io"]
+
+# Short name aliases
+[aliases]
+"alpine" = "docker.io/library/alpine"
+"busybox" = "docker.io/library/busybox"
+"nginx" = "docker.io/library/nginx"
+"ubuntu" = "docker.io/library/ubuntu"
+"debian" = "docker.io/library/debian"
+EOF
+
+    # Create storage.conf for podman
+    # IMPORTANT: Must use VFS driver, not overlay, because:
+    # - The storage tar is extracted into Yocto rootfs under pseudo (fakeroot)
+    # - Overlay storage has special files/symlinks that fail under pseudo
+    # - VFS extracts cleanly (simpler structure, no special filesystem features)
+    install -d ${IMAGE_ROOTFS}/etc/containers/storage.conf.d
+    cat > ${IMAGE_ROOTFS}/etc/containers/storage.conf << 'EOF'
+[storage]
+driver = "vfs"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+
+[storage.options]
+additionalimagestores = []
+EOF
+
+    # Create containers.conf for podman engine settings
+    cat > ${IMAGE_ROOTFS}/etc/containers/containers.conf << 'EOF'
+[engine]
+# Location of helper binaries (netavark, aardvark-dns)
+helper_binaries_dir = ["/usr/libexec/podman"]
+
+[network]
+# Use netavark as the network backend
+network_backend = "netavark"
+EOF
+}