| author | Bruce Ashfield <bruce.ashfield@gmail.com> | 2026-02-19 16:08:45 +0000 |
|---|---|---|
| committer | Bruce Ashfield <bruce.ashfield@gmail.com> | 2026-02-26 01:05:01 +0000 |
| commit | c734621380aed127ee515839aeeb8126f2dcf9ad (patch) | |
| tree | 42b9ad081b4a9c627dc06d65262c9b2176f72d52 /recipes-core/vxn/vxn_1.0.bb | |
| parent | 035e0daebeb53880ea2a6bd0f0e31785f3ec9e55 (diff) | |
| download | meta-virtualization-c734621380aed127ee515839aeeb8126f2dcf9ad.tar.gz | |
vxn: add host-side OCI image cache and fix Docker iptables conflict
Add a host-side OCI image cache at ~/.vxn/images/ for the vdkr/vpdmn
standalone Xen path. Images pulled via skopeo are stored in a
content-addressed layout (refs/ symlinks + store/ OCI dirs) so
subsequent runs hit the cache without network access.
New commands on Xen: pull, images, rmi, tag, inspect, image <subcmd>.
The run path is unchanged — cache integration into hv_prepare_container
is deferred to a follow-up.
Also fix Docker iptables conflict: when docker-moby and vxn-docker-config
coexist on Dom0, Docker's default FORWARD DROP policy blocks DHCP for
Xen DomU vifs on xenbr0. Adding "iptables": false to daemon.json
prevents Docker from modifying iptables since VM-based containers
manage their own network stack.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Diffstat (limited to 'recipes-core/vxn/vxn_1.0.bb')
| -rw-r--r-- | recipes-core/vxn/vxn_1.0.bb | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/recipes-core/vxn/vxn_1.0.bb b/recipes-core/vxn/vxn_1.0.bb index a08dac09..278911d5 100644 --- a/recipes-core/vxn/vxn_1.0.bb +++ b/recipes-core/vxn/vxn_1.0.bb | |||
| @@ -228,12 +228,14 @@ do_install() { | |||
| 228 | install -m 0755 ${S}/vpdmn.sh ${D}${bindir}/vpdmn | 228 | install -m 0755 ${S}/vpdmn.sh ${D}${bindir}/vpdmn |
| 229 | 229 | ||
| 230 | # Docker daemon config: register vxn-oci-runtime (vxn-docker-config sub-package) | 230 | # Docker daemon config: register vxn-oci-runtime (vxn-docker-config sub-package) |
| 231 | # no-new-privileges=false is needed because vxn ignores Linux security features. | 231 | # iptables=false: Docker's default FORWARD DROP policy blocks DHCP and |
| 232 | # Users must use --network=none or --network=host with vxn containers since | 232 | # bridged traffic for Xen DomU vifs on xenbr0. Since vxn containers are |
| 233 | # Xen DomUs have their own kernel network stack and Docker's veth/namespace | 233 | # full VMs with their own network stack, Docker's iptables rules are |
| 234 | # setup is incompatible with VM-based runtimes. | 234 | # unnecessary and harmful. Note: bridge networking is left enabled so |
| 235 | # that 'docker pull' works (needs bridge for DNS). Users must pass | ||
| 236 | # --network=none for 'docker run' (veth/netns incompatible with VMs). | ||
| 235 | install -d ${D}${sysconfdir}/docker | 237 | install -d ${D}${sysconfdir}/docker |
| 236 | printf '{\n "runtimes": {\n "vxn": {\n "path": "/usr/bin/vxn-oci-runtime"\n }\n },\n "default-runtime": "vxn"\n}\n' \ | 238 | printf '{\n "runtimes": {\n "vxn": {\n "path": "/usr/bin/vxn-oci-runtime"\n }\n },\n "default-runtime": "vxn",\n "iptables": false\n}\n' \ |
| 237 | > ${D}${sysconfdir}/docker/daemon.json | 239 | > ${D}${sysconfdir}/docker/daemon.json |
| 238 | 240 | ||
| 239 | # Podman config: register vxn-oci-runtime (vxn-podman-config sub-package) | 241 | # Podman config: register vxn-oci-runtime (vxn-podman-config sub-package) |
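Review bot: the rationale in the new comment block (lines 235-236 of the new file) that bridge networking must stay enabled "so that 'docker pull' works (needs bridge for DNS)" does not hold up: image pulls are performed by the daemon from the host network namespace and do not traverse docker0 at all, so please verify that claim before it lands in a comment, or drop the parenthetical. Two further points worth recording next to the `"iptables": false` setting in the daemon.json printf: with this option Docker also stops installing the masquerade and FORWARD rules for its own bridge, so any container started with `--runtime=runc` (the default-runtime is vxn, but the override remains available) will sit on docker0 without NAT or isolation, and the host's FORWARD chain policy for xenbr0 traffic is now entirely the responsibility of the Xen network scripts and whatever firewall the image ships; a one-line note in the comment saying that filtering of DomU vif traffic must be provided elsewhere would make the trade-off explicit. Finally, the comment still ends with "Users must pass --network=none for 'docker run'", whereas the previous text allowed `--network=host` as well; if host mode is no longer supported, the commit message should mention the behaviour change, otherwise restore it in the comment.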
