vxn: add containerd OCI runtime integration

Add shell-based OCI runtime (vxn-oci-runtime) that enables containerd
to manage Xen DomU containers through the standard runc shim. Non-terminal
container output flows back to ctr via the shim's pipe mechanism.

New files:
- vxn-oci-runtime: OCI runtime (create/start/state/kill/delete/features/logs)
- vxn-sendtty.c: SCM_RIGHTS helper for terminal mode PTY passing
- containerd-shim-vxn-v2: PATH trick wrapper for runc shim coexistence
- containerd-config-vxn.toml: CRI config (vxn default, runc fallback)
- vctr: convenience wrapper injecting --runtime io.containerd.vxn.v2

Key design:
- Monitor subprocess uses wait on xl console (not sleep-polling) for
  instant reaction when domain dies, then extracts output markers and
  writes to stdout (shim pipe -> containerd FIFO -> ctr client)
- cmd_state checks monitor PID liveness (not domain status) to prevent
  premature cleanup race that killed monitor before output
- cmd_delete always destroys remnant domains (no --force needed)
- Coexists with runc: /usr/libexec/vxn/shim/runc symlink + PATH trick

Verified: vctr run --rm, vctr run -d, vxn standalone, vxn daemon mode.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

1 files changed, 149 insertions, 47 deletions

diff --git a/recipes-core/vxn/vxn_1.0.bb b/recipes-core/vxn/vxn_1.0.bb
index 2a36274a..d16cbc77 100644
--- a/recipes-core/vxn/vxn_1.0.bb
+++ b/recipes-core/vxn/vxn_1.0.bb
@@ -14,9 +14,13 @@
 # - vcontainer-common.sh (shared CLI code)
 # - Kernel, initramfs, and rootfs blobs for booting DomU guests
 #
-# The blobs are sourced from the vxn-initramfs-create recipe which
-# reuses the same rootfs images built by vdkr/vpdmn (the init scripts
-# detect the hypervisor at boot time).
+# Blobs are sourced directly from the vruntime multiconfig deploy
+# directory. The rootfs squashfs is unsquashed, vxn init scripts are
+# injected, and it is re-squashed — all within do_compile. This keeps
+# the entire dependency chain in one recipe so that SRC_URI hash
+# tracking and mcdepends work correctly without relying on a separate
+# deploy-only recipe (which cannot be task-depended on from a packaged
+# recipe without breaking image do_rootfs sstate manifest checks).
 #
 # ===========================================================================
 # BUILD INSTRUCTIONS
@@ -49,21 +53,31 @@ LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda
 inherit features_check
 REQUIRED_DISTRO_FEATURES = "xen"
 
+# Host scripts + guest init scripts (all from the vcontainer files dir)
 SRC_URI = "\
     file://vxn.sh \
     file://vrunner.sh \
     file://vrunner-backend-xen.sh \
     file://vrunner-backend-qemu.sh \
     file://vcontainer-common.sh \
+    file://vxn-init.sh \
+    file://vcontainer-init-common.sh \
+    file://vxn-oci-runtime \
+    file://vxn-sendtty.c \
+    file://containerd-config-vxn.toml \
+    file://containerd-shim-vxn-v2 \
+    file://vctr \
 "
 
 FILESEXTRAPATHS:prepend := "${THISDIR}/../../recipes-containers/vcontainer/files:"
 
 S = "${UNPACKDIR}"
+B = "${WORKDIR}/build"
 
 # Runtime dependencies on Dom0
 RDEPENDS:${PN} = "\
     xen-tools-xl \
+    xen-tools-xenstore \
     bash \
     jq \
     socat \
@@ -73,23 +87,12 @@ RDEPENDS:${PN} = "\
     skopeo \
 "
 
-# Blobs are sourced from vxn-initramfs-create deploy output.
-# Build blobs first: bitbake vxn-initramfs-create
-# No task dependency here - vxn-initramfs-create is deploy-only (no packages).
-# Adding any dependency from a packaged recipe to a deploy-only recipe
-# breaks do_rootfs (sstate manifest not found for package_write_rpm).
-
-# Blobs come from DEPLOY_DIR which is untracked by sstate hash.
-# nostamp on do_install alone is insufficient — do_package and
-# do_package_write_rpm have unchanged sstate hashes so they restore
-# the OLD RPM from cache, discarding the fresh do_install output.
-# Force the entire install→package→RPM chain to always re-run.
-do_install[nostamp] = "1"
-do_package[nostamp] = "1"
-do_packagedata[nostamp] = "1"
-do_package_write_rpm[nostamp] = "1"
-do_package_write_ipk[nostamp] = "1"
-do_package_write_deb[nostamp] = "1"
+# squashfs-tools-native for unsquash/resquash of rootfs.img
+DEPENDS += "squashfs-tools-native"
+
+# ===========================================================================
+# Architecture and multiconfig helpers
+# ===========================================================================
 
 def vxn_get_blob_arch(d):
     arch = d.getVar('TARGET_ARCH')
@@ -109,15 +112,114 @@ def vxn_get_kernel_image_name(d):
         return 'zImage'
     return 'Image'
 
+def vxn_get_multiconfig_name(d):
+    arch = d.getVar('TARGET_ARCH')
+    if arch == 'aarch64':
+        return 'vruntime-aarch64'
+    elif arch in ['x86_64', 'i686', 'i586']:
+        return 'vruntime-x86-64'
+    return 'vruntime-aarch64'
+
 BLOB_ARCH = "${@vxn_get_blob_arch(d)}"
 KERNEL_IMAGETYPE_VXN = "${@vxn_get_kernel_image_name(d)}"
+VXN_MULTICONFIG = "${@vxn_get_multiconfig_name(d)}"
+VXN_RUNTIME = "vdkr"
+
+# Multiconfig deploy directory (where vdkr-rootfs-image deploys blobs)
+VXN_MC_DEPLOY = "${TOPDIR}/tmp-${VXN_MULTICONFIG}/deploy/images/${MACHINE}"
+
+# ===========================================================================
+# Multiconfig dependencies — ensures blobs are built before do_compile.
+# mcdepends are cross-config and don't pollute the same-config package
+# dependency tree, so they don't break image do_rootfs sstate checks.
+# ===========================================================================
+
+python () {
+    mc = d.getVar('VXN_MULTICONFIG')
+    runtime = d.getVar('VXN_RUNTIME')
+    bbmulticonfig = (d.getVar('BBMULTICONFIG') or "").split()
+    if mc in bbmulticonfig:
+        mcdeps = ' '.join([
+            'mc::%s:%s-tiny-initramfs-image:do_image_complete' % (mc, runtime),
+            'mc::%s:%s-rootfs-image:do_image_complete' % (mc, runtime),
+            'mc::%s:virtual/kernel:do_deploy' % mc,
+        ])
+        d.setVarFlag('do_compile', 'mcdepends', mcdeps)
+}
+
+# ===========================================================================
+# do_compile: source blobs from MC deploy, inject init scripts into rootfs
+# ===========================================================================
+# SRC_URI includes vxn-init.sh and vcontainer-init-common.sh, so their
+# content hashes are part of the task signature. When they change, this
+# task re-runs and produces a fresh rootfs.img with the updated scripts.
+
+do_compile() {
+    mkdir -p ${B}
+
+    # Compile vxn-sendtty (SCM_RIGHTS helper for OCI terminal mode)
+    ${CC} ${CFLAGS} ${S}/vxn-sendtty.c ${LDFLAGS} -o ${B}/vxn-sendtty
+
+    MC_DEPLOY="${VXN_MC_DEPLOY}"
+
+    # --- Initramfs ---
+    INITRAMFS_SRC="${MC_DEPLOY}/${VXN_RUNTIME}-tiny-initramfs-image-${MACHINE}.cpio.gz"
+    if [ ! -f "${INITRAMFS_SRC}" ]; then
+        bbfatal "Initramfs not found at ${INITRAMFS_SRC}. Build with: bitbake mc:${VXN_MULTICONFIG}:${VXN_RUNTIME}-tiny-initramfs-image"
+    fi
+    cp "${INITRAMFS_SRC}" ${B}/initramfs.cpio.gz
 
-VXN_DEPLOY = "${DEPLOY_DIR_IMAGE}"
+    # --- Rootfs (unsquash, inject scripts, resquash) ---
+    ROOTFS_SRC="${MC_DEPLOY}/${VXN_RUNTIME}-rootfs-image-${MACHINE}.rootfs.squashfs"
+    if [ ! -f "${ROOTFS_SRC}" ]; then
+        bbfatal "Rootfs not found at ${ROOTFS_SRC}. Build with: bitbake mc:${VXN_MULTICONFIG}:${VXN_RUNTIME}-rootfs-image"
+    fi
+
+    UNSQUASH_DIR="${B}/rootfs-unsquash"
+    rm -rf "${UNSQUASH_DIR}"
+    unsquashfs -d "${UNSQUASH_DIR}" "${ROOTFS_SRC}"
+
+    # Inject vxn init scripts (tracked via SRC_URI → task hash changes on edit)
+    install -m 0755 ${S}/vxn-init.sh ${UNSQUASH_DIR}/vxn-init.sh
+    install -m 0755 ${S}/vcontainer-init-common.sh ${UNSQUASH_DIR}/vcontainer-init-common.sh
+
+    rm -f ${B}/rootfs.img
+    mksquashfs "${UNSQUASH_DIR}" ${B}/rootfs.img -noappend -comp xz
+    rm -rf "${UNSQUASH_DIR}"
+
+    # --- Kernel ---
+    KERNEL_FILE="${DEPLOY_DIR_IMAGE}/${KERNEL_IMAGETYPE_VXN}"
+    if [ -f "${KERNEL_FILE}" ]; then
+        cp "${KERNEL_FILE}" ${B}/kernel
+    else
+        bbwarn "Kernel not found at ${KERNEL_FILE}"
+    fi
+}
+
+# ===========================================================================
+# do_install: install CLI scripts (from SRC_URI) and blobs (from do_compile)
+# ===========================================================================
 
 do_install() {
-    # Install CLI wrapper
+    # Install CLI wrapper, OCI runtime, and sendtty helper
     install -d ${D}${bindir}
     install -m 0755 ${S}/vxn.sh ${D}${bindir}/vxn
+    install -m 0755 ${S}/vxn-oci-runtime ${D}${bindir}/vxn-oci-runtime
+    install -m 0755 ${B}/vxn-sendtty ${D}${bindir}/vxn-sendtty
+
+    # Install containerd config (makes vxn-oci-runtime the default CRI runtime)
+    install -d ${D}${sysconfdir}/containerd
+    install -m 0644 ${S}/containerd-config-vxn.toml ${D}${sysconfdir}/containerd/config.toml
+
+    # Install vxn shim wrapper: PATH trick makes runc shim find vxn-oci-runtime
+    install -m 0755 ${S}/containerd-shim-vxn-v2 ${D}${bindir}/containerd-shim-vxn-v2
+
+    # Private shim dir: runc symlink so the runc shim execs vxn-oci-runtime
+    install -d ${D}${libexecdir}/vxn/shim
+    ln -sf ${bindir}/vxn-oci-runtime ${D}${libexecdir}/vxn/shim/runc
+
+    # Install vctr convenience wrapper
+    install -m 0755 ${S}/vctr ${D}${bindir}/vctr
 
     # Install shared scripts into libdir
     install -d ${D}${libdir}/vxn
@@ -126,39 +228,39 @@ do_install() {
     install -m 0755 ${S}/vrunner-backend-qemu.sh ${D}${libdir}/vxn/
     install -m 0644 ${S}/vcontainer-common.sh ${D}${libdir}/vxn/
 
-    # Install blobs from vxn-initramfs-create deployment
-    # Layout must match what vrunner backends expect: $BLOB_DIR/<arch>/{Image,initramfs.cpio.gz,rootfs.img}
+    # Install blobs from do_compile output
     install -d ${D}${datadir}/vxn/${BLOB_ARCH}
 
-    VXN_BLOB_SRC="${VXN_DEPLOY}/vxn/${BLOB_ARCH}"
-    if [ -d "${VXN_BLOB_SRC}" ]; then
-        if [ -f "${VXN_BLOB_SRC}/${KERNEL_IMAGETYPE_VXN}" ]; then
-            install -m 0644 "${VXN_BLOB_SRC}/${KERNEL_IMAGETYPE_VXN}" ${D}${datadir}/vxn/${BLOB_ARCH}/
-            bbnote "Installed kernel ${KERNEL_IMAGETYPE_VXN}"
-        else
-            bbwarn "Kernel not found at ${VXN_BLOB_SRC}/${KERNEL_IMAGETYPE_VXN}"
-        fi
-
-        if [ -f "${VXN_BLOB_SRC}/initramfs.cpio.gz" ]; then
-            install -m 0644 "${VXN_BLOB_SRC}/initramfs.cpio.gz" ${D}${datadir}/vxn/${BLOB_ARCH}/
-            bbnote "Installed initramfs"
-        else
-            bbwarn "Initramfs not found at ${VXN_BLOB_SRC}/initramfs.cpio.gz"
-        fi
-
-        if [ -f "${VXN_BLOB_SRC}/rootfs.img" ]; then
-            install -m 0644 "${VXN_BLOB_SRC}/rootfs.img" ${D}${datadir}/vxn/${BLOB_ARCH}/
-            bbnote "Installed rootfs.img"
-        else
-            bbwarn "Rootfs not found at ${VXN_BLOB_SRC}/rootfs.img"
-        fi
+    if [ -f "${B}/kernel" ]; then
+        install -m 0644 "${B}/kernel" ${D}${datadir}/vxn/${BLOB_ARCH}/${KERNEL_IMAGETYPE_VXN}
+        bbnote "Installed kernel ${KERNEL_IMAGETYPE_VXN}"
+    else
+        bbwarn "Kernel blob not found in build dir"
+    fi
+
+    if [ -f "${B}/initramfs.cpio.gz" ]; then
+        install -m 0644 "${B}/initramfs.cpio.gz" ${D}${datadir}/vxn/${BLOB_ARCH}/
+        bbnote "Installed initramfs"
+    else
+        bbwarn "Initramfs blob not found in build dir"
+    fi
+
+    if [ -f "${B}/rootfs.img" ]; then
+        install -m 0644 "${B}/rootfs.img" ${D}${datadir}/vxn/${BLOB_ARCH}/
+        bbnote "Installed rootfs.img"
     else
-        bbwarn "VXN blob directory not found at ${VXN_BLOB_SRC}. Build with: bitbake vxn-initramfs-create"
+        bbwarn "Rootfs blob not found in build dir"
     fi
 }
 
 FILES:${PN} = "\
     ${bindir}/vxn \
+    ${bindir}/vxn-oci-runtime \
+    ${bindir}/vxn-sendtty \
+    ${bindir}/containerd-shim-vxn-v2 \
+    ${bindir}/vctr \
+    ${libexecdir}/vxn/ \
+    ${sysconfdir}/containerd/config.toml \
     ${libdir}/vxn/ \
     ${datadir}/vxn/ \
 "