15 files changed, 220 insertions, 8 deletions

diff --git a/conf/distro/include/container-host-containerd.conf b/conf/distro/include/container-host-containerd.conf
new file mode 100644
index 00000000..c4a68845
--- /dev/null
+++ b/conf/distro/include/container-host-containerd.conf
@@ -0,0 +1,14 @@
+# Container host configuration fragment: Containerd
+#
+# Include from local.conf to set up a containerd-based container host.
+# Requires meta-virt-host.conf to be included first:
+#
+#   require conf/distro/include/meta-virt-host.conf
+#   require conf/distro/include/container-host-containerd.conf
+#   MACHINE = "qemux86-64"
+#   bitbake container-image-host
+#
+# Sets CONTAINER_PROFILE and the DISTRO_FEATURES required by
+# container-image-host with the containerd engine stack.
+
+CONTAINER_PROFILE = "containerd"
diff --git a/conf/distro/include/container-host-docker.conf b/conf/distro/include/container-host-docker.conf
new file mode 100644
index 00000000..5bf29359
--- /dev/null
+++ b/conf/distro/include/container-host-docker.conf
@@ -0,0 +1,14 @@
+# Container host configuration fragment: Docker
+#
+# Include from local.conf to set up a Docker-based container host.
+# Requires meta-virt-host.conf to be included first:
+#
+#   require conf/distro/include/meta-virt-host.conf
+#   require conf/distro/include/container-host-docker.conf
+#   MACHINE = "qemux86-64"
+#   bitbake container-image-host
+#
+# Sets CONTAINER_PROFILE and the DISTRO_FEATURES required by
+# container-image-host with the Docker engine stack.
+
+CONTAINER_PROFILE = "docker"
diff --git a/conf/distro/include/container-host-incus.conf b/conf/distro/include/container-host-incus.conf
new file mode 100644
index 00000000..82e19d87
--- /dev/null
+++ b/conf/distro/include/container-host-incus.conf
@@ -0,0 +1,15 @@
+# Container host configuration fragment: Incus
+#
+# Include from local.conf to set up an Incus-based container host.
+# Requires meta-virt-host.conf to be included first:
+#
+#   require conf/distro/include/meta-virt-host.conf
+#   require conf/distro/include/container-host-incus.conf
+#   MACHINE = "qemux86-64"
+#   bitbake container-image-host
+#
+# Sets CONTAINER_PROFILE for Incus, a system container and VM manager
+# built on LXC. Incus replaces LXD as the community container manager
+# from linuxcontainers.org.
+
+CONTAINER_PROFILE = "incus"
diff --git a/conf/distro/include/container-host-k3s-node.conf b/conf/distro/include/container-host-k3s-node.conf
new file mode 100644
index 00000000..75580d71
--- /dev/null
+++ b/conf/distro/include/container-host-k3s-node.conf
@@ -0,0 +1,18 @@
+# Container host configuration fragment: K3s agent node
+#
+# Include from local.conf to set up a K3s agent (worker) node.
+# Requires meta-virt-host.conf to be included first:
+#
+#   require conf/distro/include/meta-virt-host.conf
+#   require conf/distro/include/container-host-k3s-node.conf
+#   MACHINE = "qemux86-64"
+#   bitbake container-image-host
+#
+# Sets CONTAINER_PROFILE and the DISTRO_FEATURES required by
+# container-image-host with K3s agent-only orchestration. The
+# k3s-node profile bundles the k3s agent, embedded containerd,
+# and CNI plugins. The node joins an existing k3s server cluster.
+
+CONTAINER_PROFILE = "k3s-node"
+
+DISTRO_FEATURES:append = " k3s"
diff --git a/conf/distro/include/container-host-k3s.conf b/conf/distro/include/container-host-k3s.conf
new file mode 100644
index 00000000..6e3733b1
--- /dev/null
+++ b/conf/distro/include/container-host-k3s.conf
@@ -0,0 +1,17 @@
+# Container host configuration fragment: K3s server
+#
+# Include from local.conf to set up a K3s server (control plane + agent).
+# Requires meta-virt-host.conf to be included first:
+#
+#   require conf/distro/include/meta-virt-host.conf
+#   require conf/distro/include/container-host-k3s.conf
+#   MACHINE = "qemux86-64"
+#   bitbake container-image-host
+#
+# Sets CONTAINER_PROFILE and the DISTRO_FEATURES required by
+# container-image-host with K3s orchestration. The k3s-host profile
+# bundles the k3s server, embedded containerd, and CNI plugins.
+
+CONTAINER_PROFILE = "k3s-host"
+
+DISTRO_FEATURES:append = " k3s"
diff --git a/conf/distro/include/container-host-podman.conf b/conf/distro/include/container-host-podman.conf
new file mode 100644
index 00000000..7190e32b
--- /dev/null
+++ b/conf/distro/include/container-host-podman.conf
@@ -0,0 +1,17 @@
+# Container host configuration fragment: Podman
+#
+# Include from local.conf to set up a Podman-based container host.
+# Requires meta-virt-host.conf to be included first:
+#
+#   require conf/distro/include/meta-virt-host.conf
+#   require conf/distro/include/container-host-podman.conf
+#   MACHINE = "qemux86-64"
+#   bitbake container-image-host
+#
+# Sets CONTAINER_PROFILE and the DISTRO_FEATURES required by
+# container-image-host with the Podman engine stack.
+# Includes ipv6 which is required by the podman packagegroup.
+
+CONTAINER_PROFILE = "podman"
+
+DISTRO_FEATURES:append = " ipv6"
diff --git a/conf/distro/include/container-registry.conf b/conf/distro/include/container-registry.conf
new file mode 100644
index 00000000..357e7913
--- /dev/null
+++ b/conf/distro/include/container-registry.conf
@@ -0,0 +1,29 @@
+# Container registry configuration fragment
+#
+# Include from local.conf to enable a local development registry:
+#
+#   require conf/distro/include/container-registry.conf
+#
+# Defaults to an insecure (HTTP) registry at localhost:5000 with
+# namespace "yocto". Override any variable after the require line.
+#
+# This fragment enables the container-registry IMAGE_FEATURES, which
+# installs registry configuration into the target rootfs (daemon.json
+# for Docker, registries.conf.d/ for Podman/containerd).
+#
+# For a secure (TLS + authentication) registry, override these after
+# the require:
+#
+#   CONTAINER_REGISTRY_URL = "registry.example.com:5000"
+#   CONTAINER_REGISTRY_SECURE = "1"
+#   CONTAINER_REGISTRY_USERNAME = "myuser"
+#   # Optional: enable htpasswd authentication
+#   CONTAINER_REGISTRY_AUTH = "1"
+#   # Optional: custom namespace
+#   CONTAINER_REGISTRY_NAMESPACE = "myproject"
+
+CONTAINER_REGISTRY_URL ?= "localhost:5000"
+CONTAINER_REGISTRY_NAMESPACE ?= "yocto"
+CONTAINER_REGISTRY_INSECURE ?= "1"
+
+IMAGE_FEATURES:append = " container-registry"
diff --git a/conf/distro/include/meta-virt-container-incus.inc b/conf/distro/include/meta-virt-container-incus.inc
new file mode 100644
index 00000000..3792d58d
--- /dev/null
+++ b/conf/distro/include/meta-virt-container-incus.inc
@@ -0,0 +1,9 @@
+include meta-virt-container.inc
+
+# Incus is a system container and VM manager built on LXC.
+# It does not use the OCI container engine/runtime/networking model.
+VIRTUAL-RUNTIME_container_engine ??= "incus"
+VIRTUAL-RUNTIME_container_runtime ??= ""
+VIRTUAL-RUNTIME_container_networking ??= ""
+VIRTUAL-RUNTIME_container_dns ??= ""
+VIRTUAL-RUNTIME_container_orchestration ??= ""
diff --git a/conf/distro/include/meta-virt-container-k3s-host.inc b/conf/distro/include/meta-virt-container-k3s-host.inc
index 166d7cf1..f92cb956 100644
--- a/conf/distro/include/meta-virt-container-k3s-host.inc
+++ b/conf/distro/include/meta-virt-container-k3s-host.inc
@@ -1,7 +1,7 @@
 include meta-virt-container.inc
 
 VIRTUAL-RUNTIME_container_engine ?= ""
-VIRTUAL-RUNTIME_container_runtime ?= ""
+VIRTUAL-RUNTIME_container_runtime ?= "virtual-runc"
 VIRTUAL-RUNTIME_container_networking ?= ""
 VIRTUAL-RUNTIME_container_dns ?= ""
 VIRTUAL-RUNTIME_container_orchestration ?= "k3s-host"
diff --git a/conf/distro/include/meta-virt-dev.conf b/conf/distro/include/meta-virt-dev.conf
new file mode 100644
index 00000000..06dcbb95
--- /dev/null
+++ b/conf/distro/include/meta-virt-dev.conf
@@ -0,0 +1,28 @@
+# QEMU development and testing settings
+#
+# Include from local.conf when developing and testing with runqemu:
+#
+#   require conf/distro/include/meta-virt-dev.conf
+#
+# This is separate from the build profiles (container-host-*, xen-host-*)
+# and provides settings that only matter for QEMU-based development:
+# image format, memory, debug features, etc.
+#
+# Typical local.conf for QEMU-based k3s development:
+#
+#   require conf/distro/include/meta-virt-host.conf
+#   BUILD_PROFILE ?= "k3s"
+#   require conf/distro/include/container-host-${BUILD_PROFILE}.conf
+#   require conf/distro/include/meta-virt-dev.conf
+#   MACHINE = "qemux86-64"
+
+# Use raw ext4 for runqemu boot/test cycles.
+# Snapshot formats (qcow2) don't work well with repeated boots.
+IMAGE_FSTYPES = "ext4"
+
+# Xen QEMU settings: Dom0 memory cap and total VM memory
+QB_XEN_CMDLINE_EXTRA ?= "dom0_mem=512M"
+QB_MEM ?= "-m 1024"
+
+# Debug-friendly image features
+EXTRA_IMAGE_FEATURES ?= "allow-empty-password empty-root-password allow-root-login post-install-logging"
diff --git a/conf/distro/include/meta-virt-host.conf b/conf/distro/include/meta-virt-host.conf
new file mode 100644
index 00000000..99d5271e
--- /dev/null
+++ b/conf/distro/include/meta-virt-host.conf
@@ -0,0 +1,20 @@
+# Base virtualization host configuration fragment
+#
+# Common DISTRO_FEATURES for any virtualization work: containers, Xen,
+# k3s, or custom/mixed configurations.
+#
+# Use standalone for custom builds:
+#
+#   require conf/distro/include/meta-virt-host.conf
+#   MACHINE = "qemux86-64"
+#
+# Or let a specific profile (container-host-*, xen-host-*) inherit it.
+
+DISTRO_FEATURES:append = " virtualization systemd seccomp vmsep vcontainer"
+
+# Container runtime provider — the unified runc recipe provides both
+# runc-docker and runc-opencontainers via RPROVIDES
+PREFERRED_PROVIDER_virtual/runc ?= "runc"
+
+# Multiconfig for cross-arch vruntime builds (vdkr/vpdmn blobs)
+BBMULTICONFIG ?= "vruntime-aarch64 vruntime-x86-64"
diff --git a/conf/distro/include/vruntime-bbmask.inc b/conf/distro/include/vruntime-bbmask.inc
index 8eaf44df..eb46dbe9 100644
--- a/conf/distro/include/vruntime-bbmask.inc
+++ b/conf/distro/include/vruntime-bbmask.inc
@@ -35,7 +35,6 @@ BBMASK += "meta-virtualization/recipes-extended/upx/"
 BBMASK += "meta-virtualization/recipes-extended/uxen/"
 BBMASK += "meta-virtualization/recipes-extended/ipxe/"
 BBMASK += "meta-virtualization/recipes-extended/diod/"
-BBMASK += "meta-virtualization/recipes-extended/libibverbs/"
 BBMASK += "meta-virtualization/recipes-extended/virtiofsd/"
 
 # ---------------------------------------------------------------------------
diff --git a/conf/distro/include/xen-host.conf b/conf/distro/include/xen-host.conf
new file mode 100644
index 00000000..0d21cc63
--- /dev/null
+++ b/conf/distro/include/xen-host.conf
@@ -0,0 +1,17 @@
+# Xen host configuration fragment
+#
+# Include from local.conf for Xen Dom0 development and testing.
+# Requires meta-virt-host.conf to be included first:
+#
+#   require conf/distro/include/meta-virt-host.conf
+#   require conf/distro/include/xen-host.conf
+#   MACHINE = "qemux86-64"
+#   bitbake xen-image-minimal
+#
+# Enables Xen hypervisor support, vxn (Docker CLI for Xen), and containerd
+# for the OCI runtime path.
+
+DISTRO_FEATURES:append = " xen vxn"
+
+# Xen Dom0 image packages: vxn, containerd
+IMAGE_INSTALL:append:pn-xen-image-minimal = " vxn containerd-opencontainers"
diff --git a/conf/distro/vruntime.conf b/conf/distro/vruntime.conf
index 72958b7d..0ea43e62 100644
--- a/conf/distro/vruntime.conf
+++ b/conf/distro/vruntime.conf
@@ -37,12 +37,13 @@ DISTRO_VERSION = "1.0"
 # Explicitly NOT included: x11, wayland, pulseaudio, bluetooth, wifi, nfc, 3g, pcmcia
 DISTRO_FEATURES = "acl ext2 ipv4 ipv6 seccomp vfat pci vcontainer vxn"
 
-# Block backfill features not needed by container runtime environments.
-# OE-core's DISTRO_FEATURES_BACKFILL auto-appends these to DISTRO_FEATURES
-# unless explicitly listed here. Without this, gobject-introspection-data
-# enables python3-pygobject (which DEPENDS on cairo), and wayland enables
+# Opt out of default distro features not needed by container runtime
+# environments. Without this, gobject-introspection-data enables
+# python3-pygobject (which DEPENDS on cairo), and wayland enables
 # pygobject's cairo PACKAGECONFIG — both are masked in vruntime builds.
-DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio gobject-introspection-data opengl ptest multiarch wayland vulkan"
+# Note: OE-core replaced DISTRO_FEATURES_BACKFILL_CONSIDERED with
+# DISTRO_FEATURES_OPTED_OUT (commit 159148f4de2).
+DISTRO_FEATURES_OPTED_OUT = "pulseaudio gobject-introspection-data opengl ptest multiarch wayland vulkan"
 
 # Native and nativesdk classes need full features for build tools
 DISTRO_FEATURES:class-native = "${DISTRO_FEATURES_DEFAULT} ${POKY_DEFAULT_DISTRO_FEATURES}"
@@ -62,6 +63,11 @@ VIRTUAL-RUNTIME_login_manager = ""
 # Keep images small - no documentation or debug
 EXTRA_IMAGE_FEATURES = ""
 
+# Disable ptest for glib-2.0 — its -ptest RDEPENDS pulls
+# cairo → fontconfig → freetype (entire graphics stack) via
+# python3-dbusmock → python3-pygobject, all masked in vruntime.
+PTEST_ENABLED:pn-glib-2.0 = ""
+
 # =============================================================================
 # Container runtime: NOT SET
 # =============================================================================
@@ -74,3 +80,12 @@ EXTRA_IMAGE_FEATURES = ""
 # their required runtimes in IMAGE_INSTALL.
 # =============================================================================
 VIRTUAL-RUNTIME_container_runtime = ""
+VIRTUAL-RUNTIME_container_engine = ""
+VIRTUAL-RUNTIME_container_networking = ""
+VIRTUAL-RUNTIME_container_dns = ""
+VIRTUAL-RUNTIME_container_orchestration = ""
+
+# Ensure the unified runc recipe is the provider — vdkr-rootfs-image
+# RDEPENDS on runc directly. Strong assignment to override any stale
+# cache or weak defaults.
+PREFERRED_PROVIDER_virtual/runc = "runc"
diff --git a/conf/layer.conf b/conf/layer.conf
index a387d35e..eababe00 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -21,7 +21,7 @@ BBFILES_DYNAMIC += " \
 # This should only be incremented on significant changes that will
 # cause compatibility issues with other layers
 LAYERVERSION_virtualization-layer = "1"
-LAYERSERIES_COMPAT_virtualization-layer = "whinlatter"
+LAYERSERIES_COMPAT_virtualization-layer = "wrynose"
 LAYERDEPENDS_virtualization-layer = " \
     core \
     openembedded-layer \