1 files changed, 63 insertions, 0 deletions
diff --git a/recipes-containers/vcontainer/files/vrunner.sh b/recipes-containers/vcontainer/files/vrunner.sh
index 4e99cba7..22e9229a 100755
--- a/recipes-containers/vcontainer/files/vrunner.sh
+++ b/recipes-containers/vcontainer/files/vrunner.sh
@@ -311,6 +311,10 @@ PORT_FORWARDS=()
 # Registry configuration
 DOCKER_REGISTRY=""
 INSECURE_REGISTRIES=()
+SECURE_REGISTRY="false"
+CA_CERT=""
+REGISTRY_USER=""
+REGISTRY_PASS=""
 # Batch import mode
 BATCH_IMPORT="false"
@@ -381,6 +385,26 @@ while [ $# -gt 0 ]; do
            INSECURE_REGISTRIES+=("$2")
            shift 2
            ;;
+        --secure-registry)
+            # Enable TLS verification for registry
+            SECURE_REGISTRY="true"
+            shift
+            ;;
+        --ca-cert)
+            # Path to CA certificate for TLS verification
+            CA_CERT="$2"
+            shift 2
+            ;;
+        --registry-user)
+            # Registry username
+            REGISTRY_USER="$2"
+            shift 2
+            ;;
+        --registry-pass)
+            # Registry password
+            REGISTRY_PASS="$2"
+            shift 2
+            ;;
        --interactive|-it)
            INTERACTIVE="true"
            shift
@@ -1153,6 +1177,22 @@ for reg in "${INSECURE_REGISTRIES[@]}"; do
    KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_insecure_registry=$reg"
 done
+# Secure registry mode (TLS verification)
+# CA certificate is passed via virtio-9p share, not kernel cmdline (too large)
+if [ "$SECURE_REGISTRY" = "true" ]; then
+    KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_registry_secure=1"
+fi
+# Registry credentials
+if [ -n "$REGISTRY_USER" ]; then
+    KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_registry_user=$REGISTRY_USER"
+fi
+if [ -n "$REGISTRY_PASS" ]; then
+    # Base64 encode the password to handle special characters
+    REGISTRY_PASS_B64=$(echo -n "$REGISTRY_PASS" | base64 -w0)
+    KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_registry_pass=$REGISTRY_PASS_B64"
+fi
 # Tell init script if interactive mode
 if [ "$INTERACTIVE" = "true" ]; then
    KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_interactive=1"
@@ -1246,6 +1286,8 @@ if [ "$DAEMON_MODE" = "start" ]; then
    # Use security_model=none for simplest file sharing (no permission mapping)
    # This allows writes from container (running as root) to propagate to host
    QEMU_OPTS="$QEMU_OPTS -virtfs local,path=$DAEMON_SHARE_DIR,mount_tag=$SHARE_TAG,security_model=none,id=$SHARE_TAG"
+    # Tell init script to mount the share
+    KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_9p=1"
    # Add virtio-serial device for command channel
    # Using virtserialport creates /dev/vport0p1 in guest, host sees unix socket
@@ -1298,6 +1340,12 @@ if [ "$DAEMON_MODE" = "start" ]; then
        fi
    fi
+    # Copy CA certificate to shared folder (too large for kernel cmdline)
+    if [ -n "$CA_CERT" ] && [ -f "$CA_CERT" ]; then
+        cp "$CA_CERT" "$DAEMON_SHARE_DIR/ca.crt"
+        log "DEBUG" "CA certificate copied to shared folder"
+    fi
    log "INFO" "Starting daemon..."
    log "DEBUG" "PID file: $DAEMON_PID_FILE"
    log "DEBUG" "Socket: $DAEMON_SOCKET"
@@ -1406,6 +1454,21 @@ if [ "$DAEMON_MODE" = "start" ]; then
    fi
 fi
+# For non-daemon mode with CA cert, we need virtio-9p to pass the cert
+# (kernel cmdline is too small for base64-encoded certs)
+if [ -n "$CA_CERT" ] && [ -f "$CA_CERT" ]; then
+    # Create temp share dir for CA cert
+    CA_SHARE_DIR="$TEMP_DIR/ca_share"
+    mkdir -p "$CA_SHARE_DIR"
+    cp "$CA_CERT" "$CA_SHARE_DIR/ca.crt"
+    # Add virtio-9p mount for CA cert
+    SHARE_TAG="${TOOL_NAME}_share"
+    QEMU_OPTS="$QEMU_OPTS -virtfs local,path=$CA_SHARE_DIR,mount_tag=$SHARE_TAG,security_model=none,readonly=on,id=cashare"
+    KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_9p=1"
+    log "DEBUG" "CA certificate available via virtio-9p"
+fi
 log "INFO" "Starting QEMU..."
 log "DEBUG" "Command: $QEMU_CMD $QEMU_OPTS -append \"$KERNEL_APPEND\""

diff --git a/recipes-containers/vcontainer/files/vrunner.sh b/recipes-containers/vcontainer/files/vrunner.sh index 4e99cba7..22e9229a 100755 --- a/recipes-containers/vcontainer/files/vrunner.sh +++ b/recipes-containers/vcontainer/files/vrunner.sh
@@ -311,6 +311,10 @@ PORT_FORWARDS=()
311	# Registry configuration	311	# Registry configuration
312	DOCKER_REGISTRY=""	312	DOCKER_REGISTRY=""
313	INSECURE_REGISTRIES=()	313	INSECURE_REGISTRIES=()
		314	SECURE_REGISTRY="false"
		315	CA_CERT=""
		316	REGISTRY_USER=""
		317	REGISTRY_PASS=""
314		318
315	# Batch import mode	319	# Batch import mode
316	BATCH_IMPORT="false"	320	BATCH_IMPORT="false"
@@ -381,6 +385,26 @@ while [ $# -gt 0 ]; do
381	INSECURE_REGISTRIES+=("$2")	385	INSECURE_REGISTRIES+=("$2")
382	shift 2	386	shift 2
383	;;	387	;;
		388	--secure-registry)
		389	# Enable TLS verification for registry
		390	SECURE_REGISTRY="true"
		391	shift
		392	;;
		393	--ca-cert)
		394	# Path to CA certificate for TLS verification
		395	CA_CERT="$2"
		396	shift 2
		397	;;
		398	--registry-user)
		399	# Registry username
		400	REGISTRY_USER="$2"
		401	shift 2
		402	;;
		403	--registry-pass)
		404	# Registry password
		405	REGISTRY_PASS="$2"
		406	shift 2
		407	;;
384	--interactive\|-it)	408	--interactive\|-it)
385	INTERACTIVE="true"	409	INTERACTIVE="true"
386	shift	410	shift
@@ -1153,6 +1177,22 @@ for reg in "${INSECURE_REGISTRIES[@]}"; do
1153	KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_insecure_registry=$reg"	1177	KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_insecure_registry=$reg"
1154	done	1178	done
1155		1179
		1180	# Secure registry mode (TLS verification)
		1181	# CA certificate is passed via virtio-9p share, not kernel cmdline (too large)
		1182	if [ "$SECURE_REGISTRY" = "true" ]; then
		1183	KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_registry_secure=1"
		1184	fi
		1185
		1186	# Registry credentials
		1187	if [ -n "$REGISTRY_USER" ]; then
		1188	KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_registry_user=$REGISTRY_USER"
		1189	fi
		1190	if [ -n "$REGISTRY_PASS" ]; then
		1191	# Base64 encode the password to handle special characters
		1192	REGISTRY_PASS_B64=$(echo -n "$REGISTRY_PASS" \| base64 -w0)
		1193	KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_registry_pass=$REGISTRY_PASS_B64"
		1194	fi
		1195
1156	# Tell init script if interactive mode	1196	# Tell init script if interactive mode
1157	if [ "$INTERACTIVE" = "true" ]; then	1197	if [ "$INTERACTIVE" = "true" ]; then
1158	KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_interactive=1"	1198	KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_interactive=1"
@@ -1246,6 +1286,8 @@ if [ "$DAEMON_MODE" = "start" ]; then
1246	# Use security_model=none for simplest file sharing (no permission mapping)	1286	# Use security_model=none for simplest file sharing (no permission mapping)
1247	# This allows writes from container (running as root) to propagate to host	1287	# This allows writes from container (running as root) to propagate to host
1248	QEMU_OPTS="$QEMU_OPTS -virtfs local,path=$DAEMON_SHARE_DIR,mount_tag=$SHARE_TAG,security_model=none,id=$SHARE_TAG"	1288	QEMU_OPTS="$QEMU_OPTS -virtfs local,path=$DAEMON_SHARE_DIR,mount_tag=$SHARE_TAG,security_model=none,id=$SHARE_TAG"
		1289	# Tell init script to mount the share
		1290	KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_9p=1"
1249		1291
1250	# Add virtio-serial device for command channel	1292	# Add virtio-serial device for command channel
1251	# Using virtserialport creates /dev/vport0p1 in guest, host sees unix socket	1293	# Using virtserialport creates /dev/vport0p1 in guest, host sees unix socket
@@ -1298,6 +1340,12 @@ if [ "$DAEMON_MODE" = "start" ]; then
1298	fi	1340	fi
1299	fi	1341	fi
1300		1342
		1343	# Copy CA certificate to shared folder (too large for kernel cmdline)
		1344	if [ -n "$CA_CERT" ] && [ -f "$CA_CERT" ]; then
		1345	cp "$CA_CERT" "$DAEMON_SHARE_DIR/ca.crt"
		1346	log "DEBUG" "CA certificate copied to shared folder"
		1347	fi
		1348
1301	log "INFO" "Starting daemon..."	1349	log "INFO" "Starting daemon..."
1302	log "DEBUG" "PID file: $DAEMON_PID_FILE"	1350	log "DEBUG" "PID file: $DAEMON_PID_FILE"
1303	log "DEBUG" "Socket: $DAEMON_SOCKET"	1351	log "DEBUG" "Socket: $DAEMON_SOCKET"
@@ -1406,6 +1454,21 @@ if [ "$DAEMON_MODE" = "start" ]; then
1406	fi	1454	fi
1407	fi	1455	fi
1408		1456
		1457	# For non-daemon mode with CA cert, we need virtio-9p to pass the cert
		1458	# (kernel cmdline is too small for base64-encoded certs)
		1459	if [ -n "$CA_CERT" ] && [ -f "$CA_CERT" ]; then
		1460	# Create temp share dir for CA cert
		1461	CA_SHARE_DIR="$TEMP_DIR/ca_share"
		1462	mkdir -p "$CA_SHARE_DIR"
		1463	cp "$CA_CERT" "$CA_SHARE_DIR/ca.crt"
		1464
		1465	# Add virtio-9p mount for CA cert
		1466	SHARE_TAG="${TOOL_NAME}_share"
		1467	QEMU_OPTS="$QEMU_OPTS -virtfs local,path=$CA_SHARE_DIR,mount_tag=$SHARE_TAG,security_model=none,readonly=on,id=cashare"
		1468	KERNEL_APPEND="$KERNEL_APPEND ${CMDLINE_PREFIX}_9p=1"
		1469	log "DEBUG" "CA certificate available via virtio-9p"
		1470	fi
		1471
1409	log "INFO" "Starting QEMU..."	1472	log "INFO" "Starting QEMU..."
1410	log "DEBUG" "Command: $QEMU_CMD $QEMU_OPTS -append \"$KERNEL_APPEND\""	1473	log "DEBUG" "Command: $QEMU_CMD $QEMU_OPTS -append \"$KERNEL_APPEND\""
1411		1474