1 files changed, 159 insertions, 0 deletions
diff --git a/recipes-core/vxn/README.md b/recipes-core/vxn/README.md
new file mode 100644
index 00000000..35802e31
--- /dev/null
+++ b/recipes-core/vxn/README.md
@@ -0,0 +1,159 @@
+# vxn — Docker CLI for Xen DomU Containers
+vxn runs OCI containers as Xen DomU guests. The VM IS the container — no
+Docker/Podman daemon runs inside the guest. The guest boots a minimal Linux,
+mounts the container's filesystem, and directly executes the entrypoint.
+## Packages
+| Package | Contents | Usage |
+|---------|----------|-------|
+| `vxn` | CLI, OCI runtime, blobs, containerd config | Base package (required) |
+| `vxn-vdkr` | `vdkr` — Docker-like CLI frontend | `IMAGE_INSTALL:append = " vxn-vdkr"` |
+| `vxn-vpdmn` | `vpdmn` — Podman-like CLI frontend | `IMAGE_INSTALL:append = " vxn-vpdmn"` |
+| `vxn-docker-config` | `/etc/docker/daemon.json` (vxn as default runtime) | `IMAGE_INSTALL:append = " vxn-docker-config"` |
+| `vxn-podman-config` | `/etc/containers/containers.conf.d/50-vxn-runtime.conf` | `IMAGE_INSTALL:append = " vxn-podman-config"` |
+## Execution Paths
+### 1. containerd (vctr/ctr) — recommended
+No additional packages needed beyond `vxn`. containerd is configured
+automatically via `/etc/containerd/config.toml`.
+```bash
+ctr image pull docker.io/library/alpine:latest
+vctr run --rm docker.io/library/alpine:latest test1 /bin/echo hello
+ctr run -t --rm --runtime io.containerd.vxn.v2 docker.io/library/alpine:latest tty1 /bin/sh
+```
+### 2. vdkr/vpdmn (Docker/Podman-like CLI, no daemon)
+Install `vxn-vdkr` or `vxn-vpdmn`. These are standalone frontends that
+auto-detect Xen (via `xl`) and manage containers without any daemon process.
+They handle OCI image pull/unpack on the host via skopeo.
+```bash
+vdkr run --rm alpine echo hello        # Docker-like
+vpdmn run --rm alpine echo hello       # Podman-like
+```
+Persistent DomU (memres) for faster subsequent runs:
+```bash
+vdkr vmemres start                     # Boot persistent DomU (~10s)
+vdkr run --rm alpine echo hello        # Hot-plug container (~1s)
+vdkr vmemres stop                      # Shutdown DomU
+```
+### 3. Native Docker with vxn runtime
+Install `vxn-docker-config` to register vxn-oci-runtime as Docker's default
+OCI runtime. Docker manages images (pull/tag/rmi) natively.
+```bash
+docker run --rm --network=none alpine echo hello
+docker run --rm --network=host alpine echo hello
+```
+**IMPORTANT: Networking** — Docker's default bridge networking is incompatible
+with VM-based runtimes. Docker tries to create veth pairs and move them into
+a Linux network namespace, but vxn containers are Xen DomUs with their own
+kernel network stack. You MUST use `--network=none` or `--network=host`.
+This is the same limitation as kata-containers. The long-term fix is a TAP
+bridge that connects Docker's network namespace to the DomU's vif (see TODO).
+For selective use (keep runc as default, use vxn per-run):
+```bash
+docker run --rm --runtime=vxn --network=none alpine echo hello
+```
+### 4. Native Podman with vxn runtime
+Install `vxn-podman-config` to register vxn-oci-runtime as Podman's default
+OCI runtime. Same networking constraints as Docker.
+```bash
+podman run --rm --network=none alpine echo hello
+```
+## Build Instructions
+```bash
+# Prerequisites in local.conf:
+DISTRO_FEATURES:append = " xen virtualization vcontainer"
+BBMULTICONFIG = "vruntime-aarch64 vruntime-x86-64"
+# Build (mcdepends auto-builds vruntime blobs)
+bitbake vxn
+# Dom0 image with containerd + Docker-like CLI
+IMAGE_INSTALL:append = " vxn vxn-vdkr"
+# Dom0 image with native Docker integration
+IMAGE_INSTALL:append = " vxn vxn-docker-config docker"
+bitbake xen-image-minimal
+```
+## Architecture
+```
+Docker/Podman/containerd → vxn-oci-runtime → xl create/unpause/destroy → Xen DomU
+                                                                            ↓
+                                                                      vxn-init.sh
+                                                                        mount rootfs
+                                                                        chroot + exec
+```
+The OCI runtime (`/usr/bin/vxn-oci-runtime`) implements the standard
+create/start/state/kill/delete lifecycle by mapping to xl commands:
+| OCI Command | xl Equivalent |
+|-------------|---------------|
+| create | xl create -p (paused) |
+| start | xl unpause |
+| state | xl list + monitor PID check |
+| kill SIGTERM | xl shutdown (10s grace) + xl destroy |
+| kill SIGKILL | xl destroy |
+| delete | xl destroy + cleanup state |
+## Networking Constraints (Native Docker/Podman)
+Docker and Podman's default bridge networking creates Linux veth pairs and
+moves one end into a container network namespace. This is fundamentally
+incompatible with VM-based runtimes where the "container" is a VM with its
+own kernel networking.
+**Current workarounds:**
+- `--network=none` — DomU uses its own xenbr0 networking
+- `--network=host` — Tells Docker/Podman to skip namespace setup
+**Future fix (TODO):**
+TAP bridge integration — read Docker's network namespace config from
+config.json, create a TAP device bridged to the DomU's vif. This is the
+approach kata-containers uses to provide Docker-compatible networking with
+VM isolation.
+**Not affected:**
+- `vctr`/`ctr` (containerd) — CNI is separate and opt-in
+- `vdkr`/`vpdmn` — Handle networking independently via xenbr0
+## Debugging
+```bash
+# OCI runtime log (all invocations)
+cat /var/log/vxn-oci-runtime.log
+# Per-container console capture (persists after container exit)
+ls /var/log/vxn-oci-runtime/containers/
+# Xen domain status
+xl list
+# Watch domain console
+xl console <domname>
+# Kill stuck domain
+xl destroy <domname>
+```

diff --git a/recipes-core/vxn/README.md b/recipes-core/vxn/README.md new file mode 100644 index 00000000..35802e31 --- /dev/null +++ b/recipes-core/vxn/README.md
@@ -0,0 +1,159 @@
	1	# vxn — Docker CLI for Xen DomU Containers
	2
	3	vxn runs OCI containers as Xen DomU guests. The VM IS the container — no
	4	Docker/Podman daemon runs inside the guest. The guest boots a minimal Linux,
	5	mounts the container's filesystem, and directly executes the entrypoint.
	6
	7	## Packages
	8
	9	\| Package \| Contents \| Usage \|
	10	\|---------\|----------\|-------\|
	11	\| `vxn` \| CLI, OCI runtime, blobs, containerd config \| Base package (required) \|
	12	\| `vxn-vdkr` \| `vdkr` — Docker-like CLI frontend \| `IMAGE_INSTALL:append = " vxn-vdkr"` \|
	13	\| `vxn-vpdmn` \| `vpdmn` — Podman-like CLI frontend \| `IMAGE_INSTALL:append = " vxn-vpdmn"` \|
	14	\| `vxn-docker-config` \| `/etc/docker/daemon.json` (vxn as default runtime) \| `IMAGE_INSTALL:append = " vxn-docker-config"` \|
	15	\| `vxn-podman-config` \| `/etc/containers/containers.conf.d/50-vxn-runtime.conf` \| `IMAGE_INSTALL:append = " vxn-podman-config"` \|
	16
	17	## Execution Paths
	18
	19	### 1. containerd (vctr/ctr) — recommended
	20
	21	No additional packages needed beyond `vxn`. containerd is configured
	22	automatically via `/etc/containerd/config.toml`.
	23
	24	```bash
	25	ctr image pull docker.io/library/alpine:latest
	26	vctr run --rm docker.io/library/alpine:latest test1 /bin/echo hello
	27	ctr run -t --rm --runtime io.containerd.vxn.v2 docker.io/library/alpine:latest tty1 /bin/sh
	28	```
	29
	30	### 2. vdkr/vpdmn (Docker/Podman-like CLI, no daemon)
	31
	32	Install `vxn-vdkr` or `vxn-vpdmn`. These are standalone frontends that
	33	auto-detect Xen (via `xl`) and manage containers without any daemon process.
	34	They handle OCI image pull/unpack on the host via skopeo.
	35
	36	```bash
	37	vdkr run --rm alpine echo hello # Docker-like
	38	vpdmn run --rm alpine echo hello # Podman-like
	39	```
	40
	41	Persistent DomU (memres) for faster subsequent runs:
	42	```bash
	43	vdkr vmemres start # Boot persistent DomU (~10s)
	44	vdkr run --rm alpine echo hello # Hot-plug container (~1s)
	45	vdkr vmemres stop # Shutdown DomU
	46	```
	47
	48	### 3. Native Docker with vxn runtime
	49
	50	Install `vxn-docker-config` to register vxn-oci-runtime as Docker's default
	51	OCI runtime. Docker manages images (pull/tag/rmi) natively.
	52
	53	```bash
	54	docker run --rm --network=none alpine echo hello
	55	docker run --rm --network=host alpine echo hello
	56	```
	57
	58	IMPORTANT: Networking — Docker's default bridge networking is incompatible
	59	with VM-based runtimes. Docker tries to create veth pairs and move them into
	60	a Linux network namespace, but vxn containers are Xen DomUs with their own
	61	kernel network stack. You MUST use `--network=none` or `--network=host`.
	62
	63	This is the same limitation as kata-containers. The long-term fix is a TAP
	64	bridge that connects Docker's network namespace to the DomU's vif (see TODO).
	65
	66	For selective use (keep runc as default, use vxn per-run):
	67	```bash
	68	docker run --rm --runtime=vxn --network=none alpine echo hello
	69	```
	70
	71	### 4. Native Podman with vxn runtime
	72
	73	Install `vxn-podman-config` to register vxn-oci-runtime as Podman's default
	74	OCI runtime. Same networking constraints as Docker.
	75
	76	```bash
	77	podman run --rm --network=none alpine echo hello
	78	```
	79
	80	## Build Instructions
	81
	82	```bash
	83	# Prerequisites in local.conf:
	84	DISTRO_FEATURES:append = " xen virtualization vcontainer"
	85	BBMULTICONFIG = "vruntime-aarch64 vruntime-x86-64"
	86
	87	# Build (mcdepends auto-builds vruntime blobs)
	88	bitbake vxn
	89
	90	# Dom0 image with containerd + Docker-like CLI
	91	IMAGE_INSTALL:append = " vxn vxn-vdkr"
	92
	93	# Dom0 image with native Docker integration
	94	IMAGE_INSTALL:append = " vxn vxn-docker-config docker"
	95
	96	bitbake xen-image-minimal
	97	```
	98
	99	## Architecture
	100
	101	```
	102	Docker/Podman/containerd → vxn-oci-runtime → xl create/unpause/destroy → Xen DomU
	103	↓
	104	vxn-init.sh
	105	mount rootfs
	106	chroot + exec
	107	```
	108
	109	The OCI runtime (`/usr/bin/vxn-oci-runtime`) implements the standard
	110	create/start/state/kill/delete lifecycle by mapping to xl commands:
	111
	112	\| OCI Command \| xl Equivalent \|
	113	\|-------------\|---------------\|
	114	\| create \| xl create -p (paused) \|
	115	\| start \| xl unpause \|
	116	\| state \| xl list + monitor PID check \|
	117	\| kill SIGTERM \| xl shutdown (10s grace) + xl destroy \|
	118	\| kill SIGKILL \| xl destroy \|
	119	\| delete \| xl destroy + cleanup state \|
	120
	121	## Networking Constraints (Native Docker/Podman)
	122
	123	Docker and Podman's default bridge networking creates Linux veth pairs and
	124	moves one end into a container network namespace. This is fundamentally
	125	incompatible with VM-based runtimes where the "container" is a VM with its
	126	own kernel networking.
	127
	128	Current workarounds:
	129	- `--network=none` — DomU uses its own xenbr0 networking
	130	- `--network=host` — Tells Docker/Podman to skip namespace setup
	131
	132	Future fix (TODO):
	133	TAP bridge integration — read Docker's network namespace config from
	134	config.json, create a TAP device bridged to the DomU's vif. This is the
	135	approach kata-containers uses to provide Docker-compatible networking with
	136	VM isolation.
	137
	138	Not affected:
	139	- `vctr`/`ctr` (containerd) — CNI is separate and opt-in
	140	- `vdkr`/`vpdmn` — Handle networking independently via xenbr0
	141
	142	## Debugging
	143
	144	```bash
	145	# OCI runtime log (all invocations)
	146	cat /var/log/vxn-oci-runtime.log
	147
	148	# Per-container console capture (persists after container exit)
	149	ls /var/log/vxn-oci-runtime/containers/
	150
	151	# Xen domain status
	152	xl list
	153
	154	# Watch domain console
	155	xl console <domname>
	156
	157	# Kill stuck domain
	158	xl destroy <domname>
	159	```