From 39ef27d4587065132e0c3e1c9d5589ca4e726d04 Mon Sep 17 00:00:00 2001 From: Andrei Gherzan Date: Tue, 12 Jul 2022 16:20:00 +0200 Subject: [PATCH] podman: Add support for rootless mode This support is disabled by default and exposed via PACKAGECONFIG. Signed-off-by: Andrei Gherzan Signed-off-by: Bruce Ashfield --- docs/00-INDEX | 3 +++ docs/podman.txt | 14 ++++++++++++++ docs/podman.txt.license | 3 +++ .../podman/podman/00-podman-rootless.conf | 6 ++++++ recipes-containers/podman/podman_git.bb | 11 ++++++++++- 5 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 docs/podman.txt create mode 100644 docs/podman.txt.license create mode 100644 recipes-containers/podman/podman/00-podman-rootless.conf diff --git a/docs/00-INDEX b/docs/00-INDEX index 5aa1b3c5..6659fbee 100644 --- a/docs/00-INDEX +++ b/docs/00-INDEX @@ -11,5 +11,8 @@ alphabetical order as well. openvswitch.txt - example on how to setup openvswitch with qemu/kvm. +podman.txt + - documentation on podman container engine integration. + xvisor.txt - example on how to setup Xvisor for RISC-V QEMU. diff --git a/docs/podman.txt b/docs/podman.txt new file mode 100644 index 00000000..66a69b3c --- /dev/null +++ b/docs/podman.txt @@ -0,0 +1,14 @@ +Podman +====== + +Rootless mode +------------- + +Podman is a daemonless container engine that has as one of its features the +ability to run in rootless mode. This requires a set of configurations and +additional components. The OE/Yocto integration configures podman with this +support disabled by default. This can be changed via configuration files +(distro, local.conf, etc.) or bbappends using the `PACKAGECONFIG` variable. + +To enable rootless support, add `rootless` to the `PACKAGECONFIG` podman +recipe variable. diff --git a/docs/podman.txt.license b/docs/podman.txt.license new file mode 100644 index 00000000..c7348705 --- /dev/null +++ b/docs/podman.txt.license @@ -0,0 +1,3 @@ +SPDX-FileCopyrightText: Huawei Inc. + +SPDX-License-Identifier: MIT 
diff --git a/recipes-containers/podman/podman/00-podman-rootless.conf b/recipes-containers/podman/podman/00-podman-rootless.conf new file mode 100644 index 00000000..aaede0e1 --- /dev/null +++ b/recipes-containers/podman/podman/00-podman-rootless.conf @@ -0,0 +1,6 @@ +# SPDX-FileCopyrightText: Huawei Inc. +# +# SPDX-License-Identifier: MIT + +# User namespaces are required for rootless containers. +user.max_user_namespaces = 15000 diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb index 4693bd68..02d89214 100644 --- a/recipes-containers/podman/podman_git.bb +++ b/recipes-containers/podman/podman_git.bb @@ -21,6 +21,7 @@ SRCREV = "717edd7b844dcd66468f5d991991d87e9fc14c12" SRC_URI = " \ git://github.com/containers/libpod.git;branch=v4.0;protocol=https \ file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \ + ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://00-podman-rootless.conf', '', d)} \ " LICENSE = "Apache-2.0" @@ -97,6 +98,11 @@ do_install() { # Silence docker emulation warnings. mkdir -p ${D}/etc/containers touch ${D}/etc/containers/nodocker + + if ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'true', 'false', d)}; then + install -d "${D}${sysconfdir}/sysctl.d" + install -m 0644 "${WORKDIR}/00-podman-rootless.conf" "${D}${sysconfdir}/sysctl.d" + fi } FILES:${PN} += " \ 
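Review bot: The comment above `user.max_user_namespaces = 15000` explains why the key is set but not what it costs: a non-zero value permits unprivileged user-namespace creation for every user on the system, which is a recurring kernel privilege-escalation surface, so a hardened distro policy may deliberately pin it to 0 and that would silently disable rootless podman. I would extend the comment to `# Non-zero here enables unprivileged user namespaces system-wide (extra kernel attack surface); a later-sorting sysctl.d drop-in that sets this to 0 overrides it and breaks rootless podman.` The value 15000 is also unexplained; one line on where it comes from, or that it merely needs to be non-zero, would help the next maintainer. Presumably the key only exists on kernels built with user-namespace support, so docs/podman.txt could name that kernel requirement alongside the PACKAGECONFIG switch.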
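Review bot: The sysctl drop-in installed by the new `install -m 0644` line in do_install lands under `${sysconfdir}` but is not listed in `CONFFILES:${PN}`, so a package upgrade overwrites any on-device edit to it; I would add `CONFFILES:${PN} += "${@bb.utils.contains('PACKAGECONFIG', 'rootless', '${sysconfdir}/sysctl.d/00-podman-rootless.conf', '', d)}"` beside the FILES assignment. Style: the two added lines use `${sysconfdir}` while the `mkdir -p ${D}/etc/containers` and `touch` lines immediately above hard-code `/etc`; the function should use one form throughout. Nothing in this hunk or the RDEPENDS guarantees that something applies /etc/sysctl.d at boot (systemd-sysctl or a sysctl init script); if the image does not provide that, the limit never takes effect and rootless containers fail at namespace creation, which is worth stating in docs/podman.txt.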
@@ -112,6 +118,9 @@ SYSTEMD_SERVICE:${PN} = "podman.service podman.socket" # that busybox is configured with nsenter VIRTUAL-RUNTIME_base-utils-nsenter ?= "util-linux-nsenter" -RDEPENDS:${PN} += "conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter}" +RDEPENDS:${PN} += "\ + conmon virtual-runc iptables cni skopeo ${VIRTUAL-RUNTIME_base-utils-nsenter} \ + ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'fuse-overlayfs slirp4netns', '', d)} \ +" RRECOMMENDS:${PN} += "slirp4netns kernel-module-xt-masquerade kernel-module-xt-comment" RCONFLICTS:${PN} = "${@bb.utils.contains('PACKAGECONFIG', 'docker', 'docker', '', d)}"
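Review bot: `slirp4netns` becomes a hard RDEPENDS under `rootless` in the new multi-line assignment, yet it still appears unconditionally in the `RRECOMMENDS:${PN}` line directly below; the duplicate should be removed from RRECOMMENDS so the dependency lives in one place. More importantly, the rootless runtime set added here (`fuse-overlayfs slirp4netns`) does not cover subordinate-ID mapping: rootless podman needs `/etc/subuid` and `/etc/subgid` entries for the user and the setuid-root `newuidmap`/`newgidmap` helpers for anything beyond a single-UID mapping, so unless that is provided elsewhere in the recipe I would add the package shipping those helpers (shadow, I believe, in OE-core) to the rootless RDEPENDS and document the subuid/subgid requirement in docs/podman.txt. Because those helpers are setuid, the doc should also say that enabling `rootless` puts them on the image. fuse-overlayfs presumably also needs `/dev/fuse` at runtime, so `kernel-module-fuse` could join the existing kernel-module RRECOMMENDS.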