Commit Graph

2632 Commits

Author SHA1 Message Date
Martin Jansa
b70b45de8c packagegroup-container: respect seccomp in DISTRO_FEATURES
* fix f53b101d45

* you might want to skip the whole packagegroup-netavark without
  seccomp, but without this, parsing world in a DISTRO without
  seccomp fails with:

ERROR: Nothing RPROVIDES 'netavark' (but meta-virtualization/recipes-core/packagegroups/packagegroup-container.bb RDEPENDS on or otherwise requires it)
netavark was skipped: missing required distro feature 'seccomp' (not in DISTRO_FEATURES)
NOTE: Runtime target 'netavark' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['netavark']
ERROR: Nothing RPROVIDES 'packagegroup-docker' (but meta-virtualization/recipes-core/packagegroups/packagegroup-container.bb RDEPENDS on or otherwise requires it)
No eligible RPROVIDERs exist for 'packagegroup-docker'
NOTE: Runtime target 'packagegroup-docker' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['packagegroup-docker']
ERROR: Nothing RPROVIDES 'packagegroup-oci' (but meta-virtualization/recipes-core/packagegroups/packagegroup-container.bb RDEPENDS on or otherwise requires it)
No eligible RPROVIDERs exist for 'packagegroup-oci'
NOTE: Runtime target 'packagegroup-oci' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['packagegroup-oci']
ERROR: Nothing RPROVIDES 'packagegroup-container' (but meta-virtualization/recipes-core/packagegroups/packagegroup-container.bb RDEPENDS on or otherwise requires it)
No eligible RPROVIDERs exist for 'packagegroup-container'
NOTE: Runtime target 'packagegroup-container' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['packagegroup-container']
ERROR: Nothing RPROVIDES 'packagegroup-lxc' (but meta-virtualization/recipes-core/packagegroups/packagegroup-container.bb RDEPENDS on or otherwise requires it)
No eligible RPROVIDERs exist for 'packagegroup-lxc'
NOTE: Runtime target 'packagegroup-lxc' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['packagegroup-lxc']
ERROR: Nothing RPROVIDES 'packagegroup-cni' (but meta-virtualization/recipes-core/packagegroups/packagegroup-container.bb RDEPENDS on or otherwise requires it)
No eligible RPROVIDERs exist for 'packagegroup-cni'
NOTE: Runtime target 'packagegroup-cni' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['packagegroup-cni']
ERROR: Nothing RPROVIDES 'aardvark-dns' (but meta-virtualization/recipes-core/packagegroups/packagegroup-container.bb RDEPENDS on or otherwise requires it)
aardvark-dns was skipped: missing required distro feature 'seccomp' (not in DISTRO_FEATURES)
NOTE: Runtime target 'aardvark-dns' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['aardvark-dns']
ERROR: Nothing RPROVIDES 'conmon' (but meta-virtualization/recipes-core/packagegroups/packagegroup-container.bb RDEPENDS on or otherwise requires it)
conmon was skipped: missing required distro feature 'seccomp' (not in DISTRO_FEATURES)
NOTE: Runtime target 'conmon' is unbuildable, removing...
Missing or unbuildable dependency chain was: ['conmon']

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-21 04:28:51 +00:00
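The pattern behind this fix, as an added illustration rather than the layer's actual diff: gate the runtime dependencies that only exist when `seccomp` is in DISTRO_FEATURES, so that the packagegroup still parses (and `world` still resolves) on a distro without it. netavark, aardvark-dns and conmon are the packages the log above shows being skipped; the exact packagegroup variable names and the placement of conmon are assumptions.

```bitbake
# Added example, not the recipe's own lines. Assumes the packagegroup names
# used in the commit message; check with:
#   bitbake -e packagegroup-container | grep '^RDEPENDS:packagegroup-netavark='

# Buggy form: an unconditional runtime dependency. When the distro lacks
# 'seccomp' the netavark/aardvark-dns recipes are skipped, nothing RPROVIDES
# them, and every packagegroup that pulls them in becomes unbuildable.
#RDEPENDS:packagegroup-netavark = "netavark aardvark-dns"

# Fixed form: only ask for the packages when the feature that builds them is on.
RDEPENDS:packagegroup-netavark = " \
    ${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'netavark aardvark-dns', '', d)} \
"

# conmon is skipped for the same reason; wherever it is listed (the group
# name below is an assumption), apply the same guard.
RDEPENDS:packagegroup-container-tools:append = " \
    ${@bb.utils.contains('DISTRO_FEATURES', 'seccomp', 'conmon', '', d)} \
"
```

`bb.utils.contains(var, checkvals, truevalue, falsevalue, d)` is the standard BitBake helper for this; the alternative the author mentions, skipping the whole packagegroup without seccomp, would also take every other group in the same .bb file with it, which is why a per-package guard is the smaller change.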
Bruce Ashfield
33f916b5f5 xen-tools: make qemu-firmware dependent on vmsep distro feature
Only when vmsep is enabled is qemu-firmware separated out from
the main qemu package. So we should make our dependency conditional
on that feature.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-18 19:24:22 +00:00
Bruce Ashfield
e70c9e4fff xen-image-minimal: allow non-zero return codes
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
e490dc5071 cni: make cnitool more readily available
Having cnitool available on the path helps usability.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
87b0a869c6 containerd: update to v2.0.0-rc.6
Bumping containerd to version v2.0.0-rc.6-23-g1e6fdb531, which comprises the following commits:

    0208cb58c go.mod: github.com/containerd/imgcrypt v2.0.0-rc-1
    588b7a100 testutil: avoid conflict with continuity/testutil
    181491032 build(deps): bump github.com/containerd/continuity from 0.4.3 to 0.4.4
    497dc7bf3 build(deps): bump github.com/checkpoint-restore/checkpointctl
    fddeb6f3c pkg/protobuf: fix typo in godoc
    96a1e498f Update containerd plugin to v1.0.0
    3b45a44cc Update to ttrpc v1.2.6 tag
    3cc2343de local: avoid writing to content root on readonly store
    778defa31 Add back ZFS snapshotter
    d3ff3e2ff CI: move crun from Ubuntu to Fedora
    5c65a3d7b Update version to v2.0.0-rc.6
    9aa637b22 Update api vendor to latest
    4b9d6c014 deps: bump github.com/containerd/nri
    2535b187a Scope writer locks to each writer.
    bc819bc97 docs: add command for finding schema 1 images
    c86b2772c docs: update min version for deprecation warnings
    a1ce18816 CI: bump up crun to 1.17
    021895985 Update hcsshim version to v0.12.8
    373311a84 build(deps): bump github.com/opencontainers/selinux
    cf9cf8b5a build(deps): bump github.com/prometheus/client_golang
    03860c208 build(deps): bump azure/CLI from 1.0.9 to 2.1.0
    cf7218fb0 build(deps): bump actions/checkout from 4.1.1 to 4.2.1
    78ec6ef02 build(deps): bump actions/upload-artifact from 4.1.0 to 4.4.3
    bfe8fa330 build(deps): bump github/codeql-action from 3.24.0 to 3.26.13
    38ba7f2f7 dedup BuildLabels
    a5cd0d0a5 dedup GetPassthroughAnnotations
    269997ac5 dedup GetRepoDigestAndTag
    f61dbc2d0 dedup ParseImageReferences
    530db2e8d Introduce two additional unit tests for two runtimes and pod annotations.
    a21e379b6 Allow sections of Plugins to be merged, and not overwritten as entire sections.
    2f24aa00a Update errdefs to 0.3.0
    92d327af1 Update tracing docs for containerd 2.0
    943b196ad Update NRI documentation for containerd 2.0
    a6ceb4be0 containerd 2.0 guide: add image verifier plugins
    347423a11 Request 'allow' setgroups when spawning new userns
    249dd7474 Format link text in containerd 2.0 doc for readability
    18e4ea9a6 Add After=dbus.service to containerd.service
    3eea3536f docs/containerd-2.0.md: mention the removal of `cri-containerd-*.tar.gz`
    f8d50f6e8 README.md: put a link to docs/containerd-2.0.md
    b724b9f23 Add containerd 2.0 doc
    fc5086a74 cri: remove sandbox controller from client
    e4df672ab sandbox: add sandbox controller v2
    4f2bc1580 build(deps): bump lycheeverse/lychee-action from 1.10.0 to 2.0.2
    4bd3a71dd go.{mod,sum}: update NRI deps and re-vendor.
    bff82e196 [StepSecurity] ci: Harden GitHub Actions
    5eb0be994 build(deps): bump github.com/urfave/cli/v2 from 2.27.4 to 2.27.5
    0742238cd Handle teardown failure to avoid blocking cleanup
    c3d84a87f build(deps): bump the otel group with 8 updates
    bfe59daae build(deps): bump github.com/klauspost/compress from 1.17.10 to 1.17.11
    b7c333ce2 Revert "update runc binary to 1.1.15"
    c6d089090 metrics: Use UnmarshalTo instead of UnmarshalAny
    1db0064c6 CI: install OVMF for Vagrant
    4d02217b5 CI: fix "Unable to find a source package for vagrant" error
    38beeb359 Revert "use vagrant from jammy in noble"
    e2daa20ed Revert "use older version of OVMF package"
    ee921689f Switch from actuated.dev to GH Action runners for arm64
    f89ed3c62 build(deps): bump golang.org/x/sys in the golang-x group
    428df99db build(deps): bump google.golang.org/grpc from 1.67.0 to 1.67.1
    72126a984 update sample go test commands
    9c42dd959 build(deps): bump google.golang.org/protobuf from 1.34.2 to 1.35.1
    f0f1bfca0 update runc binary to 1.1.15
    46f5a0d93 update to go1.23.2,go1.22.8
    7b1809851 Update runner images to macOS13
    e479431e0 core/runtime: Fix a typo in error message
    b85909cd4 shim: Move pprof server to plugin
    b2681dfbd shim: Move ttrpc interceptors to plugins
    d7f83034c Fix the race condition during GC of snapshots when client retries
    24fe444eb script/setup/install-runc: Add trap statement to clean up tmp files
    6ffdabf72 Makefile: fix shim tags overwritten
    095131abf add use systemd cgroup e2e
    2123855ee Add build tag to omit grpc
    64d29ebe5 snapshots: core: Remove dependency on api types
    11ffba3dc shim: Do not depend on pkg/oci
    0d4e606bb Update hcsshim to v0.12.7
    78e39f7c5 build(deps): bump github.com/intel/goresctrl from 0.7.0 to 0.8.0
    17d4a1357 Propagate trace contexts to shims
    bc4646067 Prepare release notes for v2.0.0-rc.5
    ccb2a8d74 [cri] use 'UserSpecifiedImage' to set the image-name annotation
    b7b6b324b Add check for CNI plugins before tearing down pod network
    b5290726d Add timestamp to PodSandboxStatusResponse for kubernetes Evented PLEG
    146a977f9 Move features section to a separate file
    30f289335 core/mount: Only remove dirs if unmount succeeded
    f8d84ecf9 core/mount: Prevent accidental removal of rootfs files
    004f3951d core/mount: Use MNT_DETACH for umount of tmp layers
    f7ca91fa3 build(deps): bump github.com/prometheus/client_golang
    c75178d93 build(deps): bump google.golang.org/grpc from 1.66.2 to 1.67.0
    519cbda1d build(deps): bump github.com/klauspost/compress from 1.17.9 to 1.17.10
    d72051036 Enable the selinux on cri test
    b03a3c5a2 build(deps): bump the k8s group with 4 updates
    017efe05a build(deps): bump the otel group with 8 updates
    7c89148a1 build(deps): bump google.golang.org/grpc from 1.65.0 to 1.66.2
    6e2c4d00d build(deps): bump golang.org/x/mod
    ee0ed75d6 internal/cri: simplify netns setup with pinned userns
    fd3f3d5a1 pkg/sys: add GetUsernsForNamespace interface
    490e45a08 pkg/sys: Add UnshareAfterEnterUserns function
    83aaa89b6 update ctr run to support multiple uid/gid mappings
    1dedcb784 build(deps): bump github.com/checkpoint-restore/go-criu/v7
    7599d4df2 build(deps): bump github.com/prometheus/client_golang
    9037069da update to go1.23.1, go1.22.7
    6f43197c2 Remove cri SandboxInfo RuntimeHandler

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
c7834dbd3c podman: update to v5.2.3
Bumping libpod to version v5.2.3-4-g18e0d84c6c, which comprises the following commits:

    daae27b7b0 vendor: update c/common to v0.60.4
    f6a31e013d Bump to v5.2.4-dev
    c5366a308e Bump to v5.2.3
    b5ededbce5 Update release notes for v5.2.3
    35d2fc8de6 [v5.2] Bump Buildah to v1.37.3
    f0ddea707a pkg/specgen: allow pasta when running inside userns
    aaf15f81c4 libpod: convert owner IDs only with :idmap
    ec4ac087b4 docs: update read the docs changes
    c60961839a allow exposed sctp ports
    a995b6db5d libpod: setupNetNS() correctly mount netns
    d2c2539ee0 vendor: update c/common to v0.60.3
    a17fd8c0aa [skip-ci] Packit: split out ELN jobs and reuse fedora downstream targets
    b9691547ca [skip-ci] Packit: Enable sidetags for bodhi updates
    02d400e7b7 build: Update gvisor-tap-vsock to 0.7.5
    5c856c81b0 CI: podman-machine: do not use cache registry
    2f7011ab43 [CI:DOCS] Add v5.2.2 lib updates to RELEASE_NOTES.md
    602f71991c Bump to v5.2.3-dev
    fcee48106a Bump to v5.2.2
    37af07836a Update RELEASE_NOTES for v5.2.2
    570fbc49aa [v5.2] Bump Buildah to v1.37.2, c/common v0.60.2, c/image v5.32.2
    458d15cf5d [v5.2] golangci-lint: make darwin linting happy
    faf3edb5f4 [v5.2] golangci-lint: make windows linting happy
    b96312af0f [v5.2] test/e2e: remove kernel version check
    462c1c6d8e [v5.2] golangci-lint: remove most skip dirs
    35290c9b32 [v5.2] set !remote build tags where needed
    3ca3c1d456 [v5.2] update golangci-lint to 1.60.1
    d61b5d9409 Packit: update targets for propose-downstream
    dbdff97042 Create volume path before state initialization

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
249c79e20b xen: add README for testing
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
d2238e7287 xen: enable networking and guest image bundling
The xen host image reference needed significant work to be
functional for launching and testing Xen domu guests.

Here we add additional tools to the host image, and allow
it to automatically bundle guests if the configuration
is enabled.

We also add systemd networking configuration to create
a xenbr0 which offers connectivity to the entire reference
system.

See the recipes and the README for details on testing
and bundling.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
dc093093fe container-host: reduce extra space to 2GB
The previous 40G size was far too large.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
201436cd0c container-app-base: add missing space to IMAGE_INSTALL:append
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
59ee14bf17 cloud-image-controller: reduce extra space recommendation
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
5a32510af0 qemuboot: add note about virt_networking bbclass
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
718da5ae40 containerd: make network configuration a conflist
Parsing errors occur if this fragment ends with .conf,
so we renamed it to make sure it is processed as a
conflist.

Tested with containerd + nerdctl

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
9f88821d80 cni: rrecommend iptables and iproute
These aren't needed for all plugins, but are required
for others. So we make them a rrecommends to ensure
they are more often than not installed with the main
package.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
7afd21085b packagegroups: add iproute, iptables and tini
As it turns out CNI needs iptables to configure some plugins,
and without it we get a silent fail. It will also be added
to the recipe as a RRECOMMENDS, but we also put it in the
packagegroup for more visibility.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
eb5c2bc4a5 documentation: add README.md for available container image types
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
1a87aca209 images: add systemd reference container
Extends container-base to create a systemd enabled container that is
an appropriate starting point if a systemd application is being run
or a multi-user style environment is required.

The application specified in SYSTEMD_CONTAINER_APP will be installed
and be available to be executed.

The rootfs of this container type is post processed to enable and
disable services as specified by the container definition. This allows
services that are not appropriate in a containerized environment to
be disabled (i.e. getty login)

The list of services can be found in the recipes themselves.

This container enables ssh by default, so that it can be executed
in the background and then accessed as a full environment.

Note: this is currently a privileged container if run under docker.

There are multiple ways to add/remove permissions from the container,
and most are configurable during launch:

  % root@qemuarm64-54:~# docker run -d --rm --name systemd_test  --privileged --cap-add SYS_ADMIN \
     --security-opt seccomp=unconfined --cgroup-parent=docker.slice --cgroupns private \
     --tmpfs /tmp --tmpfs /run --tmpfs /run/lock zeddii/systemd-container-base

or

  % docker run -d --rm --name systemd_test --privileged  --cgroup-parent=docker.slice \
     --cgroupns private  zeddii/c3-systemd-container

  % root@qemuarm64-54:~# docker ps
  CONTAINER ID   IMAGE                         COMMAND        CREATED         STATUS         PORTS     NAMES
  4b07cc907e26   zeddii/c3-systemd-container   "/sbin/init"   5 minutes ago   Up 5 minutes             systemd_test

  % podman run -d --name systemd_test --privileged --cgroupns=host --tmpfs /tmp --tmpfs /run --tmpfs /run/lock \
           -v /sys/fs/cgroup:/sys/fs/cgroup:ro  zeddii/systemd-container-base

  % ctr container create --privileged --runtime="io.containerd.runc.v2" \
      --mount type=bind,src=/sys/fs/cgroup,dst=/sys/fs/cgroup,options=rbind:rw \
      docker.io/zeddii/systemd-container-base:latest  my_systemd_container /sbin/init

  % ctr task start --detach my_systemd_container

  % ctr task ls
    TASK                    PID    STATUS
    my_systemd_container    690    RUNNING

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
30647f3d94 images: add reference application container
Includes container-base.

Provides an application container that installs a package (or packages) to
the container and make the specified command the OCI_IMAGE_ENTRYPOINT.

   CONTAINER_APP_CMD : the binary to run via the OCI_IMAGE_ENTRYPOINT
   CONATINER_APP: packages to install to the container

The default entry point is the "date" command.

  % root@qemuarm64-54:~# docker run zeddii/container-app-base
  Mon Oct 28 18:41:23 UTC 2024

  % root@qemuarm64-54:~# docker run --entrypoint "du" zeddii/container-app-base -sh
  2.6M    .

  % podman run docker.io/zeddii/container-app-base
  Mon Oct 28 18:41:23 UTC 2024

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
683e03c275 images: add reference devtools container
includes container-base, and adds image features to make development
tools/headers available.

Anything added to CORE_DEV_IMAGE_EXTRA_INSTALL will be installed into
the image in its development variant.

The container shell is changed to bash from busybox.

package-management is added to this image type, but by default there
is no package feed configured (since it must be pointed at a build)

  % root@qemuarm64-54:~# docker run -it zeddii/container-devtools  bash
  bash-5.2# du -sh .
  399M    .
  bash-5.2# rpm -qa | wc -l
  308
  bash-5.2# gcc --version
  gcc (GCC) 14.2.0
  Copyright (C) 2024 Free Software Foundation, Inc.
  This is free software; see the source for copying conditions.  There is NO
  warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
f757566a13 images: container-image-host
Add some conditional distro feature checks for kubernetes flavours

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
38470f4f2f packagegroups: add support utilities to cni and containerd
When debugging or configuring networking for CNI and
containerd we should ensure that support utilities are present.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
5dfe66298a crun: conditionally offer runc binary via symlink
When integrating into some container stacks (such as containerd),
the detailed configuration toml changes to change the container
runtime from runc to crun are not always trivial.

To avoid (for now) carrying configuration snippets as part of
the recipes, we can symlink runc to crun as crun is fully
compatible with runc.

Note: this means you can't have runc and crun installed on the
same image if the symlinking is done. Hence why this symlinking
is conditional.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
e2c3d012f9 containerd: add cni-networking configuration
When running a containerd-only stack, we need a CNI configuration
to be available.

When running containerd as part of something like K3S, we expect
the orchestration package will provide that configuration.

This commit makes a containerd-cni package available that contains
a starting point configuration.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
adcb5da8b5 conf: containerd: add networking configuration
containerd doesn't do native networking configuration, it relies
on CNI.

So ensure that CNI is specified in the containerd profile.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
1a4030a6c6 container-base: define empty entry point
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
cbad7151f1 demos/helloworld: fix S and UNPACKDIR
Adapt the demonstration helloworld application to fix a warning
about UNPACKDIR not being correct.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
3429c73a91 conf: add container profile definitions
These definitions are selected by setting: CONTAINER_PROFILE

Once selected the VIRTUAL_RUNTIME and other considerations for
the profile are configured and used by the images in meta-virt.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
b164962a6e images: add container host image
This image is a reference implementation to create a target platform
capable of running containers. This includes kernel configuration,
container runtimes, tools and other support applications.

The packages to install are largely described in the packagegroups
that are part of this layer. packagegroups are preferred as they can
easily be used to create similar images of different composition.
The recipes for the packages have their list of build and runtime
dependencies, as such, those dependencies are not part of the image
install or listed explicitly in the packagegroups.

CNCF areas that have choices are described by VIRTUAL-RUNTIME
variables. These variables can be set individually (in a distro,
layer or local configuration file), or can be set by the setting of
a "CONTAINER_PROFILE". It is possible to select incompatible
packages if setting the VIRTUAL-RUNTIME variables individually.
container profiles have been created as valid / tested stacks of the
components in meta-virtualization.

The contents of the image are selected by testing the VIRTUAL-RUNTIME
values and mapping them to packagegroups.

The possible VIRTUAL-RUNTIME variables (and their values) are
currently:

 engines: docker/docker-moby, virtual-containerd, cri-o, podman, lxc
    VIRTUAL-RUNTIME_container_engine ??= "podman"
 runtime: runc, crun, runv, runx
    VIRTUAL-RUNTIME_container_runtime ??= "virtual-runc"
 networking: cni, netavark
    VIRTUAL-RUNTIME_container_networking ??= "cni"
 dns: cni, aardvark-dns
    VIRTUAL-RUNTIME_container_dns ??= "cni"
 orchestration: k8s, k3s
    VIRTUAL-RUNTIME_container_orchestration ??= "k3s"
 Kubernetes terminology "components"
   VIRTUAL-RUNTIME_cri ??= "virtual-containerd"
   VIRTUAL-RUNTIME_cni ??= "cni"

To select a CONTAINER_PROFILE, set the variable in your local,
distro or layer configuration:

  CONTAINER_PROFILE="<your value>"

The possible values for CONTAINER_PROFILE can be found in
conf/distro/include in the format of: meta-virt-container-<profile>.inc

    default (docker)
    containerd
    podman
    docker
    k3s-host
    k3s-node

This image will eventually be modified more as something that
can easily be inherited and re-used, but for now, it is a capture
of the best practices in a container host image.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
3857974ed9 conf: meta-virt-container.inc comment out values as reference
This .inc file is no longer the active one by default, so we
will use it as a reference for the possible values. To make that
more obvious, we comment out the current values.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
e8f51968a2 netavark: disable nmap for aarch64 ptests
nmap is not currently building for aarch64, so we disable it
as a ptest rdepends when that is our target arch. Some tests
may not work, but having a buildable stack is more important
than all tests working.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
79d9c4f999 conf: add CONTAINER and VIRTUALIZATION PROFILE defaults
These are used to set configuration for container and virtualization
stacks. We set a default to ensure that sane values are always
present.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
5141d3f3f9 podman: add VIRTUAL-RUNTIME_container_dns to RDEPENDS
Allow aardvark-dns to be specified as a rdepends for podman

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
f53b101d45 packagegroups: add new container package sets
Adding the following new package groups:

    packagegroup-cni
    packagegroup-netavark
    packagegroup-container-tools

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
e1d12c78c4 packagegroups: add cri-tools to kubernetes
cri-tools aims to provide a series of debugging and validation
tools for Kubelet CRI, which includes:

   crictl: CLI for kubelet CRI.
   critest: validation test suites for kubelet CRI.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
b3a428e1c4 kernel/cfg: import docker configuration tweaks
Bumping the SRCREV to pick up the following commits:

    8650ed99 docker: enable ipvlan and build BRIDGE_VLAN_FILTERING into kernel
    38e7c7aa docker: inherit base container and BPF configs

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
b5b94c2f51 docker-moby: tweak check-config script for 6.1+ kernels
We are showing one warning on check-config that isn't valid,
as the option has been changed in kernels 6.1+. We tweak
the check-config script to make that conditional

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
3af81200a4 xen: make qemu-system-* configurable
qemu-system-i386 / firmware were added as RDEPENDS to xen.
While this is typically the right choice, we can make those
values defined by a variable in case other layers want to
override the default choice.

While we are at it, we change other references to qemu-system-i386
to allow a complete switch if the variable is changed.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Bruce Ashfield
e6b7e24630 xen: add qemu-system-i386 and bios RDEPENDS
The current RRECOMMENDS can work, but isn't strong enough
since we explicitly configure system-i386 into 'xl' and
-system requires the bios files.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-15 19:50:00 +00:00
Martin Jansa
aca728f51b go-cli: use main branch
* master was renamed to main long time ago

Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-12 23:14:33 +00:00
Chris Laplante
f38e46c8d2 app-container-curl: add space for IMAGE_INSTALL:append
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-12 23:14:10 +00:00
Chris Laplante
071c585f69 app-container: add space for IMAGE_INSTALL:append
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-12 23:14:05 +00:00
Chen Qi
e340d5b548 criu: fix buildpaths QA issue for arm
The settings of CFLAGS:arm overrides the previous CFLAGS settings,
causing buildpaths QA error for arm. Use CFLAGS:append:arm instead
to fix this issue.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-12 23:13:45 +00:00
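The override semantics behind this fix, as an added illustration that is not the criu recipe's actual lines: in OE-core the default CFLAGS already carry `${DEBUG_PREFIX_MAP}` (via DEBUG_FLAGS), which is what keeps absolute build paths out of debug info. The arm-specific flag shown is a placeholder assumption; the point is the difference between `CFLAGS:arm =` and `CFLAGS:append:arm =`.

```bitbake
# Added example, not from the recipe. Inspect the result with:
#   MACHINE=qemuarm bitbake -e criu | grep '^CFLAGS='

# Buggy form: a conditional *override* assignment. On arm this replaces the
# entire CFLAGS value, so -fdebug-prefix-map (and -O2, -g, ...) from the
# distro defaults disappear and the buildpaths QA check fails.
#CFLAGS:arm = "-mno-unaligned-access"    # placeholder flag, assumption

# Fixed form: :append adds to the final value instead of replacing it, so the
# distro's debug-prefix mapping survives. The leading space matters, since
# :append does not insert one for you.
CFLAGS:append:arm = " -mno-unaligned-access"
```

The same reasoning applies to any `VAR:<override> =` on a variable the distro already populates (LDFLAGS, CXXFLAGS): prefer `:append:<override>` or `:prepend:<override>` unless the intent really is to discard the defaults.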
Bin Lan
2747f11e79 openvswitch: fix ptest contains reference to TMPDIR [buildpaths]
The EGREP in ptest/tests/atlocal contains the build paths.
The CFLAGS in ptest/tests/atlocal contains the build paths.
This change set fixes:
 - set EGREP to "grep -E" in ptest/tests/atlocal
 - set CFLAGS to " " in ptest/tests/atlocal
by updating the patch
openvswitch-add-ptest-71d553b995d0bd527d3ab1e9fbaf5a2ae34de2f3.patch.

Signed-off-by: Bin Lan <bin.lan.cn@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-02 00:03:41 -04:00
Lukasz Czechowski
b4fe1f4933 container-host-config: Remove centos registry
Update registry list by removing 'registry.centos.org' entry.
This registry is no longer available.
Decommissioning of the registry was announced in the thread:
https://lists.centos.org/hyperkitty/list/devel@lists.centos.org/thread/EHGCQUHLDQ6LI474ZAB7MPRZFJD77P3S/

Signed-off-by: Lukasz Czechowski <lukasz.czechowski@thaumatec.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-02 00:02:34 -04:00
Xiangyu Chen
bfcd056321 lxc: don't allow named listening IPv6 address on lxcbrX network interface
lxc-net enabled the IPv6 by default since v6.0.0[1], when named enabled on
system, the lxc-net which based on dnsmasq would fail to bind the IPv6
address on lxcbrX interface, that cause lxc cannot work correctly.

Add the lxc-net default v6 address to named.conf.option to tell named don't
bind and listen that address.

[1] https://github.com/lxc/lxc/commit/e8888344

Signed-off-by: Xiangyu Chen <xiangyu.chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-02 00:02:12 -04:00
Bruce Ashfield
d5bda44c06 upx: update to -tip and return to individual fetches
Bumping upx to version v4.2.4-62-g44e4bd0b, which comprises the following commits:

    44e4bd0b CI updates
    1427b813 CI updates
    a9cb3542 CI and cmake updates
    b4db17ab cmake update
    ba969fb9 CI updates
    87ac252c CI updates
    ada9081e CI updates
    d6a29e58 CI updates
    03c41840 all: misc cleanups

The upx repository has invalid git commits for SRCREVs
greater than 4.2.4 (and for commits that used to work).

This was reported on the mailing list by Javier Tia <javier.tia@linaro.org>

Older commits seem to work, but we'd have issues updating
the recipe to newer values (tip of the tree is also broken
for gitsm fetching).

So for now, we switch back to individual fetches that we
can use to control the SRCREVs precisely.

 SRCREVs are from:
   git submodule status | awk '{ commit_hash = $1; sub(/vendor\//, "", $2); gsub("-", "_", $2); printf "SRCREV_vendor_%s = \"%s\"\n", $2, commit_hash }'

with two substitutions for invalid SRCREVs (hence why the gitsm fetcher
has issues)

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-11-01 23:59:13 -04:00
Bruce Ashfield
72ea52031c python: drop python3-docopt
The meta-python is good enough for our needs.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-10-28 21:21:05 -04:00
Mark Hatle
1665d1e2ad linux-yocto_virtualization.inc: If using externalsrc adjust dependency
When using externalsrc, the system will disable a number of tasks such as
do_validate_branches, do_unpack and do_patch.  The do_kernel_metadata task
is configured to run after do_validate_branches and do_unpack and before
do_patch.  Since all of these have been removed, the task will never
run.

The do_kernel_metadata task is responsible for populating the
recipe-sysroot-native/kcfg directory via its own dependency to
yocto-cfg-fragments-native:do_populate_sysroot.

Without do_kernel_metadata running, do_kernel_configme will fail to run
with errors like:
  ERROR: linux-xlnx-6.6.40+git-r0 do_kernel_configme: Feature '../recipe-sysroot-native/kcfg/cfg/virtio.scc' not found, this will cause configuration failures.
  ERROR: linux-xlnx-6.6.40+git-r0 do_kernel_configme: Check the SRC_URI for meta-data repositories or directories that may be missing
  ERROR: linux-xlnx-6.6.40+git-r0 do_kernel_configme: Set KERNEL_DANGLING_FEATURES_WARN_ONLY to ignore this issue

Fix this issue by detecting if we're running with externalsrc, and then
adding the task do_kernel_metadata (from the current recipe) as a
dependency of do_kernel_configme.

To reproduce the original issue:

  $ . ./oe-init-build-env
  $ bitbake linux-yocto -c patch
  $ cp -r tmp/work-shared/<machine>/kernel-source linux-yocto

  edit the conf/local.conf adding:
  DISTRO_FEATURES:append = " virtualization"
  INHERIT += "externalsrc"
  EXTERNALSRC:pn-linux-yocto = "${TOPDIR}/linux-yocto"

  $ rm -rf tmp
  $ bitbake linux-yocto -c menuconfig

Signed-off-by: Mark Hatle <mark.hatle@amd.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-10-10 13:14:07 +00:00
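One way to express the fix described above in an .inc file, as an added example that is not the actual linux-yocto_virtualization.inc change: detect externalsrc in anonymous Python and re-order the stranded task relative to do_kernel_configme. `bb.data.inherits_class` and `bb.build.addtask` are standard BitBake API; that the .inc is parsed after externalsrc has been inherited (INHERIT += "externalsrc" in local.conf, as in the reproduction steps) is the assumption this relies on.

```bitbake
# Added example, not the layer's own lines.
python __anonymous() {
    # externalsrc deletes do_unpack, do_patch and do_validate_branches.
    # do_kernel_metadata was only ordered relative to those tasks, so with
    # them gone nothing schedules it and recipe-sysroot-native/kcfg stays
    # empty, which is what do_kernel_configme then trips over.
    if bb.data.inherits_class('externalsrc', d):
        # addtask(task, before, after, d): make do_kernel_metadata a
        # prerequisite of do_kernel_configme within this recipe. Its own
        # [depends] on yocto-cfg-fragments-native:do_populate_sysroot then
        # runs as usual and repopulates the kcfg directory.
        bb.build.addtask('do_kernel_metadata', 'do_kernel_configme', None, d)
}
```

After the change, `bitbake linux-yocto -c menuconfig` from the reproduction steps should run do_kernel_metadata before do_kernel_configme; `bitbake -g linux-yocto` and a look at task-depends.dot confirms the new edge without running the build.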
Sandeep Gundlupet Raju
385f7cecbc device-tree: Rename EXTRA_OVERLAYS to EXTRA_DT_INCLUDE_FILES
Rename EXTRA_OVERLAYS to EXTRA_DT_INCLUDE_FILES as these variables
are renamed in https://github.com/Xilinx/meta-xilinx/blob/master/meta-xilinx-core/recipes-bsp/device-tree/device-tree.bb
recipe.

Signed-off-by: Sandeep Gundlupet Raju <sandeep.gundlupet-raju@amd.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-10-10 13:09:31 +00:00
Bruce Ashfield
df856b9b73 kernel: make yocto-cfg-fragment dependency conditional
There's no sense adding a fragment dependency to kernels
that don't support merging. This commit restores the check
we previously had for an inherit of kernel-yocto before
adding the configuration fragment dependency.

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
2024-10-03 01:28:52 +00:00