From: Bruce Ashfield <bruce.ashfield@gmail.com>
To: ticotimo@gmail.com
Cc: meta-virtualization@lists.yoctoproject.org
Subject: Re: [meta-virtualization][PATCH 3/7] recipes-containers/images: add app-container-mosquitto
Date: Fri, 12 Jun 2026 11:06:31 -0700 (PDT)
Message-ID: <6a2c4aa7.5059f1c4.36e2b7.af06@mx.google.com>
In-Reply-To: <8e68815affff4412c88b8a1139d6f916074bb3d1.1780104071.git.tim.orling@konsulko.com>

Hi Tim,

A few comments — most are series-level patterns that show up here for
the first time. I won't repeat them later to not waste our time.

On Fri, May 29, 2026 at 18:31 -0700, Tim Orling wrote:
> Add OCI container image recipe for the Eclipse Mosquitto MQTT broker.
> The image uses multi-layer mode with separate base and mosquitto layers,
> exposes standard MQTT (1883) and WebSocket (9001) ports, and launches
> mosquitto with its default config file as the entrypoint.
>
> Inherit container-nonroot-user to run as 'nonroot' with UID 65532.

> +OCI_LAYERS = "\
> +    base:packages:base-files+base-passwd+netbase \
> +    mosquitto:packages:mosquitto \
> +"
[...]
> +IMAGE_INSTALL = " \
> +    base-files \
> +    base-passwd \
> +    netbase \
> +    mosquitto \
> +"
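Review bot: the layer spec names only the leaf packages (base-files, base-passwd, netbase, mosquitto), so it is not clear from the recipe which layer the runtime dependencies those packages pull in (libc, mosquitto's libraries) end up in; a one-line comment stating whether unlisted RDEPENDS follow the package that names them, or fall into the base layer, would make the layering reproducible for the next recipe that copies this pattern.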

Same point as 2/7 — image-oci.bbclass now folds packages: layers into
IMAGE_INSTALL automatically (I pushed to master-next). When you respin,
this block can go.

> +# Workaround /var/volatile for now
> +ROOTFS_POSTPROCESS_COMMAND += "rootfs_fixup_var_volatile ; "
> +rootfs_fixup_var_volatile () {
> +    install -m 1777 -d ${IMAGE_ROOTFS}/${localstatedir}/volatile/tmp
> +    install -m 755 -d ${IMAGE_ROOTFS}/${localstatedir}/volatile/log
> +}
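Review bot: `install -m 755 -d .../volatile/log` creates a root-owned directory that the nonroot UID (65532) this recipe inherits cannot write to, whereas the `tmp` directory gets 1777; if mosquitto is expected to write a log file there, the directory needs the nonroot owner or a writable mode, and if logging is meant to go to stdout/stderr for the container runtime, a comment saying so would explain why `log` is intentionally read-only for the service user.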

This same function appears in 3/7 (mosquitto), 4/7 (valkey), 5/7
(nginx), and 7/7 (curl) — four near-identical copies. Worth factoring
into a small helper bbclass (e.g. container-volatile-fixup.bbclass) that
each recipe can inherit, or rolling it into container-nonroot-user.bbclass
since every recipe that uses the fixup also inherits the nonroot class.
Not blocking — but it's a smell that's easy to silence in v2.

> +OCI_IMAGE_ENTRYPOINT = "${sbindir}/mosquitto"
> +OCI_IMAGE_ENTRYPOINT_ARGS = "-c '${sysconfdir}/mosquitto/mosquitto.conf'"
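Review bot: the single quotes around `'${sysconfdir}/mosquitto/mosquitto.conf'` are worth checking against how image-oci.bbclass splits OCI_IMAGE_ENTRYPOINT_ARGS into the OCI config's argument array; the runtime execs the entrypoint directly without a shell, so if the class does plain whitespace splitting the literal quotes become part of the path and mosquitto will fail to open the config. The path contains no spaces, so `-c ${sysconfdir}/mosquitto/mosquitto.conf` without quotes is the safer form.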

Two questions about running mosquitto as our nonroot (uid 65532):

1. The mosquitto package usually creates a 'mosquitto' system user
   (low uid, varies by build) and ships a default config that
   references paths under /var/lib/mosquitto/ and /var/log/mosquitto/
   owned by that user. As nonroot we won't be the package's expected
   user. Does mosquitto -c on the stock config actually start cleanly
   for you, or did you need to tweak the conf?

   I assume it runs fine, since you've been testing it for a while.

2. If persistence is enabled in the stock mosquitto.conf (persistence
   true; persistence_location /var/lib/mosquitto/), we need a
   writable /var/lib/mosquitto for our nonroot user — same flavour of
   gap the rootfs_fixup_var_volatile workaround addresses, just for
   a different path. If you've already validated that persistence is
   off in the stock conf (or that mosquitto degrades gracefully when
   the persistence dir isn't writable), a one-line comment in the
   recipe explaining the trade-off would save the next person from
   re-deriving it.

Bruce

> +OCI_IMAGE_PORTS = "1883/tcp 9001/tcp"
> +OCI_IMAGE_TAG = "latest"
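Review bot: exposing 9001/tcp implies a WebSocket listener, but the commit message says the stock mosquitto.conf is used as-is; a WebSocket listener only exists if the config carries a `listener 9001` with `protocol websockets`, and likewise the 1883 listener depends on the config's listener and `allow_anonymous` settings, so please confirm the shipped config actually opens both ports or drop 9001 from OCI_IMAGE_PORTS. Separately, `OCI_IMAGE_TAG = "latest"` is a mutable tag; adding a version tag (e.g. derived from the mosquitto package version) alongside it lets consumers pin a known image.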

