* [Buildroot] [PATCH 1/9 v3] support/testing: set date in emulated machine
  2025-03-01 15:05 [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman) Yann E. MORIN
@ 2025-03-01 15:05 ` Yann E. MORIN
  2025-03-07 18:49   ` Julien Olivain
  2025-03-01 15:05 ` [Buildroot] [PATCH 2/9 v3] package/shadow: install to staging for subids Yann E. MORIN
                   ` (7 subsequent siblings)
  8 siblings, 1 reply; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-01 15:05 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E. MORIN, Ricardo Martincoski, Thomas Petazzoni

When time comes to check certificates, the date and time in the emulated
machine should be close enough to the actual values, so that certificate
validity can be checked.

Set the date to the date of the system. This is going to be accurate to
the second, which is, by far, enough for our purpose.

The Emulator() class doesn't inherit from unittest.TestCase, so we can't
call any of the usual self.assertXXX() methods; instead, we just raise
a standard exception, as is done a few lines above to detect the login
prompt.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Ricardo Martincoski <ricardo.martincoski@datacom.com.br>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

---
Changes v1 -> v2:
  - catch failure to set the date
---
 support/testing/infra/emulator.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/support/testing/infra/emulator.py b/support/testing/infra/emulator.py
index ef5be2a19e..9be1143944 100644
--- a/support/testing/infra/emulator.py
+++ b/support/testing/infra/emulator.py
@@ -5,6 +5,7 @@ import os
 
 import pexpect
 import pexpect.replwrap
+import time
 
 import infra
 
@@ -152,6 +153,10 @@ class Emulator(object):
 
         self.connect_shell()
 
+        output, exit_code = self.run(f"date @{int(time.time())}")
+        if exit_code:
+            raise SystemError("Cannot set date in virtual machine")
+
     def connect_shell(self):
         extra_init_cmd = " && ".join([
             'export PAGER=cat',
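Review bot: `output` returned by `self.run()` is captured but never used, and the `SystemError` gives the reader nothing to debug with when the date cannot be set. Either discard it (`_, exit_code = self.run(...)`) or, better, include it in the message: `raise SystemError(f"Cannot set date in virtual machine: {output}")`. Also, `date @<epoch>` (no `-s`) is the BusyBox `date` syntax; GNU coreutils `date` would need `-s @<epoch>`, so this silently assumes the test images ship BusyBox `date`, which deserves a short comment next to the call.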
-- 
2.47.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

^ permalink raw reply related	[flat|nested] 24+ messages in thread

* [Buildroot] [PATCH 2/9 v3] package/shadow: install to staging for subids
  2025-03-01 15:05 [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman) Yann E. MORIN
  2025-03-01 15:05 ` [Buildroot] [PATCH 1/9 v3] support/testing: set date in emulated machine Yann E. MORIN
@ 2025-03-01 15:05 ` Yann E. MORIN
  2025-03-07 13:15   ` Raphael Pavlidis
  2025-03-01 15:05 ` [Buildroot] [PATCH 3/9 v3] package/conmon: depends on systemd when enabled Yann E. MORIN
                   ` (6 subsequent siblings)
  8 siblings, 1 reply; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-01 15:05 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E. MORIN, Raphael Pavlidis

When the subids feature is enabled, shadow will install a library and a
header:

    $ sort output/build/shadow-4.16.0/.files-list.txt
    [...]
    shadow,./lib/libsubid.la
    shadow,./lib/libsubid.so
    shadow,./lib/libsubid.so.5
    shadow,./lib/libsubid.so.5.0.0
    [...]
    shadow,./usr/include/shadow/subid.h
    [...]

Install to staging in that case.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Raphael Pavlidis <raphael.pavlidis@gmail.com>
---
 package/shadow/shadow.mk | 1 +
 1 file changed, 1 insertion(+)

diff --git a/package/shadow/shadow.mk b/package/shadow/shadow.mk
index cea984012d..c598ad88fd 100644
--- a/package/shadow/shadow.mk
+++ b/package/shadow/shadow.mk
@@ -46,6 +46,7 @@ SHADOW_CONF_OPTS += --disable-account-tools-setuid
 endif
 
 ifeq ($(BR2_PACKAGE_SHADOW_SUBORDINATE_IDS),y)
+SHADOW_INSTALL_STAGING = YES
 SHADOW_CONF_OPTS += --enable-subordinate-ids
 define SHADOW_SUBORDINATE_IDS_PERMISSIONS
 	/usr/bin/newuidmap f 4755 0 0 - - - - -
-- 
2.47.0


* [Buildroot] [PATCH 3/9 v3] package/conmon: depends on systemd when enabled
  2025-03-01 15:05 [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman) Yann E. MORIN
  2025-03-01 15:05 ` [Buildroot] [PATCH 1/9 v3] support/testing: set date in emulated machine Yann E. MORIN
  2025-03-01 15:05 ` [Buildroot] [PATCH 2/9 v3] package/shadow: install to staging for subids Yann E. MORIN
@ 2025-03-01 15:05 ` Yann E. MORIN
  2025-03-01 15:05 ` [Buildroot] [PATCH 4/9 v3] package/slirp4netns: needs TUN support in the kernel Yann E. MORIN
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-01 15:05 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E. MORIN, Christian Stewart

When it detects it runs under systemd, conmon will want to log to the
journal. However, it needs to be linked with libsystemd to do so and if
not, will error out:

    Feb 22 11:10:03 buildroot conmon[199]: conmon 3b462ce6f2cc64f75c42 <error>: Include journald in compilation path to log to systemd journal

This prevents starting any container.

Add a dependency to systemd when it is enabled.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Christian Stewart <christian@aperture.us>
---
 package/conmon/conmon.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/package/conmon/conmon.mk b/package/conmon/conmon.mk
index 1e57786686..ed1a2554fa 100644
--- a/package/conmon/conmon.mk
+++ b/package/conmon/conmon.mk
@@ -18,6 +18,10 @@ else
 CONMON_DISABLE_SECCOMP = 1
 endif
 
+ifeq ($(BR2_PACKAGE_SYSTEMD),y)
+CONMON_DEPENDENCIES += systemd
+endif
+
 define CONMON_CONFIGURE_CMDS
 	printf '#!/bin/bash\necho "$(CONMON_DISABLE_SECCOMP)"\n' > \
 		$(@D)/hack/seccomp-notify.sh
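Review bot: this only orders the build so that systemd is in staging before conmon; it relies on conmon's own build system then auto-detecting libsystemd (via pkg-config) and linking it in. If that detection is not automatic, the journald error quoted in the commit log will persist with the dependency in place. State in the commit log how the build picks libsystemd up, or pass the corresponding build option explicitly if conmon's Makefile has one, so the next reader does not have to guess.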
-- 
2.47.0


* [Buildroot] [PATCH 4/9 v3] package/slirp4netns: needs TUN support in the kernel
  2025-03-01 15:05 [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman) Yann E. MORIN
                   ` (2 preceding siblings ...)
  2025-03-01 15:05 ` [Buildroot] [PATCH 3/9 v3] package/conmon: depends on systemd when enabled Yann E. MORIN
@ 2025-03-01 15:05 ` Yann E. MORIN
  2025-03-07 13:20   ` Raphael Pavlidis
  2025-03-01 15:05 ` [Buildroot] [PATCH 5/9 v3] package/skopeo: add target variant Yann E. MORIN
                   ` (4 subsequent siblings)
  8 siblings, 1 reply; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-01 15:05 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E. MORIN, Raphael Pavlidis

slirp4netns needs a kernel with TUN support, so enable that and the few
options it depends on.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Raphael Pavlidis <raphael.pavlidis@gmail.com>
---
 package/slirp4netns/slirp4netns.mk | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/package/slirp4netns/slirp4netns.mk b/package/slirp4netns/slirp4netns.mk
index ffcd334ab6..5923957c25 100644
--- a/package/slirp4netns/slirp4netns.mk
+++ b/package/slirp4netns/slirp4netns.mk
@@ -12,4 +12,13 @@ SLIRP4NETNS_DEPENDENCIES = libcap libglib2 libseccomp slirp
 
 SLIRP4NETNS_AUTORECONF = YES
 
+define SLIRP4NETNS_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_CORE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETDEVICES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_CORE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_INET)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_TUN)
+endef
+
 $(eval $(autotools-package))
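Review bot: `CONFIG_NET_CORE` is enabled twice in this define (second and fourth `KCONFIG_ENABLE_OPT` lines); drop one of them. The remaining list matches the dependency chain of `CONFIG_TUN` (it lives under `NETDEVICES`/`NET_CORE` and depends on `INET`), so nothing else seems missing.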
-- 
2.47.0


* [Buildroot] [PATCH 5/9 v3] package/skopeo: add target variant
  2025-03-01 15:05 [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman) Yann E. MORIN
                   ` (3 preceding siblings ...)
  2025-03-01 15:05 ` [Buildroot] [PATCH 4/9 v3] package/slirp4netns: needs TUN support in the kernel Yann E. MORIN
@ 2025-03-01 15:05 ` Yann E. MORIN
  2025-03-01 15:05 ` [Buildroot] [PATCH 6/9 v3] package/cgroupfs-mount: tweak the kernel config Yann E. MORIN
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-01 15:05 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E. MORIN, Christian Stewart, Yann E. MORIN

Skopeo can be used to manipulate container images, and so can be useful
on target devices that are going to be used as a host to run containers.

So, add a target variant for skopeo.

... with a runtime test while at it.

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Christian Stewart <christian@aperture.us>
Cc: Yann E. MORIN <yann.morin@orange.com>
---
 package/Config.in                            |  1 +
 package/skopeo/Config.in                     | 25 ++++++++++++
 package/skopeo/skopeo.mk                     | 10 +++++
 support/testing/tests/package/test_skopeo.py | 41 ++++++++++++++++++++
 4 files changed, 77 insertions(+)
 create mode 100644 package/skopeo/Config.in
 create mode 100644 support/testing/tests/package/test_skopeo.py

diff --git a/package/Config.in b/package/Config.in
index 4a81a62ec4..33fcfd0597 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2892,6 +2892,7 @@ menu "System tools"
 	source "package/sdbusplus/Config.in"
 	source "package/seatd/Config.in"
 	source "package/shadow/Config.in"
+	source "package/skopeo/Config.in"
 	source "package/smack/Config.in"
 	source "package/start-stop-daemon/Config.in"
 	source "package/supervisor/Config.in"
diff --git a/package/skopeo/Config.in b/package/skopeo/Config.in
new file mode 100644
index 0000000000..f1acc3a50f
--- /dev/null
+++ b/package/skopeo/Config.in
@@ -0,0 +1,25 @@
+config BR2_PACKAGE_SKOPEO
+	bool "skopeo"
+	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS
+	depends on BR2_USE_MMU  # btrfs-progs, libgpgme, lvm2
+	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS  # libgpgme
+	depends on BR2_TOOLCHAIN_HAS_THREADS  # btrfs-progs, lvm2
+	depends on !BR2_STATIC_LIBS  # lvm2
+	select BR2_PACKAGE_HOST_GO
+	select BR2_PACKAGE_BTRFS_PROGS
+	select BR2_PACKAGE_LIBGPGME
+	select BR2_PACKAGE_LVM2
+	help
+	  skopeo is a command line utility that performs various
+	  operations on container images and image repositories.
+
+	  https://github.com/containers/skopeo
+
+comment "skopeo needs a toolchain w/ threads, sahred libs"
+	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_GO_TARGET_CGO_LINKING_SUPPORTS
+	depends on BR2_USE_MMU
+	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS
+	depends on !BR2_TOOLCHAIN_HAS_THREADS \
+		|| BR2_STATIC_LIBS
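Review bot: typo in the comment string, "sahred libs" should be "shared libs"; the wording other Buildroot comments use for the `!BR2_STATIC_LIBS` case is "dynamic library", e.g. "skopeo needs a toolchain w/ threads, dynamic library". The comment's `depends on` lines correctly mirror the arch/MMU/libgpg-error conditions of the config entry.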
diff --git a/package/skopeo/skopeo.mk b/package/skopeo/skopeo.mk
index 8e3a302e8d..b3b213983f 100644
--- a/package/skopeo/skopeo.mk
+++ b/package/skopeo/skopeo.mk
@@ -11,13 +11,23 @@ SKOPEO_LICENSE = Apache-2.0
 SKOPEO_LICENSE_FILES = LICENSE
 SKOPEO_CPE_ID_VALID = YES
 
+SKOPEO_DEPENDENCIES = \
+	host-pkgconf \
+	btrfs-progs \
+	libgpgme \
+	lvm2
+
 HOST_SKOPEO_DEPENDENCIES = \
 	host-btrfs-progs \
 	host-libgpgme \
 	host-lvm2 \
 	host-pkgconf
 
+SKOPEO_GO_ENV = PKG_CONFIG_PATH=$(HOST_DIR)/lib/pkgconfig
+SKOPEO_BUILD_TARGETS = cmd/skopeo
+
 HOST_SKOPEO_GO_ENV = PKG_CONFIG_PATH=$(HOST_DIR)/lib/pkgconfig
 HOST_SKOPEO_BUILD_TARGETS = cmd/skopeo
 
+$(eval $(golang-package))
 $(eval $(host-golang-package))
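Review bot: `SKOPEO_GO_ENV = PKG_CONFIG_PATH=$(HOST_DIR)/lib/pkgconfig` looks copied from the host variant. For the target build, pkg-config must resolve the target btrfs-progs/libgpgme/lvm2 from staging, not the host-side .pc files under `$(HOST_DIR)/lib/pkgconfig`; pointing cgo at the host .pc files risks linking host libraries into a target binary. Check whether the golang-package infra's pkg-config setup already covers the target case, in which case this line should simply be dropped.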
diff --git a/support/testing/tests/package/test_skopeo.py b/support/testing/tests/package/test_skopeo.py
new file mode 100644
index 0000000000..79c3da8b3d
--- /dev/null
+++ b/support/testing/tests/package/test_skopeo.py
@@ -0,0 +1,41 @@
+import infra.basetest
+import json
+import os
+
+
+class TestSkopeo(infra.basetest.BRTest):
+    config = infra.basetest.BASIC_TOOLCHAIN_CONFIG + \
+        """
+        BR2_PER_PACKAGE_DIRECTORIES=y
+        BR2_SYSTEM_DHCP="eth0"
+        BR2_PACKAGE_CA_CERTIFICATES=y
+        BR2_PACKAGE_SKOPEO=y
+        BR2_PACKAGE_HOST_GO_BIN=y
+        BR2_TARGET_ROOTFS_CPIO=y
+        # BR2_TARGET_ROOTFS_TAR is not set
+        """
+
+    def test_run(self):
+        cpio_file = os.path.join(self.builddir, "images", "rootfs.cpio")
+        self.emulator.boot(arch="armv5",
+                           kernel="builtin",
+                           options=["-initrd", cpio_file, "-nic", "user,model=rtl8139"])
+        self.emulator.login()
+
+        self.assertRunOk("skopeo --version", timeout=30)
+
+        # First, check we can reach the default registry: docker.io
+        output, _ = self.emulator.run(
+            "skopeo inspect docker://busybox:latest",
+            timeout=60,
+        )
+        bb_info = json.loads("".join(output))
+        self.assertEqual(bb_info["Name"], "docker.io/library/busybox")
+
+        # Now, check we can reach an arbitrary registry: quay.io
+        output, _ = self.emulator.run(
+            "skopeo inspect docker://quay.io/quay/busybox:latest",
+            timeout=60,
+        )
+        skopeo_info = json.loads("".join(output))
+        self.assertEqual(skopeo_info["Name"], "quay.io/quay/busybox")
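Review bot: both `skopeo inspect` calls discard the exit code (`output, _ = ...`), so an unreachable registry surfaces as a `json.JSONDecodeError` on an empty or error string instead of a clear assertion. Capture and check it before parsing, e.g. `output, exit_code = self.emulator.run(...)` then `self.assertEqual(exit_code, 0, "\n".join(output))`, or use `self.assertRunOk()` as already done for `--version`. Two smaller points: the test needs docker.io and quay.io reachable from the emulator, which is worth a comment at the top of `test_run`; and `import infra.basetest` precedes the standard-library `json`/`os` imports, whereas the usual ordering puts standard-library imports first.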
-- 
2.47.0


* [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman)
@ 2025-03-01 15:05 Yann E. MORIN
  2025-03-01 15:05 ` [Buildroot] [PATCH 1/9 v3] support/testing: set date in emulated machine Yann E. MORIN
                   ` (8 more replies)
  0 siblings, 9 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-01 15:05 UTC (permalink / raw)
  To: buildroot
  Cc: Christian Stewart, Fiona Klute, Julien Olivain, Raphael Pavlidis,
	Ricardo Martincoski, Thomas Petazzoni, Yann E. MORIN,
	Yann E. MORIN

Hello All!

This series introduces podman, an alternative to Docker. Podman is
daemon-less, and does not need root either.

The series starts with preparatory commits in existing packages and the
testing infra: then it introduces new packages on which podman will
rely.

Not required by podman, skopeo is made a target package as well, as it
was of help debugging podman (and Docker in a separate series).

Changes v1 -> v2:
  - add licensing info for netavark and podman  (Julien)

Changes v2 -> v3:
  - make rootless actually work (Raphael)

Regards,
Yann E. MORIN.


----------------------------------------------------------------
Yann E. MORIN (9):
      support/testing: set date in emulated machine
      package/shadow: install to staging for subids
      package/conmon: depends on systemd when enabled
      package/slirp4netns: needs TUN support in the kernel
      package/skopeo: add target variant
      package/cgroupfs-mount: tweak the kernel config
      package/cgroupfs-v2-mount: new package
      package/netavark: new package
      package/podman: new package

 package/Config.in                              |   4 +
 package/cgroupfs-mount/Config.in               |  12 +-
 package/cgroupfs-mount/cgroupfs-mount.mk       |  11 ++
 package/cgroupfs-v2-mount/Config.in            |  10 ++
 package/cgroupfs-v2-mount/S30cgroupfs2         |  44 ++++++++
 package/cgroupfs-v2-mount/cgroupfs-v2-mount.mk |  20 ++++
 package/conmon/conmon.mk                       |   4 +
 package/netavark/Config.in                     |  10 ++
 package/netavark/netavark.hash                 |   3 +
 package/netavark/netavark.mk                   |  19 ++++
 package/podman/Config.in                       |  41 +++++++
 package/podman/containers.conf                 |   2 +
 package/podman/podman.hash                     |   3 +
 package/podman/podman.mk                       | 114 +++++++++++++++++++
 package/podman/policy.json                     |   7 ++
 package/podman/registries.conf                 |   1 +
 package/shadow/shadow.mk                       |   1 +
 package/skopeo/Config.in                       |  25 +++++
 package/skopeo/skopeo.mk                       |  10 ++
 package/slirp4netns/slirp4netns.mk             |   9 ++
 support/testing/infra/emulator.py              |   5 +
 support/testing/tests/package/test_podman.py   | 147 +++++++++++++++++++++++++
 support/testing/tests/package/test_skopeo.py   |  41 +++++++
 23 files changed, 532 insertions(+), 11 deletions(-)
 create mode 100644 package/cgroupfs-v2-mount/Config.in
 create mode 100644 package/cgroupfs-v2-mount/S30cgroupfs2
 create mode 100644 package/cgroupfs-v2-mount/cgroupfs-v2-mount.mk
 create mode 100644 package/netavark/Config.in
 create mode 100644 package/netavark/netavark.hash
 create mode 100644 package/netavark/netavark.mk
 create mode 100644 package/podman/Config.in
 create mode 100644 package/podman/containers.conf
 create mode 100644 package/podman/podman.hash
 create mode 100644 package/podman/podman.mk
 create mode 100644 package/podman/policy.json
 create mode 100644 package/podman/registries.conf
 create mode 100644 package/skopeo/Config.in
 create mode 100644 support/testing/tests/package/test_podman.py
 create mode 100644 support/testing/tests/package/test_skopeo.py

--
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* [Buildroot] [PATCH 6/9 v3] package/cgroupfs-mount: tweak the kernel config
  2025-03-01 15:05 [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman) Yann E. MORIN
                   ` (4 preceding siblings ...)
  2025-03-01 15:05 ` [Buildroot] [PATCH 5/9 v3] package/skopeo: add target variant Yann E. MORIN
@ 2025-03-01 15:05 ` Yann E. MORIN
  2025-03-01 15:05 ` [Buildroot] [PATCH 7/9 v3] package/cgroupfs-v2-mount: new package Yann E. MORIN
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-01 15:05 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E. MORIN

When it was introduced in 2016 with commit 0e1547a87cfd (cgroupfs-mount:
new package), we did not yet have the infrastructure for packages to set
kernel config options, which only came 4 years later with commit
0aed4c2dae76 (linux: allow packages to set kernel config options).

So at that time, the requirements for cgroupfs-mount were documented in
the help for the Kconfig symbol.

But now that we do have the infrastructure in place, actually use it to
set the required options, and drop the list from the Kconfig entry (that
would be duplication, prone to bit-rot with time, and other packages do
not document their requirements in Kconfig, they just use the infra to
set the options).

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
 package/cgroupfs-mount/Config.in         | 12 +-----------
 package/cgroupfs-mount/cgroupfs-mount.mk | 11 +++++++++++
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/package/cgroupfs-mount/Config.in b/package/cgroupfs-mount/Config.in
index 0b2e4ba1e7..29a40c93d1 100644
--- a/package/cgroupfs-mount/Config.in
+++ b/package/cgroupfs-mount/Config.in
@@ -4,16 +4,6 @@ config BR2_PACKAGE_CGROUPFS_MOUNT
 	help
 	  cgroupfs mount and umount scripts.
 
-	  requires a Linux kernel >= 3.0 with the following options
-	  enabled:
-
-	  - CONFIG_BLK_CGROUP
-	  - CONFIG_CGROUPS
-	  - CONFIG_CGROUP_CPUACCT
-	  - CONFIG_CGROUP_DEVICE
-	  - CONFIG_CGROUP_FREEZER
-	  - CONFIG_CGROUP_WRITEBACK
-	  - CONFIG_CGROUP_SCHED
-	  - CONFIG_CGROUP_PIDS
+	  Requires a Linux kernel >= 3.0
 
 	  https://github.com/tianon/cgroupfs-mount
diff --git a/package/cgroupfs-mount/cgroupfs-mount.mk b/package/cgroupfs-mount/cgroupfs-mount.mk
index 5af87629ea..156d584266 100644
--- a/package/cgroupfs-mount/cgroupfs-mount.mk
+++ b/package/cgroupfs-mount/cgroupfs-mount.mk
@@ -10,6 +10,17 @@ CGROUPFS_MOUNT_LICENSE = GPL-3.0+
 CGROUPFS_MOUNT_LICENSE_FILES = debian/copyright
 CGROUPFS_MOUNT_CPE_ID_VALID = YES
 
+define CGROUPFS_MOUNT_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BLK_CGROUP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_FREEZER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_WRITEBACK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_SCHED)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_PIDS)
+endef
+
 define CGROUPFS_MOUNT_INSTALL_TARGET_CMDS
 	$(INSTALL) -D -m 0755 $(@D)/cgroupfs-mount $(TARGET_DIR)/usr/bin/cgroupfs-mount
 	$(INSTALL) -D -m 0755 $(@D)/cgroupfs-umount $(TARGET_DIR)/usr/bin/cgroupfs-umount
-- 
2.47.0

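Patches 4 and 6 both rely on `*_LINUX_CONFIG_FIXUPS` to switch kernel options on, and a practitioner will usually want to confirm, from the `.config` of the kernel that was actually built, that every option the fixups name ended up built-in rather than missing or built as a module. The checker below is an added example, not code from the Buildroot tree or from this series: the two option lists are transcribed from the slirp4netns and cgroupfs-mount hunks (the duplicated `CONFIG_NET_CORE` is kept on purpose and de-duplicated by the checker), and the `.config` fragment is constructed for the example.

```python
# Added example (not part of the Buildroot series): check a kernel .config
# against the options a package's *_LINUX_CONFIG_FIXUPS expects to be set.
import re

# Option lists transcribed from the slirp4netns and cgroupfs-mount fixups
# in this series. CONFIG_NET_CORE appears twice in the slirp4netns hunk;
# it is kept here so the de-duplication below is exercised.
SLIRP4NETNS_OPTS = [
    "CONFIG_NET", "CONFIG_NET_CORE", "CONFIG_NETDEVICES",
    "CONFIG_NET_CORE", "CONFIG_INET", "CONFIG_TUN",
]
CGROUPFS_MOUNT_OPTS = [
    "CONFIG_BLK_CGROUP", "CONFIG_CGROUPS", "CONFIG_CGROUP_CPUACCT",
    "CONFIG_CGROUP_DEVICE", "CONFIG_CGROUP_FREEZER", "CONFIG_CGROUP_WRITEBACK",
    "CONFIG_CGROUP_SCHED", "CONFIG_CGROUP_PIDS",
]

# "CONFIG_FOO=y", "CONFIG_FOO=m", "CONFIG_FOO="string"" ...
_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
# "# CONFIG_FOO is not set"
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_dot_config(text):
    """Map every CONFIG_ symbol in a .config to its value.

    'is not set' lines map to 'n'; other comments and blank lines are skipped.
    """
    config = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET_RE.match(line)
        if m:
            config[m.group(1)] = m.group(2)
            continue
        m = _UNSET_RE.match(line)
        if m:
            config[m.group(1)] = "n"
    return config


def check_options(config, required):
    """Return (missing, modules) for a list of required options.

    KCONFIG_ENABLE_OPT sets an option to 'y', so anything absent or 'n' is
    reported as missing, and anything built as a module ('m') is reported
    separately: it may still work once loaded, but it is not what the
    fixup asked for. Duplicates in `required` are collapsed, order kept.
    """
    missing, modules = [], []
    for opt in dict.fromkeys(required):
        value = config.get(opt, "n")
        if value == "m":
            modules.append(opt)
        elif value != "y":
            missing.append(opt)
    return missing, modules


# Constructed sample .config fragment (not taken from a real build).
SAMPLE_DOT_CONFIG = """\
CONFIG_NET=y
CONFIG_INET=y
CONFIG_NETDEVICES=y
CONFIG_NET_CORE=y
CONFIG_TUN=m
CONFIG_CGROUPS=y
# CONFIG_BLK_CGROUP is not set
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_CPUACCT=y
"""


def main():
    cfg = parse_dot_config(SAMPLE_DOT_CONFIG)
    for name, opts in (("slirp4netns", SLIRP4NETNS_OPTS),
                       ("cgroupfs-mount", CGROUPFS_MOUNT_OPTS)):
        missing, modules = check_options(cfg, opts)
        print(f"{name}: missing={missing} modules={modules}")


if __name__ == "__main__":
    main()
```

Run against a real build with `parse_dot_config(open("output/build/linux-*/.config").read())` in place of the sample; on the constructed fragment it reports `CONFIG_TUN` as module-only for slirp4netns and `CONFIG_BLK_CGROUP` plus `CONFIG_CGROUP_WRITEBACK` as missing for cgroupfs-mount.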

* [Buildroot] [PATCH 7/9 v3] package/cgroupfs-v2-mount: new package
  2025-03-01 15:05 [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman) Yann E. MORIN
                   ` (5 preceding siblings ...)
  2025-03-01 15:05 ` [Buildroot] [PATCH 6/9 v3] package/cgroupfs-mount: tweak the kernel config Yann E. MORIN
@ 2025-03-01 15:05 ` Yann E. MORIN
  2025-03-01 15:05 ` [Buildroot] [PATCH 8/9 v3] package/netavark: " Yann E. MORIN
  2025-03-01 15:05 ` [Buildroot] [PATCH 9/9 v3] package/podman: " Yann E. MORIN
  8 siblings, 0 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-01 15:05 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E. MORIN, Fiona Klute, Thomas Petazzoni

Currently, the cgroupfs-mount package only mounts a cgroup v1 hierarchy,
but v1 is considered legacy and obsolete, while v2 has been around for a
while now, and is required by some packages (e.g. podman whines about
v1).

cgroupfs-mount has not had a release in almost 8 years now, and only the
occasional commit since then and until more than 3 years ago. It's not
going to evolve...

Add a new package with a simple-enough sysv startup script, that mounts
the cgroup v2 hierarchy filesystem. For systemd, there's nothing to do,
as systemd handles the mount by itself.

Since both cgroup v1 and v2 use the same mountpoint, we can't have both
enabled at the same time, and thus we restrict the v2 to be hidden when
v1 is enabled (quite a few packages select the v1; changing those would
require that they be validated against v2 first...)

Note that, due to limitations in Kconfig, cgroupfs-v2-mount will appear
indented below cgroupfs-mount, because it has a (negative) dependency on
it. This spurious indentation is unfortunate and annoying, but benign;
fixing that would require breaking the dependency with a random Kconfig
symbol, which we don't have, and which we decided not to introduce just
for this one use-case (well, there's host-gnupg and host-gnupg2 that
have the exact same issue, but meh...)

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Fiona Klute <fiona.klute@gmx.de>
Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>

---
Changes v2 -> v3:
  - enable cgroups in the kernel
  - really unmount on stop, rather than mounting again
---
 package/Config.in                             |  1 +
 package/cgroupfs-v2-mount/Config.in           | 10 +++++
 package/cgroupfs-v2-mount/S30cgroupfs2        | 44 +++++++++++++++++++
 .../cgroupfs-v2-mount/cgroupfs-v2-mount.mk    | 20 +++++++++
 4 files changed, 75 insertions(+)
 create mode 100644 package/cgroupfs-v2-mount/Config.in
 create mode 100644 package/cgroupfs-v2-mount/S30cgroupfs2
 create mode 100644 package/cgroupfs-v2-mount/cgroupfs-v2-mount.mk

diff --git a/package/Config.in b/package/Config.in
index 33fcfd0597..a152268209 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2808,6 +2808,7 @@ menu "System tools"
 	source "package/balena-engine/Config.in"
 	source "package/bubblewrap/Config.in"
 	source "package/cgroupfs-mount/Config.in"
+	source "package/cgroupfs-v2-mount/Config.in"
 	source "package/circus/Config.in"
 	source "package/conmon/Config.in"
 	source "package/containerd/Config.in"
diff --git a/package/cgroupfs-v2-mount/Config.in b/package/cgroupfs-v2-mount/Config.in
new file mode 100644
index 0000000000..2dd2dbc089
--- /dev/null
+++ b/package/cgroupfs-v2-mount/Config.in
@@ -0,0 +1,10 @@
+config BR2_PACKAGE_CGROUPFS_V2_MOUNT
+	bool "cgroupfs-v2-mount"
+	depends on !BR2_INIT_SYSTEMD
+	depends on !BR2_PACKAGE_CGROUPFS_MOUNT
+	help
+	  Mount the cgroup v2 hierarchy filesystem.
+
+comment "cgroupfs-v2-mount is incompatible with cgroupfs-mount"
+	depends on !BR2_INIT_SYSTEMD
+	depends on BR2_PACKAGE_CGROUPFS_MOUNT
diff --git a/package/cgroupfs-v2-mount/S30cgroupfs2 b/package/cgroupfs-v2-mount/S30cgroupfs2
new file mode 100644
index 0000000000..42839ef921
--- /dev/null
+++ b/package/cgroupfs-v2-mount/S30cgroupfs2
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+DAEMON=cgroupfs2
+
+start() {
+	printf 'Mounting %s: ' "${DAEMON}"
+	mkdir -p /sys/fs/cgroup
+	mount -t cgroup2 none /sys/fs/cgroup
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Unmounting %s: ' "${DAEMON}"
+	umount /sys/fs/cgroup
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	start
+}
+
+case "$1" in
+	start|stop|restart)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature.
+		restart;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac
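Review bot: `start()` is not idempotent: if /sys/fs/cgroup is already mounted (a second `start`, or `restart`/`reload` after a `stop` whose `umount` failed because the hierarchy is still in use), `mount -t cgroup2` fails and the script prints FAIL and returns non-zero even though a usable v2 hierarchy is in place. Guard the mount with a mountpoint check, e.g. `if mountpoint -q /sys/fs/cgroup; then echo "OK"; return 0; fi` before the `mount` line (`mountpoint` is provided by both BusyBox and util-linux). The same `umount` failure case in `stop()` is acceptable, but it means `restart` will usually end up re-running `start` on an already-mounted tree, which is exactly the case above.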
diff --git a/package/cgroupfs-v2-mount/cgroupfs-v2-mount.mk b/package/cgroupfs-v2-mount/cgroupfs-v2-mount.mk
new file mode 100644
index 0000000000..10e18d8d41
--- /dev/null
+++ b/package/cgroupfs-v2-mount/cgroupfs-v2-mount.mk
@@ -0,0 +1,20 @@
+################################################################################
+#
+# cgroupfs-v2-mount
+#
+################################################################################
+
+CGROUPFS_V2_MOUNT_VERSION =
+CGROUPFS_V2_MOUNT_SITE =
+
+define CGROUPFS_V2_MOUNT_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS)
+endef
+
+define CGROUPFS_V2_MOUNT_INSTALL_INIT_SYSV
+	$(INSTALL) -m 0755 -D \
+		$(CGROUPFS_V2_MOUNT_PKGDIR)/S30cgroupfs2 \
+		$(TARGET_DIR)/etc/init.d/S30cgroupfs2
+endef
+
+$(eval $(generic-package))
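Review bot: `CGROUPFS_V2_MOUNT_VERSION =` and `CGROUPFS_V2_MOUNT_SITE =` are assigned empty values; for a package that has no upstream source at all, the usual practice is to leave these variables out entirely rather than define them empty, so check that the empty assignments are actually needed. Also, `CONFIG_CGROUPS` on its own gives a v2 hierarchy with no controllers (memory, pids, cpu and friends are separate options), which is fine for a package whose only job is the mount, but a one-line comment saying that consumers must enable their own controllers would save the next reader from assuming this is sufficient.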
-- 
2.47.0


* [Buildroot] [PATCH 8/9 v3] package/netavark: new package
  2025-03-01 15:05 [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman) Yann E. MORIN
                   ` (6 preceding siblings ...)
  2025-03-01 15:05 ` [Buildroot] [PATCH 7/9 v3] package/cgroupfs-v2-mount: new package Yann E. MORIN
@ 2025-03-01 15:05 ` Yann E. MORIN
  2025-03-01 15:05 ` [Buildroot] [PATCH 9/9 v3] package/podman: " Yann E. MORIN
  8 siblings, 0 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-01 15:05 UTC (permalink / raw)
  To: buildroot; +Cc: Yann E. MORIN, Julien Olivain

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Julien Olivain <ju.o@free.fr>

---
Changes v1 -> v2:
  - add licensing information  (Julien)
---
 package/Config.in              |  1 +
 package/netavark/Config.in     | 10 ++++++++++
 package/netavark/netavark.hash |  3 +++
 package/netavark/netavark.mk   | 19 +++++++++++++++++++
 4 files changed, 33 insertions(+)
 create mode 100644 package/netavark/Config.in
 create mode 100644 package/netavark/netavark.hash
 create mode 100644 package/netavark/netavark.mk

diff --git a/package/Config.in b/package/Config.in
index a152268209..460955cb90 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2559,6 +2559,7 @@ endif
 	source "package/ndisc6/Config.in"
 	source "package/net-tools/Config.in"
 	source "package/netatalk/Config.in"
+	source "package/netavark/Config.in"
 	source "package/netcalc/Config.in"
 	source "package/netcat/Config.in"
 	source "package/netcat-openbsd/Config.in"
diff --git a/package/netavark/Config.in b/package/netavark/Config.in
new file mode 100644
index 0000000000..caac3c4872
--- /dev/null
+++ b/package/netavark/Config.in
@@ -0,0 +1,10 @@
+config BR2_PACKAGE_NETAVARK
+	bool "netavark"
+	depends on BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS
+	select BR2_PACKAGE_HOST_RUSTC
+	help
+	  Netavark is a rust based network stack for containers. It
+	  is being designed to work with Podman but is also applicable
+	  for other OCI container management applications.
+
+	  https://github.com/containers/netavark
diff --git a/package/netavark/netavark.hash b/package/netavark/netavark.hash
new file mode 100644
index 0000000000..585763be42
--- /dev/null
+++ b/package/netavark/netavark.hash
@@ -0,0 +1,3 @@
+# Locally computed
+sha256  09471bd116fdebfd3f7a8100b37809e3a306d0f18e5feee8445ed1e01a22e0aa  netavark-v1.14.0-git4-cargo2.tar.gz
+sha256  c71d239df91726fc519c6eb72d318ec65820627232b2f796219e87dcf35d0ab4  LICENSE
diff --git a/package/netavark/netavark.mk b/package/netavark/netavark.mk
new file mode 100644
index 0000000000..b2508bb5a8
--- /dev/null
+++ b/package/netavark/netavark.mk
@@ -0,0 +1,19 @@
+################################################################################
+#
+# netavark
+#
+################################################################################
+
+NETAVARK_VERSION = v1.14.0
+NETAVARK_SITE = https://github.com/containers/netavark
+NETAVARK_SITE_METHOD = git
+
+NETAVARK_LICENSE = Apache-2.0
+NETAVARK_LICENSE_FILES = LICENSE
+
+# For protoc
+NETAVARK_DEPENDENCIES = host-protobuf
+
+NETAVARK_CARGO_ENV = PROTOC=$(HOST_DIR)/bin/protoc
+
+$(eval $(cargo-package))
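Review bot: with `NETAVARK_SITE_METHOD = git`, the sha256 in netavark.hash covers a tarball that Buildroot itself generates from the git checkout (hence the `-git4-cargo2` suffix in the archive name), not an artifact published by upstream, so the hash can only ever be "Locally computed" and changes whenever the archive generation changes. If upstream publishes release tarballs for v1.14.0 on GitHub, `NETAVARK_SITE = $(call github,containers,netavark,$(NETAVARK_VERSION))` with the plain tarball would be the more conventional choice; if git is required for some reason, a comment above `NETAVARK_SITE_METHOD` should say why.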
-- 
2.47.0


* [Buildroot] [PATCH 9/9 v3] package/podman: new package
  2025-03-01 15:05 [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman) Yann E. MORIN
                   ` (7 preceding siblings ...)
  2025-03-01 15:05 ` [Buildroot] [PATCH 8/9 v3] package/netavark: " Yann E. MORIN
@ 2025-03-01 15:05 ` Yann E. MORIN
  2025-03-07 13:40   ` Raphael Pavlidis
  2025-03-07 18:55   ` Julien Olivain
  8 siblings, 2 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-01 15:05 UTC (permalink / raw)
  To: buildroot
  Cc: Yann E. MORIN, Raphael Pavlidis, Christian Stewart,
	Julien Olivain

Podman is a container manager not unlike Docker, but is daemon-less.

Similarly to docker-engine, quite a few kernel config options are
required; as they are very similar in goals and features, the options
from docker-engine have been duplicated for podman. As that was not
enough, a few additional options have been added after trial-and-error
testing (they are not explicitly listed in the documentation).

The documentation [0] states that seccomp can be disabled (i.e. not
enabled), but we were unable to start a container without seccomp
support in podman. So we make that mandatory.

Podman can run either as the root user, in which case it would need
netavark as a network helper (not sure why, but its absence is a hard
error for podman), or it can run rootless, i.e. by a non-root user,
which requires a bit of setup (see below, in the runtime test) and a
few other dependencies: slirp4netns [1] (network backend), and support
for subordinate UIDs and GIDs with the shadow library. Rootless mode is
one of the main selling points for podman, so we decided that this would
not be configurable in Buildroot.

Similar to Docker, podman can inject a minimalist init as PID1 in
containers, and like Docker, this is optional; podman however can only
use catatonit as such an init [2]. Given the size of catatonit (1.3%
that of podman!), we do not bother to make it optional, and always
enable it as well.

Podman requires at least three config files; they can be either per-user
or system-wide:
  - containers.conf [3]: defines various settings for the container
    runtimes;
  - policy.json [4]: defines what signature to accept to validate
    images; without one such file, podman just refuses to pull images;
  - registries.conf [5]: defines where to pull images from; without it,
    podman does not know how to pull un-qualified images (i.e. images
    where the registry is not specified in the path, and which Docker
    would fetch from the Docker Hub, e.g. "busybox:latest").

For those three files, we provide a very minimal default that (in the
same order as above):
  - uses the slirp4netns network backend for rootless operation (the
    default in podman is to use pasta [1], so we need to explicitly
    configure it to use slirp4netns);
  - allows pulling images whose signature can't be verified;
  - pulls unqualified images from the Docker Hub, as is traditional.

Providing actual files is going to be use-case dependent, and interested
parties will have to provide their own config files, e.g. in a rootfs
overlay.

Finally, we add a runtime test for podman. The official busybox image on
the Docker Hub supports a lot of architectures, of which armv7 which we
use for this runtime test. Finding a small image that also supports
armv7 on other registries was a bit of a challenge; we eventually found
one busybox image on quay.io, but it is not an official busybox image;
still, it fits the bill, so we use it.

The default kernel used in runtime tests is missing a lot of features,
so we need to build our own. We can't use cpio either, because we need a
filesystem that can be used as a lower and upper of overlayfs, which is
not possible with the filesystem the cpio is extracted into; ext2 fits
the bill, so we use that. We need a bit of space to store images and
stuff, so let's be generous and allocate 256M.

To test rootless operation, we need a non-root user that has some
special setup [6]; it is easier to run the commands from the infra
rather than carry a user-definition table and a rootfs overlay. We need
that user to have the same prompts (main and continuation) so that the
REPLWrapper still detects those; it has the unfortunate side effect that
it is not immediately obvious whether a command was run as root or not,
and one has to look back up in the run-log to see whether there was a
transition to another user earlier.

There is no runtime test with systemd, as this requires quite some
additional setup that does not look very trivial to do; when it detects
it is running under systemd in rootless mode, podman expects that a full
user session exists, or it whines about it every time it is started,
reverting to non-systemd behaviour. Getting a full user session does not
look to be that trivial (PAM?), so this would not exercise the actual
integration with systemd, the test would not be meaningful, and so it is
not provided. This is left as an exercise to an interested party to
extend the tests.

PS: Hat-tip to Raphael, who provided some pointers and hints on this
change, especially for rootless mode. Thanks! 👍

[0] https://podman.io/docs/installation#get-source-code
[1] it is possible to use another backend, but it is not packaged in
Buildroot yet: https://passt.top/passt/about/#pasta-pack-a-subtle-tap-abstraction
[2] podman expects a 'catatonit' helper in /usr/libexec/podman, so even
if tini would be usable instead, it would not feel right to use it to
impersonate catatonit. So let's assume that only catatonit is supported.
[3] https://github.com/containers/common/blob/main/docs/containers.conf.5.md
[4] https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md
[5] https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md
[6] https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md

Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Cc: Raphael Pavlidis <raphael.pavlidis@gmail.com>
Cc: Christian Stewart <christian@aperture.us>
Cc: Julien Olivain <ju.o@free.fr>

---
Changes v1 -> v2:
  - add licensing information  (Julien)

Changes v2 -> v3:
  - make it work with rootless
---
 package/Config.in                            |   1 +
 package/podman/Config.in                     |  41 ++++++
 package/podman/containers.conf               |   2 +
 package/podman/podman.hash                   |   3 +
 package/podman/podman.mk                     | 114 ++++++++++++++
 package/podman/policy.json                   |   7 +
 package/podman/registries.conf               |   1 +
 support/testing/tests/package/test_podman.py | 147 +++++++++++++++++++
 8 files changed, 316 insertions(+)
 create mode 100644 package/podman/Config.in
 create mode 100644 package/podman/containers.conf
 create mode 100644 package/podman/podman.hash
 create mode 100644 package/podman/podman.mk
 create mode 100644 package/podman/policy.json
 create mode 100644 package/podman/registries.conf
 create mode 100644 support/testing/tests/package/test_podman.py

diff --git a/package/Config.in b/package/Config.in
index 460955cb90..65c458bfa9 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -2868,6 +2868,7 @@ menu "System tools"
 	source "package/openvmtools/Config.in"
 	source "package/pamtester/Config.in"
 	source "package/petitboot/Config.in"
+	source "package/podman/Config.in"
 	source "package/polkit/Config.in"
 	source "package/powerpc-utils/Config.in"
 	source "package/procps-ng/Config.in"
diff --git a/package/podman/Config.in b/package/podman/Config.in
new file mode 100644
index 0000000000..21ece13a91
--- /dev/null
+++ b/package/podman/Config.in
@@ -0,0 +1,41 @@
+config BR2_PACKAGE_PODMAN
+	bool "podman"
+	depends on BR2_USE_MMU  # fork()
+	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS  # host-go
+	depends on BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS  # netavark
+	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS  # libgpgme
+	depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS  # libseccomp, slirp4netns
+	depends on BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_17  # libseccomp, slirp4netns
+	depends on BR2_TOOLCHAIN_HAS_THREADS  # conmon, slirp4netns
+	depends on BR2_USE_WCHAR  # conmon, slirp4netns
+	select BR2_PACKAGE_HOST_GO
+	select BR2_PACKAGE_CA_CERTIFICATES  # runtime
+	select BR2_PACKAGE_CATATONIT  # runtime
+	select BR2_PACKAGE_CGROUPFS_V2_MOUNT if !BR2_PACKAGE_CGROUPFS_MOUNT && !BR2_INIT_SYSTEMD  # runtime
+	select BR2_PACKAGE_CONMON  # runtime
+	select BR2_PACKAGE_IPTABLES  # runtime
+	select BR2_PACKAGE_LIBGPGME
+	select BR2_PACKAGE_LIBSECCOMP
+	select BR2_PACKAGE_NETAVARK  # runtime
+	select BR2_PACKAGE_RUNC if !BR2_PACKAGE_CRUN  # runtime
+	select BR2_PACKAGE_SHADOW
+	select BR2_PACKAGE_SHADOW_SUBORDINATE_IDS
+	select BR2_PACKAGE_SLIRP4NETNS  # runtime
+	help
+	  The best free & open source container tools
+
+	  Manage containers, pods, and images with Podman. Seamlessly
+	  work with containers and Kubernetes from your local
+	  environment.
+
+	  https://podman.io/
+
+comment "podman needs a toolchain w/ headers >= 3.17, threads, wchar"
+	depends on BR2_USE_MMU
+	depends on BR2_PACKAGE_HOST_GO_TARGET_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_HOST_RUSTC_TARGET_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_LIBGPG_ERROR_ARCH_SUPPORTS
+	depends on BR2_PACKAGE_LIBSECCOMP_ARCH_SUPPORTS
+	depends on !BR2_TOOLCHAIN_HEADERS_AT_LEAST_3_17 \
+		|| !BR2_TOOLCHAIN_HAS_THREADS \
+		|| !BR2_USE_WCHAR
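Review bot: `select BR2_PACKAGE_IPTABLES  # runtime` hard-wires the iptables firewall backend, although netavark (selected a few lines below) can also drive nftables, and the kernel fixups in podman.mk likewise only enable the xtables/IP_NF_* path. If nftables-only targets are out of scope for this first version, say so in the commit message; otherwise consider making the iptables selection conditional on the backend chosen in containers.conf.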
diff --git a/package/podman/containers.conf b/package/podman/containers.conf
new file mode 100644
index 0000000000..1db48c1905
--- /dev/null
+++ b/package/podman/containers.conf
@@ -0,0 +1,2 @@
+[network]
+default_rootless_network_cmd = "slirp4netns"
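Review bot: this file only pins the rootless network backend to slirp4netns, which the commit message explains (pasta is podman's default and is not packaged); the reason does not survive into the file itself, and this is exactly the file a user will copy into a rootfs overlay and edit. A `#` comment line above the key would carry the rationale along. The same [network] section is where netavark's `firewall_driver` would be set if the iptables selection in Config.in is ever made conditional, so it is the natural place to document that choice too.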
diff --git a/package/podman/podman.hash b/package/podman/podman.hash
new file mode 100644
index 0000000000..4cbba59dc0
--- /dev/null
+++ b/package/podman/podman.hash
@@ -0,0 +1,3 @@
+# Locally computed
+sha256  e5cae3433931e6d6259b72d8d6513661f70cb083ea338068604c47fff5666127  podman-v5.4.0-git4-go2.tar.gz
+sha256  62fb8a3a9621dc2388174caaabe9c2317b694bb9a1d46c98bcf5655b68f51be3  LICENSE
diff --git a/package/podman/podman.mk b/package/podman/podman.mk
new file mode 100644
index 0000000000..afa2c1b0ad
--- /dev/null
+++ b/package/podman/podman.mk
@@ -0,0 +1,114 @@
+################################################################################
+#
+# podman
+#
+################################################################################
+
+PODMAN_VERSION = v5.4.0
+PODMAN_SITE = https://github.com/containers/podman
+PODMAN_SITE_METHOD = git
+
+PODMAN_LICENSE = Apache-2.0
+PODMAN_LICENSE_FILES = LICENSE
+
+PODMAN_DEPENDENCIES = host-pkgconf libgpgme
+
+PODMAN_GOMOD = github.com/containers/podman/v5
+PODMAN_BUILD_TARGETS = cmd/podman
+PODMAN_TAGS = selinux
+
+# https://podman.io/docs/installation#get-source-code mandates that flag be
+# set, as device-mapper is not officially supported.
+PODMAN_TAGS += exclude_graphdriver_devicemapper
+
+# This is supposedly optional, but a basic (busybox:latest) image does not
+# even start without seccomp support
+PODMAN_DEPENDENCIES += libseccomp
+PODMAN_TAGS += seccomp
+
+# This is required for rootless containers, i.e containers started by non-root
+PODMAN_DEPENDENCIES += shadow
+PODMAN_TAGS += libsubid
+
+ifeq ($(BR2_PACKAGE_BTRFS_PROGS),y)
+PODMAN_DEPENDENCIES += btrfs-progs
+define PODMAN_LINUX_CONFIG_FIXUPS_BTRFS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BTRFS_FS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BTRFS_FS_POSIX_ACL)
+endef
+else
+PODMAN_TAGS += exclude_graphdriver_btrfs
+endif
+
+ifeq ($(BR2_PACKAGE_LIBAPPARMOR),y)
+PODMAN_DEPENDENCIES += libapparmor
+PODMAN_TAGS += apparmor
+endif
+
+ifeq ($(BR2_PACKAGE_SYSTEMD),y)
+PODMAN_DEPENDENCIES += systemd
+PODMAN_TAGS += systemd
+endif
+
+define PODMAN_LINUX_CONFIG_FIXUPS
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CPUSETS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BPF_SYSCALL)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_POSIX_MQUEUE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_MEMCG)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUPS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_SCHED)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_FREEZER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_DEVICE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_CPUACCT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_PIDS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_CGROUP_BPF)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NAMESPACES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_UTS_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IPC_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_PID_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_USER_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_NS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_SECCOMP)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_ADVANCED)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_ADDRTYPE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_COMMENT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_CONNTRACK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MARK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NETFILTER_XT_MATCH_IPVS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NF_CONNTRACK)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_IPTABLES)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_FILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_NAT)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_IP_NF_TARGET_MASQUERADE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_BRIDGE_NETFILTER)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_CORE)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_VETH)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_OVERLAY_FS)
+	$(call KCONFIG_ENABLE_OPT,CONFIG_KEYS)
+	$(PODMAN_LINUX_CONFIG_FIXUPS_BTRFS)
+endef
+
+define PODMAN_CONFIG
+	$(Q)$(INSTALL) -D -m 0644 \
+		$(PODMAN_PKGDIR)/containers.conf \
+		$(TARGET_DIR)/etc/containers/containers.conf
+	$(Q)$(INSTALL) -D -m 0644 \
+		$(PODMAN_PKGDIR)/policy.json \
+		$(TARGET_DIR)/etc/containers/policy.json
+	$(Q)$(INSTALL) -D -m 0644 \
+		$(PODMAN_PKGDIR)/registries.conf \
+		$(TARGET_DIR)/etc/containers/registries.conf
+endef
+PODMAN_POST_INSTALL_TARGET_HOOKS += PODMAN_CONFIG
+
+define PODMAN_HELPERS
+	$(Q)mkdir -p $(TARGET_DIR)/usr/libexec/podman
+	$(Q)ln -sf ../../bin/netavark $(TARGET_DIR)/usr/libexec/podman/netavark
+	$(Q)ln -sf ../../bin/catatonit $(TARGET_DIR)/usr/libexec/podman/catatonit
+endef
+PODMAN_POST_INSTALL_TARGET_HOOKS += PODMAN_HELPERS
+
+$(eval $(golang-package))
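Review bot: the `ifeq ($(BR2_PACKAGE_LIBAPPARMOR),y)` block adds the `apparmor` build tag and the libapparmor dependency but, unlike the btrfs block, adds no kernel fixup, so a configuration with libapparmor enabled can still boot a kernel without CONFIG_SECURITY_APPARMOR, and podman will then be unable to apply the profile it was built to apply. Suggest a PODMAN_LINUX_CONFIG_FIXUPS_APPARMOR that enables CONFIG_SECURITY and CONFIG_SECURITY_APPARMOR, wired into PODMAN_LINUX_CONFIG_FIXUPS the way the btrfs one is. Minor: `PODMAN_TAGS = selinux` is unconditional, which works because the Go SELinux bindings need no C library, but a one-line comment saying so would save the next reader the question.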
diff --git a/package/podman/policy.json b/package/podman/policy.json
new file mode 100644
index 0000000000..9333053f93
--- /dev/null
+++ b/package/podman/policy.json
@@ -0,0 +1,7 @@
+{
+  "default": [
+    {
+      "type": "insecureAcceptAnything"
+    }
+  ]
+}
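Review bot: `insecureAcceptAnything` as the only default requirement disables image signature verification for every transport and registry, so whatever a registry returns is accepted; the commit message presents this as a deliberate minimal default, but JSON carries no comments, so the warning cannot live in the file itself. Suggest stating in the Config.in help text that this policy is for bring-up only, and that a production image needs a `reject` default with per-registry `signedBy` or `sigstoreSigned` entries in its own policy.json, so that nobody ships the accept-anything file by accident.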
diff --git a/package/podman/registries.conf b/package/podman/registries.conf
new file mode 100644
index 0000000000..d44d892da3
--- /dev/null
+++ b/package/podman/registries.conf
@@ -0,0 +1 @@
+unqualified-search-registries = ["docker.io"]
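Review bot: with `unqualified-search-registries = ["docker.io"]`, a short name such as `busybox` silently becomes `docker.io/library/busybox`, which is what the commit message wants, but it also means that a mistyped short name resolves to whatever Docker Hub happens to serve under that name, with no signature check given the shipped policy.json. Worth a sentence in the commit message that production configurations should use fully qualified references (the runtime test already does so for `quay.io/prometheus/busybox:latest`) and that this default exists for convenience only.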
diff --git a/support/testing/tests/package/test_podman.py b/support/testing/tests/package/test_podman.py
new file mode 100644
index 0000000000..9e5be98b00
--- /dev/null
+++ b/support/testing/tests/package/test_podman.py
@@ -0,0 +1,147 @@
+import infra.basetest
+import json
+import os
+
+
+class TestPodman(infra.basetest.BRTest):
+    config = \
+        """
+        BR2_arm=y
+        BR2_cortex_a9=y
+        BR2_ARM_ENABLE_VFP=y
+        BR2_TOOLCHAIN_EXTERNAL=y
+        BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
+        BR2_PER_PACKAGE_DIRECTORIES=y
+        BR2_SYSTEM_DHCP="eth0"
+        BR2_LINUX_KERNEL=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
+        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.10.202"
+        BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
+        BR2_LINUX_KERNEL_DTS_SUPPORT=y
+        BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca9"
+        BR2_PACKAGE_PODMAN=y
+        BR2_PACKAGE_UTIL_LINUX=y
+        BR2_PACKAGE_UTIL_LINUX_MOUNT=y
+        BR2_PACKAGE_HOST_GO_BIN=y
+        BR2_TARGET_ROOTFS_EXT2=y
+        BR2_TARGET_ROOTFS_EXT2_SIZE="256M"
+        # BR2_TARGET_ROOTFS_TAR is not set
+        """
+
+    def test_run(self):
+        kernel_file = os.path.join(self.builddir, 'images', 'zImage')
+        dtb_file = os.path.join(self.builddir, 'images', 'vexpress-v2p-ca9.dtb')
+        ext2_file = os.path.join(self.builddir, 'images', 'rootfs.ext2')
+        self.emulator.boot(
+            arch='armv5',
+            kernel=kernel_file,
+            kernel_cmdline=[
+                'root=/dev/mmcblk0',
+                'rootwait',
+                'console=ttyAMA0',
+            ],
+            options=[
+                '-M', 'vexpress-a9',
+                '-dtb', dtb_file,
+                '-drive', f'file={ext2_file},if=sd,format=raw',
+            ]
+        )
+        self.emulator.login()
+
+        # Do some preparation for rootless use
+        self.assertRunOk("mount --make-shared /")
+        self.assertRunOk("chmod 666 /dev/net/tun")
+        self.assertRunOk("useradd -d /home/foo -m -s /bin/sh -u 1000 foo")
+        self.assertRunOk("touch /etc/subuid /etc/subgid")
+        self.assertRunOk("usermod --add-subuids 10000-75535 foo")
+        self.assertRunOk("usermod --add-subgids 10000-75535 foo")
+
+        # First, test podman as root (the current user)
+        self.do_podman()
+
+        # Now, test podman as non-root. We need a bit of setup
+        # We need to use the same prompts for the user as used for root, so that the
+        # REPLWrapper still detects the prompts. This means it is going to be a bit
+        # difficut to directly see that it was a user that executed a command.
+        self.assertRunOk('su -s /usr/bin/env - foo PS1="${PS1}" PS2="${PS2}" /bin/sh')
+        output, _ = self.emulator.run("id -u")
+        self.assertEqual(output[0], "1000", "Could not switch to non-root")
+        self.do_podman()
+
+    def do_podman(self):
+        # The podman binary is huge, so it takes time to load...
+        # Next calls will be faster, though, as it is going to be cached.
+        self.assertRunOk('podman --version', timeout=30)
+
+        # Check for an empty image store
+        output, exit_code = self.emulator.run("podman image ls --format '{{ json }}'")
+        img_info = json.loads("".join(output))
+        self.assertEqual(len(img_info), 0, f"{len(img_info)} image(s) already present")
+
+        # Pull an image; it can take time: network, hash checksums...
+        self.assertRunOk('podman image pull busybox:1.37.0', timeout=60)
+        output, exit_code = self.emulator.run("podman image ls --format '{{ json }}'")
+        img_info = json.loads("".join(output))
+        self.assertEqual(len(img_info), 1, f"{len(img_info)} image(s), expecting 1")
+        self.assertTrue("Id" in img_info[0], '"Id" not in img_info[0]')
+        self.assertTrue("Digest" in img_info[0], '"Digest" not in img_info[0]')
+        self.assertEqual(img_info[0]["Names"][0], "docker.io/library/busybox:1.37.0")
+
+        output, _ = self.emulator.run('echo ${br_container}')
+        self.assertEqual(output[0], "", "Already in a container")
+
+        # Spawn the container; that can take a bit of time
+        # Propagate the prompt so that the REPLWrapper detects it
+        self.assertRunOk(
+            "podman container run --rm -ti -e PS1 -e br_container=podman busybox:1.37.0",
+            timeout=60,
+        )
+        # Twist! The command above is still running, but the shell it
+        # started exposes the same prompt we expect. This is all what we want.
+        output, _ = self.emulator.run('echo ${br_container}')
+        self.assertEqual(output[0], "podman", "Not in a podman container")
+
+        # Check that pid1 is the shell
+        output, _ = self.emulator.run('readlink /proc/1/exe')
+        self.assertEqual(output[0], "/bin/sh", f"PID1 is {output[0]}, should be /bin/sh")
+
+        # Exit the container
+        self.assertRunOk("exit 0")
+        # Twist, take two! We are now back to the shell in the VM.
+        output, _ = self.emulator.run('echo ${br_container}')
+        self.assertEqual(output[0], "", "Still in a container")
+
+        # Spawn a container, round two, but with an injected init this time
+        self.assertRunOk("podman container run --rm -ti -e PS1 --init -e br_container=podman busybox:1.37.0", timeout=60)
+        output, _ = self.emulator.run('echo ${br_container}')
+        self.assertEqual(output[0], "podman", "Not in a podman container")
+
+        # Check that pid1 is the init injected by podman
+        output, _ = self.emulator.run('readlink /proc/1/exe')
+        self.assertEqual(output[0], "/run/podman-init", f"PID1 is {output[0]}, should be /run/podman-init")
+
+        # Exit the container
+        self.assertRunOk("exit 0")
+        output, _ = self.emulator.run('echo ${br_container}')
+        self.assertEqual(output[0], "", "Still in a container")
+
+        # Remove the image
+        self.assertRunOk('podman image rm busybox:1.37.0')
+        output, exit_code = self.emulator.run("podman image ls --format '{{ json }}'")
+        img_info = json.loads("".join(output))
+        self.assertEqual(len(img_info), 0, f"{len(img_info)} image(s) still present, expecting 0")
+
+        # Use an image from another registry, spawn without pulling first
+        self.assertRunOk(
+            "podman container run --rm -ti -e PS1 -e br_container=podman quay.io/prometheus/busybox:latest",
+            timeout=60,
+        )
+        output, _ = self.emulator.run('echo ${br_container}')
+        self.assertEqual(output[0], "podman", "Not in a podman container")
+        self.assertRunOk("exit 0")
+        output, _ = self.emulator.run('echo ${br_container}')
+        self.assertEqual(output[0], "", "Still in a container")
+        self.assertRunOk('podman image prune -af')
+        output, exit_code = self.emulator.run("podman image ls --format '{{ json }}'")
+        img_info = json.loads("".join(output))
+        self.assertEqual(len(img_info), 0, f"{len(img_info)} image(s) still present, expecting 0")
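Review bot: every `output, exit_code = self.emulator.run("podman image ls --format '{{ json }}'")` discards exit_code and feeds output straight to json.loads, so a failing `podman image ls` (for instance storage not initialised for the non-root user) surfaces as a JSONDecodeError instead of as podman's error text; assert on exit_code before parsing, or use self.assertRunOk for the command and parse only on success. Two smaller points: the image references are tag-only (`busybox:1.37.0`, `quay.io/prometheus/busybox:latest`) under an accept-anything policy, so the test's inputs are whatever the registries serve at run time, and a digest-pinned reference would make failures attributable; and `useradd ... foo` is not idempotent on the persistent ext2 image, so a second run of the test against the same image fails at that line.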
-- 
2.47.0

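The three files the patch ships decide two things for an unqualified name such as busybox:1.37.0: registries.conf says which registry it is fetched from, and policy.json says whether its signature is checked. The following is an added example, not code from the Buildroot patch nor from podman or containers/image: it re-implements, in Python, the short-name qualification rule of registries.conf and the most-specific-scope lookup of policy.json, and runs both over the shipped accept-anything policy and over a hardened alternative. The hardened policy, its scopes and its key paths under /etc/pki/containers/ are constructed for illustration and are not part of the patch.

```python
"""Resolve a podman short image name and find the signature policy that
applies to it, following the rules of containers-registries.conf and
containers-policy.json.

Added example, not part of the Buildroot patch or of podman. All data
below is constructed in-line; the key paths are placeholders.
"""
import json

# Constructed: the registries.conf shipped by the patch, as Python data
UNQUALIFIED_SEARCH_REGISTRIES = ["docker.io"]

# Constructed: the policy.json shipped by the patch
BUILDROOT_POLICY = json.loads('{"default": [{"type": "insecureAcceptAnything"}]}')

# Constructed: a hardened policy; reject by default, verify per namespace
HARDENED_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "docker.io/library": [
                {"type": "signedBy", "keyType": "GPGKeys",
                 "keyPath": "/etc/pki/containers/library.gpg"}
            ],
            "quay.io/prometheus": [
                {"type": "sigstoreSigned",
                 "keyPath": "/etc/pki/containers/prometheus-cosign.pub"}
            ],
        }
    },
}


def qualify(name, search_registries=UNQUALIFIED_SEARCH_REGISTRIES):
    """Turn 'busybox:1.37.0' into 'docker.io/library/busybox:1.37.0'.
    A name is already qualified when its first path component looks like a
    registry (contains '.' or ':' or is 'localhost'); otherwise the first
    unqualified-search registry is prepended, and single-component names
    on docker.io get the implicit 'library/' namespace."""
    if "/" in name:
        first = name.split("/", 1)[0]
        if "." in first or ":" in first or first == "localhost":
            return name
    if not search_registries:
        raise ValueError(f"short name {name!r} and no unqualified-search-registries")
    registry = search_registries[0]
    if registry == "docker.io" and "/" not in name:
        name = "library/" + name
    return f"{registry}/{name}"


def strip_tag_or_digest(ref):
    """'docker.io/library/busybox:1.37.0' -> 'docker.io/library/busybox'.
    A ':' after the last '/' is a tag; before it, it is a registry port."""
    repo = ref.split("@", 1)[0]
    if repo.rfind(":") > repo.rfind("/"):
        repo = repo[:repo.rfind(":")]
    return repo


def policy_for(policy, ref, transport="docker"):
    """Requirements that apply to ref: the most specific scope under
    transports[transport] wins (full reference, repository, each parent
    namespace, bare registry, then the transport's '' scope), else default."""
    scopes = policy.get("transports", {}).get(transport, {})
    if ref in scopes:
        return scopes[ref]
    candidate = strip_tag_or_digest(ref)
    while candidate:
        if candidate in scopes:
            return scopes[candidate]
        if "/" not in candidate:
            break
        candidate = candidate.rsplit("/", 1)[0]
    return scopes.get("", policy["default"])


def is_signature_enforced(policy, ref):
    """True only if every applicable requirement demands a verified signature."""
    reqs = policy_for(policy, ref)
    return bool(reqs) and all(r["type"] in ("signedBy", "sigstoreSigned") for r in reqs)


def audit(policy):
    """Scopes (including 'default') whose requirements contain
    insecureAcceptAnything; an empty list means verification is never skipped."""
    findings = []
    if any(r["type"] == "insecureAcceptAnything" for r in policy.get("default", [])):
        findings.append("default")
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            if any(r["type"] == "insecureAcceptAnything" for r in reqs):
                findings.append(f"{transport}:{scope or '<transport default>'}")
    return findings


if __name__ == "__main__":
    for short in ("busybox:1.37.0", "quay.io/prometheus/busybox:latest", "ghcr.io/foo/bar"):
        ref = qualify(short)
        print(f"{short} -> {ref}: shipped={policy_for(BUILDROOT_POLICY, ref)[0]['type']}"
              f" hardened={policy_for(HARDENED_POLICY, ref)[0]['type']}")
    print("shipped policy findings:", audit(BUILDROOT_POLICY))
```

Running the module prints, for each reference, the requirement type that applies under each policy; audit() is the kind of check a post-image hook or runtime test could run over the installed /etc/containers/policy.json so that an accept-anything default does not survive into a production image unnoticed.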

* Re: [Buildroot] [PATCH 2/9 v3] package/shadow: install to staging for subids
  2025-03-01 15:05 ` [Buildroot] [PATCH 2/9 v3] package/shadow: install to staging for subids Yann E. MORIN
@ 2025-03-07 13:15   ` Raphael Pavlidis
  0 siblings, 0 replies; 24+ messages in thread
From: Raphael Pavlidis @ 2025-03-07 13:15 UTC (permalink / raw)
  To: Yann E. MORIN, buildroot

Hello Yann,
the changes look good.

Thank you.

Regards,
Raphael


On 3/1/25 16:05, Yann E. MORIN wrote:
> When the subids feature is enabled, shadow will install a library and a
> header:
> 
>      $ sort output/build/shadow-4.16.0/.files-list.txt
>      [...]
>      shadow,./lib/libsubid.la
>      shadow,./lib/libsubid.so
>      shadow,./lib/libsubid.so.5
>      shadow,./lib/libsubid.so.5.0.0
>      [...]
>      shadow,./usr/include/shadow/subid.h
>      [...]
> 
> Install to staging in that case.
> 
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
> Cc: Raphael Pavlidis <raphael.pavlidis@gmail.com>
> ---
>   package/shadow/shadow.mk | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/package/shadow/shadow.mk b/package/shadow/shadow.mk
> index cea984012d..c598ad88fd 100644
> --- a/package/shadow/shadow.mk
> +++ b/package/shadow/shadow.mk
> @@ -46,6 +46,7 @@ SHADOW_CONF_OPTS += --disable-account-tools-setuid
>   endif
>   
>   ifeq ($(BR2_PACKAGE_SHADOW_SUBORDINATE_IDS),y)
> +SHADOW_INSTALL_STAGING = YES
>   SHADOW_CONF_OPTS += --enable-subordinate-ids
>   define SHADOW_SUBORDINATE_IDS_PERMISSIONS
>   	/usr/bin/newuidmap f 4755 0 0 - - - - -
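Review bot: putting `SHADOW_INSTALL_STAGING = YES` inside the subordinate-IDs conditional is right, since libsubid.so and subid.h only exist in that configuration, but the permissions table just below makes /usr/bin/newuidmap setuid root (4755), and that setuid path is exactly what rootless podman relies on. The commit message should spell out that enabling this option adds setuid binaries to the target, because a user who selects podman gets them through `select BR2_PACKAGE_SHADOW_SUBORDINATE_IDS` without ever seeing this file.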

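The subordinate ID ranges that the setuid newuidmap/newgidmap hand to rootless podman (the podman runtime test in this series gives user foo 10000-75535) are a trust boundary on the host: two users whose /etc/subuid ranges overlap can reach each other's container files, and a range that covers a real account's UID lets a process inside the container act as that account outside it. The following is an added example, not part of the shadow patch, of podman or of the Buildroot test infrastructure: a Python checker that parses /etc/subuid-style and /etc/passwd-style text and reports overlaps, collisions with real accounts, undersized ranges and the next free start. The file contents embedded in it are constructed for illustration.

```python
"""Sanity-check /etc/subuid (or /etc/subgid) ranges for rootless containers.

Added example, not part of the Buildroot shadow patch or of podman.
The file contents below are constructed for illustration.
"""

# Constructed /etc/subuid: foo matches the runtime test's 10000-75535,
# bar overlaps foo, tiny is too small for a typical image, baz is fine.
SUBUID = """\
foo:10000:65536
bar:70000:65536
tiny:300000:1000
baz:165536:65536
"""

# Constructed /etc/passwd: svc's real UID lands inside foo's range.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
foo:x:1000:1000::/home/foo:/bin/sh
bar:x:1001:1001::/home/bar:/bin/sh
svc:x:20000:20000::/:/bin/false
"""

MIN_COUNT = 65536  # enough IDs to map a full 16-bit UID space per user


def parse_subid(text):
    """Parse 'name:start:count' lines into (name, start, count) tuples,
    skipping blanks and comments; reject zero or negative values."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        start, count = int(start), int(count)
        if count <= 0 or start < 0:
            raise ValueError(f"line {lineno}: bad range {line!r}")
        entries.append((name, start, count))
    return entries


def parse_passwd_uids(text):
    """Return {account: uid} from passwd-format text."""
    uids = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            uids[fields[0]] = int(fields[2])
    return uids


def find_overlaps(entries):
    """Pairs of distinct owners whose ranges intersect, in file order.
    An overlap lets one user's container 'root' map onto the other's files."""
    found = []
    for i, (a, a_start, a_count) in enumerate(entries):
        a_end = a_start + a_count  # exclusive
        for b, b_start, b_count in entries[i + 1:]:
            if a != b and a_start < b_start + b_count and b_start < a_end:
                found.append((a, b))
    return found


def find_real_account_collisions(entries, passwd_text):
    """(owner, account, uid) where a real account's UID falls inside a
    subordinate range; a process in that container could act as the account."""
    uids = parse_passwd_uids(passwd_text)
    hits = []
    for owner, start, count in entries:
        for account, uid in uids.items():
            if start <= uid < start + count:
                hits.append((owner, account, uid))
    return hits


def find_too_small(entries, min_count=MIN_COUNT):
    """Owners whose range cannot map the usual 65536 IDs of an image."""
    return [name for name, _, count in entries if count < min_count]


def next_free_start(entries):
    """First ID above every allocated range: a safe start for a new user."""
    return max(start + count for _, start, count in entries)


def check(subid_text=SUBUID, passwd_text=PASSWD):
    """Run all checks over the given texts and return the findings."""
    entries = parse_subid(subid_text)
    return {
        "overlaps": find_overlaps(entries),
        "real_accounts": find_real_account_collisions(entries, passwd_text),
        "too_small": find_too_small(entries),
        "next_free_start": next_free_start(entries),
    }


if __name__ == "__main__":
    for key, value in check().items():
        print(f"{key}: {value}")
```

On a real target the same functions would be fed the contents of /etc/subuid, /etc/subgid and /etc/passwd; the overlap and real-account checks are the ones worth running from a runtime test before the `usermod --add-subuids` step, since shadow itself does not refuse overlapping ranges.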

* Re: [Buildroot] [PATCH 4/9 v3] package/slirp4netns: needs TUN support in the kernel
  2025-03-01 15:05 ` [Buildroot] [PATCH 4/9 v3] package/slirp4netns: needs TUN support in the kernel Yann E. MORIN
@ 2025-03-07 13:20   ` Raphael Pavlidis
  0 siblings, 0 replies; 24+ messages in thread
From: Raphael Pavlidis @ 2025-03-07 13:20 UTC (permalink / raw)
  To: Yann E. MORIN, buildroot

Hello Yann,
the changes look good.

On 3/1/25 16:05, Yann E. MORIN wrote:
[snip]
>   
> +define SLIRP4NETNS_LINUX_CONFIG_FIXUPS
> +	$(call KCONFIG_ENABLE_OPT,CONFIG_NET)
> +	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_CORE)
> +	$(call KCONFIG_ENABLE_OPT,CONFIG_NETDEVICES)
> +	$(call KCONFIG_ENABLE_OPT,CONFIG_NET_CORE)
> +	$(call KCONFIG_ENABLE_OPT,CONFIG_INET)
> +	$(call KCONFIG_ENABLE_OPT,CONFIG_TUN)
> +endef
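Review bot: CONFIG_NET_CORE is enabled twice in SLIRP4NETNS_LINUX_CONFIG_FIXUPS (second and fourth lines); harmless, but the duplicate should go. CONFIG_TUN is the option slirp4netns actually needs, since it opens /dev/net/tun, so the commit message could add that rootless use further requires that device node to be accessible to the unprivileged user, which is what the podman runtime test in this series does with a chmod.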

Yes, you are right; those kernel configurations have to be applied.

Thank you for the trial and error. ;)

[snip]

Regards,
Raphael


* Re: [Buildroot] [PATCH 9/9 v3] package/podman: new package
  2025-03-01 15:05 ` [Buildroot] [PATCH 9/9 v3] package/podman: " Yann E. MORIN
@ 2025-03-07 13:40   ` Raphael Pavlidis
  2025-03-07 19:38     ` Christian Stewart via buildroot
  2025-03-08 11:00     ` Yann E. MORIN
  2025-03-07 18:55   ` Julien Olivain
  1 sibling, 2 replies; 24+ messages in thread
From: Raphael Pavlidis @ 2025-03-07 13:40 UTC (permalink / raw)
  To: Yann E. MORIN, buildroot; +Cc: Christian Stewart, Julien Olivain

Hello Yann, All,

On 3/1/25 16:05, Yann E. MORIN wrote:
[snip]
> 
> The documentation [0] states that seccomp can be disabled (i.e. not
> enabled), but we were unable to start a container without seccomp
> support in podman. So we make that mandatory.

You can start a container without seccomp by passing the
`--security-opt=seccomp=unconfined` option. But it is okay for me if it 
is mandatory.

> 
[snip]
> 
> Similar to Docker, podman can inject a minimalist init as PID1 in
> containers, and like Docker, this is optional; podman however can only
> use catatonit as such an init [2]. Given the size of catatonit (1.3%
> that of podman!), we do not bother to make it optional, and always
> enable it as well.

I think systemd can also be used as an init. According to the 
documentation [1].

[snip]
> +	select BR2_PACKAGE_IPTABLES  # runtime

I am sure that you do not need iptables if you are using nftables.

[snip]
> +		$(PODMAN_PKGDIR)/containers.conf \
> +		$(TARGET_DIR)/etc/containers/containers.conf
> +	$(Q)$(INSTALL) -D -m 0644 \
> +		$(PODMAN_PKGDIR)/policy.json \
> +		$(TARGET_DIR)/etc/containers/policy.json
> +	$(Q)$(INSTALL) -D -m 0644 \
> +		$(PODMAN_PKGDIR)/registries.conf \
> +		$(TARGET_DIR)/etc/containers/registries.conf

Just for curiosity, why not install those files under 
/usr/share/containers?

[snip]

Thanks for your good work.

Regards,
Raphael Pavlidis

[1]: 
https://docs.podman.io/en/latest/markdown/podman-run.1.html#systemd-true-false-always


* Re: [Buildroot] [PATCH 1/9 v3] support/testing: set date in emulated machine
  2025-03-01 15:05 ` [Buildroot] [PATCH 1/9 v3] support/testing: set date in emulated machine Yann E. MORIN
@ 2025-03-07 18:49   ` Julien Olivain
  2025-03-08 11:07     ` Yann E. MORIN
  0 siblings, 1 reply; 24+ messages in thread
From: Julien Olivain @ 2025-03-07 18:49 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: buildroot, Ricardo Martincoski, Thomas Petazzoni

Hi Yann, all,

On 01/03/2025 16:05, Yann E. MORIN wrote:
> When time comes to check certificates, the date and time in the emulated
> machine should be close enough to the actual values, so that certificate
> validity can be checked.
> 
> Set the date to the date of the system. This is going to be accurate to
> the second, which is, by far, enough for our purpose.
> 
> The Emulator() class doesn't inherit from unittest.TestCase, so we can't
> call any of the usual self.assertXXX() methods; instead, we just raise
> a standard exception, like is done a few lines above to detect the login
> prompt.
> 
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
> Cc: Ricardo Martincoski <ricardo.martincoski@datacom.com.br>
> Cc: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
> 
> ---
> Changes v1 -> v2:
>   - catch failure to set the date
> ---
>  support/testing/infra/emulator.py | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/support/testing/infra/emulator.py 
> b/support/testing/infra/emulator.py
> index ef5be2a19e..9be1143944 100644
> --- a/support/testing/infra/emulator.py
> +++ b/support/testing/infra/emulator.py
> @@ -5,6 +5,7 @@ import os
> 
>  import pexpect
>  import pexpect.replwrap
> +import time
> 
>  import infra
> 
> @@ -152,6 +153,10 @@ class Emulator(object):
> 
>          self.connect_shell()
> 
> +        output, exit_code = self.run(f"date @{int(time.time())}")
> +        if exit_code:
> +            raise SystemError("Cannot set date in virtual machine")
> +
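Review bot: `date @<epoch>` without `-s` relies on BusyBox's extension of treating a bare non-`+` argument as the time to set; GNU coreutils date rejects that form, so a test image built with coreutils would raise the SystemError on every boot even though the clock could have been set. `date -s @<epoch>` works with both and costs nothing. Also, `output` is assigned and never used, and the value written is the host clock at the moment the shell connects, which is fine for certificate validity (the point of the patch) but is not a clock source that drifts with the guest afterwards.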

Is this really needed?

Arm and Aarch64 qemu machines includes a pl031 RTC.
x86/x86_64 includes a mc146818 RTC.
RISC-V has a Goldfish RTC.

If we revert this patch, the podman runtime test still succeeds.
In the runtime log "TestPodman-run.log", when the kernel boots,
we see:

...
rtc-pl031 10017000.rtc: registered as rtc0
rtc-pl031 10017000.rtc: setting system clock to 2025-03-07T17:38:24 UTC (1741369104)
...

I understand that it is not always guaranteed that the qemu machine
has a rtc and the used kernel has a driver for it, which is why we
would like to set the date like this. But this could be left to the
test implementer to make sure this is properly handled. And in the
podman test case, you did.

What do you think?

Best regards,

Julien.

* Re: [Buildroot] [PATCH 9/9 v3] package/podman: new package
  2025-03-01 15:05 ` [Buildroot] [PATCH 9/9 v3] package/podman: " Yann E. MORIN
  2025-03-07 13:40   ` Raphael Pavlidis
@ 2025-03-07 18:55   ` Julien Olivain
  2025-03-08 11:34     ` Yann E. MORIN
  1 sibling, 1 reply; 24+ messages in thread
From: Julien Olivain @ 2025-03-07 18:55 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: buildroot, Raphael Pavlidis, Christian Stewart

Hi Yann, all,

On 01/03/2025 16:05, Yann E. MORIN wrote:
> Podman is a container manager not unlike Docker, but is daemon-less.

[...]

> diff --git a/support/testing/tests/package/test_podman.py 
> b/support/testing/tests/package/test_podman.py
> new file mode 100644
> index 0000000000..9e5be98b00
> --- /dev/null
> +++ b/support/testing/tests/package/test_podman.py
> @@ -0,0 +1,147 @@
> +import infra.basetest
> +import json
> +import os
> +
> +
> +class TestPodman(infra.basetest.BRTest):
> +    config = \
> +        """
> +        BR2_arm=y
> +        BR2_cortex_a9=y
> +        BR2_ARM_ENABLE_VFP=y
> +        BR2_TOOLCHAIN_EXTERNAL=y
> +        BR2_TOOLCHAIN_EXTERNAL_BOOTLIN=y
> +        BR2_PER_PACKAGE_DIRECTORIES=y
> +        BR2_SYSTEM_DHCP="eth0"
> +        BR2_LINUX_KERNEL=y
> +        BR2_LINUX_KERNEL_CUSTOM_VERSION=y
> +        BR2_LINUX_KERNEL_CUSTOM_VERSION_VALUE="5.10.202"
> +        BR2_LINUX_KERNEL_DEFCONFIG="vexpress"
> +        BR2_LINUX_KERNEL_DTS_SUPPORT=y
> +        BR2_LINUX_KERNEL_INTREE_DTS_NAME="vexpress-v2p-ca9"
> +        BR2_PACKAGE_PODMAN=y
> +        BR2_PACKAGE_UTIL_LINUX=y
> +        BR2_PACKAGE_UTIL_LINUX_MOUNT=y
> +        BR2_PACKAGE_HOST_GO_BIN=y
> +        BR2_TARGET_ROOTFS_EXT2=y
> +        BR2_TARGET_ROOTFS_EXT2_SIZE="256M"
> +        # BR2_TARGET_ROOTFS_TAR is not set
> +        """
> +
> +    def test_run(self):
> +        kernel_file = os.path.join(self.builddir, 'images', 'zImage')
> +        dtb_file = os.path.join(self.builddir, 'images', 
> 'vexpress-v2p-ca9.dtb')
> +        ext2_file = os.path.join(self.builddir, 'images', 
> 'rootfs.ext2')
> +        self.emulator.boot(
> +            arch='armv5',
> +            kernel=kernel_file,
> +            kernel_cmdline=[
> +                'root=/dev/mmcblk0',
> +                'rootwait',
> +                'console=ttyAMA0',
> +            ],
> +            options=[
> +                '-M', 'vexpress-a9',
> +                '-dtb', dtb_file,
> +                '-drive', f'file={ext2_file},if=sd,format=raw',
> +            ]
> +        )
> +        self.emulator.login()
> +
> +        # Do some preparation for rootless use
> +        self.assertRunOk("mount --make-shared /")
> +        self.assertRunOk("chmod 666 /dev/net/tun")
> +        self.assertRunOk("useradd -d /home/foo -m -s /bin/sh -u 1000 
> foo")
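Review bot: `chmod 666 /dev/net/tun` makes the TUN device world-writable in the guest, which is the broadest possible way of letting slirp4netns open it for user foo; acceptable in a throwaway test image, but the comment above these lines should say so explicitly, so that nobody lifts the four preparation commands into a rootfs overlay as the recommended rootless setup (a dedicated group on the device node, or a udev rule, is the usual approach). `mount --make-shared /` likewise changes mount propagation for the whole root and deserves a word on why rootless podman needs it.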

It would be nice to keep tests idempotent. This can be useful
while debugging tests, and avoid rebuilding everything at each
attempt. It is even more useful in tests with a long build time
like this one.

In the current state, running the test once with the command:

     utils/docker-run support/testing/run-tests \
         -k -d dl -o output_folder \
         tests.package.test_podman

succeeds. But running it a second time, it fails with error:

     useradd: user 'foo' already exists

This is because this test emulates persistent storage.

If possible, could you improve the test to make sure it can run
at least two times in a row with the run-tests "-k" option, please?

For example, with a construct like:

id -u foo || useradd ... foo

There are possibly a few other places that might need cleanup too.

Best regards,

Julien.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH 9/9 v3] package/podman: new package
  2025-03-07 13:40   ` Raphael Pavlidis
@ 2025-03-07 19:38     ` Christian Stewart via buildroot
  2025-03-08 11:02       ` Yann E. MORIN
  2025-03-08 11:00     ` Yann E. MORIN
  1 sibling, 1 reply; 24+ messages in thread
From: Christian Stewart via buildroot @ 2025-03-07 19:38 UTC (permalink / raw)
  To: Raphael Pavlidis; +Cc: Yann E. MORIN, Buildroot Mailing List, Julien Olivain



Hi,

On Fri, Mar 7, 2025, 5:40 AM Raphael Pavlidis <raphael.pavlidis@gmail.com>
wrote:

> Hello Yann, All,
>
> On 3/1/25 16:05, Yann E. MORIN wrote:
>
> I am sure that you do not need iptables if you are using nftables.
>
> [snip]
> > +             $(PODMAN_PKGDIR)/containers.conf \
> > +             $(TARGET_DIR)/etc/containers/containers.conf
> > +     $(Q)$(INSTALL) -D -m 0644 \
> > +             $(PODMAN_PKGDIR)/policy.json \
> > +             $(TARGET_DIR)/etc/containers/policy.json
> > +     $(Q)$(INSTALL) -D -m 0644 \
> > +             $(PODMAN_PKGDIR)/registries.conf \
> > +             $(TARGET_DIR)/etc/containers/registries.conf
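Review bot: the three `$(INSTALL) -D -m 0644` rules put package defaults under $(TARGET_DIR)/etc/containers/, which is the location for administrator overrides; the containers.conf(5) description cited below in this thread lists /usr/share/containers/containers.conf as the vendor-defaults file read before /etc/containers/containers.conf, so at least containers.conf belongs under $(TARGET_DIR)/usr/share/containers/. Since policy.json decides which images may be pulled and whether signatures are required, the commit log should also state what the shipped default policy permits.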
>
> Just for curiosity, why not install those files under
> /usr/share/containers?
>

I agree that as far as the defaults we install with the package, they
should go to /usr/share/containers

https://github.com/containers/common/blob/main/docs/containers.conf.5.md

Container engines read the /usr/share/containers/containers.conf,
/etc/containers/containers.conf, and
/etc/containers/containers.conf.d/*.conf for global configuration that
effects all users.

Otherwise looks good!

Best,
Christian


* Re: [Buildroot] [PATCH 9/9 v3] package/podman: new package
  2025-03-07 13:40   ` Raphael Pavlidis
  2025-03-07 19:38     ` Christian Stewart via buildroot
@ 2025-03-08 11:00     ` Yann E. MORIN
  2025-03-09  8:30       ` Yann E. MORIN
  2025-03-09 22:14       ` Yann E. MORIN
  1 sibling, 2 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-08 11:00 UTC (permalink / raw)
  To: Raphael Pavlidis; +Cc: buildroot, Christian Stewart, Julien Olivain

Raphael, All,

On 2025-03-07 14:40 +0100, Raphael Pavlidis spake thusly:
> On 3/1/25 16:05, Yann E. MORIN wrote:
> > The documentation [0] states that seccomp can be disabled (i.e. not
> > enabled), but we were unable to start a container without seccomp
> > support in podman. So we make that mandatory.
> You can start a container without seccomp by passing the
> `--security-opt=seccomp=unconfined` option. But it is okay for me if it is
> mandatory.

Ok, good to know. But it means that, by default, podman uses seccomp,
and there is no way (that I could find, like in containers/conf for
example) to disable it unless with a non-trivial --option. Also, having
seccomp support does not preclude not using it. So I would still
consider that, for the Buildroot integration, we can make it mandatory.

Thanks for the hint about the --option!

> > Similar to Docker, podman can inject a minimalist init as PID1 in
> > containers, and like Docker, this is optional; podman however can only
> > use catatonit as such an init [2]. Given the size of catatonit (1.3%
> > that of podman!), we do not bother to make it optional, and always
> > enable it as well.
> I think systemd can also be used as an init. According to the documentation
> [1].

    https://docs.podman.io/en/latest/markdown/podman-run.1.html#init

As far as I understand it, using --init is what will cause catatonit to
be mounted into the container, and then called as PID 1, with catatonit
then spawning the actual command (or entrypoint etc...).

Using --systemd=XXX is "just" a way to tell podman to automatically do
a few preliminary setup steps (mounting tmpfs where needed, etc...) before
spawning the command in the container (i.e. either the one specified on
the podman command line, or the entrypoint etc...). With --systemd=true
the setup is done if the command is systemd, /usr/sbin/init, /sbin/init
or /usr/local/sbin/init (whether those are actually systemd or not, by
the way!); with --systemd=false, the setup is never done, and with
--systemd=always, the setup is always done.

Of course, I would expect that using --init (and thus catatonit as PID
1), with a systemd in the container, will not play nicely, as systemd
would not be PID 1...

So, I think the catatonit init is unrelated to systemd, and one can not
use systemd as the process used by podman --init. Of course, it is
entirely possible that I misunderstood that part of podman too. ;-)

> > +	select BR2_PACKAGE_IPTABLES  # runtime
> I am sure that you do not need iptables if you are using nftables.

I briefly tried with nftables, it did not work, so I did not investigate
further; IIRC it was before I had to write containers.conf, so maybe we
can specify the firewall driver there... Ah, yes, it seems we can do
that:

    firewall_driver=""

    The firewall driver to be used by netavark. [...] supported drivers
    are "iptables", "nftables" [...]

I can regive it a spin, and add a blurb in the commit log if the outcome
is still negative.

But either way, it can be an improvement afterwards, once the series is
applied.

> > +		$(PODMAN_PKGDIR)/containers.conf \
> > +		$(TARGET_DIR)/etc/containers/containers.conf
> > +	$(Q)$(INSTALL) -D -m 0644 \
> > +		$(PODMAN_PKGDIR)/policy.json \
> > +		$(TARGET_DIR)/etc/containers/policy.json
> > +	$(Q)$(INSTALL) -D -m 0644 \
> > +		$(PODMAN_PKGDIR)/registries.conf \
> > +		$(TARGET_DIR)/etc/containers/registries.conf
> Just for curiosity, why not install those files under
> /usr/share/containers?

The first such file I wrote was policy.json, and the documentation for it
states [0]:

    By default, the policy is read from $HOME/.config/containers/policy.json,
    if it exists, otherwise from /etc/containers/policy.json ; [...]

So I did not look further and put it in /etc/containers/. Then I had to
write registries.conf (for seamless access to the docker hub), and again
the documentation also states [1]:

    By default, the policy is read from $HOME/.config/containers/policy.json,
    if it exists, otherwise from /etc/containers/policy.json ; [...]

So again, I put it /etc/containers/ without much ado. And when it came
to write containers.conf to use slirp4netns instead of pasta, it seemed
like a good idea to put it there too, and as the documentation also
states this is a valid location [2], I decided to put all config files
together.

I now looked at my Fedora, and policy.json and registries.json are
indeed in /etc, but containers.conf is in /usr/share/. I'll move it.

Thanks for the good and interesting feedback! :-)

Regards,
Yann E. MORIN.

[0] https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md#description
[1] https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#description
[2] https://github.com/containers/common/blob/main/docs/containers.conf.5.md#description

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

* Re: [Buildroot] [PATCH 9/9 v3] package/podman: new package
  2025-03-07 19:38     ` Christian Stewart via buildroot
@ 2025-03-08 11:02       ` Yann E. MORIN
  0 siblings, 0 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-08 11:02 UTC (permalink / raw)
  To: Christian Stewart
  Cc: Raphael Pavlidis, Buildroot Mailing List, Julien Olivain

Christian, All,

On 2025-03-07 11:38 -0800, Christian Stewart spake thusly:
> On Fri, Mar 7, 2025, 5:40 AM Raphael Pavlidis <[1]raphael.pavlidis@gmail.com>
> wrote:
>     On 3/1/25 16:05, Yann E. MORIN wrote:
>     > +             $(PODMAN_PKGDIR)/containers.conf \
>     > +             $(TARGET_DIR)/etc/containers/containers.conf
>     > +     $(Q)$(INSTALL) -D -m 0644 \
>     > +             $(PODMAN_PKGDIR)/policy.json \
>     > +             $(TARGET_DIR)/etc/containers/policy.json
>     > +     $(Q)$(INSTALL) -D -m 0644 \
>     > +             $(PODMAN_PKGDIR)/registries.conf \
>     > +             $(TARGET_DIR)/etc/containers/registries.conf
>     Just for curiosity, why not install those files under
>     /usr/share/containers?
> I agree that as far as the defaults we install with the package, they should go
> to /usr/share/containers
> [2]https://github.com/containers/common/blob/main/docs/containers.conf.5.md
> 
> Container engines read the /usr/share/containers/containers.conf, /etc/
> containers/containers.conf, and /etc/containers/containers.conf.d/*.conf for
> global configuration that effects all users.

See my reply to Raphael, that explains why I choose those locations for
those files.

I'll move the containers.conf file to its primary location, in
/usr/share/, in the next respin.

Thanks!

Regards,
Yann E. MORIN.


* Re: [Buildroot] [PATCH 1/9 v3] support/testing: set date in emulated machine
  2025-03-07 18:49   ` Julien Olivain
@ 2025-03-08 11:07     ` Yann E. MORIN
  2025-03-08 21:51       ` Julien Olivain
  0 siblings, 1 reply; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-08 11:07 UTC (permalink / raw)
  To: Julien Olivain; +Cc: buildroot, Ricardo Martincoski, Thomas Petazzoni

Julien, All,

On 2025-03-07 19:49 +0100, Julien Olivain spake thusly:
> On 01/03/2025 16:05, Yann E. MORIN wrote:
> > When time comes to check certificates, the date and time in the emulated
> > machine should be close enough to the actual values, so that certificate
> > validity can be checked.
> > 
> > Set the date to the date of the system. This is going to be accurate to
> > the second, which is, by far, enough for our purpose.
[--SNIP--]
> > +        output, exit_code = self.run(f"date @{int(time.time())}")
> > +        if exit_code:
> > +            raise SystemError("Cannot set date in virtual machine")
> > +
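Review bot: `date @EPOCH` relies on BusyBox's date(1) accepting a bare `@seconds` operand; GNU coreutils date treats a non-option operand as an MMDDhhmm time to set and rejects `@...` as an invalid date, so a target whose PATH resolves `date` to coreutils would hit the SystemError even though the host clock is fine. `date -s @EPOCH` is understood by both implementations. It would also help to include `output` in the exception message, since it is captured and then discarded, and to read the clock back (`date +%s`) to confirm the guest now sits within a few seconds of the host.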
> Is this really needed?

Yes: the skopeo test added in this series would otherwise fail with
(lines wrapped for readability):

    [BRTEST# skopeo --version
    skopeo version 1.18.0
    [BRTEST# echo $?
    0
    [BRTEST# skopeo inspect docker://busybox:latest
    FATA[0000] Error parsing image name "docker://busybox:latest":
        pinging container registry registry-1.docker.io:
        Get "https://registry-1.docker.io/v2/": tls: failed to verify
        certificate: x509: certificate has expired or is not yet valid:
        current time 1970-01-01T00:00:11Z is before 2025-03-05T00:00:00Z

> Arm and Aarch64 qemu machines include a pl031 RTC.
> x86/x86_64 includes a mc146818 RTC.
> RISC-V has a Goldfish RTC.

The skopeo test uses the bundled kernel with the "default" virtual
machine, and in that machine, the date is not set on boot: there is no
RTC referenced in the kernel log, at least.

> If we revert this patch, the podman runtime test still succeeds.

The reason to introduce this patch was not for podman, but for skopeo.

[--SNIP--]
> I understand that it is not always guaranteed that the qemu machine
> has an RTC and the used kernel has a driver for it, which is why we
> would like to set the date like this.

Exactly.

> But this could be left to the
> test implementer to make sure this is properly handled. And in the
> podman test case, you did.
> 
> What do you think?

I think that setting the time is a generic topic, and that tests should
not need to do that.

Regards,
Yann E. MORIN.


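The exchange above is about two things: making the guest clock match the host before any TLS validation happens, and what the x509 check does when it does not. The following is an added example, not the support/testing infrastructure code or anything from the patch; it assumes the guest's date(1) is BusyBox or coreutils (`date -s @EPOCH` is accepted by both, whereas the bare `date @EPOCH` form is BusyBox-specific), and the host epoch and the certificate's not-after date in `demo()` are constructed values.

```python
"""Guest clock handling for an emulator-based test, plus the x509
validity-window check that the skopeo log in this thread shows failing.

Added example; not Buildroot's support/testing code.
"""
import datetime

READ_CLOCK_COMMAND = "date +%s"   # guest command whose output is parsed below


def set_clock_command(host_epoch):
    """Command to run in the guest to copy the host's clock (both BusyBox
    and coreutils date accept the -s @EPOCH form)."""
    return f"date -s @{int(host_epoch)}"


def guest_clock_skew(host_epoch, guest_output):
    """Parse the guest's `date +%s` output; return guest minus host seconds.
    Only the last non-empty line is used, so an echoed prompt before the
    value does not break parsing; a non-integer value raises ValueError."""
    lines = [line.strip() for line in guest_output.splitlines() if line.strip()]
    if not lines or not lines[-1].isdigit():
        raise ValueError(f"unexpected guest clock output: {guest_output!r}")
    return int(lines[-1]) - int(host_epoch)


def clock_is_sane(host_epoch, guest_output, tolerance_s=120):
    """True when the guest clock is within tolerance of the host clock."""
    return abs(guest_clock_skew(host_epoch, guest_output)) <= tolerance_s


def parse_utc(text):
    """'2025-03-05T00:00:00Z' -> timezone-aware UTC datetime."""
    return datetime.datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=datetime.timezone.utc)


def certificate_time_status(now, not_before, not_after):
    """Mirror the validity-window check behind the TLS failure in the log:
    None when `now` lies inside [not_before, not_after], else the reason,
    worded like the Go x509 error quoted in the thread."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    if now < not_before:
        return (f"certificate has expired or is not yet valid: current time "
                f"{now:{fmt}} is before {not_before:{fmt}}")
    if now > not_after:
        return (f"certificate has expired or is not yet valid: current time "
                f"{now:{fmt}} is after {not_after:{fmt}}")
    return None


def demo():
    """Constructed scenario: a guest booted without an RTC sits at epoch 11
    while the host is at 2025-03-08T00:00:00Z; not_before is the value from
    the log, not_after is made up."""
    host_epoch = 1741392000
    not_before = parse_utc("2025-03-05T00:00:00Z")
    not_after = parse_utc("2025-06-03T00:00:00Z")
    utc = datetime.timezone.utc
    return {
        "set_command": set_clock_command(host_epoch),
        "skew_before": guest_clock_skew(host_epoch, "11\n"),
        "skew_after": guest_clock_skew(host_epoch, f"{host_epoch + 2}\n"),
        "tls_before": certificate_time_status(
            datetime.datetime.fromtimestamp(11, tz=utc), not_before, not_after),
        "tls_after": certificate_time_status(
            datetime.datetime.fromtimestamp(host_epoch + 2, tz=utc),
            not_before, not_after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a test, the practical sequence is: run `set_clock_command(...)` in the guest, run `READ_CLOCK_COMMAND`, and feed its output to `clock_is_sane()` before the first network step, so a clock problem is reported as such rather than as a confusing certificate error later.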

* Re: [Buildroot] [PATCH 9/9 v3] package/podman: new package
  2025-03-07 18:55   ` Julien Olivain
@ 2025-03-08 11:34     ` Yann E. MORIN
  2025-03-08 22:03       ` Julien Olivain
  0 siblings, 1 reply; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-08 11:34 UTC (permalink / raw)
  To: Julien Olivain; +Cc: buildroot, Raphael Pavlidis, Christian Stewart

Julien, All,

On 2025-03-07 19:55 +0100, Julien Olivain spake thusly:
> On 01/03/2025 16:05, Yann E. MORIN wrote:
> > Podman is a container manager not unlike Docker, but is daemon-less.
[--SNIP--]
> > +        self.assertRunOk("useradd -d /home/foo -m -s /bin/sh -u 1000
> > foo")
> It would be nice to keep tests idempotent. This can be useful
> while debugging tests, and avoid rebuilding everything at each
> attempt.

You know that you can just remove the "build-done" filestamp in the test
build directory, to just rebuild the image and not the whole thing,
right? ;-)

    $ rm -f run-tests/TestSkopeo/build-done

> It is even more useful in tests with a long build time
> like this one.

Well, you'd get other issues as well in case the tests are failing: if
the test fails to remove the images from local storage, then restarting
the test will fail even earlier, as it expects an empty local storage to
start with...

Furthermore, the virtual machine is abruptly terminated when the test
ends (the qemu process is killed without giving the VM a chance to
shut down), so the filesystem will be inconsistent, leaving all sorts of
false negatives (or positives) if restarting the test anyway (e.g.
removing the images from local storage, even if successful, might not
have had a chance to hit the disk yet).

> If possible, could you improve the test to make sure it can run
> at least two times in a row with the run-tests "-k" option, please?
> For example, with a construct like:
> id -u foo || useradd ... foo

Sorry, but this is not a good idea I believe. The tests should be run
from a clean build, or at the very least from a clean image (which is
easy to do, see above).

In retrospect, I believe the build should always be restarted to always
start the test from a clean image, and so the "build-done" filestamp is
in fact counter-productive: we _want_ to rebuild the rootfs image before
starting tests.

> There are possibly a few other places that might need cleanup too.

There are so many other tests that are probably not idempotent either,
unfortunately, as soon as they do not use the CPIO or do not use a
read-only persistent storage.

For example, the docker-compose test is not idempotent, as the image
will remain on the disk (but OK, the second run would not fail, just the
download would not happen, which means though that the second run would
not test the same thing as the first run).

So, I am not very inclined in making this one test idempotent.

Instead, I think we should really just get rid of build-done.

Thanks for the review! :-)

Regards,
Yann E. MORIN.


* Re: [Buildroot] [PATCH 1/9 v3] support/testing: set date in emulated machine
  2025-03-08 11:07     ` Yann E. MORIN
@ 2025-03-08 21:51       ` Julien Olivain
  0 siblings, 0 replies; 24+ messages in thread
From: Julien Olivain @ 2025-03-08 21:51 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: buildroot, Ricardo Martincoski, Thomas Petazzoni

Hi Yann, All,

On 08/03/2025 12:07, Yann E. MORIN wrote:
> Julien, All,
> 
> On 2025-03-07 19:49 +0100, Julien Olivain spake thusly:
>> On 01/03/2025 16:05, Yann E. MORIN wrote:
>> > When time comes to check certificates, the date and time in the emulated
>> > machine should be close enough to the actual values, so that certificate
>> > validity can be checked.
>> >
>> > Set the date to the date of the system. This is going to be accurate to
>> > the second, which is, by far, enough for our purpose.
> [--SNIP--]
>> > +        output, exit_code = self.run(f"date @{int(time.time())}")
>> > +        if exit_code:
>> > +            raise SystemError("Cannot set date in virtual machine")
>> > +
>> Is this really needed?
> 
> Yes: the skopeo test added in this series would otherwise fail with
> (lines wrapped for readability):
> 
>     [BRTEST# skopeo --version
>     skopeo version 1.18.0
>     [BRTEST# echo $?
>     0
>     [BRTEST# skopeo inspect docker://busybox:latest
>     FATA[0000] Error parsing image name "docker://busybox:latest":
>         pinging container registry registry-1.docker.io:
>         Get "https://registry-1.docker.io/v2/": tls: failed to verify
>         certificate: x509: certificate has expired or is not yet valid:
>         current time 1970-01-01T00:00:11Z is before 
> 2025-03-05T00:00:00Z
> 
>> Arm and Aarch64 qemu machines include a pl031 RTC.
>> x86/x86_64 includes a mc146818 RTC.
>> RISC-V has a Goldfish RTC.
> 
> The skopeo test uses the bundled kernel with the "default" virtual
> machine, and in that machine, the date is not set on boot: there is no
> RTC referenced in the kernel log, at least.
> 
>> If we revert this patch, the podman runtime test still succeeds.
> 
> The reason to introduce this patch was not for podman, but for skopeo.
> 
> [--SNIP--]
>> I understand that it is not always guaranteed that the qemu machine
>> has an RTC and the used kernel has a driver for it, which is why we
>> would like to set the date like this.
> 
> Exactly.
> 
>> But this could be left to the
>> test implementer to make sure this is properly handled. And in the
>> podman test case, you did.
>> 
>> What do you think?
> 
> I think that setting the time is a generic topic, and that tests should
> not need to do that.

Thanks for the explanations. I agree with you that we should keep
this patch.

If you send another version of this patch, could you add
a small comment in the commit log about why we are not using qemu
RTCs here? Something like:
"""
Some Qemu machines include an emulated RTC which could be used to
pass the host time to the guest. For example, arm vexpress-a9
has a pl031 rtc. The Kernel has to include the driver for this to
work.

Since the Buildroot bundled default test kernel does not have this
support, and also to avoid handling the complexity of which
architectures/machines/kernels are supported, those emulated RTCs
are not used here and the date is simply set with the "date" command.
"""

> Regards,
> Yann E. MORIN.

Best regards,

Julien.

* Re: [Buildroot] [PATCH 9/9 v3] package/podman: new package
  2025-03-08 11:34     ` Yann E. MORIN
@ 2025-03-08 22:03       ` Julien Olivain
  0 siblings, 0 replies; 24+ messages in thread
From: Julien Olivain @ 2025-03-08 22:03 UTC (permalink / raw)
  To: Yann E. MORIN; +Cc: buildroot, Raphael Pavlidis, Christian Stewart

Hi Yann,

On 08/03/2025 12:34, Yann E. MORIN wrote:
> Julien, All,
> 
> On 2025-03-07 19:55 +0100, Julien Olivain spake thusly:
>> On 01/03/2025 16:05, Yann E. MORIN wrote:
>> > Podman is a container manager not unlike Docker, but is daemon-less.
> [--SNIP--]
>> > +        self.assertRunOk("useradd -d /home/foo -m -s /bin/sh -u 1000
>> > foo")
>> It would be nice to keep tests idempotent. This can be useful
>> while debugging tests, and avoid rebuilding everything at each
>> attempt.
> 
> You know that you can just remove the "build-done" filestamp in the 
> test
> build directory, to just rebuild the image and not the whole thing,
> right? ;-)
> 
>     $ rm -f run-tests/TestSkopeo/build-done
> 
>> It is even more useful in tests with a long build time
>> like this one.
> 
> Well, you'd get other issues as well in case the tests are failing: if
> the test fails to remove the images from local storage, then restarting
> the test will fail even earlier, as it expects an empty local storage 
> to
> start with...
> 
> Furthermore, the virtual machine is abruptly terminated when the test
> ends (the qemu process is killed without giving the VM a chance to
> shut down), so the filesystem will be inconsistent, leaving all sorts of
> false negatives (or positives) if restarting the test anyway (e.g.
> removing the images from local storage, even if successful, might not
> have had a chance to hit the disk yet).
> 
>> If possible, could you improve the test to make sure it can run
>> at least two times in a row with the run-tests "-k" option, please?
>> For example, with a construct like:
>> id -u foo || useradd ... foo
> 
> Sorry, but this is not a good idea I believe. The tests should be run
> from a clean build, or at the very least from a clean image (which is
> easy to do, see above).
> 
> In retrospect, I believe the build should always be restarted to always
> start the test from a clean image, and so the "build-done" filestamp is
> in fact counter-productive: we _want_ to rebuild the rootfs image 
> before
> starting tests.
> 
>> There are possibly a few other places that might need cleanup too.
> 
> There are so many other tests that are probably not idempotent either,
> unfortunately, as soon as they do not use the CPIO or do not use a
> read-only persistent storage.
> 
> For example, the docker-compose test is not idempotent, as the image
> will remain on the disk (but OK, the second run would not fail, just 
> the
> download would not happen, which means though that the second run would
> not test the same thing as the first run).
> 
> So, I am not very inclined in making this one test idempotent.
> 
> Instead, I think we should really just get rid of build-done.

You are right. It is probably the "run-tests -k" command which might
need to be idempotent (rather than the test itself).

So, forget about my change suggestions in this test. I'm taking a
note about a possible future improvement on run-tests, instead.

> Thanks for the review! :-)
> 
> Regards,
> Yann E. MORIN.

Best regards,

Julien.

* Re: [Buildroot] [PATCH 9/9 v3] package/podman: new package
  2025-03-08 11:00     ` Yann E. MORIN
@ 2025-03-09  8:30       ` Yann E. MORIN
  2025-03-09 22:14       ` Yann E. MORIN
  1 sibling, 0 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-09  8:30 UTC (permalink / raw)
  To: Raphael Pavlidis; +Cc: buildroot, Christian Stewart, Julien Olivain

Raphael, All,

On 2025-03-08 12:00 +0100, Yann E. MORIN spake thusly:
> On 2025-03-07 14:40 +0100, Raphael Pavlidis spake thusly:
> > On 3/1/25 16:05, Yann E. MORIN wrote:
[--SNIP--]
> > > +		$(PODMAN_PKGDIR)/containers.conf \
> > > +		$(TARGET_DIR)/etc/containers/containers.conf
> > > +	$(Q)$(INSTALL) -D -m 0644 \
> > > +		$(PODMAN_PKGDIR)/policy.json \
> > > +		$(TARGET_DIR)/etc/containers/policy.json
> > > +	$(Q)$(INSTALL) -D -m 0644 \
> > > +		$(PODMAN_PKGDIR)/registries.conf \
> > > +		$(TARGET_DIR)/etc/containers/registries.conf
> > Just for curiosity, why not install those files under
> > /usr/share/containers?
> The first such file I wrote was policy.json, and the documentation for it
> states [0]:
>     By default, the policy is read from $HOME/.config/containers/policy.json,
>     if it exists, otherwise from /etc/containers/policy.json ; [...]
> So I did not look further and put it in /etc/containers/. Then I had to
> write registries.conf (for seemless access to the docker hub), and again
> the documentation also states [1]:
>     By default, the policy is read from $HOME/.config/containers/policy.json,
>     if it exists, otherwise from /etc/containers/policy.json ; [...]

Sorry, that second excerpt should have been:

    Container engines will use the $HOME/.config/containers/registries.conf
    if it exists, otherwise they will use /etc/containers/registries.conf

> [1] https://github.com/containers/image/blob/main/docs/containers-registries.conf.5.md#description

Sorry for the confusion...

Regards,
Yann E. MORIN.

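The messages above (Christian's quote of containers.conf(5), and Yann's quotes of the policy.json and registries.conf descriptions, corrected just above) together give the lookup rules for the three files the package installs. The following resolver is an added example, not Buildroot, podman or containers/common code: it builds a constructed target tree and reports which file each engine lookup ends up using. The one rule not quoted on this page is that a rootless user's `~/.config/containers/containers.conf` is layered last; that comes from the upstream man page and is marked as such in the code.

```python
"""Which containers/* configuration files are effective on a target?

Added example (not Buildroot, podman or containers/common code). Lookup
rules, from the man-page excerpts quoted in this thread:

  containers.conf  : /usr/share/containers/containers.conf, then
                     /etc/containers/containers.conf, then
                     /etc/containers/containers.conf.d/*.conf; all that
                     exist are read, later keys override earlier ones.
                     (~/.config/containers/containers.conf is layered last
                     for rootless users: upstream man page, not quoted here.)
  policy.json      : ~/.config/containers/policy.json if it exists,
                     otherwise /etc/containers/policy.json (not layered).
  registries.conf  : ~/.config/containers/registries.conf if it exists,
                     otherwise /etc/containers/registries.conf (not layered).
"""
import glob
import os
import tempfile


def resolve_containers_conf(root, home=None):
    """Return every containers.conf fragment that will be read, in load order."""
    candidates = [
        os.path.join(root, "usr/share/containers/containers.conf"),
        os.path.join(root, "etc/containers/containers.conf"),
    ]
    candidates += sorted(glob.glob(
        os.path.join(root, "etc/containers/containers.conf.d/*.conf")))
    if home:
        candidates.append(os.path.join(home, ".config/containers/containers.conf"))
    return [path for path in candidates if os.path.isfile(path)]


def resolve_single(root, name, home=None):
    """policy.json / registries.conf: the per-user file replaces the system
    one outright, so a rootless user can relax a signature policy set in /etc."""
    if home:
        user_file = os.path.join(home, ".config/containers", name)
        if os.path.isfile(user_file):
            return user_file
    system_file = os.path.join(root, "etc/containers", name)
    return system_file if os.path.isfile(system_file) else None


def effective_config(root, home=None):
    """Map each config file to the path(s) the engine would use, relative to
    the target root so results are easy to compare."""
    def rel(path):
        return os.path.relpath(path, root) if path else None

    return {
        "containers.conf": [rel(p) for p in resolve_containers_conf(root, home)],
        "policy.json": rel(resolve_single(root, "policy.json", home)),
        "registries.conf": rel(resolve_single(root, "registries.conf", home)),
    }


def build_demo_rootfs():
    """Constructed target tree: package defaults installed system-wide, one
    drop-in fragment, and user 'foo' carrying a private policy.json."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel_path in (
        "usr/share/containers/containers.conf",
        "etc/containers/containers.conf.d/10-network.conf",
        "etc/containers/policy.json",
        "etc/containers/registries.conf",
        "home/foo/.config/containers/policy.json",
    ):
        path = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed placeholder\n")
    return root, os.path.join(root, "home/foo")


def demo():
    """Resolve the constructed tree as root and as the rootless user 'foo'."""
    root, home = build_demo_rootfs()
    return {"root": effective_config(root), "foo": effective_config(root, home)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The point the resolver makes visible: for the rootless user, `policy.json` is taken from the home directory and the system policy is not consulted at all, which is why a signature policy meant to be enforced for every user has to be checked per user, not only in /etc.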

* Re: [Buildroot] [PATCH 9/9 v3] package/podman: new package
  2025-03-08 11:00     ` Yann E. MORIN
  2025-03-09  8:30       ` Yann E. MORIN
@ 2025-03-09 22:14       ` Yann E. MORIN
  1 sibling, 0 replies; 24+ messages in thread
From: Yann E. MORIN @ 2025-03-09 22:14 UTC (permalink / raw)
  To: Raphael Pavlidis; +Cc: buildroot, Christian Stewart, Julien Olivain

Raphael, All,

On 2025-03-08 12:00 +0100, Yann E. MORIN spake thusly:
> On 2025-03-07 14:40 +0100, Raphael Pavlidis spake thusly:
> > On 3/1/25 16:05, Yann E. MORIN wrote:
[--SNIP--]
> > > +	select BR2_PACKAGE_IPTABLES  # runtime
> > I am sure that you do not need iptables if you are using nftables.
> I briefly tried with nftables, it did not work, so I did not investigate
> further; IIRC it was before I had to write containers.conf, so maybe we
> can specify the firewall driver there... Ah, yes, it seems we can do
> that:
>     firewall_driver=""
>     The firewall driver to be used by netavark. [...] supported drivers
>     are "iptables", "nftables" [...]

Doing so was not enough to use nftables. Even with every NFT module
enabled in the kernel, netavark would still whine that nft would fail to
list rules, or apply them.

So, I eventually got to the bottom of the issue: netavark requires that
nftables be built with support for JSON output. Once this is done, then
it all magically works (magically, as with all the tears and sweat and
swearwords as the trinkets and incantation needed for such a spell...)

Regards,
Yann E. MORIN.

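Since the finding above is that netavark needs an nftables built with JSON output, a target-side check for that capability is the natural follow-up. This is an added example, not netavark or Buildroot code; it uses nft's own JSON mode (`nft -j list ruleset`) and a pure evaluation function so the check can be exercised on constructed output without a real nft binary or CAP_NET_ADMIN.

```python
"""Check whether nft can emit JSON, which netavark's nftables driver needs.

Added example (not netavark or Buildroot code).
"""
import json
import subprocess


def evaluate_nft_json(returncode, stdout):
    """Pure check on the result of `nft -j list ruleset`: (ok, reason)."""
    if returncode != 0:
        return False, f"nft exited with status {returncode}"
    try:
        doc = json.loads(stdout)
    except json.JSONDecodeError as exc:
        return False, (f"output is not JSON ({exc.msg}); "
                       "nft was probably built without JSON support")
    if not isinstance(doc, dict) or not isinstance(doc.get("nftables"), list):
        return False, "JSON document lacks the top-level 'nftables' array"
    return True, "nft produces JSON output"


def nft_supports_json(nft="nft"):
    """Run the real binary (listing the ruleset needs CAP_NET_ADMIN)."""
    try:
        proc = subprocess.run([nft, "-j", "list", "ruleset"],
                              capture_output=True, text=True)
    except FileNotFoundError:
        return False, f"{nft} not found"
    return evaluate_nft_json(proc.returncode, proc.stdout)


# Constructed sample outputs: the shape a JSON-capable nft prints for an
# empty ruleset (metainfo only), and the text form a JSON-less build prints.
SAMPLE_JSON_RULESET = ('{"nftables": [{"metainfo": {"version": "x.y.z", '
                       '"release_name": "constructed", "json_schema_version": 1}}]}')
SAMPLE_TEXT_RULESET = "table inet filter {\n}\n"


if __name__ == "__main__":
    print(evaluate_nft_json(0, SAMPLE_JSON_RULESET))
    print(evaluate_nft_json(0, SAMPLE_TEXT_RULESET))
    print(nft_supports_json())
```

Running `nft_supports_json()` once in a runtime test, before starting a container with the nftables firewall driver, turns the vague "nft would fail to list rules" symptom into a direct statement about the nft build.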

Thread overview: 24+ messages
2025-03-01 15:05 [Buildroot] [PATCH 0/9 v3] package/podman: new package (branch yem/podman) Yann E. MORIN
2025-03-01 15:05 ` [Buildroot] [PATCH 1/9 v3] support/testing: set date in emulated machine Yann E. MORIN
2025-03-07 18:49   ` Julien Olivain
2025-03-08 11:07     ` Yann E. MORIN
2025-03-08 21:51       ` Julien Olivain
2025-03-01 15:05 ` [Buildroot] [PATCH 2/9 v3] package/shadow: install to staging for subids Yann E. MORIN
2025-03-07 13:15   ` Raphael Pavlidis
2025-03-01 15:05 ` [Buildroot] [PATCH 3/9 v3] package/conmon: depends on systemd when enabled Yann E. MORIN
2025-03-01 15:05 ` [Buildroot] [PATCH 4/9 v3] package/slirp4netns: needs TUN support in the kernel Yann E. MORIN
2025-03-07 13:20   ` Raphael Pavlidis
2025-03-01 15:05 ` [Buildroot] [PATCH 5/9 v3] package/skopeo: add target variant Yann E. MORIN
2025-03-01 15:05 ` [Buildroot] [PATCH 6/9 v3] package/cgroupfs-mount: tweak the kernel config Yann E. MORIN
2025-03-01 15:05 ` [Buildroot] [PATCH 7/9 v3] package/cgroupfs-v2-mount: new package Yann E. MORIN
2025-03-01 15:05 ` [Buildroot] [PATCH 8/9 v3] package/netavark: " Yann E. MORIN
2025-03-01 15:05 ` [Buildroot] [PATCH 9/9 v3] package/podman: " Yann E. MORIN
2025-03-07 13:40   ` Raphael Pavlidis
2025-03-07 19:38     ` Christian Stewart via buildroot
2025-03-08 11:02       ` Yann E. MORIN
2025-03-08 11:00     ` Yann E. MORIN
2025-03-09  8:30       ` Yann E. MORIN
2025-03-09 22:14       ` Yann E. MORIN
2025-03-07 18:55   ` Julien Olivain
2025-03-08 11:34     ` Yann E. MORIN
2025-03-08 22:03       ` Julien Olivain