* [meta-virtualization][kirkstone][PATCH 02/10] cri-o: use PACKAGECONFIG to handle selinux
From: Chen Qi @ 2023-03-01 9:52 UTC
To: meta-virtualization
For cri-o, libselinux is optional; this can be seen from
its Makefile. So let's make selinux optional by using PACKAGECONFIG,
whose default value is determined by the DISTRO_FEATURES. In this
way, the meta-selinux dependency is not necessary.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
recipes-containers/cri-o/cri-o_git.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/recipes-containers/cri-o/cri-o_git.bb b/recipes-containers/cri-o/cri-o_git.bb
index ee5906e..ca155a7 100644
--- a/recipes-containers/cri-o/cri-o_git.bb
+++ b/recipes-containers/cri-o/cri-o_git.bb
@@ -39,14 +39,14 @@ DEPENDS = " \
ostree \
libdevmapper \
libseccomp \
- libselinux \
"
RDEPENDS:${PN} = " \
cni \
libdevmapper \
"
-SKIP_RECIPE[cri-o] ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', 'selinux', '', 'Depends on libselinux from meta-selinux which is not included', d)}"
+PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"
+PACKAGECONFIG[selinux] = ",,libselinux"
PACKAGES =+ "${PN}-config"
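Review bot: dropping SKIP_RECIPE removes the only guard that explained a missing meta-selinux; with `PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'selinux', d)}"`, a distro that has `selinux` in DISTRO_FEATURES but does not include meta-selinux will now fail later with an unresolvable `libselinux` dependency instead of a clear skip message, so consider keeping a BBFILE_COLLECTIONS check scoped to the case where the feature is actually enabled. Also, `PACKAGECONFIG[selinux] = ",,libselinux"` passes no enable/disable arguments to the build, so whether the resulting binary really gains or loses SELinux support depends on cri-o's Makefile autodetecting libselinux in the sysroot, as the commit message implies; a comment next to the entry stating that mechanism (or an explicit build tag, if the Makefile accepts one) would make the intent checkable, because a silently disabled SELinux would leave pods without the separation an operator expects from the feature being on.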
--
2.37.1
* [meta-virtualization][kirkstone][PATCH 03/10] cri-o: create /var/lib/crio
From: Chen Qi @ 2023-03-01 9:52 UTC
To: meta-virtualization
crio.service now reports the following error messages:
level=error msg="Writing clean shutdown supported file: \
open /var/lib/crio/clean.shutdown.supported: no such file or directory"
level=error msg="Failed to sync parent directory of clean \
shutdown file: open /var/lib/crio: no such file or directory"
Create /var/lib/crio to avoid such error messages.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
recipes-containers/cri-o/cri-o_git.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/recipes-containers/cri-o/cri-o_git.bb b/recipes-containers/cri-o/cri-o_git.bb
index ca155a7..2597942 100644
--- a/recipes-containers/cri-o/cri-o_git.bb
+++ b/recipes-containers/cri-o/cri-o_git.bb
@@ -96,6 +96,8 @@ do_install() {
install -m 0644 ${S}/src/import/contrib/systemd/crio.service ${D}${systemd_unitdir}/system/
install -m 0644 ${S}/src/import/contrib/systemd/crio-shutdown.service ${D}${systemd_unitdir}/system/
install -m 0644 ${S}/src/import/contrib/systemd/crio-wipe.service ${D}${systemd_unitdir}/system/
+
+ install -d ${D}${localstatedir}/lib/crio
}
FILES:${PN}-config = "${sysconfdir}/crio/config/*"
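Review bot: `install -d ${D}${localstatedir}/lib/crio` creates the directory with the default 0755 mode and no explicit ownership; since the shipped crio.conf points `clean_shutdown_file` and `version_file_persist` at /var/lib/crio, and the absence of the clean-shutdown marker is what makes `crio wipe` clear the storage directory, this directory should be root-only (e.g. `install -d -m 0700`) and has to sit on persistent storage: if the image mounts /var/lib on a volatile filesystem, the marker is lost on every reboot and the wipe runs each time. It is also worth confirming that the empty directory is actually packaged (the default FILES:${PN} normally covers ${localstatedir}); a sentence in the commit message saying so would save the next reader the check.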
--
2.37.1
* [meta-virtualization][kirkstone][PATCH 04/10] cri-o: update crio.conf to match the current version 1.23
From: Chen Qi @ 2023-03-01 9:52 UTC
To: meta-virtualization
The old crio.conf file can cause cri-o start failure. The error
message is as below.
validating runtime config: runtime validation: failed to \
translate monitor fields for runtime runc: cgroupfs manager \
conmon cgroup should be 'pod' or empty
Use the new crio.conf file to solve this issue. The file is generated
by the 'crio --config="" config --default' command, as indicated in
the old crio.conf file.
With this config file update, the crio.service can now start correctly.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
recipes-containers/cri-o/files/crio.conf | 604 +++++++++++++++++++----
1 file changed, 507 insertions(+), 97 deletions(-)
diff --git a/recipes-containers/cri-o/files/crio.conf b/recipes-containers/cri-o/files/crio.conf
index 899d255..d48ddae 100644
--- a/recipes-containers/cri-o/files/crio.conf
+++ b/recipes-containers/cri-o/files/crio.conf
@@ -1,146 +1,556 @@
# generated via: crio --config="" config --default
-# The "crio" table contains all of the server options.
+# The CRI-O configuration file specifies all of the available configuration
+# options and command-line flags for the crio(8) OCI Kubernetes Container Runtime
+# daemon, but in a TOML format that can be more easily modified and versioned.
+#
+# Please refer to crio.conf(5) for details of all configuration options.
+
+# CRI-O supports partial configuration reload during runtime, which can be
+# done by sending SIGHUP to the running process. Currently supported options
+# are explicitly mentioned with: 'This option supports live configuration
+# reload'.
+
+# CRI-O reads its storage defaults from the containers-storage.conf(5) file
+# located at /etc/containers/storage.conf. Modify this storage configuration if
+# you want to change the system's defaults. If you want to modify storage just
+# for CRI-O, you can change the storage configuration options here.
[crio]
-# root is a path to the "root directory". CRIO stores all of its data,
-# including container images, in this directory.
+# Path to the "root directory". CRI-O stores all of its data, including
+# containers images, in this directory.
root = "/var/lib/containers/storage"
-# run is a path to the "run directory". CRIO stores all of its state
-# in this directory.
-runroot = "/var/run/containers/storage"
+# Path to the "run directory". CRI-O stores all of its state in this directory.
+runroot = "/run/containers/storage"
-# storage_driver select which storage driver is used to manage storage
-# of images and containers.
-storage_driver = ""
+# Storage driver used to manage the storage of images and containers. Please
+# refer to containers-storage.conf(5) to see all available storage drivers.
+storage_driver = "overlay"
-# storage_option is used to pass an option to the storage driver.
+# List to pass options to the storage driver. Please refer to
+# containers-storage.conf(5) to see all available storage options.
storage_option = [
+ "overlay.mountopt=nodev",
]
-# The "crio.api" table contains settings for the kubelet/gRPC
-# interface (which is also used by crioctl).
+# The default log directory where all logs will go unless directly specified by
+# the kubelet. The log directory specified must be an absolute directory.
+log_dir = "/var/log/crio/pods"
+
+# Location for CRI-O to lay down the temporary version file.
+# It is used to check if crio wipe should wipe containers, which should
+# always happen on a node reboot
+version_file = "/var/run/crio/version"
+
+# Location for CRI-O to lay down the persistent version file.
+# It is used to check if crio wipe should wipe images, which should
+# only happen when CRI-O has been upgraded
+version_file_persist = "/var/lib/crio/version"
+
+# InternalWipe is whether CRI-O should wipe containers and images after a reboot when the server starts.
+# If set to false, one must use the external command 'crio wipe' to wipe the containers and images in these situations.
+internal_wipe = true
+
+# Location for CRI-O to lay down the clean shutdown file.
+# It is used to check whether crio had time to sync before shutting down.
+# If not found, crio wipe will clear the storage directory.
+clean_shutdown_file = "/var/lib/crio/clean.shutdown"
+
+# The crio.api table contains settings for the kubelet/gRPC interface.
[crio.api]
-# listen is the path to the AF_LOCAL socket on which crio will listen.
+# Path to AF_LOCAL socket on which CRI-O will listen.
listen = "/var/run/crio/crio.sock"
-# stream_address is the IP address on which the stream server will listen
-stream_address = ""
+# IP address on which the stream server will listen.
+stream_address = "127.0.0.1"
+
+# The port on which the stream server will listen. If the port is set to "0", then
+# CRI-O will allocate a random free port number.
+stream_port = "0"
+
+# Enable encrypted TLS transport of the stream server.
+stream_enable_tls = false
-# stream_port is the port on which the stream server will listen
-stream_port = "10010"
+# Length of time until open streams terminate due to lack of activity
+stream_idle_timeout = ""
-# file_locking is whether file-based locking will be used instead of
-# in-memory locking
-file_locking = true
+# Path to the x509 certificate file used to serve the encrypted stream. This
+# file can change, and CRI-O will automatically pick up the changes within 5
+# minutes.
+stream_tls_cert = ""
-# The "crio.runtime" table contains settings pertaining to the OCI
-# runtime used and options for how to set up and manage the OCI runtime.
+# Path to the key file used to serve the encrypted stream. This file can
+# change and CRI-O will automatically pick up the changes within 5 minutes.
+stream_tls_key = ""
+
+# Path to the x509 CA(s) file used to verify and authenticate client
+# communication with the encrypted stream. This file can change and CRI-O will
+# automatically pick up the changes within 5 minutes.
+stream_tls_ca = ""
+
+# Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024.
+grpc_max_send_msg_size = 83886080
+
+# Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024.
+grpc_max_recv_msg_size = 83886080
+
+# The crio.runtime table contains settings pertaining to the OCI runtime used
+# and options for how to set up and manage the OCI runtime.
[crio.runtime]
-# runtime is the OCI compatible runtime used for trusted container workloads.
-# This is a mandatory setting as this runtime will be the default one
-# and will also be used for untrusted container workloads if
-# runtime_untrusted_workload is not set.
-runtime = "/usr/bin/runc"
-
-# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
-# container workloads. This is an optional setting, except if
-# default_container_trust is set to "untrusted".
-runtime_untrusted_workload = ""
-
-# default_workload_trust is the default level of trust crio puts in container
-# workloads. It can either be "trusted" or "untrusted", and the default
-# is "trusted".
-# Containers can be run through different container runtimes, depending on
-# the trust hints we receive from kubelet:
-# - If kubelet tags a container workload as untrusted, crio will try first to
-# run it through the untrusted container workload runtime. If it is not set,
-# crio will use the trusted runtime.
-# - If kubelet does not provide any information about the container workload trust
-# level, the selected runtime will depend on the default_container_trust setting.
-# If it is set to "untrusted", then all containers except for the host privileged
-# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
-# containers are by definition trusted and will always use the trusted container
-# runtime. If default_container_trust is set to "trusted", crio will use the trusted
-# container runtime for all containers.
-default_workload_trust = "trusted"
-
-# conmon is the path to conmon binary, used for managing the runtime.
-conmon = "/usr/bin/conmon"
-
-# conmon_env is the environment variable list for conmon process,
-# used for passing necessary environment variable to conmon or runtime.
+# A list of ulimits to be set in containers by default, specified as
+# "<ulimit name>=<soft limit>:<hard limit>", for example:
+# "nofile=1024:2048"
+# If nothing is set here, settings will be inherited from the CRI-O daemon
+default_ulimits = [
+]
+
+# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
+no_pivot = false
+
+# decryption_keys_path is the path where the keys required for
+# image decryption are stored. This option supports live configuration reload.
+decryption_keys_path = "/etc/crio/keys/"
+
+# Path to the conmon binary, used for monitoring the OCI runtime.
+# Will be searched for using $PATH if empty.
+conmon = ""
+
+# Cgroup setting for conmon
+conmon_cgroup = "system.slice"
+
+# Environment variable list for the conmon process, used for passing necessary
+# environment variables to conmon or the runtime.
conmon_env = [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]
-# selinux indicates whether or not SELinux will be used for pod
-# separation on the host. If you enable this flag, SELinux must be running
-# on the host.
-selinux = false
+# Additional environment variables to set for all the
+# containers. These are overridden if set in the
+# container image spec or in the container runtime configuration.
+default_env = [
+]
-# seccomp_profile is the seccomp json profile path which is used as the
-# default for the runtime.
-seccomp_profile = "/etc/crio/seccomp.json"
+# If true, SELinux will be used for pod separation on the host.
+selinux = false
-# apparmor_profile is the apparmor profile name which is used as the
-# default for the runtime.
+# Path to the seccomp.json profile which is used as the default seccomp profile
+# for the runtime. If not specified, then the internal default seccomp profile
+# will be used. This option supports live configuration reload.
+seccomp_profile = ""
+
+# Changes the meaning of an empty seccomp profile. By default
+# (and according to CRI spec), an empty profile means unconfined.
+# This option tells CRI-O to treat an empty profile as the default profile,
+# which might increase security.
+seccomp_use_default_when_empty = false
+
+# Used to change the name of the default AppArmor profile of CRI-O. The default
+# profile name is "crio-default". This profile only takes effect if the user
+# does not specify a profile via the Kubernetes Pod's metadata annotation. If
+# the profile is set to "unconfined", then this equals to disabling AppArmor.
+# This option supports live configuration reload.
apparmor_profile = "crio-default"
-# cgroup_manager is the cgroup management implementation to be used
-# for the runtime.
-cgroup_manager = "cgroupfs"
+# Path to the blockio class configuration file for configuring
+# the cgroup blockio controller.
+blockio_config_file = ""
+
+# Used to change irqbalance service config file path which is used for configuring
+# irqbalance daemon.
+irqbalance_config_file = "/etc/sysconfig/irqbalance"
+
+# Path to the RDT configuration file for configuring the resctrl pseudo-filesystem.
+# This option supports live configuration reload.
+rdt_config_file = ""
+
+# Cgroup management implementation used for the runtime.
+cgroup_manager = "systemd"
+
+# Specify whether the image pull must be performed in a separate cgroup.
+separate_pull_cgroup = ""
+
+# List of default capabilities for containers. If it is empty or commented out,
+# only the capabilities defined in the containers json file by the user/kube
+# will be added.
+default_capabilities = [
+ "CHOWN",
+ "DAC_OVERRIDE",
+ "FSETID",
+ "FOWNER",
+ "SETGID",
+ "SETUID",
+ "SETPCAP",
+ "NET_BIND_SERVICE",
+ "KILL",
+]
+
+# List of default sysctls. If it is empty or commented out, only the sysctls
+# defined in the container json file by the user/kube will be added.
+default_sysctls = [
+]
+
+# List of devices on the host that a
+# user can specify with the "io.kubernetes.cri-o.Devices" allowed annotation.
+allowed_devices = [
+ "/dev/fuse",
+]
+
+# List of additional devices. specified as
+# "<device-on-host>:<device-on-container>:<permissions>", for example: "--device=/dev/sdc:/dev/xvdc:rwm".
+# If it is empty or commented out, only the devices
+# defined in the container json file by the user/kube will be added.
+additional_devices = [
+]
+
+# Change the default behavior of setting container devices uid/gid from CRI's
+# SecurityContext (RunAsUser/RunAsGroup) instead of taking host's uid/gid.
+# Defaults to false.
+device_ownership_from_security_context = false
-# hooks_dir_path is the oci hooks directory for automatically executed hooks
-hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+# Path to OCI hooks directories for automatically executed hooks. If one of the
+# directories does not exist, then CRI-O will automatically skip them.
+hooks_dir = [
+ "/usr/share/containers/oci/hooks.d",
+]
-# pids_limit is the number of processes allowed in a container
+# Path to the file specifying the defaults mounts for each container. The
+# format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads
+# its default mounts from the following two files:
+#
+# 1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the
+# override file, where users can either add in their own default mounts, or
+# override the default mounts shipped with the package.
+#
+# 2) /usr/share/containers/mounts.conf: This is the default file read for
+# mounts. If you want CRI-O to read from a different, specific mounts file,
+# you can change the default_mounts_file. Note, if this is done, CRI-O will
+# only add mounts it finds in this file.
+#
+default_mounts_file = ""
+
+# Maximum number of processes allowed in a container.
pids_limit = 1024
-# The "crio.image" table contains settings pertaining to the
-# management of OCI images.
+# Maximum sized allowed for the container log file. Negative numbers indicate
+# that no size limit is imposed. If it is positive, it must be >= 8192 to
+# match/exceed conmon's read buffer. The file is truncated and re-opened so the
+# limit is never exceeded.
+log_size_max = -1
+
+# Whether container output should be logged to journald in addition to the kuberentes log file
+log_to_journald = false
+
+# Path to directory in which container exit files are written to by conmon.
+container_exits_dir = "/var/run/crio/exits"
+
+# Path to directory for container attach sockets.
+container_attach_socket_dir = "/var/run/crio"
+
+# The prefix to use for the source of the bind mounts.
+bind_mount_prefix = ""
+
+# If set to true, all containers will run in read-only mode.
+read_only = false
+
+# Changes the verbosity of the logs based on the level it is set to. Options
+# are fatal, panic, error, warn, info, debug and trace. This option supports
+# live configuration reload.
+log_level = "info"
+
+# Filter the log messages by the provided regular expression.
+# This option supports live configuration reload.
+log_filter = ""
+
+# The UID mappings for the user namespace of each container. A range is
+# specified in the form containerUID:HostUID:Size. Multiple ranges must be
+# separated by comma.
+uid_mappings = ""
+
+# The GID mappings for the user namespace of each container. A range is
+# specified in the form containerGID:HostGID:Size. Multiple ranges must be
+# separated by comma.
+gid_mappings = ""
+
+# If set, CRI-O will reject any attempt to map host UIDs below this value
+# into user namespaces. A negative value indicates that no minimum is set,
+# so specifying mappings will only be allowed for pods that run as UID 0.
+minimum_mappable_uid = -1
+
+# If set, CRI-O will reject any attempt to map host GIDs below this value
+# into user namespaces. A negative value indicates that no minimum is set,
+# so specifying mappings will only be allowed for pods that run as UID 0.
+minimum_mappable_gid = -1
+
+# The minimal amount of time in seconds to wait before issuing a timeout
+# regarding the proper termination of the container. The lowest possible
+# value is 30s, whereas lower values are not considered by CRI-O.
+ctr_stop_timeout = 30
+
+# drop_infra_ctr determines whether CRI-O drops the infra container
+# when a pod does not have a private PID namespace, and does not use
+# a kernel separating runtime (like kata).
+# It requires manage_ns_lifecycle to be true.
+drop_infra_ctr = true
+
+# infra_ctr_cpuset determines what CPUs will be used to run infra containers.
+# You can use linux CPU list format to specify desired CPUs.
+# To get better isolation for guaranteed pods, set this parameter to be equal to kubelet reserved-cpus.
+infra_ctr_cpuset = ""
+
+# The directory where the state of the managed namespaces gets tracked.
+# Only used when manage_ns_lifecycle is true.
+namespaces_dir = "/var/run"
+
+# pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle
+pinns_path = ""
+
+# default_runtime is the _name_ of the OCI runtime to be used as the default.
+# The name is matched against the runtimes map below. If this value is changed,
+# the corresponding existing entry from the runtimes map below will be ignored.
+default_runtime = "runc"
+
+# A list of paths that, when absent from the host,
+# will cause a container creation to fail (as opposed to the current behavior being created as a directory).
+# This option is to protect from source locations whose existence as a directory could jepordize the health of the node, and whose
+# creation as a file is not desired either.
+# An example is /etc/hostname, which will cause failures on reboot if it's created as a directory, but often doesn't exist because
+# the hostname is being managed dynamically.
+absent_mount_sources_to_reject = [
+]
+
+# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
+# The runtime to use is picked based on the runtime handler provided by the CRI.
+# If no runtime handler is provided, the runtime will be picked based on the level
+# of trust of the workload. Each entry in the table should follow the format:
+#
+#[crio.runtime.runtimes.runtime-handler]
+# runtime_path = "/path/to/the/executable"
+# runtime_type = "oci"
+# runtime_root = "/path/to/the/root"
+# privileged_without_host_devices = false
+# allowed_annotations = []
+# Where:
+# - runtime-handler: name used to identify the runtime
+# - runtime_path (optional, string): absolute path to the runtime executable in
+# the host filesystem. If omitted, the runtime-handler identifier should match
+# the runtime executable name, and the runtime executable should be placed
+# in $PATH.
+# - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If
+# omitted, an "oci" runtime is assumed.
+# - runtime_root (optional, string): root directory for storage of containers
+# state.
+# - runtime_config_path (optional, string): the path for the runtime configuration
+# file. This can only be used with when using the VM runtime_type.
+# - privileged_without_host_devices (optional, bool): an option for restricting
+# host devices from being passed to privileged containers.
+# - allowed_annotations (optional, array of strings): an option for specifying
+# a list of experimental annotations that this runtime handler is allowed to process.
+# The currently recognized values are:
+# "io.kubernetes.cri-o.userns-mode" for configuring a user namespace for the pod.
+# "io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw" for mounting cgroups writably when set to "true".
+# "io.kubernetes.cri-o.Devices" for configuring devices for the pod.
+# "io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm.
+# "io.kubernetes.cri-o.UnifiedCgroup.$CTR_NAME" for configuring the cgroup v2 unified block for a container.
+# "io.containers.trace-syscall" for tracing syscalls via the OCI seccomp BPF hook.
+# "io.kubernetes.cri.rdt-class" for setting the RDT class of a container
+
+
+[crio.runtime.runtimes.runc]
+runtime_path = ""
+runtime_type = "oci"
+runtime_root = "/run/runc"
+runtime_config_path = ""
+
+
+allowed_annotations = [
+ "io.containers.trace-syscall",
+]
+
+
+
+# crun is a fast and lightweight fully featured OCI runtime and C library for
+# running containers
+#[crio.runtime.runtimes.crun]
+
+# Kata Containers is an OCI runtime, where containers are run inside lightweight
+# VMs. Kata provides additional isolation towards the host, minimizing the host attack
+# surface and mitigating the consequences of containers breakout.
+
+# Kata Containers with the default configured VMM
+#[crio.runtime.runtimes.kata-runtime]
+
+# Kata Containers with the QEMU VMM
+#[crio.runtime.runtimes.kata-qemu]
+
+# Kata Containers with the Firecracker VMM
+#[crio.runtime.runtimes.kata-fc]
+
+# The workloads table defines ways to customize containers with different resources
+# that work based on annotations, rather than the CRI.
+# Note, the behavior of this table is EXPERIMENTAL and may change at any time.
+# Each workload, has a name, activation_annotation, annotation_prefix and set of resources it supports mutating.
+# The currently supported resources are "cpu" (to configure the cpu shares) and "cpuset" to configure the cpuset.
+# Each resource can have a default value specified, or be empty.
+# For a container to opt-into this workload, the pod should be configured with the annotation $activation_annotation (key only, value is ignored).
+# To customize per-container, an annotation of the form $annotation_prefix.$resource/$ctrName = "value" can be specified
+# signifying for that resource type to override the default value.
+# If the annotation_prefix is not present, every container in the pod will be given the default values.
+# Example:
+# [crio.runtime.workloads.workload-type]
+# activation_annotation = "io.crio/workload"
+# annotation_prefix = "io.crio.workload-type"
+# [crio.runtime.workloads.workload-type.resources]
+# cpuset = 0
+# cpushares = "0-1"
+# Where:
+# The workload name is workload-type.
+# To specify, the pod must have the "io.crio.workload" annotation (this is a precise string match).
+# This workload supports setting cpuset and cpu resources.
+# annotation_prefix is used to customize the different resources.
+# To configure the cpu shares a container gets in the example above, the pod would have to have the following annotation:
+# "io.crio.workload-type/$container_name = {"cpushares": "value"}"
+
+
+# The crio.image table contains settings pertaining to the management of OCI images.
+#
+# CRI-O reads its configured registries defaults from the system wide
+# containers-registries.conf(5) located in /etc/containers/registries.conf. If
+# you want to modify just CRI-O, you can change the registries configuration in
+# this file. Otherwise, leave insecure_registries and registries commented out to
+# use the system's defaults from /etc/containers/registries.conf.
[crio.image]
-# default_transport is the prefix we try prepending to an image name if the
-# image name as we receive it can't be parsed as a valid source reference
+# Default transport for pulling images from a remote container storage.
default_transport = "docker://"
-# pause_image is the image which we use to instantiate infra containers.
-pause_image = "kubernetes/pause"
+# The path to a file containing credentials necessary for pulling images from
+# secure registries. The file is similar to that of /var/lib/kubelet/config.json
+global_auth_file = ""
-# pause_command is the command to run in a pause_image to have a container just
-# sit there. If the image contains the necessary information, this value need
-# not be specified.
+# The image used to instantiate infra containers.
+# This option supports live configuration reload.
+pause_image = "k8s.gcr.io/pause:3.6"
+
+# The path to a file containing credentials specific for pulling the pause_image from
+# above. The file is similar to that of /var/lib/kubelet/config.json
+# This option supports live configuration reload.
+pause_image_auth_file = ""
+
+# The command to run to have a container stay in the paused state.
+# When explicitly set to "", it will fallback to the entrypoint and command
+# specified in the pause image. When commented out, it will fallback to the
+# default: "/pause". This option supports live configuration reload.
pause_command = "/pause"
-# signature_policy is the name of the file which decides what sort of policy we
-# use when deciding whether or not to trust an image that we've pulled.
-# Outside of testing situations, it is strongly advised that this be left
-# unspecified so that the default system-wide policy will be used.
+# Path to the file which decides what sort of policy we use when deciding
+# whether or not to trust an image that we've pulled. It is not recommended that
+# this option be used, as the default behavior of using the system-wide default
+# policy (i.e., /etc/containers/policy.json) is most often preferred. Please
+# refer to containers-policy.json(5) for more details.
signature_policy = ""
-# image_volumes controls how image volumes are handled.
-# The valid values are mkdir and ignore.
-image_volumes = "mkdir"
-
-# insecure_registries is used to skip TLS verification when pulling images.
+# List of registries to skip TLS verification for pulling images. Please
+# consider configuring the registries via /etc/containers/registries.conf before
+# changing them here.
insecure_registries = [
]
-# registries is used to specify a comma separated list of registries to be used
-# when pulling an unqualified image (e.g. fedora:rawhide).
-registries = ['docker.io', 'registry.fedoraproject.org', 'registry.access.redhat.com']
+# Controls how image volumes are handled. The valid values are mkdir, bind and
+# ignore; the latter will ignore volumes entirely.
+image_volumes = "mkdir"
+
+# Temporary directory to use for storing big files
+big_files_temporary_dir = ""
-# The "crio.network" table contains settings pertaining to the
-# management of CNI plugins.
+# The crio.network table containers settings pertaining to the management of
+# CNI plugins.
[crio.network]
-# network_dir is is where CNI network configuration
-# files are stored.
+# The default CNI network name to be selected. If not set or "", then
+# CRI-O will pick-up the first one found in network_dir.
+# cni_default_network = ""
+
+# Path to the directory where CNI configuration files are located.
network_dir = "/etc/cni/net.d/"
-# plugin_dir is is where CNI plugin binaries are stored.
-plugin_dir = "/opt/cni/bin"
+# Paths to directories where CNI plugin binaries are located.
+plugin_dirs = [
+ "/opt/cni/bin/",
+]
+
+# A necessary configuration for Prometheus based metrics retrieval
+[crio.metrics]
+
+# Globally enable or disable metrics support.
+enable_metrics = false
+
+# Specify enabled metrics collectors.
+# Per default all metrics are enabled.
+# It is possible, to prefix the metrics with "container_runtime_" and "crio_".
+# For example, the metrics collector "operations" would be treated in the same
+# way as "crio_operations" and "container_runtime_crio_operations".
+metrics_collectors = [
+ "operations",
+ "operations_latency_microseconds_total",
+ "operations_latency_microseconds",
+ "operations_errors",
+ "image_pulls_by_digest",
+ "image_pulls_by_name",
+ "image_pulls_by_name_skipped",
+ "image_pulls_failures",
+ "image_pulls_successes",
+ "image_pulls_layer_size",
+ "image_layer_reuse",
+ "containers_oom_total",
+ "containers_oom",
+ "processes_defunct",
+ "operations_total",
+ "operations_latency_seconds",
+ "operations_latency_seconds_total",
+ "operations_errors_total",
+ "image_pulls_bytes_total",
+ "image_pulls_skipped_bytes_total",
+ "image_pulls_failure_total",
+ "image_pulls_success_total",
+ "image_layer_reuse_total",
+ "containers_oom_count_total",
+]
+
+# The port on which the metrics server will listen.
+metrics_port = 9090
+
+# Local socket path to bind the metrics server to
+metrics_socket = ""
+
+# The certificate for the secure metrics server.
+# If the certificate is not available on disk, then CRI-O will generate a
+# self-signed one. CRI-O also watches for changes of this path and reloads the
+# certificate on any modification event.
+metrics_cert = ""
+
+# The certificate key for the secure metrics server.
+# Behaves in the same way as the metrics_cert.
+metrics_key = ""
+
+# A necessary configuration for OpenTelemetry trace data exporting
+[crio.tracing]
+
+# Globally enable or disable exporting OpenTelemetry traces.
+enable_tracing = false
+
+# Address on which the gRPC trace collector listens on.
+tracing_endpoint = "0.0.0.0:4317"
+
+# Number of samples to collect per million spans.
+tracing_sampling_rate_per_million = 0
+
+# Necessary information pertaining to container and pod stats reporting.
+[crio.stats]
+
+# The number of seconds between collecting pod and container stats.
+# If set to 0, the stats are collected on-demand instead.
+stats_collection_period = 0
+
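Review bot: two comment typos in the added text: "The crio.network table containers settings" should read "contains settings", and "Address on which the gRPC trace collector listens on" has a doubled "on". More substantively, the `plugin_dir = "/opt/cni/bin"` string is replaced by a `plugin_dirs = [ ... ]` list, so any site-local crio.conf that still sets `plugin_dir` needs updating; that key rename deserves a mention. On the metrics side, `metrics_cert = ""` means CRI-O generates a self-signed certificate whenever metrics are enabled, so a scraper cannot verify the server's identity; provisioning a real certificate and key is preferable if `enable_metrics` is ever switched to true.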
--
2.37.1
* [meta-virtualization][kirkstone][PATCH 05/10] containers: introduce container-host class
From: Chen Qi @ 2023-03-01 9:52 UTC (permalink / raw)
To: meta-virtualization
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Introducing a small (at the moment) class that represents configuration
and processing required to prepare a target image to be a container
host.
A recipe that requires container configuration should inherit this
class, and the container-host-config package will be added as a
RDEPENDS, and install common configuration files.
In the future, additional functionality or dependencies will be added
here to synchronize the configuration of multiple container host
packages.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
classes/container-host.bbclass | 15 +++++++++++++++
1 file changed, 15 insertions(+)
create mode 100644 classes/container-host.bbclass
diff --git a/classes/container-host.bbclass b/classes/container-host.bbclass
new file mode 100644
index 0000000..99a75fe
--- /dev/null
+++ b/classes/container-host.bbclass
@@ -0,0 +1,15 @@
+# This class is the collection point for automatic dependencies,
+# package installs, rootfs postprocessing, etc, that are used
+# by container host images and recipes.
+
+# It currently is largely empty, and simply adds RDEPENDS, but
+# will expand to CRI/CNI configurations in the future.
+#
+
+RDEPENDS:${PN}:append = " container-host-config"
+
+do_install:append() {
+ # placeholder for additional package install, or configuration
+ # of the rootfs
+ true
+}
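Review bot: `RDEPENDS:${PN}:append` is unconditional, so a recipe that inherits this class and also extends to class-native (skopeo does, it carries a `do_install:append:class-native`) gives its -native variant the same runtime dependency on `container-host-config`, and that recipe has no native counterpart; worth checking that the native build still resolves, or guarding the append with a `:class-target` override. Minor: the lone `#` closing the header comment is stray, and the `do_install:append()` body is only `true`, which is fine as a placeholder but means the class currently has no effect beyond the RDEPENDS.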
--
2.37.1
* [meta-virtualization][kirkstone][PATCH 06/10] containers: add container-host-config recipe
From: Chen Qi @ 2023-03-01 9:52 UTC (permalink / raw)
To: meta-virtualization
From: Bruce Ashfield <bruce.ashfield@gmail.com>
This is a configuration only recipe that produces a package which
installs some common configuration files.
In this introduction we have both registries.conf and storage.conf.
Packages that require these files should RDEPEND on this package
(or inherit container-host.bbclass) and the files will be installed.
If conflicting requirements for these global configuration files
arise, they can be resolved through additions to this recipe, or by
providing a higher priority version of the .conf files.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
.../container-host-config.bb | 18 ++
.../container-host-config/registries.conf | 25 +++
.../container-host-config/storage.conf | 195 ++++++++++++++++++
3 files changed, 238 insertions(+)
create mode 100644 recipes-containers/container-host-config/container-host-config.bb
create mode 100644 recipes-containers/container-host-config/container-host-config/registries.conf
create mode 100644 recipes-containers/container-host-config/container-host-config/storage.conf
diff --git a/recipes-containers/container-host-config/container-host-config.bb b/recipes-containers/container-host-config/container-host-config.bb
new file mode 100644
index 0000000..c762dea
--- /dev/null
+++ b/recipes-containers/container-host-config/container-host-config.bb
@@ -0,0 +1,18 @@
+HOMEPAGE = "https://git.yoctoproject.org/meta-virtualization"
+SUMMARY = "Configuration Package for container hosts"
+DESCRIPTION = "Common / centralized configuration files for container hosts"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = " \
+ file://storage.conf \
+ file://registries.conf \
+"
+
+do_install() {
+ install -d ${D}/${sysconfdir}/containers
+
+ install ${WORKDIR}/storage.conf ${D}/${sysconfdir}/containers/storage.conf
+ install ${WORKDIR}/registries.conf ${D}/${sysconfdir}/containers/registries.conf
+}
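Review bot: `install` without `-m` defaults to mode 0755, so both configuration files land in `/etc/containers` as executable; use `install -m 0644` for the two files. Since the recipe contains nothing architecture-specific, `inherit allarch` would let the package be shared across machines, and `${D}/${sysconfdir}` can drop the doubled slash because `sysconfdir` already begins with one.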
diff --git a/recipes-containers/container-host-config/container-host-config/registries.conf b/recipes-containers/container-host-config/container-host-config/registries.conf
new file mode 100644
index 0000000..ba6c3f6
--- /dev/null
+++ b/recipes-containers/container-host-config/container-host-config/registries.conf
@@ -0,0 +1,25 @@
+# This is a system-wide configuration file used to
+# keep track of registries for various container backends.
+# It adheres to TOML format and does not support recursive
+# lists of registries.
+
+# The default location for this configuration file is /etc/containers/registries.conf.
+
+# The only valid categories are: 'registries.search', 'registries.insecure',
+# and 'registries.block'.
+
+[registries.search]
+registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
+
+# If you need to access insecure registries, add the registry's fully-qualified name.
+# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
+[registries.insecure]
+registries = []
+
+
+# If you need to block pull access from a registry, uncomment the section below
+# and add the registries fully-qualified name.
+#
+# Docker only
+[registries.block]
+registries = []
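Review bot: the comment above `[registries.block]` says to uncomment the section, but the section is already active with an empty list, so the comment is stale. On the content: `[registries.search]` lists five registries, so an unqualified image name is looked up on each in turn, docker.io first, which makes short names ambiguous across registries; a container host is better served by a shorter search list, or by requiring fully-qualified image references and keeping the search list only for interactive convenience.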
diff --git a/recipes-containers/container-host-config/container-host-config/storage.conf b/recipes-containers/container-host-config/container-host-config/storage.conf
new file mode 100644
index 0000000..722750c
--- /dev/null
+++ b/recipes-containers/container-host-config/container-host-config/storage.conf
@@ -0,0 +1,195 @@
+# This file is is the configuration file for all tools
+# that use the containers/storage library.
+# See man 5 containers-storage.conf for more information
+# The "container storage" table contains all of the server options.
+[storage]
+
+# Default Storage Driver, Must be set for proper operation.
+driver = "overlay"
+
+# Temporary storage location
+runroot = "/run/containers/storage"
+
+# Primary Read/Write location of container storage
+graphroot = "/var/lib/containers/storage"
+
+# Storage path for rootless users
+#
+# rootless_storage_path = "$HOME/.local/share/containers/storage"
+
+[storage.options]
+# Storage options to be passed to underlying storage drivers
+
+# AdditionalImageStores is used to pass paths to additional Read/Only image stores
+# Must be comma separated list.
+additionalimagestores = [
+]
+
+# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
+# a container, to the UIDs/GIDs as they should appear outside of the container,
+# and the length of the range of UIDs/GIDs. Additional mapped sets can be
+# listed and will be heeded by libraries, but there are limits to the number of
+# mappings which the kernel will allow when you later attempt to run a
+# container.
+#
+# remap-uids = 0:1668442479:65536
+# remap-gids = 0:1668442479:65536
+
+# Remap-User/Group is a user name which can be used to look up one or more UID/GID
+# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
+# with an in-container ID of 0 and then a host-level ID taken from the lowest
+# range that matches the specified name, and using the length of that range.
+# Additional ranges are then assigned, using the ranges which specify the
+# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
+# until all of the entries have been used for maps.
+#
+# remap-user = "containers"
+# remap-group = "containers"
+
+# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
+# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
+# to containers configured to create automatically a user namespace. Containers
+# configured to automatically create a user namespace can still overlap with containers
+# having an explicit mapping set.
+# This setting is ignored when running as rootless.
+# root-auto-userns-user = "storage"
+#
+# Auto-userns-min-size is the minimum size for a user namespace created automatically.
+# auto-userns-min-size=1024
+#
+# Auto-userns-max-size is the minimum size for a user namespace created automatically.
+# auto-userns-max-size=65536
+
+[storage.options.overlay]
+# ignore_chown_errors can be set to allow a non privileged user running with
+# a single UID within a user namespace to run containers. The user can pull
+# and use any image even those with multiple uids. Note multiple UIDs will be
+# squashed down to the default uid in the container. These images will have no
+# separation between the users in the container. Only supported for the overlay
+# and vfs drivers.
+#ignore_chown_errors = "false"
+
+# Inodes is used to set a maximum inodes of the container image.
+# inodes = ""
+
+# Path to an helper program to use for mounting the file system instead of mounting it
+# directly.
+#mount_program = "/usr/bin/fuse-overlayfs"
+
+# mountopt specifies comma separated list of extra mount options
+mountopt = "nodev"
+
+# Set to skip a PRIVATE bind mount on the storage home directory.
+# skip_mount_home = "false"
+
+# Size is used to set a maximum size of the container image.
+# size = ""
+
+# ForceMask specifies the permissions mask that is used for new files and
+# directories.
+#
+# The values "shared" and "private" are accepted.
+# Octal permission masks are also accepted.
+#
+# "": No value specified.
+# All files/directories, get set with the permissions identified within the
+# image.
+# "private": it is equivalent to 0700.
+# All files/directories get set with 0700 permissions. The owner has rwx
+# access to the files. No other users on the system can access the files.
+# This setting could be used with networked based homedirs.
+# "shared": it is equivalent to 0755.
+# The owner has rwx access to the files and everyone else can read, access
+# and execute them. This setting is useful for sharing containers storage
+# with other users. For instance have a storage owned by root but shared
+# to rootless users as an additional store.
+# NOTE: All files within the image are made readable and executable by any
+# user on the system. Even /etc/shadow within your image is now readable by
+# any user.
+#
+# OCTAL: Users can experiment with other OCTAL Permissions.
+#
+# Note: The force_mask Flag is an experimental feature, it could change in the
+# future. When "force_mask" is set the original permission mask is stored in
+# the "user.containers.override_stat" xattr and the "mount_program" option must
+# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
+# extended attribute permissions to processes within containers rather then the
+# "force_mask" permissions.
+#
+# force_mask = ""
+
+[storage.options.thinpool]
+# Storage Options for thinpool
+
+# autoextend_percent determines the amount by which pool needs to be
+# grown. This is specified in terms of % of pool size. So a value of 20 means
+# that when threshold is hit, pool will be grown by 20% of existing
+# pool size.
+# autoextend_percent = "20"
+
+# autoextend_threshold determines the pool extension threshold in terms
+# of percentage of pool size. For example, if threshold is 60, that means when
+# pool is 60% full, threshold has been hit.
+# autoextend_threshold = "80"
+
+# basesize specifies the size to use when creating the base device, which
+# limits the size of images and containers.
+# basesize = "10G"
+
+# blocksize specifies a custom blocksize to use for the thin pool.
+# blocksize="64k"
+
+# directlvm_device specifies a custom block storage device to use for the
+# thin pool. Required if you setup devicemapper.
+# directlvm_device = ""
+
+# directlvm_device_force wipes device even if device already has a filesystem.
+# directlvm_device_force = "True"
+
+# fs specifies the filesystem type to use for the base device.
+# fs="xfs"
+
+# log_level sets the log level of devicemapper.
+# 0: LogLevelSuppress 0 (Default)
+# 2: LogLevelFatal
+# 3: LogLevelErr
+# 4: LogLevelWarn
+# 5: LogLevelNotice
+# 6: LogLevelInfo
+# 7: LogLevelDebug
+# log_level = "7"
+
+# min_free_space specifies the min free space percent in a thin pool require for
+# new device creation to succeed. Valid values are from 0% - 99%.
+# Value 0% disables
+# min_free_space = "10%"
+
+# mkfsarg specifies extra mkfs arguments to be used when creating the base
+# device.
+# mkfsarg = ""
+
+# metadata_size is used to set the `pvcreate --metadatasize` options when
+# creating thin devices. Default is 128k
+# metadata_size = ""
+
+# Size is used to set a maximum size of the container image.
+# size = ""
+
+# use_deferred_removal marks devicemapper block device for deferred removal.
+# If the thinpool is in use when the driver attempts to remove it, the driver
+# tells the kernel to remove it as soon as possible. Note this does not free
+# up the disk space, use deferred deletion to fully remove the thinpool.
+# use_deferred_removal = "True"
+
+# use_deferred_deletion marks thinpool device for deferred deletion.
+# If the device is busy when the driver attempts to delete it, the driver
+# will attempt to delete device every 30 seconds until successful.
+# If the program using the driver exits, the driver will continue attempting
+# to cleanup the next time the driver is used. Deferred deletion permanently
+# deletes the device and all data stored in device will be lost.
+# use_deferred_deletion = "True"
+
+# xfs_nospace_max_retries specifies the maximum number of retries XFS should
+# attempt to complete IO when ENOSPC (no space) error is returned by
+# underlying storage device.
+# xfs_nospace_max_retries = "0"
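Review bot: two comment errors in the new file: the first line reads "This file is is the configuration file", and the `auto-userns-max-size` description says "minimum size" where it should say "maximum". `mountopt = "nodev"` is the right default to keep for container storage. The blob id `722750c` matches the skopeo copy of this file, so this is a move rather than new content, which is fine, but a note in the commit message would help reviewers.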
--
2.37.1
* [meta-virtualization][kirkstone][PATCH 07/10] skopeo: use container-host bbclass to provide configuration
From: Chen Qi @ 2023-03-01 9:52 UTC (permalink / raw)
To: meta-virtualization
From: Bruce Ashfield <bruce.ashfield@gmail.com>
Instead of providing storage and registries configuration files
in this package, we inherit container-host which will provide a
common definition of these configs.
This allows multiple packages to ensure that the configuration
files are present, and not conflict in their installation.
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
.../skopeo/files/registries.conf | 25 ---
recipes-containers/skopeo/files/storage.conf | 195 ------------------
recipes-containers/skopeo/skopeo_git.bb | 7 +-
3 files changed, 2 insertions(+), 225 deletions(-)
delete mode 100644 recipes-containers/skopeo/files/registries.conf
delete mode 100644 recipes-containers/skopeo/files/storage.conf
diff --git a/recipes-containers/skopeo/files/registries.conf b/recipes-containers/skopeo/files/registries.conf
deleted file mode 100644
index ba6c3f6..0000000
--- a/recipes-containers/skopeo/files/registries.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# This is a system-wide configuration file used to
-# keep track of registries for various container backends.
-# It adheres to TOML format and does not support recursive
-# lists of registries.
-
-# The default location for this configuration file is /etc/containers/registries.conf.
-
-# The only valid categories are: 'registries.search', 'registries.insecure',
-# and 'registries.block'.
-
-[registries.search]
-registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
-
-# If you need to access insecure registries, add the registry's fully-qualified name.
-# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
-[registries.insecure]
-registries = []
-
-
-# If you need to block pull access from a registry, uncomment the section below
-# and add the registries fully-qualified name.
-#
-# Docker only
-[registries.block]
-registries = []
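Review bot: the deleted blob (`ba6c3f6`) is identical to the file added under `recipes-containers/container-host-config/` in PATCH 06, so this is a move split across two commits; generating the series with rename detection, or folding the add and the delete into one commit, would make that obvious to reviewers.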
diff --git a/recipes-containers/skopeo/files/storage.conf b/recipes-containers/skopeo/files/storage.conf
deleted file mode 100644
index 722750c..0000000
--- a/recipes-containers/skopeo/files/storage.conf
+++ /dev/null
@@ -1,195 +0,0 @@
-# This file is is the configuration file for all tools
-# that use the containers/storage library.
-# See man 5 containers-storage.conf for more information
-# The "container storage" table contains all of the server options.
-[storage]
-
-# Default Storage Driver, Must be set for proper operation.
-driver = "overlay"
-
-# Temporary storage location
-runroot = "/run/containers/storage"
-
-# Primary Read/Write location of container storage
-graphroot = "/var/lib/containers/storage"
-
-# Storage path for rootless users
-#
-# rootless_storage_path = "$HOME/.local/share/containers/storage"
-
-[storage.options]
-# Storage options to be passed to underlying storage drivers
-
-# AdditionalImageStores is used to pass paths to additional Read/Only image stores
-# Must be comma separated list.
-additionalimagestores = [
-]
-
-# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
-# a container, to the UIDs/GIDs as they should appear outside of the container,
-# and the length of the range of UIDs/GIDs. Additional mapped sets can be
-# listed and will be heeded by libraries, but there are limits to the number of
-# mappings which the kernel will allow when you later attempt to run a
-# container.
-#
-# remap-uids = 0:1668442479:65536
-# remap-gids = 0:1668442479:65536
-
-# Remap-User/Group is a user name which can be used to look up one or more UID/GID
-# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
-# with an in-container ID of 0 and then a host-level ID taken from the lowest
-# range that matches the specified name, and using the length of that range.
-# Additional ranges are then assigned, using the ranges which specify the
-# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
-# until all of the entries have been used for maps.
-#
-# remap-user = "containers"
-# remap-group = "containers"
-
-# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
-# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
-# to containers configured to create automatically a user namespace. Containers
-# configured to automatically create a user namespace can still overlap with containers
-# having an explicit mapping set.
-# This setting is ignored when running as rootless.
-# root-auto-userns-user = "storage"
-#
-# Auto-userns-min-size is the minimum size for a user namespace created automatically.
-# auto-userns-min-size=1024
-#
-# Auto-userns-max-size is the minimum size for a user namespace created automatically.
-# auto-userns-max-size=65536
-
-[storage.options.overlay]
-# ignore_chown_errors can be set to allow a non privileged user running with
-# a single UID within a user namespace to run containers. The user can pull
-# and use any image even those with multiple uids. Note multiple UIDs will be
-# squashed down to the default uid in the container. These images will have no
-# separation between the users in the container. Only supported for the overlay
-# and vfs drivers.
-#ignore_chown_errors = "false"
-
-# Inodes is used to set a maximum inodes of the container image.
-# inodes = ""
-
-# Path to an helper program to use for mounting the file system instead of mounting it
-# directly.
-#mount_program = "/usr/bin/fuse-overlayfs"
-
-# mountopt specifies comma separated list of extra mount options
-mountopt = "nodev"
-
-# Set to skip a PRIVATE bind mount on the storage home directory.
-# skip_mount_home = "false"
-
-# Size is used to set a maximum size of the container image.
-# size = ""
-
-# ForceMask specifies the permissions mask that is used for new files and
-# directories.
-#
-# The values "shared" and "private" are accepted.
-# Octal permission masks are also accepted.
-#
-# "": No value specified.
-# All files/directories, get set with the permissions identified within the
-# image.
-# "private": it is equivalent to 0700.
-# All files/directories get set with 0700 permissions. The owner has rwx
-# access to the files. No other users on the system can access the files.
-# This setting could be used with networked based homedirs.
-# "shared": it is equivalent to 0755.
-# The owner has rwx access to the files and everyone else can read, access
-# and execute them. This setting is useful for sharing containers storage
-# with other users. For instance have a storage owned by root but shared
-# to rootless users as an additional store.
-# NOTE: All files within the image are made readable and executable by any
-# user on the system. Even /etc/shadow within your image is now readable by
-# any user.
-#
-# OCTAL: Users can experiment with other OCTAL Permissions.
-#
-# Note: The force_mask Flag is an experimental feature, it could change in the
-# future. When "force_mask" is set the original permission mask is stored in
-# the "user.containers.override_stat" xattr and the "mount_program" option must
-# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
-# extended attribute permissions to processes within containers rather then the
-# "force_mask" permissions.
-#
-# force_mask = ""
-
-[storage.options.thinpool]
-# Storage Options for thinpool
-
-# autoextend_percent determines the amount by which pool needs to be
-# grown. This is specified in terms of % of pool size. So a value of 20 means
-# that when threshold is hit, pool will be grown by 20% of existing
-# pool size.
-# autoextend_percent = "20"
-
-# autoextend_threshold determines the pool extension threshold in terms
-# of percentage of pool size. For example, if threshold is 60, that means when
-# pool is 60% full, threshold has been hit.
-# autoextend_threshold = "80"
-
-# basesize specifies the size to use when creating the base device, which
-# limits the size of images and containers.
-# basesize = "10G"
-
-# blocksize specifies a custom blocksize to use for the thin pool.
-# blocksize="64k"
-
-# directlvm_device specifies a custom block storage device to use for the
-# thin pool. Required if you setup devicemapper.
-# directlvm_device = ""
-
-# directlvm_device_force wipes device even if device already has a filesystem.
-# directlvm_device_force = "True"
-
-# fs specifies the filesystem type to use for the base device.
-# fs="xfs"
-
-# log_level sets the log level of devicemapper.
-# 0: LogLevelSuppress 0 (Default)
-# 2: LogLevelFatal
-# 3: LogLevelErr
-# 4: LogLevelWarn
-# 5: LogLevelNotice
-# 6: LogLevelInfo
-# 7: LogLevelDebug
-# log_level = "7"
-
-# min_free_space specifies the min free space percent in a thin pool require for
-# new device creation to succeed. Valid values are from 0% - 99%.
-# Value 0% disables
-# min_free_space = "10%"
-
-# mkfsarg specifies extra mkfs arguments to be used when creating the base
-# device.
-# mkfsarg = ""
-
-# metadata_size is used to set the `pvcreate --metadatasize` options when
-# creating thin devices. Default is 128k
-# metadata_size = ""
-
-# Size is used to set a maximum size of the container image.
-# size = ""
-
-# use_deferred_removal marks devicemapper block device for deferred removal.
-# If the thinpool is in use when the driver attempts to remove it, the driver
-# tells the kernel to remove it as soon as possible. Note this does not free
-# up the disk space, use deferred deletion to fully remove the thinpool.
-# use_deferred_removal = "True"
-
-# use_deferred_deletion marks thinpool device for deferred deletion.
-# If the device is busy when the driver attempts to delete it, the driver
-# will attempt to delete device every 30 seconds until successful.
-# If the program using the driver exits, the driver will continue attempting
-# to cleanup the next time the driver is used. Deferred deletion permanently
-# deletes the device and all data stored in device will be lost.
-# use_deferred_deletion = "True"
-
-# xfs_nospace_max_retries specifies the maximum number of retries XFS should
-# attempt to complete IO when ENOSPC (no space) error is returned by
-# underlying storage device.
-# xfs_nospace_max_retries = "0"
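Review bot: because this deletion lands one commit after PATCH 06 added the same file (`722750c`) to container-host-config, an image built at the intermediate commit that installs both skopeo and container-host-config has two packages shipping `/etc/containers/storage.conf` and `registries.conf`, which is a packaging conflict; squashing the two patches avoids that bisect hazard.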
diff --git a/recipes-containers/skopeo/skopeo_git.bb b/recipes-containers/skopeo/skopeo_git.bb
index d32c525..12a24b0 100644
--- a/recipes-containers/skopeo/skopeo_git.bb
+++ b/recipes-containers/skopeo/skopeo_git.bb
@@ -22,8 +22,6 @@ RDEPENDS:${PN} = " \
SRC_URI = " \
git://github.com/containers/skopeo;branch=main;protocol=https \
file://0001-Makefile-use-pkg-config-instead-of-gpgme-config.patch \
- file://storage.conf \
- file://registries.conf \
"
SRCREV = "3e2defd6d37b742adde2aac6cb01f6c3c17da8e2"
@@ -35,6 +33,8 @@ S = "${WORKDIR}/git"
inherit goarch
inherit pkgconfig
+inherit container-host
+
# This CVE was fixed in the container image go library skopeo is using.
# See:
# https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214
@@ -81,9 +81,6 @@ do_install() {
install ${S}/src/import/bin/skopeo ${D}/${sbindir}/
install ${S}/src/import/default-policy.json ${D}/${sysconfdir}/containers/policy.json
-
- install ${WORKDIR}/storage.conf ${D}/${sysconfdir}/containers/storage.conf
- install ${WORKDIR}/registries.conf ${D}/${sysconfdir}/containers/registries.conf
}
do_install:append:class-native() {
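Review bot: with these two `install` lines removed, ownership of `/etc/containers/storage.conf` and `registries.conf` moves to a package skopeo only RDEPENDS on, so any local skopeo bbappend that overrode either file must now target container-host-config instead; worth a line in the commit message.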
--
2.37.1
* Re: [meta-virtualization][kirkstone][PATCH 07/10] skopeo: use container-host bbclass to provide configuration
From: Bruce Ashfield @ 2023-03-02 21:27 UTC (permalink / raw)
To: Chen Qi; +Cc: meta-virtualization
These are arguably new functionality, so shouldn't be backported.
But they are quite simple and make the series much simpler to apply, so I ended up taking the change.
Bruce
In message: [meta-virtualization][kirkstone][PATCH 07/10] skopeo: use container-host bbclass to provide configuration
on 01/03/2023 Chen Qi wrote:
> From: Bruce Ashfield <bruce.ashfield@gmail.com>
>
> Instead of providing storage and registries configuration files
> in this package, we inherit container-host which will provide a
> common definition of these configs.
>
> This allows multiple packages to ensure that the configuration
> files are present, and not conflict in their installation.
>
> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
> ---
> .../skopeo/files/registries.conf | 25 ---
> recipes-containers/skopeo/files/storage.conf | 195 ------------------
> recipes-containers/skopeo/skopeo_git.bb | 7 +-
> 3 files changed, 2 insertions(+), 225 deletions(-)
> delete mode 100644 recipes-containers/skopeo/files/registries.conf
> delete mode 100644 recipes-containers/skopeo/files/storage.conf
>
> diff --git a/recipes-containers/skopeo/files/registries.conf b/recipes-containers/skopeo/files/registries.conf
> deleted file mode 100644
> index ba6c3f6..0000000
> --- a/recipes-containers/skopeo/files/registries.conf
> +++ /dev/null
> @@ -1,25 +0,0 @@
> -# This is a system-wide configuration file used to
> -# keep track of registries for various container backends.
> -# It adheres to TOML format and does not support recursive
> -# lists of registries.
> -
> -# The default location for this configuration file is /etc/containers/registries.conf.
> -
> -# The only valid categories are: 'registries.search', 'registries.insecure',
> -# and 'registries.block'.
> -
> -[registries.search]
> -registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com', 'registry.centos.org']
> -
> -# If you need to access insecure registries, add the registry's fully-qualified name.
> -# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
> -[registries.insecure]
> -registries = []
> -
> -
> -# If you need to block pull access from a registry, uncomment the section below
> -# and add the registries fully-qualified name.
> -#
> -# Docker only
> -[registries.block]
> -registries = []
> diff --git a/recipes-containers/skopeo/files/storage.conf b/recipes-containers/skopeo/files/storage.conf
> deleted file mode 100644
> index 722750c..0000000
> --- a/recipes-containers/skopeo/files/storage.conf
> +++ /dev/null
> @@ -1,195 +0,0 @@
> -# This file is is the configuration file for all tools
> -# that use the containers/storage library.
> -# See man 5 containers-storage.conf for more information
> -# The "container storage" table contains all of the server options.
> -[storage]
> -
> -# Default Storage Driver, Must be set for proper operation.
> -driver = "overlay"
> -
> -# Temporary storage location
> -runroot = "/run/containers/storage"
> -
> -# Primary Read/Write location of container storage
> -graphroot = "/var/lib/containers/storage"
> -
> -# Storage path for rootless users
> -#
> -# rootless_storage_path = "$HOME/.local/share/containers/storage"
> -
> -[storage.options]
> -# Storage options to be passed to underlying storage drivers
> -
> -# AdditionalImageStores is used to pass paths to additional Read/Only image stores
> -# Must be comma separated list.
> -additionalimagestores = [
> -]
> -
> -# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
> -# a container, to the UIDs/GIDs as they should appear outside of the container,
> -# and the length of the range of UIDs/GIDs. Additional mapped sets can be
> -# listed and will be heeded by libraries, but there are limits to the number of
> -# mappings which the kernel will allow when you later attempt to run a
> -# container.
> -#
> -# remap-uids = 0:1668442479:65536
> -# remap-gids = 0:1668442479:65536
> -
> -# Remap-User/Group is a user name which can be used to look up one or more UID/GID
> -# ranges in the /etc/subuid or /etc/subgid file. Mappings are set up starting
> -# with an in-container ID of 0 and then a host-level ID taken from the lowest
> -# range that matches the specified name, and using the length of that range.
> -# Additional ranges are then assigned, using the ranges which specify the
> -# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
> -# until all of the entries have been used for maps.
> -#
> -# remap-user = "containers"
> -# remap-group = "containers"
> -
> -# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
> -# ranges in the /etc/subuid and /etc/subgid file. These ranges will be partitioned
> -# to containers configured to create automatically a user namespace. Containers
> -# configured to automatically create a user namespace can still overlap with containers
> -# having an explicit mapping set.
> -# This setting is ignored when running as rootless.
> -# root-auto-userns-user = "storage"
> -#
> -# Auto-userns-min-size is the minimum size for a user namespace created automatically.
> -# auto-userns-min-size=1024
> -#
> -# Auto-userns-max-size is the minimum size for a user namespace created automatically.
> -# auto-userns-max-size=65536
> -
> -[storage.options.overlay]
> -# ignore_chown_errors can be set to allow a non privileged user running with
> -# a single UID within a user namespace to run containers. The user can pull
> -# and use any image even those with multiple uids. Note multiple UIDs will be
> -# squashed down to the default uid in the container. These images will have no
> -# separation between the users in the container. Only supported for the overlay
> -# and vfs drivers.
> -#ignore_chown_errors = "false"
> -
> -# Inodes is used to set a maximum inodes of the container image.
> -# inodes = ""
> -
> -# Path to an helper program to use for mounting the file system instead of mounting it
> -# directly.
> -#mount_program = "/usr/bin/fuse-overlayfs"
> -
> -# mountopt specifies comma separated list of extra mount options
> -mountopt = "nodev"
> -
> -# Set to skip a PRIVATE bind mount on the storage home directory.
> -# skip_mount_home = "false"
> -
> -# Size is used to set a maximum size of the container image.
> -# size = ""
> -
> -# ForceMask specifies the permissions mask that is used for new files and
> -# directories.
> -#
> -# The values "shared" and "private" are accepted.
> -# Octal permission masks are also accepted.
> -#
> -# "": No value specified.
> -# All files/directories, get set with the permissions identified within the
> -# image.
> -# "private": it is equivalent to 0700.
> -# All files/directories get set with 0700 permissions. The owner has rwx
> -# access to the files. No other users on the system can access the files.
> -# This setting could be used with networked based homedirs.
> -# "shared": it is equivalent to 0755.
> -# The owner has rwx access to the files and everyone else can read, access
> -# and execute them. This setting is useful for sharing containers storage
> -# with other users. For instance have a storage owned by root but shared
> -# to rootless users as an additional store.
> -# NOTE: All files within the image are made readable and executable by any
> -# user on the system. Even /etc/shadow within your image is now readable by
> -# any user.
> -#
> -# OCTAL: Users can experiment with other OCTAL Permissions.
> -#
> -# Note: The force_mask Flag is an experimental feature, it could change in the
> -# future. When "force_mask" is set the original permission mask is stored in
> -# the "user.containers.override_stat" xattr and the "mount_program" option must
> -# be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
> -# extended attribute permissions to processes within containers rather then the
> -# "force_mask" permissions.
> -#
> -# force_mask = ""
> -
> -[storage.options.thinpool]
> -# Storage Options for thinpool
> -
> -# autoextend_percent determines the amount by which pool needs to be
> -# grown. This is specified in terms of % of pool size. So a value of 20 means
> -# that when threshold is hit, pool will be grown by 20% of existing
> -# pool size.
> -# autoextend_percent = "20"
> -
> -# autoextend_threshold determines the pool extension threshold in terms
> -# of percentage of pool size. For example, if threshold is 60, that means when
> -# pool is 60% full, threshold has been hit.
> -# autoextend_threshold = "80"
> -
> -# basesize specifies the size to use when creating the base device, which
> -# limits the size of images and containers.
> -# basesize = "10G"
> -
> -# blocksize specifies a custom blocksize to use for the thin pool.
> -# blocksize="64k"
> -
> -# directlvm_device specifies a custom block storage device to use for the
> -# thin pool. Required if you setup devicemapper.
> -# directlvm_device = ""
> -
> -# directlvm_device_force wipes device even if device already has a filesystem.
> -# directlvm_device_force = "True"
> -
> -# fs specifies the filesystem type to use for the base device.
> -# fs="xfs"
> -
> -# log_level sets the log level of devicemapper.
> -# 0: LogLevelSuppress 0 (Default)
> -# 2: LogLevelFatal
> -# 3: LogLevelErr
> -# 4: LogLevelWarn
> -# 5: LogLevelNotice
> -# 6: LogLevelInfo
> -# 7: LogLevelDebug
> -# log_level = "7"
> -
> -# min_free_space specifies the min free space percent in a thin pool require for
> -# new device creation to succeed. Valid values are from 0% - 99%.
> -# Value 0% disables
> -# min_free_space = "10%"
> -
> -# mkfsarg specifies extra mkfs arguments to be used when creating the base
> -# device.
> -# mkfsarg = ""
> -
> -# metadata_size is used to set the `pvcreate --metadatasize` options when
> -# creating thin devices. Default is 128k
> -# metadata_size = ""
> -
> -# Size is used to set a maximum size of the container image.
> -# size = ""
> -
> -# use_deferred_removal marks devicemapper block device for deferred removal.
> -# If the thinpool is in use when the driver attempts to remove it, the driver
> -# tells the kernel to remove it as soon as possible. Note this does not free
> -# up the disk space, use deferred deletion to fully remove the thinpool.
> -# use_deferred_removal = "True"
> -
> -# use_deferred_deletion marks thinpool device for deferred deletion.
> -# If the device is busy when the driver attempts to delete it, the driver
> -# will attempt to delete device every 30 seconds until successful.
> -# If the program using the driver exits, the driver will continue attempting
> -# to cleanup the next time the driver is used. Deferred deletion permanently
> -# deletes the device and all data stored in device will be lost.
> -# use_deferred_deletion = "True"
> -
> -# xfs_nospace_max_retries specifies the maximum number of retries XFS should
> -# attempt to complete IO when ENOSPC (no space) error is returned by
> -# underlying storage device.
> -# xfs_nospace_max_retries = "0"
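Review bot: two settings in the deleted storage.conf are security-relevant and should be confirmed present in the container-host-config copy that now replaces it: `driver = "overlay"` and `mountopt = "nodev"` under `[storage.options.overlay]`. Dropping `nodev` would let device nodes shipped in an image layer be used from the mounted rootfs. Minor, and visible only because the whole file is shown: the comment `# Auto-userns-max-size is the minimum size` is a copy-paste error for "maximum"; not worth touching in a file being deleted, but worth checking the new copy does not carry the same typo.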
> diff --git a/recipes-containers/skopeo/skopeo_git.bb b/recipes-containers/skopeo/skopeo_git.bb
> index d32c525..12a24b0 100644
> --- a/recipes-containers/skopeo/skopeo_git.bb
> +++ b/recipes-containers/skopeo/skopeo_git.bb
> @@ -22,8 +22,6 @@ RDEPENDS:${PN} = " \
> SRC_URI = " \
> git://github.com/containers/skopeo;branch=main;protocol=https \
> file://0001-Makefile-use-pkg-config-instead-of-gpgme-config.patch \
> - file://storage.conf \
> - file://registries.conf \
> "
>
> SRCREV = "3e2defd6d37b742adde2aac6cb01f6c3c17da8e2"
> @@ -35,6 +33,8 @@ S = "${WORKDIR}/git"
> inherit goarch
> inherit pkgconfig
>
> +inherit container-host
> +
> # This CVE was fixed in the container image go library skopeo is using.
> # See:
> # https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10214
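Review bot: `inherit container-host` replaces two `file://` entries, so the class has to supply the runtime dependency on container-host-config; if it only wires up build-side pieces, a skopeo image is left without /etc/containers/storage.conf and registries.conf. The PATCH 09 message later in this thread says the intent is to "make both skopeo and cri-o depend on it", but neither recipe hunk shows an RDEPENDS, so please confirm the class carries it, or add `RDEPENDS:${PN} += "container-host-config"` here.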
> @@ -81,9 +81,6 @@ do_install() {
>
> install ${S}/src/import/bin/skopeo ${D}/${sbindir}/
> install ${S}/src/import/default-policy.json ${D}/${sysconfdir}/containers/policy.json
> -
> - install ${WORKDIR}/storage.conf ${D}/${sysconfdir}/containers/storage.conf
> - install ${WORKDIR}/registries.conf ${D}/${sysconfdir}/containers/registries.conf
> }
>
> do_install:append:class-native() {
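Review bot: `do_install:append:class-native()` still follows this hunk, but the native variant of skopeo loses storage.conf and registries.conf here and does not get them back until PATCH 10 adds `BBCLASSEXTEND = "native nativesdk"` to container-host-config; between the two patches skopeo-native builds with no config at all. Squashing the BBCLASSEXTEND change into this patch, or ordering it before this one, keeps the series bisectable.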
> --
> 2.37.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#7917): https://lists.yoctoproject.org/g/meta-virtualization/message/7917
> Mute This Topic: https://lists.yoctoproject.org/mt/97311053/1050810
> Group Owner: meta-virtualization+owner@lists.yoctoproject.org
> Unsubscribe: https://lists.yoctoproject.org/g/meta-virtualization/unsub [bruce.ashfield@gmail.com]
> -=-=-=-=-=-=-=-=-=-=-=-
>
* [meta-virtualization][kirkstone][PATCH 08/10] README: remove some cri-o specific layer dependencies
2023-03-01 9:52 [meta-virtualization][kirkstone][PATCH 01/10] cri-o: remove meta-security check Chen Qi
` (5 preceding siblings ...)
2023-03-01 9:52 ` [meta-virtualization][kirkstone][PATCH 07/10] skopeo: use container-host bbclass to provide configuration Chen Qi
@ 2023-03-01 9:52 ` Chen Qi
2023-03-01 9:52 ` [meta-virtualization][kirkstone][PATCH 09/10] container-host-config: provide /etc/containers/policy.json Chen Qi
` (2 subsequent siblings)
9 siblings, 0 replies; 12+ messages in thread
From: Chen Qi @ 2023-03-01 9:52 UTC (permalink / raw)
To: meta-virtualization
ostree is in meta-oe, libseccomp is in oe-core. So remove these two.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
README | 2 --
1 file changed, 2 deletions(-)
diff --git a/README b/README
index 1c75f4a..7a848bb 100644
--- a/README
+++ b/README
@@ -68,9 +68,7 @@ revision: HEAD
prio: default
Required for cri-o:
-URI: git://github.com/advancedtelematic/meta-updater
URI: git://git.yoctoproject.org/meta-selinux
-URI: git://git.yoctoproject.org/meta-security
branch: master
revision: HEAD
prio: default
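Review bot: the commit message says ostree now comes from meta-oe, but the hunk only removes the meta-updater and meta-security URIs and does not add meta-oe; unless meta-oe is already listed elsewhere in the README, cri-o users lose the pointer to where ostree lives. After the removal the "Required for cri-o:" block holds only meta-selinux, so the `branch`/`revision`/`prio` lines that follow now describe meta-selinux alone; that reads fine, but a look at the rendered README would confirm it.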
--
2.37.1
* [meta-virtualization][kirkstone][PATCH 09/10] container-host-config: provide /etc/containers/policy.json
2023-03-01 9:52 [meta-virtualization][kirkstone][PATCH 01/10] cri-o: remove meta-security check Chen Qi
` (6 preceding siblings ...)
2023-03-01 9:52 ` [meta-virtualization][kirkstone][PATCH 08/10] README: remove some cri-o specific layer dependencies Chen Qi
@ 2023-03-01 9:52 ` Chen Qi
2023-03-01 9:52 ` [meta-virtualization][kirkstone][PATCH 10/10] container-host-config: extend to native and nativesdk Chen Qi
2023-03-02 21:26 ` [meta-virtualization][kirkstone][PATCH 01/10] cri-o: remove meta-security check Bruce Ashfield
9 siblings, 0 replies; 12+ messages in thread
From: Chen Qi @ 2023-03-01 9:52 UTC (permalink / raw)
To: meta-virtualization
The /etc/containers/policy.json[1] file is used to specify verification
policy. For now, we can see it's used by both cri-o and skopeo. To avoid
conflict, we use container-host-config to provide this file and make both
skopeo and cri-o depend on it.
[1] https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
.../container-host-config/container-host-config.bb | 2 ++
.../container-host-config/policy.json | 7 +++++++
recipes-containers/cri-o/cri-o_git.bb | 1 +
recipes-containers/skopeo/skopeo_git.bb | 1 -
4 files changed, 10 insertions(+), 1 deletion(-)
create mode 100755 recipes-containers/container-host-config/container-host-config/policy.json
diff --git a/recipes-containers/container-host-config/container-host-config.bb b/recipes-containers/container-host-config/container-host-config.bb
index c762dea..c2f17bf 100644
--- a/recipes-containers/container-host-config/container-host-config.bb
+++ b/recipes-containers/container-host-config/container-host-config.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384
SRC_URI = " \
file://storage.conf \
file://registries.conf \
+ file://policy.json \
"
do_install() {
@@ -15,4 +16,5 @@ do_install() {
install ${WORKDIR}/storage.conf ${D}/${sysconfdir}/containers/storage.conf
install ${WORKDIR}/registries.conf ${D}/${sysconfdir}/containers/registries.conf
+ install ${WORKDIR}/policy.json ${D}/${sysconfdir}/containers/policy.json
}
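Review bot: `install ${WORKDIR}/policy.json ...` is called without `-m`, so the file lands with install's default 0755, and the source is also committed as mode 100755 (the `new file mode 100755` line below). A policy file has no reason to be executable: use `install -m 0644` for policy.json, and for consistency for the two .conf files above it, and commit the source as 100644.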
diff --git a/recipes-containers/container-host-config/container-host-config/policy.json b/recipes-containers/container-host-config/container-host-config/policy.json
new file mode 100755
index 0000000..bb26e57
--- /dev/null
+++ b/recipes-containers/container-host-config/container-host-config/policy.json
@@ -0,0 +1,7 @@
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+}
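Review bot: this policy has `insecureAcceptAnything` as its only default requirement and no `transports` section, so every image from every transport is accepted with no signature check; the commit message calls the file a "verification policy" and should say plainly that the policy shipped here disables verification. Skopeo's upstream default-policy.json, which the skopeo hunk below stops installing, is equally permissive by default, so this is not a regression, but it is the file an integrator must replace to enforce signed images, for example `"default": [{"type": "reject"}]` plus per-scope `signedBy` requirements under `transports.docker`. A comment in the recipe or a line in the README pointing that out would help.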
diff --git a/recipes-containers/cri-o/cri-o_git.bb b/recipes-containers/cri-o/cri-o_git.bb
index 2597942..d74a17f 100644
--- a/recipes-containers/cri-o/cri-o_git.bb
+++ b/recipes-containers/cri-o/cri-o_git.bb
@@ -57,6 +57,7 @@ inherit systemd
inherit go
inherit goarch
inherit pkgconfig
+inherit container-host
EXTRA_OEMAKE="BUILDTAGS=''"
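Review bot: the commit message says cri-o uses policy.json and the move "to avoid conflict", but this hunk only adds `inherit container-host`; nothing visible removes a policy.json install from cri-o's do_install, so please confirm cri-o was not shipping its own copy, otherwise the two packages still collide on /etc/containers/policy.json. Separately, `EXTRA_OEMAKE="BUILDTAGS=''"` just below empties cri-o's Go build tags; worth confirming that the seccomp and selinux tags still take effect, since libseccomp and libselinux are pulled in as dependencies for exactly those features.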
diff --git a/recipes-containers/skopeo/skopeo_git.bb b/recipes-containers/skopeo/skopeo_git.bb
index 12a24b0..e396e3a 100644
--- a/recipes-containers/skopeo/skopeo_git.bb
+++ b/recipes-containers/skopeo/skopeo_git.bb
@@ -80,7 +80,6 @@ do_install() {
install -d ${D}/${sysconfdir}/containers
install ${S}/src/import/bin/skopeo ${D}/${sbindir}/
- install ${S}/src/import/default-policy.json ${D}/${sysconfdir}/containers/policy.json
}
do_install:append:class-native() {
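Review bot: with the policy.json install gone, the `install -d ${D}/${sysconfdir}/containers` two lines above creates a directory this recipe no longer populates (storage.conf and registries.conf left in PATCH 07). It can go as well, unless `do_install:append:class-native()` below still writes into it; that append is not shown here, so please check it does not still reference policy.json.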
--
2.37.1
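As an added example, not part of this thread or of meta-virtualization: a small Python resolver and audit for a containers-policy.json, showing what the policy shipped by the patch above means for an image pull, next to a constructed hardened policy. The weak policy is the one from the patch; the hardened policy, its registry name and its key path are hypothetical. Scope matching follows the documented most-specific-scope rule (per-transport scopes, then the "" transport default, then the top-level default; every requirement in the chosen list must pass, and an empty list rejects) but omits wildcard hosts and tag/digest-qualified scopes.

```python
"""Resolve and audit a containers-policy.json along the lines of containers/image.

Simplified model of the documented rules: the most specific matching scope under
transports.<transport> wins, "" is the per-transport default, and the top-level
"default" applies when no scope matches.  Every requirement in the selected list
must pass; an empty list rejects.  Wildcard hosts and tag/digest-qualified scopes
are not modelled.
"""
import json

# The policy shipped by the patch above: accepts everything, verifies nothing.
WEAK_POLICY = '{"default": [{"type": "insecureAcceptAnything"}]}'

# Constructed hardened alternative (hypothetical registry and key path).
HARDENED_POLICY = """{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "registry.example.com/prod": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/containers/prod-release.gpg"}
      ],
      "registry.example.com": [{"type": "insecureAcceptAnything"}]
    },
    "dir": {"": [{"type": "insecureAcceptAnything"}]}
  }
}"""

VERIFYING_TYPES = {"signedBy", "sigstoreSigned"}


def load_policy(text):
    return json.loads(text)


def _strip_tag_and_digest(ref):
    ref = ref.split("@", 1)[0]              # drop @sha256:...
    head, sep, last = ref.rpartition("/")
    last = last.split(":", 1)[0]            # drop :tag on the final component only
    return head + sep + last


def candidate_scopes(image_ref):
    """Scopes to try, most specific first, ending with the transport default ''."""
    name = _strip_tag_and_digest(image_ref)
    parts = name.split("/")
    scopes = [name]
    for i in range(len(parts) - 1, 0, -1):
        scopes.append("/".join(parts[:i]))  # registry/namespace, then registry
    scopes.append("")
    return scopes


def effective_requirements(policy, transport, image_ref):
    """Return (matched_scope, requirements); matched_scope is None for the global default."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(image_ref):
        if scope in scopes:
            return scope, scopes[scope]
    return None, policy.get("default", [])


def verdict(policy, transport, image_ref):
    """'reject', 'verify-signature' or 'accept-unverified' for one image reference."""
    _, reqs = effective_requirements(policy, transport, image_ref)
    types = [r.get("type") for r in reqs]
    if not types or "reject" in types:
        return "reject"                     # empty list or any reject requirement rejects
    if any(t in VERIFYING_TYPES for t in types):
        return "verify-signature"           # all requirements must pass, so a signature is needed
    return "accept-unverified"


def audit(policy):
    """List every place the policy accepts images without verification."""
    findings = []
    if any(r.get("type") == "insecureAcceptAnything" for r in policy.get("default", [])):
        findings.append("default: insecureAcceptAnything")
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            if any(r.get("type") == "insecureAcceptAnything" for r in reqs):
                findings.append(f"{transport}:{scope or '<transport default>'}: insecureAcceptAnything")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        pol = load_policy(text)
        print(label, audit(pol))
        for tr, ref in (("docker", "docker.io/library/busybox:latest"),
                        ("docker", "registry.example.com/prod/api@sha256:" + "0" * 64),
                        ("docker", "registry.example.com/dev/tool:1"),
                        ("dir", "/var/tmp/oci-layout")):
            print(f"  {tr}:{ref} -> {verdict(pol, tr, ref)}")
```

Run against the shipped policy, `audit` reports the single default finding and every pull resolves to accept-unverified; against the hardened policy, only the explicitly listed scopes stay unverified and anything unmatched falls through to reject, which is the shape an integrator would drop into container-host-config via a bbappend.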
* [meta-virtualization][kirkstone][PATCH 10/10] container-host-config: extend to native and nativesdk
2023-03-01 9:52 [meta-virtualization][kirkstone][PATCH 01/10] cri-o: remove meta-security check Chen Qi
` (7 preceding siblings ...)
2023-03-01 9:52 ` [meta-virtualization][kirkstone][PATCH 09/10] container-host-config: provide /etc/containers/policy.json Chen Qi
@ 2023-03-01 9:52 ` Chen Qi
2023-03-02 21:26 ` [meta-virtualization][kirkstone][PATCH 01/10] cri-o: remove meta-security check Bruce Ashfield
9 siblings, 0 replies; 12+ messages in thread
From: Chen Qi @ 2023-03-01 9:52 UTC (permalink / raw)
To: meta-virtualization
skopeo rdepends on it, and skopeo has been extended to native and
nativesdk, so container-host-config also needs to be extended.
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
---
.../container-host-config/container-host-config.bb | 2 ++
1 file changed, 2 insertions(+)
diff --git a/recipes-containers/container-host-config/container-host-config.bb b/recipes-containers/container-host-config/container-host-config.bb
index c2f17bf..80abddf 100644
--- a/recipes-containers/container-host-config/container-host-config.bb
+++ b/recipes-containers/container-host-config/container-host-config.bb
@@ -18,3 +18,5 @@ do_install() {
install ${WORKDIR}/registries.conf ${D}/${sysconfdir}/containers/registries.conf
install ${WORKDIR}/policy.json ${D}/${sysconfdir}/containers/policy.json
}
+
+BBCLASSEXTEND = "native nativesdk"
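Review bot: extending to native means skopeo-native, the variant used when a build fetches or converts container images, picks up the same policy.json from container-host-config-native, i.e. `insecureAcceptAnything`, so image pulls done at build time are unverified too. That is consistent with the target policy, but it is the build-host side of the supply chain and deserves a sentence in the commit message, plus ideally a documented way to ship a stricter policy for the native and nativesdk variants (for example a bbappend overriding policy.json).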
--
2.37.1
* Re: [meta-virtualization][kirkstone][PATCH 01/10] cri-o: remove meta-security check
2023-03-01 9:52 [meta-virtualization][kirkstone][PATCH 01/10] cri-o: remove meta-security check Chen Qi
` (8 preceding siblings ...)
2023-03-01 9:52 ` [meta-virtualization][kirkstone][PATCH 10/10] container-host-config: extend to native and nativesdk Chen Qi
@ 2023-03-02 21:26 ` Bruce Ashfield
9 siblings, 0 replies; 12+ messages in thread
From: Bruce Ashfield @ 2023-03-02 21:26 UTC (permalink / raw)
To: Chen Qi; +Cc: meta-virtualization
All 10 have now been cherry-picked to kirkstone.
Bruce
In message: [meta-virtualization][kirkstone][PATCH 01/10] cri-o: remove meta-security check
on 01/03/2023 Chen Qi wrote:
> libseccomp is not in oe-core. There's no need to check
> meta-security any more.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
> ---
> recipes-containers/cri-o/cri-o_git.bb | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/recipes-containers/cri-o/cri-o_git.bb b/recipes-containers/cri-o/cri-o_git.bb
> index 7940bbd..ee5906e 100644
> --- a/recipes-containers/cri-o/cri-o_git.bb
> +++ b/recipes-containers/cri-o/cri-o_git.bb
> @@ -46,7 +46,7 @@ RDEPENDS:${PN} = " \
> libdevmapper \
> "
>
> -SKIP_RECIPE[cri-o] ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', 'security', bb.utils.contains('BBFILE_COLLECTIONS', 'selinux', '', 'Depends on libselinux from meta-selinux which is not included', d), 'Depends on libseccomp from meta-security which is not included', d)}"
> +SKIP_RECIPE[cri-o] ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', 'selinux', '', 'Depends on libselinux from meta-selinux which is not included', d)}"
>
> PACKAGES =+ "${PN}-config"
>
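Review bot: the commit message says "libseccomp is not in oe-core", which contradicts the change: the meta-security check is dropped precisely because libseccomp is now available from oe-core, as the PATCH 08 message in this thread states. The word should be "now". The resulting `SKIP_RECIPE` still hard-requires meta-selinux for libselinux, which is fine for this patch, but a note that this is handled separately would help readers of the kirkstone log.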
> --
> 2.37.1
>
>
>