Pull request #19: integration of container image and container runtime based on podman

Merge in ICO/coreos from feat/podman to master

* commit 'b7fd85c8b08b56700255071c3025d6a9c61995ec':
  chore(submodule): move meta-openembedded and meta-virtualization to bitbucket clone
  feat(container): add podman as container runtime
  meta-belden-bsp: add containers machine

.gitmodules

@@ -6,3 +6,11 @@
 	path = layers/openembedded-core
 	url = ssh://git@bitbucket.gad.local:7999/ico/openembedded-core.git
 	branch = kirkstone
+[submodule "layers/meta-openembedded"]
+	path = layers/meta-openembedded
+	url = git clone ssh://git@bitbucket.gad.local:7999/ico/meta-openembedded.git
+	branch = kirkstone
+[submodule "layers/meta-virtualization"]
+	path = layers/meta-virtualization
+	url = git clone ssh://git@bitbucket.gad.local:7999/ico/meta-virtualization.git
+	branch = kirkstone

documentation/index.rst

@@ -23,6 +23,7 @@ same structures.
 
    Quick Build <quick-build>
    Setting up a CoreOS based distro <using-coreos>
+   Building and using a Container Image <using-container>
 
 .. toctree::
    :maxdepth: 1

documentation/ref-manual/index.rst

@@ -11,6 +11,7 @@ Belden CoreOS Reference Manual
 
    classes
    distro
+   machines
    images
    features
    variables

documentation/ref-manual/machines.rst

@@ -0,0 +1,76 @@
+********
+Machines
+********
+
+The CoreOS build system provides several machines:
+
+Generic Architecture
+====================
+
+Some machines generate code that are generic over a wide range of architecture.
+
+When this is the case, the machine name end with a CoreOS specific architecture
+suffix:
+
+x64
+---
+
+The x64 suffix is used for machine that generate code that can run on any modern
+AMD64 computer. This need at least a Core2 Duo processor.
+
+arm32
+-----
+
+The arm32 suffix is used to generate code that is compatible with any ARM
+processor that is compatible with the ARMv7a Architecture and both the NEON
+and VFPv3-D32 extension set.
+
+arm64
+-----
+
+The arm64 suffis is used to generate cade that is compatible with any ARM
+provessor that is compatible with the AArch64 architecture.
+
+.. _ref-machine-vm:
+
+Virtual Machines
+================
+
+Virtual machines can be used to boot an image on any UEFI compatible virtual
+machine hypervisor. The build system generates a virtual machine disk in the 
+`.vmdk` format by default.
+
+The following virtual machines are available:
+
+- vm-x64
+
+The `vm` machine override can be used on all these machines.
+
+.. hint::
+
+    When installing using the ISO file, UEFI secure boot should be desactived.
+    After the installation, or when using the `.vmdk` file directly, it is
+    recommanded to activate the UEFI Secure Boot on the (virtual) machine
+    firmware.
+
+    Public key needed by the firmware are available on the EFI partition of the
+    image.
+
+
+.. _ref-machine-container:
+
+Containers
+==========
+
+Container machine generate an OCI archive that can be imported on tools like
+Podman or Docker. The generate archive doesn't contain a kernel, neither an
+init system.
+
+The following container machines are available:
+
+- container-x64
+- container-arm32
+- container-arm64
+
+The `container` machine override can be used on all these machines.
+

documentation/using-container.rst

@@ -0,0 +1,84 @@
+************************************
+Building and Using a Container Image
+************************************
+
+Building a container image based on CoreOS is really easy. You have to set
+the machine to either of the following value in the `local.conf` file:
+
+- container-x64
+- container-arm64
+- container-arm32
+
+.. hint::
+
+    The machine can also be overwriting from the shell using
+    `MACHINE=<machine> bitbake`
+
+Then you can generate any image by running:
+
+.. code-block:: sh
+
+    $ bitbake <image>
+
+As an example, you can build the `coreos-image-minimal` as an OCI container
+for AMD64 machine with the following command:
+
+.. code-block:: sh
+
+    $ MACHINE=container-x64 bitbake core-image-minimal
+
+
+This will generate a container tarball in the tar.gz format.
+
+If you are using `podman`, you can import the container with:
+
+.. code-block:: sh
+
+    $ cd $BUILDDIR/tmp/deploy/images/container-x64
+    $ podman import coreos-image-container-container-x64.tar.bz2
+    Getting image source signatures
+    Copying blob 46c0b1c53d42 [--------------------------------------] 0.0b / 0.0b
+    Copying config 051856498a done  
+    Writing manifest to image destination
+    Storing signatures
+    051856498a59e0ae6349492539efaf915a33dd73e7a54ce9683b0414d1481fae
+
+Then you can use start any program included in the image with:
+
+.. code-block:: sh
+
+    $ podman run <PODMAN_ARGS> <IMAGE_ID> <COMMAND> <COMMAND_ARGS>
+
+To run an interactive shell, you can use:
+
+.. code-block:: sh
+
+    $ podman run -i <IMAGE_ID> ash --i
+    / # 
+
+The `<IMAGE_ID>` should be copied from the output of `podman import`. In this
+exemple, it was
+`051856498a59e0ae6349492539efaf915a33dd73e7a54ce9683b0414d1481fae`.
+
+You are now inside the container, try the following command:
+
+.. code-block:: sh
+
+    / # cat /etc/os-release
+    ID=belden-coreos
+    NAME="Belden CoreOS"
+    VERSION="0.0.1-feat/oci-image+75cf54e4b54b713d8ebeafddd122aeb615715ef9 (kirkstone)"
+    VERSION_ID=0.0.1-feat/oci-image-75cf54e4b54b713d8ebeafddd122aeb615715ef9
+    PRETTY_NAME="Belden CoreOS 0.0.1-feat/oci-image+75cf54e4b54b713d8ebeafddd122aeb615715ef9 (kirkstone)"
+    DISTRO_CODENAME="kirkstone"
+
+.. note::
+
+    Image generated using any container machines doesn't include the Linux
+    kernel neither many system componant that are usually not used on a container
+    like SystemD or udev. This is done inside the machine configuration by
+    settings all the `VIRTUAL_RUNTIME_<component>` to an empty string.
+
+    Any of these system component can be added to the image if needed, by adding
+    them by their real name (instead of using any `VIRTUAL_RUNTIME_` variables)
+    in the `IMAGE_INSTALL` variables.

layers/meta-belden-coreos-bsp/classes/coreos-bsp-config.bbclass

@@ -9,6 +9,7 @@
 
 # EFI is a requirement for CoreOS
 MACHINE_FEATURES:append = "efi"
+MACHINE_FEATURES:remove:container = "efi"
 
 # If a bootloader is used, it should be systemd-boot and not grub-efi as set
 # in packagegroup-core-boot by default.

layers/meta-belden-coreos-bsp/conf/machine/container-arm32.conf

@@ -0,0 +1,2 @@
+require include/coreos-generic-arch/arm32.inc
+require include/coreos-generic-machine/container.inc

layers/meta-belden-coreos-bsp/conf/machine/container-arm64.conf

@@ -0,0 +1,2 @@
+require include/coreos-generic-arch/arm64.inc
+require include/coreos-generic-machine/container.inc

layers/meta-belden-coreos-bsp/conf/machine/container-x64.conf

@@ -0,0 +1,2 @@
+require include/coreos-generic-arch/x64.inc
+require include/coreos-generic-machine/container.inc

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-arch/arm32.inc

@@ -0,0 +1,3 @@
+# Container will require a host with at least an Armv7 CPU with VFPv3 and Neon. 
+DEFAULTTUNE ?= "armv7athf-neon"
+require conf/machine/include/arm/arch-armv7a.inc

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-arch/arm64.inc

@@ -0,0 +1,2 @@
+DEFAULTTUNE ?= "aarch64"
+require conf/machine/include/arm/arch-arm64.inc

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-arch/x64.inc

@@ -0,0 +1,2 @@
+DEFAULTTUNE ?= "core2-64"
+require conf/machine/include/x86/tune-core2.inc

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/container.inc

@@ -0,0 +1,20 @@
+
+IMAGE_FSTYPES += "container oci"
+IMGCLASSES:append = " image-oci"
+
+# Add an override that work for all container image
+MACHINEOVERRIDES =. "container:"
+
+# Containers don't need a kernel
+PREFERRED_PROVIDER_virtual/kernel = "linux-dummy"
+
+# Containers normaly don't need systemd or any of the VIRTUAL_RUNTIME.
+# One ways to remove it is to make a custome base image for container that don't
+# install any of the virtual runtime, the other ways is to use the same image
+# as for non-container machine and just set all the VIRTUAL_RUNTIME variables
+# to an empty string here:
+VIRTUAL-RUNTIME_dev_manager = ""
+VIRTUAL-RUNTIME_login_manager = ""
+VIRTUAL-RUNTIME_init_manager = ""
+VIRTUAL-RUNTIME_initscripts = ""
+VIRTUAL-RUNTIME_keymaps = ""

layers/meta-belden-coreos-bsp/conf/machine/include/coreos-generic-machine/vm.inc

@@ -3,12 +3,15 @@ require conf/machine/include/x86/qemuboot-x86.inc
 
 MACHINE_FEATURES += "wifi efi"
 
+# Add an override that work for all pc image
+MACHINEOVERRIDES =. "vm:"
+
 PREFERRED_VERSION_linux-yocto ?= "5.15%"
 PREFERRED_PROVIDER_virtual/kernel ?= "linux-yocto"
 
 MACHINE_EXTRA_RRECOMMENDS += "kernel-modules linux-firmware"
 
-IMAGE_FSTYPES += "ext4 wic wic.xz wic.bmap wic.vmdk iso"
+IMAGE_FSTYPES += "ext4 wic wic.bmap wic.vmdk"
 
 WKS_FILE ?= "generic-uefi.wks.in"
 do_image_wic[depends] += "gptfdisk-native:do_populate_sysroot"

layers/meta-belden-coreos-bsp/conf/machine/vm-x64.conf

@@ -2,10 +2,8 @@
 #@NAME: Generic x86_64
 #@DESCRIPTION: Machine configuration for generic x86_64 (64-bit) PCs and servers. Supports a moderately wide range of drivers that should boot and be usable on "typical" hardware.
 
-DEFAULTTUNE ?= "core2-64"
-require conf/machine/include/x86/tune-core2.inc
-require conf/machine/include/pc-common.inc
+require include/coreos-generic-arch/x64.inc
+require include/coreos-generic-machine/vm.inc
 
 SERIAL_CONSOLES_CHECK = "ttyS0"
-#For runqemu
 QB_SYSTEM_NAME = "qemu-system-x86_64"

layers/meta-belden-coreos-bsp/recipes-kernel/linux/linux-yocto_5.15.bbappend

@@ -1,8 +1,8 @@
-KMACHINE:pc-x64 ?= "common-pc-64"
-COMPATIBLE_MACHINE:pc-x64 = "pc-x64"
+KMACHINE:vm-x64 ?= "common-pc-64"
+COMPATIBLE_MACHINE:vm-x64 = "vm-x64"
 
 # Enable some kernel features related to virtualiuzation
-KERNEL_FEATURES:append:pc-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
+KERNEL_FEATURES:append:vm-x64=" cfg/virtio.scc cfg/paravirt_kvm.scc"
 
 KBRANCH:beaglebone = "v5.15/standard/beaglebone"
 KMACHINE:beaglebone ?= "beaglebone"

layers/meta-belden-coreos/classes/coreos-image.bbclass

@@ -6,6 +6,34 @@ FEATURE_PACKAGES_tools-debug = "packagegroup-core-tools-debug"
 FEATURE_PACKAGES_tools-profile = "packagegroup-core-tools-profile"
 FEATURE_PACKAGES_hwcodecs = "${MACHINE_HWCODECS}"
 
+FEATURE_PACKAGES_container = "packagegroup-coreos-container"
+FEATURE_PACKAGES_container-dev-tools = "packagegroup-coreos-container-dev-tools"
+FEATURE_PACKAGES_container-cockpit = "cockpit-podman"
+
+# The cockpit feature automatically install the corresponding
+# *-cockpit FEATURES_PACKAGES for any image features
+FEATURE_PACKAGES_cockpit = "packagegroup-coreos-cockpit ${@get_feature_packages_with_suffix('cockpit', d)}"
+
+# The dev-tools feature automatically install the corresponding
+# *-dev-tools FEATURES_PACKAGES for any image features
+FEATURE_PACKAGES_dev-tools = "${@get_feature_packages_with_suffix('dev-tool', d)}"
+
+def get_feature_packages_with_suffix(suffix, d):
+    """
+    For each feature inside IMAGE_FEATURES, look if a FEATURE_PACKAGE variable
+    exist for {feature}-{suffix}.
+
+    Return a list of all the value of the corresponding FEATURE_PACKAGE founded.
+    """
+    images_features = d.getVar('IMAGE_FEATURES').split()
+    result = ""
+
+    for feature in images_features:
+        tools = d.getVar(f'FEATURE_PACKAGES_{feature}-{suffix}')
+        if tools:
+            result += f" {tools}"    
+    return result
+
 MACHINE_HWCODECS ??= ""
 
 # These image features are CoreOS specifics:
@@ -21,6 +49,7 @@ FEATURE_PACKAGES_ssh-server = "packagegroup-core-ssh-dropbear"
 # see [Yocto #14858] for more information
 PACKAGE_EXCLUDE_COMPLEMENTARY:append = "${@bb.utils.contains_any('PACKAGE_INSTALL', 'packagegroup-core-ssh-dropbear dropbear', 'openssh', '' , d)}"
 
+
 # We can handle feature that conflicts with either:
 
 # IMAGE_FEATURES_REPLACES_foo = 'bar1 bar2'
@@ -36,7 +65,11 @@ COREOS_IMAGE_BASE_INSTALL = '\
     efibootmgr \
     efivar \
     os-release \
-    ${COREOS_IMAGE_EXTRA_INSTALL} \
+    '
+
+COREOS_IMAGE_BASE_INSTALL:container = '\
+    packagegroup-base \
+    os-release \
     '
 
 COREOS_IMAGE_EXTRA_INSTALL ?= ""

layers/meta-belden-coreos/classes/coreos-sanity.bbclass

@@ -24,7 +24,7 @@ python check_coreos_sanity_eventhandler() {
             " `require conf/distro/belden-coreos.conf`"
         )
 
-    if e.data.getVar('VIRTUAL-RUNTIME_init_manager') != "systemd":
+    if e.data.getVar('INIT_MANAGER') != "systemd":
         bb.fatal(
             "systemd is not set as `INIT_MANAGER`. "
             "Using SystemD is mandatory on CoreOS based distribution"

layers/meta-belden-coreos/conf/distro/belden-coreos.conf

@@ -13,9 +13,9 @@ DISTRO_CODENAME = "kirkstone"
 PACKAGE_CLASSES = "package_ipk"
 INIT_MANAGER = "systemd"
 
-DISTRO_FEATURES_DEFAULT ?= "bluetooth usbhost pci ipv4 ipv6 wifi multiarch usrmerge ptest efi"
+DISTRO_FEATURES_DEFAULT ?= "bluetooth usbhost pci ipv4 ipv6 wifi multiarch usrmerge ptest efi pam"
 DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT}"
-DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio gobject-introspection-data ldconfig"
+DISTRO_FEATURES_BACKFILL_CONSIDERED = "pulseaudio ldconfig"
 DISTRO_EXTRA_RDEPENDS += "packagegroup-core-boot"
 
 # Build configuration
@@ -63,3 +63,12 @@ SDKPATHINSTALL = "/opt/${DISTRO}/${SDK_VERSION}"
 
 INHERIT += "coreos-bsp-config"
 INHERIT += "coreos-efi-secureboot"
+
+# Virtualization configuration
+# ==============================================================================
+
+# Use crun insted of runc as a OCI runtime. crun is faster and need less memory
+# than runc so it's a better fit for embedded
+#PREFERRED_PROVIDER_virtual/runc = "crun"
+PACKAGECONFIG:append:pn-podman = " rootless"
+DISTRO_FEATURES_DEFAULT += "virtualization seccomp ipv6"

layers/meta-belden-coreos/recipes-core/images/coreos-image-full-cmdline.bb

@@ -3,5 +3,5 @@ functionality installed."
 
 inherit coreos-image
 
-IMAGE_FEATURES += "ssh-server"
+IMAGE_FEATURES += "ssh-server container dev-tools cockpit"
 IMAGE_INSTALL:append = " packagegroup-core-full-cmdline"

layers/meta-belden-coreos/recipes-core/images/coreos-image-minimal-dev.bb

@@ -3,4 +3,4 @@ require coreos-image-minimal.bb
 DESCRIPTION = "A small image just capable of allowing a device to boot and \
 is suitable for development work."
 
-IMAGE_FEATURES += "dev-pkgs"
+IMAGE_FEATURES += "dev-pkgs dev-tools"

layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-cockpit.bb

@@ -0,0 +1,21 @@
+SUMMARY = "Add cockpit web management"
+DESCRIPTION = "Cockpit makes it easy to administer your GNU/Linux servers via a web browser"
+
+inherit packagegroup
+
+
+PACKAGES = "\
+    ${PN} \
+"
+
+RDEPENDS:${PN} = "\
+    cockpit \
+    cockpit-ws \
+    cockpit-shell \
+    cockpit-systemd \
+    cockpit-users \
+    cockpit-dashboard \
+    cockpit-kdump \
+    cockpit-sosreport \
+    cockpit-tuned \
+"

layers/meta-belden-coreos/recipes-core/packagegroups/packagegroup-coreos-container.bb

@@ -0,0 +1,18 @@
+SUMMARY = "Add containers runtime and management"
+DESCRIPTION = "Add containers runtime and management"
+
+inherit packagegroup
+
+
+PACKAGES = "\
+    ${PN} \
+    ${PN}-dev-tools \
+"
+
+RDEPENDS:${PN} = "\
+    podman \
+"
+
+RDEPENDS:${PN}-dev-tools = "\
+    podman-tui \
+"

layers/meta-belden-coreos/recipes-webadmin/cockpit-podman/cockpit-podman_57.bb

@@ -0,0 +1,32 @@
+SUMMARY = "The Cockpit user interface for Podman containers."
+DESCRIPTION = "This is the Cockpit user interface for podman containers."
+
+LICENSE = "LGPL-2.1-only"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=4fbd65380cdd255951079008b364516c"
+
+SRC_URI += " \
+    https://github.com/cockpit-project/cockpit-podman/releases/download/${PV}/cockpit-podman-${PV}.tar.xz \
+    "
+SRC_URI[sha256sum] = "a42d7dfabdd1a058c5b0f502bfd9380542d9666f047316ea1ff114e7b1db0877"
+
+RDEPENDS:${PN} += "cockpit-bridge podman"
+
+inherit allarch gettext
+
+DEPENDS += "intltool-native virtual/gettext"
+
+S = "${WORKDIR}/${BPN}"
+
+
+FILES:${PN} += " \
+    ${datadir}/cockpit/podman \
+    ${datadir}/metainfo/org.cockpit-project.podman.metainfo.xml \
+"
+
+do_buid() {
+    :
+}
+
+do_install() {
+    oe_runmake install DESTDIR=${D}
+}

layers/meta-openembedded

@@ -0,0 +1 @@
+Subproject commit 50d4a8d2a983a68383ef1ffec2c8e21adf0c1a79

layers/meta-virtualization

@@ -0,0 +1 @@
+Subproject commit 9a487c1851aa2021cf24f951957e22fd429c8025