Add Podman-based container support

.gitmodules

@@ -6,3 +6,7 @@
 	path = meta-openembedded
 	url = https://github.com/openembedded/meta-openembedded.git
 	branch = scarthgap
+[submodule "meta-virtualization"]
+	path = meta-virtualization
+	url = https://github.com/lgirdk/meta-virtualization.git
+	branch = scarthgap

Makefile

@@ -34,11 +34,13 @@ build-inner:
 	@source poky/oe-init-build-env build/ && \
 		bitbake oasis-vm-stage1 && \
 		bitbake oasis-vm-stage2-basic && \
+		bitbake oasis-vm-stage2-podman && \
 		bitbake ovmf
 	@rm -rf $(FINAL_ARTIFACTS_DIR)
 	@mkdir -p $(FINAL_ARTIFACTS_DIR)
 	@cp $(INTERMEDIATE_ARTIFACTS_DIR)/ovmf.tdx.fd $(FINAL_ARTIFACTS_DIR)
 	@cp $(INTERMEDIATE_ARTIFACTS_DIR)/oasis-vm-stage2-basic-tdx.tar.bz2 $(FINAL_ARTIFACTS_DIR)/stage2-basic.tar.bz2
+	@cp $(INTERMEDIATE_ARTIFACTS_DIR)/oasis-vm-stage2-podman-tdx.tar.bz2 $(FINAL_ARTIFACTS_DIR)/stage2-podman.tar.bz2
 	@cp $(INTERMEDIATE_ARTIFACTS_DIR)/bzImage-initramfs-tdx.bin $(FINAL_ARTIFACTS_DIR)/stage1.bin
 
 # Cleanup.

build/conf/bblayers.conf

@@ -11,5 +11,9 @@ BBLAYERS ?= " \
   ${TOPDIR}/../poky/meta-poky \
   ${TOPDIR}/../poky/meta-yocto-bsp \
   ${TOPDIR}/../meta-openembedded/meta-oe \
+  ${TOPDIR}/../meta-openembedded/meta-filesystems \
+  ${TOPDIR}/../meta-openembedded/meta-networking \
+  ${TOPDIR}/../meta-openembedded/meta-python \
+  ${TOPDIR}/../meta-virtualization \
   ${TOPDIR}/../meta-oasis-vm \
   "

build/conf/conf-notes.txt

@@ -6,6 +6,7 @@ You can now run 'bitbake <target>'
 Common targets are:
     oasis-vm-stage1
     oasis-vm-stage2-basic
+    oasis-vm-stage2-podman
     ovmf
 
 Other commonly useful commands are:

build/conf/local.conf

@@ -20,3 +20,5 @@ BB_HASHSERVE = "auto"
 BB_SIGNATURE_HANDLER = "OEEquivHash"
 
 CONF_VERSION = "2"
+
+SKIP_META_VIRT_SANITY_CHECK = "1"

meta-oasis-vm/conf/distro/oasis-vm.conf

@@ -33,10 +33,13 @@ DISTRO_FEATURES_NET = "ipv4 ipv6"
 # Introduce a custom feature that can be used by other recipes to detect being
 # built for Oasis VM.
 DISTRO_FEATURES_OASISVM = "oasisvm"
+# Features needed for containers.
+DISTRO_FEATURES_CONTAINERS = "seccomp"
 
 DISTRO_FEATURES = "${DISTRO_FEATURES_TINY} \
                    ${DISTRO_FEATURES_NET} \
                    ${DISTRO_FEATURES_OASISVM} \
+                   ${DISTRO_FEATURES_CONTAINERS} \
                   "
 
 OASIS_VM_DISTRO_FEATURES_NATIVE = "acl debuginfod ext2 ipv4 ipv6 xattr nfs zeroconf pci vfat seccomp ptest"

meta-oasis-vm/conf/layer.conf

@@ -9,4 +9,5 @@ BBFILE_COLLECTIONS += "oasis-vm"
 BBFILE_PATTERN_oasis-vm := "^${LAYERDIR}/"
 BBFILE_PRIORITY_oasis-vm = "20"
 LAYERVERSION_oasis-vm = "1"
+LAYERDEPENDS_oasis-vm = "virtualization-layer"
 LAYERSERIES_COMPAT_oasis-vm = "scarthgap"

meta-oasis-vm/recipes-containers/container-host-config/container-host-config.bb

@@ -0,0 +1,23 @@
+HOMEPAGE = "https://git.yoctoproject.org/meta-virtualization"
+SUMMARY =  "Configuration Package for container hosts"
+DESCRIPTION = "Common / centralized configuration files for container hosts"
+
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+
+SRC_URI = " \
+    file://containers.conf \
+    file://storage.conf \
+    file://registries.conf \
+    file://policy.json \
+"
+
+do_install() {
+    install -d ${D}${sysconfdir}/containers
+    install -m 0644 ${WORKDIR}/containers.conf ${D}${sysconfdir}/containers/containers.conf
+    install -m 0644 ${WORKDIR}/storage.conf ${D}${sysconfdir}/containers/storage.conf
+    install -m 0644 ${WORKDIR}/registries.conf ${D}${sysconfdir}/containers/registries.conf
+    install -m 0644 ${WORKDIR}/policy.json ${D}${sysconfdir}/containers/policy.json
+}
+
+BBCLASSEXTEND = "native nativesdk"

meta-oasis-vm/recipes-containers/container-host-config/container-host-config/containers.conf

@@ -0,0 +1,10 @@
+[engine]
+cgroup_manager = "cgroupfs"
+events_logger = "none"
+runtime = "runc"
+lock_type = "shm"
+no_pivot_root = true
+image_copy_tmp_dir = "storage"
+
+[network]
+network_config_dir = "/storage/containers/net"

meta-oasis-vm/recipes-containers/container-host-config/container-host-config/policy.json

@@ -0,0 +1,7 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ]
+}

meta-oasis-vm/recipes-containers/container-host-config/container-host-config/registries.conf

@@ -0,0 +1,25 @@
+# This is a system-wide configuration file used to
+# keep track of registries for various container backends.
+# It adheres to TOML format and does not support recursive
+# lists of registries.
+
+# The default location for this configuration file is /etc/containers/registries.conf.
+
+# The only valid categories are: 'registries.search', 'registries.insecure', 
+# and 'registries.block'.
+
+[registries.search]
+registries = ['docker.io', 'registry.fedoraproject.org', 'quay.io', 'registry.access.redhat.com']
+
+# If you need to access insecure registries, add the registry's fully-qualified name.
+# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
+[registries.insecure]
+registries = []
+
+
+# If you need to block pull access from a registry, uncomment the section below
+# and add the registries fully-qualified name.
+#
+# Docker only
+[registries.block]
+registries = []

meta-oasis-vm/recipes-containers/container-host-config/container-host-config/storage.conf

@@ -0,0 +1,11 @@
+[storage]
+driver = "overlay"
+runroot = "/storage/containers/run"
+graphroot = "/storage/containers/graph"
+
+[storage.options]
+additionalimagestores = [
+]
+pull_options = { enable_partial_images = "false", use_hard_links = "false", ostree_repos = "" }
+
+[storage.options.overlay]

meta-oasis-vm/recipes-core/images/common.inc

@@ -0,0 +1,14 @@
+OASIS_BASIC_INSTALL = "stage2-base busybox libgcc libssl ca-certificates"
+
+IMAGE_FEATURES = ""
+IMAGE_NAME_SUFFIX ?= ""
+IMAGE_LINGUAS = ""
+
+LICENSE = "MIT"
+
+IMAGE_FSTYPES = "tar.bz2"
+
+inherit core-image
+
+IMAGE_ROOTFS_SIZE = "8192"
+IMAGE_ROOTFS_EXTRA_SPACE = "0"

meta-oasis-vm/recipes-core/images/oasis-vm-stage1.bb

@@ -27,6 +27,6 @@ COMPATIBLE_HOST = "x86_64.*-linux"
 # provide the console device.
 IMAGE_PREPROCESS_COMMAND:append = " stage1_prepare_rootfs"
 stage1_prepare_rootfs() {
-    mkdir ${IMAGE_ROOTFS}/dev
+    mkdir -p ${IMAGE_ROOTFS}/dev
     mknod -m 622 ${IMAGE_ROOTFS}/dev/console c 5 1
 }

meta-oasis-vm/recipes-core/images/oasis-vm-stage2-basic.bb

@@ -1,20 +1,7 @@
 DESCRIPTION = "Minimal root filesystem for a stage2."
 
-OASIS_BASIC_INSTALL = "stage2-base busybox libgcc libssl ca-certificates"
+require common.inc
 
 PACKAGE_INSTALL = "${OASIS_BASIC_INSTALL} ${VIRTUAL-RUNTIME_base-utils} ${ROOTFS_BOOTSTRAP_INSTALL}"
 
-IMAGE_FEATURES = ""
-
 export IMAGE_BASENAME = "oasis-vm-stage2-basic"
-IMAGE_NAME_SUFFIX ?= ""
-IMAGE_LINGUAS = ""
-
-LICENSE = "MIT"
-
-IMAGE_FSTYPES = "tar.bz2"
-
-inherit core-image
-
-IMAGE_ROOTFS_SIZE = "8192"
-IMAGE_ROOTFS_EXTRA_SPACE = "0"

meta-oasis-vm/recipes-core/images/oasis-vm-stage2-podman.bb

@@ -0,0 +1,9 @@
+DESCRIPTION = "Stage2 with Podman container support."
+
+require common.inc
+
+OASIS_PODMAN_INSTALL = "stage2-podman"
+
+PACKAGE_INSTALL = "${OASIS_BASIC_INSTALL} ${OASIS_PODMAN_INSTALL} ${VIRTUAL-RUNTIME_base-utils} ${ROOTFS_BOOTSTRAP_INSTALL}"
+
+export IMAGE_BASENAME = "oasis-vm-stage2-podman"

meta-oasis-vm/recipes-core/stage1-init/files/init

@@ -16,6 +16,9 @@ mount none -t devpts /dev/pts
 # in a different TD identity.
 stage2_root_hash=""
 stage2_hash_offset=""
+stage2_storage_mode=""
+stage2_storage_offset=""
+stage2_storage_size=""
 for cfg in $(cat /proc/cmdline | xargs -n1); do
 	case $cfg in
 		oasis.stage2.roothash=*)
@@ -26,6 +29,18 @@ for cfg in $(cat /proc/cmdline | xargs -n1); do
 			# Stage 2 hash offset.
 			stage2_hash_offset="${cfg//oasis.stage2.hash_offset=}"
 		;;
+		oasis.stage2.storage_mode=*)
+			# Stage 2 ephemeral storage mode.
+			stage2_storage_mode="${cfg//oasis.stage2.storage_mode=}"
+		;;
+		oasis.stage2.storage_offset=*)
+			# Stage 2 storage space offset.
+			stage2_storage_offset="${cfg//oasis.stage2.storage_offset=}"
+		;;
+		oasis.stage2.storage_size=*)
+			# Stage 2 storage space size.
+			stage2_storage_size="${cfg//oasis.stage2.storage_size=}"
+		;;
 	esac
 done
 
@@ -44,7 +59,67 @@ veritysetup open \
 	/dev/vda \
 	${stage2_root_hash}
 
-# Mount stage 2 root filesystem and switch into it.
+# Mount stage 2 root filesystem (read-only).
 mkdir -p /stage2
 mount /dev/mapper/stage2 /stage2
+
+# When stage 2 storage filesystem offset is configured, set up read-write ephemeral storage.
+if [[ -n "${stage2_storage_mode}" && -d /stage2/storage ]]; then
+	echo "Using ephemeral storage mode: ${stage2_storage_mode}"
+
+	case $stage2_storage_mode in
+		disk)
+			if [[ -z "${stage2_storage_offset}" || -z "${stage2_storage_size}" ]]; then
+				echo "Missing disk-backed stage 2 ephemeral storage configuration."
+				exit 1
+			fi
+
+			# Generate a random key (this is ephemeral storage).
+			storage_key=$(dd if=/dev/urandom bs=1024 count=1 2>/dev/null | tr -dc 'a-zA-Z0-9' | dd bs=1 count=64 2>/dev/null)
+			# Format block device with dm-integrity and dm-crypt setup.
+			echo -n "${storage_key}" | cryptsetup luksFormat \
+				--offset ${stage2_storage_offset} \
+				--type luks2 \
+				--integrity hmac-sha256 \
+				--integrity-no-wipe \
+				/dev/vda
+			# Open block device.
+			echo -n "${storage_key}" | cryptsetup open \
+				--offset ${stage2_storage_offset} \
+				--type luks2 \
+				/dev/vda \
+				storage
+			# Create and mount filesystem.
+			mkfs.ext4 /dev/mapper/storage
+			mount /dev/mapper/storage /stage2/storage
+		;;
+		ram)
+			if [[ -z "${stage2_storage_size}" ]]; then
+				echo "Missing ram-backed stage 2 ephemeral storage configuration."
+				exit 1
+			fi
+
+			# Just use tmpfs.
+			mount none -t tmpfs -o size=${stage2_storage_size} /stage2/storage
+		;;
+		*)
+			echo "Unsupported stage 2 ephemeral storage mode."
+			exit 1
+		;;
+	esac
+
+	# Point /run to ephemeral storage if it exists.
+	if [ -d /stage2/run ]; then
+		mkdir /stage2/storage/run
+		mount --bind /stage2/storage/run /stage2/run
+	fi
+	# Point /var to ephemeral storage if it exists.
+	if [ -d /stage2/var ]; then
+		mkdir /stage2/storage/var
+		mkdir -p /stage2/storage/var/{lib,cache}
+		mount --bind /stage2/storage/var /stage2/var
+	fi
+fi
+
+# Switch into the new root.
 exec switch_root /stage2 /init

meta-oasis-vm/recipes-core/stage2-base/files/00-network

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+# Abort on failure.
+set -e
+
+# Mount tmpfs so we will be able to update resolv.conf.
+mount none -t tmpfs /tmp
+
+# Start DHCP client to bring up the interfaces.
+udhcpc -i eth0 -q -n

meta-oasis-vm/recipes-core/stage2-base/files/init.post-registration

@@ -1,10 +1,9 @@
 #!/bin/sh
 
-# Abort on failure.
-set -e
+# Execute all registered handlers.
+for file in /etc/oasis/post-registration.d/*; do
+  if [ -f "$file" ]; then
+    $file
+  fi
+done
 
-# Mount tmpfs so we will be able to update resolv.conf.
-mount none -t tmpfs /tmp
-
-# Start DHCP client to bring up the interfaces.
-udhcpc -i eth0 -q -n

meta-oasis-vm/recipes-core/stage2-base/stage2-base.bb

@@ -3,6 +3,7 @@ LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
 SRC_URI = "file://init.post-registration \
+           file://00-network \
           "
 
 RDEPENDS:${PN} = "busybox busybox-udhcpc"
@@ -23,10 +24,25 @@ do_install() {
         install -d ${D}/sys
         install -d ${D}/dev
         install -d ${D}/tmp
-        install -d ${D}/etc/oasis
-        install -m 0755 ${WORKDIR}/init.post-registration ${D}/etc/oasis/init.post-registration
+        install -d ${D}/run
+        install -d ${D}/storage
+
+        install -d ${D}${sysconfdir}/oasis
+        install -d ${D}${sysconfdir}/oasis/post-registration.d
+        install -m 0755 ${WORKDIR}/init.post-registration ${D}${sysconfdir}/oasis/init.post-registration
+        install -m 0755 ${WORKDIR}/00-network ${D}${sysconfdir}/oasis/post-registration.d/00-network
+
         # Create a symlink to tmpfs as root is read-only.
         ln -s /tmp/resolv.conf ${D}${sysconfdir}/resolv.conf
 }
 
-FILES:${PN} = "/proc /sys /dev /lib64 /tmp /etc/oasis/init.post-registration ${sysconfdir}/resolv.conf"
+FILES:${PN} = "/proc \
+               /sys \
+               /dev \
+               /lib64 \
+               /tmp \
+               /run \
+               /storage \
+               ${sysconfdir}/oasis/post-registration.d/00-network \
+               ${sysconfdir}/oasis/init.post-registration \
+               ${sysconfdir}/resolv.conf"

meta-oasis-vm/recipes-core/stage2-podman/files/80-podman

@@ -0,0 +1,25 @@
+#!/bin/sh
+
+# Abort on failure.
+set -e
+
+# Mount cgroups.
+mount -t cgroup2 none /sys/fs/cgroup
+# Create /dev/shm for podman locks.
+mkdir -p /dev/shm
+mount -t tmpfs none /dev/shm
+
+# Create the necessary directories on ephemeral storage.
+mkdir -p /storage/containers/run
+mkdir -p /storage/containers/graph
+mkdir -p /storage/containers/graph/tmp
+mkdir -p /storage/containers/net
+
+# Update TUN device permissions.
+chmod 0666 /dev/net/tun
+
+# Use podman-compose to start up containers when defined.
+if [ -d "/etc/oasis/containers" ]; then
+	cd /etc/oasis/containers
+	podman-compose up --detach
+fi