containers
/
qm
mirror of https://github.com/containers/qm.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: containers:main
Branches Tags
containers:main
containers:libkrun
containers:specipc
containers:allowqmtoqm
containers:ipc-mounton
containers:bump_release_0_7_6
containers:doc-ipc
containers:v0.7.4
containers:selinux-ipc-macro
containers:selinux-ipc
containers:run-ipc
containers:issue-806
containers:cpuweight-idle
containers:qm-cpuweight
containers:fix-network-subnet
containers:fix-qm-selinux-mmap-dev-zero
containers:fix-selinux-packaging
containers:v0.7.6
containers:v0.7.5
containers:tags/v0.7.4
containers:v0.7.3
containers:v0.7.2
containers:v0.7.1
containers:v0.7.0
containers:v0.6.9
containers:v0.6.8
containers:v0.6.7
containers:v0.6.6-1
containers:v0.6.6
containers:v0.6.5
containers:v0.6.4
containers:v0.6.3
containers:v0.6.2
containers:v0.6.1
containers:v0.6.0
containers:v0.5.9
containers:v0.5.8
containers:v0.5.7
containers:v0.5.6
containers:v0.5.5
containers:v0.5.4
containers:v0.5.3
containers:v0.5.2
containers:v0.5.1
containers:v0.5.0
containers:v0.4.1
containers:v0.4.0
containers:v0.2.0
containers:v0.1.0
..
compare: containers:v0.7.5
Branches Tags
containers:libkrun
containers:main
containers:specipc
containers:allowqmtoqm
containers:ipc-mounton
containers:bump_release_0_7_6
containers:doc-ipc
containers:v0.7.4
containers:selinux-ipc-macro
containers:selinux-ipc
containers:run-ipc
containers:issue-806
containers:cpuweight-idle
containers:qm-cpuweight
containers:fix-network-subnet
containers:fix-qm-selinux-mmap-dev-zero
containers:fix-selinux-packaging
containers:v0.7.6
containers:v0.7.5
containers:tags/v0.7.4
containers:v0.7.3
containers:v0.7.2
containers:v0.7.1
containers:v0.7.0
containers:v0.6.9
containers:v0.6.8
containers:v0.6.7
containers:v0.6.6-1
containers:v0.6.6
containers:v0.6.5
containers:v0.6.4
containers:v0.6.3
containers:v0.6.2
containers:v0.6.1
containers:v0.6.0
containers:v0.5.9
containers:v0.5.8
containers:v0.5.7
containers:v0.5.6
containers:v0.5.5
containers:v0.5.4
containers:v0.5.3
containers:v0.5.2
containers:v0.5.1
containers:v0.5.0
containers:v0.4.1
containers:v0.4.0
containers:v0.2.0
containers:v0.1.0

No commits in common. "main" and "v0.7.5" have entirely different histories.
main ... v0.7.5

21 changed files with 602 additions and 1336 deletions
Show Stats Expand all files Collapse all files

1
.gitignore vendored
View File

@ -6,4 +6,3 @@ qm.pp.bz2
qm_file_contexts
*.8
tests/e2e/ContainerFile.template
__pycache__/

2
VERSION
View File

@ -1 +1 @@
0.7.6
0.7.5

109
docs/devel/README.developer.md
View File

@ -1,109 +0,0 @@
# Developers documentation
## Building QM rpm manually with changes
Building QM locally with changes for tests is a recommended practice,
especially for testing new features before submitting a pull request.
**1.** Prerequisite
```bash
dnf install -y rpm-build golang-github-cpuguy83-md2man selinux-policy-devel
```
**2.** Clone the repo
```bash
git clone https://github.com/containers/qm.git && cd qm
```
**3.** Build the RPM
Select a QM version that is a higher number from the current one.
For example, if today's QM version is 0.6.2, set it to 1.0 so that
the RPM created is identifiable as yours.
```bash
make clean && VERSION=1.0 make rpm
```
The rpm is created at the `${RPM_TOPDIR}/RPMS` folder, by default
`${PWD}/rpmbuild/RPMS`.
You can export **RPM_TOPDIR** to change the path where the rpm will be placed.
For example:
```bash
VERSION=1.0 RPM_TOPDIR=/USER/rpmbuild make rpm
```
## Building CentOS AutoSD and QM manually
During development, it is common to conduct integration tests to ensure your
changes work well with other components within the overall solution.
In our case, it's best to test against the CentOS Automotive Stream
Distribution (AutoSD) image.
Once you have the new [RPM](#building-qm-rpm-manually-with-changes), follow these steps:
**1.** Make sure the new rpm is located in **/USER/rpmbuild/RPMS/**
Example
```bash
ls /root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
/root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
```
**2.** Download additional packages required by the image
```bash
sudo dnf download --destdir /root/rpmbuild/RPMS/noarch/ selinux-policy selinux-policy-any
```
**3.** Create a local repository with the new package
```bash
dnf install createrepo_c -y
cd /root/rpmbuild/RPMS/noarch/
createrepo .
```
**4.** Clone the CentOS Automotive distro for the build
Ensure you meet the requirements for the CentOS Automotive Stream by
referring to [this link](https://sigs.centos.org/automotive/building/).
The following commands will execute:
- Install the podman package
- Clone the sample-images repository and required submodules (automotive-image-builder)
- Cleanups before a fresh build
- Finally creates a new qcow2 image (BASED ON distro name, mode (ostree or regular) and uses the qemu-qm-container sample image)
NOTE:
- The path for the new QM rpm file (/root/rpmbuild/RPMS/noarch)
- extra_rpms - useful for debug.
- ssh enabled
The command below utilises automotive-image-builder to produce a `qm-minimal` qcow2 image for cs9,
other example images such as `simple-qm-container` and the `simple-qm`
image can be found in the images directory of the sample-images repository.
```bash
dnf install podman -y && dnf clean all
git clone https://gitlab.com/CentOS/automotive/sample-images.git
git submodule update --init
cd sample-images/
rm -rf _build #Optional, only relevant after initial build
rm -rf *.qcow2 #Optional, only relevant after initial build
./automotive-image-builder/automotive-image-builder build --distro cs9 --mode package --define 'ssh_permit_root_login=true' --define 'ssh_permit_password_auth=true' --define 'extra_repos=[{"id":"local","baseurl":"file:///root/rpmbuild/RPMS/noarch"}]' --define 'extra_rpms=["qm-1.0", "vim-enhanced", "openssh-server", "openssh-clients", "python3", "polkit", "rsync", "strace", "dnf", "gdb"]' --target qemu --export qcow2 images/qm-minimal.mpp.yml cs9-qemu-qm-container.x86_64.qcow2
```
If you would like more information on building automotive images with automotive-image-builder, please see the
[Automotive SIG pages for AutoSD](https://sigs.centos.org/automotive/getting-started/about-automotive-image-builder/)
Run the virtual machine, default user: root, pass: password.
To change default values, use the [defaults.ipp.yml](https://gitlab.com/CentOS/automotive/src/automotive-image-builder/-/blob/main/include/defaults.ipp.yml) file.
```bash
./automotive-image-builder/automotive-image-runner --nographics ./cs9-qemu-qm-container.x86_64.qcow2
```

21
docs/devel/README.maintainer.md
View File

@ -1,21 +0,0 @@
# Maintainer documentation
## Creating a new release
Initially, make sure to [bump **qm.te** and **VERSION** files in the git repo](https://github.com/containers/qm/pull/760) to the next release, i.e: *v0.7.5*.
After that, follow the steps below using GitHub UI.
**Create a new Release**
![Click on Releases](./pics/creatingreleases/00-Click-on-Releases.jpeg)
**Draft a new release**
![Draft a new release](./pics/creatingreleases/01-Draft-a-new-release.png)
**Create a new tag**
![Create a tag](./pics/creatingreleases/02-Create-a-tag.jpeg)
**Generate release notes**
![Generate release notes](./pics/creatingreleases/03-Generate-release-notes.jpeg)
**Publish Release**
![Click on publish release](./pics/creatingreleases/04-click-on-publish-release.jpeg)

190
docs/docs/usage.md → docs/devel/README.md
View File

@ -1,20 +1,172 @@
# Using QM
# Developers documentation
This section describes how to interact with QM.
## Table of contents
## Installing software inside QM partition
- [Building QM rpm manually with changes](#building-qm-rpm-manually-with-changes)
- [Building CentOS AutoSD and QM manually](#building-centos-autosd-and-qm-manually)
- [Creating Releases](#creating-releases)
- [Subpackages](#subpackages)
- [Useful Commands](#useful-commands)
- [Installing software inside QM partition](#installing-software-inside-qm-partition)
- [Removing software inside QM partition](#removing-software-inside-qm-partition)
- [Copying files to QM partition](#copying-files-to-qm-partition)
- [Listing QM service](#listing-qm-service)
- [List QM container via podman](#list-qm-container-via-podman)
- [Extend QM quadlet managed by podman](#extend-qm-quadlet-managed-by-podman)
- [Managing CPU usage](#managing-cpu-usage)
- [Connecting to QM container via podman](#connecting-to-qm-container-via-podman)
- [SSH guest CentOS Automotive Stream Distro](#ssh-guest-centos-automotive-stream-distro)
- [Check if HOST and Container are using different network namespace](#check-if-host-and-container-are-using-different-network-namespace)
- [Debugging with podman in QM using --root](#debugging-with-podman-in-qm)
- [Debugging with quadlet](#debugging-with-quadlet)
## Building QM rpm manually with changes
Building QM locally with changes for tests is a recommended practice,
especially for testing new features before submitting a pull request.
**1.** Prerequisite
```bash
dnf install -y rpm-build golang-github-cpuguy83-md2man selinux-policy-devel
```
**2.** Clone the repo
```bash
git clone https://github.com/containers/qm.git && cd qm
```
**3.** Build the RPM
Select a QM version that is a higher number from the current one.
For example, if today's QM version is 0.6.2, set it to 1.0 so that
the RPM created is identifiable as yours.
```bash
make clean && VERSION=1.0 make rpm
```
The rpm is created at the `${RPM_TOPDIR}/RPMS` folder, by default
`${PWD}/rpmbuild/RPMS`.
You can export **RPM_TOPDIR** to change the path where the rpm will be placed.
For example:
```bash
VERSION=1.0 RPM_TOPDIR=/USER/rpmbuild make rpm
```
## Building CentOS AutoSD and QM manually
During development, it is common to conduct integration tests to ensure your
changes work well with other components within the overall solution.
In our case, it's best to test against the CentOS Automotive Stream
Distribution (AutoSD) image.
Once you have the new [RPM](#building-qm-rpm-manually-with-changes), follow these steps:
**1.** Make sure the new rpm is located in **/USER/rpmbuild/RPMS/**
Example
```bash
ls /root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
/root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
```
**2.** Download additional packages required by the image
```bash
sudo dnf download --destdir /root/rpmbuild/RPMS/noarch/ selinux-policy selinux-policy-any
```
**3.** Create a local repository with the new package
```bash
dnf install createrepo_c -y
cd /root/rpmbuild/RPMS/noarch/
createrepo .
```
**4.** Clone the CentOS Automotive distro for the build
Ensure you meet the requirements for the CentOS Automotive Stream by
referring to [this link](https://sigs.centos.org/automotive/building/).
The following commands will execute:
- Install the podman package
- Clone the sample-images repository and required submodules (automotive-image-builder)
- Cleanups before a fresh build
- Finally creates a new qcow2 image (BASED ON distro name, mode (ostree or regular) and uses the qemu-qm-container sample image)
NOTE:
- The path for the new QM rpm file (/root/rpmbuild/RPMS/noarch)
- extra_rpms - useful for debug.
- ssh enabled
The command below utilises automotive-image-builder to produce a `qm-minimal` qcow2 image for cs9,
other example images such as `simple-qm-container` and the `simple-qm`
image can be found in the images directory of the sample-images repository.
```bash
dnf install podman -y && dnf clean all
git clone https://gitlab.com/CentOS/automotive/sample-images.git
git submodule update --init
cd sample-images/
rm -rf _build #Optional, only relevant after initial build
rm -rf *.qcow2 #Optional, only relevant after initial build
./automotive-image-builder/automotive-image-builder build --distro cs9 --mode package --define 'ssh_permit_root_login=true' --define 'ssh_permit_password_auth=true' --define 'extra_repos=[{"id":"local","baseurl":"file:///root/rpmbuild/RPMS/noarch"}]' --define 'extra_rpms=["qm-1.0", "vim-enhanced", "openssh-server", "openssh-clients", "python3", "polkit", "rsync", "strace", "dnf", "gdb"]' --target qemu --export qcow2 images/qm-minimal.mpp.yml cs9-qemu-qm-container.x86_64.qcow2
```
If you would like more information on building automotive images with automotive-image-builder, please see the
[Automotive SIG pages for AutoSD](https://sigs.centos.org/automotive/getting-started/about-automotive-image-builder/)
Run the virtual machine, default user: root, pass: password.
To change default values, use the [defaults.ipp.yml](https://gitlab.com/CentOS/automotive/src/automotive-image-builder/-/blob/main/include/defaults.ipp.yml) file.
```bash
./automotive-image-builder/automotive-image-runner --nographics ./cs9-qemu-qm-container.x86_64.qcow2
```
## Creating Releases
Initially make sure to [bump **qm.te** and **VERSION** files in the git repo](https://github.com/containers/qm/pull/760) to the next release, i.e: *v0.7.5*.
After that, follow the steps below using GitHub UI.
**Create a new Release**
![Click on Releases](./pics/creatingreleases/00-Click-on-Releases.jpeg)
**Draft a new release**
![Draft a new release](./pics/creatingreleases/01-Draft-a-new-release.png)
**Create a new tag**
![Create a tag](./pics/creatingreleases/02-Create-a-tag.jpeg)
**Generate release notes**
![Generate release notes](./pics/creatingreleases/03-Generate-release-notes.jpeg)
**Publish Release**
![Click on publish release](./pics/creatingreleases/04-click-on-publish-release.jpeg)
## Subpackages
Subpackages are **experimental approach** to deliver in a single point (RPM) dropin files and additional requirements. [Click here for more information](experimental/SUBPACKAGES.md)
## Useful Commands
### Installing software inside QM partition
```bash
dnf --installroot /usr/lib/qm/rootfs/ install vim -y
```
## Removing software inside QM partition
### Removing software inside QM partition
```bash
dnf --installroot /usr/lib/qm/rootfs/ remove vim -y
```
## Copying files to QM partition
### Copying files to QM partition
Please note: This process is only applicable for regular images.
OSTree images are read-only, and any files must be included during the build process.
@ -29,7 +181,7 @@ bash-5.1> ls /root
file_to_be_copied
```
## Listing QM service
### Listing QM service
```bash
[root@localhost ~]# systemctl status qm -l
@ -57,7 +209,7 @@ e-id a83253ae278d7394cb38e975535590d7 --max-bytes 536870912 --max-fds 4096 --max
-matches 16384 --audit
```
## List QM container via podman
### List QM container via podman
```console
# podman ps
@ -65,7 +217,7 @@ CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS
a83253ae278d /sbin/init 38 seconds ago Up 38 seconds qm
```
## Extend QM quadlet managed by podman
### Extend QM quadlet managed by podman
QM quadlet file is shipped through rpm, refer the following file.
qm.container which is installed to /usr/share/containers/systemd/qm.container
@ -103,13 +255,13 @@ systemctl is-active qm
active
```
## Managing CPU usage
### Managing CPU usage
Using the steps below, it's possible to manage CPU usage of the `qm.service` by modifying service attributes and utilizing drop-in files.
### Setting the CPUWeight attribute
#### Setting the CPUWeight attribute
Modifying the `CPUWeight` attribute affects the priority of the `qm.service`. A higher value prioritizes the service, while a lower value deprioritizes it.
Modifying the `CPUWeight` attribute affects the priority the of `qm.service`. A higher value prioritizes the service, while a lower value deprioritizes it.
Inspect the current CPUWeight value:
@ -123,7 +275,7 @@ Set the CPUWeight value:
systemctl set-property qm.service CPUWeight=500
```
### Limiting CPUQuota
#### Limiting CPUQuota
It's also possible to limit the percentage of the CPU allocated to the `qm.service` by defining `CPUQuota`. The percentage specifies how much CPU time the unit shall get at maximum, relative to the total CPU time available on one CPU.
@ -180,14 +332,14 @@ Expected output:
1 root 20 0 65576 37904 11116 S 0.0 0.1 0:40.00 systemd
```
## Connecting to QM container via podman
### Connecting to QM container via podman
```console
# podman exec -it qm bash
bash-5.1#
```
## SSH guest CentOS Automotive Stream Distro
### SSH guest CentOS Automotive Stream Distro
Make sure the CentOS Automotive Stream Distro Virtual Machine/Container is running with SSHD enabled
and permits ssh connection from root user.
@ -219,23 +371,23 @@ connect-to-VM-via-SSH> ssh root@127.0.0.1 \
-oUserKnownHostsFile=/dev/null
```
## Check if HOST and Container are using different network namespace
### Check if HOST and Container are using different network namespace
### HOST
#### HOST
```console
[root@localhost ~]# ls -l /proc/self/ns/net
lrwxrwxrwx. 1 root root 0 May 1 04:33 /proc/self/ns/net -> 'net:[4026531840]'
```
### QM
#### QM
```console
bash-5.1# ls -l /proc/self/ns/net
lrwxrwxrwx. 1 root root 0 May 1 04:33 /proc/self/ns/net -> 'net:[4026532287]'
```
## Debugging with podman in QM
### Debugging with podman in QM
```console
bash-5.1# podman --root /usr/share/containers/storage pull alpine
@ -243,7 +395,7 @@ Error: creating runtime static files directory "/usr/share/containers/storage/li
mkdir /usr/share/containers/storage: read-only file system
```
## Debugging with quadlet
### Debugging with quadlet
Imagine a situation where you have a Quadlet container inside QM that isn't starting, and you're unsure why. The best approach is to log into the QM, run the ```quadlet --dryrun``` command, and analyze what's happening. Here's how you can troubleshoot the issue step by step.

47
docs/docs/experimental/subpackages.md → docs/devel/experimental/SUBPACKAGES.md
View File

@ -1,7 +1,20 @@
# Subpackages
# Topics
Subpackages are **experimental approach** to deliver in a single point (RPM) dropin files
and additional requirements.
1. [QM Sub-Packages](#qm-sub-packages)
- [Key Features of QM Sub-Packages](#key-features-of-qm-sub-packages)
- [Building QM Sub-Packages](#building-qm-sub-packages)
- [Installing QM Sub-Packages](#installing-qm-sub-packages)
- [Removing QM Sub-Packages](#removing-qm-sub-packages)
- [Creating Your Own Drop-In QM Sub-Package](#creating-your-own-drop-in-qm-sub-package)
- [QM Sub-Package Input](#qm-sub-package-input)
- [QM Sub-Package tty7](#qm-sub-package-tty7)
- [QM Sub-Package ttyUSB0](#qm-sub-package-ttyusb0)
- [QM Sub-Package Video](#qm-sub-package-video)
- [QM Sub-Package Sound](#qm-sub-package-sound)
- [QM Sub-Package ROS2](#qm-sub-package-ros2)
- [QM Sub-Package KVM](#qm-sub-package-kvm)
## QM Sub-packages
The qm project is designed to provide a flexible and modular environment for managing
Quality Management (QM) software in containerized environments. One of the key features
@ -11,20 +24,24 @@ to easily extend or customize their QM environment by adding specific configurat
tools, or scripts to the containerized QM ecosystem by simple installing or uninstalling
a RPM package into the system.
The key features of QM Sub-Packages are
## Key Features of QM Sub-Packages
- **Modularity**
- No configuration change, no typo or distribution rebuild/update.
- Just dnf install/remove from the traditional rpm schema.
- **Customizability**
- Users can easily add specific configurations to enhance or modify the behavior of their QM containers.
- **Maintainability**
- Sub-packages ensure that the base qm package remains untouched, allowing easy updates without breaking custom configurations.
- **Simplicity**
- Like qm-dropin provide a clear directory structure and templates to guide users in customizing their QM environment.
### Modularity
!!! note
The following sections describe the currently available QM subpackages.
- No configuration change, no typo or distribution rebuild/update.
- Just dnf install/remove from the traditional rpm schema.
### Customizability
- Users can easily add specific configurations to enhance or modify the behavior of their QM containers.
### Maintainability
- Sub-packages ensure that the base qm package remains untouched, allowing easy updates without breaking custom configurations.
### Simplicity
- Like qm-dropin provide a clear directory structure and templates to guide users in customizing their QM environment.
## Building QM sub-packages

0
docs/docs/getting_started.md → docs/docs/getting_started/installation.md
View File

72
docs/docs/ipc.md
View File

@ -1,72 +0,0 @@
# Setting up IPC
In systems where **Automotive Safety Integrity Level (ASIL)** and **Quality Management (QM)**
components coexist, strict separation is enforced to maintain safety and security boundaries via
**SELinux (Security-Enhanced Linux)**, which labels processes and files with security contexts
to control their interactions.
**IPC (Inter-Process Communication)** between ASIL and QM components must be tightly controlled.
To comply with SELinux policies and avoid permission denials, any socket-based communication
between ASIL and QM domains should be established in the dedicated directory such as /run/ipc
with ipc_var_run_t file context. It serves as a secure bridge for cross-domain communication
while maintaining SELinux isolation.
On the other hand, **IPC between QM services** (e.g., two services or containers within the same QM domain)
can occur as well. Since these components share the same SELinux type and context, they are allowed to
communicate using standard Unix domain sockets located in /run. This approach simplifies internal QM
communication without compromising the system's overall security posture. Such communication can be
orchestrated also using container orchestration patterns like **.pod (Podman pod definitions)** or
**.kube (Kubernetes pod manifests)**, which group related services in shared namespaces to support efficient
IPC within the same trust boundary.
## Example QM to QM app
## /etc/qm/containers/systemd/ipc_client.container
```console
[Unit]
Description=Demo client service container
Requires=ipc_server.socket
After=ipc_server.socket
[Container]
Image=quay.io/username/ipc-demo/ipc_client:latest
Network=none
Volume=/run/:/run/
SecurityLabelLevel=s0:c1,c2
[Service]
Restart=always
[Install]
WantedBy=multi-user.target
```
## /etc/qm/containers/systemd/ipc_server.container
```console
[Unit]
Description=Demo server service container
Requires=ipc_server.socket
After=ipc_server.socket
[Container]
Image=quay.io/username/ipc-demo/ipc_server:latest
Network=none
Volume=/run/:/run/
SecurityLabelLevel=s0:c1,c2
[Service]
Restart=always
Type=notify
[Install]
WantedBy=multi-user.target
```
## /etc/qm/systemd/system/ipc_server.socket
```console
[Unit]
Description=IPC Server Socket
[Socket]
ListenStream=%t/ipc_server.socket
SELinuxContextFromNet=yes
[Install]
WantedBy=sockets.target
```

14
docs/mkdocs.yml
View File

@ -7,15 +7,8 @@ edit_uri: blob/main/docs/docs/
copyright: Copyright Contributors to the QM project
nav:
- Home: index.md
- Getting Started: getting_started.md
- Using QM: usage.md
- Setting up IPC: ipc.md
- How To:
- Android container: how_tos/android.md
- Using network modes with QM: how_tos/network.md
- Changing variables in QM: how_tos/qm_variables.md
- Experimental:
- QM Subpackages: experimental/subpackages.md
- Getting Started:
- Installation: getting_started/installation.md
- Additional resources: resources.md
theme:
@ -24,6 +17,9 @@ theme:
- content.code.copy
- navigation.indexes
extra_javascript:
- assets/js/tab-sync.js
markdown_extensions:
- toc:
permalink: True

6
docs/docs/how_tos/qm_variables.md → docs/qm containers.conf/README.md
View File

@ -1,7 +1,11 @@
# Changing variables in qm containers.conf
# Title: How to change the variables in qm containers.conf
## Description
The `container.conf` file needs to be modified to allow pulling images larger than 1G from the repository on OStree images.
Input:
## Update container image_copy_tmp_dir if the image is an OStree
1. Create /var/qm/tmp.dir or differently named directory on host.

35
docs/quadlet-examples/network/README.md Normal file
View File

@ -0,0 +1,35 @@
# Here is an example of running a network-test container using quadlets for both --network=host and --network=private
You should place this file either in /usr/share/containers/systemd/ or /etc/containers/systemd/
```console
/usr/share/containers/systemd/
/etc/containers/systemd/
```
For rootless users:
```console
$HOME/.config/containers/systemd/
```
Host Network
```console
# network-test.container
[Container]
ContainerName=network-test
Image=localhost/local-audio-image
Network=host
```
Private Network
```console
# network-test.container
[Container]
ContainerName=network-test
Image=localhost/local-audio-image
Network=private
```

4
docs/docs/how_tos/android.md → docs/quadlet-examples/virtualization/android/README.md
View File

@ -1,6 +1,4 @@
# Virtualization: Android container with Quadlet
This is an example of an Android container running on top of kvm using quadlet and Wayland:
# An example of Android container running on top of kvm using quadlet and Wayland
```console
$ cat ~/.config/containers/systemd/android.container

50
docs/docs/how_tos/network.md → docs/tutorials/NETWORK.md
View File

@ -1,22 +1,20 @@
# Using network modes with QM
## Basics: Network Modes in Podman
# Network Modes in Podman
When running a container with Podman, you can specify the network mode using the `--network` flag. Two common options are `host` and `private`.
### Network=host
## Network=host
If you set `--network=host`, the container will use the host's network stack. This means the container will share the same network namespace as the host, and will be able to access the host's network interfaces, IP addresses, and ports.
In this mode, the container is not isolated from the host's network, and can potentially access sensitive network resources. This can be useful for certain use cases, such as running a container that needs to access a specific network interface or port on the host.
### Network=private (default)
## Network=private (default)
By default, Podman uses the `private` network mode. This means that the container will have its own isolated network namespace, and will not be able to access the host's network interfaces, IP addresses, or ports.
In this mode, the container is isolated from the host's network, and can only communicate with other containers on the same network. This provides a higher level of security, as the container is not able to access sensitive network resources on the host.
### Security Implications
## Security Implications
The reason `private` is the default network mode is due to security concerns. By isolating the container's network namespace, Podman prevents the container from accessing sensitive network resources on the host, such as:
@ -29,7 +27,7 @@ This helps to prevent potential security vulnerabilities, such as:
* Container escape: a container accessing sensitive resources on the host
* Lateral movement: a container accessing other containers on the host
### Example
## Example
To illustrate the difference, consider the following example:
@ -45,40 +43,4 @@ In the first example, the container will share the host's network namespace, whi
For more information, see the [Podman Networking Tutorial](https://github.com/containers/podman/blob/main/docs/tutorials/basic_networking.md).
For network modes configuration example using quadlets, see [Quadlet Network Example](https://github.com/containers/qm/blob/main/docs/quadlet-examples/network/README.md).
## Quadlet example running host and private networks
Here is an example of running a network-test container using quadlets for both --network=host and --network=private. You should place this file either in /usr/share/containers/systemd/ or /etc/containers/systemd/
```console
/usr/share/containers/systemd/
/etc/containers/systemd/
```
For rootless users:
```console
$HOME/.config/containers/systemd/
```
Host Network
```console
# network-test.container
[Container]
ContainerName=network-test
Image=localhost/local-audio-image
Network=host
```
Private Network
```console
# network-test.container
[Container]
ContainerName=network-test
Image=localhost/local-audio-image
Network=private
```
For network modes configuration example using quadlets, see [Qaudlet Network Example](https://github.com/containers/qm/blob/main/docs/quadlet-examples/network/README.md).

1
qm.fc
View File

@ -10,7 +10,6 @@
/etc/qm(/.*)? gen_context(system_u:object_r:qm_file_t,s0)
# File context for ipc programs
/usr/lib/qm/rootfs/run/ipc(/.*)? gen_context(system_u:object_r:ipc_var_run_t,s0)
/run/ipc(/.*)? gen_context(system_u:object_r:ipc_var_run_t,s0)
# File context for bluechi-agent inside QM

3
qm.if
View File

@ -15,7 +15,6 @@ template(`qm_domain_template',`
gen_require(`
class dbus { send_msg acquire_svc };
class passwd rootok;
class process setcurrent;
attribute container_domain;
attribute filesystem_type;
@ -61,7 +60,6 @@ template(`qm_domain_template',`
container_exec_share_files($1_t)
allow $1_t container_ro_file_t:file execmod;
allow $1_container_domain $1_file_type:chr_file { rw_inherited_file_perms };
allow $1_t self:process setcurrent;
attribute $1_file_type;
allow $1_file_type self:filesystem associate;
@ -85,7 +83,6 @@ template(`qm_domain_template',`
allow $1_t $1_file_type:chr_file mounton;
allow $1_t $1_file_type:sock_file mounton;
filetrans_pattern(ipc_t, $1_file_t, ipc_var_run_t, dir, "ipc")
list_dirs_pattern($1_t, ipc_var_run_t, ipc_var_run_t)
allow $1_t ipc_var_run_t:dir mounton;

2
qm.te
View File

@ -1,4 +1,4 @@
policy_module(qm, 0.7.6)
policy_module(qm, 0.7.5)
gen_require(`
attribute container_file_type;

9
rpm/qm.spec
View File

@ -16,11 +16,6 @@
# Format must contain '$x' somewhere to do anything useful
%global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %%1+=" "; done;
# RHEL < 10 and Fedora < 40 use file context entries in /var/run
%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
%define legacy_var_run 1
%endif
# copr_username is only set on copr environments, not on others like koji
# Check if copr is owned by rhcontainerbot
%if "%{?copr_username}" != "rhcontainerbot"
@ -95,10 +90,6 @@ use container tools like Podman.
sed -i 's/^install: man all/install:/' Makefile
%build
%if %{defined legacy_var_run}
sed -i 's|^/run/|/var/run/|' qm.fc
%endif
%{__make} all
%install

59
setup
View File

@ -35,41 +35,10 @@ CMDLINE_ARGUMENT_LIST=(
"skip-systemctl"
)
logger() {
{
local log_level="$1"
local message="$2"
local NC='\033[0m' # No Color
local log_col=$NC
} > /dev/null 2>&1
case "$log_level" in
INFO)
log_col='\033[0;36m' #BLUE
;;
WARNING)
log_col='\033[1;33m' #YELLOW
;;
ERROR)
log_col='\033[0;31m' #RED
;;
DEBUG)
log_col='\033[0;90m' #GREY
;;
SUCCESS)
log_col='\033[0;32m' #GREEN
;;
*)
echo -e "[\033[1;31mERROR\033[0m] Invalid log level: $log_level" >&2
return 1
;;
esac
echo -e "[$log_col${log_level}${NC}] $message"
}
root_check() {
if [ "$(id -u)" -ne 0 ];then
logger "WARNING" "Please run this script as root"
exit 1
echo "Please run this script as root"
exit 1
fi
}
@ -163,7 +132,7 @@ validate_qm_installation() {
for file in "${files[@]}"; do
if [[ ! -f "$file" ]]; then
logger "ERROR" "Exiting... '$file' not found. Try reinstall the QM package before continuing."
echo "Exiting... '$file' not found. Try reinstall the QM package before continue." >&2
exit 1
fi
done
@ -334,23 +303,15 @@ case "$1" in
if [ "$SYSTEMCTL_SKIP" == "N" ]; then
systemctl daemon-reload
systemctl start qm.service || {
logger "ERROR" "'systemctl start qm.service' has failed, see details below";
set +x
logger "DEBUG" "$(journalctl --no-pager -xu qm.service)"
set -x
exit 1;
}
if [ "$(systemctl is-active qm.service)" != "active" ]; then
logger "WARNING" "QM service is inactive, see details below:";
set +x
logger "DEBUG" "$(journalctl --no-pager -xu qm.service)"
set -x
exit 1
fi
systemctl start qm.service
if [ "$(systemctl is-active qm.service)" != "active" ]; then
journal=$(journalctl --no-pager -xu qm.service)
echo QM service is not up details:
echo "$journal"
exit 1
fi
else
/usr/libexec/podman/quadlet /run/systemd/generator/
fi
logger "SUCCESS" "Setup complete";
;;
esac

7
tests/qm-kvm-test/libkrun/check_libkrun.fmf
View File

@ -1,7 +0,0 @@
summary: Test libkrun in qm
test: /bin/bash ./check_libkrun.sh
duration: 10m
tier: 0
tag: [kvm,setup]
framework: shell

26
tests/qm-kvm-test/libkrun/check_libkrun.sh
View File

@ -1,26 +0,0 @@
#!/bin/bash -x
# shellcheck disable=SC1091
source ../../e2e/lib/utils
enable_repo() {
info_message "enable_repo(): enable repo"
exec_cmd "cd /etc/yum.repos.d/"
exec_cmd "dnf copr enable -y copr.fedorainfracloud.org/@centos-automotive-sig/libkrun centos-stream-9-$(arch)"
}
install_libkrun() {
info_message "install_libkrun(): install libkrun and crun-krun"
exec_cmd "dnf install --setopt=reposdir=/etc/yum.repos.d --installroot=/usr/lib/qm/rootfs -y libkrun crun-krun"
}
check_libkrun() {
info_message "check_libkrun(): run virtualization-isolated containers."
exec_cmd "podman exec -it qm podman run --runtime=krun --rm -it alpine echo 'Hello libkrun.'"
info_message "PASS: libkrun runs successfully."
}
enable_repo
install_libkrun
check_libkrun

1280
tools/qmctl/qmctl
View File

File diff suppressed because it is too large Load Diff