Restructure qmctl (#839)

* Added QMCTL class

This MR I added QMCTL class wich will be responsiable to run all the
command function and return the result. Also added all the imports
needed to all the file

Signed-off-by: Artiom Divak <adivak@redhat.com>

* Adding ArgumentParserWithDefaults and SubcommandInitializer

ArgumentParserWithDefaults class automatically adds default values to the help text of arguments
SubcommandInitializer is a generic class to initialize subparsers for command-line applications

Signed-off-by: Artiom Divak <adivak@redhat.com>

* Added the core of QMCTL

This commits adds the main function the init of the subcommand and the
handle function for the subcommand with other vital function.

Signed-off-by: Artiom Divak <adivak@redhat.com>

---------

Signed-off-by: Artiom Divak <adivak@redhat.com>
Co-authored-by: Douglas Landgraf <dougsland@redhat.com>

.github/CODEOWNERS

@@ -2,4 +2,4 @@
 # https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners
 
 # Default to all maintainers if nothing more specific matches
-* @rhatdan @lsm5 @dougsland @yarboa @sandrobonazzola @nsednev @aesteve-rh @pengshanyu @kleinffm
+* @rhatdan @dougsland @yarboa @nsednev @aesteve-rh @pengshanyu @kleinffm

.github/workflows/check-subpackages.yml

@@ -0,0 +1,42 @@
+name: Build Subpackages
+
+on:
+  pull_request
+
+jobs:
+  build-subpackages:
+    runs-on: ubuntu-latest
+    container:
+      image: fedora:latest  # Use Fedora as the container image
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install dependencies
+        run: sudo dnf install -y git make rpmdevtools rpmbuild
+
+
+      - name: Run make for each subsystem
+        run: |
+          subsystem_build_failures=()
+          for dir in subsystems/*; do
+              if [ -d "$dir" ]; then
+                  subsystem=$(basename "$dir")
+                  echo "Running make for $subsystem..."
+                  make TARGETS=$subsystem subpackages
+                  if [ $? -ne 0 ]; then
+                      subsystem_build_failures+=("$subsystem")
+                      echo "❌ Make failed for $subsystem" >&2
+                  fi
+              fi
+          done
+          if (( ${#subsystem_build_failures[@]} == 0 )); then
+              echo "✅ All subsystems built successfully"; \
+              exit 0;
+          else
+              echo "❌ The following subsystems failed to build: ";
+              echo -e "\t${subsystem_build_failures[@]}" | tr ' ' ', ';
+              exit 1;
+          fi
+

.github/workflows/check-with-bandit.yml

@@ -32,7 +32,7 @@ jobs:
 
     - name: Upload Bandit report
       if: always()
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: bandit-report
         path: bandit-output.txt

.github/workflows/drop-in-target-build-only.yml

@@ -1,56 +0,0 @@
-name: Execute make qm_dropin targets
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-    branches:
-      - main
-
-jobs:
-  run_qm_dropin_targets:
-    runs-on: ubuntu-latest
-
-    container:
-      image: fedora:40   # Use Fedora as the container for this job
-      #options: --privileged  # Enable privileged mode for nested containers if necessary (optional)
-
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v2
-
-      - name: Install required tools and Podman
-        run: |
-          dnf group install -y "Development Tools"
-          dnf install -y make bzip2 grep sed podman rpm-build selinux-policy-devel selinux-policy container-selinux golang-github-cpuguy83-md2man
-
-      - name: Get qm_dropin targets
-        id: get_targets
-        run: |
-          # Extract all qm_dropin targets from Makefile
-          targets=$(grep -oE '^qm_dropin_[a-zA-Z0-9_-]+:' Makefile | sed 's/://g')
-          if [ -z "$targets" ]; then
-            echo "No qm_dropin targets found."
-            exit 0
-          fi
-          # Replace newlines with spaces to create a single-line environment variable
-          targets=$(echo "$targets" | tr '\n' ' ')
-          echo "Found qm_dropin targets: $targets"
-          echo "targets=$targets" >> $GITHUB_ENV
-
-      - name: Run qm_dropin targets
-        run: |
-          # Execute all qm_dropin targets
-          for target in ${{ env.targets }}; do
-            echo "Running target: $target"
-            make $target || exit 1
-          done
-
-      - name: Notify success
-        if: success()
-        run: echo "All qm_dropin targets executed successfully."
-
-      - name: Notify failure
-        if: failure()
-        run: echo "One or more qm_dropin targets failed." && exit 1

.github/workflows/mkdocs-check.yml

@@ -0,0 +1,30 @@
+name: MkDocs Build Check
+
+on:
+  pull_request:
+    paths:
+      - 'docs/**'
+      - '**.md'
+
+jobs:
+  mkdocs-build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Install MkDocs and dependencies
+        run: |
+          pip install \
+            mkdocs \
+            mkdocs-material \
+            pymdown-extensions
+
+      - name: Build MkDocs site
+        run: mkdocs build -f docs/mkdocs.yml --strict

.gitignore

@@ -6,3 +6,4 @@ qm.pp.bz2
 qm_file_contexts
 *.8
 tests/e2e/ContainerFile.template
+__pycache__/

.packit.sh

@@ -32,3 +32,8 @@ sed -i "s/^Release:.*/Release: ${PACKIT_RPMSPEC_RELEASE}%{?dist}/" ${SPEC_FILE}
 
 # Update Source tarball name in spec
 sed -i "s/^Source0:.*.tar.gz/Source0: %{name}-${HEAD_VERSION}.tar.gz/" ${SPEC_FILE}
+
+# Add update create additional subpackages in spec
+# Please refer `Let automation create/publish PR sub-packages` of docs/devel/README.md
+sed -i 's/\(enable_qm_mount_bind_kvm \).*/\11/' ${SPEC_FILE}
+

.packit.yaml

@@ -23,6 +23,9 @@ jobs:
       epel-9:
         additional_repos:
           - copr://@centos-automotive-sig/bluechi-snapshot
+      epel-10:
+        additional_repos:
+          - copr://@centos-automotive-sig/bluechi-snapshot
 
   # Run on commit to main branch
   - &copr
@@ -42,6 +45,9 @@ jobs:
       - epel-9-aarch64
       - epel-9-ppc64le
       - epel-9-x86_64
+      - epel-10-aarch64
+      - epel-10-ppc64le
+      - epel-10-x86_64
 
   - job: tests
     trigger: pull_request
@@ -87,28 +93,59 @@ jobs:
     identifier: qm-tier-0
     tmt_plan: /plans/e2e/tier-0
     targets:
-      - fedora-latest
       - epel-9-x86_64
     tf_extra_params:
       environments:
         - artifacts:
           - *bluechi_copr_repo
+          hardware:
+            disk:
+             - size: ">= 20 GB"
+
+  - job: tests
+    trigger: pull_request
+    identifier: kvm-tier-0
+    tmt_plan: /plans/e2e/kvm-tier-0
+    targets:
+      # TBF: fedora-latest -eq 42 no published to public-tf
+      - fedora-41
+      - epel-9-x86_64
+    tf_extra_params:
+      environments:
+        - artifacts:
           - *bluechi_copr_repo_fedora
           hardware:
             disk:
              - size: ">= 20 GB"
+            virtualization:
+             is-supported: true
+
+  - job: tests
+    trigger: pull_request
+    identifier: automotive-image-builder
+    tmt_plan: /plans/e2e/aib
+    targets:
+      - epel-9-x86_64
+    tf_extra_params:
+      environments:
+          hardware:
+            disk:
+             - size: ">= 20 GB"
+
 
   - job: propose_downstream
     trigger: release
     dist_git_branches:
       - fedora-all
       - epel-9
+      - epel-10
 
   - job: koji_build
     trigger: commit
     dist_git_branches:
       - fedora-all
       - epel-9
+      - epel-10
 
   - job: bodhi_update
     trigger: commit
@@ -116,3 +153,4 @@ jobs:
       # rawhide updates are created automatically
       - fedora-branched
       - epel-9
+      - epel-10

.readthedocs.yaml

@@ -0,0 +1,20 @@
+# .readthedocs.yaml
+# Read the Docs configuration file
+# See https://docs.readthedocs.io/en/stable/config-file/v2.html for details
+
+# Required
+version: 2
+
+# Set the version of Python and other tools you might need
+build:
+  os: ubuntu-22.04
+  tools:
+    python: "3.11"
+
+mkdocs:
+  configuration: docs/mkdocs.yml
+
+# Optionally declare the Python requirements required to build your docs
+python:
+   install:
+   - requirements: docs/requirements.txt

Makefile

@@ -9,72 +9,7 @@ QMDIR=/usr/lib/qm
 SPECFILE=rpm/qm.spec
 RPM_TOPDIR ?= $(PWD)/rpmbuild
 VERSION ?= $(shell cat VERSION)
-
-###########################################
-# subpackage QM - img_tempdir             #
-###########################################
-# use img temp dir as /var/tmp            #
-###########################################
-# export EN_QM_DROP_IMG_TMPDIR=1
-EN_QM_DROP_IMG_TMPDIR ?= 0
-
-#######################################################################
-# subpackage QM - mount bind /dev/tty7                                #
-#######################################################################
-# mount bind /dev/tty7 from host to nested containers as /dev/tty7:rw #
-# Please note: /dev/tty7 is typically the virtual terminal associated #
-# with the graphical user interface (GUI) on Linux systems.           #
-# It is where the X server or the Wayland display server usually runs,#
-# handling the graphical display, input, and windowing environment.   #
-# When you start a graphical session (such as GNOME, KDE, etc.),      #
-# it usually runs on this virtual console.                            #
-#######################################################################
-# export EN_QM_MNT_BIND_TTY7=1
-EN_QM_MNT_BIND_TTY7 ?= 0
-
-############################################
-# subpackage QM - mount bind audio device  #
-# from host to container and nested        #
-# container enabling sound                 #
-############################################
-# export EN_QM_MNT_BIND_SOUND=1
-EN_QM_MNT_BIND_SOUND ?= 0
-
-############################################
-# subpackage QM - ros2-rolling             #
-############################################
-# export EN_QM_ROS2_ROLLING=1
-EN_QM_ROS2_ROLLING ?= 0
-
-###########################################
-# subpackage QM - Enable Window Manager   #
-###########################################
-# export EN_QM_WINDOW_MGR=1
-EN_QM_WINDOW_MGR ?= 0
-
-###########################################
-# subpackage QM - mount bind /dev/ttyUSB0 #
-###########################################
-# export EN_QM_MNT_BIND_TTY_USB=1
-EN_QM_MNT_BIND_TTY_USB ?= 0
-
-###########################################
-# subpackage QM - mount bind /dev/kvm #
-###########################################
-# export EN_QM_MNT_BIND_KVM=1
-EN_QM_MNT_BIND_KVM ?= 0
-
-###########################################
-# subpackage QM - input devices           #
-###########################################
-# export EN_QM_MNT_BIND_INPUT=1
-EN_QM_MNT_BIND_INPUT ?= 0
-
-###########################################
-# subpackage QM - input video             #
-###########################################
-# export EN_QM_MNT_BIND_VIDEO=1
-EN_QM_MNT_BIND_VIDEO ?= 0
+ROOTDIR ?= $(PWD)
 
 # Default help target
 .PHONY: help
@@ -135,67 +70,15 @@ rpm: clean dist ##             - Creates a local RPM package, useful for develop
 	tools/version-update -v ${VERSION}
 	cp ./rpm/v${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
 	rpmbuild -ba \
-		--define="u_enable_qm_dropin_img_tempdir ${EN_QM_DROP_IMG_TMPDIR}" \
-		--define="u_enable_qm_window_manager ${EN_QM_WINDOW_MGR}" \
-		--define="u_enable_qm_mount_bind_tty7 ${EN_QM_MNT_BIND_TTY7}" \
-		--define="u_enable_qm_mount_bind_ttyUSB0 ${EN_QM_MNT_BIND_TTY_USB}" \
-		--define="u_enable_qm_mount_bind_sound ${EN_QM_MNT_BIND_SOUND}" \
-		--define="u_enable_qm_mount_bind_kvm ${EN_QM_MNT_BIND_KVM}" \
-		--define="u_enable_qm_mount_bind_input ${EN_QM_MNT_BIND_INPUT}" \
-		--define="u_enable_qm_mount_bind_video ${EN_QM_MNT_BIND_VIDEO}" \
-		--define="u_enable_qm_dropin_ros2_rolling ${EN_QM_ROS2_ROLLING}" \
 		--define="_topdir ${RPM_TOPDIR}" \
 		--define="version ${VERSION}" \
 		${SPECFILE}
 
-# ostree target is a helper for everything required for ostree
-.PHONY: ostree
-ostree: qm_dropin_img_tempdir ##             - A helper for creating QM packages for ostree based distros
-
-.PHONY: qm_dropin_window_manager
-qm_dropin_window_manager: qm_dropin_mount_bind_kvm qm_dropin_mount_bind_sound qm_dropin_mount_bind_tty7 qm_dropin_mount_bind_input ##         - QM RPM sub-package qm_dropin_window_manager
-	sed -i 's/%define enable_qm_window_manager 0/%define enable_qm_window_manager 1/' ${SPECFILE}
-	$(MAKE) VERSION=${VERSION} rpm
-
-.PHONY: qm_dropin_img_tempdir
-qm_dropin_img_tempdir: ##            - QM RPM sub-package qm_dropin_img_tempdir
-	sed -i 's/%define enable_qm_dropin_img_tempdir 0/%define enable_qm_dropin_img_tempdir 1/' ${SPECFILE}
-	$(MAKE) VERSION=${VERSION} rpm
-
-.PHONY: qm_dropin_ros2_rolling
-qm_dropin_ros2_rolling: ##           - QM RPM sub-package to creating a quadlet container with ROS2 rolling env
-	sed -i 's/%define enable_qm_ros2_rolling 0/%define enable_qm_ros2_rolling 1/' ${SPECFILE}
-	$(MAKE) VERSION=${VERSION} rpm
-
-.PHONY: qm_dropin_mount_bind_ttyUSB0
-qm_dropin_mount_bind_ttyUSB0: ##     - QM RPM sub-package to mount bind /dev/ttyUSB0 in the nested containers
-	sed -i 's/%define enable_qm_mount_bind_ttyUSB0 0/%define enable_qm_mount_bind_ttyUSB0 1/' ${SPECFILE}
-	$(MAKE) VERSION=${VERSION} rpm
-
-.PHONY: qm_dropin_mount_bind_video0
-qm_dropin_mount_bind_video0: ##      - QM RPM sub-package to mount bind /dev/video0 in the nested containers
-	sed -i 's/%define enable_qm_mount_bind_video 0/%define enable_qm_mount_bind_video 1/' ${SPECFILE}
-	$(MAKE) VERSION=${VERSION} rpm
-
-.PHONY: qm_dropin_mount_bind_kvm
-qm_dropin_mount_bind_kvm: ##         - QM RPM sub-package to mount bind /dev/kvm in the nested containers
-	sed -i 's/%define enable_qm_mount_bind_kvm 0/%define enable_qm_mount_bind_kvm 1/' ${SPECFILE}
-	$(MAKE) VERSION=${VERSION} rpm
-
-.PHONY: qm_dropin_mount_bind_sound
-qm_dropin_mount_bind_sound: ##       - QM RPM sub-package to mount bind /dev/snd in the nested containers
-	sed -i 's/%define enable_qm_mount_bind_sound 0/%define enable_qm_mount_bind_sound 1/' ${SPECFILE}
-	$(MAKE) VERSION=${VERSION} rpm
-
-.PHONY: qm_dropin_mount_bind_tty7
-qm_dropin_mount_bind_tty7: ##        - QM RPM sub-package to mount bind /dev/tty7 in the nested containers
-	sed -i 's/%define enable_qm_mount_bind_tty7 0/%define enable_qm_mount_bind_tty7 1/' ${SPECFILE}
-	$(MAKE) VERSION=${VERSION} rpm
-
-.PHONY: qm_dropin_mount_bind_input
-qm_dropin_mount_bind_input: ##       - QM RPM sub-package to mount bind /dev/input in the nested containers
-	sed -i 's/%define enable_qm_mount_bind_input 0/%define enable_qm_mount_bind_input 1/' ${SPECFILE}
-	$(MAKE) VERSION=${VERSION} rpm
+.PHONY: subpackages
+subpackages: $(TARGETS)
+$(TARGETS):
+	@echo "Entering directory: subsystem/$@"
+	make -f subsystems/$@/Makefile $@
 
 install-policy: all ##             - Install selinux policies only
 	semodule -i ${TARGETS}.pp.bz2

README.md

@@ -1,72 +1,58 @@
 # Topics
 
-1. [QM is a containerized environment for running Functional Safety QM (Quality Management) software](#qm-is-a-containerized-environment-for-running-functional-safety-qm-quality-management-software)
-2. [SELinux Policy](#selinux-policy)
-3. [BlueChi](#bluechi)
-4. [RPM Building Dependencies](#rpm-building-dependencies)
-5. [How the OOM Score Adjustment is Used in QM](#how-the-oom-score-adjustment-is-used-in-qm)
-    - [Why Use oom score adj in QM?](#why-use-oomscoreadj-in-qm)
-    - [OOM Score Adjustment in QM](#oom-score-adjustment-in-qm)
-    - [Nested Containers](#nested-containers)
-    - [QM Process](#qm-process)
-    - [ASIL Applications](#asil-applications)
-    - [Highlights](#highlights)
-    - [ASCII Diagram](#ascii-diagram)
-6. [QM Sub-Packages](#qm-sub-packages)
-    - [Key Features of QM Sub-Packages](#key-features-of-qm-sub-packages)
-    - [Building QM Sub-Packages](#building-qm-sub-packages)
-    - [Installing QM Sub-Packages](#installing-qm-sub-packages)
-    - [Removing QM Sub-Packages](#removing-qm-sub-packages)
-    - [Creating Your Own Drop-In QM Sub-Package](#creating-your-own-drop-in-qm-sub-package)
-    - [QM Sub-Package ROS2](#qm-sub-package-ros2)
-    - [QM Sub-Package KVM](#qm-sub-package-kvm)
-    - [QM Sub-Package Sound](#qm-sub-package-sound)
-    - [QM Sub-Package Video](#qm-sub-package-video)
-7. [Examples](#examples)
-8. [Development](#development)
-9. [Talks and Videos](#talks-and-videos)
-    - [Paving the Way for Uninterrupted Car Operations - DevConf Boston 2024](https://www.youtube.com/watch?v=jTrLqpw7E6Q)
-    - [Security - Sample Risk Analysis according to ISO26262](https://www.youtube.com/watch?v=jTrLqpw7E6Q&t=1268s)
-    - [ASIL and QM - Simulation and Service Monitoring using bluechi and podman](https://www.youtube.com/watch?v=jTrLqpw7E6Q&t=1680s)
-    - [Containers in a Car - DevConf.CZ 2023](https://www.youtube.com/watch?v=FPxka5uDA_4)
-10. [RPM Mirrors](#rpm-mirrors)
+- [Topics](#topics)
+  - [QM is a containerized environment for running functional safety Quality Management software](#qm-is-a-containerized-environment-for-running-functional-safety-quality-management-software)
+  - [QM SELinux policy](#qm-selinux-policy)
+  - [BlueChi](#bluechi)
+  - [RPM building dependencies](#rpm-building-dependencies)
+  - [How OOM score adjustment is used in QM](#how-oom-score-adjustment-is-used-in-qm)
+    - [Priority process of OOM killer in the QM context](#priority-process-of-oom-killer-in-the-qm-context)
+  - [Contributing to the QM project](#contributing-to-the-qm-project)
+  - [Realtime](#realtime)
+  - [Talks and videos](#talks-and-videos)
+  - [RPM mirrors](#rpm-mirrors)
+  - [Configuring QM](#configuring-qm)
+    - [Modifying the `MemoryHigh` variable](#modifying-the-memoryhigh-variable)
 
-## QM is a containerized environment for running Functional Safety QM (Quality Management) software
+## QM is a containerized environment for running functional safety Quality Management software
 
-The main purpose of this package is allow users to setup an environment which
-prevents applications and container tools from interfering with other processes
-on the system. For example ASIL (Automotive Safety Integrity Level) environments.
+The main purpose of the Quality Management (QM) environment is to allow users to configure
+an environment that prevents applications and container tools from interfering with
+other processes on the system, such as in Automotive Safety Integrity Level (ASIL)
+processes and applications. AutoSD is not a certified safety product. In the context of
+AutoSD, QM is not for use in production environments but for research and learning purposes only.
 
-The QM environment uses containerization tools like cgroups, namespaces, and
-security isolation to prevent accidental interference by processes in the qm.
+The QM environment uses containerization tools, such as cgroups, namespaces, and
+security isolation, to prevent accidental interference by processes in the QM.
 
-The QM will run its own version of systemd and Podman to isolate not only the
-applications and containers launched by systemd and Podman but systemd and
+The QM runs its own version of systemd and Podman to isolate not only the
+applications and containers launched by systemd and Podman, but also systemd and
 Podman commands themselves.
 
 This package requires the Podman package to establish the containerized
-environment and uses quadlet to set it up.
+environment and uses Quadlet to set it up. Refer to the [docs directory](docs/quadlet-examples/)
+for example Quadlet files.
 
-Software install into the qm environment under /usr/lib/qm/rootfs will
-be automatically isolated from the host. But if developers want to further
-isolate these processes from other processes in the QM they can use container
-tools like Podman to further isolate.
+Software installed in the QM environment under `/usr/lib/qm/rootfs` is
+automatically isolated from the host. To further isolate these processes
+from other processes in the QM, developers can use container tools, such as Podman.
 
-## SELinux Policy
+## QM SELinux policy
 
-This policy is used to isolate Quality Management parts of the operating system
-from the other Domain-Specific Functional Safety Levels (ASIL).
+The QM SELinux policy isolates QM parts of the operating system
+from the other domain-specific functional safety levels, such as ASIL.
 
-The main purpose of this policy is to prevent applications and container tools
-with interfering with other processes on the system. The QM needs to support
-further isolate containers run within the qm from the qm_t process and from
-each other.
+The main purpose of this policy is to prevent applications and container
+tools from interfering with other processes on the system. The QM must
+isolate containers from `qm_t` processes as well as from other containers.
 
-For now all of the control processes in the qm other then containers will run
-with the same qm_t type.
+For now, all of the control processes in the QM other than containers run
+with the same `qm_t` type. For more information, refer to `man qm_selinux`.
 
-Still would like to discuss about a specific selinux prevision?
-Please open an [QM issue](https://github.com/containers/qm/issues) with the output of selinux error from a recent operation related to QM. The output of the following commands are appreciated for understanding the root cause.
+For support with a specific SELinux issue, open a [QM issue](https://github.com/containers/qm/issues)
+and include the SELinux error output from a recent QM-related operation.
+
+The following commands yield output that can help determine the root cause of the issue:
 
 ```console
 ausearch -m avc -ts recent | audit2why
@@ -74,436 +60,66 @@ journalctl -t setroubleshoot
 sealert -a /var/log/audit/audit.log
 ```
 
-## Bluechi
+## BlueChi
 
 - [BlueChi](https://github.com/containers/qm/pull/57)
 
-The package configures the bluechi agent within the QM.
+The package configures the bluechi-agent within the QM.
 
-BlueChi is a systemd service controller intended for multi-node environments with
-a predefined number of nodes and with a focus on highly regulated ecosystems such
-as those requiring functional safety. Potential use cases can be found in domains
-such as transportation, where services need to be controlled across different
-edge devices and where traditional orchestration tools are not compliant with
+BlueChi is a systemd service controller intended for use in highly regulated
+ecosystems that feature multi-node environments with a predefined number of nodes.
+Potential use cases can be found in industries that require functional safety,
+such as the transportation industry in which services must be controlled across different
+edge devices and where traditional orchestration tools do not comply with
 regulatory requirements.
 
-Systems with QM installed will have two systemd's running on them. The QM bluechi-agent
-is based on the hosts /etc/bluechi/agent.conf file. By default any changes to the
-systems agent.conf file are reflected into the QM /etc/bluechi/agent.conf. You can
-further customize the QM bluechi agent by adding content to the
-/usr/lib/qm/rootfs/etc/bluechi/agent.conf.d/ directory.
+Systems with QM installed have two systemd processes running on them. The QM
+bluechi-agent is based on the hosts `/etc/bluechi/agent.conf` file. By default, any
+changes to the system's `agent.conf` file are reflected in the QM `/etc/bluechi/agent.conf` file.
+You can further customize the QM bluechi-agent by adding content to the
+`/usr/lib/qm/rootfs/etc/bluechi/agent.conf.d/` directory.
 
 ```console
 # dnf install -y python3-dnf-plugins-core
 # dnf config-manager --set-enabled crb
 ```
 
-## QM Sub-packages
-
-The qm project is designed to provide a flexible and modular environment for managing
-Quality Management (QM) software in containerized environments. One of the key features
-of the qm package is its support for sub-package(s), such as the qm-dropin sub-packages.
-These sub-packages are not enabled by default and are optional. However,  allow users
-to easily extend or customize their QM environment by adding specific configurations,
-tools, or scripts to the containerized QM ecosystem by simple installing or uninstalling
-a RPM package into the system.
-
-## Key Features of QM Sub-Packages
-
-### Modularity
-
-- No configuration change, no typo or distribution rebuild/update.
-- Just dnf install/remove from the tradicional rpm schema.
-
-### Customizability
-
-- Users can easily add specific configurations to enhance or modify the behavior of their QM containers.
-
-### Maintainability
-
-- Sub-packages ensure that the base qm package remains untouched, allowing easy updates without breaking custom configurations.
-
-### Simplicity
-
-- Like qm-dropin provide a clear directory structure and templates to guide users in customizing their QM environment.
-
-## Building QM sub-packages
-
-Choose one of the following sub-packages and build using make.
-
-```bash
-$ git clone git@github.com:containers/qm.git && cd qm
-$ make | grep qm_dropin
-qm_dropin_img_tempdir            - Creates a QM RPM sub-package qm_dropin_img_tempdir
-qm_dropin_mount_bind_tty7        - Creates a QM RPM sub-package to mount bind /dev/tty7 in the nested containers
-qm_dropin_mount_bind_input       - Creates a QM RPM sub-package to mount bind input in the nested containers
-
-$ make qm_dropin_mount_bind_input
-$ ls rpmbuild/RPMS/noarch/
-qm-0.6.7-1.fc40.noarch.rpm  qm_mount_bind_input-0.6.7-1.fc40.noarch.rpm
-```
-
-## Installing QM sub-packages
-
-```bash
-$ sudo dnf install ./rpmbuild/RPMS/noarch/qm_mount_bind_input-0.6.7-1.fc40.noarch.rpm
-<SNIP>
-Complete!
-```
-
-If QM is already running, restart or reload your QM container environment to apply the new configurations.
-
-```bash
-sudo podman restart qm
-```
-
-## Removing QM sub-packages
-
-```bash
-sudo rpm -e qm_mount_bind_input
-```
-
-## QM sub-package Video
-
-The video sub-package exposes `/dev/video0` (or many video devices required) to the container. This feature is useful for demonstrating how to share a camera from the host system into a container using Podman drop-in. To showcase this functionality, we provide the following demo:
-
-### Building the video sub-package, installing, and restarting QM
-
-```bash
-host> make qm_dropin_mount_bind_video0
-host> sudo podman restart qm
-host> sudo dnf install ./rpmbuild/RPMS/noarch/qm_mount_bind_video-0.6.7-1.fc40.noarch.rpm
-```
-
-This simulates a rear camera when the user shifts into reverse gear.
-
-In this simulation, we created a systemd service that, every time it is started, captures a snapshot from the webcam, simulating the action of a rear camera. (Feel free to start and restart the service multiple times!)
-
-```bash
-host> sudo podman exec -it qm bash
-
-bash-5.2# systemctl daemon-reload
-bash-5.2# systemctl start rear-camera
-
-# ls -la /tmp/screenshot.jpg
--rw-r--r--. 1 root root 516687 Oct 13 04:05 /tmp/screenshot.jpg
-bash-5.2#
-```
-
-### Copy the screenshot to the host and view it
-
-```bash
-host> sudo podman cp qm:/tmp/screenshot.jpg .
-```
-
-Great job! Now imagine all the possibilities this opens up!
-
-## QM sub-package Sound
-
-### Step 1: Install the QM Mount Bind Sound Package
-
-To set up sound cards in a QM environment using Podman, follow the steps below:
-Run the following commands to install the `qm_mount_bind_sound` package and restart QM (if previously in use):
-
-```bash
-# Build and install the RPM for QM sound
-git clone https://github.com/containers/qm.git && cd qm
-make qm_dropin_mount_bind_sound
-sudo dnf install -y rpmbuild/RPMS/noarch/qm_mount_bind_sound-0.6.7-1.fc40.noarch.rpm
-
-# Restart QM container (if already running)
-sudo podman restart qm
-
-### Step 2: Identify Sound Cards
-
-After installing the drop-in and restarting QM, you need to identify which sound card in the Linux system will be used in QM. If you're familiar with your sound card setup feel free to skip this step.
-
-To list the sound cards available on your system (in our case, we will pick the number 1):
-
-```bash
-cat /proc/asound/cards
-```
-
-**Example Output**:
-
-```bash
- 0 [NVidia         ]: HDA-Intel - HDA NVidia
-                      HDA NVidia at 0x9e000000 irq 17
- 1 [sofhdadsp      ]: sof-hda-dsp - sof-hda-dsp
-                      LENOVO-20Y5000QUS-ThinkPadX1ExtremeGen4i
- 2 [USB            ]: USB-Audio - USB Audio Device
-                      Generic USB Audio at usb-0000:00:14.0-5, full speed
-```
-
-### Detecting Channels and Sample Rates
-
-To list the supported number of channels and samples use `pactl` command:
-
-```bash
-pactl list sinks | grep -i 48000 | uniq
-    Sample Specification: s24-32le 2ch 48000Hz
-```
-
-### Verify Sample Rate Support
-
-To show the supported sample rates for a specific sound card codec, you can also inspect the codec details:
-
-```bash
-cat /proc/asound/card1/codec#0 | grep -i rates
-```
-
-This will output the supported sample rates for the codec associated with `card1`.
-
-### Differentiating Between Cards
-
-Accessing Card 1 (sof-hda-dsp)
-
-```bash
-cat /proc/asound/cards | grep -A 1 '^ 1 '
-```
-
-Accessing Card 2 (USB Audio Device)
-
-```bash
-cat /proc/asound/cards | grep -A 1 '^ 2 '
-```
-
-### Step 3: Testing audio inside QM
-
-Inside QM, run the following command:
-
-```bash
-podman exec -it qm bash
-bash-# podman ps
-CONTAINER ID  IMAGE                           COMMAND         CREATED      STATUS      PORTS       NAMES
-76dacaa9a89e  quay.io/qm-images/audio:latest  sleep infinity  7 hours ago  Up 7 hours              systemd-audio
-
-
-bash-# podman exec -it systemd-audio bash
-
-Execute the audio test within the nested container, and the sound will be output through the physical speakers of your computer—or, in this case, the car's multimedia soundbox.
-bash-# speaker-test -D hw:1,0 -c 2 -r 48000
-```
-
-Params:
-
-```bash
-hw:1,0: sound card 1, device 0
--c 2: two channels (stereo)
--r 48000: sample rate of 48 kHz
-```
-
-## Creating your own drop-in QM sub-package
-
-We recommend using the existing drop-in files as a guide and adapting them to your specific needs. However, here are the step-by-step instructions:
-
-1) Create a drop-in file in the directory: `etc/qm/containers/containers.conf.d`
-2) Add it as a sub-package to `rpm/qm.spec`
-3) Test it by running: `make clean && VERSION=YOURVERSIONHERE make rpm`
-4) Additionally, test it with and without enabling the sub-package using (by default it should be disabled but there are cases where it will be enabled by default if QM community decide):
-
-Example changing the spec and triggering the build via make (feel free to automate via sed, awk etc):
-
-```bash
-# Define the feature flag: 1 to enable, 0 to disable
-# By default it's disabled: 0
-%define enable_qm_dropin_img_tempdir 1
-
-$ make clean && VERSION=YOURVERSIONHERE make rpm
-```
-
-## QM sub-package ROS2
-
-The QM sub-package ROS2 (a.k.a "The Robot Operating System" or middleware for robots) is widely used by open-source projects, enterprises, companies, edge env and government agencies, including NASA, to advance robotics and autonomous systems. Enabled by Quadlet in QM, ROS2 on top of QM provides a secure environment where robots can operate and communicate safely, benefiting from QM's "Freedom from Interference" frequently tested layer. This ensures robots can function without external interference, enhancing their reliability and security.
-
-The types of robots compatible with this environment are extensive, ranging from medical devices and aerial drones to aqua drones and space rockets. ROS2 within QM supports high availability, meaning these robotic systems can maintain continuous operations, crucial for mission-critical and industrial applications. This versatility makes it ideal for environments that demand robust communication and operational safety, from healthcare and aerospace to underwater exploration and autonomous land vehicles.
-
-How to test this env?
-
-```bash
-$host> git clone https://github.com/containers/qm.git && cd qm
-$host> make qm_dropin_ros2_rolling
-$host> sudo dnf install rpmbuild/RPMS/noarch/qm_ros2_rolling-0.6.7-1.fc40.noarch.rpm  -y
-$host> sudo podman restart qm  # if you have qm already running
-
-Testing using talked and listener examples
-$host> sudo podman exec -it qm bash
-QM> ros2 run demo_nodes_cpp talker &
-QM> ros2 run demo_nodes_cpp listener
-```
-
-## QM sub-package KVM
-
-The QM sub-package KVM includes drop-in configuration that enables the integration of Kernel-based Virtual Machine (KVM) management into the QM (Quality Management) container environment. This configuration allows users to easily configure and manage KVM virtual machines within the QM system, streamlining virtualization tasks in containerized setups.
-
-Below example step by step:
-
-Step 1:  clone QM repo, install libvirt packages, prepare some files inside QM and start the libvirt daemon.
-
-```bash
-$host> git clone https://github.com/containers/qm.git && cd qm
-$host> make qm_dropin_mount_bind_kvm
-$host> sudo dnf install rpmbuild/RPMS/noarch/qm_mount_bind_kvm-0.6.7-1.fc40.noarch.rpm
-$host> sudo podman restart qm  # if you have qm already running
-$host> sudo dnf --installroot /usr/lib/qm/rootfs/ install virt-install libvirt-daemon libvirt-daemon-qemu libvirt-daemon-kvm -y
-
-# Copy default network settings to /root dir inside QM (/usr/lib/qm/rootfs/root)
-$host> sudo cp /usr/share/libvirt/networks/default.xml /usr/lib/qm/rootfs/root
-
-Step 2: Preparing cloudinit files inside QM (/usr/lib/qm/rootfs/root)
-
-# Cloud-init files
-------------------------------
-$host> cd /usr/lib/qm/rootfs/root/
-$host> cat meta-data
-instance-id: fedora-cloud
-local-hostname: fedora-vm
-
-# We are setting to user fedora the default password as fedora
-$host> cd /usr/lib/qm/rootfs/root/
-$host> cat user-data
-#cloud-config
-password: fedora
-chpasswd: { expire: False }
-ssh_pwauth: True
-
-# Download the Fedora Cloud image for tests and save it /usr/lib/qm/rootfs/var/lib/libvirt/images/
-$ wget -O /usr/lib/qm/rootfs/root/Fedora-Cloud-Base-Generic.qcow2 https://download.fedoraproject.org/pub/fedora/linux/releases/40/Cloud/x86_64/images/Fedora-Cloud-Base-Generic.x86_64-40-1.14.qcow2
-
-# Generate the cloud-init.iso and move it to /usr/lib/qm/rootfs/var/lib/libvirt/images/
-$host> cloud-localds cloud-init.iso user-data meta-data
-$host> mv cloud-init.iso /usr/lib/qm/rootfs/var/lib/libvirt/images/
-
-# Change permission to qemu:qemu
-$host> chown qemu:qemu /usr/lib/qm/rootfs/var/lib/libvirt/*
-
-Step 3: Starting libvirtd and checking if it's active inside QM
-
-##################################################################
-# Keep in mind for the next steps:
-# Depending on the distro you are running SELinux might complain
-# about libvirtd running on QM / udev errors
-##################################################################
-
-# Going inside QM
-$ sudo podman exec -it qm bash
-
-# Starting libvirtd
-bash-5.2# systemctl start libvirt
-
-# Check if it's running:
-bash-5.2# systemctl is-active libvirtd
-active
-```
-
-Step 4: Creating a script inside QM and running the VM
-
-```bash
-$host> cd /usr/lib/qm/rootfs/root/
-$host> vi run
-##### START SCRIPT ############
-# Set .cache to /tmp
-export XDG_CACHE_HOME=/tmp/.cache
-
-# Remove previous instance
-virsh destroy fedora-cloud-vm 2> /dev/null
-virsh undefine fedora-cloud-vm 2> /dev/null
-
-# Network
-virsh net-define ./default.xml 2> /dev/null
-virsh net-start default 2> /dev/null
-virsh net-autostart default 2> /dev/null
-
-# Install
-virt-install \
---name fedora-cloud-vm \
---memory 20048 \
---vcpus 4 \
---disk path=/var/lib/libvirt/images/Fedora-Cloud-Base-Generic.qcow2,format=qcow2 \
---disk path=/var/lib/libvirt/images/cloud-init.iso,device=cdrom \
---os-variant fedora-unknown \
---network network=default \
---import \
---graphics none \
---console pty,target_type=serial \
---noautoconsole
-
-##### END SCRIPT ############
-```
-
-Step 5: Running the script
-
-```bash
-qm$ sudo podman exec -it qm bash
-bash-5.2# cd /root
-bash-5.2# ./run
-Domain 'fedora-cloud-vm' destroyed
-
-Domain 'fedora-cloud-vm' has been undefined
-
-Network default marked as autostarted
-
-Starting install...
-Creating domain...                                                                                        |    0 B  00:00:00
-Domain creation completed.
-bash-5.2# virsh list
- Id   Name              State
----------------------------------
- 4    fedora-cloud-vm   running
-
-bash-5.2# virsh console fedora-cloud-vm
-
-fedora-vm login: fedora
-Password:
-
-Last login: Tue Oct  8 06:01:18 on ttyS0
-[fedora@fedora-vm ~]$
-```
-
 ## RPM building dependencies
 
-In order to build qm package on CentOS Stream 9 you'll need Code Ready Builder
-repository enabled in order to provide `golang-github-cpuguy83-md2man` package.
+To build QM packages on CentOS Stream 9, enable the Code Ready Builder
+repository for access to the `golang-github-cpuguy83-md2man` package.
 
-## How the OOM Score Adjustment is used in QM
+## How OOM score adjustment is used in QM
 
-The om_score_adj refers to the "Out of Memory score adjustment" in Linux operating systems. This parameter is used by the Out of Memory (OOM) killer to decide which processes to terminate when the system is critically low on memory.
+The Linux host kernel controls ASIL and QM processes. The Out-of-Memory (OOM) Killer is part of the Linux
+kernel's memory management subsystem. OOM Killer terminates processes to release RAM in memory-constrained conditions.
+The `oom_score_adj` parameter refers to the Out-of-Memory score adjustment in Linux operating systems.
+The OOM Killer uses the `oom_score_adj` parameter to decide which processes to terminate when the system is
+critically low on memory.
 
-### Why use oomscoreadj in QM?
+By fine-tuning which processes are more likely to be terminated during low-memory situations,
+critical processes can be protected, which enhances the overall stability of the system.
 
-By fine-tuning which processes are more likely to be terminated during low memory situations, critical processes can be protected, thereby enhancing the overall stability of the system. For instance only, ASIL (Automotive Safety Integrity Level) applications, which are critical for ensuring functional safety in automotive systems, will be preserved in case of low resources.
+- For example, ASIL applications are essential to maintaining functional safety in automotive systems.
+You can set their OOM score adjustment value from *-1* to *-1000*. To prioritize their operation
+even in low-memory situations, setting the value to *-1000* makes the process immune to the OOM killer
+and ensures that ASIL applications are the last to be terminated.
 
-### OOM Score Adjustment in QM
-
-#### Nested Containers
-
-- All nested containers created inside QM will have their OOM score adjustment set to *750*.
-
-```console
-$ cat /usr/share/qm/containers.conf | grep oom_score_adj
-oom_score_adj = 750
-```
-
-#### QM Process
-
-- The QM process has a default OOM score adjustment value set to *500*, configured via the *qm.container* file.
+- The QM process has a default OOM score adjustment value set to *500*, configured via the `qm.container` file.
 
 ```console
 cat /usr/share/containers/systemd/qm.container | grep OOMScoreAdjust
 # OOMScoreAdjust=500
 ```
 
-### ASIL Applications
+- All nested containers created inside the QM have a default OOM score adjustment of *750*.
 
-If we consider the example of ASIL (Automotive Safety Integrity Level) applications, which are essential for maintaining functional safety in automotive systems, their OOM score adjustment values can range from -1 to -1000. Setting the value to -1000 makes the process immune to the OOM killer. This ensures that ASIL applications are the last to be terminated by the OOM killer, thus prioritizing their operation even in low memory situations.
+```console
+$ cat /usr/share/qm/containers.conf | grep oom_score_adj
+oom_score_adj = 750
+```
 
-#### Highlights
-
-- Nested Containers inside QM: OOM score adjustment set to 750. (/usr/share/qm/containers.conf)
-- QM Process: OOM score adjustment value set to 500, configured via the qm.container file.
-- ASIL Applications: Can explore a range from -1 to -1000, with -1000 making the process immune to the OOM killer.
-
-#### ASCII Diagram
+### Priority process of OOM killer in the QM context
 
 ```txt
 +-------------------------------------------------------------+
@@ -562,7 +178,7 @@ If we consider the example of ASIL (Automotive Safety Integrity Level) applicati
          |                                                             |
          | Compared to other processes with the default adjustment     |
          | value of 0, nested containers are still more likely to be   |
-         | terminated first, ensuring the system and ASIL Apps are     |
+         | terminated first, ensuring the system and ASIL apps are     |
          | kept as safe as possible.                                   |
          |                                                             |
          +-------------------------------------------------------------+
@@ -572,22 +188,116 @@ If we consider the example of ASIL (Automotive Safety Integrity Level) applicati
 ------------------------------------ Kernel space -----------------------------------------------
 ```
 
-## Examples
+## Contributing to the QM project
 
-Looking for quadlet examples files? See our [docs dir](docs/quadlet-examples/).
+For information about how to contribute to the QM project, see the [Developers documentation README](docs/devel/README.md).
 
-## Development
+## Realtime
 
-If your looking for contribute to the project use our [development README guide](docs/devel/README.md) as start point.
+To enable real-time removal of sched_* blockage via seccomp, use the following schema:
 
-## Talks and Videos
+```bash
+cat << EOF >> /etc/containers/systemd/qm.container.d/rt.conf
+> [Container]
+SeccompProfile=""
+> EOF
+```
 
-Let's spread the knowledge regarding QM, if you have any interesting video regarding any
-technology related to QM please with us.
+## Talks and videos
 
-## RPM Mirrors
+Let's spread the knowledge regarding QM. If you have interesting content pertaining to
+QM-related technology, please share it with us.
 
-Looking for a specific version of QM?
-Search in the mirrors list below.
+## RPM mirrors
 
-[CentOS Automotive SIG - qm package - noarch](https://mirror.stream.centos.org/SIGs/9-stream/automotive/aarch64/packages-main/Packages/q/)
+Looking for a specific version of QM? Search the [CentOS Automotive SIG Stream Mirror](https://mirror.stream.centos.org/SIGs/9-stream/automotive/aarch64/packages-main/Packages/q/). The packages in CentOS Automotive SIG Stream Mirror are for experimentation only.
+
+## Configuring QM
+
+To run QM on an immutable OSTree-based OS, we use systemd units with Podman Quadlet.
+For more information on how `podman-systemd.unit` works, refer to the manual:
+
+`man podman-systemd.unit`
+
+The default QM configuration drop-in file is located in `/usr/share/containers/systemd/qm.container`.
+Modifying the original service file is not an option. Instead, create drop-in files to
+modify the default configuration.
+
+**NOTE:** The configuration is built in alphabetical order of the drop-in files.
+
+### Modifying the `MemoryHigh` variable
+
+To override the default settings, create a new drop-in `.conf` file in the
+`/etc/containers/systemd/qm.container.d/` directory. This method ensures that QM memory
+usage is controlled without modifying the base system configuration.
+
+1. Check the current memory limit:
+
+```bash
+
+systemctl show -P MemoryHigh qm
+
+infinity
+
+```
+
+The command output `infinity` indicates that `MemoryHigh` is unlimited. You can
+see this setting in `/usr/share/containers/systemd/qm.container`.
+
+1. Create a directory for the new drop-in file:
+
+```bash
+
+mkdir -p /etc/containers/systemd/qm.container.d/
+
+```
+
+1. Create a new drop-in file:
+
+```bash
+vim /etc/containers/systemd/qm.container.d/100-MemoryMax.conf
+```
+
+In this example, the new drop-in file is named `100-MemoryMax.conf`. You can choose a different name,
+but be aware that the configuration is built in alphabetical order of the drop-in files.
+
+1. Edit the file to add the following content:
+
+```bash
+
+[Service]
+
+MemoryHigh=2G
+
+```
+
+`MemoryHigh` is specified in gigabytes. 2G means 2 gigabytes.
+
+1. Preview the updated systemd configuration:
+
+```bash
+
+/usr/lib/systemd/system-generators/podman-system-generator {--user} --dryrun
+
+```
+
+1. Reload systemd and restart `qm.service` to apply the configuration changes:
+
+```bash
+
+systemctl daemon-reload
+
+systemctl restart qm.service
+
+```
+
+1. Verify the value of `MemoryHigh`:
+
+```bash
+
+systemctl show -P MemoryHigh qm
+
+2147483648
+```
+
+Memory values are displayed in bytes; 2147483648 bytes = 2G, which confirms that `MemoryHigh` is set to 2G.

VERSION

@@ -1 +1 @@
-0.6.8
+0.7.6

build-aux/exclude_from_tar_gz_subpackage_kvm.txt

@@ -0,0 +1,32 @@
+.git
+.gitignore
+demos
+tests
+rpmbuild
+tools
+subsystems
+qm-windowmanager
+.github
+NOTICE
+plans
+create-seccomp-rules
+qm_file_context
+qm.te
+build-aux
+docs
+qm_contexts
+qm.if
+qm_selinux.8
+setup
+rpm
+qm.8.md
+qm.fc
+pre-commit-hooks
+pre-commit-hooks/validate-config.sh
+Makefile
+.fmf/
+.fmf/version
+.packit.sh
+.packit.yaml
+.pre-commit-config.yaml
+.pre-commit-hooks.yaml

containers.conf

@@ -1,10 +1,15 @@
 [containers]
+default_ulimits = []
 default_sysctls = []
 
 cgroup_conf=[
 	"memory.oom.group=1",
 ]
 
+# Temporary default to host network until we fix private network bridge setup
+# when the qm container doesn't unmask all the virtual filesystems.
+netns="host"
+
 # The om_score_adj refers to the "Out of Memory score adjustment" in Linux
 # operating systems. This parameter is used by the Out of Memory (OOM)
 # killer to decide which processes to terminate when the system is
@@ -17,3 +22,8 @@ cgroup_conf=[
 # OOMScoreAdjust=500
 #
 oom_score_adj = 750
+
+[network]
+# The default is 10.88.0.0, but we need qm containers to have a
+# different ip address range or routing becomes confused
+default_subnet="10.89.0.0/16"

create-seccomp-rules

@@ -17,7 +17,7 @@
 SECCOMP_CONTAINERS_FILE="/usr/share/containers/seccomp.json"
 SYSCALLS_TO_DENY=("sched_setscheduler" "sched_setattr")
 
-QM_PATH_SECCOMP="/usr/share/qm/seccomp.json"
+QM_PATH_SECCOMP="/usr/share/qm/seccomp-no-rt.json"
 QM_DIR="${QM_PATH_SECCOMP%/*}"
 
 function remove_seccomp_entry_from_allow() {
@@ -37,11 +37,69 @@ function add_syscall_deny_list() {
     local syscall_name="$1"
     local seccomp_file_path="$2"
 
+    local temp_file
     temp_file=$(mktemp)
-    jq --tab \
-       --arg syscall "$syscall_name" \
-       '.syscalls += [{"names": [$syscall], "action": "SCMP_ACT_ERRNO", "args": [], "errnoRet": 1, "errno": "EPERM"}]' \
-       "${seccomp_file_path}" > "$temp_file" && mv "$temp_file" "${seccomp_file_path}"
+
+    if [[ "$syscall_name" == "sched_setscheduler" ]]; then
+        jq --tab \
+           '.syscalls += [
+               {
+                   "names": ["sched_setscheduler"],
+                   "action": "SCMP_ACT_ALLOW",
+                   "args": [
+                       {
+                           "index": 1,
+                           "value": 0,
+                           "valueTwo": 0,
+                           "op": "SCMP_CMP_EQ"
+                       }
+                   ],
+                   "comment": "",
+                   "includes": {},
+                   "excludes": {}
+               },
+               {
+                   "names": ["sched_setscheduler"],
+                   "action": "SCMP_ACT_ALLOW",
+                   "args": [
+                       {
+                           "index": 1,
+                           "value": 3,
+                           "valueTwo": 0,
+                           "op": "SCMP_CMP_EQ"
+                       }
+                   ],
+                   "comment": "",
+                   "includes": {},
+                   "excludes": {}
+               },
+               {
+                   "names": ["sched_setscheduler"],
+                   "action": "SCMP_ACT_ALLOW",
+                   "args": [
+                       {
+                           "index": 1,
+                           "value": 5,
+                           "valueTwo": 0,
+                           "op": "SCMP_CMP_EQ"
+                       }
+                   ],
+                   "comment": "",
+                   "includes": {},
+                   "excludes": {}
+               }
+           ]' "$seccomp_file_path" > "$temp_file" && mv "$temp_file" "$seccomp_file_path"
+    else
+        jq --tab \
+           --arg syscall "$syscall_name" \
+           '.syscalls += [{
+               "names": [$syscall],
+               "action": "SCMP_ACT_ERRNO",
+               "args": [],
+               "errnoRet": 1,
+               "errno": "EPERM"
+           }]' "$seccomp_file_path" > "$temp_file" && mv "$temp_file" "$seccomp_file_path"
+    fi
 
     rm "$temp_file" &> /dev/null
 }

demos/demo

@@ -105,20 +105,15 @@ status() {
 }
 
 cpuweight() {
-    exec_color "sudo systemctl set-property --runtime QM.slice CPUWeight=50"
     exec_color "sudo systemctl set-property --runtime qm.service CPUWeight=50"
 
-    echo "Value stored in QM.slice/cpu.weight:"
-    sudo cat /sys/fs/cgroup/QM.slice/cpu.weight
+    echo "Value stored in qm.service/cpu.weight:"
+    sudo cat /sys/fs/cgroup/qm.service/cpu.weight
 
-    echo "Value stored in QM.slice/qm.service/cpu.weight:"
-    sudo cat /sys/fs/cgroup/QM.slice/qm.service/cpu.weight
-    exec_color "sudo systemctl set-property --runtime QM.slice CPUWeight=10"
+    exec_color "sudo systemctl set-property --runtime qm.service CPUWeight=10"
 
-    echo "Value stored in QM.slice/cpu.weight:"
-    sudo cat /sys/fs/cgroup/QM.slice/cpu.weight
-    echo "Value stored in QM.slice/qm.service/cpu.weight:"
-    sudo cat /sys/fs/cgroup/QM.slice/qm.service/cpu.weight
+    echo "Value stored in qm.service/cpu.weight:"
+    sudo cat /sys/fs/cgroup/qm.service/cpu.weight
     echo -e "\n\n[Press enter to continue]"
     read -r
 }

docs/devel/README.developer.md

@@ -0,0 +1,109 @@
+# Developers documentation
+
+## Building QM rpm manually with changes
+
+Building QM locally with changes for tests is a recommended practice,
+especially for testing new features before submitting a pull request.
+
+**1.** Prerequisite
+
+```bash
+dnf install -y rpm-build golang-github-cpuguy83-md2man selinux-policy-devel
+```
+
+**2.** Clone the repo
+
+```bash
+git clone https://github.com/containers/qm.git && cd qm
+```
+
+**3.** Build the RPM
+
+Select a QM version that is a higher number from the current one.
+For example, if today's QM version is 0.6.2, set it to 1.0 so that
+the RPM created is identifiable as yours.
+
+```bash
+make clean && VERSION=1.0 make rpm
+```
+
+The rpm is created at the `${RPM_TOPDIR}/RPMS` folder, by default
+`${PWD}/rpmbuild/RPMS`.
+You can export **RPM_TOPDIR** to change the path where the rpm will be placed.
+For example:
+
+```bash
+VERSION=1.0 RPM_TOPDIR=/USER/rpmbuild make rpm
+```
+
+## Building CentOS AutoSD and QM manually
+
+During development, it is common to conduct integration tests to ensure your
+changes work well with other components within the overall solution.
+In our case, it's best to test against the CentOS Automotive Stream
+Distribution (AutoSD) image.
+
+Once you have the new [RPM](#building-qm-rpm-manually-with-changes), follow these steps:
+
+**1.** Make sure the new rpm is located in **/USER/rpmbuild/RPMS/**
+
+Example
+
+```bash
+ls /root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
+/root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
+```
+
+**2.** Download additional packages required by the image
+
+```bash
+sudo dnf download --destdir /root/rpmbuild/RPMS/noarch/ selinux-policy selinux-policy-any
+```
+
+**3.** Create a local repository with the new package
+
+```bash
+dnf install createrepo_c -y
+cd /root/rpmbuild/RPMS/noarch/
+createrepo .
+```
+
+**4.** Clone the CentOS Automotive distro for the build
+
+Ensure you meet the requirements for the CentOS Automotive Stream by
+referring to [this link](https://sigs.centos.org/automotive/building/).
+
+The following commands will execute:
+
+- Install the podman package
+- Clone the sample-images repository and required submodules (automotive-image-builder)
+- Cleanups before a fresh build
+- Finally creates a new qcow2 image (BASED ON distro name, mode (ostree or regular) and uses the qemu-qm-container sample image)
+  NOTE:
+  - The path for the new QM rpm file (/root/rpmbuild/RPMS/noarch)
+  - extra_rpms - useful for debug.
+  - ssh enabled
+
+The command below utilises automotive-image-builder to produce a `qm-minimal` qcow2 image for cs9,
+other example images such as `simple-qm-container` and the `simple-qm`
+image can be found in the images directory of the sample-images repository.
+
+```bash
+dnf install podman -y && dnf clean all
+git clone https://gitlab.com/CentOS/automotive/sample-images.git
+git submodule update --init
+cd sample-images/
+rm -rf _build #Optional, only relevant after initial build
+rm -rf *.qcow2 #Optional, only relevant after initial build
+./automotive-image-builder/automotive-image-builder build --distro cs9 --mode package --define 'ssh_permit_root_login=true' --define 'ssh_permit_password_auth=true' --define 'extra_repos=[{"id":"local","baseurl":"file:///root/rpmbuild/RPMS/noarch"}]' --define 'extra_rpms=["qm-1.0", "vim-enhanced", "openssh-server", "openssh-clients", "python3", "polkit", "rsync", "strace", "dnf", "gdb"]' --target qemu --export qcow2 images/qm-minimal.mpp.yml cs9-qemu-qm-container.x86_64.qcow2
+```
+
+If you would like more information on building automotive images with automotive-image-builder, please see the
+[Automotive SIG pages for AutoSD](https://sigs.centos.org/automotive/getting-started/about-automotive-image-builder/)
+
+Run the virtual machine, default user: root, pass: password.
+To change default values, use the [defaults.ipp.yml](https://gitlab.com/CentOS/automotive/src/automotive-image-builder/-/blob/main/include/defaults.ipp.yml) file.
+
+```bash
+./automotive-image-builder/automotive-image-runner --nographics ./cs9-qemu-qm-container.x86_64.qcow2
+```

docs/devel/README.maintainer.md

@@ -0,0 +1,21 @@
+# Maintainer documentation
+
+## Creating a new release
+
+Initially, make sure to [bump **qm.te** and **VERSION** files in the git repo](https://github.com/containers/qm/pull/760) to the next release, i.e: *v0.7.5*.
+After that, follow the steps below using GitHub UI.
+
+**Create a new Release**
+![Click on Releases](./pics/creatingreleases/00-Click-on-Releases.jpeg)
+
+**Draft a new release**
+![Draft a new release](./pics/creatingreleases/01-Draft-a-new-release.png)
+
+**Create a new tag**
+![Create a tag](./pics/creatingreleases/02-Create-a-tag.jpeg)
+
+**Generate release notes**
+![Generate release notes](./pics/creatingreleases/03-Generate-release-notes.jpeg)
+
+**Publish Release**
+![Click on publish release](./pics/creatingreleases/04-click-on-publish-release.jpeg)

docs/devel/README.md

@@ -1,277 +0,0 @@
-# Developers documentation
-
-## Table of contents
-
-- [Building QM rpm manually with changes](#building-qm-rpm-manually-with-changes)
-- [Building CentOS AutoSD and QM manually](#building-centos-autosd-and-qm-manually)
-- [Useful Commands](#useful-commands)
-  - [Installing software inside QM partition](#installing-software-inside-qm-partition)
-  - [Removing software inside QM partition](#removing-software-inside-qm-partition)
-  - [Copying files to QM partition](#copying-files-to-qm-partition)
-  - [Listing QM service](#listing-qm-service)
-  - [List QM container via podman](#list-qm-container-via-podman)
-  - [Connecting to QM container via podman](#connecting-to-qm-container-via-podman)
-  - [SSH guest CentOS Automotive Stream Distro](#ssh-guest-centos-automotive-stream-distro)
-  - [Check if HOST and Container are using different network namespace](#check-if-host-and-container-are-using-different-network-namespace)
-  - [Debugging with podman in QM using --root](#debugging-with-podman-in-qm)
-  - [Debugging with quadlet](#debugging-with-quadlet)
-
-## Building QM rpm manually with changes
-
-Building QM locally with changes for tests is a recommended practice,
-especially for testing new features before submitting a pull request.
-
-**1.** Prerequisite
-
-```bash
-dnf install -y rpm-build golang-github-cpuguy83-md2man selinux-policy-devel
-```
-
-**2.** Clone the repo
-
-```bash
-git clone https://github.com/containers/qm.git
-```
-
-**3.** Build the RPM
-
-Select a QM version that is a higher number from the current one.
-For example, if today's QM version is 0.6.2, set it to 1.0 so that
-the RPM created is identifiable as yours.
-
-```bash
-make clean && VERSION=1.0 make rpm
-```
-
-The rpm is created at the `${RPM_TOPDIR}/RPMS` folder, by default
-`${PWD}/rpmbuild/RPMS`.
-You can export **RPM_TOPDIR** to change the path where the rpm will be placed.
-For example:
-
-```bash
-VERSION=1.0 RPM_TOPDIR=/USER/rpmbuild make rpm
-```
-
-## Building CentOS AutoSD and QM manually
-
-During development, it is common to conduct integration tests to ensure your
-changes work well with other components within the overall solution.
-In our case, it's best to test against the CentOS Automotive Stream
-Distribution (AutoSD) image.
-
-Once you have the new [RPM](#building-qm-rpm-manually-with-changes), follow these steps:
-
-**1.** Make sure the new rpm is located in **/USER/rpmbuild/RPMS/**
-
-Example
-
-```bash
-ls /root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
-/root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
-```
-
-**2.** Create a local repository with the new package
-
-```bash
-dnf install createrepo_c -y
-cd /root/rpmbuild/RPMS/
-createrepo .
-```
-
-**4.** Clone the CentOS Automotive distro for the build
-
-Ensure you meet the requirements for the CentOS Automotive Stream by
-referring to [this link](https://sigs.centos.org/automotive/building/).
-
-The following commands will execute:
-
-- Cleanups before a fresh build
-- Remove old qcow2 images used (regular and ostree)
-- Finally creates a new image (BASED ON target name, ostree or regular)
-  NOTE:
-  - The path for the new QM rpm file (/root/rpmbuild/RPMS/noarch)
-  - extra_rpms - useful for debug (do not use spaces between packages or will break)
-  - ssh enabled
-
-```bash
-dnf install podman -y && dnf clean all
-git clone https://gitlab.com/CentOS/automotive/sample-images.git
-git submodule update --init
-cd sample-images/
-rm -rf _build
-rm -f cs9-qemu-qmcontainer-regular.x86_64.qcow2
-rm -f cs9-qemu-qmcontainer-ostree.x86_64.qcow2
-./build --distro cs9 --target qemu --define 'extra_repos=[{\"id\":\"local\",\"baseurl\":\"file:///root/rpmbuild/RPMS/noarch\"}]' --define 'extra_rpms=[\"qm-1.0\",\"vim-enhanced\",\"strace\",\"dnf\",\"gdb\",\"polkit\",\"rsync\",\"python3\",\"openssh-server\",\"openssh-clients\"]' --define 'ssh_permit_root_login=true' --define 'ssh_permit_password_auth=true' cs9-qemu-qmcontainer-regular.x86_64.qcow2
-```
-
-Run the virtual machine, default user: root, pass: password.
-To change default values, use the [defaults.ipp.yml](https://gitlab.com/CentOS/automotive/src/automotive-image-builder/-/blob/main/include/defaults.ipp.yml) file.
-
-```bash
-./runvm --nographics ./cs9-qemu-qm-minimal-regular.x86_64.qcow2
-```
-
-## Useful Commands
-
-### Installing software inside QM partition
-
-```bash
-dnf --installroot /usr/lib/qm/rootfs/ install vim -y
-```
-
-### Removing software inside QM partition
-
-```bash
-dnf --installroot /usr/lib/qm/rootfs/ remove vim -y
-```
-
-### Copying files to QM partition
-
-Please note: This process is only applicable for regular images.
-OSTree images are read-only, and any files must be included during the build process.
-
-Once this is understood, proceed by executing the following command on the host after
-the QM package has been installed.
-
-```bash
-#host> cp file_to_be_copied /usr/lib/qm/rootfs/root
-#host> podman exec -it qm bash
-bash-5.1> ls /root
-file_to_be_copied
-```
-
-### Listing QM service
-
-```bash
-[root@localhost ~]# systemctl status qm -l
-● qm.service
-     Loaded: loaded (/usr/share/containers/systemd/qm.container; generated)
-     Active: active (running) since Sun 2024-04-28 22:12:28 UTC; 12s
-ago
-   Main PID: 354 (conmon)
-      Tasks: 7 (limit: 7772)
-     Memory: 82.1M (swap max: 0B)
-        CPU: 945ms
-     CGroup: /QM.slice/qm.service
-             ├─libpod-payload-a83253ae278d7394cb38e975535590d71de90a41157b547040
-4abd6311fd8cca
-             │ ├─init.scope
-             │ │ └─356 /sbin/init
-             │ └─system.slice
-             │   ├─bluechi-agent.service
-             │   │ └─396 /usr/libexec/bluechi-agent
-             │   ├─dbus-broker.service
-             │   │ ├─399 /usr/bin/dbus-broker-launch --scope system
---audit
-             │   │ └─401 dbus-broker --log 4 --controller 9 --machin
-e-id a83253ae278d7394cb38e975535590d7 --max-bytes 536870912 --max-fds 4096 --max
--matches 16384 --audit
-```
-
-### List QM container via podman
-
-```console
-# podman ps
-CONTAINER ID  IMAGE       COMMAND     CREATED         STATUS         PORTS       NAMES
-a83253ae278d              /sbin/init  38 seconds ago  Up 38 seconds              qm
-```
-
-### Connecting to QM container via podman
-
-```console
-# podman exec -it qm bash
-bash-5.1#
-```
-
-### SSH guest CentOS Automotive Stream Distro
-
-Make sure the CentOS Automotive Stream Distro Virtual Machine/Container is running with SSHD enabled
-and permits ssh connection from root user.
-
-Add **PermitRootLogin yes** into **sshd_config**
-
-```bash
-host> vi /etc/ssh/sshd_config
-```
-
-Restart systemctl restart sshd
-
-```bash
-host> systemctl restart sshd
-```
-
-Find the port the ssh is listening in the VM
-
-```bash
-host> netstat -na |more # Locate the port (2222 or 2223, etc)
-```
-
-Example connecting from the terminal to the Virtual Machine:
-
-```bash
-connect-to-VM-via-SSH> ssh root@127.0.0.1 \
-    -p 2222 \
-    -oStrictHostKeyChecking=no \
-    -oUserKnownHostsFile=/dev/null
-```
-
-### Check if HOST and Container are using different network namespace
-
-#### HOST
-
-```console
-[root@localhost ~]# ls -l /proc/self/ns/net
-lrwxrwxrwx. 1 root root 0 May  1 04:33 /proc/self/ns/net -> 'net:[4026531840]'
-```
-
-#### QM
-
-```console
-bash-5.1# ls -l /proc/self/ns/net
-lrwxrwxrwx. 1 root root 0 May  1 04:33 /proc/self/ns/net -> 'net:[4026532287]'
-```
-
-### Debugging with podman in QM
-
-```console
-bash-5.1# podman --root /usr/share/containers/storage pull alpine
-Error: creating runtime static files directory "/usr/share/containers/storage/libpod":
-mkdir /usr/share/containers/storage: read-only file system
-```
-
-### Creating your own drop-in QM sub-package
-
-We recommend using the existing drop-in files as a guide and adapting them to your specific needs. However, here are the step-by-step instructions:
-
-1) Create a drop-in file in the directory: `etc/qm/containers/containers.conf.d`
-2) Add it as a sub-package to `rpm/qm.spec`
-3) Test it by running: `make clean && VERSION=YOURVERSIONHERE make rpm`
-4) Additionally, test it with and without enabling the sub-package using (by default it should be disabled but there are cases where it will be enabled by default if QM community decide):
-
-Example changing the spec and triggering the build via make (feel free to automate via sed, awk etc):
-
-```bash
-# Define the feature flag: 1 to enable, 0 to disable
-# By default it's disabled: 0
-%define enable_qm_dropin_img_tempdir 1
-
-$ make clean && VERSION=YOURVERSIONHERE make rpm
-```
-
-### Debugging with quadlet
-
-Imagine a situation where you have a Quadlet container inside QM that isn't starting, and you're unsure why. The best approach is to log into the QM, run the ```quadlet --dryrun``` command, and analyze what's happening. Here's how you can troubleshoot the issue step by step.
-
-```bash
-$ sudo podman exec -it qm bash
-bash-5.1# cd /etc/containers/systemd/
-bash-5.1# ls
-ros2-rolling.container
-
-bash-5.1# /usr/libexec/podman/quadlet --dryrun
-quadlet-generator[1068]: Loading source unit file /etc/containers/systemd/ros2-rolling.container
-quadlet-generator[1068]: converting "ros2-rolling.container": unsupported key 'Command' in group 'Container' in /etc/containers/systemd/ros2-rolling.container
-bash-5.1#
-```
-
-As you can see above, the error occurs because the Quadlet is attempting to use an unsupported key from the Service section in the Container group. Removing the unsupported key ```Command``` from ```ros2-rolling.container``` and then reloading or restarting the service should resolve the issue.

docs/docs/experimental/subpackages.md

@@ -0,0 +1,419 @@
+# Subpackages
+
+Subpackages are **experimental approach** to deliver in a single point (RPM) dropin files
+and additional requirements.
+
+The qm project is designed to provide a flexible and modular environment for managing
+Quality Management (QM) software in containerized environments. One of the key features
+of the qm package is its support for sub-package(s), such as the qm-dropin sub-packages.
+These sub-packages are not enabled by default and are optional. However,  allow users
+to easily extend or customize their QM environment by adding specific configurations,
+tools, or scripts to the containerized QM ecosystem by simple installing or uninstalling
+a RPM package into the system.
+
+The key features of QM Sub-Packages are
+
+- **Modularity**
+  - No configuration change, no typo or distribution rebuild/update.
+    - Just dnf install/remove from the traditional rpm schema.
+- **Customizability**
+  - Users can easily add specific configurations to enhance or modify the behavior of their QM containers.
+- **Maintainability**
+  - Sub-packages ensure that the base qm package remains untouched, allowing easy updates without breaking custom configurations.
+- **Simplicity**
+  - Like qm-dropin provide a clear directory structure and templates to guide users in customizing their QM environment.
+
+!!! note
+    The following sections describe the currently available QM subpackages.
+
+## Building QM sub-packages
+
+Choose one of the following sub-packages and build using make.
+
+```bash
+git clone git@github.com:containers/qm.git && cd qm
+
+Example of subpackages: input, kvm, sound, tty7, ttyUSB0, video, windowmanager
+
+make TARGETS=input subpackages
+ls rpmbuild/RPMS/noarch/
+qm-0.6.7-1.fc40.noarch.rpm  qm_mount_bind_input-0.6.7-1.fc40.noarch.rpm
+```
+
+## Installing QM sub-packages
+
+```bash
+$ sudo dnf install ./rpmbuild/RPMS/noarch/qm_mount_bind_input-0.6.7-1.fc40.noarch.rpm
+<SNIP>
+Complete!
+```
+
+If QM is already running, restart or reload your QM container environment to apply the new configurations.
+
+```bash
+sudo systemctl daemon-reload
+sudo podman restart qm
+```
+
+## Removing QM sub-packages
+
+```bash
+sudo rpm -e qm_mount_bind_input
+```
+
+## Creating your own drop-in QM sub-package
+
+We recommend using the existing drop-in files as a guide and adapting them to your specific needs. However, here are the step-by-step instructions:
+
+1) Add a drop-in file to: `etc/containers/systemd/qm.container.d/qm_dropin_<subpackage>.conf>`
+2) Add your package as a sub-package to: `rpm/<subpackage_directory>/<subpackage>.spec`
+3) Add the makefile for the sub-package and any files required by the sub-package to: `subsystems/<subpackage_directory>`
+4) Test the sub-package build by running: `make clean && make TARGETS=<subpackage> subpackages`
+5) Install your sub-package using: `dnf install -y rpmbuild/RPMS/noarch/<subpackage>*.noarch.rpm`
+6) Restart podman container using: `sudo podman restart qm`
+7) Additionally, test it with and without enabling the sub-package using (by default it should be disabled but there are cases where it will be enabled by default if QM community decide):
+
+Example changing the spec and triggering the build via make (feel free to automate via sed, awk etc):
+
+```bash
+# Use make file to run specific subpackage
+make TARGETS=windowmanager subpackages
+```
+
+## QM sub-package Input
+
+The `input` sub-package exposes `/dev/input/*` devices (such as keyboards, mice, touchpads, etc.) from the host system to the QM container.
+
+Follow the steps below to verify that the input sub-package properly mounts and exposes input devices inside the QM container.
+
+### Step 1: Verify input devices are NOT visible inside QM
+
+```bash
+host> sudo podman exec -it qm ls /dev/input
+ls: cannot access '/dev/input': No such file or directory
+```
+
+### Step 2: Build and install the input sub-package
+
+```bash
+host> make TARGETS=input subpackages
+host> sudo dnf install ./rpmbuild/RPMS/noarch/qm_mount_bind_input-0.7.4-1.fc41.noarch.rpm
+```
+
+### Step 3: Confirm input devices exist on the host
+
+```bash
+host> ls /dev/input
+by-id    event0  event2  event4  js0   mouse0  mouse2
+by-path  event1  event3  event5  mice  mouse1
+```
+
+### Step 4: Restart QM to apply the mount bind configuration
+
+```bash
+host> sudo systemctl daemon-reload
+host> sudo podman restart qm
+```
+
+### Step 5: Re-check input devices inside QM
+
+```bash
+host> sudo podman exec -it qm ls /dev/input
+event0  event2  event4  js0   mouse0  mouse2
+event1  event3  event5  mice  mouse1
+```
+
+## QM sub-package tty7
+
+The tty7 sub-package exposes `/dev/tty7` to the container. `/dev/tty7` is typically the virtual terminal associated with the graphical user interface (GUI) on Linux systems.
+
+Follow the steps below to verify that the input sub-package properly mounts and exposes input devices inside the QM container.
+
+### Step 1: Verify tty7 is NOT visible inside QM
+
+```bash
+host> sudo podman exec -it qm ls -l /dev/tty7
+ls: cannot access '/dev/tty7': No such file or directory
+```
+
+### Step 2: Build and install the tty7 sub-package
+
+```bash
+host> make TARGETS=tty7 subpackages
+host> sudo dnf install ./rpmbuild/RPMS/noarch/qm-mount-bind-tty7-0.7.4-1.fc41.noarch.rpm
+```
+
+### Step 3: Restart QM to apply the mount bind configuration
+
+```bash
+host> sudo systemctl daemon-reload
+host> sudo podman restart qm
+```
+
+### Step 4: Re-check tty7 inside QM
+
+```bash
+host> sudo podman exec -it qm ls -l /dev/tty7
+crw--w----. 1 root tty 4, 7 Apr 15 13:34 /dev/tty7
+```
+
+## QM sub-package ttyUSB0
+
+The ttyUSB0 sub-package exposes /dev/ttyUSB0 to the QM container. This device node is commonly used for USB-to-serial adapters, which are widely used to connect embedded systems, IoT devices, or other serial-based equipment.
+
+### Step 1: Verify ttyUSB0 is NOT visible inside QM
+
+```bash
+host> sudo podman exec -it qm ls -l /dev/ttyUSB0
+ls: cannot access '/dev/ttyUSB0': No such file or directory
+```
+
+### Step 2: Build and install the ttyUSB0 sub-package
+
+```bash
+host> make TARGETS=ttyUSB0 subpackages
+host> sudo dnf install ./rpmbuild/RPMS/noarch/qm-mount-bind-ttyUSB0-0.7.4-1.fc41.noarch.rpm
+```
+
+### Step 3: Restart QM to apply the configuration
+
+```bash
+host> sudo systemctl daemon-reload
+host> sudo podman restart qm
+```
+
+### Step 4: Re-check ttyUSB0 inside QM
+
+```bash
+host> sudo podman exec -it qm ls -l /dev/ttyUSB0
+crw-rw-rw-. 1 root root 4, 64 Apr 24 08:50 /dev/ttyUSB0
+```
+
+### Additional Notes
+
+- Make sure the USB-to-serial device is connected to the host machine before restarting QM.
+- You can fake ttyUSB0 connection on host machine for testing reasons with:
+
+    ```bash
+    sudo mknod /dev/ttyUSB0 c 4 64
+    sudo chmod 666 /dev/ttyUSB0
+    ```
+
+## QM sub-package Video
+
+The video sub-package exposes `/dev/video0` (or many video devices required) to the container. This feature is useful for demonstrating how to share a camera from the host system into a container using Podman drop-in. To showcase this functionality, we provide the following demo:
+
+### Building the video sub-package, installing, and restarting QM
+
+```bash
+make TARGETS=video subpackages
+sudo dnf install ./rpmbuild/RPMS/noarch/qm-mount-bind-video-0.6.7-1.fc40.noarch.rpm
+sudo systemctl daemon-reload
+sudo podman restart qm
+```
+
+This simulates a rear camera when the user shifts into reverse gear.
+
+In this simulation, we created a systemd service that, every time it is started, captures a snapshot from the webcam, simulating the action of a rear camera. (Feel free to start and restart the service multiple times!)
+
+```bash
+host> sudo podman exec -it qm bash
+
+bash-5.2# systemctl daemon-reload
+bash-5.2# systemctl start rear-camera
+
+# ls -la /var/tmp/screenshot.jpg
+-rw-r--r--. 1 root root 516687 Oct 13 04:05 /var/tmp/screenshot.jpg
+bash-5.2#
+```
+
+### Copy the screenshot to the host and view it
+
+```bash
+host> sudo podman cp qm:/var/tmp/screenshot.jpg .
+```
+
+Great job! Now imagine all the possibilities this opens up!
+
+## QM sub-package Sound
+
+### Step 1: Install the QM Mount Bind Sound Package
+
+To set up sound cards in a QM environment using Podman, follow the steps below:
+Run the following commands to install the `qm_mount_bind_sound` package and restart QM (if previously in use):
+
+```bash
+# Build and install the RPM for QM sound
+git clone https://github.com/containers/qm.git && cd qm
+make TARGETS=sound subpackages
+sudo dnf install -y rpmbuild/RPMS/noarch/qm_mount_bind_sound-0.6.7-1.fc40.noarch.rpm
+
+# Restart QM container (if already running)
+sudo systemctl daemon-reload
+sudo podman restart qm
+```
+
+### Step 2: Identify Sound Cards
+
+After installing the drop-in and restarting QM, you need to identify which sound card in the Linux system will be used in QM. If you're familiar with your sound card setup feel free to skip this step.
+
+To list the sound cards available on your system (in our case, we will pick the number 1):
+
+```bash
+cat /proc/asound/cards
+```
+
+**Example Output**:
+
+```bash
+ 0 [NVidia         ]: HDA-Intel - HDA NVidia
+                      HDA NVidia at 0x9e000000 irq 17
+ 1 [sofhdadsp      ]: sof-hda-dsp - sof-hda-dsp
+                      LENOVO-20Y5000QUS-ThinkPadX1ExtremeGen4i
+ 2 [USB            ]: USB-Audio - USB Audio Device
+                      Generic USB Audio at usb-0000:00:14.0-5, full speed
+```
+
+### Detecting Channels and Sample Rates
+
+To list the supported number of channels and samples use `pactl` command:
+
+```bash
+pactl list sinks | grep -i 48000 | uniq
+    Sample Specification: s24-32le 2ch 48000Hz
+```
+
+### Verify Sample Rate Support
+
+To show the supported sample rates for a specific sound card codec, you can also inspect the codec details:
+
+```bash
+cat /proc/asound/card1/codec#0 | grep -i rates
+```
+
+This will output the supported sample rates for the codec associated with `card1`.
+
+### Differentiating Between Cards
+
+Accessing Card 1 (sof-hda-dsp)
+
+```bash
+cat /proc/asound/cards | grep -A 1 '^ 1 '
+```
+
+Accessing Card 2 (USB Audio Device)
+
+```bash
+cat /proc/asound/cards | grep -A 1 '^ 2 '
+```
+
+### Step 3: Testing audio inside QM
+
+Inside QM, run the following command:
+
+```bash
+podman exec -it qm bash
+bash-# podman ps
+CONTAINER ID  IMAGE                           COMMAND         CREATED      STATUS      PORTS       NAMES
+76dacaa9a89e  quay.io/qm-images/audio:latest  sleep infinity  7 hours ago  Up 7 hours              systemd-audio
+
+
+bash-# podman exec -it systemd-audio bash
+
+Execute the audio test within the nested container, and the sound will be output through the physical speakers of your computer—or, in this case, the car's multimedia soundbox.
+bash-# speaker-test -D hw:1,0 -c 2 -r 48000
+```
+
+Params:
+
+```bash
+hw:1,0: sound card 1, device 0
+-c 2: two channels (stereo)
+-r 48000: sample rate of 48 kHz
+```
+
+## QM sub-package ROS2
+
+The QM sub-package ROS2 (a.k.a "The Robot Operating System" or middleware for robots) is widely used by open-source projects, enterprises, companies, edge env and government agencies, including NASA, to advance robotics and autonomous systems. Enabled by Quadlet in QM, ROS2 on top of QM provides a secure environment where robots can operate and communicate safely, benefiting from QM's "Freedom from Interference" frequently tested layer. This ensures robots can function without external interference, enhancing their reliability and security.
+
+The types of robots compatible with this environment are extensive, ranging from medical devices and aerial drones to aqua drones and space rockets. ROS2 within QM supports high availability, meaning these robotic systems can maintain continuous operations, crucial for mission-critical and industrial applications. This versatility makes it ideal for environments that demand robust communication and operational safety, from healthcare and aerospace to underwater exploration and autonomous land vehicles.
+
+How to test this env?
+
+```bash
+git clone https://github.com/containers/qm.git && cd qm
+make TARGETS=ros2_rolling subpackages
+sudo dnf install rpmbuild/RPMS/noarch/qm_ros2_rolling-0.6.7-1.fc40.noarch.rpm  -y
+sudo systemctl daemon-reload
+sudo podman restart qm  # if you have qm already running
+
+Testing using talker and listener examples
+$host> sudo podman exec -it qm bash
+QM> . /opt/ros/jazzy/setup.bash # always replace jazz with the image ROS distro
+QM> ros2 run demo_nodes_cpp talker &
+QM> ros2 run demo_nodes_cpp listener
+```
+
+## QM sub-package KVM
+
+The QM sub-package KVM includes drop-in configuration that enables the integration of Kernel-based Virtual Machine (KVM) management into the QM (Quality Management) container environment.
+This configuration allows users to pull containerized kvm from [qm-images-repo](https://quay.io/repository/qm-images/kvm) and run it inside QM
+
+There is also kvm.container which is installed as a service.
+
+Below example step by step:
+
+Step 1:  clone QM repo, create rpm.
+
+```bash
+git clone https://github.com/containers/qm.git && cd qm
+make TARGETS=kvm subpackages
+```
+
+Step 2: copy rpm to running machine
+
+```bash
+scp -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null -P 2222 rpmbuild/RPMS/noarch/qm-kvm-0.7.4-1.fc41.noarch.rpm   root@127.0.0.1:/root/
+```
+
+Step 3: ssh machine install and verify
+
+```bash
+sudo dnf install ./qm-kvm-0.7.4-1.fc41.noarch.rpm
+sudo systemctl restart qm  # if you have qm already running
+```
+
+Step 4: verify, configuration exist
+
+```bash
+ls -ltr /etc/containers/systemd/qm.container.d/
+total 12
+-rw-r--r--. 1 root root  34 Jan  1  1970 publish-port.conf
+-rw-r--r--. 1 root root 139 Jul 21  2023 qm_dropin_mount_bind_kvm.conf
+
+ ls -ltr /etc/qm/containers/systemd/
+total 12
+-rw-r--r--. 1 root root  91 Jan  1  1970 nginx.container
+-rw-r--r--. 1 root root 188 Jul 21  2023 kvm.container
+
+[root@localhost ~]# podman exec  qm systemctl is-active kvm
+active
+
+[root@localhost ~]# podman exec -it qm sh
+sh-5.1# ssh fedora@localhost -p 2226
+[fedora@ibm-p8-kvm-03-guest-02 ~]$ grep ^NAME /etc/os-release
+NAME="Fedora Linux"
+```
+
+### AutoSD install
+
+Some notes related to installing qm on ostree AutoSD image
+
+1. Check /var/qm size is larger then 1.5G
+2. Installing in ostree images with dnf command, requires running rpm-ostree usroverlay
+
+In case using aib schema to build your image, verify adding the following to build command
+
+```bash
+--define 'extra_rpms=["audit","dnf","python3-gobject"] qm_varpart_relative_size=0.5'
+```

docs/docs/getting_started.md

@@ -0,0 +1,17 @@
+## Installing QM
+
+The first step to getting started with QM is installation.
+
+Fedora or CentOS:
+On Fedora and CentOS-Stream systems (with EPEL repository enabled), QM can be directly installed via:
+
+```bash
+dnf install qm
+```
+
+## RPM Mirrors
+
+Looking for a specific version of QM?
+Search in the mirrors list below.
+
+[CentOS Automotive SIG - qm package - noarch](https://mirror.stream.centos.org/SIGs/9-stream/automotive/aarch64/packages-main/Packages/q/)

docs/docs/how_tos/android.md

@@ -1,4 +1,6 @@
-# An example of Android container running on top of kvm using quadlet and Wayland
+# Virtualization: Android container with Quadlet
+
+This is an example of an Android container running on top of kvm using quadlet and Wayland:
 
 ```console
 $ cat ~/.config/containers/systemd/android.container

docs/docs/how_tos/network.md

@@ -0,0 +1,84 @@
+# Using network modes with QM
+
+## Basics: Network Modes in Podman
+
+When running a container with Podman, you can specify the network mode using the `--network` flag. Two common options are `host` and `private`.
+
+### Network=host
+
+If you set `--network=host`, the container will use the host's network stack. This means the container will share the same network namespace as the host, and will be able to access the host's network interfaces, IP addresses, and ports.
+
+In this mode, the container is not isolated from the host's network, and can potentially access sensitive network resources. This can be useful for certain use cases, such as running a container that needs to access a specific network interface or port on the host.
+
+### Network=private (default)
+
+By default, Podman uses the `private` network mode. This means that the container will have its own isolated network namespace, and will not be able to access the host's network interfaces, IP addresses, or ports.
+
+In this mode, the container is isolated from the host's network, and can only communicate with other containers on the same network. This provides a higher level of security, as the container is not able to access sensitive network resources on the host.
+
+### Security Implications
+
+The reason `private` is the default network mode is due to security concerns. By isolating the container's network namespace, Podman prevents the container from accessing sensitive network resources on the host, such as:
+
+* Host's network interfaces and IP addresses
+* Host's ports and services
+* Other containers on the host
+
+This helps to prevent potential security vulnerabilities, such as:
+
+* Container escape: a container accessing sensitive resources on the host
+* Lateral movement: a container accessing other containers on the host
+
+### Example
+
+To illustrate the difference, consider the following example:
+
+```bash
+# Run a container with network=host
+podman run -it --network=host fedora /bin/bash
+
+# Run a container with network=private (default)
+podman run -it --network=private fedora /bin/bash
+```
+
+In the first example, the container will share the host's network namespace, while in the second example, the container will have its own isolated network namespace.
+
+For more information, see the [Podman Networking Tutorial](https://github.com/containers/podman/blob/main/docs/tutorials/basic_networking.md).
+
+For network modes configuration example using quadlets, see [Quadlet Network Example](https://github.com/containers/qm/blob/main/docs/quadlet-examples/network/README.md).
+
+## Quadlet example running host and private networks
+
+Here is an example of running a network-test container using quadlets for both --network=host and --network=private. You should place this file either in /usr/share/containers/systemd/ or /etc/containers/systemd/
+
+```console
+/usr/share/containers/systemd/
+/etc/containers/systemd/
+```
+
+For rootless users:
+
+```console
+$HOME/.config/containers/systemd/
+
+```
+
+Host Network
+
+```console
+# network-test.container
+[Container]
+ContainerName=network-test
+Image=localhost/local-audio-image
+Network=host
+```
+
+Private Network
+
+```console
+# network-test.container
+[Container]
+ContainerName=network-test
+Image=localhost/local-audio-image
+Network=private
+```

docs/docs/how_tos/qm_variables.md

@@ -1,11 +1,7 @@
-# Title: How to change the variables in qm containers.conf
-
-## Description
+# Changing variables in qm containers.conf
 
 The `container.conf` file needs to be modified to allow pulling images larger than 1G from the repository on OStree images.
 
-Input:
-
 ## Update container image_copy_tmp_dir if the image is an OStree
 
 1. Create /var/qm/tmp.dir or differently named directory on host.

docs/docs/index.md

@@ -0,0 +1,11 @@
+# QM
+
+## QM is a containerized environment for running Functional Safety QM (Quality Management) software
+
+The qm package sets up an isolated runtime environment for non-critical processes, managed through container tools and systemd. It is designed to ensure that these processes do not interfere with the host system, making it ideal for scenarios such as ASIL (Automotive Safety Integrity Level) separation.
+
+QM runs as an exploded container—a persistent, containerized root filesystem mounted under /var/lib/qm/rootfs. It operates with its own instance of systemd, effectively creating a nested user space within its dedicated disk partition. This setup allows the system to isolate and control resource usage via cgroups, namespaces, and security constraints.
+
+System-level tooling like Podman and systemd inside QM are fully independent from the host, so even container commands themselves are sandboxed. The environment is provisioned using Podman and configured with quadlet units, which streamline setup and lifecycle management.
+
+Software installed inside the QM root is automatically isolated from the host. Developers can further segment workloads by using container tools inside QM to manage additional levels of containment for processes requiring extra isolation.

docs/docs/ipc.md

@@ -0,0 +1,72 @@
+# Setting up IPC
+
+In systems where **Automotive Safety Integrity Level (ASIL)** and **Quality Management (QM)**
+components coexist, strict separation is enforced to maintain safety and security boundaries via
+**SELinux (Security-Enhanced Linux)**, which labels processes and files with security contexts
+to control their interactions.
+
+**IPC (Inter-Process Communication)** between ASIL and QM components must be tightly controlled.
+To comply with SELinux policies and avoid permission denials, any socket-based communication
+between ASIL and QM domains should be established in the dedicated directory such as /run/ipc
+with ipc_var_run_t file context. It serves as a secure bridge for cross-domain communication
+while maintaining SELinux isolation.
+
+On the other hand, **IPC between QM services** (e.g., two services or containers within the same QM domain)
+can occur as well. Since these components share the same SELinux type and context, they are allowed to
+communicate using standard Unix domain sockets located in /run. This approach simplifies internal QM
+communication without compromising the system's overall security posture. Such communication can be
+orchestrated also using container orchestration patterns like **.pod (Podman pod definitions)** or
+**.kube (Kubernetes pod manifests)**, which group related services in shared namespaces to support efficient
+IPC within the same trust boundary.
+
+## Example QM to QM app
+
+## /etc/qm/containers/systemd/ipc_client.container
+
+```console
+[Unit]
+Description=Demo client service container
+Requires=ipc_server.socket
+After=ipc_server.socket
+[Container]
+Image=quay.io/username/ipc-demo/ipc_client:latest
+Network=none
+Volume=/run/:/run/
+SecurityLabelLevel=s0:c1,c2
+[Service]
+Restart=always
+[Install]
+WantedBy=multi-user.target
+```
+
+## /etc/qm/containers/systemd/ipc_server.container
+
+```console
+[Unit]
+Description=Demo server service container
+Requires=ipc_server.socket
+After=ipc_server.socket
+[Container]
+Image=quay.io/username/ipc-demo/ipc_server:latest
+Network=none
+Volume=/run/:/run/
+SecurityLabelLevel=s0:c1,c2
+[Service]
+Restart=always
+Type=notify
+[Install]
+WantedBy=multi-user.target
+```
+
+## /etc/qm/systemd/system/ipc_server.socket
+
+```console
+[Unit]
+Description=IPC Server Socket
+[Socket]
+ListenStream=%t/ipc_server.socket
+SELinuxContextFromNet=yes
+
+[Install]
+WantedBy=sockets.target
+```

docs/docs/resources.md

@@ -0,0 +1,6 @@
+# Additional Resources
+
+- [Paving the Way for Uninterrupted Car Operations - DevConf Boston 2024](https://www.youtube.com/watch?v=jTrLqpw7E6Q)
+- [Security - Sample Risk Analysis according to ISO26262](https://www.youtube.com/watch?v=jTrLqpw7E6Q&t=1268s)
+- [ASIL and QM - Simulation and Service Monitoring using bluechi and podman](https://www.youtube.com/watch?v=jTrLqpw7E6Q&t=1680s)
+- [Containers in a Car - DevConf.CZ 2023](https://www.youtube.com/watch?v=FPxka5uDA_4)

docs/docs/usage.md

@@ -0,0 +1,262 @@
+# Using QM
+
+This section describes how to interact with QM.
+
+## Installing software inside QM partition
+
+```bash
+dnf --installroot /usr/lib/qm/rootfs/ install vim -y
+```
+
+## Removing software inside QM partition
+
+```bash
+dnf --installroot /usr/lib/qm/rootfs/ remove vim -y
+```
+
+## Copying files to QM partition
+
+Please note: This process is only applicable for regular images.
+OSTree images are read-only, and any files must be included during the build process.
+
+Once this is understood, proceed by executing the following command on the host after
+the QM package has been installed.
+
+```bash
+#host> cp file_to_be_copied /usr/lib/qm/rootfs/root
+#host> podman exec -it qm bash
+bash-5.1> ls /root
+file_to_be_copied
+```
+
+## Listing QM service
+
+```bash
+[root@localhost ~]# systemctl status qm -l
+● qm.service
+     Loaded: loaded (/usr/share/containers/systemd/qm.container; generated)
+     Active: active (running) since Sun 2024-04-28 22:12:28 UTC; 12s
+ago
+   Main PID: 354 (conmon)
+      Tasks: 7 (limit: 7772)
+     Memory: 82.1M (swap max: 0B)
+        CPU: 945ms
+     CGroup: /qm.service
+             ├─libpod-payload-a83253ae278d7394cb38e975535590d71de90a41157b547040
+4abd6311fd8cca
+             │ ├─init.scope
+             │ │ └─356 /sbin/init
+             │ └─system.slice
+             │   ├─bluechi-agent.service
+             │   │ └─396 /usr/libexec/bluechi-agent
+             │   ├─dbus-broker.service
+             │   │ ├─399 /usr/bin/dbus-broker-launch --scope system
+--audit
+             │   │ └─401 dbus-broker --log 4 --controller 9 --machin
+e-id a83253ae278d7394cb38e975535590d7 --max-bytes 536870912 --max-fds 4096 --max
+-matches 16384 --audit
+```
+
+## List QM container via podman
+
+```console
+# podman ps
+CONTAINER ID  IMAGE       COMMAND     CREATED         STATUS         PORTS       NAMES
+a83253ae278d              /sbin/init  38 seconds ago  Up 38 seconds              qm
+```
+
+## Extend QM quadlet managed by podman
+
+QM quadlet file is shipped through rpm, refer the following file.
+qm.container which is installed to /usr/share/containers/systemd/qm.container
+Please refer `man quadlet` for the supported value and how to.
+
+In case a change needed in quadlet file, do not update systemd/qm.container file
+As per `man quadlet` do the following:
+
+```console
+if ! test -e /etc/containers/systemd/qm.container.d ; then
+  mkdir -p  /etc/containers/systemd/qm.container.d
+fi
+cat > "/etc/containers/systemd/qm.container.d/expose-dev.conf" <<EOF
+[Container]
+# Expose host device /dev/net/tun
+AddDevice=-/dev/net/tun
+# In case parameter override needed, add empty value before the required key
+Unmask=
+Unmask=ALL
+EOF
+```
+
+To verify the result use the following command:
+
+```console
+/usr/lib/systemd/system-generators/podman-system-generator  --dryrun
+```
+
+Once the result is satisfied, apply the following
+
+```console
+systemctl daemon-reload
+systemctl restart qm
+systemctl is-active qm
+active
+```
+
+## Managing CPU usage
+
+Using the steps below, it's possible to manage CPU usage of the `qm.service` by modifying service attributes and utilizing drop-in files.
+
+### Setting the CPUWeight attribute
+
+Modifying the `CPUWeight` attribute affects the priority of the `qm.service`. A higher value prioritizes the service, while a lower value deprioritizes it.
+
+Inspect the current CPUWeight value:
+
+```bash
+systemctl show -p CPUWeight qm.service
+```
+
+Set the CPUWeight value:
+
+```bash
+systemctl set-property qm.service CPUWeight=500
+```
+
+### Limiting CPUQuota
+
+It's also possible to limit the percentage of the CPU allocated to the `qm.service` by defining `CPUQuota`. The percentage specifies how much CPU time the unit shall get at maximum, relative to the total CPU time available on one CPU.
+
+Inspect the current `CPUQuota` value via the `CPUQuotaPerSecUSec` property:
+
+```bash
+systemctl show -p CPUQuotaPerSecUSec qm.service
+```
+
+Set the `CPUQuota` value of `qm.service` on the host using:
+
+```bash
+systemctl set-property qm.service CPUQuota=50%
+```
+
+Verify the `CPUQuota` drop in file has been created using the command below.
+
+```bash
+systemctl show qm.service | grep "DropInPath"
+```
+
+Expected output:
+
+```bash
+DropInPaths=/usr/lib/systemd/system/service.d/10-timeout-abort.conf /etc/systemd/system.control/qm.service.d/50-CPUQuota.conf
+```
+
+To test maxing out CPU usage and then inspect using the `top` command, follow these steps:
+
+- Set the `CPUQuota` value of `qm.service` on the host using:
+
+```bash
+systemctl set-property qm.service CPUQuota=50%
+```
+
+- Execute this command to stress the CPU for 30 seconds:
+
+```bash
+podman exec qm timeout 30 dd if=/dev/zero of=/dev/null
+```
+
+- Observe the limited CPU consumption from the `qm.service`, as shown in the output of the command below:
+
+```bash
+top | head
+```
+
+Expected output:
+
+```bash
+    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
+1213867 root      20   0    2600   1528   1528 R  50.0   0.0   4:15.21 dd
+   3471 user      20   0  455124   7568   6492 S   8.3   0.0   1:43.64 ibus-en+
+      1 root      20   0   65576  37904  11116 S   0.0   0.1   0:40.00 systemd
+```
+
+## Connecting to QM container via podman
+
+```console
+# podman exec -it qm bash
+bash-5.1#
+```
+
+## SSH guest CentOS Automotive Stream Distro
+
+Make sure the CentOS Automotive Stream Distro Virtual Machine/Container is running with SSHD enabled
+and permits ssh connection from root user.
+
+Add **PermitRootLogin yes** into **sshd_config**
+
+```bash
+host> vi /etc/ssh/sshd_config
+```
+
+Restart systemctl restart sshd
+
+```bash
+host> systemctl restart sshd
+```
+
+Find the port the ssh is listening in the VM
+
+```bash
+host> netstat -na |more # Locate the port (2222 or 2223, etc)
+```
+
+Example connecting from the terminal to the Virtual Machine:
+
+```bash
+connect-to-VM-via-SSH> ssh root@127.0.0.1 \
+    -p 2222 \
+    -oStrictHostKeyChecking=no \
+    -oUserKnownHostsFile=/dev/null
+```
+
+## Check if HOST and Container are using different network namespace
+
+### HOST
+
+```console
+[root@localhost ~]# ls -l /proc/self/ns/net
+lrwxrwxrwx. 1 root root 0 May  1 04:33 /proc/self/ns/net -> 'net:[4026531840]'
+```
+
+### QM
+
+```console
+bash-5.1# ls -l /proc/self/ns/net
+lrwxrwxrwx. 1 root root 0 May  1 04:33 /proc/self/ns/net -> 'net:[4026532287]'
+```
+
+## Debugging with podman in QM
+
+```console
+bash-5.1# podman --root /usr/share/containers/storage pull alpine
+Error: creating runtime static files directory "/usr/share/containers/storage/libpod":
+mkdir /usr/share/containers/storage: read-only file system
+```
+
+## Debugging with quadlet
+
+Imagine a situation where you have a Quadlet container inside QM that isn't starting, and you're unsure why. The best approach is to log into the QM, run the ```quadlet --dryrun``` command, and analyze what's happening. Here's how you can troubleshoot the issue step by step.
+
+```bash
+$ sudo podman exec -it qm bash
+bash-5.1# cd /etc/containers/systemd/
+bash-5.1# ls
+ros2.container
+
+bash-5.1# /usr/libexec/podman/quadlet --dryrun
+quadlet-generator[1068]: Loading source unit file /etc/containers/systemd/ros2.container
+quadlet-generator[1068]: converting "ros2.container": unsupported key 'Command' in group 'Container' in /etc/containers/systemd/ros2.container
+bash-5.1#
+```
+
+As you can see above, the error occurs because the Quadlet is attempting to use an unsupported key from the Service section in the Container group. Removing the unsupported key ```Command``` from ```ros2.container``` and then reloading or restarting the service should resolve the issue.

docs/mkdocs.yml

@@ -0,0 +1,38 @@
+site_name: QM Documentation
+
+repo_url: https://github.com/containers/qm
+repo_name: qm
+edit_uri: blob/main/docs/docs/
+
+copyright: Copyright Contributors to the QM project
+nav:
+  - Home: index.md
+  - Getting Started: getting_started.md
+  - Using QM: usage.md
+  - Setting up IPC: ipc.md
+  - How To:
+    - Android container: how_tos/android.md
+    - Using network modes with QM: how_tos/network.md
+    - Changing variables in QM: how_tos/qm_variables.md
+  - Experimental:
+    - QM Subpackages: experimental/subpackages.md
+  - Additional resources: resources.md
+
+theme:
+  name: material
+  features:
+    - content.code.copy
+    - navigation.indexes
+
+markdown_extensions:
+  - toc:
+      permalink: True
+  - sane_lists
+  - smarty
+  - admonition
+  - pymdownx.snippets:
+      base_path: ["docs"]
+      check_paths: True
+  - pymdownx.superfences:
+  - pymdownx.tabbed:
+      alternate_style: true

docs/requirements.txt

@@ -0,0 +1,3 @@
+mkdocs>=1.3.0
+mkdocs-material>=9.3.1
+pymdown-extensions>=10.0.1

etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_dvb.conf

@@ -0,0 +1,28 @@
+# Drop-in configuration for Podman to mount bind /dev/dvbX Digital TV
+#
+# In a typical vehicle system, dvb is connected to car's onboard computer via a CAN bus
+# (Controller Area Network), which transmits signals from the dvbs to the car’s system for real-time
+# processing.
+#
+# However, it's possible to create a simulation environment using traditional hardware and open-source
+# software, eliminating the need for actual car dvb or CAN bus integration. By using open-source
+# tools like Podman containers and dvb processing libraries, virtual
+# dvbs can be simulated.
+#
+# "/dev/dvb0:/dev/dvb0", # Stereo Radio
+#
+#          Camera System Layout (Top-Down View)
+#
+#          ┌─────────────────────────────┐
+#          │        /dev/dvb0            │
+#          └────────────┬────────────────┘
+#                       │
+# ┌─────────────────────┴────────────────────────────────┐
+# │              Vehicle Body (Top View)                 │
+# │                                                      │
+# └──────────────────────────────────────────────────────┘
+#
+# Drop-in configuration for Podman to mount bind /dev/dvb from host to container
+#
+[Container]
+AddDevice=-/dev/dvb0

etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_input.conf

@@ -41,7 +41,5 @@
 # input device is connected to (useful for distinguishing between
 # identical devices connected to different ports).
 #
-[containers]
-devices = [
-	"/dev/input:/dev/input"
-]
+[Container]
+AddDevice=-/dev/input

etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_kvm.conf

@@ -1,7 +1,5 @@
 # Drop-in configuration for Podman to mount bind /dev/kvm from host to container
 #
-[containers]
-devices = [
-	"/dev/kvm:/dev/kvm",
-	"/dev/net/tun:/dev/net/tun"
-]
+[Container]
+AddDevice=-/dev/net/tun
+AddDevice=-/dev/kvm

etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_radio.conf

@@ -0,0 +1,29 @@
+# Drop-in configuration for Podman to mount bind /dev/radioX Stereo Radio
+#
+# In a typical vehicle system, radio is connected to car's onboard computer via a CAN bus
+# (Controller Area Network), which transmits signals from the radios to the car’s system for real-time
+# processing.
+#
+# However, it's possible to create a simulation environment using traditional hardware and open-source
+# software, eliminating the need for actual car radio or CAN bus integration. By using open-source
+# tools like Podman containers and radio processing libraries, virtual
+# radios can be simulated.
+#
+# "/dev/radio0:/dev/radio0", # Stereo Radio
+#
+#          Camera System Layout (Top-Down View)
+#
+#          ┌─────────────────────────────┐
+#          │        /dev/radio0          │
+#          │      (Stereo Radio)         │
+#          └────────────┬────────────────┘
+#                       │
+# ┌─────────────────────┴────────────────────────────────┐
+# │              Vehicle Body (Top View)                 │
+# │                                                      │
+# └──────────────────────────────────────────────────────┘
+#
+# Drop-in configuration for Podman to mount bind /dev/radio0 from host to container
+#
+[Container]
+AddDevice=-/dev/radio0

etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_snd.conf

@@ -38,9 +38,5 @@
 # +-------------------------------------------------------------+
 #
 # qm_dropin_mount_bind_snd.conf
-[containers]
-
-# Devices to map for the container (sound device)
-devices = [
-    "/dev/snd:/dev/snd"
-]
+[Container]
+AddDevice=-/dev/snd

etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_tty7.conf

@@ -6,7 +6,5 @@
 # handling the graphical display, input, and windowing environment.
 # When you start a graphical session (such as GNOME, KDE, etc.),
 # it usually runs on this virtual console.
-[containers]
-devices = [
-	"/dev/tty7:/dev/tty7"
-]
+[Container]
+AddDevice=-/dev/tty7

etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_ttyUSB0.conf

@@ -68,7 +68,5 @@
 #      +------------------------------------------------------------+
 #
 #
-[containers]
-devices = [
-	"/dev/ttyUSB0:/dev/ttyUSB0"
-]
+[Container]
+AddDevice=-/dev/ttyUSB0

etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_video.conf

@@ -56,7 +56,5 @@
 #          └─────────────────────────────┘
 #
 #
-[containers]
-devices = [
-	"/dev/video0:/dev/video0"
-]
+[Container]
+AddDevice=-/dev/video0

etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_window_manager.conf

@@ -0,0 +1,11 @@
+# Drop-in configuration for Podman to mount bind tty from host to container
+#
+[Container]
+Mount=type=bind,source=/dev/tty0,target=/dev/tty0
+Mount=type=bind,source=/dev/tty1,target=/dev/tty1
+Mount=type=bind,source=/dev/tty2,target=/dev/tty2
+Mount=type=bind,source=/dev/tty3,target=/dev/tty3
+Mount=type=bind,source=/dev/tty4,target=/dev/tty4
+Mount=type=bind,source=/dev/tty5,target=/dev/tty5
+Mount=type=bind,source=/dev/tty6,target=/dev/tty6
+Mount=type=bind,source=/dev/tty7,target=/dev/tty7

plans/e2e/aib.fmf

@@ -0,0 +1,18 @@
+summary: automotive-image-builder QM build test
+
+discover:
+    how: fmf
+    filter: 'tag:aib'
+
+prepare:
+  - name: Install packages
+    how: install
+    order: 20
+    package:
+      - jq
+
+execute:
+    how: tmt
+
+report:
+    how: junit

plans/e2e/ffi.fmf

@@ -24,6 +24,10 @@ adjust:
         script: |
            cd tests/e2e
            ./set-ffi-env-e2e "${FFI_SETUP_OPTIONS}"
+      - name: Place quadlet for ffi-qm container
+        how: shell
+        script: |
+            cp tests/ffi/common/ffi-qm.container /etc/qm/containers/systemd/
 
 execute:
     how: tmt

plans/e2e/kvm-tier-0.fmf

@@ -0,0 +1,18 @@
+summary: Kvm Tier 0 - QM sanity test
+
+discover:
+    how: fmf
+    filter: 'tier:0&tag:kvm|tier:0&tag:qmctl-test'
+
+prepare+:
+    - name: Enable copr and install rpms
+      script: |
+          cd tests/e2e
+          bash ./lib/repoutils
+
+execute:
+    how: tmt
+
+report:
+    how: junit
+

plans/e2e/tier-0.fmf

@@ -2,7 +2,7 @@ summary: Tier 0 - QM sanity test
 
 discover:
     how: fmf
-    filter: tier:0
+    filter: 'tier:0&tag:-setup'
 
 prepare+:
   - name: Set QM environment
@@ -16,4 +16,4 @@ execute:
     how: tmt
 
 report:
-    how: junit
+    how: junit

plans/main.fmf

@@ -9,6 +9,7 @@ prepare:
     order: 20
     package:
       - podman
+      - bc
 
 adjust:
  - when: run == manual

qm.8.md

@@ -40,7 +40,7 @@ systemctl status qm.service
       Tasks: 11 (limit: 76801)
      Memory: 275.1M (swap max: 0B)
         CPU: 4.527s
-     CGroup: /QM.slice/qm.service
+     CGroup: /qm.service
              ├─libpod-payload-00de006493bc970788d6c830beb494a58a9a2847a5eda200812d3a8b4e214814
              │ ├─init.scope
              │ │ └─993676 /sbin/init
@@ -53,11 +53,13 @@ systemctl status qm.service
 ...
 ```
 
-## CGROUPS QM.slice
+## CGroups and container configuration
 
-Notice that the QM environment is running systemd and other services within the
-QM.Slice. This slice can be used to modify the cgroups controls of all of the
-processes within the QM environment.
+The options in the qm.container file overridden by using drop-in files, in the
+directories `/etc/containers/systemd/qm.container.d` or`
+`/usr/lib/containers/systemd/qm.container.d. This allows overriding for example
+CGroup options like Service.CPUWeight, or podman options like Container.Volume.
+Such options will affect all the processes running in the qm container.
 
 ## Install Additional packages in QM
 

qm.container

@@ -4,7 +4,14 @@ WantedBy=default.target
 [Service]
 # It's recommended to use systemd drop-in to override the
 # systemd settings. See QM manpage for an example.
-CPUWeight=50
+# CPUWeight: This setting controls the CPU controller for qm.
+# Delegate: Turns on delegation of further resource control
+#           partitioning to processes of the unit.
+# IOWeight: Set the overall block I/O weight for qm.
+# ManagedOOMSwap=auto|kill: Specifies how systemd-oomd.service will act on qm.
+# QM cgroup, pass directly to systemd and handled by it,
+# please refer to `man systemd.resource-control` for details.
+CPUWeight=idle
 Delegate=true
 IOWeight=50
 ManagedOOMSwap=kill
@@ -27,7 +34,10 @@ MemorySwapMax=0
 # Containers within the qm contain default set OOMScoreAdj to 750
 OOMScoreAdjust=500
 Restart=always
-Slice=QM.slice
+# qm.service is a toplevel cgroup, so CPUWeight is relative to all other cgroups in that
+# parent (such as user.slice and system.slice), otherwise the CPUWeight of qm.service
+# is only compared to the other children of its parent.
+Slice=-.slice
 Environment=ROOTFS=/usr/lib/qm/rootfs
 Environment=RWETCFS=/etc/qm
 Environment=RWVARFS=/var/qm
@@ -35,18 +45,50 @@ LimitNOFILE=65536
 TasksMax=50%
 
 [Container]
+# AddCapability
+# -------------
+# Add these capabilities, in addition to the default Podman capability set, to the container.
+# If set to all, grants all capabilities to the container, increasing flexibility but significantly
+# reducing security.
+# For details see: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#addcapability
 AddCapability=all
 
+SecurityLabelNested=true
+SeccompProfile=/usr/share/qm/seccomp-no-rt.json
+
+# PidsLimit
+# ---------
+# Disables the PID limit for the container by setting it to -1.
+# Without a limit, the container can spawn unlimited processes, potentially exhausting system resources.
+# For details see: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#pidslimit
+PidsLimit=-1
+
 # Comment DropCapability this will allow FFI Tools to surpass their defaults.
-DropCapability=sys_resource
+DropCapability=sys_boot sys_resource
 
 AddDevice=-/dev/kvm
 AddDevice=-/dev/fuse
 ContainerName=qm
 Exec=/sbin/init
 Network=private
-PodmanArgs=--pids-limit=-1 --security-opt seccomp=/usr/share/qm/seccomp.json --security-opt label=nested --security-opt unmask=all
+
+# ReadOnly
+# --------
+# Makes the container's filesystem read-only, enhancing security by preventing modifications.
 ReadOnly=true
+
+# TmpFS flags
+ReadOnlyTmpfs=false
+Mount=type=tmpfs,tmpfs-size=512M,destination=/tmp
+Mount=type=tmpfs,tmpfs-size=512M,destination=/run
+Mount=type=tmpfs,destination=/dev/shm
+
+# Rootfs
+# ------
+# Defines the root filesystem location for QM partition.
+# By default the '${ROOTFS}' variable points to /usr/lib/qm/rootfs.
+# For details see: https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html#rootfs
+#
 Rootfs=${ROOTFS}
 
 SecurityLabelNested=true
@@ -56,3 +98,4 @@ SecurityLabelType=qm_t
 Timezone=local
 Volume=${RWETCFS}:/etc
 Volume=${RWVARFS}:/var
+

qm.fc

@@ -10,4 +10,8 @@
 /etc/qm(/.*)?	gen_context(system_u:object_r:qm_file_t,s0)
 
 # File context for ipc programs
-/var/run/ipc(/.*)?	gen_context(system_u:object_r:ipc_var_run_t,s0)
+/usr/lib/qm/rootfs/run/ipc(/.*)?	gen_context(system_u:object_r:ipc_var_run_t,s0)
+/run/ipc(/.*)?	gen_context(system_u:object_r:ipc_var_run_t,s0)
+
+# File context for bluechi-agent inside QM
+/usr/lib/qm/rootfs/usr/libexec/bluechi-agent	--	gen_context(system_u:object_r:qm_bluechi_agent_exec_t,s0)

qm.if

@@ -15,6 +15,7 @@ template(`qm_domain_template',`
 	gen_require(`
 		class dbus { send_msg acquire_svc };
 		class passwd rootok;
+		class process setcurrent;
 
 		attribute container_domain;
 		attribute filesystem_type;
@@ -60,6 +61,7 @@ template(`qm_domain_template',`
 	container_exec_share_files($1_t)
 	allow $1_t container_ro_file_t:file execmod;
 	allow $1_container_domain $1_file_type:chr_file { rw_inherited_file_perms };
+	allow $1_t self:process setcurrent;
 
 	attribute $1_file_type;
 	allow $1_file_type self:filesystem associate;
@@ -83,6 +85,7 @@ template(`qm_domain_template',`
 	allow $1_t $1_file_type:chr_file mounton;
 	allow $1_t $1_file_type:sock_file mounton;
 
+	filetrans_pattern(ipc_t, $1_file_t, ipc_var_run_t, dir, "ipc")
 	list_dirs_pattern($1_t, ipc_var_run_t, ipc_var_run_t)
 	allow $1_t ipc_var_run_t:dir mounton;
 
@@ -93,7 +96,7 @@ template(`qm_domain_template',`
 	manage_lnk_files_pattern($1_t, $1_file_type, $1_file_type)
 	manage_sock_files_pattern($1_t, $1_file_type, $1_file_type)
 	fs_tmpfs_filetrans($1_t, $1_file_t, { dir file lnk_file })
-	allow $1_t $1_file_type:chr_file { watch watch_reads };
+	allow $1_t $1_file_type:chr_file { watch watch_reads map };
 	allow $1_t $1_file_type:dir { mounton relabelfrom relabelto };
 	allow $1_t $1_file_type:filesystem all_filesystem_perms;
 

qm.te

@@ -1,4 +1,4 @@
-policy_module(qm, 0.6.8)
+policy_module(qm, 0.7.6)
 
 gen_require(`
 	attribute container_file_type;
@@ -29,3 +29,57 @@ files_pid_filetrans(init_t, ipc_var_run_t, dir, "ipc")
 unconfined_domain(ipc_t)
 
 qm_domain_template(qm)
+
+
+
+#########################################
+#
+# bluechi-agent inside QM
+#
+
+type qm_bluechi_agent_t;
+type qm_bluechi_agent_exec_t;
+init_daemon_domain(qm_bluechi_agent_t, qm_bluechi_agent_exec_t)
+
+allow qm_bluechi_agent_t qm_file_t:chr_file read;
+allow qm_bluechi_agent_t qm_file_t:dir { open read search getattr };
+allow qm_bluechi_agent_t qm_file_t:file { execute getattr open read };
+allow qm_bluechi_agent_t qm_file_t:file map;
+allow qm_bluechi_agent_t qm_file_t:lnk_file read;
+allow qm_bluechi_agent_t qm_file_t:sock_file write;
+allow qm_bluechi_agent_t qm_t:unix_dgram_socket sendto;
+allow qm_bluechi_agent_t qm_t:unix_stream_socket connectto;
+allow qm_bluechi_agent_t self:unix_dgram_socket { create getopt setopt };
+allow qm_bluechi_agent_t self:tcp_socket create_stream_socket_perms;
+
+allow qm_bluechi_agent_t qm_t:dbus { send_msg acquire_svc };
+allow qm_bluechi_agent_t qm_t:system status;
+allow qm_bluechi_agent_t qm_t:system { reload start stop status };
+allow qm_bluechi_agent_t qm_file_t:service { reload start stop status };
+
+allow qm_t qm_bluechi_agent_t:dir search;
+allow qm_t qm_bluechi_agent_t:file { getattr ioctl open read };
+allow qm_t qm_bluechi_agent_t:lnk_file read;
+allow qm_t qm_bluechi_agent_t:dbus send_msg;
+allow qm_t qm_bluechi_agent_t:process { signull signal sigkill };
+
+unconfined_server_stream_connectto(qm_bluechi_agent_t)
+
+# Allow qm_bluechi_agent_t to connect to any port instead of labelled ones.
+gen_tunable(qm_bluechi_agent_port_connect_any, true)
+
+optional_policy(`
+	require{
+		type bluechi_var_run_t;
+		type bluechi_agent_port_t;
+		type bluechi_t;
+	}
+
+	tunable_policy(`qm_bluechi_agent_port_connect_any',`
+		corenet_tcp_connect_all_ports(qm_bluechi_agent_t)
+	',`
+		allow qm_bluechi_agent_t bluechi_agent_port_t:tcp_socket name_connect;
+	')
+
+	stream_connect_pattern(qm_bluechi_agent_t, bluechi_var_run_t, bluechi_var_run_t, bluechi_t)
+')

rpm/.coprignore

@@ -0,0 +1 @@
+qm-kvm.spec

rpm/.gitignore

@@ -1 +1 @@
-v*.tar.gz
+*.tar.gz

rpm/dvb/dvb.spec

@@ -0,0 +1,37 @@
+%global debug_package %{nil}
+
+Name: qm-mount-bind-dvb
+Version: 0
+Release: 1%{?dist}
+Summary: Drop-in configuration for QM containers to mount bind /dev/dvb
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-dvb-%{version}.tar.gz
+
+BuildArch: noarch
+Requires: qm >= %{version}
+
+%description
+This subpackage installs a drop-in configuration for QM containers to mount bind `/dev/dvb`.
+
+%prep
+%autosetup -Sgit -n qm-dvb-%{version}
+
+%install
+# Create the directory for drop-in configurations
+install -d %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d
+
+# Install the dvb drop-in configuration file
+install -m 644 %{_builddir}/qm-dvb-%{version}/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_dvb.conf \
+    %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_dvb.conf
+
+
+%files
+%license LICENSE
+%doc README.md SECURITY.md
+%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_dvb.conf
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Added dvb mount bind drop-in configuration.
+

rpm/input/input.spec

@@ -0,0 +1,35 @@
+%global debug_package %{nil}
+
+Name: qm-mount-bind-input
+Version: 0
+Release: 1%{?dist}
+Summary: Drop-in configuration for QM containers to mount bind input devices
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-input-%{version}.tar.gz
+BuildArch: noarch
+
+Requires: qm >= %{version}
+
+%description
+This sub-package installs drop-in configurations for QM containers to mount bind input devices.
+
+%prep
+%autosetup -Sgit -n qm-input-%{version}
+
+%install
+# Create the directory for drop-in configurations
+install -d %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d
+
+# Install the input drop-in configuration file
+install -m 644 %{_builddir}/qm-input-%{version}/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_input.conf \
+    %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_input.conf
+
+%files
+%license LICENSE
+%doc README.md
+%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_input.conf
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Added input mount bind drop-in configuration.

rpm/kvm/qm-kvm.spec

@@ -0,0 +1,48 @@
+%global debug_package %{nil}
+
+# rootfs_qm, Define rootfs macro for QM environment not need, do to install command from host
+# dnf install --setopt=reposdir=/etc/yum.repos.d  <package>
+# using qm_sysconfdir /etc/qm/ overlay preventing the detection of quadletfile, need to install
+# in the overlay of etc under the host
+%define qm_sysconfdir %{_sysconfdir}/qm
+
+Name: qm-kvm
+# Version: 0
+Version: %{version}
+Release: 1%{?dist}
+Summary: Drop-in configuration for QM containers to mount bind /dev/kvm
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-kvm-%{version}.tar.gz
+BuildArch: noarch
+
+Requires: qm >= %{version}
+
+%description -n qm-kvm
+This subpackage provides a drop-in configuration for the QM environment to enable mount binding of `/dev/kvm` from the host system to containers. This configuration is essential for supporting KVM-based virtualization within QM containers.
+
+%prep
+%autosetup -Sgit -n qm-kvm-%{version}
+
+%build
+
+%install
+# Create the directory for drop-in configurations
+install -d %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d
+install -d %{buildroot}%{qm_sysconfdir}/containers/systemd
+
+# Install the KVM drop-in configuration file
+install -m 644 %{_builddir}/qm-kvm-%{version}/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_kvm.conf \
+    %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_kvm.conf
+install -m 644 %{_builddir}/qm-kvm-%{version}/subsystems/kvm/etc/containers/systemd/kvm.container \
+    %{buildroot}%{qm_sysconfdir}/containers/systemd/kvm.container
+
+%files -n qm-kvm
+%license LICENSE
+%doc README.md SECURITY.md
+%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_kvm.conf
+%{qm_sysconfdir}/containers/systemd/kvm.container
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Initial standalone spec for the QM KVM subpackage.

rpm/qm.spec

@@ -1,77 +1,12 @@
 %global debug_package %{nil}
 
-# rootfs macros
-%global rootfs_qm %{_prefix}/lib/qm/rootfs/
-%global rootfs_qm_window_manager %{_prefix}/lib/qm/rootfs/qm_windowmanager
-
 # Define the feature flag: 1 to enable, 0 to disable
 # By default it's disabled: 0
 
-###########################################
-# subpackage QM - img_tempdir             #
-###########################################
-# use img temp dir as /var/tmp
-%define enable_qm_dropin_img_tempdir 0%{?u_enable_qm_dropin_img_tempdir}
-
-####################################################################
-# subpackage QM - mount bind /dev/tty7                             #
-####################################################################
-# mount bind /dev/tty7 from host to nested containers              #
-# as /dev/tty7:rw                                                  #
-# Please note:                                                     #
-# /dev/tty7 is typically the virtual terminal                      #
-# associated with the graphical user interface (GUI)               #
-# on Linux systems.                                                #
-# It is where the X server or the Wayland display server           #
-# usually runs, handling the graphical display, input              #
-# and windowing environment.                                       #
-# When you start a graphical session (ex. GNOME, KDE, etc.),       #
-# it usually runs on this virtual console.                         #
-####################################################################
-%define enable_qm_mount_bind_tty7 0%{?u_enable_qm_mount_bind_tty7}
-
-#####################################################################
-# subpackage QM - mount bind audio                                  #
-# device from host to container and nested container enabling sound #
-#####################################################################
-%define enable_qm_mount_bind_sound 0%{?u_enable_qm_mount_bind_sound}
-
-
-###########################################
-# subpackage QM - Enable Window Manager   #
-###########################################
-%define enable_qm_window_manager 0%{?u_enable_qm_window_manager}
-
-###########################################
-# subpackage QM - ROS2 Rolling version    #
-###########################################
-%define enable_qm_ros2_rolling 0%{?u_enable_qm_ros2_rolling}
-
-###########################################
-# subpackage QM - mount bind /dev/ttyUSB0 #
-###########################################
-%define enable_qm_mount_bind_ttyUSB0 0%{?u_enable_qm_mount_bind_ttyUSB0}
-
-###########################################
-# subpackage QM - mount bind /dev/kvm     #
-###########################################
-%define enable_qm_mount_bind_kvm 0%{?u_enable_qm_mount_bind_kvm}
-
-###########################################
-# subpackage QM - mount bind /dev/video   #
-###########################################
-%define enable_qm_mount_bind_video 0%{?u_enable_qm_mount_bind_video}
-
-###########################################
-# subpackage QM - input devices           #
-###########################################
-%define enable_qm_mount_bind_input 0%{?u_enable_qm_mount_bind_input}
-
-# Some bits borrowed from the openstack-selinux package
-%global selinuxtype targeted
+# Some bits borrowed from the openstack-selinux and container-selinux packages
 %global moduletype services
 %global modulenames qm
-%global seccomp_json /usr/share/%{modulenames}/seccomp.json
+%global seccomp_json /usr/share/%{modulenames}/seccomp-no-rt.json
 %global setup_tool %{_prefix}/share/%{modulenames}/setup
 
 %global _installscriptdir %{_prefix}/lib/%{modulenames}
@@ -81,6 +16,11 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %%1+=" "; done;
 
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
+%endif
+
 # copr_username is only set on copr environments, not on others like koji
 # Check if copr is owned by rhcontainerbot
 %if "%{?copr_username}" != "rhcontainerbot"
@@ -122,16 +62,18 @@ BuildRequires: git-core
 BuildRequires: pkgconfig(systemd)
 BuildRequires: selinux-policy >= %_selinux_policy_version
 BuildRequires: selinux-policy-devel >= %_selinux_policy_version
+BuildRequires: bluechi-selinux
 
+Requires: iptables
 Requires: parted
 Requires: containers-common
 Requires: selinux-policy >= %_selinux_policy_version
 Requires(post): selinux-policy-base >= %_selinux_policy_version
-Requires(post): selinux-policy-targeted >= %_selinux_policy_version
+Requires(post): selinux-policy-any >= %_selinux_policy_version
+Recommends: selinux-policy-targeted >= %_selinux_policy_version
 Requires(post): policycoreutils
 Requires(post): libselinux-utils
 Requires: podman >= %{podman_epoch}:4.5
-Requires: bluechi-agent
 Requires: jq
 
 %description
@@ -153,196 +95,29 @@ use container tools like Podman.
 sed -i 's/^install: man all/install:/' Makefile
 
 %build
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' qm.fc
+%endif
+
 %{__make} all
 
 %install
 # Create the directory for drop-in configurations
 install -d %{buildroot}%{_sysconfdir}/containers/containers.conf.d
-install -d %{buildroot}%{rootfs_qm}%{_sysconfdir}/containers/systemd
-install -d %{buildroot}%{_sysconfdir}/qm/containers/containers.conf.d
-
-####################################################################
-################# QM Window Manager ################################
-####################################################################
-%if %{enable_qm_window_manager}
-    # Create the necessary directory structure in the BUILDROOT
-    mkdir -p %{buildroot}/%{rootfs_qm}/etc/pam.d
-    mkdir -p %{buildroot}/%{rootfs_qm}/etc/systemd/system
-    mkdir -p %{buildroot}/etc/systemd/system
-    mkdir -p %{buildroot}/etc/containers/systemd/
-    mkdir -p %{buildroot}/%{rootfs_qm}/etc/containers/systemd
-    mkdir -p %{buildroot}/%{rootfs_qm}/%{_prefix}/lib/tmpfiles.d/etc/containers/systemd/
-    mkdir -p %{buildroot}/%{rootfs_qm}/%{_prefix}/lib/tmpfiles.d/etc/containers/systemd/qm.container.d
-    mkdir -p %{buildroot}/%{rootfs_qm_window_manager}/mutter
-    mkdir -p %{buildroot}/%{rootfs_qm_window_manager}/session-activate
-
-    # Install the pam.d file for wayland
-    install -m 644 ./qm-windowmanager/etc/pam.d/wayland %{buildroot}/%{rootfs_qm}/etc/pam.d/wayland
-
-    # Install the systemd service files
-    install -m 644 ./qm-windowmanager/etc/systemd/system/wayland-session.service %{buildroot}/%{rootfs_qm}/etc/systemd/system/wayland-session.service
-    install -m 644 ./qm-windowmanager/etc/systemd/system/qm-dbus.socket %{buildroot}/%{rootfs_qm}/etc/systemd/system/qm-dbus.socket
-    install -m 644 ./qm-windowmanager/etc/containers/systemd/session-activate.container %{buildroot}/%{rootfs_qm}/etc/containers/systemd/session-activate.container
-
-    install -m 755 ./qm-windowmanager/usr/share/qm/mutter/ContainerFile %{buildroot}/%{rootfs_qm_window_manager}/mutter/ContainerFile
-    install -m 755 ./qm-windowmanager/usr/share/qm/manage-pam-selinux-systemd-user-config %{buildroot}/%{rootfs_qm_window_manager}/manage-pam-selinux-systemd-user-config
-    install -m 755 ./qm-windowmanager/usr/share/qm/session-activate/ContainerFile %{buildroot}/%{rootfs_qm_window_manager}/session-activate/ContainerFile
-    install -m 755 ./qm-windowmanager/usr/share/qm/session-activate/qm_windowmanager_activate_session %{buildroot}/%{rootfs_qm_window_manager}/session-activate/qm_windowmanager_activate_session
-
-    # Install the tmpfiles.d configuration for mutter and weston
-    install -m 644 ./qm-windowmanager/etc/containers/systemd/gnome_mutter.container %{buildroot}/%{rootfs_qm}/etc/containers/systemd/gnome_mutter.container
-    install -m 644 ./qm-windowmanager/etc/containers/systemd/weston_terminal.container %{buildroot}/%{rootfs_qm}/etc/containers/systemd/weston_terminal.container
-    install -m 644 ./qm-windowmanager/etc/containers/systemd/session-activate.container %{buildroot}/%{rootfs_qm}/etc/containers/systemd/session-activate.container
-
-    # Install additional tmpfiles.d configurations
-    install -m 644 ./qm-windowmanager/usr/lib/tmpfiles.d/wayland-xdg-directory.conf %{buildroot}/%{rootfs_qm}%{_prefix}/lib/tmpfiles.d/wayland-xdg-directory.conf
-    install -m 644 ./qm-windowmanager/etc/containers/systemd/wayland-extra-devices.conf %{buildroot}/etc/containers/systemd/wayland-extra-devices.conf
-
-    # first step - add drop-in file in /etc/containers/containers.d.conf/qm_dropin_mount_bind_window_manager.conf
-    install -m 644 ./qm-windowmanager/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_window_manager.conf %{buildroot}%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_window_manager.conf
-
-    # second step - add drop-in file in /etc/qm/containers/containers.d.conf/qm_dropin/mount_bind_window_manager.conf
-    install -m 644 ./qm-windowmanager/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_window_manager.conf %{buildroot}%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_window_manager.conf
-%endif
-####################################################################
-################# END QM Window Manager ############################
-####################################################################
-
-########################################################
-# START - qm dropin sub-package - img tempdir          #
-########################################################
-%if %{enable_qm_dropin_img_tempdir}
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_img_tempdir.conf \
-        %{buildroot}%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_img_tempdir.conf
-%endif
-########################################################
-# END - qm dropin sub-package - img tempdir            #
-########################################################
-
-########################################################
-# START - qm dropin sub-package - mount kvm            #
-########################################################
-%if %{enable_qm_mount_bind_kvm}
-    # first step - add drop-in file in /etc/containers/containers.d.conf/qm_dropin_mount_bind_kvm.conf
-    # to QM container mount bind /dev/kvm
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_kvm.conf %{buildroot}%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_kvm.conf
-
-    # second step - add drop-in file in /etc/qm/containers/containers.d.conf/qm_dropin/mount_bind_kvm.conf
-    # to nested containers in QM env mount bind it in /dev/kvm
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_kvm.conf %{buildroot}%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_kvm.conf
-%endif
-########################################################
-# END - qm dropin sub-package - mount kvm              #
-########################################################
-
-########################################################
-# START - qm dropin sub-package - mount sound          #
-########################################################
-%if %{enable_qm_mount_bind_sound}
-    # first step - add drop-in file in /etc/containers/containers.d.conf/qm_dropin_mount_bind_snd.conf
-    # to QM container mount bind /dev/snd
-    install -m 644 %{_builddir}/qm-%{version}/subsystems/audio/audio.container %{buildroot}%{rootfs_qm}%{_sysconfdir}/containers/systemd/audio.container
-    install -m 644 %{_builddir}/qm-%{version}%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_snd.conf %{buildroot}%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_snd.conf
-
-    # second step - add drop-in file in /etc/qm/containers/containers.d.conf/qm_dropin/mount_bind_snd.conf
-    # to nested containers in QM env mount bind it in /dev/snd
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_snd.conf %{buildroot}%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_snd.conf
-%endif
-########################################################
-# END - qm dropin sub-package - mount sound            #
-########################################################
-
-########################################################
-# START - qm dropin sub-package - mount ttyUSB0        #
-########################################################
-%if %{enable_qm_mount_bind_ttyUSB0}
-    # first step - add drop-in file in /etc/containers/containers.d.conf/qm_dropin_mount_bind_ttyUSB0.conf
-    # to QM container mount ttyUSB0
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_ttyUSB0.conf %{buildroot}%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_ttyUSB0.conf
-
-    # second step - add drop-in file in /etc/qm/containers/containers.d.conf/qm_dropin/mount_bind_ttyUSB0.conf
-    # to nested containers in QM env mount bind ttyUSB0
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_ttyUSB0.conf %{buildroot}%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_ttyUSB0.conf
-%endif
-########################################################
-# END - qm dropin sub-package - mount ttyUSB0          #
-########################################################
-
-########################################################
-# START - qm dropin ROS2 - Rolling                     #
-########################################################
-%if %{enable_qm_ros2_rolling}
-    mkdir -p %{buildroot}/%{rootfs_qm}/%{_sysconfdir}/containers/systemd/
-    install -m 644 %{_builddir}/qm-%{version}/subsystems/ros2/ros2-rolling.container %{buildroot}/%{rootfs_qm}/etc/containers/systemd/ros2-rolling.container
-%endif
-########################################################
-# END - qm dropin sub-package - ROS2 - Rolling         #
-########################################################
-
-########################################################
-# START - qm dropin sub-package - mount video          #
-########################################################
-%if %{enable_qm_mount_bind_video}
-    mkdir -p %{buildroot}/%{rootfs_qm}/%{_sysconfdir}/containers/systemd/
-    # first step - add drop-in file in /etc/containers/containers.d.conf/qm_dropin_mount_bind_video.conf
-    # to QM container mount video
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_video.conf %{buildroot}%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_video.conf
-
-    # second step - add drop-in file in /etc/qm/containers/containers.d.conf/qm_dropin/mount_bind_video.conf
-    # to nested containers in QM env mount bind video
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_video.conf %{buildroot}%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_video.conf
-
-    install -m 644 %{_builddir}/qm-%{version}/etc/containers/systemd/rear-camera.container %{buildroot}/%{rootfs_qm}/%{_sysconfdir}/containers/systemd/rear-camera.container
-%endif
-########################################################
-# END - qm dropin sub-package - mount video            #
-########################################################
-
-########################################################
-# START - qm dropin sub-package - mount input          #
-########################################################
-%if %{enable_qm_mount_bind_input}
-    # first step - add drop-in file in /etc/containers/containers.d.conf/qm_dropin_mount_bind_input.conf
-    # to QM container mount input
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_input.conf %{buildroot}%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_input.conf
-
-    # second step - add drop-in file in /etc/qm/containers/containers.d.conf/qm_dropin/mount_bind_input.conf
-    # to nested containers in QM env mount bind input
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_input.conf %{buildroot}%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_input.conf
-%endif
-########################################################
-# END - qm dropin sub-package - mount input            #
-########################################################
-
-########################################################
-# START - qm dropin sub-package - mount bind /dev/tty7 #
-########################################################
-%if %{enable_qm_mount_bind_tty7}
-    # first step - add drop-in file in /etc/containers/containers.d.conf/qm_dropin_mount_bind_tty.conf
-    # to QM container mount bind /dev/tty7
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_tty7.conf %{buildroot}%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_tty7.conf
-
-    # second step - add drop-in file in /etc/qm/containers/containers.d.conf/qm_dropin/mount_bind_tty.conf
-    # to nested containers in QM env mount bind it in /dev/tty7
-    install -m 644 %{_builddir}/qm-%{version}/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_tty7.conf %{buildroot}%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_tty7.conf
-%endif
-
-########################################################
-# END - qm dropin sub-package - mount bind /dev/tty7   #
-########################################################
 
 # install policy modules
 %_format MODULES $x.pp.bz2
 %{__make} DESTDIR=%{buildroot} DATADIR=%{_datadir} install
 
 %post
-# Install all modules in a single transaction
 %_format MODULES %{_datadir}/selinux/packages/$x.pp.bz2
-%selinux_modules_install -s %{selinuxtype} $MODULES
+. %{_sysconfdir}/selinux/config
+%selinux_modules_install -s ${SELINUXTYPE} $MODULES
 # Execute the script to create seccomp rules after the package is installed
 /usr/share/qm/create-seccomp-rules
 /usr/share/qm/comment-tz-local # FIX-ME GH-issue: 367
-/usr/share/qm/qm-is-ostree
+# podmand netavark requires at host to load or let's ignore in case host don't have it and proceed with the installation
+modprobe ip_tables || true
 
 %preun
 if [ $1 = 0 ]; then
@@ -355,7 +130,8 @@ fi
 %postun
 if [ $1 -eq 0 ]; then
    # This section executes only on package removal, not on upgrade
-   %selinux_modules_uninstall -s %{selinuxtype} %{modulenames}
+   . %{_sysconfdir}/selinux/config
+   %selinux_modules_uninstall -s ${SELINUXTYPE} %{modulenames}
    if [ -f %{seccomp_json} ]; then
      /bin/rm -f %{seccomp_json}
    fi
@@ -368,7 +144,6 @@ fi
 %license LICENSE
 %doc CODE-OF-CONDUCT.md NOTICE README.md SECURITY.md
 %dir %{_datadir}/selinux
-%dir %{_sysconfdir}/qm/containers/containers.conf.d
 %{_datadir}/selinux/*
 %dir %{_datadir}/qm
 %{_datadir}/qm/containers.conf
@@ -388,215 +163,6 @@ fi
 %ghost %dir %{_installscriptdir}/rootfs
 %ghost %{_installscriptdir}/rootfs/*
 
-#######################################
-# sub-package QM Img TempDir          #
-#######################################
-%if %{enable_qm_dropin_img_tempdir}
-%package -n qm-dropin-img-tempdir
-Summary: Drop-in configuration for QM nested containers to img tempdir
-Requires: %{name} = %{version}-%{release}
-BuildArch: noarch
-
-%description -n qm-dropin-img-tempdir
-This sub-package installs a drop-in configurations for the QM.
-It creates the `/etc/qm/containers/containers.conf.d/` directory for adding
-additional drop-in configurations.
-
-%files -n qm-dropin-img-tempdir
-%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_img_tempdir.conf
-%endif
-
-#######################################
-# sub-package QM Mount Bind /dev/tty7 #
-#######################################
-%if %{enable_qm_mount_bind_tty7}
-%package -n qm_mount_bind_tty7
-Summary: Drop-in configuration for QM containers to mount bind /dev/tty7
-Requires: %{name} = %{version}-%{release}
-BuildArch: noarch
-
-%description -n qm_mount_bind_tty7
-This sub-package installs a drop-in configurations for the QM.
-It creates the `/etc/qm/containers/containers.conf.d/` directory for adding
-additional drop-in configurations.
-
-%files -n qm_mount_bind_tty7
-%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_tty7.conf
-%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_tty7.conf
-%endif
-
-#######################################
-# sub-package QM Mount Input          #
-#######################################
-%if %{enable_qm_mount_bind_input}
-%package -n qm_mount_bind_input
-Summary: Drop-in configuration for QM containers to mount bind input
-Requires: %{name} = %{version}-%{release}
-BuildArch: noarch
-
-%description -n qm_mount_bind_input
-This sub-package installs a drop-in configurations for the QM.
-It creates the `/etc/qm/containers/containers.conf.d/` directory for adding
-additional drop-in configurations.
-
-%files -n qm_mount_bind_input
-%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_input.conf
-%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_input.conf
-%endif
-
-#######################################
-# sub-package QM Mount ttyUSB0        #
-#######################################
-%if %{enable_qm_mount_bind_ttyUSB0}
-%package -n qm_mount_bind_ttyUSB0
-Summary: Drop-in configuration for QM containers to mount bind ttyUSB0
-Requires: %{name} = %{version}-%{release}
-BuildArch: noarch
-
-%description -n qm_mount_bind_ttyUSB0
-This sub-package installs a drop-in configurations for the QM.
-It creates the `/etc/qm/containers/containers.conf.d/` directory for adding
-additional drop-in configurations.
-
-%files -n qm_mount_bind_ttyUSB0
-%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_ttyUSB0.conf
-%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_ttyUSB0.conf
-%endif
-
-#######################################
-# sub-package QM Mount Bind /dev/snd  #
-#######################################
-%if %{enable_qm_mount_bind_sound}
-%package -n qm_mount_bind_sound
-Summary: Drop-in configuration for QM containers to mount bind /dev/snd
-Requires: %{name} = %{version}-%{release}
-BuildArch: noarch
-
-%description -n qm_mount_bind_sound
-This sub-package installs a drop-in configurations for the QM.
-It creates the `/etc/qm/containers/containers.conf.d/` directory for adding
-additional drop-in configurations.
-
-%files -n qm_mount_bind_sound
-%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_snd.conf
-%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_snd.conf
-%{rootfs_qm}%{_sysconfdir}/containers/systemd/audio.container
-%endif
-
-#######################################
-# sub-package QM Mount Bind /dev/kvm  #
-#######################################
-%if %{enable_qm_mount_bind_kvm}
-%package -n qm_mount_bind_kvm
-Summary: Drop-in configuration for QM containers to mount bind /dev/kvm
-Requires: %{name} = %{version}-%{release}
-BuildArch: noarch
-
-%description -n qm_mount_bind_kvm
-This sub-package installs a drop-in configurations for the QM.
-It creates the `/etc/qm/containers/containers.conf.d/` directory for adding
-additional drop-in configurations.
-
-%files -n qm_mount_bind_kvm
-%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_kvm.conf
-%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_kvm.conf
-%endif
-
-#######################################
-# sub-package qm window manager       #
-#######################################
-%if %{enable_qm_window_manager}
-%package windowmanager
-Summary: Optional Window Manager deployed in QM environment (Experimental)
-Requires: qm_mount_bind_input
-Requires: qm_mount_bind_kvm
-Requires: qm_mount_bind_sound
-%description windowmanager
-The optional window manager deployed in QM environment as nested container.
-
-%files windowmanager
-%{rootfs_qm}/%{_sysconfdir}/pam.d/wayland
-%{rootfs_qm}/%{_sysconfdir}/systemd/system/wayland-session.service
-%{rootfs_qm}/%{_sysconfdir}/systemd/system/qm-dbus.socket
-%{rootfs_qm}/%{_sysconfdir}/containers/systemd/session-activate.container
-%{rootfs_qm}/%{_sysconfdir}/containers/systemd/gnome_mutter.container
-%{rootfs_qm}/%{_sysconfdir}/containers/systemd/weston_terminal.container
-%{rootfs_qm_window_manager}/session-activate/ContainerFile
-%{rootfs_qm_window_manager}/session-activate/qm_windowmanager_activate_session
-%{rootfs_qm_window_manager}/mutter/ContainerFile
-%{rootfs_qm_window_manager}/manage-pam-selinux-systemd-user-config
-%config(noreplace) %{rootfs_qm}/%{_prefix}/lib/tmpfiles.d/wayland-xdg-directory.conf
-%config(noreplace) /etc/containers/systemd/wayland-extra-devices.conf
-# extra seats tty0-7
-%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_window_manager.conf
-%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_window_manager.conf
-
-%post windowmanager
-%{rootfs_qm_window_manager}/manage-pam-selinux-systemd-user-config %{rootfs_qm_window_manager}/etc/pam.d/systemd-user --comment
-services=("activate-session.service" "qm-dbus.socket" "wayland-session.service")
-
-# Loop to enable and start each service or socket
-for service in "${services[@]}"; do
-    podman exec qm systemctl enable "$service" >/dev/null 2>&1 || :
-    podman exec qm systemctl start "$service" >/dev/null 2>&1 || :
-done
-
-%preun windowmanager
-# getting back the config from the qm-windowmanager config comments
-%{rootfs_qm_window_manager}/manage-pam-selinux-systemd-user-config %{rootfs_qm_window_manager}/etc/pam.d/systemd-user --uncomment
-services=("activate-session.service" "qm-dbus.socket" "wayland-session.service")
-
-# Stop and disable the services before uninstalling
-for service in "${services[@]}"; do
-    podman exec qm systemctl stop "$service" >/dev/null 2>&1 || :
-    podman exec qm systemctl disable "$service" >/dev/null 2>&1 || :
-done
-
-%postun windowmanager
-# Reload systemd daemon after uninstallation
-podman exec qm systemctl daemon-reload &> /dev/null
-%endif
-
-#######################################
-# sub-package QM Mount Bind /dev/video#
-#######################################
-%if %{enable_qm_mount_bind_video}
-%package -n qm_mount_bind_video
-Summary: Drop-in configuration for QM containers to mount bind /dev/video
-Requires: %{name} = %{version}-%{release}
-BuildArch: noarch
-
-%description -n qm_mount_bind_video
-This sub-package installs a drop-in configurations for the QM.
-It creates the `/etc/qm/containers/containers.conf.d/` directory for adding
-additional drop-in configurations.
-
-%files -n qm_mount_bind_video
-%{_sysconfdir}/containers/containers.conf.d/qm_dropin_mount_bind_video.conf
-%{_sysconfdir}/qm/containers/containers.conf.d/qm_dropin_mount_bind_video.conf
-%{rootfs_qm}/%{_sysconfdir}/containers/systemd/rear-camera.container
-%endif
-
-#######################################
-# sub-package QM ROS2 rolling
-#######################################
-%if %{enable_qm_ros2_rolling}
-%package -n qm_ros2_rolling
-Summary: Subpackage container for quadlet container to ROS2 Rolling environment
-Requires: %{name} = %{version}-%{release}
-BuildArch: noarch
-
-%description -n qm_ros2_rolling
-This sub-package installs a drop-in configurations for the QM.
-It creates the `/etc/qm/containers/containers.conf.d/` directory for adding
-additional drop-in configurations.
-
-%files -n qm_ros2_rolling
-%{rootfs_qm}/%{_sysconfdir}/containers/systemd/ros2-rolling.container
-%endif
-
-#######################################
-
 %changelog
 %if %{defined autochangelog}
 %autochangelog

rpm/radio/radio.spec

@@ -0,0 +1,35 @@
+%global debug_package %{nil}
+
+Name: qm-mount-bind-radio
+Version: 0
+Release: 1%{?dist}
+Summary: Drop-in configuration for QM containers to mount bind /dev/radio
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-radio-%{version}.tar.gz
+
+BuildArch: noarch
+Requires: qm >= %{version}
+
+%description
+This subpackage installs a drop-in configuration for QM containers to mount bind `/dev/radio`.
+
+%prep
+%autosetup -Sgit -n qm-radio-%{version}
+
+%install
+# Create the directory for drop-in configurations
+install -d %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d
+# Install the KVM drop-in configuration file
+install -m 644 %{_builddir}/qm-radio-%{version}/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_radio.conf \
+    %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_radio.conf
+
+%files
+%license LICENSE
+%doc README.md SECURITY.md
+%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_radio.conf
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Added radio mount bind drop-in configuration.
+

rpm/ros2/ros2_rolling.spec

@@ -0,0 +1,44 @@
+%global debug_package %{nil}
+
+%define qm_sysconfdir %{_sysconfdir}/qm
+
+Name: qm-ros2
+Version: %{version}
+Release: 1%{?dist}
+Summary: Subpackage container for quadlet container to ROS2 Rolling environment
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-ros2-%{version}.tar.gz
+
+BuildArch: noarch
+Requires: qm >= %{version}
+
+%description
+This subpackage provides a containerized ROS2 Rolling environment within the
+Quality Management (QM) system. It enables ROS2 applications to run in isolated
+containers managed by Podman and systemd within the QM environment.
+
+%prep
+%autosetup -Sgit -n qm-ros2-%{version}
+
+%build
+# No special build requirements for ROS2 Rolling container
+
+%install
+# Create the necessary directory structure
+install -d %{buildroot}%{qm_sysconfdir}/containers/systemd
+
+# Install the ROS2 Rolling container file
+install -m 644 %{_builddir}/qm-ros2-%{version}/subsystems/ros2/etc/containers/systemd/ros2.container \
+      %{buildroot}%{qm_sysconfdir}/containers/systemd/ros2.container
+
+
+%files
+%license LICENSE
+%doc README.md SECURITY.md
+%{qm_sysconfdir}/containers/systemd/ros2.container
+
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org> - 0.6.8-1
+- Initial release of qm-ros2

rpm/sound/sound.spec

@@ -0,0 +1,48 @@
+%global debug_package %{nil}
+
+# Define the rootfs macros
+%define qm_sysconfdir %{_sysconfdir}/qm
+
+Name: qm-sound
+Version: %{version}
+Release: 1%{?dist}
+Summary: Drop-in configuration for QM containers to mount bind /dev/snd
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-sound-%{version}.tar.gz
+BuildArch: noarch
+
+Requires: qm >= %{version}
+
+%description
+This subpackage installs a drop-in configuration for QM containers,
+enabling the mount bind of the audio device `/dev/snd` from the host to
+the container and nested containers.
+
+%prep
+%autosetup -Sgit -n qm-sound-%{version}
+
+%build
+# No build necessary for this configuration package
+
+%install
+# Install drop-in configuration for /dev/snd
+# Create the directory for drop-in configurations
+install -d %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d
+install -d %{buildroot}%{qm_sysconfdir}/containers/systemd
+
+install -m 644 %{_builddir}/qm-sound-%{version}/subsystems/sound/etc/containers/systemd/audio.container \
+    %{buildroot}%{qm_sysconfdir}/containers/systemd/audio.container
+# Install the sound drop-in configuration file
+install -m 644 %{_builddir}/qm-sound-%{version}/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_snd.conf \
+    %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_snd.conf
+
+%files
+%license LICENSE
+%doc README.md SECURITY.md
+%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_snd.conf
+%{qm_sysconfdir}/containers/systemd/audio.container
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Initial release focused on enabling mount bind for /dev/snd in QM environments.

rpm/text2speech/text2speech.spec

@@ -0,0 +1,36 @@
+%global debug_package %{nil}
+
+Name: qm-text2speech
+Version: 0
+Release: 1%{?dist}
+Summary: Drop-in configuration for QM containers to mount bind
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-text2speech-%{version}.tar.gz
+BuildArch: noarch
+
+# Runtime dependencies
+Requires: qm >= %{version}
+Requires: qm-mount-bind-sound
+Requires: espeak
+
+%description -n qm-text2speech
+This subpackage provides a drop-in configuration for the QM environment to enable espeak
+
+%prep
+%autosetup -n qm-text2speech-%{version}
+
+%build
+
+%install
+
+%post
+dnf install  --setopt=reposdir=/etc/yum.repos.d  --installroot /usr/lib/qm/rootfs/ espeak-ng
+
+%files
+%license LICENSE
+%doc CODE-OF-CONDUCT.md README.md SECURITY.md
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Initial standalone spec for the QM espeak subpackage.

rpm/tty7/tty7.spec

@@ -0,0 +1,40 @@
+%global debug_package %{nil}
+
+Name: qm-mount-bind-tty7
+Version: 0
+Release: 1%{?dist}
+Summary: Drop-in configuration for QM containers to mount bind /dev/tty7
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-tty7-%{version}.tar.gz
+
+BuildArch: noarch
+Requires: qm >= %{version}
+
+%description
+This subpackage installs a drop-in configuration for QM containers to mount bind `/dev/tty7`.
+`/dev/tty7` is typically associated with the virtual terminal running the GUI session on Linux systems.
+This configuration is useful when graphical applications require access to the host’s GUI display server.
+
+%prep
+%autosetup -Sgit -n qm-tty7-%{version}
+
+%build
+# No build required for configuration files
+
+%install
+# Create the directory for drop-in configurations
+install -d %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d
+
+# Install the KVM drop-in configuration file
+install -m 644 %{_builddir}/qm-tty7-%{version}/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_tty7.conf \
+    %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_tty7.conf
+
+%files
+%license LICENSE
+%doc README.md SECURITY.md
+%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_tty7.conf
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Added drop-in configuration to mount bind /dev/tty7.

rpm/ttyUSB0/ttyUSB0.spec

@@ -0,0 +1,34 @@
+%global debug_package %{nil}
+
+Name: qm-mount-bind-ttyUSB0
+Version: 0
+Release: 1%{?dist}
+Summary: Drop-in configuration for QM containers to mount bind ttyUSB0
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-ttyUSB0-%{version}.tar.gz
+BuildArch: noarch
+
+Requires: qm >= %{version}
+
+%description
+This sub-package installs drop-in configurations for QM containers to mount bind ttyUSB0.
+
+%prep
+%autosetup -Sgit -n qm-ttyUSB0-%{version}
+
+%install
+# Create the directory for drop-in configurations
+install -d %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d
+
+# Install the ttyusb0 drop-in configuration file
+install -m 644 %{_builddir}/qm-ttyUSB0-%{version}/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_ttyUSB0.conf %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_ttyUSB0.conf
+
+%files
+%license LICENSE
+%doc README.md
+%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_ttyUSB0.conf
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Added ttyUSB0 mount bind drop-in configuration.

rpm/video/video.spec

@@ -0,0 +1,46 @@
+%global debug_package %{nil}
+
+# Define the rootfs macros
+%define qm_sysconfdir %{_sysconfdir}/qm
+
+Name: qm-mount-bind-video
+Version: %{version}
+Release: 1%{?dist}
+Summary: Drop-in configuration for QM containers to mount bind /dev/video
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-video-%{version}.tar.gz
+
+BuildArch: noarch
+Requires: qm >= %{version}
+
+%description
+This subpackage installs a drop-in configuration for QM containers to mount bind `/dev/video`.
+
+%prep
+%autosetup -Sgit -n qm-video-%{version}
+
+%build
+# No build required for configuration files
+
+%install
+# Create the directory for drop-in configurations
+install -d %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d
+install -d %{buildroot}%{qm_sysconfdir}/containers/systemd
+
+install -m 644 %{_builddir}/qm-video-%{version}/subsystems/video/etc/containers/systemd/rear-camera.container \
+     %{buildroot}%{qm_sysconfdir}/containers/systemd/rear-camera.container
+
+install -m 644 %{_builddir}/qm-video-%{version}/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_video.conf \
+    %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_video.conf
+
+%files
+%license LICENSE
+%doc README.md SECURITY.md
+%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_video.conf
+%{qm_sysconfdir}/containers/systemd/rear-camera.container
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Added video mount bind drop-in configuration.
+

rpm/windowmanager/windowmanager.spec

@@ -0,0 +1,46 @@
+# Define the rootfs macros
+%define qm_sysconfdir %{_sysconfdir}/qm
+
+
+Name: qm-windowmanager
+Version: %{version}
+Release: 1%{?dist}
+Summary: Optional Window Manager for QM environment
+License: GPL-2.0-only
+URL: https://github.com/containers/qm
+Source0: %{url}/archive/qm-windowmanager-%{version}.tar.gz
+BuildArch: noarch
+
+Requires: qm >= %{version}
+
+%description
+This sub-package installs an experimental window manager for the QM environment.
+
+%prep
+%autosetup -Sgit -n qm-windowmanager-%{version}
+
+%install
+# Create the directory for drop-in configurations
+install -d  %{buildroot}/%{_sysconfdir}/pam.d/
+install -d %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d
+install -d %{buildroot}%{qm_sysconfdir}/containers/systemd
+
+# Install the Window manager drop-in configuration file
+install -m 644 %{_builddir}/qm-windowmanager-%{version}/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_window_manager.conf \
+    %{buildroot}%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_window_manager.conf
+install -m 644 %{_builddir}/qm-windowmanager-%{version}/subsystems/windowmanager/etc/pam.d/wayland %{buildroot}/%{_sysconfdir}/pam.d/
+install -m 644 %{_builddir}/qm-windowmanager-%{version}/subsystems/windowmanager/etc/containers/systemd/* %{buildroot}%{qm_sysconfdir}/containers/systemd/
+
+%files
+%license LICENSE
+%doc README.md
+%{_sysconfdir}/pam.d/wayland
+%{_sysconfdir}/containers/systemd/qm.container.d/qm_dropin_mount_bind_window_manager.conf
+%{qm_sysconfdir}/containers/systemd/gnome_mutter.container
+%{qm_sysconfdir}/containers/systemd/session-activate.container
+%{qm_sysconfdir}/containers/systemd/wayland-extra-devices.conf
+%{qm_sysconfdir}/containers/systemd/weston_terminal.container
+
+%changelog
+* Fri Jul 21 2023 RH Container Bot <rhcontainerbot@fedoraproject.org>
+- Added windowmanager mount bind drop-in configuration.

setup

@@ -35,10 +35,41 @@ CMDLINE_ARGUMENT_LIST=(
   "skip-systemctl"
 )
 
+logger() {
+    {
+     	local log_level="$1"
+        local message="$2"
+        local NC='\033[0m' # No Color
+        local log_col=$NC
+    } > /dev/null 2>&1
+        case "$log_level" in
+            INFO)
+                log_col='\033[0;36m' #BLUE
+            ;;
+            WARNING)
+                log_col='\033[1;33m' #YELLOW
+            ;;
+            ERROR)
+                log_col='\033[0;31m' #RED
+                ;;
+            DEBUG)
+                log_col='\033[0;90m' #GREY
+                ;;
+            SUCCESS)
+                log_col='\033[0;32m' #GREEN
+            ;;
+            *)
+              	echo -e "[\033[1;31mERROR\033[0m] Invalid log level: $log_level" >&2
+                return 1
+            ;;
+	esac
+  echo -e "[$log_col${log_level}${NC}] $message"
+}
+
 root_check() {
     if [ "$(id -u)" -ne 0 ];then
-	echo "Please run this script as root"
-	exit 1
+        logger "WARNING" "Please run this script as root"
+        exit 1
     fi
 }
 
@@ -132,7 +163,7 @@ validate_qm_installation() {
 
     for file in "${files[@]}"; do
         if [[ ! -f "$file" ]]; then
-            echo "Exiting... '$file' not found. Try reinstall the QM package before continue." >&2
+            logger "ERROR" "Exiting... '$file' not found. Try reinstall the QM package before continuing."
             exit 1
         fi
     done
@@ -147,10 +178,15 @@ install() {
     setupRW "${ROOTFS}" "${RWETCFS}" "${RWVARFS}"
 
     EXTRA_FLAG=""
-    if grep -qi "^ID=fedora" /etc/os-release; then
+    if [ "$ID" == "fedora" ] && [ "$VERSION_ID" -ge 41 ]; then
         EXTRA_FLAG="--use-host-config"
     fi
 
+    # SecurityLabelNested not supported so far in CentOS Stream 9 or lower
+    if grep -qi "^ID=centos" /etc/os-release && [[ $(grep -oP '^VERSION_ID="\K[0-9]+' /etc/os-release) -le 9 ]]; then
+        sed -i '/SecurityLabelNested/d' /usr/share/containers/systemd/qm.container
+    fi
+
     cmd_dnf_install="dnf -y install --releasever=${VERSION_ID} --installroot ${ROOTFS} ${PACKAGES_TO_INSTALL} ${EXTRA_FLAG}"
     echo "$cmd_dnf_install"
     ${cmd_dnf_install}
@@ -261,6 +297,15 @@ echo  "  * agent hostname: ${AGENT_HOSTNAME}"
 echo
 
 if [ "${REMOVE_QM_ROOTFS}" == "Y" ]; then
+    # Unmount qm binds
+    qm_mounts="$(mount | grep /qm  | cut -d" " -f3)"
+    if [ -z "$qm_mounts" ]; then
+        echo "No mount points found under /qm."
+    else
+        for mount in $qm_mounts; do
+            umount "$mount"
+        done
+    fi
     # Get the one path below, i.e: /usr/lib/qm instead /usr/lib/qm/rootfs
     path_qm_rootfs=$(${QM_ROOTFS_TOOL} | sed 's|/[^/]*$||')
     rm -rf "${path_qm_rootfs}"
@@ -289,9 +334,23 @@ case "$1" in
 
     if [ "$SYSTEMCTL_SKIP" == "N" ]; then
 	    systemctl daemon-reload
-	    systemctl start qm.service
+        systemctl start qm.service || {
+            logger "ERROR" "'systemctl start qm.service' has failed, see details below";
+            set +x
+            logger "DEBUG" "$(journalctl --no-pager -xu qm.service)"
+            set -x
+            exit 1;
+        }
+        if [ "$(systemctl is-active qm.service)" != "active" ]; then
+            logger "WARNING" "QM service is inactive, see details below:";
+            set +x
+            logger "DEBUG" "$(journalctl --no-pager -xu qm.service)"
+            set -x
+            exit 1
+        fi
     else
       /usr/libexec/podman/quadlet /run/systemd/generator/
     fi
+    logger "SUCCESS" "Setup complete";
 	;;
 esac

subsystems/dvb/Makefile

@@ -0,0 +1,32 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_DVB ?= ${ROOTDIR}/rpm/dvb/dvb.spec
+PACKAGE_NAME = qm-mount-bind-dvb
+
+.PHONY: dist
+dist: ##             - Creates the QM dvb package
+	cd $(ROOTDIR) && tar cvz \
+		--dereference \
+		--transform s/qm/qm-dvb-${VERSION}/ \
+		-f /tmp/qm-dvb-${VERSION}.tar.gz \
+		../qm/README.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE \
+		../qm/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_dvb.conf
+	cd $(ROOTDIR) && mv /tmp/qm-dvb-${VERSION}.tar.gz ./rpm
+
+.PHONY: dvb
+dvb: dist ##             - Creates a local RPM package, useful for development
+	cd $(ROOTDIR) && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd $(ROOTDIR) && tools/version-update -v ${VERSION}
+	cd $(ROOTDIR) && cp ./rpm/qm-dvb-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_DVB}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi
+

subsystems/input/Makefile

@@ -0,0 +1,31 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_INPUT ?= ${ROOTDIR}/rpm/input/input.spec
+PACKAGE_NAME = qm-mount-bind-input
+
+.PHONY: dist
+dist: ##             - Creates the QM input package
+	cd $(ROOTDIR) && tar cvz \
+		--dereference \
+		--transform s/qm/qm-input-${VERSION}/ \
+		-f /tmp/qm-input-${VERSION}.tar.gz \
+		../qm/README.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE \
+		../qm/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_input.conf
+	cd $(ROOTDIR) && mv /tmp/qm-input-${VERSION}.tar.gz ./rpm
+
+.PHONY: input
+input:  dist ##             - Creates a local RPM package, useful for development
+	cd $(ROOTDIR) && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd $(ROOTDIR) && tools/version-update -v ${VERSION}
+	cd $(ROOTDIR) && cp ./rpm/qm-input-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_INPUT}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi

subsystems/kvm/Makefile

@@ -0,0 +1,39 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_IMG_KVM ?= ${ROOTDIR}/rpm/kvm/qm-kvm.spec
+PACKAGE_NAME = qm-kvm
+
+.PHONY: dist
+dist: ##             - Creates the QM kvm package
+	cd ${ROOTDIR} && tar cvz \
+		--dereference \
+		--transform 's|subsystems/kvm/Makefile|Makefile|' \
+		--transform 's|rpm/kvm/qm-kvm.spec|qm-kvm.spec|' \
+		--transform 's|qm|qm-kvm-${VERSION}|' \
+		-f /tmp/qm-kvm-${VERSION}.tar.gz \
+		../qm/rpm/kvm/qm-kvm.spec \
+		../qm/subsystems/kvm/Makefile \
+		../qm/tools/version-update \
+		../qm/VERSION \
+		../qm/README.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE \
+		../qm/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_kvm.conf \
+		../qm/subsystems/kvm/etc/containers/systemd/kvm.container
+
+	cd ${ROOTDIR} && mv /tmp/qm-kvm-${VERSION}.tar.gz ./rpm
+
+.PHONY: kvm
+kvm: dist ##             - Creates a local RPM kvm package, useful for development
+	@echo ${VERSION}
+	cd ${ROOTDIR} && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd ${ROOTDIR} && cp ./rpm/qm-kvm-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_IMG_KVM}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi

subsystems/kvm/etc/containers/systemd/kvm.container

@@ -0,0 +1,11 @@
+[Unit]
+Description=kvm Container
+After=network.target
+
+[Container]
+Image=quay.io/qm-images/kvm:latest
+ContainerName=kvm-container
+AddDevice=-/dev/kvm
+
+[Install]
+WantedBy=multi-user.target

subsystems/kvm/usr/share/qm/kvm/ContainerFile

@@ -0,0 +1,23 @@
+# ContainerFile used to create the image available at quay.io/qm-images/kvm:latest
+#
+# How to build
+# ==================
+# podman login quay.io
+# use build_kvm_container.sh to build container
+# podman push quay.io/qm-images/kvm:latest
+FROM fedora-minimal:latest
+
+ARG ARCH_QEMU
+
+ENV PASSWORD_FEDORA_USER=fedora
+
+RUN echo "Using QEMU architecture: ${ARCH_QEMU}"
+ENV ARCH_QEMU=${ARCH_QEMU}
+
+RUN dnf install qemu-system-${ARCH_QEMU} -y \
+                 && dnf clean all && rm -rf /var/cache/dnf
+
+COPY ./Fedora-Cloud-Base-Generic.qcow2 /var/lib/libvirt/images/
+
+# Set container stay alive
+ENTRYPOINT ["/bin/sh", "-c", "/usr/bin/qemu-system-${ARCH_QEMU} -smp 8 -enable-kvm -m 700M  -machine q35 -cpu host -device virtio-net-pci,netdev=n0,mac=FE:30:26:a6:91:2d -netdev user,id=n0,net=10.0.2.0/24,hostfwd=tcp::2226-:22 -drive file=/var/lib/libvirt/images/Fedora-Cloud-Base-Generic.qcow2,index=0,media=disk,format=qcow2,if=virtio,snapshot=off -nographic"]

subsystems/kvm/usr/share/qm/kvm/build_kvm_container.sh

@@ -0,0 +1,43 @@
+#!/usr/bin/bash
+
+# Install required repos
+sudo dnf -y install guestfs-tools curl perl qemu-user-static
+
+ARCHS=("amd64" "aarch64")
+IMAGE_NAME="kvm"
+TAG="latest"
+MANIFEST_NAME="${IMAGE_NAME}-manifest:${TAG}"
+FEDORA_USER_PASSWORD=${FEDORA_USER_PASSWORD:-$(openssl rand -base64 12)}
+
+#IMG_REG=quay.io
+#IMG_ORG=qm-images
+
+rm -f ./Fedora-Cloud-Base-Generic.qcow2
+podman manifest rm "$MANIFEST_NAME"
+podman manifest create "$MANIFEST_NAME" || exit 1
+
+for ARCH in "${ARCHS[@]}"; do
+    ARCH_QEMU=$([[ "$ARCH" == "amd64" ]] && echo "x86_64" || echo "$ARCH")
+    curl  -Lo ./Fedora-Cloud-Base-Generic.qcow2 "https://download.fedoraproject.org/pub/fedora/linux/releases/41/Cloud/${ARCH_QEMU}/images/Fedora-Cloud-Base-Generic-41-1.4.${ARCH_QEMU}.qcow2"
+    # Customize user:pass
+    export LIBGUESTFS_BACKEND=direct &&   \
+       virt-customize -a ./Fedora-Cloud-Base-Generic.qcow2   \
+             --edit '/etc/ssh/sshd_config: s/#PasswordAuthentication.*/PasswordAuthentication yes/' \
+             --firstboot-command 'dnf remove -y cloud-init' \
+             --firstboot-command "useradd -m -s /bin/bash -G wheel fedora" \
+             --firstboot-command "echo fedora:$FEDORA_USER_PASSWORD | chpasswd"
+
+    echo "Adding ${IMAGE_NAME}:${ARCH} to the manifest"
+    podman build \
+        --arch "${ARCH}" \
+	--build-arg ARCH_QEMU="${ARCH_QEMU}" \
+        --manifest ${MANIFEST_NAME} \
+        -f ContainerFile \
+        -t "${IMAGE_NAME}:${ARCH}"
+
+    rm -f ./Fedora-Cloud-Base-Generic.qcow2
+
+done
+
+#podman login --username "${REG_USERNAME}" --password "${REG_PASSWORD}" "${REG_URL}"
+#podman push localhost/kvm-manifest quay.io/qm-images/kvm:latest

subsystems/radio/Makefile

@@ -0,0 +1,32 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_RADIO ?= ${ROOTDIR}/rpm/radio/radio.spec
+PACKAGE_NAME = qm-mount-bind-radio
+
+.PHONY: dist
+dist: ##             - Creates the QM radio package
+	cd $(ROOTDIR) && tar cvz \
+		--dereference \
+		--transform s/qm/qm-radio-${VERSION}/ \
+		-f /tmp/qm-radio-${VERSION}.tar.gz \
+		../qm/README.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE \
+        ../qm/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_radio.conf
+	cd $(ROOTDIR) && mv /tmp/qm-radio-${VERSION}.tar.gz ./rpm
+
+
+.PHONY: radio
+radio: dist ##             - Creates a local RPM package, useful for development
+	cd $(ROOTDIR) && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd $(ROOTDIR) && tools/version-update -v ${VERSION}
+	cd $(ROOTDIR) && cp ./rpm/qm-radio-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_RADIO}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi

subsystems/ros2/Makefile

@@ -0,0 +1,38 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_ROS2_ROLLING ?= ${ROOTDIR}/rpm/ros2/ros2_rolling.spec
+PACKAGE_NAME = qm-ros2
+
+.PHONY: dist
+dist: ##             - Creates the QM ros2 package
+	cd $(ROOTDIR) && tar cvz \
+		--dereference \
+                --transform 's|subsystems/ros2/Makefile|Makefile|' \
+                --transform 's|rpm/ros2/ros2_rolling.spec|ros2_rolling.spec|' \
+		--transform s/qm/qm-ros2-${VERSION}/ \
+		-f /tmp/qm-ros2-${VERSION}.tar.gz \
+                ../qm/rpm/ros2/ros2_rolling.spec \
+                ../qm/subsystems/ros2/Makefile \
+                ../qm/tools/version-update \
+                ../qm/VERSION \
+		../qm/README.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE \
+		../qm/subsystems/ros2/etc/containers/systemd/ros2.container
+	cd $(ROOTDIR) && mv /tmp/qm-ros2-${VERSION}.tar.gz ./rpm
+
+
+.PHONY: ros2
+ros2: dist ##          - Creates a local RPM package, useful for development
+	cd $(ROOTDIR) && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd $(ROOTDIR) && tools/version-update -v ${VERSION}
+	cd $(ROOTDIR) && cp ./rpm/qm-ros2-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_ROS2_ROLLING}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi

subsystems/ros2/etc/containers/systemd/ros2.container

@@ -3,7 +3,8 @@ Description=ROS 2 Container Development env
 After=network.target
 
 [Container]
-Image=quay.io/qm-images/ros2:rolling
+Image=quay.io/fedora-sig-robotics/ros2:jazzy-cs9
+Exec=sleep infinity
 
 [Install]
 WantedBy=multi-user.target

subsystems/ros2/usr/share/qm/ContainerFile

@@ -12,7 +12,7 @@
 # ros2 run demo_nodes_cpp talker &
 #    ros2 run demo_nodes_cpp listener
 
-ARG FEDORA_VERSION=40
+ARG FEDORA_VERSION=latest
 
 FROM registry.fedoraproject.org/fedora-toolbox:${FEDORA_VERSION}
 
@@ -46,6 +46,12 @@ RUN dnf install -y \
   python3-pytest \
   python3-pytest-cov \
   python3-pytest-mock \
+  assimp-devel \
+  python3-matplotlib \
+  ignition-cmake-devel \
+  ignition-math-devel \
+  python3-pygraphviz \
+  urdfdom-headers-devel \
   python3-pytest-runner \
   python3-rosdep \
   python3-setuptools \
@@ -60,6 +66,7 @@ RUN dnf install -y \
 
 RUN python3 -m pip install -U \
   flake8-blind-except==0.1.1 \
+  flake8-docstrings \
   flake8-class-newline \
   flake8-deprecated
 
@@ -72,7 +79,7 @@ RUN rosdep update
 RUN rosdep install \
      --from-paths src \
      --ignore-src -y \
-     --skip-keys "assimp fastcdr ignition-cmake2 ignition-math6 python3-matplotlib python3-pygraphviz rti-connext-dds-6.0.1 urdfdom_headers"
+     --skip-keys "assimp fastcdr ignition-cmake2 ignition-math6 python3-matplotlib python3-pygraphviz rti-connext-dds-6.0.1 urdfdom_headers python3-flake8-docstrings"
 
 WORKDIR /opt/ros2
 

subsystems/sound/Makefile

@@ -0,0 +1,38 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_SOUND ?= ${ROOTDIR}/rpm/sound/sound.spec
+PACKAGE_NAME = qm-sound
+
+.PHONY: dist
+dist: ##             - Creates the QM sound package
+	cd $(ROOTDIR) && tar cvz \
+		--dereference \
+		--transform 's|subsystems/kvm/Makefile|Makefile|' \
+		--transform 's|rpm/sound/sound.spec|qm-sound.spec|' \
+		--transform 's|qm|qm-sound-${VERSION}|' \
+		-f /tmp/qm-sound-${VERSION}.tar.gz \
+		../qm/rpm/sound/sound.spec \
+		../qm/subsystems/sound/Makefile \
+		../qm/tools/version-update \
+		../qm/README.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE \
+		../qm/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_snd.conf \
+		../qm/subsystems/sound/etc/containers/systemd/audio.container
+
+	cd $(ROOTDIR) && mv /tmp/qm-sound-${VERSION}.tar.gz ./rpm
+
+.PHONY: sound
+sound: dist ##             - Creates a local RPM package, useful for development
+	cd $(ROOTDIR) && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd $(ROOTDIR) && tools/version-update -v ${VERSION}
+	cd $(ROOTDIR) && cp ./rpm/qm-sound-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_SOUND}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi

subsystems/sound/etc/containers/systemd/audio.container

@@ -4,6 +4,8 @@ After=network.target
 
 [Container]
 Image=quay.io/qm-images/audio:latest
+Network=host
+AddDevice=/dev/snd
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=multi-user.target

subsystems/text2speech/Makefile

@@ -0,0 +1,37 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_TEXT2SPEECH ?= ${ROOTDIR}/rpm/text2speech/text2speech.spec
+PACKAGE_NAME = qm-text2speech
+
+.PHONY: dist
+dist: ##             - Creates the QM input package
+	cd $(ROOTDIR) && tar cvz \
+		--dereference \
+                --transform 's|subsystems/text2speech/Makefile|Makefile|' \
+                --transform 's|rpm/text2speech/text2speech.spec|text2speech.spec|' \
+		--transform s/qm/qm-text2speech-${VERSION}/ \
+		-f /tmp/qm-text2speech-${VERSION}.tar.gz \
+                ../qm/rpm/text2speech/text2speech.spec \
+                ../qm/subsystems/text2speech/Makefile \
+                ../qm/tools/version-update \
+                ../qm/VERSION \
+		../qm/README.md \
+		../qm/CODE-OF-CONDUCT.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE
+	cd $(ROOTDIR) && mv /tmp/qm-text2speech-${VERSION}.tar.gz ./rpm
+
+.PHONY: text2speech
+text2speech: dist ##            - Creates a local RPM package, useful for development
+	cd $(ROOTDIR) && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd $(ROOTDIR) && tools/version-update -v ${VERSION}
+	cd $(ROOTDIR) && cp ./rpm/qm-text2speech-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	cd $(ROOTDIR) && rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_TEXT2SPEECH}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi

subsystems/tty7/Makefile

@@ -0,0 +1,37 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_TTY7 ?= ${ROOTDIR}/rpm/tty7/tty7.spec
+PACKAGE_NAME = qm-mount-bind-tty7
+
+.PHONY: dist
+dist: ##             - Creates the QM tty7 package
+	cd $(ROOTDIR) && tar cvz \
+		--dereference \
+		--transform 's|subsystems/tty7/Makefile|Makefile|' \
+		--transform 's|rpm/tty7/tty7.spec|tty7.spec|' \
+		--transform s/qm/qm-tty7-${VERSION}/ \
+		-f /tmp/qm-tty7-${VERSION}.tar.gz \
+                ../qm/rpm/tty7/tty7.spec \
+		../qm/subsystems/tty7/Makefile \
+		../qm/tools/version-update \
+		../qm/VERSION \
+		../qm/README.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE \
+		../qm/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_tty7.conf
+	cd $(ROOTDIR) && mv /tmp/qm-tty7-${VERSION}.tar.gz ./rpm
+
+.PHONY: tty7
+tty7: dist ##             - Creates a local RPM package, useful for development
+	cd $(ROOTDIR) && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd $(ROOTDIR) && tools/version-update -v ${VERSION}
+	cd $(ROOTDIR) && cp ./rpm/qm-tty7-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_TTY7}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi

subsystems/ttyUSB0/Makefile

@@ -0,0 +1,37 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_TTYUSB0 ?= ${ROOTDIR}/rpm/ttyUSB0/ttyUSB0.spec
+PACKAGE_NAME = qm-mount-bind-ttyUSB0
+
+.PHONY: dist
+dist: ##             - Creates the QM ttyUSB0 package
+	cd $(ROOTDIR) && tar cvz \
+		--dereference \
+		--transform s/qm/qm-ttyUSB0-${VERSION}/ \
+		--transform 's|subsystems/ttyUSB0/Makefile|Makefile|' \
+		--transform 's|rpm/ttyUSB0/ttyUSB0.spec|ttyUSB0.spec|' \
+		-f /tmp/qm-ttyUSB0-${VERSION}.tar.gz \
+		../qm/rpm/ttyUSB0/ttyUSB0.spec \
+		../qm/subsystems/ttyUSB0/Makefile \
+		../qm/tools/version-update \
+		../qm/VERSION \
+		../qm/README.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE \
+		../qm/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_ttyUSB0.conf
+	cd $(ROOTDIR) && mv /tmp/qm-ttyUSB0-${VERSION}.tar.gz ./rpm
+
+.PHONY: ttyUSB0
+ttyUSB0: dist ##             - Creates a local RPM package, useful for development
+	cd $(ROOTDIR) && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd $(ROOTDIR) && tools/version-update -v ${VERSION}
+	cd $(ROOTDIR) && cp ./rpm/qm-ttyUSB0-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_TTYUSB0}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi

subsystems/video/Makefile

@@ -0,0 +1,38 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_VIDEO ?= ${ROOTDIR}/rpm/video/video.spec
+PACKAGE_NAME = qm-mount-bind-video
+
+.PHONY: dist
+dist: ##             - Creates the QM video package
+	cd $(ROOTDIR) && tar cvz \
+		--dereference \
+                --transform 's|subsystems/video/Makefile|Makefile|' \
+                --transform 's|rpm/video/video.spec|video.spec|' \
+		--transform s/qm/qm-video-${VERSION}/ \
+		-f /tmp/qm-video-${VERSION}.tar.gz \
+		../qm/rpm/video/video.spec \
+                ../qm/subsystems/video/Makefile \
+                ../qm/tools/version-update \
+                ../qm/VERSION \
+		../qm/README.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE \
+		../qm/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_video.conf \
+		../qm/subsystems/video/etc/containers/systemd/rear-camera.container
+	cd $(ROOTDIR) && mv /tmp/qm-video-${VERSION}.tar.gz ./rpm
+
+.PHONY: video
+video: dist ##             - Creates a local RPM package, useful for development
+	cd $(ROOTDIR) && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd $(ROOTDIR) && tools/version-update -v ${VERSION}
+	cd $(ROOTDIR) && cp ./rpm/qm-video-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_VIDEO}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi

subsystems/video/etc/containers/systemd/rear-camera.container

@@ -12,4 +12,5 @@ WantedBy=multi-user.target
 [Container]
 Image=quay.io/qm-images/multimedia:latest
 Exec=fswebcam -r 1024x768 --jpeg 100 /tmp/screenshot.jpg
-Volume=/tmp:/tmp
+Volume=/var/tmp:/tmp:Z
+AddDevice=-/dev/video0

subsystems/windowmanager/Makefile

@@ -0,0 +1,35 @@
+RPM_TOPDIR ?= $(PWD)/rpmbuild
+VERSION ?= $(shell cat VERSION)
+ROOTDIR ?= $(PWD)
+SPECFILE_SUBPACKAGE_IMG_WINDOWMANAGER ?= ${ROOTDIR}/rpm/windowmanager/windowmanager.spec
+PACKAGE_NAME = qm-windowmanager
+
+.PHONY: dist
+dist: ##             - Creates the QM windowmanager package
+	cd $(ROOTDIR) && tar cvz \
+		--dereference \
+		--transform 's|subsystems/windowmanager/Makefile|Makefile|' \
+		--transform 's|rpm/windowmanager/windowmanager.spec|windowmanager.spec|' \
+		--transform s/qm/qm-windowmanager-${VERSION}/ \
+		-f /tmp/qm-windowmanager-${VERSION}.tar.gz \
+		../qm/README.md \
+		../qm/SECURITY.md \
+		../qm/LICENSE \
+		../qm/subsystems/windowmanager/etc/containers/systemd/ \
+		../qm/subsystems/windowmanager/etc/pam.d/wayland \
+		../qm/etc/containers/systemd/qm.container.d/qm_dropin_mount_bind_window_manager.conf
+	cd $(ROOTDIR) && mv /tmp/qm-windowmanager-${VERSION}.tar.gz ./rpm
+
+.PHONY: windowmanager
+windowmanager: dist ##         - Creates a local windowmanager package, useful for development
+	cd $(ROOTDIR) && mkdir -p ${RPM_TOPDIR}/{RPMS,SRPMS,BUILD,SOURCES}
+	cd $(ROOTDIR) && tools/version-update -v ${VERSION}
+	cp ./rpm/qm-windowmanager-${VERSION}.tar.gz ${RPM_TOPDIR}/SOURCES
+	rpmbuild -ba \
+		--define="_topdir ${RPM_TOPDIR}" \
+		--define="version ${VERSION}" \
+		${SPECFILE_SUBPACKAGE_IMG_WINDOWMANAGER}
+	if [ ! -f ${RPM_TOPDIR}/RPMS/noarch/${PACKAGE_NAME}-${VERSION}*.noarch.rpm ]; then \
+		echo "rpmbuild failed to build: ${PACKAGE_NAME}"; \
+		exit 1; \
+	fi