Restructure qmctl (#839)

* Added QMCTL class

This MR I added QMCTL class wich will be responsiable to run all the
command function and return the result. Also added all the imports
needed to all the file

Signed-off-by: Artiom Divak <adivak@redhat.com>

* Adding ArgumentParserWithDefaults and SubcommandInitializer

ArgumentParserWithDefaults class automatically adds default values to the help text of arguments
SubcommandInitializer is a generic class to initialize subparsers for command-line applications

Signed-off-by: Artiom Divak <adivak@redhat.com>

* Added the core of QMCTL

This commits adds the main function the init of the subcommand and the
handle function for the subcommand with other vital function.

Signed-off-by: Artiom Divak <adivak@redhat.com>

---------

Signed-off-by: Artiom Divak <adivak@redhat.com>
Co-authored-by: Douglas Landgraf <dougsland@redhat.com>

.gitignore

@@ -6,3 +6,4 @@ qm.pp.bz2
 qm_file_contexts
 *.8
 tests/e2e/ContainerFile.template
+__pycache__/

VERSION

@@ -1 +1 @@
-0.7.5
+0.7.6

docs/devel/README.developer.md

@@ -0,0 +1,109 @@
+# Developers documentation
+
+## Building QM rpm manually with changes
+
+Building QM locally with changes for tests is a recommended practice,
+especially for testing new features before submitting a pull request.
+
+**1.** Prerequisite
+
+```bash
+dnf install -y rpm-build golang-github-cpuguy83-md2man selinux-policy-devel
+```
+
+**2.** Clone the repo
+
+```bash
+git clone https://github.com/containers/qm.git && cd qm
+```
+
+**3.** Build the RPM
+
+Select a QM version that is a higher number from the current one.
+For example, if today's QM version is 0.6.2, set it to 1.0 so that
+the RPM created is identifiable as yours.
+
+```bash
+make clean && VERSION=1.0 make rpm
+```
+
+The rpm is created at the `${RPM_TOPDIR}/RPMS` folder, by default
+`${PWD}/rpmbuild/RPMS`.
+You can export **RPM_TOPDIR** to change the path where the rpm will be placed.
+For example:
+
+```bash
+VERSION=1.0 RPM_TOPDIR=/USER/rpmbuild make rpm
+```
+
+## Building CentOS AutoSD and QM manually
+
+During development, it is common to conduct integration tests to ensure your
+changes work well with other components within the overall solution.
+In our case, it's best to test against the CentOS Automotive Stream
+Distribution (AutoSD) image.
+
+Once you have the new [RPM](#building-qm-rpm-manually-with-changes), follow these steps:
+
+**1.** Make sure the new rpm is located in **/USER/rpmbuild/RPMS/**
+
+Example
+
+```bash
+ls /root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
+/root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
+```
+
+**2.** Download additional packages required by the image
+
+```bash
+sudo dnf download --destdir /root/rpmbuild/RPMS/noarch/ selinux-policy selinux-policy-any
+```
+
+**3.** Create a local repository with the new package
+
+```bash
+dnf install createrepo_c -y
+cd /root/rpmbuild/RPMS/noarch/
+createrepo .
+```
+
+**4.** Clone the CentOS Automotive distro for the build
+
+Ensure you meet the requirements for the CentOS Automotive Stream by
+referring to [this link](https://sigs.centos.org/automotive/building/).
+
+The following commands will execute:
+
+- Install the podman package
+- Clone the sample-images repository and required submodules (automotive-image-builder)
+- Cleanups before a fresh build
+- Finally creates a new qcow2 image (BASED ON distro name, mode (ostree or regular) and uses the qemu-qm-container sample image)
+  NOTE:
+  - The path for the new QM rpm file (/root/rpmbuild/RPMS/noarch)
+  - extra_rpms - useful for debug.
+  - ssh enabled
+
+The command below utilises automotive-image-builder to produce a `qm-minimal` qcow2 image for cs9,
+other example images such as `simple-qm-container` and the `simple-qm`
+image can be found in the images directory of the sample-images repository.
+
+```bash
+dnf install podman -y && dnf clean all
+git clone https://gitlab.com/CentOS/automotive/sample-images.git
+git submodule update --init
+cd sample-images/
+rm -rf _build #Optional, only relevant after initial build
+rm -rf *.qcow2 #Optional, only relevant after initial build
+./automotive-image-builder/automotive-image-builder build --distro cs9 --mode package --define 'ssh_permit_root_login=true' --define 'ssh_permit_password_auth=true' --define 'extra_repos=[{"id":"local","baseurl":"file:///root/rpmbuild/RPMS/noarch"}]' --define 'extra_rpms=["qm-1.0", "vim-enhanced", "openssh-server", "openssh-clients", "python3", "polkit", "rsync", "strace", "dnf", "gdb"]' --target qemu --export qcow2 images/qm-minimal.mpp.yml cs9-qemu-qm-container.x86_64.qcow2
+```
+
+If you would like more information on building automotive images with automotive-image-builder, please see the
+[Automotive SIG pages for AutoSD](https://sigs.centos.org/automotive/getting-started/about-automotive-image-builder/)
+
+Run the virtual machine, default user: root, pass: password.
+To change default values, use the [defaults.ipp.yml](https://gitlab.com/CentOS/automotive/src/automotive-image-builder/-/blob/main/include/defaults.ipp.yml) file.
+
+```bash
+./automotive-image-builder/automotive-image-runner --nographics ./cs9-qemu-qm-container.x86_64.qcow2
+```

docs/devel/README.maintainer.md

@@ -0,0 +1,21 @@
+# Maintainer documentation
+
+## Creating a new release
+
+Initially, make sure to [bump **qm.te** and **VERSION** files in the git repo](https://github.com/containers/qm/pull/760) to the next release, i.e: *v0.7.5*.
+After that, follow the steps below using GitHub UI.
+
+**Create a new Release**
+![Click on Releases](./pics/creatingreleases/00-Click-on-Releases.jpeg)
+
+**Draft a new release**
+![Draft a new release](./pics/creatingreleases/01-Draft-a-new-release.png)
+
+**Create a new tag**
+![Create a tag](./pics/creatingreleases/02-Create-a-tag.jpeg)
+
+**Generate release notes**
+![Generate release notes](./pics/creatingreleases/03-Generate-release-notes.jpeg)
+
+**Publish Release**
+![Click on publish release](./pics/creatingreleases/04-click-on-publish-release.jpeg)

docs/docs/experimental/subpackages.md

@@ -1,20 +1,7 @@
-# Topics
+# Subpackages
 
-1. [QM Sub-Packages](#qm-sub-packages)
-    - [Key Features of QM Sub-Packages](#key-features-of-qm-sub-packages)
-    - [Building QM Sub-Packages](#building-qm-sub-packages)
-    - [Installing QM Sub-Packages](#installing-qm-sub-packages)
-    - [Removing QM Sub-Packages](#removing-qm-sub-packages)
-    - [Creating Your Own Drop-In QM Sub-Package](#creating-your-own-drop-in-qm-sub-package)
-    - [QM Sub-Package Input](#qm-sub-package-input)
-    - [QM Sub-Package tty7](#qm-sub-package-tty7)
-    - [QM Sub-Package ttyUSB0](#qm-sub-package-ttyusb0)
-    - [QM Sub-Package Video](#qm-sub-package-video)
-    - [QM Sub-Package Sound](#qm-sub-package-sound)
-    - [QM Sub-Package ROS2](#qm-sub-package-ros2)
-    - [QM Sub-Package KVM](#qm-sub-package-kvm)
-
-## QM Sub-packages
+Subpackages are **experimental approach** to deliver in a single point (RPM) dropin files
+and additional requirements.
 
 The qm project is designed to provide a flexible and modular environment for managing
 Quality Management (QM) software in containerized environments. One of the key features
@@ -24,24 +11,20 @@ to easily extend or customize their QM environment by adding specific configurat
 tools, or scripts to the containerized QM ecosystem by simple installing or uninstalling
 a RPM package into the system.
 
-## Key Features of QM Sub-Packages
+The key features of QM Sub-Packages are
 
-### Modularity
+- **Modularity**
+  - No configuration change, no typo or distribution rebuild/update.
+    - Just dnf install/remove from the traditional rpm schema.
+- **Customizability**
+  - Users can easily add specific configurations to enhance or modify the behavior of their QM containers.
+- **Maintainability**
+  - Sub-packages ensure that the base qm package remains untouched, allowing easy updates without breaking custom configurations.
+- **Simplicity**
+  - Like qm-dropin provide a clear directory structure and templates to guide users in customizing their QM environment.
 
-- No configuration change, no typo or distribution rebuild/update.
-- Just dnf install/remove from the traditional rpm schema.
-
-### Customizability
-
-- Users can easily add specific configurations to enhance or modify the behavior of their QM containers.
-
-### Maintainability
-
-- Sub-packages ensure that the base qm package remains untouched, allowing easy updates without breaking custom configurations.
-
-### Simplicity
-
-- Like qm-dropin provide a clear directory structure and templates to guide users in customizing their QM environment.
+!!! note
+    The following sections describe the currently available QM subpackages.
 
 ## Building QM sub-packages
 

docs/docs/how_tos/android.md

@@ -1,4 +1,6 @@
-# An example of Android container running on top of kvm using quadlet and Wayland
+# Virtualization: Android container with Quadlet
+
+This is an example of an Android container running on top of kvm using quadlet and Wayland:
 
 ```console
 $ cat ~/.config/containers/systemd/android.container

docs/docs/how_tos/network.md

@@ -1,20 +1,22 @@
-# Network Modes in Podman
+# Using network modes with QM
+
+## Basics: Network Modes in Podman
 
 When running a container with Podman, you can specify the network mode using the `--network` flag. Two common options are `host` and `private`.
 
-## Network=host
+### Network=host
 
 If you set `--network=host`, the container will use the host's network stack. This means the container will share the same network namespace as the host, and will be able to access the host's network interfaces, IP addresses, and ports.
 
 In this mode, the container is not isolated from the host's network, and can potentially access sensitive network resources. This can be useful for certain use cases, such as running a container that needs to access a specific network interface or port on the host.
 
-## Network=private (default)
+### Network=private (default)
 
 By default, Podman uses the `private` network mode. This means that the container will have its own isolated network namespace, and will not be able to access the host's network interfaces, IP addresses, or ports.
 
 In this mode, the container is isolated from the host's network, and can only communicate with other containers on the same network. This provides a higher level of security, as the container is not able to access sensitive network resources on the host.
 
-## Security Implications
+### Security Implications
 
 The reason `private` is the default network mode is due to security concerns. By isolating the container's network namespace, Podman prevents the container from accessing sensitive network resources on the host, such as:
 
@@ -27,7 +29,7 @@ This helps to prevent potential security vulnerabilities, such as:
 * Container escape: a container accessing sensitive resources on the host
 * Lateral movement: a container accessing other containers on the host
 
-## Example
+### Example
 
 To illustrate the difference, consider the following example:
 
@@ -43,4 +45,40 @@ In the first example, the container will share the host's network namespace, whi
 
 For more information, see the [Podman Networking Tutorial](https://github.com/containers/podman/blob/main/docs/tutorials/basic_networking.md).
 
-For network modes configuration example using quadlets, see [Qaudlet Network Example](https://github.com/containers/qm/blob/main/docs/quadlet-examples/network/README.md).
+For network modes configuration example using quadlets, see [Quadlet Network Example](https://github.com/containers/qm/blob/main/docs/quadlet-examples/network/README.md).
+
+## Quadlet example running host and private networks
+
+Here is an example of running a network-test container using quadlets for both --network=host and --network=private. You should place this file either in /usr/share/containers/systemd/ or /etc/containers/systemd/
+
+```console
+/usr/share/containers/systemd/
+/etc/containers/systemd/
+```
+
+For rootless users:
+
+```console
+$HOME/.config/containers/systemd/
+
+```
+
+Host Network
+
+```console
+# network-test.container
+[Container]
+ContainerName=network-test
+Image=localhost/local-audio-image
+Network=host
+```
+
+Private Network
+
+```console
+# network-test.container
+[Container]
+ContainerName=network-test
+Image=localhost/local-audio-image
+Network=private
+```

docs/docs/how_tos/qm_variables.md

@@ -1,11 +1,7 @@
-# Title: How to change the variables in qm containers.conf
-
-## Description
+# Changing variables in qm containers.conf
 
 The `container.conf` file needs to be modified to allow pulling images larger than 1G from the repository on OStree images.
 
-Input:
-
 ## Update container image_copy_tmp_dir if the image is an OStree
 
 1. Create /var/qm/tmp.dir or differently named directory on host.

docs/docs/ipc.md

@@ -0,0 +1,72 @@
+# Setting up IPC
+
+In systems where **Automotive Safety Integrity Level (ASIL)** and **Quality Management (QM)**
+components coexist, strict separation is enforced to maintain safety and security boundaries via
+**SELinux (Security-Enhanced Linux)**, which labels processes and files with security contexts
+to control their interactions.
+
+**IPC (Inter-Process Communication)** between ASIL and QM components must be tightly controlled.
+To comply with SELinux policies and avoid permission denials, any socket-based communication
+between ASIL and QM domains should be established in the dedicated directory such as /run/ipc
+with ipc_var_run_t file context. It serves as a secure bridge for cross-domain communication
+while maintaining SELinux isolation.
+
+On the other hand, **IPC between QM services** (e.g., two services or containers within the same QM domain)
+can occur as well. Since these components share the same SELinux type and context, they are allowed to
+communicate using standard Unix domain sockets located in /run. This approach simplifies internal QM
+communication without compromising the system's overall security posture. Such communication can be
+orchestrated also using container orchestration patterns like **.pod (Podman pod definitions)** or
+**.kube (Kubernetes pod manifests)**, which group related services in shared namespaces to support efficient
+IPC within the same trust boundary.
+
+## Example QM to QM app
+
+## /etc/qm/containers/systemd/ipc_client.container
+
+```console
+[Unit]
+Description=Demo client service container
+Requires=ipc_server.socket
+After=ipc_server.socket
+[Container]
+Image=quay.io/username/ipc-demo/ipc_client:latest
+Network=none
+Volume=/run/:/run/
+SecurityLabelLevel=s0:c1,c2
+[Service]
+Restart=always
+[Install]
+WantedBy=multi-user.target
+```
+
+## /etc/qm/containers/systemd/ipc_server.container
+
+```console
+[Unit]
+Description=Demo server service container
+Requires=ipc_server.socket
+After=ipc_server.socket
+[Container]
+Image=quay.io/username/ipc-demo/ipc_server:latest
+Network=none
+Volume=/run/:/run/
+SecurityLabelLevel=s0:c1,c2
+[Service]
+Restart=always
+Type=notify
+[Install]
+WantedBy=multi-user.target
+```
+
+## /etc/qm/systemd/system/ipc_server.socket
+
+```console
+[Unit]
+Description=IPC Server Socket
+[Socket]
+ListenStream=%t/ipc_server.socket
+SELinuxContextFromNet=yes
+
+[Install]
+WantedBy=sockets.target
+```

docs/docs/usage.md

@@ -1,172 +1,20 @@
-# Developers documentation
+# Using QM
 
-## Table of contents
+This section describes how to interact with QM.
 
-- [Building QM rpm manually with changes](#building-qm-rpm-manually-with-changes)
-- [Building CentOS AutoSD and QM manually](#building-centos-autosd-and-qm-manually)
-- [Creating Releases](#creating-releases)
-- [Subpackages](#subpackages)
-- [Useful Commands](#useful-commands)
-  - [Installing software inside QM partition](#installing-software-inside-qm-partition)
-  - [Removing software inside QM partition](#removing-software-inside-qm-partition)
-  - [Copying files to QM partition](#copying-files-to-qm-partition)
-  - [Listing QM service](#listing-qm-service)
-  - [List QM container via podman](#list-qm-container-via-podman)
-  - [Extend QM quadlet managed by podman](#extend-qm-quadlet-managed-by-podman)
-  - [Managing CPU usage](#managing-cpu-usage)
-  - [Connecting to QM container via podman](#connecting-to-qm-container-via-podman)
-  - [SSH guest CentOS Automotive Stream Distro](#ssh-guest-centos-automotive-stream-distro)
-  - [Check if HOST and Container are using different network namespace](#check-if-host-and-container-are-using-different-network-namespace)
-  - [Debugging with podman in QM using --root](#debugging-with-podman-in-qm)
-  - [Debugging with quadlet](#debugging-with-quadlet)
-
-## Building QM rpm manually with changes
-
-Building QM locally with changes for tests is a recommended practice,
-especially for testing new features before submitting a pull request.
-
-**1.** Prerequisite
-
-```bash
-dnf install -y rpm-build golang-github-cpuguy83-md2man selinux-policy-devel
-```
-
-**2.** Clone the repo
-
-```bash
-git clone https://github.com/containers/qm.git && cd qm
-```
-
-**3.** Build the RPM
-
-Select a QM version that is a higher number from the current one.
-For example, if today's QM version is 0.6.2, set it to 1.0 so that
-the RPM created is identifiable as yours.
-
-```bash
-make clean && VERSION=1.0 make rpm
-```
-
-The rpm is created at the `${RPM_TOPDIR}/RPMS` folder, by default
-`${PWD}/rpmbuild/RPMS`.
-You can export **RPM_TOPDIR** to change the path where the rpm will be placed.
-For example:
-
-```bash
-VERSION=1.0 RPM_TOPDIR=/USER/rpmbuild make rpm
-```
-
-## Building CentOS AutoSD and QM manually
-
-During development, it is common to conduct integration tests to ensure your
-changes work well with other components within the overall solution.
-In our case, it's best to test against the CentOS Automotive Stream
-Distribution (AutoSD) image.
-
-Once you have the new [RPM](#building-qm-rpm-manually-with-changes), follow these steps:
-
-**1.** Make sure the new rpm is located in **/USER/rpmbuild/RPMS/**
-
-Example
-
-```bash
-ls /root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
-/root/rpmbuild/RPMS/noarch/qm-1.0-1.noarch.rpm
-```
-
-**2.** Download additional packages required by the image
-
-```bash
-sudo dnf download --destdir /root/rpmbuild/RPMS/noarch/ selinux-policy selinux-policy-any
-```
-
-**3.** Create a local repository with the new package
-
-```bash
-dnf install createrepo_c -y
-cd /root/rpmbuild/RPMS/noarch/
-createrepo .
-```
-
-**4.** Clone the CentOS Automotive distro for the build
-
-Ensure you meet the requirements for the CentOS Automotive Stream by
-referring to [this link](https://sigs.centos.org/automotive/building/).
-
-The following commands will execute:
-
-- Install the podman package
-- Clone the sample-images repository and required submodules (automotive-image-builder)
-- Cleanups before a fresh build
-- Finally creates a new qcow2 image (BASED ON distro name, mode (ostree or regular) and uses the qemu-qm-container sample image)
-  NOTE:
-  - The path for the new QM rpm file (/root/rpmbuild/RPMS/noarch)
-  - extra_rpms - useful for debug.
-  - ssh enabled
-
-The command below utilises automotive-image-builder to produce a `qm-minimal` qcow2 image for cs9,
-other example images such as `simple-qm-container` and the `simple-qm`
-image can be found in the images directory of the sample-images repository.
-
-```bash
-dnf install podman -y && dnf clean all
-git clone https://gitlab.com/CentOS/automotive/sample-images.git
-git submodule update --init
-cd sample-images/
-rm -rf _build #Optional, only relevant after initial build
-rm -rf *.qcow2 #Optional, only relevant after initial build
-./automotive-image-builder/automotive-image-builder build --distro cs9 --mode package --define 'ssh_permit_root_login=true' --define 'ssh_permit_password_auth=true' --define 'extra_repos=[{"id":"local","baseurl":"file:///root/rpmbuild/RPMS/noarch"}]' --define 'extra_rpms=["qm-1.0", "vim-enhanced", "openssh-server", "openssh-clients", "python3", "polkit", "rsync", "strace", "dnf", "gdb"]' --target qemu --export qcow2 images/qm-minimal.mpp.yml cs9-qemu-qm-container.x86_64.qcow2
-```
-
-If you would like more information on building automotive images with automotive-image-builder, please see the
-[Automotive SIG pages for AutoSD](https://sigs.centos.org/automotive/getting-started/about-automotive-image-builder/)
-
-Run the virtual machine, default user: root, pass: password.
-To change default values, use the [defaults.ipp.yml](https://gitlab.com/CentOS/automotive/src/automotive-image-builder/-/blob/main/include/defaults.ipp.yml) file.
-
-```bash
-./automotive-image-builder/automotive-image-runner --nographics ./cs9-qemu-qm-container.x86_64.qcow2
-```
-
-## Creating Releases
-
-Initially make sure to [bump **qm.te** and **VERSION** files in the git repo](https://github.com/containers/qm/pull/760) to the next release, i.e: *v0.7.5*.
-After that, follow the steps below using GitHub UI.
-
-**Create a new Release**
-![Click on Releases](./pics/creatingreleases/00-Click-on-Releases.jpeg)
-
-**Draft a new release**
-![Draft a new release](./pics/creatingreleases/01-Draft-a-new-release.png)
-
-**Create a new tag**
-![Create a tag](./pics/creatingreleases/02-Create-a-tag.jpeg)
-
-**Generate release notes**
-![Generate release notes](./pics/creatingreleases/03-Generate-release-notes.jpeg)
-
-**Publish Release**
-![Click on publish release](./pics/creatingreleases/04-click-on-publish-release.jpeg)
-
-## Subpackages
-
-Subpackages are **experimental approach** to deliver in a single point (RPM) dropin files and additional requirements. [Click here for more information](experimental/SUBPACKAGES.md)
-
-## Useful Commands
-
-### Installing software inside QM partition
+## Installing software inside QM partition
 
 ```bash
 dnf --installroot /usr/lib/qm/rootfs/ install vim -y
 ```
 
-### Removing software inside QM partition
+## Removing software inside QM partition
 
 ```bash
 dnf --installroot /usr/lib/qm/rootfs/ remove vim -y
 ```
 
-### Copying files to QM partition
+## Copying files to QM partition
 
 Please note: This process is only applicable for regular images.
 OSTree images are read-only, and any files must be included during the build process.
@@ -181,7 +29,7 @@ bash-5.1> ls /root
 file_to_be_copied
 ```
 
-### Listing QM service
+## Listing QM service
 
 ```bash
 [root@localhost ~]# systemctl status qm -l
@@ -209,7 +57,7 @@ e-id a83253ae278d7394cb38e975535590d7 --max-bytes 536870912 --max-fds 4096 --max
 -matches 16384 --audit
 ```
 
-### List QM container via podman
+## List QM container via podman
 
 ```console
 # podman ps
@@ -217,7 +65,7 @@ CONTAINER ID  IMAGE       COMMAND     CREATED         STATUS         PORTS
 a83253ae278d              /sbin/init  38 seconds ago  Up 38 seconds              qm
 ```
 
-### Extend QM quadlet managed by podman
+## Extend QM quadlet managed by podman
 
 QM quadlet file is shipped through rpm, refer the following file.
 qm.container which is installed to /usr/share/containers/systemd/qm.container
@@ -255,13 +103,13 @@ systemctl is-active qm
 active
 ```
 
-### Managing CPU usage
+## Managing CPU usage
 
 Using the steps below, it's possible to manage CPU usage of the `qm.service` by modifying service attributes and utilizing drop-in files.
 
-#### Setting the CPUWeight attribute
+### Setting the CPUWeight attribute
 
-Modifying the `CPUWeight` attribute affects the priority the of `qm.service`. A higher value prioritizes the service, while a lower value deprioritizes it.
+Modifying the `CPUWeight` attribute affects the priority of the `qm.service`. A higher value prioritizes the service, while a lower value deprioritizes it.
 
 Inspect the current CPUWeight value:
 
@@ -275,7 +123,7 @@ Set the CPUWeight value:
 systemctl set-property qm.service CPUWeight=500
 ```
 
-#### Limiting CPUQuota
+### Limiting CPUQuota
 
 It's also possible to limit the percentage of the CPU allocated to the `qm.service` by defining `CPUQuota`. The percentage specifies how much CPU time the unit shall get at maximum, relative to the total CPU time available on one CPU.
 
@@ -332,14 +180,14 @@ Expected output:
       1 root      20   0   65576  37904  11116 S   0.0   0.1   0:40.00 systemd
 ```
 
-### Connecting to QM container via podman
+## Connecting to QM container via podman
 
 ```console
 # podman exec -it qm bash
 bash-5.1#
 ```
 
-### SSH guest CentOS Automotive Stream Distro
+## SSH guest CentOS Automotive Stream Distro
 
 Make sure the CentOS Automotive Stream Distro Virtual Machine/Container is running with SSHD enabled
 and permits ssh connection from root user.
@@ -371,23 +219,23 @@ connect-to-VM-via-SSH> ssh root@127.0.0.1 \
     -oUserKnownHostsFile=/dev/null
 ```
 
-### Check if HOST and Container are using different network namespace
+## Check if HOST and Container are using different network namespace
 
-#### HOST
+### HOST
 
 ```console
 [root@localhost ~]# ls -l /proc/self/ns/net
 lrwxrwxrwx. 1 root root 0 May  1 04:33 /proc/self/ns/net -> 'net:[4026531840]'
 ```
 
-#### QM
+### QM
 
 ```console
 bash-5.1# ls -l /proc/self/ns/net
 lrwxrwxrwx. 1 root root 0 May  1 04:33 /proc/self/ns/net -> 'net:[4026532287]'
 ```
 
-### Debugging with podman in QM
+## Debugging with podman in QM
 
 ```console
 bash-5.1# podman --root /usr/share/containers/storage pull alpine
@@ -395,7 +243,7 @@ Error: creating runtime static files directory "/usr/share/containers/storage/li
 mkdir /usr/share/containers/storage: read-only file system
 ```
 
-### Debugging with quadlet
+## Debugging with quadlet
 
 Imagine a situation where you have a Quadlet container inside QM that isn't starting, and you're unsure why. The best approach is to log into the QM, run the ```quadlet --dryrun``` command, and analyze what's happening. Here's how you can troubleshoot the issue step by step.
 

docs/mkdocs.yml

@@ -7,8 +7,15 @@ edit_uri: blob/main/docs/docs/
 copyright: Copyright Contributors to the QM project
 nav:
   - Home: index.md
-  - Getting Started:
-      - Installation: getting_started/installation.md
+  - Getting Started: getting_started.md
+  - Using QM: usage.md
+  - Setting up IPC: ipc.md
+  - How To:
+    - Android container: how_tos/android.md
+    - Using network modes with QM: how_tos/network.md
+    - Changing variables in QM: how_tos/qm_variables.md
+  - Experimental:
+    - QM Subpackages: experimental/subpackages.md
   - Additional resources: resources.md
 
 theme:
@@ -17,9 +24,6 @@ theme:
     - content.code.copy
     - navigation.indexes
 
-extra_javascript:
-  - assets/js/tab-sync.js
-
 markdown_extensions:
   - toc:
       permalink: True

docs/quadlet-examples/network/README.md

@@ -1,35 +0,0 @@
-# Here is an example of running a network-test container using quadlets for both --network=host and --network=private
-
-You should place this file either in /usr/share/containers/systemd/ or /etc/containers/systemd/
-
-```console
-/usr/share/containers/systemd/
-/etc/containers/systemd/
-```
-
-For rootless users:
-
-```console
-$HOME/.config/containers/systemd/
-
-```
-
-Host Network
-
-```console
-# network-test.container
-[Container]
-ContainerName=network-test
-Image=localhost/local-audio-image
-Network=host
-```
-
-Private Network
-
-```console
-# network-test.container
-[Container]
-ContainerName=network-test
-Image=localhost/local-audio-image
-Network=private
-```

qm.fc

@@ -10,6 +10,7 @@
 /etc/qm(/.*)?	gen_context(system_u:object_r:qm_file_t,s0)
 
 # File context for ipc programs
+/usr/lib/qm/rootfs/run/ipc(/.*)?	gen_context(system_u:object_r:ipc_var_run_t,s0)
 /run/ipc(/.*)?	gen_context(system_u:object_r:ipc_var_run_t,s0)
 
 # File context for bluechi-agent inside QM

qm.if

@@ -15,6 +15,7 @@ template(`qm_domain_template',`
 	gen_require(`
 		class dbus { send_msg acquire_svc };
 		class passwd rootok;
+		class process setcurrent;
 
 		attribute container_domain;
 		attribute filesystem_type;
@@ -60,6 +61,7 @@ template(`qm_domain_template',`
 	container_exec_share_files($1_t)
 	allow $1_t container_ro_file_t:file execmod;
 	allow $1_container_domain $1_file_type:chr_file { rw_inherited_file_perms };
+	allow $1_t self:process setcurrent;
 
 	attribute $1_file_type;
 	allow $1_file_type self:filesystem associate;
@@ -83,6 +85,7 @@ template(`qm_domain_template',`
 	allow $1_t $1_file_type:chr_file mounton;
 	allow $1_t $1_file_type:sock_file mounton;
 
+	filetrans_pattern(ipc_t, $1_file_t, ipc_var_run_t, dir, "ipc")
 	list_dirs_pattern($1_t, ipc_var_run_t, ipc_var_run_t)
 	allow $1_t ipc_var_run_t:dir mounton;
 

qm.te

@@ -1,4 +1,4 @@
-policy_module(qm, 0.7.5)
+policy_module(qm, 0.7.6)
 
 gen_require(`
 	attribute container_file_type;

rpm/qm.spec

@@ -16,6 +16,11 @@
 # Format must contain '$x' somewhere to do anything useful
 %global _format() export %1=""; for x in %{modulenames}; do %1+=%2; %%1+=" "; done;
 
+# RHEL < 10 and Fedora < 40 use file context entries in /var/run
+%if %{defined rhel} && 0%{?rhel} < 10 || %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
+%endif
+
 # copr_username is only set on copr environments, not on others like koji
 # Check if copr is owned by rhcontainerbot
 %if "%{?copr_username}" != "rhcontainerbot"
@@ -90,6 +95,10 @@ use container tools like Podman.
 sed -i 's/^install: man all/install:/' Makefile
 
 %build
+%if %{defined legacy_var_run}
+sed -i 's|^/run/|/var/run/|' qm.fc
+%endif
+
 %{__make} all
 
 %install

setup

@@ -35,10 +35,41 @@ CMDLINE_ARGUMENT_LIST=(
   "skip-systemctl"
 )
 
+logger() {
+    {
+     	local log_level="$1"
+        local message="$2"
+        local NC='\033[0m' # No Color
+        local log_col=$NC
+    } > /dev/null 2>&1
+        case "$log_level" in
+            INFO)
+                log_col='\033[0;36m' #BLUE
+            ;;
+            WARNING)
+                log_col='\033[1;33m' #YELLOW
+            ;;
+            ERROR)
+                log_col='\033[0;31m' #RED
+                ;;
+            DEBUG)
+                log_col='\033[0;90m' #GREY
+                ;;
+            SUCCESS)
+                log_col='\033[0;32m' #GREEN
+            ;;
+            *)
+              	echo -e "[\033[1;31mERROR\033[0m] Invalid log level: $log_level" >&2
+                return 1
+            ;;
+	esac
+  echo -e "[$log_col${log_level}${NC}] $message"
+}
+
 root_check() {
     if [ "$(id -u)" -ne 0 ];then
-	echo "Please run this script as root"
-	exit 1
+        logger "WARNING" "Please run this script as root"
+        exit 1
     fi
 }
 
@@ -132,7 +163,7 @@ validate_qm_installation() {
 
     for file in "${files[@]}"; do
         if [[ ! -f "$file" ]]; then
-            echo "Exiting... '$file' not found. Try reinstall the QM package before continue." >&2
+            logger "ERROR" "Exiting... '$file' not found. Try reinstall the QM package before continuing."
             exit 1
         fi
     done
@@ -303,15 +334,23 @@ case "$1" in
 
     if [ "$SYSTEMCTL_SKIP" == "N" ]; then
 	    systemctl daemon-reload
-	    systemctl start qm.service
-            if [ "$(systemctl is-active qm.service)" != "active" ]; then
-               journal=$(journalctl --no-pager -xu qm.service)
-               echo QM service is not up details:
-               echo "$journal"
-               exit 1
-            fi
+        systemctl start qm.service || {
+            logger "ERROR" "'systemctl start qm.service' has failed, see details below";
+            set +x
+            logger "DEBUG" "$(journalctl --no-pager -xu qm.service)"
+            set -x
+            exit 1;
+        }
+        if [ "$(systemctl is-active qm.service)" != "active" ]; then
+            logger "WARNING" "QM service is inactive, see details below:";
+            set +x
+            logger "DEBUG" "$(journalctl --no-pager -xu qm.service)"
+            set -x
+            exit 1
+        fi
     else
       /usr/libexec/podman/quadlet /run/systemd/generator/
     fi
+    logger "SUCCESS" "Setup complete";
 	;;
 esac

tests/qm-kvm-test/libkrun/check_libkrun.fmf

@@ -0,0 +1,7 @@
+summary: Test libkrun in qm
+test: /bin/bash ./check_libkrun.sh
+duration: 10m
+tier: 0
+tag: [kvm,setup]
+framework: shell
+

tests/qm-kvm-test/libkrun/check_libkrun.sh

@@ -0,0 +1,26 @@
+#!/bin/bash -x
+
+# shellcheck disable=SC1091
+source ../../e2e/lib/utils
+
+enable_repo() {
+    info_message "enable_repo(): enable repo"
+    exec_cmd "cd /etc/yum.repos.d/"
+    exec_cmd "dnf copr enable -y copr.fedorainfracloud.org/@centos-automotive-sig/libkrun centos-stream-9-$(arch)"
+}
+
+install_libkrun() {
+    info_message "install_libkrun(): install libkrun and crun-krun"
+    exec_cmd "dnf install --setopt=reposdir=/etc/yum.repos.d  --installroot=/usr/lib/qm/rootfs -y libkrun crun-krun"
+}
+
+check_libkrun() {
+    info_message "check_libkrun(): run virtualization-isolated containers."
+    exec_cmd "podman exec -it qm podman run --runtime=krun --rm -it alpine echo 'Hello libkrun.'"
+    info_message "PASS: libkrun runs successfully."
+}
+
+enable_repo
+install_libkrun
+check_libkrun
+