diff --git a/BUILD_ORDER b/BUILD_ORDER
index a0c8042..ec96b94 100644
--- a/BUILD_ORDER
+++ b/BUILD_ORDER
@@ -75,3 +75,4 @@
 ap crun # podman
 n cni-plugins # podman
 ap fuse-overlayfs # podman
+ ap podman
diff --git a/ap/podman/OPENWRT-in-podman.txt b/ap/podman/OPENWRT-in-podman.txt
new file mode 100644
index 0000000..051d001
--- /dev/null
+++ b/ap/podman/OPENWRT-in-podman.txt
@@ -0,0 +1,13 @@
+---------------------------------------
+How to run OpenWrt in podman containers
+---------------------------------------
+
+Running OpenWrt versions for containers, such as docker.io/openwrtorg/rootfs,
+with defaults podman parameters may result in errors. To avoid that, following
+command line options should be supplied to 'podman run':
+--dns=none --no-hosts=true --systemd=false
+
+Example:
+
+# podman run --dns=none --no-hosts=true --systemd=false -it docker.io/openwrtorg/rootfs
+
diff --git a/ap/podman/doinst.sh b/ap/podman/doinst.sh
new file mode 100644
index 0000000..65e60c6
--- /dev/null
+++ b/ap/podman/doinst.sh
@@ -0,0 +1,19 @@
+config() {
+ NEW="$1"
+ OLD="$(dirname $NEW)/$(basename $NEW .new)"
+ # If there's no config file by that name, mv it over:
+ if [ ! -r $OLD ]; then
+ mv $NEW $OLD
+ elif [ "$(cat $OLD | md5sum)" = "$(cat $NEW | md5sum)" ]; then
+ # toss the redundant copy
+ rm $NEW
+ fi
+ # Otherwise, we leave the .new copy for the admin to consider...
+}
+
+config etc/containers/libpod.conf.new
+config etc/containers/registries.conf.new
+config etc/containers/mounts.conf.new
+config etc/containers/seccomp.json.new
+config etc/containers/policy.json.new
+config etc/containers/storage.conf.new
diff --git a/ap/podman/get_sources.sh b/ap/podman/get_sources.sh
new file mode 100755
index 0000000..1172242
--- /dev/null
+++ b/ap/podman/get_sources.sh
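Review bot: In doinst.sh, `config()` expands `$NEW` and `$OLD` unquoted in `[ ! -r $OLD ]`, `mv $NEW $OLD`, `rm $NEW` and both `$(cat ... | md5sum)` substitutions, so a path containing whitespace or a glob character would be word-split before the test or the move. The six fixed paths passed at the bottom of the hunk contain neither, so this is a style point rather than a live bug, but quoting costs nothing: `if [ ! -r "$OLD" ]; then` and `mv "$NEW" "$OLD"`. The two `cat` pipes can also read the file directly, `"$(md5sum < "$OLD")"`, which yields the same `hash  -` output for the comparison.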
@@ -0,0 +1,8 @@
+#!/bin/bash
+SRC=libpod
+VERSION=1.9.3
+git clone -b master https://github.com/containers/${SRC}.git $SRC && \
+ ( cd $SRC && git co v${VERSION} )
+mv $SRC ${SRC}-${VERSION}
+tar cf - ${SRC}-${VERSION} | xz -c9 > ${SRC}-${VERSION}.tar.xz
+[ -s ${SRC}-${VERSION}.tar.xz ] && rm -rf ${SRC}-${VERSION}
diff --git a/ap/podman/mounts.conf b/ap/podman/mounts.conf
new file mode 100644
index 0000000..270d316
--- /dev/null
+++ b/ap/podman/mounts.conf
@@ -0,0 +1 @@
+/etc/containers/secrets:/run/secrets
diff --git a/ap/podman/podman.SlackBuild b/ap/podman/podman.SlackBuild
new file mode 100755
index 0000000..c56cd9e
--- /dev/null
+++ b/ap/podman/podman.SlackBuild
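Review bot: `git co v${VERSION}` relies on a per-user git alias (`co` is not a built-in subcommand), and nothing checks its result: the script has no `set -e`, the `&&` only guards entry into the subshell, so when the checkout fails the following `mv` and `tar` still run and package the `master` branch under the v1.9.3 name. Use `git checkout "v${VERSION}" || exit 1` inside the subshell, with `set -e` at the top, so a failed checkout stops the run before anything is archived. The same `git co go$GODEVVER` appears in the Go bootstrap in podman.SlackBuild, where a failure likewise goes on to build whatever `master` happens to be. The archive is also taken from a full clone including its `.git` directory, so its content depends on clone time; a `rm -rf -- "${SRC}/.git"` before the `tar` (or recording the tag's commit id in the script) would make the source tarball reproducible and easier to compare against upstream.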
@@ -0,0 +1,150 @@
+#!/bin/sh
+# Set initial variables:
+CWD=$(pwd)
+
+APP=podman
+SRC=libpod
+VERSION=$(ls $SRC-*.tar.?z* | sed -e 's/\.tar\..z.*//' | rev | cut -d- -f1 | rev)
+ARCH=${ARCH:-x86_64}
+BUILD=${BUILD:-1}
+TAG=${TAG:-micu}
+
+# The domain part of the go package name, usually the hosting platform
+DOMAIN=github.com
+# The name of the organization/owner of the package
+ORG=containers
+# The name of the repository
+REPONAME=$SRC
+
+LIBSUFFIX=""
+OUTPUT=${OUTPUT:-/tmp}
+
+if [ "$ARCH" = "x86_64" ]; then
+ LIBSUFFIX=${LIBSUFFIX:-64}
+fi
+
+if [ "$TMP" = "" ]; then
+ TMP=/tmp
+fi
+PKG=$TMP/package-$APP
+rm -rf $PKG
+mkdir -p $TMP $PKG $OUTPUT
+cd $TMP || exit 1
+rm -rf $APP-$VERSION
+mkdir -p $APP-$VERSION/src/$DOMAIN/$ORG
+cd $APP-$VERSION/src/$DOMAIN/$ORG || exit 1
+tar xvf $CWD/$SRC-$VERSION.tar.?z* || exit 1
+mv $SRC-$VERSION $REPONAME
+cd $REPONAME || exit 1
+chown -R root.root .
+find . -perm 444 -exec chmod 644 {} \;
+find . -perm 777 -exec chmod 755 {} \;
+find . -perm 666 -exec chmod 644 {} \;
+
+# For recent build, we need go version at least 1.13.xx;
+# gccgo is now 1.12.2, so let's spend some time and build a dedicated version
+# (or use the one already built there):
+GODEVDIR=$TMP/go-devel
+GODEVVER=1.13.11
+if [ ! -x $GODEVDIR/go/bin/go ]; then
+ echo "Development go not found at $GODEVDIR, building it."
+ mkdir -p $GODEVDIR
+ cd $GODEVDIR || exit 1
+ git clone https://go.googlesource.com/go
+ export GOPATH=$GODEVDIR/go
+ cd $GOPATH
+ git co go$GODEVVER
+ cd src || exit 1
+ ./all.bash || exit 1
+ cd $TMP/$APP-$VERSION/src/$DOMAIN/$ORG/$REPONAME || exit 1
+else
+ echo "Development go found at $GODEVDIR, using it."
+fi
+export PATH=$GODEVDIR/go/bin:$PATH
+
+# Point go to the location of the source tree
+export GOPATH="$TMP/$APP-$VERSION"
+
+make binaries PREFIX="/usr/" MANDIR="/usr/man/" || exit 1
+make install install.completions DESTDIR="$PKG" PREFIX="/usr/" MANDIR="/usr/man/" || exit 1
+
+rm -rf $PKG/usr/lib/systemd $PKG/usr/lib/tmpfiles.d
+rmdir $PKG/usr/lib
+
+mkdir -p $PKG/etc/containers/secrets
+
+# use upstream's default seccomp policy
+cp seccomp.json $PKG/etc/containers/seccomp.json.new
+# use upstream config, but default to cgroupfs and crun
+sed -e 's/^cgroup_manager = "systemd"/cgroup_manager = "cgroupfs"/g' \
+ -e 's/^runtime = "runc"/runtime = "crun"/g' \
+ -e 's/^# events_logger = "journald"/events_logger = "file"/g' \
+ libpod.conf > $PKG/etc/containers/libpod.conf.new
+# use upstream storage config, but default to overlayfs
+sed -e 's/^driver = ""/driver = "overlay"/' \
+ -e 's/^#mount_program = /mount_program = /' \
+ vendor/github.com/containers/storage/storage.conf > $PKG/etc/containers/storage.conf.new
+
+cp $CWD/registries.conf $PKG/etc/containers/registries.conf.new
+cp $CWD/mounts.conf $PKG/etc/containers/mounts.conf.new
+cp $CWD/policy.json $PKG/etc/containers/policy.json.new
+
+# Make docker link:
+( cd $PKG/usr/bin && ln -s podman docker )
+
+# Don't ship .la files:
+rm -f $PKG/{,usr/}lib${LIBSUFFIX}/*.la
+
+chown -R root.bin $PKG/usr/bin $PKG/usr/sbin
+
+( cd $PKG
+ find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+ find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | xargs strip --strip-unneeded 2> /dev/null
+ find . | xargs file | grep "current ar archive" | grep ELF | cut -f 1 -d : | xargs strip -g 2> /dev/null
+)
+
+# Compress and if needed symlink the man pages:
+if [ -d $PKG/usr/info ]; then
+ rm -f $PKG/usr/info/dir
+ gzip -9 $PKG/usr/info/*
+fi
+if [ -d $PKG/usr/man ]; then
+ ( cd $PKG/usr/man
+ for manpagedir in $(find . 
-type d -name "man*") ; do
+ ( cd $manpagedir
+ for eachpage in $( find . -type l -maxdepth 1) ; do
+ ln -s $( readlink $eachpage ).gz $eachpage.gz
+ rm $eachpage
+ done
+ gzip -9 *.?
+ )
+ done
+ )
+fi
+
+mkdir -p $PKG/usr/doc/$APP-$VERSION
+cp -a LICENSE OWNERS changelog.txt *.md $CWD/OPENWRT-in-podman.txt \
+ $PKG/usr/doc/$APP-$VERSION
+
+mkdir -p $PKG/install
+[ -f $CWD/doinst.sh ] && cat $CWD/doinst.sh > $PKG/install/doinst.sh
+[ -f $CWD/doinst.sh.gz ] && zcat $CWD/doinst.sh.gz > $PKG/install/doinst.sh
+cat $CWD/slack-desc > $PKG/install/slack-desc
+
+# Allow to run as non-root until now:
+if [ $(id -u) -ne 0 ]; then
+ echo "*** Running as non-root, skipping makepkg."
+ echo "*** Package contents is in $PKG directory."
+ exit 0
+fi
+
+cd $PKG
+makepkg -l y -c n $TMP/$APP-$VERSION-$ARCH-${BUILD}${TAG}.txz
+
+# Clean up the extra stuff:
+if [ "$1" = "--cleanup" ]; then
+ rm -rf $TMP/$APP-$VERSION
+ rm -rf $PKG
+ rm -rf $GODEVDIR
+fi
+
diff --git a/ap/podman/policy.json b/ap/podman/policy.json
new file mode 100644
index 0000000..dffc54a
--- /dev/null
+++ b/ap/podman/policy.json
@@ -0,0 +1,14 @@
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ],
+ "transports":
+ {
+ "docker-daemon":
+ {
+ "": [{"type":"insecureAcceptAnything"}]
+ }
+ }
+}
diff --git a/ap/podman/registries.conf b/ap/podman/registries.conf
new file mode 100644
index 0000000..21ddef2
--- /dev/null
+++ b/ap/podman/registries.conf
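Review bot: podman.SlackBuild declares `#!/bin/sh` but relies on brace expansion in `rm -f $PKG/{,usr/}lib${LIBSUFFIX}/*.la`, which is a bash feature rather than POSIX; under a non-bash `sh` the pattern is passed literally and the `.la` cleanup silently does nothing (on a system whose `/bin/sh` is bash it works, which is presumably why it has gone unnoticed). Either switch the shebang to `#!/bin/bash` or spell the two paths out, `rm -f $PKG/lib${LIBSUFFIX}/*.la $PKG/usr/lib${LIBSUFFIX}/*.la`. The Go bootstrap earlier in the same file clones go.googlesource.com at build time and checks out `go$GODEVVER` with the unchecked `git co` alias already raised on get_sources.sh; a `git checkout "go$GODEVVER" || exit 1` there keeps a failed checkout from building the toolchain from `master`.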
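Review bot: The shipped policy.json sets both the `default` entry and the `docker-daemon` transport to `insecureAcceptAnything`, so image signature verification is disabled for every registry; this mirrors the permissive upstream default, but the package installs it as `/etc/containers/policy.json.new` without saying so anywhere. JSON admits no comment, so a sentence in OPENWRT-in-podman.txt (the only shipped documentation in this commit) pointing to containers-policy.json(5) and stating that signature checks are off by default, and that `/etc/containers/policy.json` is where an admin tightens them, would tell the installer what they are getting; the registries.conf comment block in the same commit already refers to that file as the intended place for registry trust decisions.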
@@ -0,0 +1,82 @@
+# For more information on this configuration file, see containers-registries.conf(5).
+#
+# There are multiple versions of the configuration syntax available, where the
+# second iteration is backwards compatible to the first one. Mixing up both
+# formats will result in an runtime error.
+#
+# The initial configuration format looks like this:
+#
+# Registries to search for images that are not fully-qualified.
+# i.e. foobar.com/my_image:latest vs my_image:latest
+[registries.search]
+registries = ['docker.io', 'quay.io', 'registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org']
+
+# Registries that do not use TLS when pulling images or uses self-signed
+# certificates.
+[registries.insecure]
+registries = []
+
+# Blocked Registries, blocks the `docker daemon` from pulling from the blocked registry. If you specify
+# "*", then the docker daemon will only be allowed to pull from registries listed above in the search
+# registries. Blocked Registries is deprecated because other container runtimes and tools will not use it.
+# It is recommended that you use the trust policy file /etc/containers/policy.json to control which
+# registries you want to allow users to pull and push from. policy.json gives greater flexibility, and
+# supports all container runtimes and tools including the docker daemon, cri-o, buildah ...
+# The atomic CLI `atomic trust` can be used to easily configure the policy.json file.
+[registries.block]
+registries = []
+
+# The second version of the configuration format allows to specify registry
+# mirrors:
+#
+# # An array of host[:port] registries to try when pulling an unqualified image, in order.
+# unqualified-search-registries = ["example.com"]
+#
+# [[registry]]
+# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
+# # (only) the TOML table with the longest match for the input image name
+# # (taking into account namespace/repo/tag/digest separators) is used.
+# #
+# # If the prefix field is missing, it defaults to be the same as the "location" field.
+# prefix = "example.com/foo"
+#
+# # If true, unencrypted HTTP as well as TLS connections with untrusted
+# # certificates are allowed.
+# insecure = false
+#
+# # If true, pulling images with matching names is forbidden.
+# blocked = false
+#
+# # The physical location of the "prefix"-rooted namespace.
+# #
+# # By default, this equal to "prefix" (in which case "prefix" can be omitted
+# # and the [[registry]] TOML table can only specify "location").
+# #
+# # Example: Given
+# # prefix = "example.com/foo"
+# # location = "internal-registry-for-example.net/bar"
+# # requests for the image example.com/foo/myimage:latest will actually work with the
+# # internal-registry-for-example.net/bar/myimage:latest image.
+# location = internal-registry-for-example.com/bar"
+#
+# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
+# #
+# # The mirrors are attempted in the specified order; the first one that can be
+# # contacted and contains the image will be used (and if none of the mirrors contains the image,
+# # the primary location specified by the "registry.location" field, or using the unmodified
+# # user-specified reference, is tried last).
+# #
+# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
+# # as if specified in the [[registry]] TOML table directly:
+# # - location
+# # - insecure
+# [[registry.mirror]]
+# location = "example-mirror-0.local/mirror-for-foo"
+# [[registry.mirror]]
+# location = "example-mirror-1.local/mirrors/foo"
+# insecure = true
+# # Given the above, a pull of example.com/foo/image:latest will try:
+# # 1. example-mirror-0.local/mirror-for-foo/image:latest
+# # 2. example-mirror-1.local/mirrors/foo/image:latest
+# # 3. internal-registry-for-example.net/bar/myimage:latest
+# # in order, and use the first one that exists.
diff --git a/ap/podman/slack-desc b/ap/podman/slack-desc
new file mode 100644
index 0000000..618134f
--- /dev/null
+++ b/ap/podman/slack-desc
@@ -0,0 +1,19 @@
+# HOW TO EDIT THIS FILE:
+# The "handy ruler" below makes it easier to edit a package description.
+# Line up the first '|' above the ':' following the base package name, and
+# the '|' on the right side marks the last column you can put a character in.
+# You must make exactly 11 lines for the formatting to be correct. It's also
+# customary to leave one space after the ':' except on otherwise blank lines.
+
+ |-----handy-ruler------------------------------------------------------|
+podman: podman (utility to run OCI-based containers)
+podman:
+podman: libpod provides a library for applications looking to use the
+podman: Container Pod concept popularized by Kubernetes. libpod also contains
+podman: a tool called podman for managing Pods, Containers, and Container
+podman: Images.
+podman:
+podman: Site: https://github.com/containers/libpod
+podman:
+podman:
+podman: