images: add systemd reference container

Extends container-base to create a systemd enabled container that is
an appropriate starting point if a systemd applciation is being run
or a mulit-user style environment is required.

The application specified in SYSTEMD_CONTAINER_APP will be installed
and be available to be executed.

The rootfs of this container type is post processed to enable and
disable services as specified by the containeer definition. This allows
service that are not appropriate in a containerized environemnt to
be disabled (i.e. getty login)

The list of services can be found in the recipes themselves.

This container enables ssh by default, so that it can be executed
in the background and then accessed as a full environment.

Note: this is currently a priviledged container if run under docker.

There are multiple ways to add/remove permissions from the container,
and most are configurable during launch:

  % root@qemuarm64-54:~# docker run -d --rm --name systemd_test  --privileged --cap-add SYS_ADMIN \
     --security-opt seccomp=unconfined --cgroup-parent=docker.slice --cgroupns private \
     --tmpfs /tmp --tmpfs /run --tmpfs /run/lock zeddii/systemd-container-base

or

  % docker run -d --rm --name systemd_test --privileged  --cgroup-parent=docker.slice \
     --cgroupns private  zeddii/c3-systemd-container

  % root@qemuarm64-54:~# docker ps
  CONTAINER ID   IMAGE                         COMMAND        CREATED         STATUS         PORTS     NAMES
  4b07cc907e26   zeddii/c3-systemd-container   "/sbin/init"   5 minutes ago   Up 5 minutes             systemd_test

  % podman run -d --name systemd_test --privileged --cgroupns=host --tmpfs /tmp --tmpfs /run --tmpfs /run/lock \
           -v /sys/fs/cgroup:/sys/fs/cgroup:ro  zeddii/systemd-container-base

  % ctr container create --privileged --runtime="io.containerd.runc.v2" \
      --mount type=bind,src=/sys/fs/cgroup,dst=/sys/fs/cgroup,options=rbind:rw \
      docker.io/zeddii/systemd-container-base:latest  my_systemd_container /sbin/init

  % ctr task start --detach my_systemd_container

  % ctr task ls
    TASK                    PID    STATUS
    my_systemd_container    690    RUNNING

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

2 files changed, 89 insertions, 0 deletions

diff --git a/recipes-extended/images/container-systemd-base.bb b/recipes-extended/images/container-systemd-base.bb
new file mode 100644
index 00000000..96ef4667
--- /dev/null
+++ b/recipes-extended/images/container-systemd-base.bb
@@ -0,0 +1,17 @@
+SUMMARY = "Systemd system container for ${SYSTEMD_CONTAINER_APP}"
+DESCRIPTION = "A small systemd system container which will run \
+                ${SYSTEMD_CONTAINER_APP}."
+
+SYSTEMD_CONTAINER_APP ?= ""
+
+# Use local.conf to specify the application(s) to install
+IMAGE_INSTALL += "${SYSTEMD_CONTAINER_APP}"
+
+# Use local.conf to specify additional systemd services to disable. To overwrite
+# the default list use SERVICES_TO_DISABLE:pn-systemd-container in local.conf
+SERVICES_TO_DISABLE:append = " ${SYSTEMD_CONTAINER_DISABLE_SERVICES}"
+
+# Use local.conf to enable systemd services
+SERVICES_TO_ENABLE += "${SYSTEMD_CONTAINER_ENABLE_SERVICES}"
+
+require container-systemd-base.inc
diff --git a/recipes-extended/images/container-systemd-base.inc b/recipes-extended/images/container-systemd-base.inc
new file mode 100644
index 00000000..0b856e83
--- /dev/null
+++ b/recipes-extended/images/container-systemd-base.inc
@@ -0,0 +1,72 @@
+SUMMARY ?= "Sample systemd system container"
+DESCRIPTION ?= "A small systemd system container which will run \
+                the application defined in IMAGE_INSTALL."
+
+LICENSE ?= "MIT"
+LIC_FILES_CHKSUM ?= "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
+
+# Some commands of interest:
+# % docker run -d --rm --name systemd_test  --privileged \
+#    --cap-add SYS_ADMIN --security-opt seccomp=unconfined --cgroup-parent=docker.slice \
+#    --cgroupns private --tmpfs /tmp --tmpfs /run --tmpfs /run/lock zeddii/systemd-container-base
+#
+# % docker run -d --rm --name systemd_test --privileged \
+#    --cgroup-parent=docker.slice --cgroupns private  zeddii/c3-systemd-container
+#
+# % docker inspect systemd_test
+# % docker inspect systemd_test | grep \"IPAddress\":
+# % docker exec systemd_test bash -c "echo 'testuser:password' | chpasswd"
+# % ssh testuser@172.17.0.2
+
+require container-base.bb
+
+OCI_IMAGE_ENTRYPOINT = "/sbin/init"
+
+IMAGE_INSTALL:append = " systemd"
+IMAGE_INSTALL:append = " packagegroup-core-base-utils"
+IMAGE_INSTALL:append = " packagegroup-core-ssh-openssh"
+IMAGE_INSTALL:append = " busybox"
+
+IMAGE_FEATURES ?= ""
+
+NO_RECOMMENDATIONS = "1"
+
+SERVICES_TO_DISABLE ?= " \
+    systemd-udevd.service \
+    systemd-udevd-control.socket \
+    systemd-udevd-kernel.socket \
+    proc-sys-fs-binfmt_misc.automount \
+    sys-fs-fuse-connections.mount \
+    sys-kernel-debug.mount \
+    systemd-hwdb-update.service \
+    serial-getty@ttyS0.service \
+    dev-ttyS0.device \
+    console-getty.service \
+    serial-getty@.service \
+"
+
+SERVICES_TO_ENABLE ?= ""
+
+disable_systemd_services () {
+        SERVICES_TO_DISABLE="${SERVICES_TO_DISABLE}"
+        if [ -n "$SERVICES_TO_DISABLE" ]; then
+                echo "Disabling systemd services:"
+                for service in $SERVICES_TO_DISABLE; do
+                        echo "    $service"
+                        systemctl --root="${IMAGE_ROOTFS}" mask $service > /dev/null >1
+                done
+        fi
+}
+
+enable_systemd_services () {
+        SERVICES_TO_ENABLE="${SERVICES_TO_ENABLE}"
+        if [ -n "$SERVICES_TO_ENABLE" ]; then
+                echo "Enabling additional systemd services:"
+                for service in $SERVICES_TO_ENABLE; do
+                        echo "    $service"
+                        systemctl --root="${IMAGE_ROOTFS}" enable $service > /dev/null >1
+                done
+        fi
+}
+
+ROOTFS_POSTPROCESS_COMMAND += "disable_systemd_services; enable_systemd_services;"