Add qemu-guest-agent over vsock for time sync and host-guest features #238
Honny1 wants to merge 1 commit into
Conversation
| # ConditionVirtualization= cannot distinguish our target providers: vfkit is `apple`, | ||
| # libkrun is `vm-other`, and `kvm` would overmatch. Gate on DMI sys_vendor instead. | ||
| ExecCondition=/usr/local/bin/qemu-guest-agent-exec-condition.sh |
not sure why kvm would overmatch, there is also "qemu" as an option we could use?!
It seems like we could check this (untested):
ConditionVirtualization=|qemu
ConditionVirtualization=|apple
ConditionFirmware=|smbios-field(sys_vendor = Libkrun)
https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#ConditionFirmware=
It seems to work. I tested it with AppleHV and libkrun, but I haven't tested it with QEMU because I don't have a machine ready for it.
ok we will need to match kvm not qemu
$ systemd-detect-virt
kvm
per docs kvm should be fine and not overmatch other things
Linux KVM kernel virtual machine, in combination with QEMU. Not used for other virtualizers using the KVM interfaces, such as Oracle VirtualBox or Amazon EC2 Nitro, see below.
https://www.freedesktop.org/software/systemd/man/latest/systemd-detect-virt.html
| RUN dnf install -y checkpolicy policycoreutils && dnf clean all | ||
| COPY qemu_guest_agent_vsock.te /qemu_guest_agent_vsock.te | ||
| RUN checkmodule -M -m -o /qemu_guest_agent_vsock.mod /qemu_guest_agent_vsock.te && \ | ||
| semodule_package -o /qemu_guest_agent_vsock.pp -m /qemu_guest_agent_vsock.mod |
can you copy first and then do all commands in one RUN instruction,
it is just a minor thing but it is best to keep the RUN instructions to a minimum IMO
| RUN semodule -i /tmp/qemu_guest_agent_vsock.pp && rm -f /tmp/qemu_guest_agent_vsock.pp | ||
| COPY qemu-guest-agent-exec-condition.sh /usr/local/bin/qemu-guest-agent-exec-condition.sh | ||
| RUN chmod +x /usr/local/bin/qemu-guest-agent-exec-condition.sh && \ | ||
| chcon --reference=/bin/sh /usr/local/bin/qemu-guest-agent-exec-condition.sh | ||
| COPY qemu-guest-agent.service /etc/systemd/system/qemu-guest-agent.service |
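Review bot: the `chcon --reference=/bin/sh` in the chmod RUN line is not durable: chcon writes the label onto the in-image file only, and any relabel (restorecon, autorelabel on boot) resets it to what the file context policy defines, which for `/usr/local/bin(/.*)?` is already `bin_t` in the default Fedora contexts. Either drop the chcon as redundant or replace it with `restorecon -v /usr/local/bin/qemu-guest-agent-exec-condition.sh` so the label always comes from policy; if the script genuinely needs a non-default label for the ExecCondition transition, that belongs in the SELinux module compiled above, not in a hand-set context.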
same thing here, lets group this into one RUN instruction
| # Disable coreos chrony config, we do provide our own. | ||
| disable coreos-platform-chrony-config.service | ||
|
|
||
| # qemu-guest-agent (vsock) for macOS (vfkit, libkrun) and Linux (qemu); gated by DMI ExecCondition. |
| Expect(catSession).To(Exit(0)) | ||
| out := catSession.outputToString() | ||
| Expect(out).To(ContainSubstring("vsock-listen")) | ||
| Expect(out).To(ContainSubstring("--path=3:1234")) |
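Review bot: the assertions only prove the unit file contains `vsock-listen` and `--path=3:1234`, not that the agent runs. Because the unit is gated by ExecCondition=, a non-matching sys_vendor makes systemd skip ExecStart and leave the unit `inactive` without marking it failed, so a content check alone passes on a provider where the agent never started. Add a runtime check alongside these lines, for example running `systemctl is-active qemu-guest-agent` inside the machine and expecting exit 0 (or `systemctl show -p ActiveState qemu-guest-agent` equal to `ActiveState=active`), on both the Linux (qemu) and macOS (vfkit, libkrun) providers.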
can you add a check here that the service is also actually active for linux and macos?
33f2d2b to 0c85a03
Install qemu-guest-agent and configure it to listen on vsock port 1234 (matching the constant in containers/podman). The service is gated by a DMI sys_vendor check (ExecCondition) so it only runs on Podman machine providers that expose the vsock channel: vfkit (Apple Inc.), libkrun (Libkrun), and qemu (QEMU). A custom SELinux module allows virt_qemu_ga_t to use vsock sockets.
Related PR: containers/podman#28527
Replace: containers#175
Signed-off-by: Jan Rodák <[email protected]>
Image Downloads for cirrus build 4933016755109888:
PTAL @containers/podman-maintainers I think this is ready for merge. I am not sure about timing with containers/podman#28527
I am fine merging this if we commit to having the podman side also merged for 6.0 and fully integrated with this.
Agree
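The DMI sys_vendor gate that the commit message describes, written out as an added example. This is not the PR's own qemu-guest-agent-exec-condition.sh (its body is not shown on this page); the installed path and the three vendor strings come from the page, while the function names, the DMI_SYS_VENDOR_FILE override and the invoked-name guard are this example's assumptions.

```shell
#!/bin/sh
# Added example of the ExecCondition= gate described in the PR, not the project's script.
# systemd semantics for ExecCondition=: exit 0 -> run ExecStart; exit 1..254 -> skip the
# unit quietly (not a failure); exit 255 or death by signal -> the unit is marked failed.

# Vendor strings from the commit message: vfkit reports "Apple Inc.", libkrun "Libkrun",
# qemu "QEMU". The override variable is an assumption so the gate can be exercised on a
# host whose own DMI data should not be consulted.
DMI_SYS_VENDOR_FILE=${DMI_SYS_VENDOR_FILE:-/sys/class/dmi/id/sys_vendor}

# read_vendor FILE: print the sys_vendor string with trailing whitespace and newlines
# removed; return 1 (printing nothing) when the file is missing or unreadable.
read_vendor() {
    [ -r "$1" ] || return 1
    tr -d '\r\n' < "$1" | sed 's/[[:space:]]*$//'
}

# vendor_allowed FILE: return 0 if FILE holds the sys_vendor of a provider that exposes
# the vsock channel, 1 for anything else (other vendors, empty or missing field).
vendor_allowed() {
    vendor=$(read_vendor "$1") || return 1
    case "$vendor" in
        "Apple Inc."|Libkrun|QEMU) return 0 ;;
        *) return 1 ;;
    esac
}

# exec_condition FILE: produce the exit status the ExecCondition= hook should yield,
# 0 to start the agent, 1 to have systemd skip the unit without failing it.
exec_condition() {
    if vendor_allowed "$1"; then
        echo "qemu-guest-agent: sys_vendor matched a vsock-capable provider, starting"
        return 0
    fi
    echo "qemu-guest-agent: sys_vendor did not match a vsock-capable provider, skipping" >&2
    return 1
}

# Act as the hook only when invoked under the installed name, so the functions above can
# be sourced and tested without the script exiting the caller's shell.
case "${0##*/}" in
    qemu-guest-agent-exec-condition.sh)
        exec_condition "$DMI_SYS_VENDOR_FILE"
        exit $?
        ;;
esac
```

Installed as /usr/local/bin/qemu-guest-agent-exec-condition.sh and referenced from ExecCondition=, an exit of 1 makes systemd skip ExecStart without marking the unit failed; that is why a `systemctl is-active` check, as requested in the review, is the right way to confirm the agent actually started on a given provider rather than being silently skipped.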