experimental: add built-in Incus sysext image

build_library/extra_sysexts.sh

@@ -2,4 +2,5 @@ EXTRA_SYSEXTS=(
   zfs:sys-fs/zfs
   podman:app-containers/podman,net-misc/passt
   python:dev-lang/python,dev-python/pip
+  incus:app-containers/incus
 )

build_library/sysext_mangle_flatcar-incus

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -euo pipefail
+rootfs="${1}"
+
+pushd "${rootfs}"
+
+pushd ./usr/lib/systemd/system
+mkdir -p "multi-user.target.d"
+{ echo "[Unit]"; echo "Upholds=incus.service"; } > "multi-user.target.d/10-incus.conf"
+popd
+
+mkdir -p ./usr/lib/tmpfiles.d
+pushd ./usr/lib/tmpfiles.d
+cat <<EOF >./10-incus.conf
+d  /var/lib/lxc/rootfs	0755  root  root  -  -
+EOF
+popd
+
+popd

sdk_container/src/third_party/coreos-overlay/coreos-devel/board-packages/board-packages-0.0.1.ebuild

@@ -29,6 +29,7 @@ RDEPEND="
 	app-containers/containerd
 	app-containers/docker
 	app-containers/docker-cli
+	app-containers/incus
 	app-emulation/amazon-ssm-agent
 	app-emulation/wa-linux-agent
 	coreos-base/coreos

sdk_container/src/third_party/coreos-overlay/coreos/config/env/acct-group/incus

@@ -0,0 +1,8 @@
+cros_post_src_install_add_userdb_record(){
+	insinto /usr/lib/userdb
+	newins - ${ACCT_GROUP_NAME}.group < <(
+		printf '{"groupName":"%q","gid":%q}\n' \
+			"${ACCT_GROUP_NAME}" \
+			"${_ACCT_GROUP_ID/#-*/-}"
+	)
+}

sdk_container/src/third_party/coreos-overlay/coreos/config/env/acct-group/incus-admin

@@ -0,0 +1,8 @@
+cros_post_src_install_add_userdb_record(){
+	insinto /usr/lib/userdb
+	newins - ${ACCT_GROUP_NAME}.group < <(
+		printf '{"groupName":"%q","gid":%q}\n' \
+			"${ACCT_GROUP_NAME}" \
+			"${_ACCT_GROUP_ID/#-*/-}"
+	)
+}

sdk_container/src/third_party/coreos-overlay/coreos/config/env/acct-group/lxc

@@ -0,0 +1,8 @@
+cros_post_src_install_add_userdb_record(){
+	insinto /usr/lib/userdb
+	newins - ${ACCT_GROUP_NAME}.group < <(
+		printf '{"groupName":"%q","gid":%q}\n' \
+			"${ACCT_GROUP_NAME}" \
+			"${_ACCT_GROUP_ID/#-*/-}"
+	)
+}

sdk_container/src/third_party/coreos-overlay/coreos/config/env/app-containers/incus

@@ -0,0 +1,3 @@
+cros_pre_src_compile_pkgconfig() {
+	export PKG_CONFIG="$(tc-getPKG_CONFIG)"
+}

sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use

@@ -165,3 +165,16 @@ dev-util/bpftool -llvm
 
 # Do not tinker with /boot partition at installation time.
 sys-firmware/intel-microcode -initramfs
+
+app-containers/lxc selinux
+
+# required by app-containers/incus-6.0.1-r1::portage-stable
+# required by app-containers/incus (argument)
+>=dev-libs/raft-0.22.1 lz4
+# required by app-containers/incus-6.0.1-r1::portage-stable
+# required by app-containers/incus (argument)
+>=dev-util/xdelta-3.0.11-r1 lzma
+# required by app-containers/lxc-6.0.0-r2::portage-stable[caps,tools]
+# required by app-containers/incus-6.0.1-r1::portage-stable
+# required by app-containers/incus (argument)
+>=sys-libs/libcap-2.70 static-libs

sdk_container/src/third_party/portage-stable/acct-group/incus-admin/incus-admin-0.ebuild

@@ -0,0 +1,9 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-group
+
+ACCT_GROUP_ID=533
+DESCRIPTION="Group for app-containers/incus"

sdk_container/src/third_party/portage-stable/acct-group/incus-admin/metadata.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>[email protected]</email>
+    <name>Gentoo Virtualization Project</name>
+  </maintainer>
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/acct-group/incus/incus-0.ebuild

@@ -0,0 +1,9 @@
+# Copyright 2020-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-group
+
+ACCT_GROUP_ID=532
+DESCRIPTION="Group for app-containers/incus"

sdk_container/src/third_party/portage-stable/acct-group/incus/metadata.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>[email protected]</email>
+    <name>Gentoo Virtualization Project</name>
+  </maintainer>
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/acct-group/lxc/lxc-0-r2.ebuild

@@ -0,0 +1,9 @@
+# Copyright 2021-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-group
+
+ACCT_GROUP_ID=358
+DESCRIPTION="Group for app-containers/lxc"

sdk_container/src/third_party/portage-stable/acct-group/lxc/metadata.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>[email protected]</email>
+    <name>Gentoo Virtualization Project</name>
+  </maintainer>
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/acct-user/lxc/lxc-0-r2.ebuild

@@ -0,0 +1,12 @@
+# Copyright 2021-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit acct-user
+
+DESCRIPTION="User for app-containers/lxc"
+ACCT_USER_ID=358
+ACCT_USER_GROUPS=( lxc )
+
+acct-user_add_deps

sdk_container/src/third_party/portage-stable/acct-user/lxc/metadata.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+  <maintainer type="project">
+    <email>[email protected]</email>
+    <name>Gentoo Virtualization Project</name>
+  </maintainer>
+</pkgmetadata>

sdk_container/src/third_party/portage-stable/app-containers/incus/Manifest

@@ -0,0 +1,8 @@
+DIST incus-6.0.0.tar.xz 11839792 BLAKE2B 135574e6f19262992bb068a3c0a0045c192699503e417eb861e00a974e631fd869485eb96238d1dbe4712e789367d31afae1c62bade2a8b75f7e9a7620547e74 SHA512 eb6d784a535d487bd85b3e8272d7cddc23f2ed98ca2b3e2f19c038b4a6f910d4030822424154489adef7a688757905927309d25f6d1ff621d99d678fe6aeae2b
+DIST incus-6.0.0.tar.xz.asc 833 BLAKE2B f35c38f886290ff08e017cd54e8019c43bfbf1f9c84b26ede2cfa78acbe4047af4314465e77d6e900f296552d5ac8f8c07d26a11920bff937fbb8a0a910efb0d SHA512 0360520752fad3e95807d09e4fd6d60c96a202d0dbb61621925abd75aa801b6d573abbece3179a8906bdc47e96ddec4a746607ce2d10dcc1a76d0afd459cbf81
+DIST incus-6.0.1.tar.xz 11653056 BLAKE2B d026f9fb99d7393d286006cfe759681b58b980b7a2432a98ba8a6862e17099ef6ee8d1ec1766d00fac1a6d1e748a7d10d3d5ad14b31c542618044f77a27fe255 SHA512 8218c121cf1afd307f748c0f1c0b1ba34a05fa0c43a515aab03d9f92c66becaa6bff245e93842e7b0746ce6019d66f1a5e4c317ec05e0ab088b539e5378d78dc
+DIST incus-6.0.1.tar.xz.asc 833 BLAKE2B c5c9d3d4796e97ef745102c13e52d691e7f087a5a0cc8e0a069ec7c94686e6e8de04d3dd247157e16eb3deea2b877453e3462ec829ced2ba9cb1928af9a3aa1b SHA512 c47df95afa7c9ef7041fb29497567ab3b1ed30c3c175b4be84bc75a6a2c47072cc291e43fa738a5a58d753b04aef87334780f9d45184a9543a49fad263859aa0
+DIST incus-6.2.tar.xz 11060268 BLAKE2B ac276e9192bd309d41762e1756ed8276835d597f92fef554f74d8dd11f1d6685f95815c89a1770a7e3fd3c8c08dea65e5dffeac942e97052e7bdb1337d2d3817 SHA512 a5a41199b5ec21a6b2abb7ae33d245032db67ec8aedec3eb1cd18236ce39106c25c4a71524d363103c4a6fbe4420368e0fe8763a2eb84afdbf7f069e53312fa7
+DIST incus-6.2.tar.xz.asc 833 BLAKE2B 68e967083b715716f5eedeeb4e81c5d90e45af1c9bd3ce373d8edab9d872598585e3ee9ae738292a7cc66f52907908627d5dd62ef963f62b37ed74620d59ef90 SHA512 77a82dd92438815c0f02a4399f2cda465692589eef12dba4482bdcb0cf1bd1e71dd3a6ccedfa0d9c4a11891b0883764adae3db994f21bb46655372988941ae2a
+DIST incus-6.3.tar.xz 11717996 BLAKE2B 25a4f13e860c4d60e24b32f8ce1db0c4cf81f2595169c105d2e1a3b38563232b141f08039c243d903c5b81ddde0eb1a8008ae24cef955ed9d001241edc1336f2 SHA512 e9da3e2c3ef9c7e8b0ae77bef7fe674e427d63cc97a397c61eca3eb3f31e5e4ee8670543d7cf05b7efcfc08645ee7339c44aab87c5a4aa4578566dec3a512048
+DIST incus-6.3.tar.xz.asc 833 BLAKE2B 1b204199cda642dbe2b89167a4ac210ab43c1798ecf5079d24f585dc9e559e9216ba8dce8c39ae2de8ec298cb157d8926dd8a545c4a21464e88babe54e585c9c SHA512 e3318a8037f488b5ce0b551a485c568cba7137c70ad170f963d4cad3bb1fc8b12a9da564b03d754f82f354b1a59c37fd3857d3804e75d14428e52ee6121411a4

sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-0.4.confd

@@ -0,0 +1,26 @@
+# Group which owns the shared socket
+INCUS_OPTIONS+=" --group incus-admin"
+
+# Enable cpu profiling into the specified file
+#INCUS_OPTIONS+=" --cpuprofile /tmp/lxc_cpu_profile"
+
+# Enable memory profiling into the specified file
+#INCUS_OPTIONS+=" --memprofile /tmp/lxc_mem_profile"
+
+# Enable debug mode
+#INCUS_OPTIONS+=" --debug"
+
+# For debugging, print a complete stack trace every n seconds
+#INCUS_OPTIONS+=" --print-goroutines-every 5"
+
+# Enable verbose mode
+#INCUS_OPTIONS+=" -v"
+
+# Logfile to log to
+#INCUS_OPTIONS+=" --logfile /var/log/incus/incus.log"
+
+# Enable syslog logging
+#INCUS_OPTIONS+=" --syslog"
+
+# Increase ulimits to allow more open files on OpenRC.
+rc_ulimit="-n 1048576 -l unlimited"

sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-0.4.initd

@@ -0,0 +1,59 @@
+#!/sbin/openrc-run
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+DAEMON=/usr/sbin/incusd
+PIDFILE=/run/incus.pid
+
+depend() {
+	need net
+	need lxcfs
+}
+
+start() {
+	ebegin "Starting incus daemon service"
+
+	modprobe -f loop > /dev/null 2>&1
+
+	# Fix permissions on /var/lib/incus and make sure it exists.
+	# Create a log directory for incus with correct permissions.
+	install -d /var/lib/incus --group incus-admin --owner root --mode 0775
+	install -d /var/log/incus --group incus-admin --owner root
+
+	start-stop-daemon --start \
+		--pidfile ${PIDFILE} \
+		--exec ${DAEMON} \
+		--background \
+		--make-pidfile \
+		-- \
+		${INCUS_OPTIONS}
+	eend ${?}
+
+	# Create necessary systemd paths in order for systemd containers to work on openrc host.
+	# /etc/rc.conf should have following values:
+	#   rc_cgroup_mode="hybrid"
+	if [ -d /sys/fs/cgroup/unified ] &&
+	[ ! -d /sys/fs/cgroup/systemd ]; then
+		install -d /sys/fs/cgroup/systemd --group incus-admin --owner root
+		mount -t cgroup -o none,name=systemd systemd /sys/fs/cgroup/systemd
+	fi
+}
+
+stop() {
+	if [ "${RC_CMD}" = restart ]; then
+		ebegin "Stopping incus daemon service (but not containers)"
+		# start-stop-daemon sends SIGTERM with a timeout of 5s by default.
+		# SIGTERM indicates to INCUS that it will be stopped temporarily.
+		# Instances will keep running.
+		start-stop-daemon --stop --quiet -p "${PIDFILE}"
+		eend ${?}
+	else
+		ebegin "Stopping incus daemon service and containers, waiting 40s"
+		# SIGPWR indicates to INCUS that the host is going down.
+		# LXD will do a clean shutdown of all instances.
+		# After 30s all remaining instances will be killed.
+		# We wait up to 40s for INCUS.
+		start-stop-daemon --stop --quiet -R SIGPWR/40 -p "${PIDFILE}"
+		eend ${?}
+	fi
+}

sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-0.4.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=Incus - main daemon
+After=network-online.target lxcfs.service incus.socket
+Requires=network-online.target lxcfs.service incus.socket
+
+[Service]
+EnvironmentFile=-/etc/environment
+ExecStart=/usr/sbin/incusd --group incus-admin --syslog
+ExecStartPost=/usr/sbin/incusd waitready --timeout=600
+ExecStartPre=/bin/mkdir -p /var/log/incus
+ExecStartPre=/bin/chown -R root:incus-admin /var/log/incus
+KillMode=process
+PermissionsStartOnly=true
+TimeoutStartSec=600s
+TimeoutStopSec=30s
+Restart=on-failure
+LimitNOFILE=1048576
+LimitNPROC=infinity
+TasksMax=infinity
+
+[Install]
+Also=incus-startup.service incus.socket

sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-0.4.socket

@@ -0,0 +1,11 @@
+[Unit]
+Description=Incus - Daemon (unix socket)
+
+[Socket]
+ListenStream=/var/lib/incus/unix.socket
+SocketGroup=incus-admin
+SocketMode=0660
+Service=incus.service
+
+[Install]
+WantedBy=sockets.target

sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-6.0.confd

@@ -0,0 +1,27 @@
+## "INCUS_OPTIONS+=" is not POSIX-compliant, so we use
+## "INCUS_OPTIONS="${INCUS_OPTIONS}"" to not rely on bashmisms.
+## bgo#929138
+
+# Group which owns the shared socket
+INCUS_OPTIONS="${INCUS_OPTIONS} --group incus-admin"
+
+# Enable cpu profiling into the specified file
+#INCUS_OPTIONS="${INCUS_OPTIONS} --cpuprofile /tmp/lxc_cpu_profile"
+
+# Enable memory profiling into the specified file
+#INCUS_OPTIONS="${INCUS_OPTIONS} --memprofile /tmp/lxc_mem_profile"
+
+# Enable debug mode
+#INCUS_OPTIONS="${INCUS_OPTIONS} --debug"
+
+# For debugging, print a complete stack trace every n seconds
+#INCUS_OPTIONS="${INCUS_OPTIONS} --print-goroutines-every 5"
+
+# Enable verbose mode
+#INCUS_OPTIONS="${INCUS_OPTIONS} -v"
+
+# Logfile to log to
+#INCUS_OPTIONS="${INCUS_OPTIONS} --logfile /var/log/incus/incus.log"
+
+# Enable syslog logging
+#INCUS_OPTIONS="${INCUS_OPTIONS} --syslog"

sdk_container/src/third_party/portage-stable/app-containers/incus/files/incus-6.0.initd

@@ -0,0 +1,63 @@
+#!/sbin/openrc-run
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+DAEMON=/usr/sbin/incusd
+PIDFILE=/run/incus.pid
+
+depend() {
+	need net
+	need lxcfs
+}
+
+start() {
+	ebegin "Starting incus daemon service"
+
+	modprobe -f loop > /dev/null 2>&1
+
+	# Call prlimit from the init.d file instead of ulimit through rc_ulimit,
+	# bgo#929138
+	prlimit --nofile=1048576 --memlock=unlimited --pid=$$
+
+	# Fix permissions on /var/lib/incus and make sure it exists.
+	# Create a log directory for incus with correct permissions.
+	install -d /var/lib/incus --group incus-admin --owner root --mode 0775
+	install -d /var/log/incus --group incus-admin --owner root
+
+	start-stop-daemon --start \
+		--pidfile ${PIDFILE} \
+		--exec ${DAEMON} \
+		--background \
+		--make-pidfile \
+		-- \
+		${INCUS_OPTIONS}
+	eend ${?}
+
+	# Create necessary systemd paths in order for systemd containers to work on openrc host.
+	# /etc/rc.conf should have following values:
+	#   rc_cgroup_mode="hybrid"
+	if [ -d /sys/fs/cgroup/unified ] &&
+	[ ! -d /sys/fs/cgroup/systemd ]; then
+		install -d /sys/fs/cgroup/systemd --group incus-admin --owner root
+		mount -t cgroup -o none,name=systemd systemd /sys/fs/cgroup/systemd
+	fi
+}
+
+stop() {
+	if [ "${RC_CMD}" = restart ]; then
+		ebegin "Stopping incus daemon service (but not containers)"
+		# start-stop-daemon sends SIGTERM with a timeout of 5s by default.
+		# SIGTERM indicates to INCUS that it will be stopped temporarily.
+		# Instances will keep running.
+		start-stop-daemon --stop --quiet -p "${PIDFILE}"
+		eend ${?}
+	else
+		ebegin "Stopping incus daemon service and containers, waiting 40s"
+		# SIGPWR indicates to INCUS that the host is going down.
+		# LXD will do a clean shutdown of all instances.
+		# After 30s all remaining instances will be killed.
+		# We wait up to 40s for INCUS.
+		start-stop-daemon --stop --quiet -R SIGPWR/40 -p "${PIDFILE}"
+		eend ${?}
+	fi
+}