I have following versions:

podman-4.8.3-1 crun-1.12-1 crun-qemu manually compiled from the documentation provided qemu-kvm-6.2.0-40

ls -l my-vm-image/
total 531844
drwxr-xr-x. 2 foobar foobar       18 Jan 11 10:44 etc
-rw-rw-r--. 1 foobar foobar 544604160 Jan 11 09:24 Fedora-Cloud-Base-39-1.5.x86_64.qcow2

when executing the podman

$podman run --runtime crun-qemu -it --rm --rootfs my-vm-image "" 
Authorization not available. Check if polkit service is running or see debug message for more information.
error: Failed to define domain from /crun-qemu/domain.xml
error: Cannot check QEMU binary /usr/bin/qemu-system-x86_64: No such file or directory

I am executing the above command on a x86_64 system.

@albertofaria I have limited time that I can dedicate to this so I will just dump my thoughts here and see where things go from there. Hope you don't mind :)

The subject kinda says it all, really. The fact that the first argument passed to podman exec is interpreted as the ssh username is extremely weird and, in my opinion, should be changed.

I guess you've done it that way instead of introducing another custom command line option like --cloud-init because you only get to hook those up for podman run?

Anyway, I think a better way is needed. My idea is that crun-qemu could conditionally interpret the first few arguments as its own options if they are present, without requiring them to be there.

Extremely hacky POC (apologies for my Rust being terrible, haven't touched the language in months/years):

diff --git a/src/commands/exec.rs b/src/commands/exec.rs
index 7b19cfc..b9abf85 100644
--- a/src/commands/exec.rs
+++ b/src/commands/exec.rs
@@ -17,10 +17,16 @@ pub fn exec(global_args: &liboci_cli::GlobalOpts, args: &liboci_cli::Exec) -> Re
         serde_json::from_reader(File::open(process_config_path).map(BufReader::new)?)?;
 
     let command = process.args().as_ref().expect("command specified");
-
-    let ssh_user = command
-        .first()
-        .expect("first command argument is user to ssh as into the vm");
+    let mut ssh_user = "abologna"; // TODO grab this from $USERNAME
+    let mut skip = 0;
+
+    let first_arg = command.first();
+    if first_arg.is_some() && first_arg.unwrap() == "-l" {
+        ssh_user = command
+            .get(1)
+            .expect("first command argument is user to ssh as into the vm");
+        skip = 2;
+    }
 
     let mut new_command = vec![];
 
@@ -32,12 +38,12 @@ pub fn exec(global_args: &liboci_cli::GlobalOpts, args: &liboci_cli::Exec) -> Re
             "-o".to_string(),
             "StrictHostKeyChecking=no".to_string(),
             "-l".to_string(),
-            ssh_user.clone(),
+            ssh_user.to_string(),
             "localhost".to_string(),
         ]);
     }
 
-    new_command.extend(command.iter().skip(1).cloned());
+    new_command.extend(command.iter().skip(skip).cloned());
 
     if ssh_user == "-" && new_command.is_empty() {
         new_command.push("/bin/bash".to_string());

With this patch applied and

#cloud-config
users:
  - name: abologna
    groups: sudo
    shell: /bin/bash
    sudo: 'ALL=(ALL) NOPASSWD:ALL'
    ssh-authorized-keys:
      - ssh-rsa AAAAB3Nza...

in examples/cloud-init/config/user-data, I can just do

$ podman exec --latest whoami
abologna

which is much closer to the interactions I normally expect from podman. If I use the default cloud-init data, I can still do

$ podman exec --latest -- -l fedora
fedora

which is only slightly clunkier. The trade-off is IMO very much worth it.

Additionally, I think it would be very useful to adopt this model to allow for further expansion. For example:

$ podman exec --latest -- --ssh-options="-o whatever" actual-command

Let me know what you think!

When using the --detach option to use exec , i fail to login using fedora user.

$ podman run --runtime /home/mniranja/bin/crun-vm --detach --rm --rootfs my-vm-image ""  --password pass
2cff5d48bcc3f962d51abf3ace03265fae1ae10a9c8c45a979570cc19b7594bc
$ podman exec -it --latest fedora
fedora@localhost's password: 
Permission denied, please try again.
fedora@localhost's password: 

if i don't use --detach and do interactively i can login as fedora user using password "pass"

podman run --runtime /home/mniranja/bin/crun-vm -it --rm --rootfs my-vm-image "" --password pass console output:

[FAILED] Failed to start cloud-fina… Execute cloud user/final scripts.
See 'systemctl status cloud-final.service' for details.
[  OK  ] Reached target cloud-init.target - Cloud-init target.

Fedora Linux 38 (Cloud Edition)
Kernel 6.2.9-300.fc38.x86_64 on an x86_64 (ttyS0)

eth0: 10.0.2.15 fec0::603d:cddd:14f:ec08
7c8dec184a04 login: fedora
Password: 
[systemd]
Failed Units: 1
  cloud-final.service
[fedora@7c8dec184a04 ~]$ id
uid=1000(fedora) gid=1000(fedora) groups=1000(fedora),4(adm),10(wheel),190(systemd-journal) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[fedora@7c8dec184a04 ~]$ 

Resolves #22

Adds the minimal Renovate configuration, inheriting configuration from the org's central config.

Various repositories in this org use different Renovate configs, such as Bootc using the platform-engineering-org's config. It seemed more logical to use the central configuration from the containers org though, because it seemed more commonly used in Podman etc. Please let me know if you want it switched over to "github>platform-engineering-org/.github".

I appreciate the project is still very new, so you may not wish to merge this immediately, but it seemed like the only issue I am able to help with, plus it was tagged with "good-first-issue".

Thanks Rob

Hi, I built crun-vm and like the idea, but can't test it with any image.

Most images use entrypoint / cmd

# docker run --runtime crun-vm -d -ti ubuntu 
dd9d946d7b6a145f2fd9d54d939849158032b9bcbafc3d2fe9795adce083c734
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: unable to retrieve OCI runtime error (open /run/containerd/io.containerd.runtime.v2.task/moby/dd9d946d7b6a145f2fd9d54d939849158032b9bcbafc3d2fe9795adce083c734/log.json: no such file or directory): /usr/local/bin/crun-vm did not terminate successfully: exit status 1: unexpected entrypoint '/bin/bash' found; use an image without an entrypoint or with entrypoint "no-entrypoint", and/or pass in an empty "" entrypoint on the command line

So passed "no-entrypoint", but got another error

# docker run --runtime crun-vm -d -ti ubuntu no-entrypoint
5178b707bbe240fe22e96f040e9fb79721e48dd1eacb54f1e1b93a95caf59c24
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: unable to retrieve OCI runtime error (open /run/containerd/io.containerd.runtime.v2.task/moby/5178b707bbe240fe22e96f040e9fb79721e48dd1eacb54f1e1b93a95caf59c24/log.json: no such file or directory): /usr/local/bin/crun-vm did not terminate successfully: exit status 1: no files found
: unknown.

Build with alpine linux. tried on alpine with docker 26.1.3 and an arch linux with docker 24.0.5. cloned crun-vm from git today

Binary:

# ls -lh /usr/local/bin/crun-vm
-rwxr-xr-x    1 root     root        3.4M Apr 18  2017 /usr/local/bin/crun-vm

And is executable

# /usr/local/bin/crun-vm
Usage: crun-vm [OPTIONS] <COMMAND>

Commands:
  create       Create a container Reference: https://github.com/opencontainers/runc/blob/main/man/runc-create.8.md
  start        Start a previously created container
  state        Show the container state
  kill         Send the specified signal to the container
  delete       Release any resources held by the container
  checkpointt  Checkpoint a running container Reference: https://github.com/opencontainers/runc/blob/main/man/runc-checkpoint.8.md
  events       Show resource statistics for the container
  exec         Execute a process within an existing container Reference: https://github.com/opencontainers/runc/blob/main/man/runc-exec.8.md
  features     Return the features list for a container This subcommand was introduced in runc by https://github.com/opencontainers/runc/pull/3296 It is documented here: https://github.com/opencontainers/runtime-spec/blob/main/features-linux.md
  list         List created containers
  pause        Suspend the processes within the container
  ps           Display the processes inside the container
  resume       Resume the processes within the container
  run          Create a container and immediately start it
  update       Update running container resource constraints
  spec         Command generates a config.json
  help         Print this message or the help of the given subcommand(s)

Options:
  -l, --log <LOG>                set the log file to write youki logs to (default is '/dev/stderr')
      --debug                    change log level to debug, but the `log-level` flag takes precedence
      --log-format <LOG_FORMAT>  set the log format ('text' (default), or 'json') (default: "text")
  -r, --root <ROOT>              root directory to store container state
  -s, --systemd-cgroup           Enable systemd cgroup manager, rather then use the cgroupfs directly
  -h, --help                     Print help

Same problem also with podman

# podman run --runtime /usr/local/bin/crun-vm -ti ubuntu no-entrypoin
t
No such file or directory (os error 2)
ERRO[0000] Removing container 3ebf64d5c3c2afb157ec3a1fbaece7eb0228e6c9301851a6639d77178feec2d7 from runtime after creation failed 
Error: OCI runtime error: /usr/local/bin/crun-vm: no files found

To run bootc bootable containers using crun-vm, users currently must first create a VM image from the container using something like bootc-image-builder, and then pass that image to crun-vm.

We could potentially allow users to pass the bootc container directly to crun-vm, which would internally convert it into an image and run a VM from it. This would simplify the workflow for users.

bootc-image-builder requires root privileges, but we would want this to work with rootless podman. A possible solution is running it an ephemeral VM before launching the actual VM requested by the user.

I'm trying to run the doc example,

My machine is Fedora 39 silverblue

$ uname -a Linux fedora 6.6.9-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Mon Jan 1 20:05:54 UTC 2024 x86_64 GNU/Linux

$ podman run --log-level debug --runtime "$PWD"/target/debug/crun-qemu -it --rm quay.io/containerdisks/fedora:39 ""

INFO[0000] podman filtering at log level debug
DEBU[0000] Called run.PersistentPreRunE(podman run --log-level debug --runtime /var/home/jwesterl/bootc/crun-qemu/target/debug/crun-qemu -it --rm quay.io/containerdisks/fedora:39 ) DEBU[0000] Using conmon: "/usr/bin/conmon"
INFO[0000] Using boltdb as database backend
DEBU[0000] Initializing boltdb state at /home/jwesterl/.local/share/containers/storage/libpod/bolt_state.db DEBU[0000] Overriding graph root "/var/home/jwesterl/.local/share/containers/storage" with "/home/jwesterl/.local/share/containers/storage" from database DEBU[0000] Overriding volume path "/home/jwesterl/.local/share/containers/storage/libpod" with "/home/jwesterl/.local/share/containers/storage/volumes" from database DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /home/jwesterl/.local/share/containers/storage DEBU[0000] Using run root /run/user/25059/containers
DEBU[0000] Using static dir /home/jwesterl/.local/share/containers/storage/libpod DEBU[0000] Using tmp dir /run/user/25059/libpod/tmp
DEBU[0000] Using volume path /home/jwesterl/.local/share/containers/storage/volumes DEBU[0000] Using transient store: false
DEBU[0000] [graphdriver] trying provided driver "overlay" DEBU[0000] Cached value indicated that overlay is supported DEBU[0000] Cached value indicated that overlay is supported DEBU[0000] Cached value indicated that metacopy is not being used DEBU[0000] Cached value indicated that native-diff is usable DEBU[0000] backingFs=btrfs, projectQuotaSupported=false, useNativeDiff=true, usingMetacopy=false DEBU[0000] Initializing event backend journald
DEBU[0000] Configured OCI runtime runj initialization failed: no valid executable found for OCI runtime runj: invalid argument DEBU[0000] Configured OCI runtime runsc initialization failed: no valid executable found for OCI runtime runsc: invalid argument DEBU[0000] Configured OCI runtime krun initialization failed: no valid executable found for OCI runtime krun: invalid argument DEBU[0000] Configured OCI runtime ocijail initialization failed: no valid executable found for OCI runtime ocijail: invalid argument DEBU[0000] Configured OCI runtime crun-wasm initialization failed: no valid executable found for OCI runtime crun-wasm: invalid argument DEBU[0000] Configured OCI runtime runc initialization failed: no valid executable found for OCI runtime runc: invalid argument DEBU[0000] Configured OCI runtime kata initialization failed: no valid executable found for OCI runtime kata: invalid argument DEBU[0000] Configured OCI runtime youki initialization failed: no valid executable found for OCI runtime youki: invalid argument DEBU[0000] Using OCI runtime "/var/home/jwesterl/bootc/crun-qemu/target/debug/crun-qemu" INFO[0000] Setting parallel job count to 25
DEBU[0000] Successfully loaded network podman-default-kube-network: &{podman-default-kube-network 9056d64605b66705d6063f6c54c7d4b02ea98009d3636bbf8df5ab59cd7e7f6c bridge podman1 2023-05-02 10:08:24.087279997 +0200 CEST [{{{10.89.0.0 ffffff00}} 10.89.0.1 }] [] false false true [] map[] map[] map[driver:host-local]} DEBU[0000] Successfully loaded network podman: &{podman 2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9 bridge podman0 2023-05-02 14:46:42.665278835 +0200 CEST [{{{10.88.0.0 ffff0000}} 10.88.0.1 }] [] false false false [] map[] map[] map[driver:host-local]} DEBU[0000] Successfully loaded 2 networks
DEBU[0000] Pulling image quay.io/containerdisks/fedora:39 (policy: missing) DEBU[0000] Looking up image "quay.io/containerdisks/fedora:39" in local containers storage DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] } DEBU[0000] Trying "quay.io/containerdisks/fedora:39" ... DEBU[0000] parsed reference into "[overlay@/home/jwesterl/.local/share/containers/storage+/run/user/25059/containers]@a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455" DEBU[0000] Found image "quay.io/containerdisks/fedora:39" as "quay.io/containerdisks/fedora:39" in local containers storage DEBU[0000] Found image "quay.io/containerdisks/fedora:39" as "quay.io/containerdisks/fedora:39" in local containers storage ([overlay@/home/jwesterl/.local/share/containers/storage+/run/user/25059/containers]@a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455) DEBU[0000] exporting opaque data as blob "sha256:a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455" DEBU[0000] Looking up image "quay.io/containerdisks/fedora:39" in local containers storage DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] } DEBU[0000] Trying "quay.io/containerdisks/fedora:39" ... DEBU[0000] parsed reference into "[overlay@/home/jwesterl/.local/share/containers/storage+/run/user/25059/containers]@a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455" DEBU[0000] Found image "quay.io/containerdisks/fedora:39" as "quay.io/containerdisks/fedora:39" in local containers storage DEBU[0000] Found image "quay.io/containerdisks/fedora:39" as "quay.io/containerdisks/fedora:39" in local containers storage ([overlay@/home/jwesterl/.local/share/containers/storage+/run/user/25059/containers]@a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455) DEBU[0000] exporting opaque data as blob "sha256:a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455" DEBU[0000] Looking up image "quay.io/containerdisks/fedora:39" in local containers storage DEBU[0000] Normalized platform linux/amd64 to {amd64 linux [] } DEBU[0000] Trying "quay.io/containerdisks/fedora:39" ... DEBU[0000] parsed reference into "[overlay@/home/jwesterl/.local/share/containers/storage+/run/user/25059/containers]@a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455" DEBU[0000] Found image "quay.io/containerdisks/fedora:39" as "quay.io/containerdisks/fedora:39" in local containers storage DEBU[0000] Found image "quay.io/containerdisks/fedora:39" as "quay.io/containerdisks/fedora:39" in local containers storage ([overlay@/home/jwesterl/.local/share/containers/storage+/run/user/25059/containers]@a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455) DEBU[0000] exporting opaque data as blob "sha256:a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455" DEBU[0000] Inspecting image a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455 DEBU[0000] exporting opaque data as blob "sha256:a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455" DEBU[0000] exporting opaque data as blob "sha256:a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455" DEBU[0000] Inspecting image a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455 DEBU[0000] Inspecting image a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455 DEBU[0000] Inspecting image a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455 DEBU[0000] using systemd mode: false
DEBU[0000] No hostname set; container's hostname will default to runtime default DEBU[0000] Loading seccomp profile from "/usr/share/containers/seccomp.json" DEBU[0000] Allocated lock 3 for container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 DEBU[0000] parsed reference into "[overlay@/home/jwesterl/.local/share/containers/storage+/run/user/25059/containers]@a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455" DEBU[0000] exporting opaque data as blob "sha256:a85e682c84b7c54b29f57def07571d83282da6d0bae7ff60a7ba91bfc0bc6455" DEBU[0000] Cached value indicated that idmapped mounts for overlay are not supported DEBU[0000] Check for idmapped mounts support
DEBU[0000] Created container "0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956" DEBU[0000] Container "0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956" has work directory "/home/jwesterl/.local/share/containers/storage/overlay-containers/0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956/userdata" DEBU[0000] Container "0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956" has run directory "/run/user/25059/containers/overlay-containers/0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956/userdata" DEBU[0000] Handling terminal attach
INFO[0000] Received shutdown.Stop(), terminating! PID=30304 DEBU[0000] Enabling signal proxying
DEBU[0000] Cached value indicated that volatile is being used DEBU[0000] overlay: mount_data=lowerdir=/home/jwesterl/.local/share/containers/storage/overlay/l/XNMIBJLZDS5ELNIWTLKWFMVKLV,upperdir=/home/jwesterl/.local/share/containers/storage/overlay/06fe0013493c5fd1ee689cc2fd4543403a69ef6cac7fe8537543b53f62be02f9/diff,workdir=/home/jwesterl/.local/share/containers/storage/overlay/06fe0013493c5fd1ee689cc2fd4543403a69ef6cac7fe8537543b53f62be02f9/work,userxattr,volatile,context="system_u:object_r:container_file_t:s0:c215,c640" DEBU[0000] Made network namespace at /run/user/25059/netns/netns-80a429fb-7e70-4ff1-10d2-bff7059ee352 for container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 DEBU[0000] Mounted container "0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956" at "/home/jwesterl/.local/share/containers/storage/overlay/06fe0013493c5fd1ee689cc2fd4543403a69ef6cac7fe8537543b53f62be02f9/merged" DEBU[0000] Created root filesystem for container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 at /var/home/jwesterl/.local/share/containers/storage/overlay/06fe0013493c5fd1ee689cc2fd4543403a69ef6cac7fe8537543b53f62be02f9/merged DEBU[0000] slirp4netns command: /usr/bin/slirp4netns --disable-host-loopback --mtu=65520 --enable-sandbox --enable-seccomp --enable-ipv6 -c -r 3 -e 4 --netns-type=path /run/user/25059/netns/netns-80a429fb-7e70-4ff1-10d2-bff7059ee352 tap0 DEBU[0000] /etc/system-fips does not exist on host, not mounting FIPS mode subscription DEBU[0000] Setting Cgroups for container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 to user.slice:libpod:0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 DEBU[0000] reading hooks from /usr/share/containers/oci/hooks.d DEBU[0000] Workdir "/" resolved to host path "/var/home/jwesterl/.local/share/containers/storage/overlay/06fe0013493c5fd1ee689cc2fd4543403a69ef6cac7fe8537543b53f62be02f9/merged" DEBU[0000] Created OCI spec for container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 at /home/jwesterl/.local/share/containers/storage/overlay-containers/0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956/userdata/config.json DEBU[0000] /usr/bin/conmon messages will be logged to syslog DEBU[0000] running conmon: /usr/bin/conmon args="[--api-version 1 -c 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 -u 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 -r /var/home/jwesterl/bootc/crun-qemu/target/debug/crun-qemu -b /home/jwesterl/.local/share/containers/storage/overlay-containers/0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956/userdata -p /run/user/25059/containers/overlay-containers/0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956/userdata/pidfile -n vigilant_maxwell --exit-dir /run/user/25059/libpod/tmp/exits --full-attach -s -l journald --log-level debug --syslog -t --conmon-pidfile /run/user/25059/containers/overlay-containers/0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956/userdata/conmon.pid --exit-command /usr/bin/podman --exit-command-arg --root --exit-command-arg /home/jwesterl/.local/share/containers/storage --exit-command-arg --runroot --exit-command-arg /run/user/25059/containers --exit-command-arg --log-level --exit-command-arg debug --exit-command-arg --cgroup-manager --exit-command-arg systemd --exit-command-arg --tmpdir --exit-command-arg /run/user/25059/libpod/tmp --exit-command-arg --network-config-dir --exit-command-arg --exit-command-arg --network-backend --exit-command-arg netavark --exit-command-arg --volumepath --exit-command-arg /home/jwesterl/.local/share/containers/storage/volumes --exit-command-arg --db-backend --exit-command-arg boltdb --exit-command-arg --transient-store=false --exit-command-arg --runtime --exit-command-arg /var/home/jwesterl/bootc/crun-qemu/target/debug/crun-qemu --exit-command-arg --storage-driver --exit-command-arg overlay --exit-command-arg --events-backend --exit-command-arg journald --exit-command-arg --syslog --exit-command-arg container --exit-command-arg cleanup --exit-command-arg --rm --exit-command-arg 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956]" INFO[0000] Running conmon under slice user.slice and unitName libpod-conmon-0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956.scope DEBU[0000] Received: -1
DEBU[0000] Cleaning up container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 DEBU[0000] Tearing down network namespace at /run/user/25059/netns/netns-80a429fb-7e70-4ff1-10d2-bff7059ee352 for container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 DEBU[0000] Unmounted container "0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956" DEBU[0000] Removing container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 DEBU[0000] Cleaning up container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 DEBU[0000] Network is already cleaned up, skipping...
DEBU[0000] Container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 storage is already unmounted, skipping... DEBU[0000] Removing all exec sessions for container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 DEBU[0000] Container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 storage is already unmounted, skipping... DEBU[0000] Failed to delete container "0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956": 1 error occurred: * unlinkat /home/jwesterl/.local/share/containers/storage/overlay-containers/0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956/userdata/crun-qemu-root/crun-qemu: directory not empty

DEBU[0000] unable to remove container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 after failing to start and attach to it: cleaning up storage: removing container 0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956 root filesystem: 1 error occurred: * unlinkat /home/jwesterl/.local/share/containers/storage/overlay-containers/0e957eea6bec3aaaac2fa5cf9467bfda68a9327d061805bd64ca19de4d30f956/userdata/crun-qemu-root/crun-qemu: directory not empty

DEBU[0000] ExitCode msg: "/var/home/jwesterl/bootc/crun-qemu/target/debug/crun-qemu: failed to load cloud-init config: no such file or directory (os error 2): oci runtime attempted to invoke a command that was not found" Error: /var/home/jwesterl/bootc/crun-qemu/target/debug/crun-qemu: failed to load cloud-init config: No such file or directory (os error 2): OCI runtime attempted to invoke a command that was not found DEBU[0000] Shutting down engines

We attempt to detect if a container image is bootable. We can't easily retrieve the image's labels, so we instead look for files under /usr/lib/bootc/install. If there are none, it isn't a bootable container. If it is a bootable container but we're not running under Podman or Docker, we fail with an error.

Once our container's entrypoint starts running, a background process on the host (outside the container) queries Podman/Docker for the image's name and ID, which the OCI runtime does not get but bootc-install needs. It then saves the container image as a docker-archive.

It then runs the original container to generate the VM image. We do this using krun so that elevated privileges aren't necessary. Our entrypoint blocks until this is done, and all subsequent logic remains the same.

We could potentially avoid the docker-archive creation step by mounting the host's container storage into the container running under krun. This isn't trivial to achieve due to SELinux label and context mismatches between the host and the krun environment, so we leave this optimization for a future date.

Closes #26.

TODO:

• [x] Wait for containers/libkrunfw#57 to make it into an upstream release.
• [x] Wait for ostreedev/ostree-rs-ext#620 to make it into an upstream release.
• [x] Wait for an upstream bootc release making use of that ostree-rs-ext release.
• [x] Wait for that bootc release to make it into Fedora and quay.io/fedora/fedora-bootc:40.

When I saw this project, my first thought was can I replace our use of Vagrant in our project and centralize tooling for developers and CI on podman. For reference, our project that handles this is forklift for the Foreman community.

Effectively we use Vagrant to spin up a VM, and then execute a bunch of Ansible against it. From the docs, I only saw examples of using podman exec to SSH to the VM. Is there a way to execute Ansible against the resulting VM?

Closes https://github.com/containers/crun-qemu/issues/5

This provides a much simpler way for individuals to try out the project. Binaries are built in CI and can simply be downloaded and used, rather than requiring people to install many build dependencies.

Creates a GitHub Actions workflow to do the following:

1. When running in a Pull Request, attaches the binary as a build artifact of the workflow
2. When wanting to publish a semi-stable/beta/whatever release, you can manually invoke the release workflow with the preferred tag name. This will create a GitHub release with the binary attached. You can select if this is a pre-release or release version.

All releases and tags will be named as follows: <version>-<git-sha> But of course, this can be changed further down the line. I have included the Git SHA to prevent trying to publish to v0.0.0 multiple times, for example. You can now have v0.0.0-abcdefg(..) and v0.0.0-zyxwvut(..) while you do not wish for this to be considered stable.

Tried to build this project, and some error output as below:

[root@dell-per730-60 crun-qemu]# cargo build Compiling crun-qemu v0.0.0 (/root/workdir/crun-qemu) error: linking with cc failed: exit status: 1 | = note: LC_ALL="C" PATH="/usr/lib/rustlib/x86_64-unknown-linux-gnu/bin:/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin" VSLANG="1033" "cc" "-m64" "/tmp/rustclzDfNI/symbols.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.19y4ey6a8v2m5v7w.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.1bditkwl7sy1zab0.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.1eakctqkc9o8lbpr.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.1et2ua47q92f1fre.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.1spdjxlgvcf3omcl.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.2f3zo9l0qzkyo6nh.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.2pfres9egkuw8si0.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.2yh0cmj2u8j6axe8.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.357wmuxms6ht5fca.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.35jhvrmn2ysnjl4s.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.38ekp2w3598kk09l.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.3a0gy1gch4wxax57.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.3edcs1v27fq0gsi8.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.3gql2u2xy51w8r1k.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.3n0zd4lgdsxt7lbk.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.3tm3tb7v662p1x6j.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.41c1ecdcsqmfj8jl.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.46xgunun1wyg8bj3.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.49jy6797zt1edd8z.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.4sq84pjnykqfp74x.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.bvau3ag62b7uv0z.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.c2e0q1wrmnzp7we.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.l4xaporkhhoau36.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.lfe0v6evixm2lql.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.npqmg79a0a0z3uc.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.swfscdn25kvyg1v.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.v86w44fna3q9vou.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.w63xptayuq8zc1j.rcgu.o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69.1ibgztrf9m2orky0.rcgu.o" "-Wl,--as-needed" "-L" "/root/workdir/crun-qemu/target/debug/deps" "-L" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib" "-Wl,-Bstatic" "/root/workdir/crun-qemu/target/debug/deps/libcrun_qemu-2a9df37c881c8e34.rlib" "/root/workdir/crun-qemu/target/debug/deps/libhome-7a2d401631f12527.rlib" "/root/workdir/crun-qemu/target/debug/deps/libliboci_cli-4181281368f920a7.rlib" "/root/workdir/crun-qemu/target/debug/deps/liburlencoding-2786e59e7876568e.rlib" "/root/workdir/crun-qemu/target/debug/deps/libserde_yaml-e21e68a0594462cd.rlib" "/root/workdir/crun-qemu/target/debug/deps/libindexmap-782209d549e41a44.rlib" "/root/workdir/crun-qemu/target/debug/deps/libequivalent-08663f589c7ef581.rlib" "/root/workdir/crun-qemu/target/debug/deps/libhashbrown-006a300511556918.rlib" "/root/workdir/crun-qemu/target/debug/deps/libunsafe_libyaml-16230026238c102e.rlib" "/root/workdir/crun-qemu/target/debug/deps/libnum_cpus-bc798d8e687bf848.rlib" "/root/workdir/crun-qemu/target/debug/deps/liboci_spec-f5213df0c1ee05d8.rlib" "/root/workdir/crun-qemu/target/debug/deps/libderive_builder-4c1d0e3ac7302270.rlib" "/root/workdir/crun-qemu/target/debug/deps/libthiserror-0b7b090616f7ccc8.rlib" "/root/workdir/crun-qemu/target/debug/deps/libserde_json-718ca4b74afa5076.rlib" "/root/workdir/crun-qemu/target/debug/deps/libryu-9d5220396fcbbf13.rlib" "/root/workdir/crun-qemu/target/debug/deps/libitoa-9084045bc5264353.rlib" "/root/workdir/crun-qemu/target/debug/deps/libserde-f05617c7c10406df.rlib" "/root/workdir/crun-qemu/target/debug/deps/libnix-de3dfeb29d2a2ff7.rlib" "/root/workdir/crun-qemu/target/debug/deps/libbitflags-15c474feade7c811.rlib" "/root/workdir/crun-qemu/target/debug/deps/libxml-999370e45e30fed4.rlib" "/root/workdir/crun-qemu/target/debug/deps/libsysinfo-426df8391ad89c01.rlib" "/root/workdir/crun-qemu/target/debug/deps/libonce_cell-a9d9f66e733d8519.rlib" "/root/workdir/crun-qemu/target/debug/deps/liblibc-69e840d4bad768ec.rlib" "/root/workdir/crun-qemu/target/debug/deps/libcfg_if-d6a13c804d7a5b38.rlib" "/root/workdir/crun-qemu/target/debug/deps/libregex-1060ddaecdd4f1ac.rlib" "/root/workdir/crun-qemu/target/debug/deps/libregex_automata-6af38b312353eb63.rlib" "/root/workdir/crun-qemu/target/debug/deps/libregex_syntax-33ae447c47968eb2.rlib" "/root/workdir/crun-qemu/target/debug/deps/liblazy_static-f8427cbae7d55ada.rlib" "/root/workdir/crun-qemu/target/debug/deps/libclap-db8f37dca9849dd6.rlib" "/root/workdir/crun-qemu/target/debug/deps/libclap_builder-3e80e64ae0f32cce.rlib" "/root/workdir/crun-qemu/target/debug/deps/libstrsim-784d9df655430a2d.rlib" "/root/workdir/crun-qemu/target/debug/deps/libclap_lex-931cc997986c2eee.rlib" "/root/workdir/crun-qemu/target/debug/deps/libanstyle-d34286df36f51066.rlib" "/root/workdir/crun-qemu/target/debug/deps/libanyhow-ea0937e8255f5417.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libstd-9ef8951a9b3a6df7.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libpanic_unwind-6554986a19ed2c0b.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libobject-328f15c722929bfb.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libmemchr-57cc3a84a8631f4b.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libaddr2line-9ce9ca808f2546d7.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libgimli-fffee6bb8d876a13.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_demangle-064f0a940946c24b.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libstd_detect-02439c9117a25586.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libhashbrown-e1cc866cf3222533.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_std_workspace_alloc-dd4c7a36fa60d162.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libminiz_oxide-a31fc84f09512f78.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libadler-aa058a04eb362e60.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libunwind-c82d0fe0341d6c2c.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libcfg_if-8164627cfc83efb4.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/liblibc-2a9f407501eee09f.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/liballoc-038b03d73dd5affa.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/librustc_std_workspace_core-6c10f76896855489.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libcore-6364922750687291.rlib" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib/libcompiler_builtins-1fa15b4ad6325f7f.rlib" "-Wl,-Bdynamic" "-lselinux" "-lgcc_s" "-lutil" "-lrt" "-lpthread" "-lm" "-ldl" "-lc" "-Wl,--eh-frame-hdr" "-Wl,-z,noexecstack" "-L" "/usr/lib/rustlib/x86_64-unknown-linux-gnu/lib" "-o" "/root/workdir/crun-qemu/target/debug/deps/crun_qemu-55a6966bfed9be69" "-Wl,--gc-sections" "-pie" "-Wl,-z,relro,-z,now" "-nodefaultlibs" = note: /usr/bin/ld: cannot find -lselinux: No such file or directory collect2: error: ld returned 1 exit status

error: could not compile crun-qemu (bin "crun-qemu") due to previous error

Quack,

I've been giving a try to crun-vm to overcome problems we have with nested containers (CI container running molecule tests) and we use an image based on quay.io/podman/upstream, only adding systemd needed for certain tests.

It seems the image is compatible with crun-vm as it creates it properly (with podman run) but the gitlab preparation script needs to copy the gitlab-runner into the VM before exec-ing the real workload and that fails:

Running with gitlab-runner 17.5.3 (12030cf4)
  on gl-runner-podman-02.osci.io t2_D16Jou, system ID: s_cbfa6646c082
Preparing the "custom" executor 00:14
Using Custom executor...
Running in runner-43441658-project-31791330-concurrent-0-8375585513
Login to registry.gitlab.com with CI_REGISTRY_USER
Login Succeeded!
Trying to pull registry.gitlab.com/osci/podman-systemd-container:latest...
Getting image source signatures
Copying blob sha256:1bb9855e1afb4fc53ae94da3fb358868811dacb52e869def9d74ae225d0f6c35
Copying blob sha256:9402150a0e0b7244ce96ca2f7d2ddd29042b8987c5a1c47fe1be6a2ae9eb43c2
Copying blob sha256:5834ff41b0bcc04d91328a62a635de1f699da102d82aaffa20945dc6e3be1a8c
Copying blob sha256:94f43534c2c6d38520040102ef9df87fbb8d0f007277abb0224eb9e14efe2928
Copying blob sha256:e83f3bc2948ac89513f21986e9ec27336afe9805a8ed9767059421dd8ee6ab8f
Copying blob sha256:a97b10dda78d89f54100e53ee5413aa0f4ad4b95f1d6d6587e3ad1d5a13d4393
Copying blob sha256:a2da08455699d2013d3014a1d95a8320b6309e70e143b81af624d0b7dbe2dc07
Copying blob sha256:d8a51423ba93addcb2e8014656cb524200073589bc41da324007c13020239a85
Copying blob sha256:c3a0e61cb4d6199decc85e39b391bdb978fb86138c199aff6153add3509d0cfc
Copying blob sha256:bd7a5cb2d057b8984622e959d2f339a727b98570896891937978f25e5054e40d
Copying blob sha256:40ce70dfa26995362ea261ca9bb210ebdd32a3dedbfbd247ec9996f7f9fe6c9f
Copying config sha256:19a08554818953fa8522731943469838f1d55a3e14ae4b1d97b3ef709c24ff43
Writing manifest to image destination
19a08554818953fa8522731943469838f1d55a3e14ae4b1d97b3ef709c24ff43
291b96464a4c12418089558b70e277e3d3326ede92d24a65bc01a73172f88c7e
Error: 2 errors occurred:
	* copying to container: open /proc/658129/ns/mnt: no such file or directory
	* copying from host: copier: get: "/usr/bin/gitlab-runner": copying /usr/bin/gitlab-runner: io: read/write on closed pipe

More precisely this command fails: podman cp --pause=false "${RUNNER_BINARY}" "$CONTAINER_ID":/usr/bin/gitlab-runner

Did I make a mistake or is the cp command not supported yet?

Regards. \_o<

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | regex | dependencies | minor | 1.10.6 -> 1.11.0 |

Release Notes

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | fedora | container | major | 39 -> 42 |

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

This PR contains the following updates:

| Package | Type | Update | Change | |---|---|---|---| | minidom | dependencies | minor | 0.15.2 -> 0.16.0 |

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

• [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.