WIP: add a podman container for running podman in podman

Author: dcermak

src/bci_build/package/__init__.py

@@ -1564,6 +1564,7 @@ def generate_disk_size_constraints(size_gb: int) -> str:
 from .appcontainers import HELM_CONTAINERS  # noqa: E402
 from .appcontainers import NGINX_CONTAINERS  # noqa: E402
 from .appcontainers import PCP_CONTAINERS  # noqa: E402
+from .appcontainers import PODMAN_CONTAINERS  # noqa: E402
 from .appcontainers import POSTGRES_CONTAINERS  # noqa: E402
 from .appcontainers import PROMETHEUS_CONTAINERS  # noqa: E402
 from .appcontainers import REGISTRY_CONTAINERS  # noqa: E402
@@ -1622,6 +1623,7 @@ def generate_disk_size_constraints(size_gb: int) -> str:
         *FIPS_BASE_CONTAINERS,
         *MARIADB_CONTAINERS,
         *MARIADB_CLIENT_CONTAINERS,
+        *PODMAN_CONTAINERS,
         *POSTFIX_CONTAINERS,
         *POSTGRES_CONTAINERS,
         *PROMETHEUS_CONTAINERS,

src/bci_build/package/appcontainers.py

@@ -542,3 +542,65 @@ def _get_nginx_kwargs(os_version: OsVersion):
     )
     for os_version in (OsVersion.TUMBLEWEED,)
 ]
+
+
+_PODMAN_FILES = {"podman-containers.conf": "", "containers.conf": ""}
+
+for fname in _PODMAN_FILES:
+    _PODMAN_FILES[fname] = (Path(__file__).parent / "podman" / fname).read_text()
+
+_PODMAN_VERS_REGEX = "%%podman_version%%"
+
+PODMAN_CONTAINERS = [
+    ApplicationStackContainer(
+        name="podman",
+        pretty_name="Podman",
+        license="Apache-2.0",
+        version_in_uid=False,
+        version=_PODMAN_VERS_REGEX,
+        replacements_via_service=[
+            Replacement(
+                regex_in_build_description=_PODMAN_VERS_REGEX, package_name="podman"
+            )
+        ],
+        os_version=os_version,
+        extra_files=_PODMAN_FILES,
+        is_latest=os_version in CAN_BE_LATEST_OS_VERSION,
+        package_list=["podman", "fuse-overlayfs"],
+        custom_end=r"""RUN useradd podman && \
+    echo -e "podman:1:999\npodman:1001:64535" > /etc/subuid && \
+    echo -e "podman:1:999\npodman:1001:64535" > /etc/subgid
+
+COPY containers.conf /etc/containers/containers.conf
+COPY podman-containers.conf /home/podman/.config/containers/containers.conf
+
+RUN mkdir -p /home/podman/.local/share/containers && \
+    chown podman:podman -R /home/podman && \
+    chmod 0644 /etc/containers/containers.conf
+
+# Copy & modify the defaults to provide reference if runtime changes needed.
+# Changes here are required for running with fuse-overlay storage inside container.
+RUN sed -e 's|^#mount_program|mount_program|g' \
+           -e '/additionalimage.*/a "/var/lib/shared",' \
+           -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' \
+           /usr/share/containers/storage.conf \
+           > /etc/containers/storage.conf
+
+VOLUME /var/lib/containers
+VOLUME /home/podman/.local/share/containers
+
+RUN mkdir -p /var/lib/shared/overlay-images \
+             /var/lib/shared/overlay-layers \
+             /var/lib/shared/vfs-images \
+             /var/lib/shared/vfs-layers && \
+    touch /var/lib/shared/overlay-images/images.lock && \
+    touch /var/lib/shared/overlay-layers/layers.lock && \
+    touch /var/lib/shared/vfs-images/images.lock && \
+    touch /var/lib/shared/vfs-layers/layers.lock
+
+ENV _CONTAINERS_USERNS_CONFIGURED="" \
+    BUILDAH_ISOLATION=chroot
+""",
+    )
+    for os_version in ALL_NONBASE_OS_VERSIONS
+]

src/bci_build/package/podman/containers.conf

@@ -0,0 +1,12 @@
+[containers]
+netns="host"
+userns="host"
+ipcns="host"
+utsns="host"
+cgroupns="host"
+cgroups="disabled"
+log_driver = "k8s-file"
+[engine]
+cgroup_manager = "cgroupfs"
+events_logger="file"
+runtime="crun"

src/bci_build/package/podman/podman-containers.conf

@@ -0,0 +1,5 @@
+[containers]
+volumes = [
+	"/proc:/proc",
+]
+default_sysctls = []

update-files.sh

@@ -4,7 +4,7 @@
 #
 # Note: when fetching external files, make sure to include their license declarations!
 
-mkdir -p src/bci_build/package/{postgres,nginx,grafana,mariadb,postfix/entrypoint/ldap}
+mkdir -p src/bci_build/package/{postgres,nginx,grafana,mariadb,postfix/entrypoint/ldap,podman}
 
 ### postgres: PostgreSQL license
 curl -sf -o src/bci_build/package/postgres/LICENSE https://raw.githubusercontent.com/docker-library/postgres/master/LICENSE
@@ -43,3 +43,7 @@ curl -sf -o src/bci_build/package/postfix/entrypoint/ldap/virtual_mailbox_maps h
 curl -sf -o src/bci_build/package/postfix/entrypoint/ldap/virtual_uid_maps https://raw.githubusercontent.com/thkukuk/containers-mailserver/master/postfix/ldap/virtual_uid_maps
 
 patch src/bci_build/package/postfix/entrypoint/entrypoint.sh src/bci_build/package/postfix/entrypoint/sles-entrypoint.patch -o src/bci_build/package/postfix/entrypoint/entrypoint.sles.sh
+
+### podman: Apache-2
+curl -sf -o src/bci_build/package/podman/containers.conf https://raw.githubusercontent.com/containers/image_build/main/podman/containers.conf
+curl -sf -o src/bci_build/package/podman/podman-containers.conf https://raw.githubusercontent.com/containers/image_build/main/podman/podman-containers.conf