Skip to content

feat: Add support for running qemu-guest-agent in machine #175

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

feat: Add support for running qemu-guest-agent in machine #175

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion build.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash

set -exo pipefail

Expand Down
13 changes: 13 additions & 0 deletions podman-image/Containerfile.COREOS
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,3 +40,16 @@ RUN --network=none rm -vf /etc/resolv.conf && rpm -e systemd-resolved
# https://github.com/containers/podman/pull/21670#discussion_r1585790802
COPY rosetta-activation.service /etc/systemd/system/rosetta-activation.service
COPY rosetta-activation.sh /usr/local/bin/rosetta-activation.sh

# Configure qemu-guest-agent
# Copy in our service file override that communicates over vsock
COPY qemu-guest-agent.service /etc/systemd/system/qemu-guest-agent.service
# Bind mount non-base selinux policy module compile it and install it to allow
# qemu-guest-agent access to the vsock-socket
RUN --mount=type=bind,source=/qemuga-vsock.te,target=/run/qemuga-vsock.te,z <<EOF
/usr/bin/checkmodule -M -m -o /run/qemuga-vsock.mod /run/qemuga-vsock.te
/usr/bin/semodule_package -o /run/qemuga-vsock.pp -m /run/qemuga-vsock.mod
Comment on lines +49 to +51
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd rather do this in a build step so we don't need to install the checkpolicy package.
I could include the compiled qemuga-vsock.pp, it can be read with tools like sedismod but I think as a rule it's better to not include compiled files.

sudo semodule -i /run/qemuga-vsock.pp
rm /run/qemuga-vsock.pp /run/qemuga-vsock.mod
systemctl enable qemu-guest-agent.service
EOF
4 changes: 4 additions & 0 deletions podman-image/build_common.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,10 @@ PACKAGES=(

# cpp for buildah.in support
cpp

# qemu-guest-agent to enable communication from the host
qemu-guest-agent
checkpolicy
)

dnf install -y "${PACKAGES[@]}"
Expand Down
11 changes: 11 additions & 0 deletions podman-image/qemu-guest-agent.service
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
Description=QEMU Guest Agent
IgnoreOnIsolate=True

[Service]
UMask=0077
ExecStart=/usr/bin/qemu-ga --method=vsock-listen --path=3:1025 # Todo: The 3 may need to be dynamic
Restart=always
RestartSec=0

[Install]
WantedBy=default.target
9 changes: 9 additions & 0 deletions podman-image/qemuga-vsock.te
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
module qemuga-vsock 1.0;

require {
type virt_qemu_ga_t;
class vsock_socket { bind create getattr listen accept read write };
}

#============= virt_qemu_ga_t ==============
allow virt_qemu_ga_t self:vsock_socket { bind create getattr listen accept read write };