Adding supported quadlet vars mappings

Remove PodmanArgs, since the following mappings supported: rpm -q podman podman-5.2.3-6.el9.x86_64 Unmask=ALL SecurityLabelNested=true SeccompProfile=/usr/share/qm/seccomp.json PidsLimit=-1 Adding Readme related to updating qm quadlet file It seems that currently there is usage in /etc/qm/containers/containers.conf Instead of extension of existing quadlet Signed-off-by: Yariv Rachmani <[email protected]>
containers · Nov 27, 2024 · da70aa5 · da70aa5
1 parent 1b6a02a
commit da70aa5
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 1 deletion.
diff --git a/docs/devel/README.md b/docs/devel/README.md
@@ -10,6 +10,7 @@
   - [Copying files to QM partition](#copying-files-to-qm-partition)
   - [Listing QM service](#listing-qm-service)
   - [List QM container via podman](#list-qm-container-via-podman)
+  - [Extend QM quadlet managed by podman](#extend-qm-quadlet-managed-by-podman)
   - [Connecting to QM container via podman](#connecting-to-qm-container-via-podman)
   - [SSH guest CentOS Automotive Stream Distro](#ssh-guest-centos-automotive-stream-distro)
   - [Check if HOST and Container are using different network namespace](#check-if-host-and-container-are-using-different-network-namespace)
@@ -179,6 +180,44 @@ CONTAINER ID  IMAGE       COMMAND     CREATED         STATUS         PORTS
 a83253ae278d              /sbin/init  38 seconds ago  Up 38 seconds              qm
 ```
 
+### Extend QM quadlet managed by podman
+
+QM quadlet file is shipped through rpm, refer the following file.
+qm.container which is installed to /usr/share/containers/systemd/qm.container
+Please refer `man quadlet` for the supported value and how to.
+
+In case a change needed in quadlet file, do not update systemd/qm.container file
+As per `man quadlet` do the following:
+
+```console
+if ! test -e /etc/containers/systemd/qm.container.d ; then
+  mkdir -p  /etc/containers/systemd/qm.container.d
+fi
+cat > "/etc/containers/systemd/qm.container.d/expose-dev.conf" <<EOF
+[Container]
+# Expose host device /dev/net/tun
+AddDevice=-/dev/net/tun
+# In case parameter override needed, add empty value before the required key
+Unmask=
+Unmask=ALL
+EOF
+```
+
+To verify the result use the following command:
+
+```console
+/usr/lib/systemd/system-generators/podman-system-generator  --dryrun
+```
+
+Once the result is satisfied, apply the following
+
+```console
+systemctl daemon-reload
+systemctl restart qm
+systemctl is-active qm
+active
+```
+
 ### Connecting to QM container via podman
 
 ```console

diff --git a/qm.container b/qm.container
@@ -36,6 +36,10 @@ TasksMax=50%
 
 [Container]
 AddCapability=all
+Unmask=ALL
+SecurityLabelNested=true
+SeccompProfile=/usr/share/qm/seccomp.json
+PidsLimit=-1
 
 # Comment DropCapability this will allow FFI Tools to surpass their defaults.
 DropCapability=sys_resource
@@ -45,7 +49,6 @@ AddDevice=-/dev/fuse
 ContainerName=qm
 Exec=/sbin/init
 Network=private
-PodmanArgs=--pids-limit=-1 --security-opt seccomp=/usr/share/qm/seccomp.json --security-opt label=nested --security-opt unmask=all
 ReadOnly=true
 Rootfs=${ROOTFS}