From 4fdb048cc17d22d90664c3cac076516b771f4d30 Mon Sep 17 00:00:00 2001
From: unitexe
Date: Sat, 3 Jan 2026 15:20:53 -0600
Subject: Podman (rootful & rootless) support - Rootless support for unitexe user specifically
---
 .../recipes-containers/podman/podman_%.bbappend | 2 ++
 .../recipes-extended/shadow/shadow_%.bbappend | 12 ++++++++++
 .../recipes-kernel/linux/linux-yocto_%.bbappend | 1 +
 .../recipes-unit/images/core-image-unit.bbappend | 1 +
 .../useradd/add-user-unitexe.bbappend | 18 +++++++++++++++
 .../packagegroups/packagegroup-unit-containers.bb | 27 ++++++++++++++++++++++
 .../linux/files/netfilter_xt_match.cfg | 2 ++
 .../recipes-kernel/linux/linux-yocto_%.bbappend | 1 +
 8 files changed, 64 insertions(+)
 create mode 100644 meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/podman/podman_%.bbappend
 create mode 100644 meta-unit-core/dynamic-layers/virtualization-layer/recipes-extended/shadow/shadow_%.bbappend
 create mode 100644 meta-unit-core/dynamic-layers/virtualization-layer/recipes-kernel/linux/linux-yocto_%.bbappend
 create mode 100644 meta-unit-core/dynamic-layers/virtualization-layer/recipes-unit/images/core-image-unit.bbappend
 create mode 100644 meta-unit-core/dynamic-layers/virtualization-layer/recipes-users/useradd/add-user-unitexe.bbappend
 create mode 100644 meta-virtualization-extra/recipes-containers/packagegroups/packagegroup-unit-containers.bb
 create mode 100644 meta-virtualization-extra/recipes-kernel/linux/files/netfilter_xt_match.cfg
 create mode 100644 meta-virtualization-extra/recipes-kernel/linux/linux-yocto_%.bbappend
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/podman/podman_%.bbappend b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/podman/podman_%.bbappend
new file mode 100644
index 0000000..3b9e0c7
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-containers/podman/podman_%.bbappend
@@ -0,0 +1,2 @@
+# Enable rootless containers.
+PACKAGECONFIG:append = " rootless"
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-extended/shadow/shadow_%.bbappend b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-extended/shadow/shadow_%.bbappend
new file mode 100644
index 0000000..cb2beaa
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-extended/shadow/shadow_%.bbappend
@@ -0,0 +1,12 @@
+#
+# Support rootless podman for unitexe user.
+#
+# This is explained at:
+# https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#etcsubuid-and-etcsubgid-configuration
+#
+do_install:append() {
+ echo "unitexe:100000:65536" >> ${D}${sysconfdir}/subuid
+ echo "" >> ${D}${sysconfdir}/subuid
+ echo "unitexe:100000:65536" >> ${D}${sysconfdir}/subgid
+ echo "" >> ${D}${sysconfdir}/subgid
+}
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-kernel/linux/linux-yocto_%.bbappend b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-kernel/linux/linux-yocto_%.bbappend
new file mode 100644
index 0000000..37d2edd
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-kernel/linux/linux-yocto_%.bbappend
@@ -0,0 +1 @@
+SRC_URI:append = " file://netfilter_xt_match.cfg"
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-unit/images/core-image-unit.bbappend b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-unit/images/core-image-unit.bbappend
new file mode 100644
index 0000000..ee336ce
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-unit/images/core-image-unit.bbappend
@@ -0,0 +1 @@
+IMAGE_INSTALL:append = " packagegroup-unit-containers"
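Review bot: The subordinate range `unitexe:100000:65536` written to subuid and subgid in do_install:append is hard-coded and nothing records that host IDs 100000–165535 are now reserved; any other account later given a range through the same mechanism, or any real UID/GID that falls inside that span, would share host IDs with unitexe's containers, which undoes the per-user separation rootless mode depends on. A note beside the echo lines such as `# Reserves host IDs 100000-165535 for unitexe; no other subuid/subgid entry or real account may overlap this range.` makes the reservation visible to whoever adds the next user. The two `echo "" >>` lines only add empty lines to the files, since the preceding echo already ends its entry with a newline, so they can be dropped. If the shadow recipe already installs a subuid/subgid (not visible here), guarding the append with `grep -q '^unitexe:' ${D}${sysconfdir}/subuid ||` would avoid a duplicate entry.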
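Review bot: `SRC_URI:append = " file://netfilter_xt_match.cfg"` in the meta-unit-core linux-yocto bbappend only resolves because the separate linux-yocto bbappend in meta-virtualization-extra (the last hunk of this commit) prepends its `files` directory to FILESEXTRAPATHS; the fragment itself lives in that other layer. A configuration with meta-unit-core's virtualization dynamic layer active but meta-virtualization-extra missing from bblayers would fail to fetch the fragment, and neither file records the coupling. Either keep the SRC_URI append next to the FILESEXTRAPATHS line so both live in one bbappend, or add `# netfilter_xt_match.cfg is shipped by meta-virtualization-extra/recipes-kernel/linux/files` here.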
diff --git a/meta-unit-core/dynamic-layers/virtualization-layer/recipes-users/useradd/add-user-unitexe.bbappend b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-users/useradd/add-user-unitexe.bbappend
new file mode 100644
index 0000000..922b0c8
--- /dev/null
+++ b/meta-unit-core/dynamic-layers/virtualization-layer/recipes-users/useradd/add-user-unitexe.bbappend
@@ -0,0 +1,18 @@
+do_install:append() {
+ # If linger is not enabled then rootless podman
+ # commands will complain with number of warnings.
+ install -d ${D}${localstatedir}/lib/systemd/linger
+ touch ${D}${localstatedir}/lib/systemd/linger/${USER_TO_ADD_NAME}
+
+ # Note: Use of .profile here assumes busybox shell.
+ # Podman uses these (if defined) for overriding
+ # default configuration file locations. This is
+ # explained here:
+ # https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#user-configuration-files
+ cat > ${D}/home/${USER_TO_ADD_NAME}/.profile << 'EOF'
+export XDG_RUNTIME_DIR=/run/user/$(id -u)
+export XDG_CONFIG_HOME=$HOME/.config
+EOF
+}
+
+FILES:${PN}:append = " ${localstatedir}/lib/systemd/linger/${USER_TO_ADD_NAME}"
diff --git a/meta-virtualization-extra/recipes-containers/packagegroups/packagegroup-unit-containers.bb b/meta-virtualization-extra/recipes-containers/packagegroups/packagegroup-unit-containers.bb
new file mode 100644
index 0000000..7cf28bd
--- /dev/null
+++ b/meta-virtualization-extra/recipes-containers/packagegroups/packagegroup-unit-containers.bb
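Review bot: `cat > ${D}/home/${USER_TO_ADD_NAME}/.profile` replaces any .profile the base recipe installed instead of extending it, and it hard-codes `/home` rather than the home directory the useradd settings define; the base do_install body is outside this hunk, so whether it already writes that file cannot be confirmed here. Using `cat >> ${D}/home/${USER_TO_ADD_NAME}/.profile << 'EOF'` keeps whatever is already there, and ownership is worth checking as well: if the base recipe chowns the home directory before this append runs, the new .profile stays root-owned. The linger file created above it means unitexe's systemd user instance, and any user services it has enabled, start at boot without a login and keep running after logout; the comment only mentions silencing warnings, so state the effect, e.g. `# Linger keeps unitexe's user manager running without a login session, which rootless podman expects.`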
@@ -0,0 +1,27 @@
+SUMMARY = "Container packages"
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"
+
+inherit packagegroup
+
+# A number of kernel modules are needed for this to work
+RDEPENDS:${PN}:append = " kernel-modules"
+
+# Rootless containers
+RDEPENDS:${PN}:append = " dbus-broker"
+RDEPENDS:${PN}:append = " libpam"
+
+# Networking
+RDEPENDS:${PN}:append = " iproute2"
+RDEPENDS:${PN}:append = " passt"
+
+# Podman
+RDEPENDS:${PN}:append = " podman"
+RDEPENDS:${PN}:append = " podman-tui"
+RDEPENDS:${PN}:append = " podman-compose"
+
+# Working with registries
+RDEPENDS:${PN}:append = " skopeo"
+
+# Working with container images
+RDEPENDS:${PN}:append = " umoci"
diff --git a/meta-virtualization-extra/recipes-kernel/linux/files/netfilter_xt_match.cfg b/meta-virtualization-extra/recipes-kernel/linux/files/netfilter_xt_match.cfg
new file mode 100644
index 0000000..5ea566a
--- /dev/null
+++ b/meta-virtualization-extra/recipes-kernel/linux/files/netfilter_xt_match.cfg
@@ -0,0 +1,2 @@
+CONFIG_NETFILTER_XT_MATCH_COMMENT=m
+CONFIG_NETFILTER_XT_MATCH_MARK=m
diff --git a/meta-virtualization-extra/recipes-kernel/linux/linux-yocto_%.bbappend b/meta-virtualization-extra/recipes-kernel/linux/linux-yocto_%.bbappend
new file mode 100644
index 0000000..8802adb
--- /dev/null
+++ b/meta-virtualization-extra/recipes-kernel/linux/linux-yocto_%.bbappend
@@ -0,0 +1 @@
+FILESEXTRAPATHS:prepend := "${THISDIR}/files:"
-- cgit v1.2.3
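Review bot: `RDEPENDS:${PN}:append = " kernel-modules"` pulls every module the kernel builds into the image, while the comment above it only says "a number of kernel modules are needed"; that installs far more loadable code than the containers use and never names the actual dependency. Listing the specific `kernel-module-*` packages (the fragment in this commit points at the netfilter xt_comment and xt_mark matches, plus whatever the chosen network backend needs, which is not visible here) keeps the image to what is used and makes the dependency auditable; if the full set is still unknown, the comment should at least say so. Style-wise, the run of single-item `RDEPENDS:${PN}:append` lines reads more naturally as one multi-line `RDEPENDS:${PN} = "\` list with the grouping comments kept inline.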