This document explains how to build the RDKB containerization image and how to use it. It also lists some useful commands for handling the containers.
The code has been developed and the necessary files changed for containerization.
Below are the steps needed to create a container for any component or application.
To download the code, run the following commands:
Code Block (Code sync):
$ repo init -u <url> -m <manifest file> -b <branch>
$ repo sync -j4 --no-clone-bundle
#Container Branch
$ repo init -u https://code.rdkcentral.com/r/manifests -b rdkb-container -m rdkb-container.xml
$ repo sync -j4 --no-clone-bundle
1) Create a *.xml file under meta-cmf-raspberrypi/recipes-containers/lxc-container-generator/files/xml/*.xml
This xml file describes the following parameters for container generation. The security-relevant ones: UserName/GroupName set the unprivileged account the application runs as inside the container; DeviceCgroup with DevicesDeny "a" denies every device node and AllowDefaultDevices re-allows only the default set; Network type "none" gives the container no network; each MountPoints Entry carries its mount Options (ro,bind,nosuid,nodev for binaries, rw,noexec,nosuid for writable data such as logs, hidepid=2 on proc so that processes of other users are hidden); LibsRoBindMounts lists the shared libraries bind-mounted read-only; Dbus enable="true" together with the DBUS_SESSION_BUS_ADDRESS variable gives the application access to the system bus socket:
Code Block:
<?xml version="1.0" encoding="ISO-8859-1"?>
<CONTAINER SandboxName="CONTAINER_FOLDER_NAME">
    <LxcParams>
        <LauncherName>LAUNCHER_SCRIPT_NAME</LauncherName>
        <ExecName>APPLICATION_NAME_WITH_PATH</ExecName>
        <ExecParams>ARGUMENTS</ExecParams>
        <SystemdNotify create="yes">
            <PidFile>PID_FILE_WITH_PATH</PidFile>
        </SystemdNotify>
        <StopFunction enable="true"></StopFunction>
    </LxcParams>
    <LxcConfig>
        <UserName>USER_NAME</UserName>
        <GroupName>GROUP_NAME</GroupName>
        <CGroupSettings>
            <DeviceCgroup>
                <DevicesDeny>a</DevicesDeny>
                <AllowDefaultDevices enable="yes"/>
            </DeviceCgroup>
        </CGroupSettings>
        <Environment>
            <Variable>DBUS_SESSION_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket</Variable>
        </Environment>
        <Network type="none"></Network>
        <Dbus enable="true"></Dbus>
        <Rootfs create="yes">
            <MountPoints>
                <!-- /bin -->
                <Entry type="file">
                    <Source>/bin/sh</Source>
                    <Destination>bin/sh</Destination>
                    <Options>ro,bind,nosuid,nodev</Options>
                </Entry>
                <!-- /proc -->
                <Entry type="dir">
                    <Source>proc</Source>
                    <Destination>proc</Destination>
                    <FsType>proc</FsType>
                    <Options>defaults,noexec,nosuid,nodev,hidepid=2</Options>
                </Entry>
            </MountPoints>
            <LibsRoBindMounts>
                <Entry>ld</Entry>
                <Entry>libtr181</Entry>
                <Entry>libxml2</Entry>
                <Entry>libz</Entry>
                <Entry>libccsp_common</Entry>
            </LibsRoBindMounts>
        </Rootfs>
    </LxcConfig>
</CONTAINER>

For example, the PsmSsp container (part of the library list is elided on this page):

Code Block:
<?xml version="1.0" encoding="ISO-8859-1"?>
<CONTAINER SandboxName="PSMSSP">
    <LxcParams>
        <LauncherName>PsmSsp</LauncherName>
        <ExecName>/usr/bin/PsmSsp</ExecName>
        <ExecParams>-subsys eRT.</ExecParams>
        <SystemdNotify create="yes">
            <PidFile>/var/tmp/PsmSsp.pid</PidFile>
        </SystemdNotify>
        <StopFunction enable="true"></StopFunction>
    </LxcParams>
    <LxcConfig>
        <UserName>psm</UserName>
        <GroupName>psm</GroupName>
        <CGroupSettings>
            <DeviceCgroup>
                <DevicesDeny>a</DevicesDeny>
                <AllowDefaultDevices enable="yes"/>
            </DeviceCgroup>
        </CGroupSettings>
        <Environment>
            <Variable>DBUS_SESSION_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket</Variable>
        </Environment>
        <Network type="none"></Network>
        <Dbus enable="true"></Dbus>
        <Rootfs create="yes">
            <MountPoints>
                <!-- /bin -->
                <Entry type="file">
                    <Source>/bin/sh</Source>
                    <Destination>bin/sh</Destination>
                    <Options>ro,bind,nosuid,nodev</Options>
                </Entry>
                <Entry type="file">
                    <Source>/usr/bin/PsmSsp</Source>
                    <Destination>usr/bin/PsmSsp</Destination>
                    <Options>ro,bind,nosuid,nodev</Options>
                </Entry>
                <Entry type="file">
                    <Source>/bin/touch</Source>
                    <Destination>bin/touch</Destination>
                    <Options>ro,bind,nosuid,nodev</Options>
                </Entry>
                <!--rdklogs-->
                <Entry type="dir">
                    <Source>/rdklogs</Source>
                    <Destination>rdklogs</Destination>
                    <Options>rw,bind,noexec,nosuid</Options>
                </Entry>
            </MountPoints>
            <LibsRoBindMounts>
                <Entry>ld</Entry>
                <Entry>libtr181</Entry>
                <Entry>libxml2</Entry>
                <Entry>libz</Entry>
                <Entry>libccsp_common</Entry>
                <Entry>libsyscfg</Entry>
                <Entry>libsysevent</Entry>
                ...
                <Entry>liblzma</Entry>
                <Entry>libdl</Entry>
                <Entry>libtinfo</Entry>
            </LibsRoBindMounts>
        </Rootfs>
    </LxcConfig>
</CONTAINER>
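Before a new container XML goes into the build it is worth checking it against the settings the PsmSsp configuration gets right. The script below is an added example written for this page; it is not part of lxc-container-generator or the RDK build, and the lint rules are this editor's choices, not a format the generator enforces. It only relies on the element names shown in the template above (SandboxName, LxcParams/ExecName, LxcConfig/UserName, CGroupSettings/DeviceCgroup/DevicesDeny, Network, Rootfs/MountPoints/Entry). HARDENED_XML is a trimmed copy of the PSMSSP configuration; WEAK_XML and its DEMOAPP container are constructed for the example and do not exist in RDK.

```python
"""Lint an lxc-container-generator container XML for weak sandbox settings.

Added example for this page, not RDK code.  Rules checked:
  1. UserName is a dedicated account, not root or empty.
  2. DeviceCgroup denies all device nodes (<DevicesDeny>a</DevicesDeny>).
  3. Network type is "none".
  4. Every bind mount is nosuid, writable mounts are also noexec,
     proc is mounted with hidepid=2, and the ExecName binary is
     bind-mounted read-only.
"""
import re
import xml.etree.ElementTree as ET

REQUIRED_MOUNT_OPTS = {"nosuid"}   # options every mount into the container must carry


def _parse(xml_text: str) -> ET.Element:
    # ElementTree is fed a str here, so drop the encoding declaration first.
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1))


def lint_container(xml_text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means the config passes."""
    root = _parse(xml_text)
    name = root.get("SandboxName", "?")
    cfg = root.find("LxcConfig")
    if cfg is None:
        return [f"{name}: no <LxcConfig> section"]
    findings: list[str] = []

    # 1. The workload must drop to a dedicated unprivileged user (step 3 on this page).
    user = (cfg.findtext("UserName") or "").strip()
    if user in ("", "root"):
        findings.append(f"{name}: UserName is {user or 'unset'}; run as a dedicated user")

    # 2. Device cgroup: deny every node first, then re-allow only the defaults.
    if (cfg.findtext("CGroupSettings/DeviceCgroup/DevicesDeny") or "").strip() != "a":
        findings.append(f"{name}: DeviceCgroup lacks <DevicesDeny>a</DevicesDeny>")

    # 3. No network unless the component really needs one.
    net = cfg.find("Network")
    if net is None or net.get("type") != "none":
        findings.append(f"{name}: Network type is not none")

    # 4. Mount options, plus: is the executable itself mounted read-only?
    exec_path = (root.findtext("LxcParams/ExecName") or "").strip().lstrip("/")
    exec_mounted_ro = False
    for entry in cfg.findall("Rootfs/MountPoints/Entry"):
        dest = (entry.findtext("Destination") or "?").strip()
        opts = {o.strip() for o in (entry.findtext("Options") or "").split(",")}
        missing = REQUIRED_MOUNT_OPTS - opts
        if missing:
            findings.append(f"{name}: mount {dest} missing {','.join(sorted(missing))}")
        if "rw" in opts and "noexec" not in opts:
            findings.append(f"{name}: mount {dest} is rw without noexec")
        if (entry.findtext("FsType") or "").strip() == "proc" and "hidepid=2" not in opts:
            findings.append(f"{name}: proc mounted without hidepid=2")
        if dest == exec_path and "ro" in opts:
            exec_mounted_ro = True
    if exec_path and not exec_mounted_ro:
        findings.append(f"{name}: executable /{exec_path} is not bind-mounted read-only")
    return findings


# Trimmed copy of the PSMSSP configuration from this page.
HARDENED_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<CONTAINER SandboxName="PSMSSP">
  <LxcParams><LauncherName>PsmSsp</LauncherName><ExecName>/usr/bin/PsmSsp</ExecName>
    <ExecParams>-subsys eRT.</ExecParams></LxcParams>
  <LxcConfig>
    <UserName>psm</UserName><GroupName>psm</GroupName>
    <CGroupSettings><DeviceCgroup><DevicesDeny>a</DevicesDeny>
      <AllowDefaultDevices enable="yes"/></DeviceCgroup></CGroupSettings>
    <Network type="none"></Network>
    <Rootfs create="yes"><MountPoints>
      <Entry type="file"><Source>/usr/bin/PsmSsp</Source><Destination>usr/bin/PsmSsp</Destination>
        <Options>ro,bind,nosuid,nodev</Options></Entry>
      <Entry type="dir"><Source>/rdklogs</Source><Destination>rdklogs</Destination>
        <Options>rw,bind,noexec,nosuid</Options></Entry>
      <Entry type="dir"><Source>proc</Source><Destination>proc</Destination><FsType>proc</FsType>
        <Options>defaults,noexec,nosuid,nodev,hidepid=2</Options></Entry>
    </MountPoints></Rootfs>
  </LxcConfig>
</CONTAINER>
"""

# Constructed counter-example (hypothetical DEMOAPP container, not an RDK component).
WEAK_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<CONTAINER SandboxName="DEMOAPP">
  <LxcParams><LauncherName>demoapp</LauncherName><ExecName>/usr/bin/demoapp</ExecName></LxcParams>
  <LxcConfig>
    <UserName>root</UserName><GroupName>root</GroupName>
    <CGroupSettings><DeviceCgroup><AllowDefaultDevices enable="yes"/></DeviceCgroup></CGroupSettings>
    <Network type="veth"></Network>
    <Rootfs create="yes"><MountPoints>
      <Entry type="file"><Source>/usr/bin/demoapp</Source><Destination>usr/bin/demoapp</Destination>
        <Options>rw,bind</Options></Entry>
      <Entry type="dir"><Source>proc</Source><Destination>proc</Destination><FsType>proc</FsType>
        <Options>defaults</Options></Entry>
    </MountPoints></Rootfs>
  </LxcConfig>
</CONTAINER>
"""

if __name__ == "__main__":
    for label, doc in (("PSMSSP", HARDENED_XML), ("DEMOAPP", WEAK_XML)):
        print(label, lint_container(doc) or "OK")
```

Run it against a real file with `lint_container(open(path).read())`; the PSMSSP copy passes cleanly, while the constructed DEMOAPP container trips every rule, which is the shape a first-draft container XML often has.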
2) Add the new lxc_conf_<NAME>.xml (here lxc_conf_Psm.xml) to SRC_URI in the recipe append meta-cmf-raspberrypi/recipes-containers/lxc-container-generator/lxc-container-generator-native.bbappend, guarded by the lxc-secure-containers-br distro feature:
Code Block:
#For example, adding lxc_conf_Psm.xml to the recipe
SRC_URI_append = "${@bb.utils.contains('DISTRO_FEATURES', 'lxc-secure-containers-br', ' file://xml/lxc_conf_Psm.xml ', '', d)}"
do_install_append () {
    ${@bb.utils.contains('DISTRO_FEATURES', 'lxc-secure-containers-br', ' install_lxc_config secure lxc_conf_Psm.xml ', '', d)}
}
3) Add an unprivileged user for the new container in meta-cmf-raspberrypi/recipes-core/images/add-users-groups-file-owners-and-permissions-broadband.inc, so that the application runs with its own uid/gid instead of as root. The user is created without a login shell (-s /bin/false) and placed in dbusgrp; ROOTFS_CHOWN_SETCAP hands the binary to that user and removes all access for others (-m o-rwx). Pick a uid that is not already assigned in that file: the example below uses 703 for psm, while the process listing at the end of this page shows psm running as uid 705 and dbus as 703, so check the current assignments rather than copying the number.
...
Code Block:
EXTRA_USERS_PARAMS += "\
    useradd -u <uid> -G dbusgrp -r -s /bin/false <container_user_name> ; \
"
ROOTFS_CHOWN_SETCAP += " -o <container_user_name>:<container_group_name> -m o-rwx /usr/bin/application_name \n"

#Adding PSM permission
EXTRA_USERS_PARAMS += "\
    useradd -u 703 -G dbusgrp -r -s /bin/false psm ; \
"
ROOTFS_CHOWN_SETCAP += " -o psm:psm -m o-rwx /usr/bin/PsmSsp \n"
4) The D-Bus system bus must allow the new container user to connect, so add an <allow user="USER_NAME"/> entry for it in system.conf. The sed below replaces the stock blanket <allow user="*"/> line with <deny user="*"/> followed by an explicit allowlist of container users, so any user not listed is refused by the bus:
Code Block:
#Add the new user name in the line below
sed -i '/allow user/c\<deny user="*"/>\n<allow user="ccspcr"/>\n<allow user="psm"/>\n<allow user="pandm"/>\n<allow user="ccspwifi"/>\n<allow user="ccsplmlite"/>\n<allow user="root"/>' ${D}/usr/share/dbus-1/system.conf
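Steps 3 and 4 are edited by hand in two different files, so the user list and the bus allowlist drift apart easily. The script below is an added example for this page, not RDK code: parse_users() reads the useradd entries out of an EXTRA_USERS_PARAMS block, parse_bus_policy() reads the context="default" policy of a system.conf, and audit() reports a uid shared by two users, a container user the bus still refuses, and an allow entry for a user the image never creates. It assumes every useradd in the block is a container user that needs the bus. SAMPLE_INC and SAMPLE_SYSTEM_CONF are constructed for the example (the uid clash and the missing pandm entry are deliberate); STOCK_SYSTEM_CONF stands in for the unmodified file that still carries <allow user="*"/>.

```python
"""Cross-check container users (step 3) against the D-Bus system bus policy (step 4).

Added example for this page, not RDK code.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional


def parse_users(inc_text: str) -> dict[str, Optional[int]]:
    """Map user name -> uid for each useradd in an EXTRA_USERS_PARAMS block."""
    users: dict[str, Optional[int]] = {}
    for m in re.finditer(r"useradd\s+([^;]+);", inc_text):
        args = m.group(1).split()
        uid = int(args[args.index("-u") + 1]) if "-u" in args else None
        users[args[-1]] = uid  # the login name is useradd's last argument
    return users


def parse_bus_policy(system_conf: str) -> tuple[bool, set[str]]:
    """Return (default_deny, allowed_users) for the context="default" policy."""
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", system_conf, count=1))
    default_deny = False
    allowed: set[str] = set()
    for policy in root.findall("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy:
            user = rule.get("user")
            if user is None:
                continue  # own/send/receive rules are not user rules
            if rule.tag == "deny" and user == "*" and not allowed:
                default_deny = True  # the wildcard deny must precede every allow
            elif rule.tag == "allow":
                allowed.add(user)
    return default_deny, allowed


def audit(inc_text: str, system_conf: str) -> list[str]:
    """Return one finding per problem; an empty list means users and policy agree."""
    findings: list[str] = []
    users = parse_users(inc_text)

    by_uid: dict[int, list[str]] = {}
    for name, uid in users.items():
        if uid is not None:
            by_uid.setdefault(uid, []).append(name)
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            findings.append(f"uid {uid} is used by {', '.join(names)}")

    default_deny, allowed = parse_bus_policy(system_conf)
    if not default_deny:
        findings.append('system.conf default policy does not start with <deny user="*"/>')
    for name in users:
        if name not in allowed:
            findings.append(f"system bus does not allow container user {name}")
    for name in sorted(allowed - set(users) - {"root", "*"}):
        findings.append(f"system.conf allows {name}, which EXTRA_USERS_PARAMS never creates")
    return findings


# Constructed .inc fragment: psm and pandm deliberately share uid 703.
SAMPLE_INC = r"""
EXTRA_USERS_PARAMS += "\
    useradd -u 703 -G dbusgrp -r -s /bin/false psm ; \
    useradd -u 704 -G dbusgrp -r -s /bin/false ccspcr ; \
    useradd -u 703 -G dbusgrp -r -s /bin/false pandm ; \
"
"""

# Constructed policy as written by the sed in step 4, but with pandm left out.
SAMPLE_SYSTEM_CONF = """<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <type>system</type>
  <policy context="default">
    <deny user="*"/>
    <allow user="ccspcr"/>
    <allow user="psm"/>
    <allow user="ccsplmlite"/>
    <allow user="root"/>
    <deny own="*"/>
    <deny send_type="method_call"/>
    <allow send_type="signal"/>
  </policy>
</busconfig>
"""

# Constructed stand-in for the unmodified file: still a blanket allow.
STOCK_SYSTEM_CONF = """<busconfig>
  <policy context="default"><allow user="*"/><deny own="*"/></policy>
</busconfig>
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_INC, SAMPLE_SYSTEM_CONF):
        print(line)
```

Running audit() on the constructed inputs reports the shared uid, that pandm cannot reach the bus, and that ccsplmlite is allowed but never created; the stock policy is reported as not default-deny. Point it at the real .inc file and at ${D}/usr/share/dbus-1/system.conf after do_install to catch the same mistakes in a build.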
Go to the <workspace>
...
raspberrypi-rdk-broadband-lxcrdk-generic-broadband-lxc-image_default_20190327101556.rootfs.rpi-sdimg
...
Each container appears as a root-owned lxc-execute parent plus the application itself, which runs under its dedicated uid/gid:
PID | USER | %CPU | COMMAND
---|---|---|---
5530 | root | 0.00 | /usr/bin/lxc-execute -n PSMSSP -f /container/PSMSSP/conf/lxc.conf -- /usr/bin/PsmSsp -subsys eRT.
5534 | psm | 0.00 | /init.lxc.static --gid 705 --uid 705 -- /usr/bin/PsmSsp -subsys eRT.
6433 | root | 0.00 | /usr/bin/lxc-execute -n CCSPPANDM -f /container/CCSPPANDM/conf/lxc.conf -- /usr/bin/gw_prov_utopia
6435 | pandm | 0.00 | /init.lxc.static --gid 706 --uid 706 -- /usr/bin/gw_prov_utopia
6520 | root | 0.00 | /usr/bin/lxc-execute -n DBUS -f /container/DBUS/conf/lxc.conf -- /usr/bin/dbus-daemon --system --nofork --nopidfile --systemd-activation
6532 | dbus | 0.00 | /init.lxc.static --gid 703 --uid 703 -- /usr/bin/dbus-daemon --system --nofork --nopidfile --systemd-activation
6574 | root | 0.00 | /usr/bin/lxc-execute -n CCSPCR -f /container/CCSPCR/conf/lxc.conf -- /usr/bin/CcspCrSsp -subsys eRT.
6577 | ccspcr | 0.00 | /init.lxc.static --gid 704 --uid 704 -- /usr/bin/CcspCrSsp -subsys eRT.
6737 | root | 0.00 | grep lxc
Because of limitations in invoking the wifi driver with container permissions, the ccspwifi container has to be started manually in the latest environment, using the procedure below:
...