config: add MQUEUE, BRIDGE, NETFILTER support#128
Open
dustymabe wants to merge 3 commits into
Conversation
These config files were originally generated against older kernel versions (6.6.59 for x86_64/aarch64/sev/windows, 6.12.20 for tdx/riscv64) and had not been refreshed after the 6.12.87 rebase. Run `make olddefconfig` against the 6.12.87 kernel sources to pick up new defaults and resolve any missing or changed Kconfig symbols.

Assisted-by: <anthropic/claude-opus-4.6>
Signed-off-by: Dusty Mabe <dusty@dustymabe.com>
The value is set on aarch64 and without it we hit a common error trying to run containers inside a libkrun VM. Start up libkrun:

```
$ podman run --net=host --rm --log-level=debug quay.io/fedora/fedora-minimal:44 echo hello
...
time="2026-05-18T19:55:54Z" level=debug msg="ExitCode msg: \"crun: mount `mqueue` to `dev/mqueue`: no such device: oci runtime error\""
Error: OCI runtime error: crun: mount `mqueue` to `dev/mqueue`: No such device
```

Note this is essentially a revert of 62444be.

Assisted-by: <anthropic/claude-opus-4.6>
Signed-off-by: Dusty Mabe <dusty@dustymabe.com>
If you want to start a podman container inside the krun VM and not use `--net=host` (i.e. use netavark instead) then you need BRIDGE support [1]. Additionally, enable CONFIG_NETFILTER and the full nftables stack (NF_TABLES, NF_CONNTRACK, NF_NAT, NFT_MASQ, etc.) so that podman/netavark can use nft without getting:

```
src/mnl.c:66: Unable to initialize Netlink socket: Protocol not supported
```

Enable these on all three architectures: x86_64, aarch64, riscv64.

[1] containers/podman#25201 (comment)

Assisted-by: <anthropic/claude-opus-4.6>
Signed-off-by: Dusty Mabe <dusty@dustymabe.com>
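The two commits above each describe a runtime failure (the `mqueue` mount error, the nft "Protocol not supported" error) whose root cause is a Kconfig symbol that the guest kernel lacks. A cheaper way to catch that than booting the VM is to check the `.config` itself before building. The script below is an added example and is not part of this PR or the project's build; it assumes that "MQUEUE" in the commit message refers to the `CONFIG_POSIX_MQUEUE` symbol, and it lists only the nftables symbols the commit names explicitly (the "etc." is not expanded). The sample `.config` fragment at the bottom is constructed for demonstration and does not come from this repository.

```shell
#!/bin/sh
# Added example, not from this PR: check that a kernel .config enables the
# Kconfig symbols needed to run podman (with netavark) inside a libkrun VM.
# Symbol list is taken from the commit messages; CONFIG_POSIX_MQUEUE is
# assumed to be the symbol behind the "MQUEUE" shorthand.

REQUIRED_SYMBOLS="CONFIG_POSIX_MQUEUE CONFIG_BRIDGE CONFIG_NETFILTER \
CONFIG_NF_TABLES CONFIG_NF_CONNTRACK CONFIG_NF_NAT CONFIG_NFT_MASQ"

# missing_symbols CONFIG_FILE
# Prints, one per line, each required symbol that is neither =y nor =m in
# CONFIG_FILE. Prints nothing when the config is complete. Always exits 0.
missing_symbols() {
    for sym in $REQUIRED_SYMBOLS; do
        # Built-in (=y) and module (=m) both satisfy the requirement; a
        # "# CONFIG_X is not set" line or an absent line does not.
        grep -Eq "^${sym}=(y|m)$" "$1" || echo "$sym"
    done
}

# count_missing CONFIG_FILE
# Prints the number of missing symbols (0 means the config is complete).
count_missing() {
    missing_symbols "$1" | wc -l | tr -d ' '
}

# make_sample_config
# Writes a constructed .config fragment to a temp file and prints its path.
# MQUEUE and BRIDGE are present, most of the nftables stack is missing.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
CONFIG_POSIX_MQUEUE=y
CONFIG_BRIDGE=m
# CONFIG_NETFILTER is not set
CONFIG_NF_TABLES=y
EOF
    echo "$f"
}

if [ -n "${1:-}" ]; then
    # Usage: ./check-krun-kconfig.sh path/to/.config
    missing_symbols "$1"
else
    sample=$(make_sample_config)
    echo "Symbols missing from the constructed sample config:"
    missing_symbols "$sample"
    rm -f "$sample"
fi
```

Run it against the refreshed `.config` after `make olddefconfig` and treat any output as a build blocker. A symbol that is `=m` passes the check here, but in a guest that boots a single kernel image without a module tree it is as good as absent, so for the libkrun case `=y` is the setting to expect.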
See individual commit messages.
Essentially what I'm trying to do is run `podman` inside my krun VM and have it be completely isolated from the host, but also function well enough without special arguments to act generically like a container runtime. i.e. I want to be able to navigate to a project's source code and type `make whatever` and if that project leverages containers everything just works.

An example of this would be `make ci-operator-config` from this repo without having to patch the Makefile like this:

Ultimately my goal is to sandbox AI agents so I'm comfortable allowing them to do more, but not worrying about my host system.
I understand especially the last commit adding BRIDGE/NETFILTER may cause the size of the kernel to increase and may not be desired since it enables many options. Is this generally a problem? Is there some sort of balance between "these config options enable an important use case" and the size increase?