aws-iot-greengrass-lite-container-demo-image: make it smaller 43MB

Author: Thomas Roos

meta-aws-demos/recipes-core/images/aws-iot-greengrass-lite-container-demo-image/README.md

@@ -2,4 +2,97 @@
 
 This image is similar to [aws-iot-greengrass-lite-demo-image](../aws-iot-greengrass-lite-demo-image/README.md)
 
-It will create a container image with greengrass lite installed.
+It will create a 43MB systemd libmusl container image with greengrass lite installed.
+
+
+## BUILDING
+
+Init build environment
+
+```bash
+. init-build-env
+```
+
+Configure this image
+
+```bash
+export IMAGE=aws-iot-greengrass-lite-container-demo-image
+```
+
+Configure a device e.g. qemuarm64
+
+```bash
+export DEVICE=qemuarm64
+```
+
+Build
+
+```bash
+bitbake $IMAGE
+```
+
+You can run an interactive terminal like this - password root:root :
+
+```bash
+podman run -it --arch arm64 oci:/home/ubuntu/data/meta-aws-demos/build/tmp/deploy/images/qemuarm64/aws-iot-greengrass-lite-container-demo-image-latest-oci/ /bin/bash
+```
+
+This also works with fleetprovisioning, if certs are not in the docker image, you can mount them into the container e.g.:
+
+```bash
+podman run -it --arch arm64 -v /host/path:/container/path oci:/home/ubuntu/data/meta-aws-demos/build/tmp/deploy/images/qemuarm64/aws-iot-greengrass-lite-container-demo-image-latest-oci/ /bin/bash
+```
+
+To start and stop multiple instances of a container
+
+```bash
+# Start 20 instances (see hitting a limit on issues):
+for i in {1..20}; do podman run -d --name greengrass-$i --arch arm64 oci:/home/ubuntu/data/meta-aws-demos/build/tmp/deploy/images/qemuarm64/aws-iot-greengrass-lite-container-demo-image-latest-oci/; done
+
+# Stop all instances:
+podman stop $(podman ps -q --filter name=greengrass-)
+
+# Remove all instances:
+podman rm $(podman ps -aq --filter name=greengrass-)
+
+# attach to a instance a terminal
+podman exec -it greengrass-1 /bin/bash
+
+# List all instances:
+podman ps --filter name=greengrass-
+
+# Get detailed info with resource usage:
+podman stats --no-stream --filter name=greengrass-
+
+# Show all container details:
+podman inspect greengrass-1
+
+# Quick health check all instances:
+for i in {1..10}; do echo "=== greengrass-$i ==="; podman exec greengrass-$i ps aux | head -5; done
+
+```
+
+### how to detach from a instance?
+Press Ctrl+P then Ctrl+Q to detach from the container without stopping it.
+
+
+### hitting a limit in starting containers
+
+```
+# Defines the maximum number of inotify listeners.
+# By default, this value is 128, which is quickly exhausted when using
+# systemd-based LXC containers (15 containers are enough).
+# When the limit is reached, systemd becomes mostly unusable, throwing
+# "Too many open files" all around (both on the host and in containers).
+# See https://kdecherf.com/blog/2015/09/12/systemd-and-the-fd-exhaustion/
+# Increase the user inotify instance limit to allow for about
+# 100 containers to run before the limit is hit again
+fs.inotify.max_user_instances = 1024
+So you should do the same by creating this file on the host. For immediate effect (on the host):
+
+sysctl -w fs.inotify.max_user_instances=1024
+
+or permanently add or change here: /etc/sysctl.conf
+fs.inotify.max_user_instances = 1024
+
+```

meta-aws-demos/recipes-core/images/aws-iot-greengrass-lite-container-demo-image/aws-iot-greengrass-lite-container-demo-image.bb

@@ -1,14 +1,27 @@
 SUMMARY = "A demo image for gg-lite as a container"
 DESCRIPTION = "A small systemd system container which will run greengrass-lite."
 
-IMAGE_INSTALL += "packagegroup-core-boot ${CORE_IMAGE_EXTRA_INSTALL}"
-
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
 
-IMAGE_FEATURES += "empty-root-password allow-empty-password allow-root-login serial-autologin-root"
+IMAGE_FEATURES += "empty-root-password allow-empty-password allow-root-login read-only-rootfs"
+IMAGE_FEATURES:remove = "package-management doc-pkgs"
+
+# Remove locale data
+IMAGE_LINGUAS = ""
+
+PACKAGE_CLASSES = "package_ipk"
+
+IMAGE_INSTALL:append = " libcgroup"
+IMAGE_INSTALL:remove = " packagegroup-core-base-utils shadow shadow-base"
+IMAGE_INSTALL:remove = "openssh vim gawk iproute2 coreutils e2fsprogs-e2fsck e2fsprogs-mke2fs e2fsprogs-tune2fs perl"
+
+# Force exclude packages
+PACKAGE_EXCLUDE += "coreutils vim gawk iproute2 e2fsprogs-e2fsck e2fsprogs-mke2fs e2fsprogs-tune2fs packagegroup-core-ssh-openssh"
 
-IMAGE_INSTALL:append = " python3-misc python3-venv python3-tomllib python3-ensurepip libcgroup python3-pip"
+# Use minimal providers
+PREFERRED_PROVIDER_coreutils = "busybox"
+PREFERRED_PROVIDER_util-linux = "busybox"
 # Use local.conf to specify additional systemd services to disable. To overwrite
 # the default list use SERVICES_TO_DISABLE:pn-systemd-container in local.conf
 SERVICES_TO_DISABLE = "systemd-userdbd.service"
@@ -22,9 +35,13 @@ require container-systemd-base.inc
 SYSTEMD_CONTAINER_DISABLE_SERVICES += " \
     systemd-resolved.service \
     var-volatile.mount \
+    systemd-udevd.service \
+    systemd-hwdb-update.service \
+    systemd-modules-load.service \
+    systemd-vconsole-setup.service \
 "
 
-IMAGE_INSTALL:append = " systemd-serialgetty systemd-extra-utils systemd-conf"
+IMAGE_INSTALL:append = " systemd-serialgetty systemd-conf"
 # resolvconf
 
 OCI_IMAGE_ENTRYPOINT = "/sbin/init systemd.unified_cgroup_hierarchy=1"
@@ -36,3 +53,22 @@ IMAGE_INSTALL:append = " greengrass-lite"
 
 # disable fleetprovisioning
 PACKAGECONFIG:pn-greengrass-lite = ""
+
+# Disable unnecessary systemd features for containers
+PACKAGECONFIG:pn-systemd:remove = "backlight hibernate hostnamed localed machined networkd resolved rfkill timesyncd timedated vconsole"
+
+# Set root password to "root"
+ROOTFS_POSTPROCESS_COMMAND += "set_root_passwd; remove_extra_files;"
+set_root_passwd() {
+    echo 'root:root' | chpasswd -R ${IMAGE_ROOTFS}
+}
+
+# Remove unnecessary files to reduce image size
+remove_extra_files() {
+    rm -rf ${IMAGE_ROOTFS}/usr/share/common-licenses
+    rm -rf ${IMAGE_ROOTFS}/usr/share/keymaps
+    rm -rf ${IMAGE_ROOTFS}/usr/share/misc
+}
+
+
+IMAGE_INSTALL:append = " systemd systemd-serialgetty"

meta-aws-demos/recipes-core/images/aws-iot-greengrass-lite-container-demo-image/config.conf

@@ -1,6 +1,80 @@
-DISTRO = "poky-altcfg"
+DISTRO = "poky"
 
-DISTRO_FEATURES:append = " virtualization"
+# note it is a hard overwrite
+DISTRO_FEATURES = "virtualization systemd usrmerge"
 
-# we do not want to have ptests in demo images enabled
-DISTRO_FEATURES:remove = " ptest"
+# OSPO license compliance
+BB_GENERATE_MIRROR_TARBALLS = "1"
+BB_GIT_SHALLOW = "1"
+BB_GENERATE_SHALLOW_TARBALLS = "1"
+INHERIT += "create-spdx"
+
+TCLIBC = "musl"
+
+FULL_OPTIMIZATION="-Os -pipe ${DEBUG_FLAGS}"
+
+PACKAGE_CLASSES ?= "package_ipk"
+
+VIRTUAL-RUNTIME_init_manager = "systemd"
+VIRTUAL-RUNTIME_initscripts = "systemd-compat-units"
+
+# Disable wide char support for ncurses as we don't include it in
+# in the LIBC features below.
+# Leave native enable to avoid build failures
+ENABLE_WIDEC = "false"
+ENABLE_WIDEC:class-native = "true"
+
+# Drop native language support. This removes the
+# eglibc->bash->gettext->libc-posix-clang-wchar dependency.
+USE_NLS="no"
+# As we don't have native language support, don't install locales into images
+IMAGE_LINGUAS = ""
+
+# Drop v86d from qemu dependency list (we support serial)
+# Drop grub from meta-intel BSPs
+# FIXME: A different mechanism is needed here. We could define -tiny
+#        variants of all compatible machines, but that leads to a lot
+#        more machine configs to maintain long term.
+MACHINE_ESSENTIAL_EXTRA_RDEPENDS = ""
+
+# The mtrace script included by eglibc is a perl script. ThPACKAGE_EXCLUDEis means the system
+# will build perl in case this package is installed. Since we don't care about
+# this script for the purposes of tiny, remove the dependency from here.
+RDEPENDS:${PN}-mtrace:pn-eglibc = ""
+
+SKIP_RECIPE[build-appliance-image] = "not buildable with poky-tiny"
+SKIP_RECIPE[core-image-rt] = "not buildable with poky-tiny"
+SKIP_RECIPE[core-image-rt-sdk] = "not buildable with poky-tiny"
+SKIP_RECIPE[core-image-sato] = "not buildable with poky-tiny"
+SKIP_RECIPE[core-image-sato-dev] = "not buildable with poky-tiny"
+SKIP_RECIPE[core-image-sato-sdk] = "not buildable with poky-tiny"
+SKIP_RECIPE[core-image-x11] = "not buildable with poky-tiny"
+SKIP_RECIPE[core-image-weston] = "not buildable with poky-tiny"
+
+# Disable python usage in opkg-utils since it won't build with tiny config
+PACKAGECONFIG:remove:pn-opkg-utils = "python"
+
+NO_RECOMMENDATIONS = "1"
+
+require conf/distro/include/gcsections.inc
+
+# Distro config is evaluated after the machine config, so we have to explicitly
+# set the kernel provider to override a machine config.
+PREFERRED_PROVIDER_virtual/kernel = "linux-yocto-tiny"
+PREFERRED_VERSION_linux-yocto-tiny ?= "6.6%"
+
+# We can use packagegroup-core-boot, but in the future we may need a new packagegroup-core-tiny
+#POKY_DEFAULT_EXTRA_RDEPENDS += "packagegroup-core-boot"
+# Drop kernel-module-af-packet from RRECOMMENDS
+POKY_DEFAULT_EXTRA_RRECOMMENDS = ""
+
+# FIXME: what should we do with this?
+TCLIBCAPPEND = ""
+
+# Drop native language support. This removes the
+# eglibc->bash->gettext->libc-posix-clang-wchar dependency.
+USE_NLS="no"
+
+# remove
+# We need debug symbols so that SPDX license manifests for the kernel work
+KERNEL_EXTRA_FEATURES:remove = "features/debug/debug-kernel.scc"