QM(8) System Manager's Manual QM(8)

NAME
QM - Set up a Containerized environment for running Functional Safety
QM (Quality Management) software.

DESCRIPTION
This package allows users to set up an environment that prevents
applications and container tools from interfering with other processes on
the system.

The QM runs its own version of systemd and Podman to isolate not only
the applications and containers launched by systemd and Podman but also
systemd and Podman themselves. In other words, the systemd and Podman
launched within the QM environment cannot affect the systemd or Podman
processes running outside of that environment.

Software installed into the QM environment under the /usr/lib/qm/rootfs
directory is automatically isolated from the host. If developers need
to further isolate their applications from other processes in the QM,
they should use container tools like Podman.

After the QM software package is installed, execute the
/usr/share/qm/setup script to set up and install the /usr/lib/qm/rootfs
with packages to run an isolated environment. The setup script installs
the selinux-policy-targeted, podman, systemd, and bluechi packages.
Setup then enables and starts a Podman quadlet service qm.service
(qm.container).

This Podman quadlet can be examined with the following command:

systemctl status qm.service
● qm.service
Loaded: loaded (/etc/containers/systemd/qm.container; generated)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: active (running) since Tue 2023-04-11 15:43:45 EDT; 28min ago
Main PID: 993674 (conmon)
Tasks: 11 (limit: 76801)
Memory: 275.1M (swap max: 0B)
CPU: 4.527s
CGroup: /QM.slice/qm.service
├─libpod-payload-00de006493bc970788d6c830beb494a58a9a2847a5eda200812d3a8b4e214814
│ ├─init.scope
│ │ └─993676 /sbin/init
│ └─system.slice
│ ├─dbus-broker.service
│ │ ├─993763 /usr/bin/dbus-broker-launch --scope system --audit
│ │ └─993764 dbus-broker --log 4 --controller 9 --machine-id 4ce4c21b211d41e78b7b64418c1c0cb5 -->
│ ├─systemd-journald.service
│ │ └─993718 /usr/lib/systemd/systemd-journald

Notice that the QM environment is running systemd and other services
within the QM.slice. This slice can be used to modify the cgroup
controls of all of the processes within the QM environment.

If other packages need to be added into the QM environment, use the dnf
command on the host with --installroot pointing at the QM root
filesystem. For example, the following command installs the dnf command
itself into the QM environment:

# dnf install --installroot=/usr/lib/qm/rootfs dnf
Unable to read consumer identity

Last metadata expiration check: 0:33:12 ago on Tue 11 Apr 2023 03:42:09 PM EDT.
Dependencies resolved.
================================================================================================================
Package Architecture Version Repository Size
================================================================================================================
Installing:
dnf noarch 4.14.0-2.fc38 fedora 478 k

To enter the QM environment, use this Podman command to launch
containers within it.

sh-5.2# podman exec -ti qm sh
sh-5.2#

The SELinux label can be checked by executing the following:

sh-5.2# id -Z
system_u:system_r:qm_t:s0:c35,c404

Notice that the process is running as qm_t, indicating that the process
is a confined QM process within the QM environment.

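The two properties shown above (everything in the QM lives under /QM.slice, and QM processes run as the qm_t SELinux type) can be cross-checked together. The following audit helper is an added example, not part of the qm package; it assumes procps ps output in the column order label,pid,cgroup,comm, and the sample rows are constructed, one of them deliberately wrong.

```shell
#!/bin/sh
# Added audit helper; it is not part of the qm package. It checks that every
# process whose cgroup sits under /QM.slice carries the qm_t SELinux type.
# Input is text in the shape of "ps -eo label,pid,cgroup,comm" (procps column
# order is assumed); the sample below is constructed, with one bad row.
SAMPLE_PS='LABEL PID CGROUP COMMAND
system_u:system_r:qm_t:s0:c35,c404 993676 0::/QM.slice/qm.service/libpod-payload-x/init.scope init
system_u:system_r:qm_t:s0:c35,c404 993718 0::/QM.slice/qm.service/libpod-payload-x/system.slice/systemd-journald.service systemd-journald
system_u:system_r:init_t:s0 1 0::/init.scope systemd
system_u:system_r:unconfined_t:s0 4242 0::/QM.slice/qm.service/libpod-payload-x/system.slice/oops.service oops'

# selinux_type: print the type field (third colon-separated field) of a
# context, e.g. system_u:system_r:qm_t:s0:c35,c404 -> qm_t.
selinux_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# in_qm_slice: succeed when a cgroup path (with or without the "0::" prefix
# that ps prints for cgroup v2) lies under /QM.slice.
in_qm_slice() {
  case "$1" in
    0::/QM.slice/*|/QM.slice/*) return 0 ;;
    *) return 1 ;;
  esac
}

# audit_qm: print one "MISMATCH ..." line per process inside /QM.slice whose
# SELinux type is not qm_t. The header row of the ps output is skipped.
audit_qm() {
  printf '%s\n' "$1" | tail -n +2 | while read -r label pid cgroup comm; do
    if in_qm_slice "$cgroup" && [ "$(selinux_type "$label")" != qm_t ]; then
      echo "MISMATCH pid=$pid type=$(selinux_type "$label") comm=$comm cgroup=$cgroup"
    fi
  done
}

# count_mismatches: number of MISMATCH lines, usable as a pass/fail signal.
count_mismatches() {
  audit_qm "$1" | wc -l | tr -d ' '
}

# Live use on a host: audit_qm "$(ps -eo label,pid,cgroup,comm)"
audit_qm "$SAMPLE_PS"
```

On the constructed sample the helper reports exactly the unconfined_t process that was placed inside /QM.slice.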
Containers can now be run within the QM environment using Podman.

sh-5.2# podman run --rm ubi9-minimal echo hi
Resolved "ubi9-minimal" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi9-minimal:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 7bffb309b4e8 done
Copying config 96179718b4 done
Writing manifest to image destination
Storing signatures
hi

It is recommended that Podman quadlets are used to run additional
containerized applications within the QM. All applications within the QM
environment are prevented from interfering with applications running
outside of the QM environment.

The configuration of the host's /etc/bluechi/agent.conf file is copied
into the QM every time the qm.service is started, with the nodename of
the host's agent.conf modified by prepending qm. to the front of the
nodename. If the host's /etc/bluechi/agent.conf does not exist, then
the QM bluechi agent will default to qm.$(hostname).

If you want to permanently modify the bluechi agent within the QM, you
can add config to the /usr/lib/qm/rootfs/etc/bluechi/agent.conf.d/
directory or modify the /etc/containers/systemd/qm.container quadlet
file so that it does not execute the bluechi-agent setup script.

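The nodename rewrite described above, as an added example that is not the qm package's own bluechi-agent setup script. It assumes the NodeName= key of bluechi-agent.conf(5), and additionally assumes (the text above does not say) that a host file with no NodeName also falls back to qm.<hostname>; the sample host config is constructed.

```shell
#!/bin/sh
# Added example; it is not the qm package's own bluechi-agent setup script.
# It reproduces the rule described above: the host's agent.conf is reused
# inside the QM with "qm." prepended to the node name, and qm.<hostname> is
# used when there is no host file. It assumes the NodeName= key of
# bluechi-agent.conf(5) and, as a further assumption, also falls back to the
# hostname when the host file sets no NodeName. The sample file is constructed.
SAMPLE_CONF=${TMPDIR:-/tmp}/qm-host-agent.conf.sample
printf '[bluechi-agent]\nNodeName=vehicle-ecu1\nControllerHost=192.0.2.10\n' > "$SAMPLE_CONF"

# host_nodename: print the NodeName set in a config file, or nothing.
host_nodename() {
  [ -f "$1" ] || return 0
  sed -n 's/^[[:space:]]*NodeName[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# qm_nodename: the name the QM agent registers under, given the host's
# agent.conf path and the host name.
qm_nodename() {
  name=$(host_nodename "$1")
  if [ -n "$name" ]; then
    printf 'qm.%s\n' "$name"
  else
    printf 'qm.%s\n' "$2"
  fi
}

# render_qm_agent_conf: emit the QM copy of agent.conf on stdout. Other keys
# (ControllerHost etc.) are carried over unchanged; only NodeName is
# rewritten, or appended when the host file has none.
render_qm_agent_conf() {
  name=$(qm_nodename "$1" "$2")
  if [ -n "$(host_nodename "$1")" ]; then
    sed "s/^\([[:space:]]*NodeName[[:space:]]*=[[:space:]]*\).*/\1$name/" "$1"
  elif [ -f "$1" ]; then
    cat "$1"
    printf 'NodeName=%s\n' "$name"
  else
    printf '[bluechi-agent]\nNodeName=%s\n' "$name"
  fi
}

# Live use: render_qm_agent_conf /etc/bluechi/agent.conf "$(uname -n)" \
#   > /usr/lib/qm/rootfs/etc/bluechi/agent.conf
render_qm_agent_conf "$SAMPLE_CONF" "$(uname -n)"
```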
SEE ALSO
podman(1) ⟨https://github.com/containers/podman/blob/main/docs/source/markdown/podman.1.md⟩,
quadlet(5) ⟨https://github.com/containers/podman/blob/main/docs/source/markdown/podman-systemd.unit.5.md⟩,
systemctl(1), systemd(1), dnf(8),
bluechi-agent(1) ⟨https://github.com/containers/bluechi/blob/main/doc/man/bluechi-agent.1.md⟩,
bluechi-agent.conf(5) ⟨https://github.com/containers/bluechi/blob/main/doc/man/bluechi-agent.conf.5.md⟩