From 39509039e326cfd409029d46b63309b1175cda9db3faf17f85b397e83383301a Mon Sep 17 00:00:00 2001
From: Till Wegmueller
Date: Tue, 7 Apr 2026 15:57:10 +0200
Subject: [PATCH] Update orchestrator Containerfile: drop libvirt, add QEMU
- Remove libvirt-dev from build stage, libvirt-clients/libvirt0 from runtime
- Remove genisoimage (vm-manager has pure-Rust ISO builder)
- Add qemu-system-x86 to runtime for direct VM execution
- Keep qemu-utils for qemu-img overlay creation
- Remove --features libvirt from cargo build
- Remove libvirt socket/config volume mounts from compose.yml
- Remove LIBVIRT_URI/LIBVIRT_NETWORK env vars
- Add optional NETWORK_BRIDGE env var for TAP mode
- Container now only needs /dev/kvm device access
---
 deploy/images/orchestrator/Containerfile | 17 ++++++++--------
 deploy/podman/compose.yml | 25 +++++++-----------------
 2 files changed, 16 insertions(+), 26 deletions(-)
diff --git a/deploy/images/orchestrator/Containerfile b/deploy/images/orchestrator/Containerfile
index 28dc9d7..6ab7289 100644
--- a/deploy/images/orchestrator/Containerfile
+++ b/deploy/images/orchestrator/Containerfile
@@ -1,32 +1,33 @@
 # syntax=docker/dockerfile:1.7
-# Build Solstice Orchestrator using upstream official images (no sccache)
+# Build Solstice Orchestrator using upstream official images
+# Uses vm-manager (direct QEMU) instead of libvirt — only needs /dev/kvm at runtime
 FROM docker.io/library/rust:bookworm AS builder
 ENV CARGO_HOME=/cargo
 WORKDIR /work
-# Install build dependencies: protoc, headers, pkg-config
+# Install build dependencies: protoc, DB headers, pkg-config
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
- protobuf-compiler pkg-config libsqlite3-dev libpq-dev libvirt-dev ca-certificates \
+ protobuf-compiler libprotobuf-dev pkg-config libsqlite3-dev libpq-dev ca-certificates \
 && rm -rf /var/lib/apt/lists/*
 # Configure cargo target-dir so it can be cached between layers
 RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml
 # Pre-copy manifests for better caching
 COPY Cargo.toml ./
 COPY crates ./crates
-# Build orchestrator only
+# Build orchestrator (no libvirt feature needed — uses vm-manager QEMU backend)
 RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
 --mount=type=cache,target=/cargo/git,sharing=locked \
 --mount=type=cache,target=/cargo/target,sharing=locked \
- cargo build --release -p orchestrator --features libvirt && cp /cargo/target/release/orchestrator /orchestrator
+ cargo build --release -p orchestrator && cp /cargo/target/release/orchestrator /orchestrator
 FROM docker.io/library/debian:bookworm-slim
-# Minimal runtime image with required shared libs for sqlite/postgres and libvirt/qemu tools
+# Runtime: QEMU for VMs, qemu-utils for qemu-img, DB client libs
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
 libsqlite3-0 libpq5 ca-certificates \
- libvirt-clients libvirt0 qemu-utils genisoimage \
+ qemu-system-x86 qemu-utils \
 && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /orchestrator /usr/local/bin/orchestrator
-EXPOSE 50051 8081
+EXPOSE 
8081
 ENTRYPOINT ["/usr/local/bin/orchestrator"]
diff --git a/deploy/podman/compose.yml b/deploy/podman/compose.yml
index d5c6f52..db0e108 100644
--- a/deploy/podman/compose.yml
+++ b/deploy/podman/compose.yml
@@ -190,8 +190,6 @@ services:
 build:
 context: ../..
 dockerfile: deploy/images/orchestrator/Containerfile
- args:
- BIN: orchestrator
 image: local/solstice-orchestrator:latest
 container_name: solstice-orchestrator
 restart: unless-stopped
@@ -212,9 +210,8 @@ services:
 REMOTE_RUNNER_PATH: /usr/local/bin/solstice-runner
 # SSH connect timeout for reaching the VM (seconds)
 SSH_CONNECT_TIMEOUT_SECS: ${SSH_CONNECT_TIMEOUT_SECS:-300}
- # Libvirt configuration for Linux/KVM
- LIBVIRT_URI: ${LIBVIRT_URI:-qemu:///system}
- LIBVIRT_NETWORK: ${LIBVIRT_NETWORK:-default}
+ # Optional: bridge name for TAP networking (leave empty for user-mode/SLIRP)
+ # NETWORK_BRIDGE: virbr0
 depends_on:
 postgres:
 condition: service_healthy
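Review bot: The runtime stage still has no `USER` directive, so after this change the orchestrator — and every QEMU process it now spawns directly from the newly installed `qemu-system-x86` package — runs as root inside the container, whereas the `qemu:///system` libvirt path being removed typically ran guests under libvirtd's dedicated unprivileged user with its own confinement. A guest escape therefore lands on a root process that holds `/dev/kvm` and the writable images/work binds from compose.yml. Consider adding a dedicated user after the `COPY --from=builder` line, e.g. `RUN useradd --system --no-create-home --shell /usr/sbin/nologin orchestrator` followed by `USER orchestrator`, and note in the header comment that the uid must be able to open `/dev/kvm` (the device node's group comes from the host when passed through, so the gid may need aligning) and to write the bind-mounted directories. The header comment should also say explicitly that, unlike libvirt, nothing in this image confines the individual VM processes.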
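Review bot: `NETWORK_BRIDGE` is added only as a commented-out literal (`# NETWORK_BRIDGE: virbr0`), unlike the other settings in this block, which are wired through `${VAR:-default}` substitution (`SSH_CONNECT_TIMEOUT_SECS` two lines above); operators therefore cannot enable TAP mode from `.env` without editing compose.yml. If an empty value is treated as unset by the binary, `NETWORK_BRIDGE: ${NETWORK_BRIDGE:-}` keeps user-mode networking as the default while making it configurable. The comment should also state the consequence of setting it: attaching guest TAP interfaces to a host bridge gives job VMs layer-2 access to whatever that bridge carries, and presumably requires the container to have `/dev/net/tun` and `CAP_NET_ADMIN`, neither of which this file grants — which does not match the commit message's "only needs /dev/kvm". Suggested wording: `# Optional: host bridge for TAP networking. Unset/empty = user-mode (SLIRP). Setting it puts VMs on that bridge's L2 segment and needs /dev/net/tun + CAP_NET_ADMIN (not granted here).`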
@@ -222,25 +219,17 @@ services:
 condition: service_completed_successfully
 rabbitmq:
 condition: service_healthy
- # Host integrations: libvirt sockets/devices and config + image/work directories
 volumes:
- # Read-only mount of the image map config into the container path expected by the binary
+ # Read-only mount of the image map config
 - ${ORCH_IMAGE_MAP_PATH:-../../examples/orchestrator-image-map.yaml}:/examples/orchestrator-image-map.yaml:ro,Z
- # Writable bind for images so the orchestrator can download/retain base images on the host
+ # Writable bind for base images (downloaded by orchestrator)
 - ${ORCH_IMAGES_DIR:-/var/lib/solstice/images}:/var/lib/solstice/images:Z
- # Writable bind for per-VM overlays and console logs (used by libvirt backend)
+ # Writable bind for per-VM overlays, QEMU sockets, and console logs
 - ${ORCH_WORK_DIR:-/var/lib/solstice-ci}:/var/lib/solstice-ci:Z
- # Read-only bind for locally built workflow runner binaries; orchestrator will upload over SSH
+ # Read-only bind for workflow runner binaries (uploaded to VMs over SSH)
 - ${RUNNER_DIR_HOST:-../../target/runners}:/opt/solstice/runners:ro,Z
- # Libvirt control sockets (ro is sufficient for read-only, but write is needed to create domains)
- - /var/run/libvirt/libvirt-sock:/var/run/libvirt/libvirt-sock:Z
- - /var/run/libvirt/libvirt-sock-ro:/var/run/libvirt/libvirt-sock-ro:Z
- # Optional: expose host libvirt configs for network XML reads
- - /etc/libvirt:/etc/libvirt:ro,Z
- - /var/lib/libvirt:/var/lib/libvirt:ro,Z
- # KVM device for hardware acceleration
- - /dev/kvm:/dev/kvm
 devices:
+ # KVM device for hardware-accelerated VM execution
 - /dev/kvm
 networks:
 - core
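Review bot: The new comment on the `ORCH_WORK_DIR` bind says per-VM QEMU sockets now live in `/var/lib/solstice-ci`, a host-shared directory, but nothing states who may reach them: a QEMU control socket gives full control of the guest to any host principal able to connect, so the default host path and its permissions now carry the trust that libvirt's own socket did before. Document the expected ownership and mode of that directory (this hunk does not show what the orchestrator creates the sockets with, so the requirement needs to come from the code) and consider whether the default `/var/lib/solstice-ci` should be created restrictively rather than inherited from whatever exists on the host. A comment on the line above the bind such as `# Holds per-VM QEMU control sockets: keep this directory owned by the orchestrator uid with mode 0700` would make the requirement visible to operators overriding `ORCH_WORK_DIR`.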