Update orchestrator Containerfile: drop libvirt, add QEMU

- Remove libvirt-dev from build stage, libvirt-clients/libvirt0 from runtime
- Remove genisoimage (vm-manager has pure-Rust ISO builder)
- Add qemu-system-x86 to runtime for direct VM execution
- Keep qemu-utils for qemu-img overlay creation
- Remove --features libvirt from cargo build
- Remove libvirt socket/config volume mounts from compose.yml
- Remove LIBVIRT_URI/LIBVIRT_NETWORK env vars
- Add optional NETWORK_BRIDGE env var for TAP mode
- Container now only needs /dev/kvm device access

deploy/images/orchestrator/Containerfile

@@ -1,32 +1,33 @@
 # syntax=docker/dockerfile:1.7
-# Build Solstice Orchestrator using upstream official images (no sccache)
+# Build Solstice Orchestrator using upstream official images
+# Uses vm-manager (direct QEMU) instead of libvirt — only needs /dev/kvm at runtime
 
 FROM docker.io/library/rust:bookworm AS builder
 ENV CARGO_HOME=/cargo
 WORKDIR /work
-# Install build dependencies: protoc, headers, pkg-config
+# Install build dependencies: protoc, DB headers, pkg-config
 RUN apt-get update \
  && apt-get install -y --no-install-recommends \
-    protobuf-compiler pkg-config libsqlite3-dev libpq-dev libvirt-dev ca-certificates \
+    protobuf-compiler libprotobuf-dev pkg-config libsqlite3-dev libpq-dev ca-certificates \
  && rm -rf /var/lib/apt/lists/*
 # Configure cargo target-dir so it can be cached between layers
 RUN mkdir -p /cargo && printf "[build]\ntarget-dir = \"/cargo/target\"\n" > /cargo/config.toml
 # Pre-copy manifests for better caching
 COPY Cargo.toml ./
 COPY crates ./crates
-# Build orchestrator only
+# Build orchestrator (no libvirt feature needed — uses vm-manager QEMU backend)
 RUN --mount=type=cache,target=/cargo/registry,sharing=locked \
     --mount=type=cache,target=/cargo/git,sharing=locked \
     --mount=type=cache,target=/cargo/target,sharing=locked \
-    cargo build --release -p orchestrator --features libvirt && cp /cargo/target/release/orchestrator /orchestrator
+    cargo build --release -p orchestrator && cp /cargo/target/release/orchestrator /orchestrator
 
 FROM docker.io/library/debian:bookworm-slim
-# Minimal runtime image with required shared libs for sqlite/postgres and libvirt/qemu tools
+# Runtime: QEMU for VMs, qemu-utils for qemu-img, DB client libs
 RUN apt-get update \
  && apt-get install -y --no-install-recommends \
     libsqlite3-0 libpq5 ca-certificates \
-    libvirt-clients libvirt0 qemu-utils genisoimage \
+    qemu-system-x86 qemu-utils \
  && rm -rf /var/lib/apt/lists/*
 COPY --from=builder /orchestrator /usr/local/bin/orchestrator
-EXPOSE 50051 8081
+EXPOSE 8081
 ENTRYPOINT ["/usr/local/bin/orchestrator"]

deploy/podman/compose.yml

@@ -190,8 +190,6 @@ services:
     build:
       context: ../..
       dockerfile: deploy/images/orchestrator/Containerfile
-      args:
-        BIN: orchestrator
     image: local/solstice-orchestrator:latest
     container_name: solstice-orchestrator
     restart: unless-stopped
@@ -212,9 +210,8 @@ services:
       REMOTE_RUNNER_PATH: /usr/local/bin/solstice-runner
       # SSH connect timeout for reaching the VM (seconds)
       SSH_CONNECT_TIMEOUT_SECS: ${SSH_CONNECT_TIMEOUT_SECS:-300}
-      # Libvirt configuration for Linux/KVM
+      # Optional: bridge name for TAP networking (leave empty for user-mode/SLIRP)
-      LIBVIRT_URI: ${LIBVIRT_URI:-qemu:///system}
+      # NETWORK_BRIDGE: virbr0
-      LIBVIRT_NETWORK: ${LIBVIRT_NETWORK:-default}
     depends_on:
       postgres:
         condition: service_healthy
@@ -222,25 +219,17 @@ services:
         condition: service_completed_successfully
       rabbitmq:
         condition: service_healthy
-    # Host integrations: libvirt sockets/devices and config + image/work directories
     volumes:
-      # Read-only mount of the image map config into the container path expected by the binary
+      # Read-only mount of the image map config
       - ${ORCH_IMAGE_MAP_PATH:-../../examples/orchestrator-image-map.yaml}:/examples/orchestrator-image-map.yaml:ro,Z
-      # Writable bind for images so the orchestrator can download/retain base images on the host
+      # Writable bind for base images (downloaded by orchestrator)
       - ${ORCH_IMAGES_DIR:-/var/lib/solstice/images}:/var/lib/solstice/images:Z
-      # Writable bind for per-VM overlays and console logs (used by libvirt backend)
+      # Writable bind for per-VM overlays, QEMU sockets, and console logs
       - ${ORCH_WORK_DIR:-/var/lib/solstice-ci}:/var/lib/solstice-ci:Z
-      # Read-only bind for locally built workflow runner binaries; orchestrator will upload over SSH
+      # Read-only bind for workflow runner binaries (uploaded to VMs over SSH)
       - ${RUNNER_DIR_HOST:-../../target/runners}:/opt/solstice/runners:ro,Z
-      # Libvirt control sockets (ro is sufficient for read-only, but write is needed to create domains)
-      - /var/run/libvirt/libvirt-sock:/var/run/libvirt/libvirt-sock:Z
-      - /var/run/libvirt/libvirt-sock-ro:/var/run/libvirt/libvirt-sock-ro:Z
-      # Optional: expose host libvirt configs for network XML reads
-      - /etc/libvirt:/etc/libvirt:ro,Z
-      - /var/lib/libvirt:/var/lib/libvirt:ro,Z
-      # KVM device for hardware acceleration
-      - /dev/kvm:/dev/kvm
     devices:
+      # KVM device for hardware-accelerated VM execution
       - /dev/kvm
     networks:
       - core