Skip to content

nalind/fedora-qemu-user-static

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

31 Commits
.github/workflows
.github/workflows
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
build-and-push.sh
build-and-push.sh
 
 
daemonset.yml
daemonset.yml
 
 
entrypoint.sh
entrypoint.sh
 
 

Repository files navigation

fedora-qemu-user-static

Borrowing heavily from the docker.io/multiarch/qemu-user-static and tonistiigi/binfmt images and references at https://dbhi.github.io/qus/, this image is based on Fedora with its qemu-user-static package installed. There are many variations on this theme, and this is one more.

If your Linux distribution includes a qemu-user-static package, I enthusiastically recommend that you install it instead of attempting to use this image. On Fedora, at least, the packaging does all of the right things automatically, and updates for the package are also provided by the distribution.

For everyone else, when run using the --privileged flag using docker or podman (as root), its entry point script will register the static qemu binaries that it includes with the binfmt_misc module in the host's kernel. The registration is done using the flags that instruct the kernel to load the emulator binary immediately, so the fact that they're in a container that will be removed immediately after is not an issue.

TL;DR

To turn on emulation:

  docker run --rm --privileged ghcr.io/nalind/fedora-qemu-user-static register
  sudo podman run --rm --privileged ghcr.io/nalind/fedora-qemu-user-static register
  podman machine ssh sudo podman run --rm --privileged ghcr.io/nalind/fedora-qemu-user-static register

To turn off emulation:

  docker run --rm --privileged ghcr.io/nalind/fedora-qemu-user-static unregister
  sudo podman run --rm --privileged ghcr.io/nalind/fedora-qemu-user-static unregister
  podman machine ssh sudo podman run --rm --privileged ghcr.io/nalind/fedora-qemu-user-static unregister

SELinux

SELinux policy would normally not allow binaries in one container to access binaries in another container, so an additional workaround is required.

A workaround that has worked for me is to copy the interpreters to a mounted volume, relabel them, and register them from there. SELinux policy will then allow them to run binaries in containers.

To turn on emulation using that workaround:

  docker run --rm --privileged -v $(sudo mktemp -d -p /run -t qemu-user-static-XXXXXX):/usr/local/bin -e BINDIR=/usr/local/bin -e CHCON="-t bin_t" ghcr.io/nalind/fedora-qemu-user-static register
  sudo podman run --rm --privileged -v /usr/local/bin -e BINDIR=/usr/local/bin -e CHCON="-t bin_t" ghcr.io/nalind/fedora-qemu-user-static register
  podman machine ssh sudo podman run --rm --privileged -v /usr/local/bin -e BINDIR=/usr/local/bin -e 'CHCON="-t bin_t"' ghcr.io/nalind/fedora-qemu-user-static register

To turn off emulation:

  docker run --rm --privileged ghcr.io/nalind/fedora-qemu-user-static unregister
  sudo podman run --rm --privileged ghcr.io/nalind/fedora-qemu-user-static unregister
  podman machine ssh sudo podman run --rm --privileged ghcr.io/nalind/fedora-qemu-user-static unregister

We're heavily dependent on the quality of the emulation. It should go without saying, but if something breaks, you get to keep all of the pieces.

About

Fedora with qemu-user-static

Resources

Readme

License

View license
Activity

Stars

2 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Languages