
Configuring communication between containers in the QM partition

QM container IPC follows the same principles as root partition container communication, with key differences:

  • AIB manifest structure: You must add a qm section after the content section to specify QM-specific containers, Quadlet unit files, and other options.

  • Socket mounting: Unlike in root-to-QM scenarios, systemd cannot mount domain sockets into the QM partition because of how SELinux permissions are handled there. Instead, set SecurityLabelLevel=s0:c1,c2 in the [Container] section of the Quadlet unit file of the containerized server and of each client application. This applies the same SELinux MLS level to those containers, so a socket created by one of them can be accessed programmatically by the others, thus enabling IPC between containers that share both the security level and the socket path.

    Note

    To ensure socket separation for any additional client-server combinations communicating via domain sockets in the QM partition, you must use unique security label levels. For example, you would label a second set of server and client applications running in the QM partition with SecurityLabelLevel=s0:c3,c4.

About the demo code

The demo code uses a pair of Python applications packaged as containers — a server and a client — that communicate over a UNIX domain socket inside the QM partition.

During the AutoSD OS image build, the Automotive Image Builder (AIB) manifest file specifies two things: the client and server application container images to add to the QM partition, and the Quadlet unit configurations to apply to those containers so that they can communicate over the IPC socket inside the QM partition.

When it starts at boot, the server programmatically creates and binds the socket at a path that the client can access, thus enabling IPC between the two applications running in separate containers in the QM partition.

The sample Containerfiles and Python code available in the /containers directory of the demo code illustrate one method of creating these local containerized Python applications.
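The following is an added example of the kind of client-server exchange the demo performs over a UNIX domain socket; it is not the demo's own Python code. The demo binds its socket at /run/ipc.sock inside the QM partition (constant DEMO_SOCKET_PATH below); because that path is normally not writable outside a container, run_demo() defaults to a socket in a temporary directory so the example can be run anywhere. The message format (one newline-terminated line and a prefixed echo reply) and the 0o660 socket mode are assumptions of this example, not something the page specifies.

```python
import os
import socket
import tempfile
import threading

# Socket path used by the AutoSD demo inside the QM partition (from the page).
# run_demo() below uses a temporary directory instead unless a path is given.
DEMO_SOCKET_PATH = "/run/ipc.sock"


def recv_line(conn, limit=4096):
    """Read one '\\n'-terminated line (or until EOF), bounded so a misbehaving
    peer cannot make the server buffer without limit."""
    buf = bytearray()
    while len(buf) < limit:
        chunk = conn.recv(limit - len(buf))
        if not chunk:
            break
        buf += chunk
        if buf.endswith(b"\n"):
            break
    return bytes(buf)


def run_server(path, expected_clients, ready):
    """Bind a UNIX domain socket at `path` and answer `expected_clients` requests,
    one connection at a time. Each reply echoes the request with a prefix."""
    if os.path.exists(path):
        os.unlink(path)  # a stale socket file from an earlier run makes bind() fail
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        # Owner/group only. Inside the QM partition the SELinux level set with
        # SecurityLabelLevel= is what gates access between containers; the file
        # mode is defense in depth (assumed here, not prescribed by the page).
        os.chmod(path, 0o660)
        srv.listen(expected_clients)
        ready.set()  # tell run_demo() that clients may connect now
        for _ in range(expected_clients):
            conn, _addr = srv.accept()
            with conn:
                data = recv_line(conn)
                conn.sendall(b"server got: " + data)
    finally:
        srv.close()
        if os.path.exists(path):
            os.unlink(path)


def send_message(path, message, timeout=5.0):
    """Connect to the server socket at `path`, send one line, return the reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.settimeout(timeout)
        cli.connect(path)
        cli.sendall(message.encode() + b"\n")
        cli.shutdown(socket.SHUT_WR)  # we are done sending; wait for the reply
        reply = bytearray()
        while True:
            chunk = cli.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply.decode().rstrip("\n")


def run_demo(messages, path=None):
    """Start the server in a thread, send each message as a separate client
    connection, and return the list of replies."""
    tmp = None
    if path is None:
        tmp = tempfile.TemporaryDirectory()
        path = os.path.join(tmp.name, "ipc.sock")
    ready = threading.Event()
    server = threading.Thread(
        target=run_server, args=(path, len(messages), ready), daemon=True
    )
    server.start()
    ready.wait(5.0)
    try:
        return [send_message(path, m) for m in messages]
    finally:
        server.join(5.0)
        if tmp is not None:
            tmp.cleanup()


if __name__ == "__main__":
    # Constructed input; pass path=DEMO_SOCKET_PATH to use the demo's location.
    print(run_demo(["hello from client"]))
```

In the QM partition, both containers must mount the directory that holds the socket and carry the same SecurityLabelLevel; otherwise connect() in send_message() fails with a permission error even though the path exists.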

Prerequisites

Procedure

  1. Using Podman, create local containerized versions of a client Python application and a server Python application using the sample code located in the demo code.

    Note

    The sample applications in the containers are configured to start automatically after the OS boots.

  2. To copy the local container images to the QM partition in the OS image, add the following lines in the container_images subsection in the qm section of your manifest file:

    ```console
    --8<-- "demos/ipc-qm-qm/ipc-qm-qm-3.aib.yml:26:33"
    ```

  3. Create an ipc_client_qm.container Quadlet unit file and an ipc_server_qm.container Quadlet unit file located in the same directory as your manifest file by following the procedure in Running containers from systemd.

  4. To configure socket communication between the ipc_client_qm and ipc_server_qm containers, edit the two Quadlet files and add lines to indicate where to mount the volumes that contain the UNIX domain sockets. In the demo code, this location is /run/ipc.sock.

    1. Add these lines to the [Container] section of the ipc_client_qm.container Quadlet file to configure and mount the volume where the socket resides:

      ```console
      --8<-- "demos/ipc-qm-qm/ipc_client_qm.container:7:11"
      ```

    2. Add these lines to the [Container] section of the ipc_server_qm.container Quadlet file to configure and mount the volume where the socket resides:

      ```console
      --8<-- "demos/ipc-qm-qm/ipc_server_qm.container:5:9"
      ```

  5. To copy the Quadlet files to the /etc/systemd/system/ directory in the OS image, so that systemd starts both containers and sets up the socket volume when the OS boots, add the following lines in the add_files section of your manifest file:

    ```console
    --8<-- "demos/ipc-qm-qm/ipc-qm-qm-3.aib.yml:36:39"
    ```
    
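Because a mistake in step 4 fails silently until the client cannot connect, it is worth checking the Quadlet files before building the image. The following added example (not part of the demo) parses the [Container] section of each unit and verifies the two rules the page states: the server and every client of one pair carry the same SecurityLabelLevel, and no two pairs reuse a level. It also checks that each unit mounts a Volume= whose container-side path contains the socket path; the sample units, the image names and the volume spec `ipc-socket:/run` are constructed for this example and are not the demo's files.

```python
def parse_unit(text):
    """Parse systemd/Quadlet unit text into {section: {key: [values]}}.
    Repeated keys (for example several Volume= lines) keep every value."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections


def container_key(unit_text, key):
    """All values of `key` in the [Container] section (empty list if absent)."""
    return parse_unit(unit_text).get("Container", {}).get(key, [])


def mounts_socket_dir(unit_text, socket_path):
    """True if some Volume= maps a container-side path that contains socket_path.
    Volume= is 'host-or-name:container[:options]' or just 'container'."""
    for vol in container_key(unit_text, "Volume"):
        parts = vol.split(":")
        container_path = parts[1] if len(parts) >= 2 else parts[0]
        if socket_path.startswith(container_path.rstrip("/") + "/"):
            return True
    return False


def check_pairs(pairs, socket_path="/run/ipc.sock"):
    """pairs: {pair_name: {role: unit_text}}. Returns a list of problems (empty
    when every pair shares one level, mounts the socket dir, and levels are
    unique across pairs)."""
    problems = []
    level_owner = {}  # SecurityLabelLevel -> pair that first used it
    for name, units in pairs.items():
        levels = {}
        for role, text in units.items():
            found = container_key(text, "SecurityLabelLevel")
            if len(found) != 1:
                problems.append(f"{name}/{role}: expected exactly one "
                                f"SecurityLabelLevel=, found {len(found)}")
                continue
            levels[role] = found[0]
            if not mounts_socket_dir(text, socket_path):
                problems.append(f"{name}/{role}: no Volume= mounts the "
                                f"directory holding {socket_path}")
        if len(set(levels.values())) > 1:
            problems.append(f"{name}: SecurityLabelLevel differs between roles: {levels}")
        for level in sorted(set(levels.values())):
            owner = level_owner.setdefault(level, name)
            if owner != name:
                problems.append(f"{name}: level {level} already used by pair {owner}")
    return problems


def sample_unit(image, level, volume="ipc-socket:/run"):
    """Constructed Quadlet unit text for the examples below (not the demo's)."""
    return ("[Unit]\nDescription=constructed sample unit\n\n"
            "[Container]\n"
            f"Image={image}\n"
            f"Volume={volume}\n"
            f"SecurityLabelLevel={level}\n")


# Two correctly labelled pairs: s0:c1,c2 for the first, s0:c3,c4 for the second.
GOOD_PAIRS = {
    "pair1": {"server": sample_unit("localhost/ipc_server_qm", "s0:c1,c2"),
              "client": sample_unit("localhost/ipc_client_qm", "s0:c1,c2")},
    "pair2": {"server": sample_unit("localhost/other_server", "s0:c3,c4"),
              "client": sample_unit("localhost/other_client", "s0:c3,c4")},
}

# A second pair that reuses pair1's level on its server, gives its client a
# different level, and mounts a volume that does not contain the socket.
BAD_PAIRS = {
    "pair1": GOOD_PAIRS["pair1"],
    "pair2": {"server": sample_unit("localhost/other_server", "s0:c1,c2"),
              "client": sample_unit("localhost/other_client", "s0:c3,c4",
                                    volume="/var/data:/data")},
}

if __name__ == "__main__":
    print("good:", check_pairs(GOOD_PAIRS))
    for p in check_pairs(BAD_PAIRS):
        print("bad:", p)
```

Run it against the real ipc_client_qm.container and ipc_server_qm.container files by reading their text into the dictionary; a non-empty result means the containers will end up with mismatched or shared SELinux levels and the socket connection will be denied at runtime.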

Sample code

The following are fully functioning demo code samples of an AIB manifest and two Quadlet unit files. Together they add two containerized Python applications to the QM partition and start them automatically so that they communicate via an IPC UNIX domain socket.

```console title="Sample ipc-qm-qm-3.aib.yml file"
--8<-- "demos/ipc-qm-qm/ipc-qm-qm-3.aib.yml"
```

```console title="Sample ipc_client_qm.container Quadlet unit file"
--8<-- "demos/ipc-qm-qm/ipc_client_qm.container"
```

```console title="Sample ipc_server_qm.container Quadlet unit file"
--8<-- "demos/ipc-qm-qm/ipc_server_qm.container"
```

Next steps

  • Now that you have configured the manifest and Quadlet unit files to set up communication between containers in the QM partition, you can build your AutoSD OS image. For more information, see Building an image from a custom manifest.
  • Alternatively, you can continue customizing your image. For more information, see Containerized applications.

Additional resources