qm - Man Page

Set up a Containerized environment for running Functional Safety QM (Quality Management) software.

Examples (TL;DR)

List all virtual machines: qm list
Using an ISO file uploaded on the local storage, create a virtual machine with a 4 GB IDE disk on the local-lvm storage and an ID of 100: qm create 100 -ide0 local-lvm:4 -net0 e1000 -cdrom local:iso/proxmox-mailgateway_2.1.iso
Show the configuration of a virtual machine, specifying its ID: qm config 100
Start a specific virtual machine: qm start 100
Send a shutdown request, then wait until the virtual machine is stopped: qm shutdown 100 && qm wait 100
Destroy a virtual machine and remove all related resources: qm destroy 100 --purge

Synopsis

This package allows users to set up an environment that prevents applications and container tools from interfering with other processes on the system.

The QM runs its own version of systemd and Podman to isolate not only the applications and containers launched by systemd and Podman but also systemd and Podman themselves. In other words, the systemd and Podman launched within the QM environment cannot affect the systemd or Podman processes running outside of that environment.

Software installed into the QM environment under the /usr/lib/qm/rootfs directory is automatically isolated from the host. If developers need to further isolate their applications from other processes in the QM, they should use container tools like Podman.

Install

After the QM software package is installed, execute the /usr/share/qm/setup script to setup and install the /usr/lib/qm/rootfs with packages to run an isolated environment. The setup script installs the selinux-policy-targeted, podman, systemd, and bluechi packages. Setup then enables and starts a Podman quadlet service qm.service (qm.container).

This Podman quadlet can be examined with the following command:

systemctl status qm.service
● qm.service
     Loaded: loaded (/etc/containers/systemd/qm.container; generated)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Tue 2023-04-11 15:43:45 EDT; 28min ago
   Main PID: 993674 (conmon)
      Tasks: 11 (limit: 76801)
     Memory: 275.1M (swap max: 0B)
        CPU: 4.527s
     CGroup: /QM.slice/qm.service
             ├─libpod-payload-00de006493bc970788d6c830beb494a58a9a2847a5eda200812d3a8b4e214814
             │ ├─init.scope
             │ │ └─993676 /sbin/init
             │ └─system.slice
             │   ├─dbus-broker.service
             │   │ ├─993763 /usr/bin/dbus-broker-launch --scope system --audit
             │   │ └─993764 dbus-broker --log 4 --controller 9 --machine-id 4ce4c21b211d41e78b7b64418c1c0cb5 -->
             │   ├─systemd-journald.service
             │   │ └─993718 /usr/lib/systemd/systemd-journald

CGROUPS QM.slice

Notice that the QM environment is running systemd and other services within the QM.Slice. This slice can be used to modify the cgroups controls of all of the processes within the QM environment.

Install Additional packages in QM

If other packages need to be added into the QM environment, use the dnf command on the host. For example, the following example installs the dnf command into the QM environment:

# dnf install --installroot=/usr/lib/qm/rootfs dnf
Unable to read consumer identity

Last metadata expiration check: 0:33:12 ago on Tue 11 Apr 2023 03:42:09 PM EDT.
Dependencies resolved.
================================================================================================================
 Package                                Architecture       Version                     Repository          Size
================================================================================================================
Installing:
 dnf                                    noarch             4.14.0-2.fc38               fedora             478 k

Entering the QM

To enter the QM environment, use this Podman command to launch containers within it.

sh-5.2# podman exec -ti qm sh
sh-5.2#

The SELinux label can be checked by executing the following:

sh-5.2# id -Z
system_u:system_r:qm_t:s0:c35,c404

Notice that the process is running as qm_t, indicating that the process is a confined QM process within the QM environment.

Containers can now be run within the QM environment using Podman.

sh-5.2# podman run --rm ubi9-minimal echo hi
Resolved "ubi9-minimal" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
Trying to pull registry.access.redhat.com/ubi9-minimal:latest...
Getting image source signatures
Checking if image destination supports signatures
Copying blob 7bffb309b4e8 done
Copying config 96179718b4 done
Writing manifest to image destination
Storing signatures
hi

It is recommended that Podman quadlets are used to run additional containerized applications within the QM. All applications within the QM environment are prevented from interfering with applications running outside of the QM environment.

Configuring bluechi agent in the QM

The configuration of the hosts /etc/bluechi/agent.conf file is copied into the QM every time the qm.service is started, with the nodename of the hosts agent.conf modified by prepending qm. on the front of the nodename. If the hosts /etc/bluechi/agent.conf does not exists, then the QM bluechi agent will default to qm.$(hostname).

If you want permanently modify the bluechi agent within the QM you can add config to /usr/lib/qm/rootfs/etc/bluechi/agent.conf.d/ directory or modify the /etc/containers/systemd/qm.container quadlet file to not execute the bluechi-agent setup script.

Using systemd drop-in with QM

The systemd drop-in feature allows users to extend or modify the configuration of systemd units without directly editing the unit files provided by the system package.

In this example, we will add the AllowedCPU to set as 1 to qm.service that quadlet generated:

Create allowedcpus.conf

cat  /etc/systemd/system/qm.service.d/allowedcpus.conf

# Contents of qm.continer.d/allowedcpus.conf
[Service]
AllowedCPUs=1

Referenced By

qm_selinux(8).