QM subpackage: Wayland

Developed by Albert and Roberto, integrating to QM upstream as sub-package.
This is an initial patch, I am sure we will need more work but let's
make it happen!

Use: make qm_dropin_window_manager

Ref:
https://aesteve-rh.github.io/alesgar-digital-cockpit/posts/wayland-in-qm/

Signed-off-by: Douglas Schilling Landgraf <[email protected]>

Makefile

@@ -76,6 +76,11 @@ rpm: clean dist ## - Creates a local RPM package, useful for develop
 .PHONY: ostree
 ostree: qm_dropin_img_tempdir ## - A helper for creating QM packages for ostree based distros
 
+.PHONY: qm_dropin_window_manager
+qm_dropin_window_manager: qm_dropin_mount_bind_kvm qm_dropin_mount_bind_sound qm_dropin_mount_bind_tty7 qm_dropin_mount_bind_input ## - QM RPM sub-package qm_dropin_window_manager
+ sed -i 's/%define enable_qm_window_manager 0/%define enable_qm_window_manager 1/' ${SPECFILE}
+ $(MAKE) VERSION=${VERSION} rpm
+
 .PHONY: qm_dropin_img_tempdir
 qm_dropin_img_tempdir: ## - QM RPM sub-package qm_dropin_img_tempdir
  sed -i 's/%define enable_qm_dropin_img_tempdir 0/%define enable_qm_dropin_img_tempdir 1/' ${SPECFILE}

qm-windowmanager/etc/pam.d/wayland

@@ -0,0 +1,12 @@
+#%PAM-1.0
+auth substack system-auth
+auth include postlogin
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+session required pam_loginuid.so
+session required pam_namespace.so
+session optional pam_keyinit.so force revoke
+session include system-auth
+session include postlogin
+-session optional pam_ck_connector.so

qm-windowmanager/etc/qm/containers/containers.conf.d/qm_dropin_mount_bind_window_manager.conf

@@ -0,0 +1,13 @@
+# Drop-in configuration for Podman to bind tty devices
+
+[containers]
+mounts = [
+ "type=bind,source=/dev/tty0,target=/dev/tty0",
+ "type=bind,source=/dev/tty1,target=/dev/tty1",
+ "type=bind,source=/dev/tty2,target=/dev/tty2",
+ "type=bind,source=/dev/tty3,target=/dev/tty3",
+ "type=bind,source=/dev/tty4,target=/dev/tty4",
+ "type=bind,source=/dev/tty5,target=/dev/tty5",
+ "type=bind,source=/dev/tty6,target=/dev/tty6",
+ "type=bind,source=/dev/tty7,target=/dev/tty7"
+]

qm-windowmanager/etc/systemd/system/active-session.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Session Activate Service
+After=network.target dbus.service
+
+[Service]
+Environment=XDG_RUNTIME_DIR=/run/user/0
+Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket
+Type=simple
+ExecStart=/qm_windowmanager/session-activate/qm_windowmanager_activate_session
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

qm-windowmanager/etc/systemd/system/qm-dbus.socket

@@ -0,0 +1,10 @@
+[Unit]
+Description=QM D-Bus User Message Bus Socket
+After=dbus.socket
+
+[Socket]
+ListenStream=/run/dbus/qm_bus_socket
+
+
+[Install]
+WantedBy=sockets.target

qm-windowmanager/etc/systemd/system/wayland-session.service

@@ -0,0 +1,37 @@
+[Unit]
+Description=Wayland Session Creation Handling
+After=systemd-user-sessions.service
+
+[Service]
+Type=simple
+Environment=XDG_SESSION_TYPE=wayland
+UnsetEnvironment=TERM
+ExecStart=/bin/sleep infinity
+Restart=no
+
+# Run the session as root (required by PAMName)
+User=0
+Group=0
+
+# Set up a full user session for the user, required by Wayland.
+PAMName=login
+
+# Fail to start if not controlling the tty.
+StandardInput=tty-fail
+
+# Defaults to journal.
+StandardError=journal
+StandardOutput=journal
+
+# A virtual terminal is needed.
+TTYPath=/dev/tty7
+TTYReset=yes
+TTYVHangup=yes
+TTYVTDisallocate=yes
+
+# Log this user with utmp.
+UtmpIdentifier=tty7
+UtmpMode=user
+
+[Install]
+WantedBy=graphical.target

qm-windowmanager/usr/lib/tmpfiles.d/etc/containers/systemd/gnome_mutter.container

@@ -0,0 +1,39 @@
+[Unit]
+After=qm-dbus.socket
+Description=mutter container
+Requires=qm-dbus.socket
+
+[Container]
+ContainerName=mutter
+Environment=XDG_RUNTIME_DIR=/run/user/0
+Environment=XDG_SESSION_TYPE=wayland
+Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/dbus/qm_bus_socket
+Exec=mutter --no-x11 --wayland --sm-disable --wayland-display=wayland-0
+Image=mutter:latest
+SecurityLabelType=qm_container_wayland_t
+Volume=/run/systemd:/run/systemd:ro
+Volume=/run/udev:/run/udev:ro
+Volume=/run/dbus/qm_bus_socket:/run/dbus/qm_bus_socket
+Volume=/run/dbus/system_bus_socket:/run/dbus/system_bus_socket
+Volume=/run/user/0:/run/user/0
+AddDevice=/dev/dri/renderD128
+AddDevice=/dev/dri/card0
+AddDevice=/dev/tty0
+AddDevice=/dev/tty1
+AddDevice=/dev/tty2
+AddDevice=/dev/tty3
+AddDevice=/dev/tty4
+AddDevice=/dev/tty5
+AddDevice=/dev/tty6
+AddDevice=/dev/tty7
+AddDevice=/dev/input/event0
+AddDevice=/dev/input/event1
+AddDevice=/dev/input/event2
+AddDevice=/dev/input/event3
+AddDevice=/dev/input/event4
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Restart=always

qm-windowmanager/usr/lib/tmpfiles.d/etc/containers/systemd/qm.container.d/wayland-extra-devices.conf

@@ -0,0 +1,17 @@
+[Container]
+AddDevice=/dev/dri/renderD128
+AddDevice=/dev/dri/card0
+AddDevice=/dev/tty0
+AddDevice=/dev/tty1
+AddDevice=/dev/tty2
+AddDevice=/dev/tty3
+AddDevice=/dev/tty4
+AddDevice=/dev/tty5
+AddDevice=/dev/tty6
+AddDevice=/dev/tty7
+AddDevice=/dev/input/event0
+AddDevice=/dev/input/event1
+AddDevice=/dev/input/event2
+AddDevice=/dev/input/event3
+AddDevice=/dev/input/event4
+Volume=/run/udev:/run/udev:ro,Z

qm-windowmanager/usr/lib/tmpfiles.d/etc/containers/systemd/weston_terminal.container

@@ -0,0 +1,19 @@
+[Unit]
+After=mutter.service
+Description=weston_terminal container
+Requires=mutter.service
+
+[Container]
+ContainerName=weston_terminal
+Environment=XDG_RUNTIME_DIR=/run/user/0
+Environment=WAYLAND_DISPLAY=wayland-0
+Exec=/usr/bin/weston-terminal
+Image=localhost/weston_terminal:latest
+SecurityLabelType=qm_container_wayland_t
+Volume=/run/user/0:/run/user/0
+
+[Install]
+WantedBy=multi-user.target
+
+[Service]
+Restart=always

qm-windowmanager/usr/lib/tmpfiles.d/wayland-xdg-directory.conf

@@ -0,0 +1,2 @@
+#Type Path Mode UID GID Age Argument
+d /run/user/0 0700 0 0 - -

qm-windowmanager/usr/share/qm/manage-pam-selinux-systemd-user-config

@@ -0,0 +1,89 @@
+#!/bin/bash
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+COMMENT_TAG="commented-by-qm-windowmanager-rpm-package"
+
+create_systemd_user_pam() {
+ # Set default path if no argument is provided, or use the provided argument
+ local target_path="${1:-/usr/lib/qm/rootfs/etc/pam.d/systemd-user}"
+
+ # Create the directory if it doesn't exist
+ sudo mkdir -p "$(dirname "$target_path")"
+
+ # Create the systemd-user file with the standard content
+ cat << EOF | sudo tee "$target_path" > /dev/null
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session required pam_loginuid.so
+session optional pam_keyinit.so force revoke
+session include system-auth
+EOF
+
+ # Set the correct permissions (644)
+ sudo chmod 644 "$target_path"
+
+ # Restore SELinux context
+ sudo restorecon "$target_path"
+
+ # Check if file was created successfully and confirm
+ if [ ! -f "$target_path" ]; then
+ echo "Failed to create the file."
+ return 1
+ fi
+}
+
+# Function to comment pam_selinux lines and add the comment tag
+comment_pam_selinux() {
+ sed -i "/pam_selinux/ s|^|# |; s|# .*|& # $COMMENT_TAG|" "$1"
+}
+
+# Function to uncomment pam_selinux lines (removing both the comment and the tag)
+uncomment_pam_selinux() {
+ sed -i "/pam_selinux/ s|^# ||; s| # $COMMENT_TAG||" "$1"
+}
+
+# Check if sufficient arguments are provided
+if [[ $# -lt 2 ]]; then
+ echo "Usage: $0 <file_path> [--comment | --uncomment]"
+ exit 1
+fi
+
+FILE=$1
+ACTION=$2
+
+# Check if the file exists
+# if not, lets create a template
+# /usr/lib/qm/rootfs/etc/pam.d/systemd-user
+if [[ ! -f "$FILE" ]]; then
+ create_systemd_user_pam "$@"
+ exit 0
+fi
+
+# Execute the action based on the option
+case $ACTION in
+ --comment )
+ comment_pam_selinux "$FILE"
+ ;;
+ --uncomment )
+ uncomment_pam_selinux "$FILE"
+ ;;
+ * )
+ echo "Usage: $0 <file_path> [--comment | --uncomment]"
+ exit 1
+ ;;
+esac

qm-windowmanager/usr/share/qm/mutter/ContainerFile

@@ -0,0 +1,6 @@
+# Documentation and example only, users can adapt to their need when building
+# mutter image for their own Wayland quadlet
+FROM fedora:40
+
+RUN dnf -y install mutter \
+ && dnf clean all && rm -rf /var/cache/dnf

qm-windowmanager/usr/share/qm/session-activate/ContainerFile

@@ -0,0 +1,5 @@
+# Documentation and example provided for users who wish to containerize the activate_session process.
+FROM fedora:40
+RUN dnf -y install systemd jq \
+ && dnf clean all && rm -rf /var/cache/dnf
+COPY qm_windowmanager_activate_sessione /usr/share/qm/qm_windowmanager_activate_session

qm-windowmanager/usr/share/qm/session-activate/qm_windowmanager_activate_session

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+SESSION=
+while [ -z "$SESSION" ]; do
+ sleep 1
+ SESSION=$(loginctl list-sessions -o json | jq -re '.[] | select(.seat=="seat0").session')
+done
+
+loginctl activate "${SESSION}"
+
+exit 0