nilrt-container: service startup on boot by Shreejit-03 · Pull Request #997 · ni/meta-nilrt

Shreejit-03 · 2026-05-05T19:58:14Z

Summary of Changes

Enable container services, NI MAX connectivity, and opkg feed support for NILRT runtime containers.

container/init:
- Bind-mount boot so ni-arch-gen can detect it as mounted and generate /etc/opkg/ni-arch.conf at first boot.
- Start D-Bus, Avahi, nirtmdnsd, SystemWebServer, NI XNT services, and sshd.
- Fix /run/natinst ownership so webserv can create PID file.
nilrt-container.inc:
- Replace static arch DeviceCode77E1 opkg config with ni-arch-gen (generates correct arch config dynamically).
- Add ni-sysapi-webservice, ni-auth, ni-system-webserver, ni-webdav-system-webserver-support, and nirtmdnsd to IMAGE_INSTALL_NODEPS for NI MAX connectivity, WebDAV deployment, and target discovery.
- Remove ni-dim, ni-dim-dkms, ni-dim-libs, ni-dim-sysapi, and libnidimu1 via ROOTFS_RO_UNNEEDED — they segfault without real PXI hardware.
- Remove libnimdbgu.so at build time (crashes NIWebServiceContainer's mDNS thread in Docker).
- Install opkg wrapper at /usr/local/bin/opkg that removes crashing libraries after any install/upgrade.
- Enable sshd by default in ni-rt.ini.
env-config-container.bb:
- Fix fw_printenv.wrapper and fw_setenv.wrapper permissions from 0550 to 0555 so the webserv user can execute them. Without this, libnitargetcfg cannot read grubenv variables and NI MAX reports model as "Pele" / "not supported by drivers."
nilrt-container.postinst:
- Restore file capabilities lost during OCI image packaging (setcap for hwclock and SystemWebServer).
opkg-wrapper.sh :
- Wrapper that removes libnidimu.so and libnimdbgu.so after any opkg install/upgrade (they get pulled back as LabVIEW/VeriStand dependencies).
- Restarts lvrt-daemon after cleanup to reset crash counter.
- Re-applies setgid on /c for proper file ownership.

Justification

AB#3201988.

Testing

Built nilrt-runmode-container and nilrt-slim-container images with bitbake successfully.
Ran containers with docker run --privileged --network=nilrt-net and verified:
- SystemWebServer starts and runs as webserv user.
- SSH is accessible from remote hosts on the macvlan network.
- /nisysdetails/system API reports "model": "NI LinuxRT Container".
- NI MAX discovers and connects to the container target.
ran a LabVIEW RT .vi on the containers.
ran VeriStand example on the containers.

Copilot

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the NILRT container image to improve first-boot behavior and stability in Docker by installing required NI services/tools, removing known-crashing libraries, and adding an opkg wrapper to keep the container usable after package installs.

Changes:

Adjusts container image package set (adds NI web services/mDNS/arch generation components; removes some packages from RO removal list).
Adds post-processing to delete problematic libraries/caches and installs an opkg wrapper that re-applies those mitigations after installs/upgrades.
Updates container init/postinst to start additional services and restore file capabilities lost during OCI image packaging.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
recipes-ni/env-config-container/env-config-container.bb	Makes fw env wrapper scripts world-executable (permission change).
recipes-core/images/includes/nilrt-container.inc	Adds container packages, rootfs cleanup, opkg wrapper install, and enables sshd via ini edits.
recipes-core/images/files/container/opkg-wrapper.sh	Introduces an opkg wrapper to remove crashing libs, fix /c perms, and restart lvrt services.
recipes-core/images/files/container/nilrt-container.postinst	Restores file capabilities after image extraction.
recipes-core/images/files/container/init	Starts more NI services (auth, dbus/avahi/mdns, webserver, XNT, sshd) and bind-mounts /boot.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 9 comments.

chaitu236 · 2026-05-22T23:15:49Z

+
+# Start NI XNT services (required for NI-RPC interfaces)
+if [ -x /usr/sbin/nixntipstackd ]; then
+    /usr/sbin/nixntipstackd &


I see that these are not default installed in BSI - I suppose they're for cases when a customer creates container image that has them installed?

If so, are we intending to start initscripts for every potential h/w a customer may want to install right here?

I thought the only s/w install workflow we'll support on containers is via opkg install in custom docker images.. if so, why not let customers edit/append to init in the docker images themselves for each s/w they want to install (we could provide commands for what to add for each s/w)?

It seems to not be sustainable to add workarounds for any future pieces of s/w someone would want to install in the default init (like here and the dim stuff below, etc). But if there's a good reason to do this, I'd like to know.

Copilot

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 9 comments.

Shreejit-03 · 2026-05-26T13:54:44Z

+	# fw_printenv needs group 'ni' (gid 500) execute permission because
+	# SystemWebServer runs as webserv:ni and libnitargetcfg calls
+	# /sbin/fw_printenv to read DeviceCode/DeviceDesc. Without execute
+	# access, NI MAX shows model "Pele".
+	install -m 0550 ${S}/fw_printenv.wrapper ${D}${base_sbindir}/
+	chgrp 500 ${D}${base_sbindir}/fw_printenv.wrapper


I originally used install -m 0550 -g ni but it fails at build time with install: invalid group 'ni' — the group only exists in the target rootfs, not in pseudo's namespace during do_install. The chgrp 500 approach works because pseudo records the numeric GID and it resolves to ni in the final image.

GID 500 is a fixed allocation defined in group — it's not fragile since NILRT always uses this value.

Replace static opkg arch config in container_image_pre() with ni-arch-gen, which generates /etc/opkg/ni-arch.conf at first boot via run-postinsts. Bind-mount /boot so ni-arch-gen can detect it as mounted. Set fw_printenv and fw_setenv wrappers to 0555 so non-root users can read env vars. Add ni-sysapi-webservice, ni-auth, ni-system-webserver, ni-webdav-system-webserver-support, and nirtmdnsd to IMAGE_INSTALL_NODEPS for NI MAX connectivity, WebDAV deployment, and target discovery. Remove ni-dim, ni-dim-dkms, ni-dim-libs, ni-dim-sysapi, and libnidimu1 via ROOTFS_RO_UNNEEDED — they segfault without real PXI hardware. Install an opkg wrapper at /usr/local/bin/opkg that removes these crashing libraries after any install/upgrade, since they get pulled back as LabVIEW/VeriStand dependencies. Move setcap calls to nilrt-container.postinst to restore file capabilities lost during OCI tar layer packaging. Set fw_printenv.wrapper to group ni (gid 500) so SystemWebServer (webserv:ni) can invoke it — without this, libnitargetcfg fails. Start D-Bus, Avahi, nirtmdnsd, SystemWebServer, and sshd in the container init script. Enable sshd in ni-rt.ini at image build time. Signed-off-by: Shreejit C <shreejit.c@emerson.com>

Shreejit-03 force-pushed the nilrt/master/next branch from 25855a9 to f991f6b Compare May 6, 2026 07:06

Shreejit-03 changed the title ~~nilrt-container: add NI feed configuration and service startup on boot~~ nilrt-container: service startup on boot May 6, 2026

Shreejit-03 force-pushed the nilrt/master/next branch from f991f6b to d3654d6 Compare May 6, 2026 21:51

Shreejit-03 requested a review from chaitu236 May 6, 2026 21:52