Restructure the mirage/dhcp container into the new project structure

Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>

base/dhcp-client/ROADMAP.md

@@ -1,22 +0,0 @@
-## Roadmap
-
-Very basic roadmap, to be improved shortly.
-
-### Done
-
-- use 2 static binaries privileged + unikernel (calf) in the container,
-  connected via socketpairs and pipes.
-- use eBPF to filter DHCP traffic
-- redirect the calf's sterr/stdout to the priv container
-- the priv exposes a simple HTTP interface to the calf, and read/write
-  are stored into a local Datakit/Git repo.
-- use upstream MirageOS's charrua-core.
-
-### TODO
-
-- current: make the packets flow in both directions
-- use runc to isolate the calf
-- use seccomp to isolate the privileged container
-- use the DHCP results to actually update the system
-- add metrics aggregation (using prometheus)
-- better logging aggregation (using syslog)

moby.yaml

@@ -17,13 +17,6 @@ system:
      - /proc/sys/fs/binfmt_misc:/binfmt_misc
     read_only: true
     command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc]
-  - name: dhcp-client
-    network_mode: host
-    image: "mobylinux/dhcp-client:dc3fd177a588ca9a850cfc75dd9083fb26d278dc"
-    capabilities:
-     - CAP_NET_RAW
-    command: [/dhcp-client]
-    read_only: true
 daemon:
   - name: rngd
     image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9@sha256:1c93c1db7196f6f71f8e300bc1d15f0376dd18e8891c8789d77c8ff19f3a9a92"

projects/miragesdk/README.md

@@ -7,7 +7,7 @@
                | privileged shim |                      |       calf     |
                |=================|                      |================|
                |                 |                      |                |
-    eth0 ----> |    eBPF rules   | <--- network IO ---> |   type-safe    |
+<--  eth0 ---> |    eBPF rules   | <--- network IO ---> |   type-safe    |
                |                 |      (data path)     | network stack  |
                |                 |                      |                |
                |-----------------|                      |----------------|
@@ -86,7 +86,7 @@ share it with the calf on startup).
 - Has access to a Mirage_net.S interface for network traffic
 - Has access to a a simple KV interface
 
-Internally, it might use something more typed than a KV store:
+Internally, it uses something more typed than a KV store:
 
 ```
 module Shim: sig
@@ -114,8 +114,25 @@ What the SDK should enable:
 
 ### Roadmap
 
-- first PoC
-- ipv6 support
-- gracefully handle expiration
+#### first PoC: DHCP client
+
+Current status: one container containing two static binaries (priv + calf),
+private pipes open between the process for stdout/stderr aggregation +
+raw sockets (data path). Control path is using a simple HTTP server running
+in the priv container. The calf is using the dev version of mirage/charrua-core,
+and is able to get a DHCP lease on boot.
+
+##### TODO
+
+- use runc to isolate the calf
+- eBPF filtering
+- use seccomp to isolate the privileged container
+- use the DHCP results to actually update the system
+- add metrics aggregation (using prometheus)
+- better logging aggregation (using syslog)
+- IPv6 support
 - tests, tests, tests (especially against non compliant RFC servers)
-- second iteration: NTP
+
+### Second iteration: NTP
+
+TODO

projects/miragesdk/examples/mirage-dhcp.yaml

@@ -0,0 +1,50 @@
+kernel:
+  image: "mobylinux/kernel:4.9.x"
+  cmdline: "console=ttyS0 page_poison=1"
+init: "mobylinux/init:d6d115d601e78f7909d4a2ff7eb4caa3fff65271"
+system:
+  - name: sysctl
+    image: "mobylinux/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
+    network_mode: host
+    pid: host
+    ipc: host
+    capabilities:
+     - CAP_SYS_ADMIN
+    read_only: true
+  - name: binfmt
+    image: "mobylinux/binfmt:bdb754f25a5d851b4f5f8d185a43dfcbb3c22d01"
+    binds:
+     - /proc/sys/fs/binfmt_misc:/binfmt_misc
+    read_only: true
+    command: [/usr/bin/binfmt, -dir, /etc/binfmt.d/, -mount, /binfmt_misc]
+  - name: dhcp-client
+    network_mode: host
+    image: "mobylinux/dhcp-client:dc3fd177a588ca9a850cfc75dd9083fb26d278dc"
+    capabilities:
+     - CAP_NET_RAW
+    command: [/dhcp-client]
+    read_only: true
+daemon:
+  - name: rngd
+    image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9@sha256:1c93c1db7196f6f71f8e300bc1d15f0376dd18e8891c8789d77c8ff19f3a9a92"
+    capabilities:
+     - CAP_SYS_ADMIN
+    oom_score_adj: -800
+    read_only: true
+    command: [/bin/tini, /usr/sbin/rngd, -f]
+  - name: nginx
+    image: "nginx:alpine"
+    capabilities:
+     - CAP_NET_BIND_SERVICE
+     - CAP_CHOWN
+     - CAP_SETUID
+     - CAP_SETGID
+     - CAP_DAC_OVERRIDE
+    network_mode: host
+files:
+  - path: etc/docker/daemon.json
+    contents: '{"debug": true}'
+outputs:
+  - format: kernel+initrd
+  - format: iso-bios
+  - format: iso-efi