From a60ac172331b336e9a063c853b9588819bfcbd18 Mon Sep 17 00:00:00 2001
From: Thomas Gazagnaire
Date: Thu, 6 Apr 2017 19:37:06 +0200
Subject: [PATCH] miragesdk: start the calf using runc

`nested runc` unfortunately needs a lot of caps/privileged. The removal of `readonly: true` is also a bit unfortunate.

Signed-off-by: Thomas Gazagnaire
---
 projects/miragesdk/examples/mirage-dhcp.yml | 11 +++++++++--
 projects/miragesdk/src/dhcp-client/main.ml | 11 +++++------
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/projects/miragesdk/examples/mirage-dhcp.yml b/projects/miragesdk/examples/mirage-dhcp.yml
index 7a7fc4528..c9174594f 100644
--- a/projects/miragesdk/examples/mirage-dhcp.yml
+++ b/projects/miragesdk/examples/mirage-dhcp.yml
@@ -24,17 +24,24 @@ daemon:
 oomScoreAdj: -800
 readonly: true
 - name: dhcp-client
-image: "mobylinux/dhcp-client:30fddee3bf4a17945065dffb6f6bbef0d729f60d@sha256:32d5d93a96253928268ddd03a900f9404afb6267d60ba1e551859ca92d35663c"
+image: "mobylinux/dhcp-client:9e7009ae469ddd4d37f9cffaad2cf612114a3fb0@sha256:4421e05a0082b56c4ef83ca652e1da1a5af3a24e5baec61e7ba5b981f3b94a09"
 net: host
 capabilities:
 - CAP_NET_ADMIN # to bring eth0 up
 - CAP_NET_RAW # to read /dev/eth0
+- CAP_SYS_ADMIN # for runc (unshare)
+- CAP_SETGID # for runc (setns)
+- CAP_SYS_PTRACE # for runc (read /proc/[pid]/fd)
+mounts: # for runc
+- type: cgroup
+options: ["rw","nosuid","noexec","nodev","relatime"]
 binds:
 - /var/run/dhcp-client:/data
+- /usr/bin/runc:/usr/bin/runc # for runc
+- /run/runc:/run/runc # for runc
 - /sbin:/sbin # for ifconfig
 - /bin:/bin # for ifconfig
 - /lib:/lib # for ifconfig
-readonly: true
 files:
 - path: /var/run/dhcp-client/README
 contents: 'data for dhcp-client'
diff --git a/projects/miragesdk/src/dhcp-client/main.ml b/projects/miragesdk/src/dhcp-client/main.ml
index e8b796963..860fd4100 100644
--- a/projects/miragesdk/src/dhcp-client/main.ml
+++ b/projects/miragesdk/src/dhcp-client/main.ml
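Review bot: The dropped `readonly: true` on the dhcp-client service is the one change in this hunk that carries no in-file rationale, while every runc-related addition has a `# for runc` comment; since the commit message itself calls the removal unfortunate, record the reason next to the service so it can be reinstated later, e.g. `# readonly: true dropped for nested runc — restore once the calf no longer runs under runc`. The new line `- CAP_SETGID # for runc (setns)` looks misattributed: setns(2) is gated by CAP_SYS_ADMIN, which the line above already grants, so if runc needs CAP_SETGID it is presumably for switching to the container's gid (setgid/setgroups), and the comment should say so rather than point at setns. With CAP_SYS_ADMIN, a read-write `cgroup` mount, `/run/runc` and `/usr/bin/runc` bound in, `net: host` and a writable rootfs, this service no longer has a meaningful boundary from the host, which deserves one summary comment at the head of `capabilities:` so a reader does not assume the earlier two-capability profile still describes it.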
@@ -62,17 +62,16 @@ external dhcp_filter: unit -> string = "bpf_filter" let t = Init.Pipe.v () +(* let default_cmd = [ "/calf/dhcp-client-calf"; "--net=3"; "--ctl=4"; "-vv"; ] - -(* -let default_cmd = [ - "/usr/bin/runc"; "run"; "--preserve-fds"; "2"; "--bundle"; "."; "calf -" -] *) +let default_cmd = [ + "/usr/bin/runc"; "run"; "--preserve-fds"; "2"; "--bundle"; "."; "calf" +] + let read_cmd file = if Sys.file_exists file then let ic = open_in_bin file in