From a6dbe8ceba4ad054533f44da6c9a34c185edeed9 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Fri, 22 Jun 2018 13:41:34 +0100
Subject: [PATCH] Rather than bind mounting binfmt_misc filesystem, mount a copy.

For some reason, bind mounting does not always seem to work, sometimes the filesystem is empty. Mounting a fresh copy seems a better solution, and simplifies things. The container does need `CAP_SYS_ADMIN` but only on boot.

Signed-off-by: Justin Cormack
---
 pkg/binfmt/Dockerfile | 5 +----
 pkg/binfmt/build.yml | 5 +++--
 pkg/binfmt/main.go | 5 +++++
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/pkg/binfmt/Dockerfile b/pkg/binfmt/Dockerfile
index cd912216d..70e540dd1 100644
--- a/pkg/binfmt/Dockerfile
+++ b/pkg/binfmt/Dockerfile
@@ -12,13 +12,10 @@ ENV GOPATH=/go PATH=$PATH:/go/bin
 COPY main.go /go/src/binfmt/
 RUN go-compile.sh /go/src/binfmt
 
-RUN mkdir /binfmt_misc
-
 FROM scratch
 ENTRYPOINT []
 WORKDIR /
 COPY --from=qemu usr/bin/qemu-* usr/bin/
 COPY --from=mirror /go/bin/binfmt usr/bin/binfmt
-COPY --from=mirror /binfmt_misc /binfmt_misc/
 COPY etc/binfmt.d/00_linuxkit.conf etc/binfmt.d/00_linuxkit.conf
-CMD ["/usr/bin/binfmt", "-dir", "/etc/binfmt.d/", "-mount", "/binfmt_misc"]
+CMD ["/usr/bin/binfmt"]
diff --git a/pkg/binfmt/build.yml b/pkg/binfmt/build.yml
index 06150b01d..289611a90 100644
--- a/pkg/binfmt/build.yml
+++ b/pkg/binfmt/build.yml
@@ -1,9 +1,10 @@
 image: binfmt
+network: true
 arches:
 - amd64
 config:
-  binds:
-  - /proc/sys/fs/binfmt_misc:/binfmt_misc
+  capabilities:
+  - CAP_SYS_ADMIN
   readonly: true
   net: new
   ipc: new
diff --git a/pkg/binfmt/main.go b/pkg/binfmt/main.go
index 25d310b72..4df469a2d 100644
--- a/pkg/binfmt/main.go
+++ b/pkg/binfmt/main.go
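Review bot: The new `CMD ["/usr/bin/binfmt"]` drops the explicit `-dir` and `-mount` arguments, so the image now depends on the flag defaults declared in main.go, which are outside this patch, and with `RUN mkdir /binfmt_misc` and its COPY removed the scratch image no longer ships any mount point directory. If the default mount target is not a path that exists at runtime (presumably something under a runtime-provided /proc — to be confirmed against the flag declaration), the `syscall.Mount` added in main.go fails at boot and the service exits before reading any rule. A comment above CMD such as `# -dir/-mount use the defaults from main.go; the mount target must exist in the running container` would make that coupling visible to the next person editing either file.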
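Review bot: `CAP_SYS_ADMIN` is granted for the container's whole lifetime in the build.yml hunk, while the commit message says it is needed only on boot; the main.go hunk suggests the process mounts, processes rules and exits, so in practice that may be equivalent, but the reason for the capability should be recorded next to it, e.g. `# CAP_SYS_ADMIN: required for the binfmt_misc mount performed at startup`. The added `network: true` line is not mentioned in the commit message and is unrelated to replacing the bind mount; if the package build does not actually need network access it should be dropped, otherwise the reason belongs in the commit message or a comment. Removing the `/proc/sys/fs/binfmt_misc` bind also means the in-container mount is now the only way the filesystem becomes visible, so a failed mount leaves no rules registered rather than falling back to the host view — worth a sentence in the package README if one exists.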
@@ -69,6 +69,11 @@ func binfmt(line []byte) error {
 func main() {
 	flag.Parse()
+	if err := syscall.Mount("binfmt_misc", mount, "binfmt_misc", 0, ""); err != nil {
+		log.Fatalf("Cannot mount binfmt_misc filesystem at %s: %v", mount, err)
+	}
+	defer syscall.Unmount(mount, 0)
+
 	files, err := ioutil.ReadDir(dir)
 	if err != nil {
 		log.Fatalf("Cannot read directory %s: %s", dir, err)