Use the `with-cdhcpc` branch of charrua-client, which exposes `Dhcp_client_lwt`. Dhcp_client_lwt exposes similar functions to `Dhcp_client_mirage`, but does not impose the structure of a Mirage_types_lwt.ipv4_config on the returned object, rather returning the full lease; the engine can then expose whatever information from the lease it finds to be pertinent.
Signed-off-by: Mindy Preston <mindy.preston@docker.com>
The intention with the yaml fragment is that it specifies the
set of processes that form the daemon, with minimal privileges
for each component and each running inside a separate container.
In addition to the normal container capabilities, there is also
a new field which lets a startup process establish an RPC channel,
based on a Capnp specification. This allows for extremely
unprivileged components to be started, such as the `dhcp-engine`
in this example which can only communicate with the outside world
via the `dhcp-network` (to transmit) or `dhcp-actuator` (to alter
the state of the local Linux distribution).
This is a first cut at the yaml interface and the capnp, with the
intention to refine it as we combine it with the rest of the existing
prototype (which currently doesnt have an RPC layer). Expect
more changes...
Signed-off-by: Anil Madhavapeddy <anil@docker.com>
- Update to packages using the Alpine 3.6 base image
- Remove config for packages which now supply it
- Update/add trust section
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The latest version of the `moby` tool now requires that the output formats
be specified in the CLI not in the yaml file.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
Not sure when this arrived but it was stopping anything running.
Appears not to be in the older test `init` containers.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
It's not very interesting to see the forwarded stdout/stderr messages as
they will end-up being printed anyway.
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
The priv container populate the `/mac` key on startup, that the calf can
then read.
Also add more fine-grained control over read/write delete capabilities attached
to the routes, e.g. the calf can read /mac but not write to it.
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
As suggested by @shykes these are clearer
- onboot for things that are run at boot time to completion
- services for persistent services
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
`nested runc` unfortunately needs a lot of caps/privileged. The removal of `readonly: true` is also a bit unfortunate.
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
Make all the low-level init code synchronous to avoid weird blocks on `close`.
Also move the net and ctl file descriptor at the beginning of the fd space for
the calf.
The SDK also allow to spamn multiple exec calves, which will all have the same
fd map:
- 0: stdin = /dev/null
- 1: stdout = pipe to parent stdout
- 2: stderr = pipe to parent stderr
- 3: net = socketpair to parent "net" pipe
- 4: ctl = socketpair to parent "ctl" pipe
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
This forces us to bind mount /lib but will be replaced by calling the proper
bindings later on.
Signed-off-by: Thomas Gazagnaire <thomas@gazagnaire.org>
