From 6a1d5c3bedf34fca1d2043cde651792ffc8437d1 Mon Sep 17 00:00:00 2001
From: josh
Date: Sat, 18 Apr 2026 11:31:37 -0400
Subject: [PATCH] pxe: route dnsmasq lease + pid files into RuntimeDir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without explicit dhcp-leasefile and pid-file, dnsmasq reaches for its distro defaults (/var/lib/misc/dnsmasq.leases, /run/dnsmasq.pid) — both outside the systemd unit's ReadWritePaths=/var/lib/vetting /var/log/vetting sandbox, causing 'Read-only file system' on every start. RuntimeDir is already writable by construction (Supervisor.Start mkdir's it), so writing both files there keeps dnsmasq entirely inside the sandbox.

Co-Authored-By: Claude Opus 4.7
---
 internal/pxe/dnsmasq.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/internal/pxe/dnsmasq.go b/internal/pxe/dnsmasq.go
index d0f396f..7e201a7 100644
--- a/internal/pxe/dnsmasq.go
+++ b/internal/pxe/dnsmasq.go
@@ -276,6 +276,12 @@ dhcp-host={{ .MAC }},set:known
 # DHCP range (broader subnet coverage is fine; allowlist above gates replies).
 dhcp-range={{ .Cfg.DHCPRange }}
 
+# Keep runtime state inside RuntimeDir so the systemd sandbox
+# (ReadWritePaths=/var/lib/vetting ...) doesn't block writes to the
+# distro defaults (/var/lib/misc/dnsmasq.leases, /run/dnsmasq.pid).
+dhcp-leasefile={{ .Cfg.RuntimeDir }}/dhcp.leases
+pid-file={{ .Cfg.RuntimeDir }}/dnsmasq.pid
+
 # TFTP + HTTP boot (iPXE chainload).
 enable-tftp
 tftp-root={{ .Cfg.TFTPRoot }}
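Review bot: The two new lines splice `{{ .Cfg.RuntimeDir }}` into a path with nothing at this layer guaranteeing it is non-empty and absolute; an empty value renders `dhcp-leasefile=/dhcp.leases` and `pid-file=/dnsmasq.pid`, which is precisely the out-of-sandbox write the commit sets out to avoid, and a relative value is resolved against dnsmasq's working directory rather than the unit's. If that invariant is enforced where Cfg is built (outside this hunk), the template comment should say so; otherwise a check such as `if !filepath.IsAbs(cfg.RuntimeDir) { return fmt.Errorf("pxe: RuntimeDir must be absolute, got %q", cfg.RuntimeDir) }` belongs before the template is executed. The comment also reads as if RuntimeDir is itself under `ReadWritePaths=/var/lib/vetting`; if it is in fact a systemd RuntimeDirectory on tmpfs, the lease file will not survive a reboot, which is probably acceptable for an allowlisted `dhcp-host` setup but is worth stating in the comment. Separately, if the supervisor launches dnsmasq with `--no-daemon` (`-d`) rather than `--keep-in-foreground` (`-k`), dnsmasq does not write a pid file at all, so `pid-file=` would be inert; I cannot see the launch flags from this hunk.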