OpenClash Version
v0.46.003-beta

Bug on Environment
Docker

OpenWrt Version
openwrt 23.05.3

Bug on Platform
Linux-armv6

Describe the Bug
Running the OpenWrt image that contains OpenClash with --privileged works without problems. Running the container with --cap-add=NET_ADMIN --cap-add=SYS_RESOURCE --cap-add=SYS_PTRACE, OpenClash starts normally, but clients cannot resolve anything.

To Reproduce
The docker run commands are:
sudo docker run -d --restart=on-failure:3 --hostname=OneCloud --name onecloud --network openwrt --cap-add=NET_ADMIN --cap-add=SYS_RESOURCE --cap-add=SYS_PTRACE --device=/dev/net/tun openwrt:23.05.3 /sbin/init
sudo docker run -d --restart=on-failure:3 --name onecloud --network openwrt --privileged --device=/dev/net/tun openwrt:23.05.3 /sbin/init
With the cap-add approach, NET_ADMIN, SYS_RESOURCE and SYS_PTRACE are added; everything else is default behaviour according to https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities. This way the OpenWrt container starts, OpenClash starts, and proxying works normally from inside the container, but once a client's gateway and DNS are pointed at the container IP, the client cannot resolve anything.
With the privileged approach, everything works normally.

OpenClash Log
Normal log

OpenClash Config
No response

Expected Behavior
I would like to use --cap-add for fine-grained control. The --privileged approach too easily causes problems on the host, such as kernel crashes.

Additional Context
No response
OpenClash/luci-app-openclash/root/etc/init.d/openclash, line 796 in c0cd0f1:
capabilties="cap_sys_resource,cap_dac_override,cap_net_raw,cap_net_bind_service,cap_net_admin,cap_sys_ptrace"
The required permissions are listed here.
Of these, cap_dac_override, cap_net_raw and cap_net_bind_service are present by default (https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities), so only cap_net_admin, cap_sys_resource and cap_sys_ptrace need to be added.
I also tested granting cap_net_admin and cap_sys_admin, with the same problem.
Is there some permission that is used but not listed?
The symptom is that the client cannot do any DNS resolution at all.
If nothing resolves, you need to check whether the kernel has any logs, or whether the firewall is not configured properly.

The kernel has no logs either. The firewall accepts both input and output.
I will do another reproduction when I have time this weekend.
By the way, docker stop xxx will very likely crash the host as well; right now it is unclear whether this is a Debian environment problem or a Docker --privileged problem, so --restart was only given 3 attempts, otherwise it turns into an endless-restart nightmare.
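As an added check (example code, not from the OpenClash project or this thread), the following script decodes the CapEff mask that /proc/self/status reports inside the container and compares it against the capability list quoted from the init script above. The two sample masks are constructed from Docker's default capability set in the linked docs and from that set plus the three --cap-add flags; the bit numbers come from linux/capability.h.

```shell
#!/bin/sh
# Added example, not OpenClash project code. Decodes a CapEff mask (the hex value
# from /proc/self/status inside the container) and reports which capabilities from
# the openclash init script's list are missing. Bit numbers are from linux/capability.h.
REQUIRED="cap_sys_resource cap_dac_override cap_net_raw cap_net_bind_service cap_net_admin cap_sys_ptrace"

# Capability name -> bit position in the CapEff mask.
cap_bit() {
    case "$1" in
        cap_dac_override)     echo 1 ;;
        cap_net_bind_service) echo 10 ;;
        cap_net_admin)        echo 12 ;;
        cap_net_raw)          echo 13 ;;
        cap_sys_ptrace)       echo 19 ;;
        cap_sys_admin)        echo 21 ;;
        cap_sys_resource)     echo 24 ;;
        *) return 1 ;;
    esac
}

# missing_caps HEXMASK: print the required capabilities whose bit is clear in HEXMASK.
missing_caps() {
    mask=$(( 0x$1 ))
    missing=""
    for cap in $REQUIRED; do
        bit=$(cap_bit "$cap") || { echo "unknown capability: $cap" >&2; return 2; }
        if [ $(( (mask >> bit) & 1 )) -eq 0 ]; then
            missing="$missing $cap"
        fi
    done
    echo "${missing# }"
}

# Effective capability set of the current process; run this inside the container.
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample masks: Docker's default set (the 14 capabilities from the linked
# docs), and that set plus NET_ADMIN (bit 12), SYS_PTRACE (bit 19), SYS_RESOURCE (bit 24).
DOCKER_DEFAULT_MASK=00000000a80425fb
CAP_ADD_MASK=00000000a90c35fb
```

Run `missing_caps "$(current_capeff)"` inside the container; an empty line means every capability in the init script's list is effective, so the lookup failure is not a missing listed capability.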