Dockerised install broken with version 22.03.2

I build my own docker image using the OpenWRT SDK.
With OpenWRT 21.02.5 all works fine, but not anymore with version 22.03.2:

The dnsmasq service refuses to start.

In the system logs I have the message: user.err : jail: failed to clone/fork: Operation not permitted
I think that dnsmasq cannot fork in the background...

Any idea?

Dockerfile:

FROM hub.docker.mbedsys.org/internal/build-openwrt:23.03 as builder

SHELL ["/bin/bash", "-c"]

ENV OPENWRT_VERSION=22.03.2
ENV OPENWRT_VERS="$OPENWRT_VERSION"
ENV OPENWRT_URL_BASE="https://archive.openwrt.org"
ENV OPENWRT_URL_DIR="releases/$OPENWRT_VERS/targets/x86/64"
ENV OPENWRT_URL_BASENAME="openwrt-imagebuilder-$OPENWRT_VERS-x86-64.Linux-x86_64"

RUN PACKAGE_LIST=(                                  \
        6in4                                        \
        collectd-mod-cpu                            \
        collectd-mod-interface                      \
        collectd-mod-load                           \
        collectd-mod-memory                         \
        collectd-mod-network                        \
        -dnsmasq dnsmasq-full                       \
        ip-full                                     \
        iptables-mod-physdev                        \
        iptables-mod-nat-extra                      \
        luci-app-commands                           \
        luci-app-diag-core                          \
        luci-app-firewall                           \
        luci-app-ntpc                               \
        luci-app-openvpn                            \
        luci-app-qos                                \
        luci-app-statistics                         \
        luci-app-vnstat                             \
        luci-app-wol                                \
        luci-app-nlbwmon                            \
        luci-app-wifischedule                       \
        luci-app-wireguard                          \
        luci-proto-ipv6                             \
        luci-proto-qmi                              \
        luci-ssl                                    \
        picocom                                     \
        umbim                                       \
        uqmi                                        \
        usb-modeswitch                              \
        wifischedule                                \
        wireless-tools                              \
    ) \
 && wget -O - "$OPENWRT_URL_BASE/$OPENWRT_URL_DIR/$OPENWRT_URL_BASENAME.tar.xz" | tar -xJ \
 && cd "$OPENWRT_URL_BASENAME" && make image PACKAGES="${PACKAGE_LIST[*]}" \
 && mkdir /home/user/staging && tar -C /home/user/staging -xf \
    bin/targets/x86/64/openwrt-$OPENWRT_VERS-x86-64-generic-rootfs.tar.gz \
 && rm -rf /home/user/staging/lib/{modules,firmware} \
 && mkdir -m 755 /home/user/staging/lib/{modules,firmware}

FROM scratch

COPY --from=builder /home/user/staging/. /

RUN mkdir -p /var/lock /var/run /tmp/resolv.conf.d

ENTRYPOINT /sbin/init

docker-compose file:

version: '2.4'
services:
  router:
    container_name: router
    image: hub.docker.mbedsys.org/internal/router:23.04
    environment: []
    volumes:
      - /lib/modules:/lib/modules:ro
      - ./router/root:/root
      - ./router/etc/config:/etc/config
      - ./router/etc/dropbear:/etc/dropbear
      - ./router/var/log:/var/log
    restart: unless-stopped
    dns:
      - ::1
      - 127.0.0.1
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    mem_limit: 1024m
    network_mode: host

The user.err : jail: failed to clone/fork: Operation not permitted error seems to be triggered from the line:
https://lxr.openwrt.org/source/procd/jail/jail.c#L3108

Solved by masking the procd-ujail package, adding -procd-ujail to my package list.
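
A diagnostic for the "Operation not permitted" error above, as an added example that is not part of the original posts or of OpenWrt. It decodes a CapEff mask from /proc/<pid>/status and reports whether CAP_SYS_ADMIN is held. It assumes the jail's clone() requests new namespaces, which the kernel refuses without CAP_SYS_ADMIN; the function names and the sample mask are constructed, and a seccomp profile can still block the call even when the capability is present.

```shell
#!/bin/sh
# Added example: decode a CapEff mask (as shown in /proc/<pid>/status) and
# report whether the capability needed for namespace creation is held.
# Assumption: the jail's clone() asks for new namespaces, which the kernel
# only allows with CAP_SYS_ADMIN (bit 21) outside a user namespace.

# Constructed sample: Docker's default capability set plus the two entries
# from cap_add in the compose file above (NET_ADMIN, SYS_MODULE).
SAMPLE_CAPEFF=00000000a80535fb

# has_cap MASK BIT: succeeds when capability number BIT is set in hex MASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# held_caps MASK: print the names, from the short table below, that are set.
held_caps() {
    out=""
    for entry in 12:NET_ADMIN 16:SYS_MODULE 21:SYS_ADMIN; do
        bit=${entry%%:*}
        name=${entry#*:}
        if has_cap "$1" "$bit"; then out="$out$name "; fi
    done
    printf '%s\n' "${out% }"
}

# jail_verdict MASK: "ok" if CAP_SYS_ADMIN is held, otherwise "blocked".
jail_verdict() {
    if has_cap "$1" 21; then echo ok; else echo blocked; fi
}

# Report for the sample and, when readable, for the current process.
echo "sample:  held=[$(held_caps "$SAMPLE_CAPEFF")] jail=$(jail_verdict "$SAMPLE_CAPEFF")"
if [ -r /proc/self/status ]; then
    cur=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    if [ -n "$cur" ]; then
        echo "current: held=[$(held_caps "$cur")] jail=$(jail_verdict "$cur")"
    fi
fi
```

Run inside the container, the "current" line shows the mask the jail helper itself would inherit from /sbin/init.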
