I am trying to run OpenWrt on podman

This is precisely the problem: in order to achieve higher performance, among the relatively cheap solutions only x86 is available, and dedicated solutions lack customization.

But it's true that a good enough CPU+ hardware NAT+ other hardware accelerators are a more elegant solution for device manufacturers when making 40Gbps-100Gbps devices.

Higher speed devices are purely custom solutions, or even dedicated SOCs.

Even the most common MT7621 is enough to support 1Gbps network bandwidth when hardware NAT is enabled, and I remember that in tests the general computing performance of a normal ARM SoC was twice as high as that of MIPS.

It's not for sqm/cake or vpn at those throughputs, and your offloading flies out of the window once you enable sqm.

There is no direct relation between "computing performance" and "routing performance", or more generally I/O performance. A simple example: ipq806x or ipq807x are very fast on the computational side, but their I/O side shackles them for routing use (they don't work well without NSS offloading).

I prefer to think that this is intentional on Qualcomm's part, and their performance should be much more than that, although their performance is still outdated for mobile SoCs.

After booting without using systemd, it seems to work unexpectedly well, but it seems to be limited by macvlan's limitations, and everything seems very strange.

In short, I am in the same situation as everyone else. I have an OpenWrt (temporarily called AC) working in a virtual machine, and I have an AP. The AP's br-lan obtains an address from AC through DHCP. As I want to control the host of OpenWrt, the host should also have an IP address, and the network topology becomes very complex. In short, it is due to the limitations of the macvlan network itself.

Out of curiosity, what are the specs of your dedicated x86_64 router?
Those are some impressive consumption numbers

The recent developments have led to an apparently normalized state, albeit with an unusual network topology. Adding a second macvlan to the br-lan within the podman container resulted in anomalous behavior, wherein one interface could acquire an address through DHCP but couldn't engage in other forms of communication. Ultimately, I managed to resolve this by establishing a bridge (br0) connecting the two physical devices, subsequently allowing podman containers to connect to br0 via macvlan, which seemed to rectify the situation.

Given the excessively intricate network topology, I chose not to have the openwrt within the container use br-lan, as the bridge had already been configured within the host machine.

In my experience, it's important to ensure that the owner of your /etc directory is changed to root:root, as otherwise, you may encounter issues with SSH key authentication when attempting to log in to the router.
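The host-side setup the post above describes (a bridge br0 over the two physical NICs, a host address on br0 so the machine stays reachable, and a podman macvlan network whose parent is br0), written out as an added example. This is not the poster's script; interface names, the subnet, the host address and the network name are placeholders. With DRY_RUN=1 every command is printed instead of executed, so the plan can be reviewed before it is run as root on a live gateway.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: eth0/eth1 are the two
# physical NICs, br0 the host bridge, "lan" the podman macvlan network,
# 192.168.1.0/24 the LAN with OpenWrt at .1 and the host at .2.

# run CMD...: execute CMD, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# setup_bridge BRIDGE HOST_ADDR NIC...
# Create BRIDGE, enslave each NIC to it, and give the host its own address on
# the bridge. A macvlan cannot talk to its parent interface, so the host must
# reach the LAN through br0 itself, not through the container's macvlan.
setup_bridge() {
    br="$1"; host_addr="$2"; shift 2
    run ip link add "$br" type bridge
    for nic in "$@"; do
        run ip link set "$nic" master "$br"
        run ip link set "$nic" up
    done
    run ip addr add "$host_addr" dev "$br"
    run ip link set "$br" up
}

# setup_macvlan_net NETNAME PARENT SUBNET GATEWAY
# Define the podman macvlan network on top of the bridge. The container then
# appears on the wire with its own MAC, and podman does not need the
# container's own br-lan because bridging already happens on the host.
setup_macvlan_net() {
    run podman network create -d macvlan \
        -o parent="$2" --subnet "$3" --gateway "$4" "$1"
}

# Typical invocation (requires root on the host):
#   setup_bridge br0 192.168.1.2/24 eth0 eth1
#   setup_macvlan_net lan br0 192.168.1.0/24 192.168.1.1
```

Run it first with `DRY_RUN=1` and read the printed commands; once they match the intended topology, run the two functions without the variable. Note that podman's macvlan driver requires a rootful podman, which is the privilege problem discussed later in the thread.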

Do you happen to know the minimal Linux capabilities required to run an openwrt container?

I wonder how you are getting on with OpenWrt running in podman? I also would like to run OpenWrt in a container on Fedora CoreOS. I just today made the decision that I no longer want to use limited devices with EXTROOT etc.
The goal is to make an ignition file which sets up Fedora CoreOS with OpenWRT configured and working as needed.
I wonder what network you use? My initial idea was to use host networking, but macvlan could be better. Any thoughts?

Just to be very explicit -again- running OpenWrt in a container is not a supported configuration and will fail in a number of areas, as well as silently rip up serious security issues - don't do it; full system virtualization (e.g. kvm) is fine.

Note that due to privilege issues, running OpenWrt in a container will have troubles like the following (previously I tested with Proxmox LXC):

No extra device control, including virtual devices, so you can expect that even the simplest PPPoE dialup won't work, not to mention VPN tunnel devices; you can't create new devices inside the container. Of course, when I run LXC I can allow root privileges to mitigate the issue, but it's not a good move.

With your Fedora why not just use KVM and run a guest VM?

To run OpenWrt in podman, you need to give the container more privileges, including the dangerous sys_admin permission, because I can't get OpenWrt to work properly without sys_admin, and the isolation of a container is weaker than that of a VM. Combined with the abuse of privilege, this made me abandon the plan.
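Two helpers, added here as an example rather than taken from the post: a container start line that drops every capability and adds back only a small set (including CAP_SYS_ADMIN, which the poster found unavoidable and which is the reason the isolation argument is lost), and a decoder for the CapEff mask from /proc/self/status so you can verify what the container actually received instead of trusting the command line. The capability set, image name and network name are assumptions to be trimmed or extended against the real failure mode; the capability numbering is the kernel's.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed: the image is called
# "openwrt-rootfs" and the podman network "lan"; the capability list is a
# starting point, not a verified minimum.

# run CMD...: execute CMD, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# run_openwrt NETWORK IMAGE: start the container with an explicit allowlist.
# CAP_NET_ADMIN/NET_RAW cover interface and firewall setup, NET_BIND_SERVICE
# the DHCP/DNS listeners; CAP_SYS_ADMIN is the catch-all the poster needed and
# is close to host root, so it is the one to try to remove first.
run_openwrt() {
    run podman run -d --name openwrt --network "$1" \
        --cap-drop=ALL \
        --cap-add=NET_ADMIN --cap-add=NET_RAW \
        --cap-add=NET_BIND_SERVICE --cap-add=SYS_ADMIN \
        "$2"
}

# Capability names in kernel bit order (include/uapi/linux/capability.h):
# bit 0 = chown ... bit 12 = net_admin, 13 = net_raw, 21 = sys_admin, ...
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# decode_caps HEXMASK: print the cap_* names set in a CapEff/CapBnd hex mask,
# e.g. the value after "CapEff:" in /proc/self/status inside the container.
decode_caps() {
    mask="$1"; i=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (0x$mask >> i) & 1 )) -eq 1 ]; then
            out="$out${out:+ }cap_$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# has_cap HEXMASK NAME: succeed when NAME (without cap_ prefix) is in the mask.
has_cap() {
    case " $(decode_caps "$1") " in
        *" cap_$2 "*) return 0 ;;
    esac
    return 1
}

# Usage (after the container is up):
#   run_openwrt lan openwrt-rootfs
#   eff=$(podman exec openwrt awk '/^CapEff/ {print $2}' /proc/self/status)
#   decode_caps "$eff"
#   has_cap "$eff" sys_admin && echo "still carrying CAP_SYS_ADMIN"
```

The check matters more than the allowlist: if the decoded effective set still shows cap_sys_admin after you have tried to drop it, the container can remount filesystems and reach much of the host kernel surface, and the isolation argument for "container instead of VM" does not hold, which is the conclusion the post above reaches.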

Hi all, thanks for all your posts. After doing research I came to the conclusion that this won't fly, as there are too many limitations. It started with the problem that you can't use macvlan with rootless containers. It all came down to high privileges. So I gave up on the idea. Now I'm exploring running it in a VM. But I see another problem. My mini PC with 4 Ethernet ports is not very modern. It doesn't have TPM2, so I have not yet solved the problem of drive encryption, and running Clevis/Tang complicates things and makes it fragile. I'm thinking I might need to buy a newer device.

It is almost impossible to make the OpenWrt container work in rootless mode; multiple privileges need to be granted. Namespaced networking is also very difficult to use in rootless mode, which makes it very scary to run gateway devices in a container. If the OpenWrt container could be run in rootless mode, I think it would be more interesting.
