I would like to share my experimental OpenWrt Docker Image. I created it to run OpenWrt on a Raspberry Pi 5 and on a Weidmueller UC20-M4000 PLC with u-OS. But I tested it also with an Ubuntu 23.10 and Ubuntu 24.04 host, so this image should be generic.
Main features:
KVM acceleration via qemu
Supports CPU architectures x86_64 and aarch64
Web-based viewer for tty console
Attaches two physical Ethernet interfaces (LAN/WAN) exclusively into the docker container
Create virtual LAN between OpenWrt and host system (LAN only)
USB passthrough e.g. for modem or Wi-Fi
Automatic config migration when OpenWrt container is updated (experimental)
I would like to get your feedback on that! For example, is there a general interest in an OpenWrt container, or what do you think about running OpenWrt on an embedded device via virtualization?
There is certainly no interest in running OpenWrt in a container, as that is broken by design - with grave functionality and serious security issues. OpenWrt does hard-depend on un-/loading kernel modules at will, configuring sysctl settings and querying the (networking-) hardware (this hardware may be virtual, but it needs to be in charge of it, without the containerization filtering or failing those actions).
containerization, like docker, lxc, lxd, virtuozzo, OpenVZ, v-server: no
full system virtualization, like qemu-kvm, virtualbox, hyper-v, vmware: yes
real hardware/ bare-iron: yes
This has been discussed many times before, so the above is the short form of it.
tl;dr: running OpenWrt in a container is broken and insecure.
…and importing the ready-made OpenWrt disk images into the virtualization option of your choosing shouldn't take you more than 2 minutes either; I certainly wouldn't trust any third party with that for the sake of convenience.
--
I'm feeling like a broken record already, this is the third time this has been raised this week alone…
I understand your point, but inside the Docker container I run qemu-kvm, so technically speaking I do a full system virtualization, and I use the ready-made OpenWrt images for that.
Do you still think that this is "broken and insecure"?
I think I need to explain a little bit more in detail why I created this Docker image.
Two years ago I started experimenting with OpenWrt in LXC and Docker (just the rootfs). So I used the host Linux kernel instead of the OpenWrt Linux kernel. Surprisingly, a lot of things just worked fine, but I ran into limitations pretty soon. For me it was mandatory to connect a 4G/5G modem to it. With the host kernel it was not possible because of many different reasons. I didn't check this thread "Running OpenWrt in a Docker container" in detail, but I think the limitations are discussed there.
With this experience I was looking for an alternative approach. After tests with QEMU and QEMU's USB pass-through feature, I was successful in connecting a 4G/5G modem to OpenWrt. In this case I used the OpenWrt Linux kernel, of course.
You may ask why I still want to use Docker? In the industrial world you have Linux systems where it is not possible to install software via a package manager (like apt or opkg, for example). Usually the base Linux OS is packed as a firmware and runs in read-only mode. Because customers are requesting customer-specific features, many different vendors started to add Docker to the base system. Yes, Docker is running on DIN rail mounted embedded systems! In my case, where I wanted to run OpenWrt as a software router on top of the base system, the only way is to pack everything into a Docker image. So I'm using Alpine as image base layer, install qemu into the image and run OpenWrt in qemu. With USB pass-through, macvtap and some Linux network namespace magic it is possible to run OpenWrt completely isolated from the host system.
Because OpenWrt is running as a VM it can be used without any limitations!
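As an added example (not the poster's image or any code from the thread), here is a minimal POSIX shell sketch of the launcher the post describes: KVM-accelerated QEMU inside the container, a physical NIC handed over exclusively via a passthru macvtap, and the modem attached via USB host passthrough. The interface name, image path and USB IDs are placeholders, and it assumes the container was started with /dev/kvm, /dev/bus/usb and CAP_NET_ADMIN rather than --privileged.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholders: /openwrt/openwrt.img,
# eth1, USB IDs 0x1234/0x5678. Needs /dev/kvm, /dev/bus/usb and CAP_NET_ADMIN
# inside the container (prefer these over --privileged).
set -eu

# Refuse to start without hardware acceleration: a silent fallback to TCG
# emulation would "work" but with very different performance and behaviour.
preflight() {                          # $1 = disk image
    [ -c /dev/kvm ] || { echo "no /dev/kvm in container" >&2; return 1; }
    [ -r "$1" ] || { echo "disk image $1 not readable" >&2; return 1; }
}

# Hand a physical NIC exclusively to the VM: macvtap in passthru mode binds the
# whole interface to one tap device, so the host stack never sees that traffic.
# Prints the tap character device path. Requires CAP_NET_ADMIN.
macvtap_create() {                     # $1 = physical iface, $2 = macvtap name
    ip link add link "$1" name "$2" type macvtap mode passthru
    ip link set "$2" up
    echo "/dev/tap$(cat "/sys/class/net/$2/ifindex")"
}

# Assemble the QEMU command line as a string. No side effects, so the exact
# flags can be reviewed and tested without root or hardware.
# $1 arch (x86_64|aarch64)  $2 image  $3 tap fd number  $4 USB vendor  $5 USB product
qemu_args() {
    case "$1" in
        x86_64)  machine="-M q35" ;;
        aarch64) machine="-M virt" ;;
        *) echo "unsupported arch $1" >&2; return 1 ;;
    esac
    printf '%s' "qemu-system-$1 -enable-kvm -cpu host $machine -m 512M -nographic \
 -drive file=$2,format=raw,if=virtio \
 -netdev tap,id=wan,fd=$3 -device virtio-net-pci,netdev=wan \
 -device qemu-xhci -device usb-host,vendorid=$4,productid=$5"
}

# The privileged part only runs when explicitly requested.
if [ "${RUN_OPENWRT_VM:-0}" = 1 ]; then
    IMG=/openwrt/openwrt.img                  # placeholder image path
    preflight "$IMG"
    TAP=$(macvtap_create eth1 wan0)           # placeholder physical interface
    exec 3<>"$TAP"                            # pass the tap to QEMU as fd 3
    eval "$(qemu_args "$(uname -m)" "$IMG" 3 0x1234 0x5678)"  # placeholder USB IDs
fi
```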