Procd init scripts - understanding service jails and reading files

Noino · February 25, 2026, 10:35pm

First post here so here goes. I am new to OpenWrt, BusyBox and ash shell, but not to Linux.

I've installed and am using the package snowflake-proxy whose procd init script is here. This is a generic question about procd service jails & I've read the docs here.

The snowflake-proxy command tries to reads from two default, absolute file paths (hard coded here in the source code). These files exist and are readable:

# ls -l /usr/share/tor
-rw-r--r--    1 root     root       9163013 Feb 25 20:04 geoip
-rw-r--r--    1 root     root      16533752 Feb 25 20:04 geoip6

If I simply run # snowflake-proxy. The output from the command looks like this and shows that the files have been successfully read:

# snowflake-proxy
2026/02/25 22:06:31 Using geoip file  /usr/share/tor/geoip  with checksum 4bdff9c5c91eb87685fb637e8cbcb1f5b0cab970
2026/02/25 22:06:31 Loaded  372677  entries into table
2026/02/25 22:06:33 Using geoip file  /usr/share/tor/geoip6  with checksum 265f349d046819240b0a930ba50b2a4274c2b362
2026/02/25 22:06:33 Loaded  286480  entries into table
2026/02/25 22:06:33 Proxy starting
...

However, if I start the process via the init script (/etc/init.d/snowflake-proxy start) and then read the logs (logread|grep snowflake-proxy) I see that the files have not been read:

<timestamp> daemon.err snowflake-proxy[14681]: 2026/02/25 22:07:18 Error loading geoip db for country based metrics: open /usr/share/tor/geoip: no such file or directory
<timestamp> daemon.err snowflake-proxy[14681]: 2026/02/25 22:07:18 Proxy starting

Furthermore, if I comment out the line procd_add_jail snowflake-proxy ronly in the init script, and then run it I see logs that confirm the files were successfully read.

Question: I understand service jails are to facilitate process isolation. The docs say the "ronly" flag for procd_add_jail "Re-mount[s] jail rootfs read-only". As this seems to be preventing file reads by the jailed process how can the script be modified such that this is permitted? The files are read once only at startup and not read thereafter.

Once I understand what is preventing the file reads and have formulated & tested a solution I aim to do a PR for this package.

Noino · March 2, 2026, 6:41pm

The answer was simply to add the following lines in the start_service() function:

procd_add_jail_mount /usr/share/tor/geoip
procd_add_jail_mount /usr/share/tor/geoip6