Procd jail does not work in LXC, dnsmasq fails to start

I compiled and installed the trunk OpenWrt tarball in Proxmox Virtual Environment (PVE) 7.2 as a CT (Linux Containers, or LXC).
I found that dnsmasq does not start up.
After commenting out the procd jail code in dnsmasq_start() in /etc/init.d/dnsmasq, dnsmasq starts normally.

        procd_open_instance $cfg
        procd_set_param command $PROG -C $CONFIGFILE -k -x /var/run/dnsmasq/dnsmasq."${cfg}".pid
        procd_set_param file $CONFIGFILE
        [ -n "$user_dhcpscript" ] && procd_set_param env USER_DHCPSCRIPT="$user_dhcpscript"
        procd_set_param respawn

        local instance_ifc instance_netdev
        config_get instance_ifc "$cfg" interface
        [ -n "$instance_ifc" ] && network_get_device instance_netdev "$instance_ifc" &&
                [ -n "$instance_netdev" ] && procd_set_param netdev $instance_netdev

#       procd_add_jail dnsmasq ubus log
#       procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
#       procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
#       procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
#       procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
#       procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
#       case "$logfacility" in */*)
#               [ ! -e "$logfacility" ] && touch "$logfacility"
#               procd_add_jail_mount_rw "$logfacility"
#       esac

        procd_close_instance
}

I think sysntpd has the same issue.


Thank you, I ran into the same problem as you. I downloaded the official OpenWrt 22.03.2 x86 tarball as an image and ran it with LXD on an Ubuntu 22.04 host. After trying your solution, it works.

Thank you.
This solved a big problem; I registered an account specially to thank you.

The proposed workaround also worked for me.

I also managed to make it work without modifications:

  • first I set features: nesting=1, this solved the jail error but another error appeared (failed to seed the random number generator)
  • then I changed the container to privileged

Having both privileged and nesting, dnsmasq seems to work fine.
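
Added example, not part of any post in this thread: a small check for the Proxmox host that reads a CT config (the format of /etc/pve/lxc/<vmid>.conf) and reports the two settings changed in the last post, so containers that ended up privileged can be found again later. The function names, the sample config and the rule that only the value 1 counts as enabled are assumptions of this example.

```shell
#!/bin/sh
# Reads a Proxmox CT config on stdin and prints "unprivileged=<0|1> nesting=<0|1>".
# Assumption: only the value 1 is treated as enabled; a missing key counts as 0.
ct_isolation() {
    awk '
        /^\[/ { exit }   # "[name]" starts a snapshot section; keep only the live config
        /^unprivileged:/ { unpriv = ($2 == "1") }
        /^features:/ {
            sub(/^features:[ \t]*/, "")
            n = split($0, opt, ",")          # e.g. "keyctl=1,nesting=1"
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", opt[i])
                if (opt[i] == "nesting=1") nest = 1
            }
        }
        END { printf "unprivileged=%d nesting=%d\n", unpriv, nest }
    '
}

# Prints a readable state; returns non-zero for a privileged container
# (container root is host uid 0), so it can gate an audit loop.
ct_verdict() {
    state=$(ct_isolation)
    case "$state" in
        "unprivileged=1 nesting=0") echo "unprivileged, nesting off" ;;
        "unprivileged=1 nesting=1") echo "unprivileged, nesting on" ;;
        "unprivileged=0 nesting=0") echo "privileged, nesting off"; return 1 ;;
        "unprivileged=0 nesting=1") echo "privileged, nesting on"; return 1 ;;
    esac
}

# Constructed sample: the end state described in the last post (privileged plus
# nesting), followed by a snapshot section that must not influence the result.
sample_conf() {
cat <<'EOF'
arch: amd64
features: nesting=1
hostname: openwrt
[before-change]
features: keyctl=1
unprivileged: 1
EOF
}

sample_conf | ct_verdict || true
```

On a Proxmox host the same check runs against a real container with `ct_verdict < /etc/pve/lxc/<vmid>.conf`.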