No edit summary (→Miscellaneous notes)
(29 intermediate revisions by the same user not shown)
=Docker OpenWrt Image=
==First steps==
<syntaxhighlight lang="bash" enclose="div">
docker import https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-x86-64-generic-rootfs.tar.gz openwrt-x86-64-generic-rootfs
docker images
docker run --rm -i openwrt-x86-64-generic-rootfs cat /etc/banner
docker run --rm -i -t openwrt-x86-64-generic-rootfs /bin/ash
</syntaxhighlight>
==Building a usable OpenWrt environment==
The snapshot (head) build has assorted problems, so use a release build instead.
<syntaxhighlight lang="bash" enclose="div">
wget https://downloads.openwrt.org/releases/18.06.1/targets/x86/64/openwrt-18.06.1-x86-64-generic-rootfs.tar.gz
</syntaxhighlight>
Dockerfile:
<syntaxhighlight lang="text" enclose="div">
FROM scratch
# unpack the release rootfs tarball as the image's filesystem
ADD ./openwrt-18.06.1-x86-64-generic-rootfs.tar.gz /
EXPOSE 80 443 22
# static network configuration for the container (file shown below)
ADD network /etc/config/network
USER root
CMD ["/sbin/init"]
</syntaxhighlight>
network:
<syntaxhighlight lang="text" enclose="div">
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# placeholder address on docker's default bridge; it is corrected below
# from `docker inspect` once the container is running
config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '172.17.0.2'
	option netmask '255.255.0.0'
	option gateway '172.17.0.1'
	option delegate '0'
</syntaxhighlight>
<syntaxhighlight lang="bash" enclose="div">
docker build -t openwrt-18.06.1-x86-64-generic-rootfs:latest .
# NET_ADMIN lets netifd configure the container's interface; /dev/kmsg is used by procd/logd
docker run -d --name openwrt --device /dev/kmsg --tmpfs /tmp --cap-add NET_ADMIN -p 8822:22 -p 8880:80 openwrt-18.06.1-x86-64-generic-rootfs:latest
docker exec -it openwrt /bin/ash
</syntaxhighlight>
<syntaxhighlight lang="bash" enclose="div">
# write the address docker actually assigned into the UCI config
# (the substitution must not sit inside single quotes, or the literal backtick string is stored)
docker exec -it openwrt uci set network.lan.ipaddr="$(docker inspect --format='{{ .NetworkSettings.IPAddress }}' openwrt)"
docker exec -it openwrt uci commit
# services that are not needed for a single container on the docker bridge
docker exec -it openwrt /etc/init.d/odhcpd disable
docker exec -it openwrt /etc/init.d/dnsmasq disable
docker exec -it openwrt /etc/init.d/sysntpd disable
docker restart openwrt
</syntaxhighlight>
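Before the address from `docker inspect` is committed with `uci set`, it is worth checking that it is a well-formed IPv4 address and that it lies in the bridge's subnet (172.17.0.0/16 in the config above), since `uci` will happily store any string. The following is an added example, not code from the wiki page: it only does address arithmetic and prints the `uci` commands for review; the addresses in the demo call at the end are constructed, and nothing in it talks to docker or uci itself.

```shell
#!/bin/sh
# Added example (not from the wiki page): sanity-check the LAN address before
# it is written into /etc/config/network with uci.  Only does arithmetic and
# prints the uci commands; nothing here talks to docker or uci itself.

# ip4_to_int A.B.C.D -> integer value of the address
ip4_to_int() {
    set -- $(printf '%s\n' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# is_ip4 STRING -> 0 if STRING is a dotted quad with octets 0..255
is_ip4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# same_subnet IP GATEWAY NETMASK -> 0 if IP and GATEWAY share the network part
same_subnet() {
    [ $(( $(ip4_to_int "$1") & $(ip4_to_int "$3") )) -eq \
      $(( $(ip4_to_int "$2") & $(ip4_to_int "$3") )) ]
}

# uci_lan_commands IP GATEWAY [NETMASK] -> prints the uci commands for the
# 'lan' interface, or an error on stderr and status 1 if the values are unsafe
uci_lan_commands() {
    lan_ip=$1; lan_gw=$2; lan_mask=${3:-255.255.0.0}
    for addr in "$lan_ip" "$lan_gw" "$lan_mask"; do
        is_ip4 "$addr" || { echo "invalid IPv4 address: $addr" >&2; return 1; }
    done
    [ "$lan_ip" != "$lan_gw" ] || { echo "address equals gateway" >&2; return 1; }
    same_subnet "$lan_ip" "$lan_gw" "$lan_mask" \
        || { echo "$lan_ip is not in the subnet of $lan_gw/$lan_mask" >&2; return 1; }
    printf 'uci set network.lan.ipaddr=%s\n'  "$lan_ip"
    printf 'uci set network.lan.netmask=%s\n' "$lan_mask"
    printf 'uci set network.lan.gateway=%s\n' "$lan_gw"
    printf 'uci commit network\n'
}

# Demo with constructed values (the docker default-bridge addresses used above).
# With a running container the first argument would come from
#   docker inspect --format='{{ .NetworkSettings.IPAddress }}' openwrt
# and the output could be piped into:  docker exec -i openwrt /bin/ash
uci_lan_commands 172.17.0.2 172.17.0.1 255.255.0.0
```

The bitwise comparison in `same_subnet` is the whole point: an address outside the bridge subnet would leave the container without a route to the gateway, and `uci commit` followed by `docker restart` would make that mistake persistent.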
==Miscellaneous notes==
When the OpenWrt head build runs under Docker in an IPv4-only environment, wget for some reason tries to bind over IPv6 and fails with 'Failed to establish connection'.
There is nothing wrong with the network configuration, yet it still goes and binds over IPv6. With wget -4 it works fine, of course. The wget binary is actually uclient-fetch.
Completely disabling IPv6 on the host OS side also avoids it.
Brute-force workaround:
<syntaxhighlight lang="bash" enclose="div">
# replace wget with a wrapper that always forces IPv4 (-4)
mv /bin/wget /bin/wget.orig
cat <<EOF > /bin/wget
#!/bin/ash
/bin/wget.orig -4 "\$@"
EOF
chmod +x /bin/wget
</syntaxhighlight>
==security==
It seems better to apply restrictions on the host side.
<syntaxhighlight lang="bash" enclose="div">
# reading the kernel log then requires CAP_SYSLOG, which docker does not grant to containers by default
sudo sysctl -w kernel.dmesg_restrict=1
# hide kernel addresses in /proc/kallsyms and similar interfaces
sudo sysctl -w kernel.kptr_restrict=1
# 0 = classic ptrace permissions; 1 would restrict ptrace to descendants of the tracer
sudo sysctl -w kernel.yama.ptrace_scope=0
</syntaxhighlight>
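The sysctls above matter because a root shell inside the container shares the host kernel, so kernel log lines and kernel pointer values leak across the container boundary unless the host restricts them. The following is an added checker, not code from the wiki page: it reads the values from `/proc/sys` (or from a constructed directory tree with the same layout passed as the first argument, which is how it runs offline) and reports which keys are not at the expected value. It also lists `net/ipv6/conf/all/disable_ipv6`, which belongs to the IPv6 bind workaround in the notes section rather than to hardening. Note that the page's own snippet sets `kernel.yama.ptrace_scope=0`, the classic permissive mode; the checker treats 1 (ptrace restricted to descendants) as the expected value, so on a host configured exactly as above it reports that key.

```shell
#!/bin/sh
# Added example (not from the wiki page): report whether the host sysctls
# that matter when a root user inside the container shares the host kernel
# are at their expected setting.  ROOT defaults to /proc/sys; a constructed
# directory tree with the same layout can be passed instead for testing.
# The page's snippet sets kernel.yama.ptrace_scope=0 (classic, permissive);
# this checker treats 1 as the expected value.  The net/ipv6 key relates to
# the IPv6 bind issue in the notes, not to hardening.

# check_sysctl ROOT KEY WANT -> prints one line; returns 0 if the value equals
# WANT, 1 if it differs, 2 if the key does not exist on this kernel
check_sysctl() {
    file="$1/$2"
    [ -r "$file" ] || { printf 'MISSING %s\n' "$2"; return 2; }
    read -r have < "$file"
    if [ "$have" = "$3" ]; then
        printf 'OK      %s=%s\n' "$2" "$have"
        return 0
    fi
    printf 'WARN    %s=%s (want %s)\n' "$2" "$have" "$3"
    return 1
}

# audit_host [ROOT] -> one line per key; always returns 0 so it can be piped
audit_host() {
    root=${1:-/proc/sys}
    for spec in \
        kernel/dmesg_restrict=1 \
        kernel/kptr_restrict=1 \
        kernel/yama/ptrace_scope=1 \
        net/ipv6/conf/all/disable_ipv6=1
    do
        check_sysctl "$root" "${spec%=*}" "${spec#*=}" || :
    done
}

# count_warnings [ROOT] -> number of keys that are not OK (WARN or MISSING)
count_warnings() {
    audit_host "${1:-/proc/sys}" | grep -cv '^OK' || :
}

# Run against the real kernel only when invoked with --run, so that sourcing
# this file merely defines the functions.
if [ "${1:-}" = "--run" ]; then
    audit_host
    printf 'keys not at expected value: %s\n' "$(count_warnings)"
fi
```

Run it as `sh audit.sh --run` on the docker host; a MISSING line for `kernel/yama/ptrace_scope` simply means the kernel was built without the Yama LSM, in which case the ptrace_scope sysctl in the snippet above does not exist either.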