Latest revision as of 15:51, 12 March 2019
Docker OpenWrt Image
First steps
# import the snapshot rootfs tarball straight from the URL as a single-layer image
# (snapshot builds change daily and nothing here verifies the download)
docker import https://downloads.openwrt.org/snapshots/targets/x86/64/openwrt-x86-64-generic-rootfs.tar.gz openwrt-x86-64-generic-rootfs
docker images
# sanity check: one command, then an interactive shell; --rm removes the container on exit
docker run --rm -i openwrt-x86-64-generic-rootfs cat /etc/banner
docker run --rm -i -t openwrt-x86-64-generic-rootfs /bin/ash
Building a usable OpenWrt environment
Head (snapshot) builds have assorted problems, so use a release build instead.
wget https://downloads.openwrt.org/releases/18.06.1/targets/x86/64/openwrt-18.06.1-x86-64-generic-rootfs.tar.gz
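Added example, not from the original page: a POSIX sh check of the downloaded rootfs against the sha256sums manifest that OpenWrt publishes next to each release build, so that the file handed to ADD or docker import is the one the project built. It assumes GNU sha256sum and a manifest in sha256sum's own format ("<hex> *<filename>" per line); the manifest URL in the usage comment assumes that file sits in the same release directory as the rootfs.

```shell
#!/bin/sh
# Added example (not part of the original page): verify an OpenWrt rootfs tarball
# against the sha256sums manifest before building an image from it.
# Assumes GNU coreutils sha256sum and a manifest in sha256sum format:
#   <64 hex chars> *<filename>
set -u

# verify_rootfs MANIFEST FILE
#   0 = FILE matches its manifest entry, 1 = digest mismatch,
#   2 = no manifest entry for FILE (treat that as a failure as well)
verify_rootfs() {
    manifest=$1
    file=$2
    name=$(basename "$file")
    # sha256sum writes "*name" in binary mode and "name" in text mode; accept both
    expected=$(awk -v n="$name" '$2 == ("*" n) || $2 == n { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "verify_rootfs: no entry for $name in $manifest" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_rootfs: digest mismatch for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "verify_rootfs: ok $name"
    return 0
}

# Typical use (needs network; the sha256sums location is an assumption about the
# release directory layout):
#   BASE=https://downloads.openwrt.org/releases/18.06.1/targets/x86/64
#   wget "$BASE/openwrt-18.06.1-x86-64-generic-rootfs.tar.gz" "$BASE/sha256sums"
#   verify_rootfs sha256sums openwrt-18.06.1-x86-64-generic-rootfs.tar.gz \
#       && docker build -t openwrt-18.06.1-x86-64-generic-rootfs:latest .
```

The manifest arrives over the same TLS connection as the tarball, so this catches a corrupted or swapped file but not a compromised mirror; checking the manifest's detached signature against the OpenWrt release key closes that remaining gap.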
Dockerfile:
# single-layer image built from the release rootfs, no base image
FROM scratch
# ADD of a local tar archive extracts it into the image, here at /
ADD ./openwrt-18.06.1-x86-64-generic-rootfs.tar.gz /
# documentation only; ports are actually published with -p at run time
EXPOSE 80 443 22
# UCI network config (below), baked in so netifd has a usable config at first boot
ADD network /etc/config/network
# already the default for scratch, kept explicit
USER root
# start OpenWrt's init (procd) as PID 1 so init scripts and netifd come up
CMD ["/sbin/init"]
network:
# 172.17.0.2/16 via 172.17.0.1 is only right for the first container on Docker's
# default bridge; the address is corrected from docker inspect after the first start
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '172.17.0.2'
	option netmask '255.255.0.0'
	option gateway '172.17.0.1'
	# no IPv6 prefix delegation on this interface
	option delegate '0'
docker build -t openwrt-18.06.1-x86-64-generic-rootfs:latest .
# --device /dev/kmsg: procd writes its log to the kernel ring buffer
# --tmpfs /tmp: OpenWrt expects a tmpfs on /tmp and cannot mount one itself without CAP_SYS_ADMIN
# --cap-add NET_ADMIN: netifd needs it to configure eth0 and the bridge (scoped to the
#   container's own network namespace)
# only 22 and 80 are published; 443 from EXPOSE is not reachable from the host
docker run -d --name openwrt --device /dev/kmsg --tmpfs /tmp --cap-add NET_ADMIN -p 8822:22 -p 8880:80 openwrt-18.06.1-x86-64-generic-rootfs:latest
docker exec -it openwrt /bin/ash
# read the address Docker assigned and push it into UCI; the substitution must happen on
# the host, so use "$(...)" (with single quotes around backticks, uci would receive the
# literal command text instead of the address)
docker exec openwrt uci set network.lan.ipaddr="$(docker inspect --format='{{ .NetworkSettings.IPAddress }}' openwrt)"
docker exec openwrt uci commit
# LAN-facing services the container does not need: DHCPv6/RA server, DHCP+DNS server, NTP
# (sysntpd also cannot set the clock, since Docker does not grant CAP_SYS_TIME)
docker exec openwrt /etc/init.d/odhcpd disable
docker exec openwrt /etc/init.d/dnsmasq disable
docker exec openwrt /etc/init.d/sysntpd disable
docker restart openwrt
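The same bring-up as a script, added here as an example and not taken from the page: address, prefix length and gateway are read from docker inspect and fed to uci batch on stdin (so no shell quoting of the values is involved), and the netmask is derived from the prefix length instead of being hardcoded to /16. The container name, image tag, run options and service list are the page's; cidr_to_netmask, render_uci_lan and bringup are hypothetical helper names, and bringup only runs when the script is invoked with the argument bringup.

```shell
#!/bin/sh
# Added example (not from the original page): bring up the OpenWrt container and
# point its UCI 'lan' interface at the address Docker actually assigned.
set -eu

IMAGE=openwrt-18.06.1-x86-64-generic-rootfs:latest
NAME=openwrt

# cidr_to_netmask PREFIXLEN -> dotted netmask (16 -> 255.255.0.0)
cidr_to_netmask() {
    p=$1
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || { echo "bad prefix length: $p" >&2; return 1; }
    out=""
    for octet_no in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            o=255; p=$((p - 8))
        else
            # remaining bits of this octet set from the top, e.g. 4 -> 240
            o=$((256 - (1 << (8 - p)))); p=0
        fi
        out="${out}${out:+.}$o"
    done
    printf '%s\n' "$out"
}

# render_uci_lan IP PREFIXLEN GATEWAY -> uci batch commands, one per line
render_uci_lan() {
    ip=$1; prefix=$2; gw=$3
    mask=$(cidr_to_netmask "$prefix") || return 1
    printf 'set network.lan.ipaddr=%s\n' "$ip"
    printf 'set network.lan.netmask=%s\n' "$mask"
    printf 'set network.lan.gateway=%s\n' "$gw"
    printf 'commit network\n'
}

bringup() {
    docker build -t "$IMAGE" .
    docker run -d --name "$NAME" --device /dev/kmsg --tmpfs /tmp --cap-add NET_ADMIN \
        -p 8822:22 -p 8880:80 "$IMAGE"
    # what Docker assigned, e.g. "172.17.0.2 16 172.17.0.1" for the first container on docker0
    set -- $(docker inspect -f '{{.NetworkSettings.IPAddress}} {{.NetworkSettings.IPPrefixLen}} {{.NetworkSettings.Gateway}}' "$NAME")
    # uci batch reads commands from stdin, so the values never pass through a shell parser
    render_uci_lan "$1" "$2" "$3" | docker exec -i "$NAME" uci batch
    # LAN-facing services the container does not need (sysntpd also lacks CAP_SYS_TIME here)
    for svc in odhcpd dnsmasq sysntpd; do
        docker exec "$NAME" "/etc/init.d/$svc" disable
    done
    docker restart "$NAME"
}

if [ "${1:-}" = bringup ]; then
    bringup
fi
```

Run it as `sh bringup.sh bringup` from the directory holding the Dockerfile and the network file; the hardcoded address in that file only has to be plausible for the first boot, since the real one is written in before the restart.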
Miscellaneous notes
With an OpenWrt Head build running under Docker in an IPv4-only environment, wget for some reason tries to bind over IPv6 and fails with 'Failed to establish connection'.
There is nothing wrong with the network configuration, yet it still goes and binds over IPv6. wget -4 works fine, naturally. The wget binary is really uclient-fetch. Turning IPv6 off completely on the host OS also works around it.
Brute-force workaround:
mv /bin/wget /bin/wget.orig
# quoted heredoc: nothing is expanded while writing, so the script receives "$@" verbatim
cat <<'EOF' > /bin/wget
#!/bin/ash
# force IPv4 and pass every argument through unchanged ("$@" keeps arguments with spaces intact)
exec /bin/wget.orig -4 "$@"
EOF
chmod +x /bin/wget
# a package upgrade that ships /bin/wget (uclient-fetch) will replace this wrapper
security
These are better restricted on the host side. kernel.dmesg_restrict matters for this setup because the container is started with --device /dev/kmsg: at 1, reading the kernel log (dmesg, or opening /dev/kmsg for reading) requires CAP_SYSLOG, which Docker does not grant by default, so the container can still write procd's log lines to /dev/kmsg but cannot read the host's kernel messages. Note that kernel.yama.ptrace_scope=0 is the permissive classic mode, not a restriction; 1 limits ptrace to a process's own descendants. sysctl -w does not survive a reboot; put the same keys in a file under /etc/sysctl.d/ to make them persistent.
# kernel log readable only with CAP_SYSLOG (container root does not have it)
sudo sysctl -w kernel.dmesg_restrict=1
# hide kernel addresses (/proc/kallsyms and friends) from processes without CAP_SYSLOG
sudo sysctl -w kernel.kptr_restrict=1
# Yama: 1 = a process may ptrace only its descendants; 0 would be the unrestricted classic mode
sudo sysctl -w kernel.yama.ptrace_scope=1