[Bug] Fine-grained control with --cap-add when running openclash in a docker container #3849
Comments
The required permissions are listed here.

Of these, according to https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities, only needs to be added additionally. I also tested giving . Is there some permission that is used but not listed? The symptom is that the client machine cannot do DNS resolution at all.

If nothing resolves, you need to check whether the kernel has any logs, or whether the firewall is not configured properly.

No kernel logs either. I will do another reproduction this weekend when I have time. By the way, with docker stop xxx the host also crashes most of the time; it is currently unclear whether this is a Debian environment problem or a problem with docker running privileged, so --restart was only given 3 attempts, otherwise it turns into an infinite-restart nightmare.
Verify Steps
OpenClash Version
v0.46.003-beta
Bug on Environment
Docker
OpenWrt Version
openwrt 23.05.3
Bug on Platform
Linux-armv6
Describe the Bug
Running the openwrt image that contains openclash with --privileged works without problems. Running the container with --cap-add=NET_ADMIN --cap-add=SYS_RESOURCE --cap-add=SYS_PTRACE, openclash starts normally, but clients cannot do any resolution.
To Reproduce
The docker run commands were, respectively:
cap-add approach, adding
NET_ADMIN, SYS_RESOURCE, SYS_PTRACE
separately. The others, according to https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities, are default behavior. This approach can start the openwrt container and start openclash, and proxying works normally from inside the container, but once the client's gateway and DNS point to the container IP, the client cannot resolve anything.
privileged approach: everything works.
OpenClash Log
OpenClash Config
No response
Expected Behavior
Expect to be able to use
--cap-add
for fine-grained control. The --privileged
approach too easily causes problems on the host, such as kernel crashes.
Additional Context
No response
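A first check when --cap-add does not behave like --privileged is to confirm which capabilities actually landed in the container, by decoding the CapEff mask from /proc/<pid>/status. The script below is an added example, not part of the issue or the OpenClash project; the bit numbers come from linux/capability.h, the sample masks are constructed (Docker's default set, that set plus the three capabilities from the report, and a fully privileged set), and note that --privileged also disables the default seccomp and AppArmor profiles and exposes host devices, so a difference between the two modes is not necessarily a missing capability.

```shell
# Added example: decode a CapEff hex mask and report missing capabilities.
# Bit numbers from linux/capability.h (assumption: standard Linux values).
cap_name_to_bit() {
  case "$1" in
    NET_ADMIN)    echo 12 ;;
    NET_RAW)      echo 13 ;;
    SYS_PTRACE)   echo 19 ;;
    SYS_RESOURCE) echo 24 ;;
    *)            echo -1 ;;
  esac
}

# has_cap HEXMASK NAME: prints yes/no; exit 0 if present, 1 if absent, 2 if unknown
has_cap() {
  mask="$1"
  bit=$(cap_name_to_bit "$2")
  [ "$bit" -ge 0 ] || return 2
  # 64-bit shell arithmetic: shift the mask right by the bit index and test the low bit
  if [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]; then
    echo yes; return 0
  else
    echo no; return 1
  fi
}

# missing_caps HEXMASK NAME...: space-separated list of requested caps not in the mask
missing_caps() {
  mask="$1"; shift
  out=""
  for name in "$@"; do
    has_cap "$mask" "$name" >/dev/null || out="${out:+$out }$name"
  done
  echo "$out"
}

# current_cap_eff: CapEff of the shell itself (run inside the container to inspect it)
current_cap_eff() {
  awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# Constructed sample masks (not taken from the issue):
#   00000000a80425fb  Docker default capability set
#   00000000a90c35fb  default set + NET_ADMIN + SYS_PTRACE + SYS_RESOURCE
#   000001ffffffffff  fully privileged (all capabilities)
missing_caps 00000000a80425fb NET_ADMIN SYS_PTRACE SYS_RESOURCE NET_RAW
```

Inside a running container, `missing_caps "$(current_cap_eff)" NET_ADMIN SYS_PTRACE SYS_RESOURCE` shows whether the --cap-add flags took effect before looking further at firewall or DNS configuration.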