OpenWrt CT

[norbertjoni]

https://openwrt.org/

[norbertjoni]

https://openwrt.org/docs/guide-user/virtualization/lxc

[tteck]

#1435

[jaminmc]

Working OpenWRT in a Proxmox Container!

It is possible, and also have it be unprivlaged.

The rootfs used by LXD and the rootfs on the LXD images is almost the same, but with the following patch...

diff -ruN open/etc/init.d/dnsmasq lxd/etc/init.d/dnsmasq
--- open/etc/init.d/dnsmasq	2023-04-27 16:28:15
+++ lxd/etc/init.d/dnsmasq	2023-07-20 07:58:00
@@ -1168,17 +1168,17 @@
 	[ -n "$instance_ifc" ] && network_get_device instance_netdev "$instance_ifc" &&
 		[ -n "$instance_netdev" ] && procd_set_param netdev $instance_netdev
 
-	procd_add_jail dnsmasq ubus log
-	procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
-	procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
-	procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
-	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
-	procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
+	: procd_add_jail dnsmasq ubus log
+	: procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
+	: procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
+	: procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
+	: procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
+	: procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
 	case "$logfacility" in */*)
 		[ ! -e "$logfacility" ] && touch "$logfacility"
-		procd_add_jail_mount_rw "$logfacility"
+		: procd_add_jail_mount_rw "$logfacility"
 	esac
-	[ -e "$hostsfile" ] && procd_add_jail_mount $hostsfile
+	[ -e "$hostsfile" ] && : procd_add_jail_mount $hostsfile
 
 	procd_close_instance
 }
diff -ruN open/etc/init.d/sudo lxd/etc/init.d/sudo
--- open/etc/init.d/sudo	1969-12-31 19:00:00
+++ lxd/etc/init.d/sudo	2022-03-16 22:45:02
@@ -0,0 +1,11 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2014 OpenWrt.org
+
+START=99
+
+start() {
+	[ -d /var/lib/sudo ] || {
+		mkdir -m 0755 -p /var/lib/sudo
+		chmod 0700 /var/lib/sudo
+	}
+}
diff -ruN open/etc/rc.d/S19dnsmasq lxd/etc/rc.d/S19dnsmasq
--- open/etc/rc.d/S19dnsmasq	2023-04-27 16:28:15
+++ lxd/etc/rc.d/S19dnsmasq	2023-07-20 07:58:00
@@ -1168,17 +1168,17 @@
 	[ -n "$instance_ifc" ] && network_get_device instance_netdev "$instance_ifc" &&
 		[ -n "$instance_netdev" ] && procd_set_param netdev $instance_netdev
 
-	procd_add_jail dnsmasq ubus log
-	procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
-	procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
-	procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
-	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
-	procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
+	: procd_add_jail dnsmasq ubus log
+	: procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
+	: procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
+	: procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
+	: procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
+	: procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
 	case "$logfacility" in */*)
 		[ ! -e "$logfacility" ] && touch "$logfacility"
-		procd_add_jail_mount_rw "$logfacility"
+		: procd_add_jail_mount_rw "$logfacility"
 	esac
-	[ -e "$hostsfile" ] && procd_add_jail_mount $hostsfile
+	[ -e "$hostsfile" ] && : procd_add_jail_mount $hostsfile
 
 	procd_close_instance
 }
diff -ruN open/etc/rc.d/S99sudo lxd/etc/rc.d/S99sudo
--- open/etc/rc.d/S99sudo	1969-12-31 19:00:00
+++ lxd/etc/rc.d/S99sudo	2022-03-16 22:45:02
@@ -0,0 +1,11 @@
+#!/bin/sh /etc/rc.common
+# Copyright (C) 2014 OpenWrt.org
+
+START=99
+
+start() {
+	[ -d /var/lib/sudo ] || {
+		mkdir -m 0755 -p /var/lib/sudo
+		chmod 0700 /var/lib/sudo
+	}
+}
diff -ruN open/etc/sudoers lxd/etc/sudoers
--- open/etc/sudoers	1969-12-31 19:00:00
+++ lxd/etc/sudoers	2022-03-16 22:45:02
@@ -0,0 +1,96 @@
+## sudoers file.
+##
+## This file MUST be edited with the 'visudo' command as root.
+## Failure to use 'visudo' may result in syntax or file permission errors
+## that prevent sudo from running.
+##
+## See the sudoers man page for the details on how to write a sudoers file.
+##
+
+##
+## Host alias specification
+##
+## Groups of machines. These may include host names (optionally with wildcards),
+## IP addresses, network numbers or netgroups.
+# Host_Alias	WEBSERVERS = www1, www2, www3
+
+##
+## User alias specification
+##
+## Groups of users.  These may consist of user names, uids, Unix groups,
+## or netgroups.
+# User_Alias	ADMINS = millert, dowdy, mikef
+
+##
+## Cmnd alias specification
+##
+## Groups of commands.  Often used to group related commands together.
+# Cmnd_Alias	PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
+# 			    /usr/bin/pkill, /usr/bin/top
+# Cmnd_Alias	REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff
+
+##
+## Defaults specification
+##
+## You may wish to keep some of the following environment variables
+## when running commands via sudo.
+##
+## Locale settings
+# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+##
+## Run X applications through sudo; HOME is used to find the
+## .Xauthority file.  Note that other programs use HOME to find   
+## configuration files and this may lead to privilege escalation!
+# Defaults env_keep += "HOME"
+##
+## X11 resource path settings
+# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+##
+## Desktop path settings
+# Defaults env_keep += "QTDIR KDEDIR"
+##
+## Allow sudo-run commands to inherit the callers' ConsoleKit session
+# Defaults env_keep += "XDG_SESSION_COOKIE"
+##
+## Uncomment to enable special input methods.  Care should be taken as
+## this may allow users to subvert the command being run via sudo.
+# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+##
+## Uncomment to use a hard-coded PATH instead of the user's to find commands
+# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+##
+## Uncomment to send mail if the user does not enter the correct password.
+# Defaults mail_badpass
+##
+## Uncomment to enable logging of a command's output, except for
+## sudoreplay and reboot.  Use sudoreplay to play back logged sessions.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!REBOOT !log_output
+
+##
+## Runas alias specification
+##
+
+##
+## User privilege specification
+##
+root ALL=(ALL:ALL) ALL
+
+## Uncomment to allow members of group wheel to execute any command
+# %wheel ALL=(ALL:ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
+
+## Uncomment to allow members of group sudo to execute any command
+# %sudo	ALL=(ALL:ALL) ALL
+
+## Uncomment to allow any user to run sudo if they know the password
+## of the user they are running the command as (root by default).
+# Defaults targetpw  # Ask for the password of the target user
+# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
+
+## Read drop-in files from /etc/sudoers.d
+@includedir /etc/sudoers.d

If I download the rootfs from openwrt on my proxmox, and then untar it. do the patch:
patch -Np1 -d extractedopenwrt < patch.txt

Note: patch isn't included in the default proxmox install, so you will need to do a apt install patch to get it to work :)

Then I tar up that folder and then put it in my templates, I can install from commandline:

vid=111
storage=local-zfs
pct create $vid openwrt-23.05.0-rc2-x86-64-rootfs-patched.tar.gz --arch amd64 --hostname OpenWrt-LXC --rootfs $storage:$vid --memory  128 --swap 128 --cores 2 --ostype unmanaged --unprivileged 1 --features keyctl=1,mknod=1

Then setup network interfaces in the webui....
create these 2 networks.
eth0 = WAN
eth1 = LAN

If you do it with the rootfs without the patch, the DHCP server won't work, and you will pull out your hair trying to figure it out :)