Run OpenWrt 22.03 in systemd-nspawn container

Issue

dnsmasq fails to start.

Why? ujail is enabled by default on OpenWrt 22.03, and inside a systemd-nspawn container procd lacks the privileges for some of the jail operations, e.g. bind-mounting /tmp/xxx onto /dev/log.

How to fix

0x1. Uninstall procd-ujail and procd-seccomp

opkg remove procd-ujail
opkg remove procd-seccomp

0x2. Fix dnsmasq service script

The jail block in /etc/init.d/dnsmasq (it only runs when /sbin/ujail is executable):

[ -x /sbin/ujail -a -e /etc/capabilities/ntpd.json ] && {
	procd_add_jail dnsmasq ubus log
	procd_add_jail_mount $CONFIGFILE $DHCPBOGUSHOSTNAMEFILE $DHCPSCRIPT $DHCPSCRIPT_DEPENDS
	procd_add_jail_mount $EXTRA_MOUNT $RFC6761FILE $TRUSTANCHORSFILE
	procd_add_jail_mount $dnsmasqconffile $dnsmasqconfdir $resolvdir $user_dhcpscript
	procd_add_jail_mount /etc/passwd /etc/group /etc/TZ /etc/hosts /etc/ethers
	procd_add_jail_mount_rw /var/run/dnsmasq/ $leasefile
	case "$logfacility" in */*)
		[ ! -e "$logfacility" ] && touch "$logfacility"
		procd_add_jail_mount_rw "$logfacility"
	esac
}

Linux socket bind IPv6 only

Socket options

IPv6 supports some protocol-specific socket options that can be set with setsockopt and read with getsockopt. The socket option level for IPv6 is IPPROTO_IPV6. A boolean integer flag is false when zero, otherwise true.

IPV6_V6ONLY

If this flag is set to true (nonzero), then the socket is restricted to sending and receiving IPv6 packets only. In this case, an IPv4 and an IPv6 application can bind to a single port at the same time.

If this flag is set to false (zero), then the socket can be used to send and receive packets to and from an IPv6 address or an IPv4-mapped IPv6 address.

The argument is a pointer to a boolean value in an integer.

The default value for this flag is defined by the contents of the file /proc/sys/net/ipv6/bindv6only. The default value for that file is 0 (false).

Example

int one = 1;
setsockopt (fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof (one));

Refer to: https://man7.org/linux/man-pages/man7/ipv6.7.html
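To see the port-sharing behaviour described above in practice, here is an added example (not from the man page or the original note) that binds an IPv6 socket to [::]:0 with each IPV6_V6ONLY setting and then tries to bind an IPv4 socket to 0.0.0.0 on the port the kernel chose; the probe_dual_bind function and the DUAL_BIND_* codes are this example's own names.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
/* Result codes for probe_dual_bind(); the names are this example's own. */
enum { DUAL_BIND_OK = 1, DUAL_BIND_CONFLICT = 0, DUAL_BIND_ERR = -1, DUAL_BIND_NO_IPV6 = -2 };

/* Bind an IPv6 TCP socket to [::]:0 (kernel picks a free port) with the given
 * IPV6_V6ONLY value, then try to bind an IPv4 TCP socket to 0.0.0.0 on the same
 * port. OK: both binds succeed. CONFLICT: IPv4 bind fails with EADDRINUSE because
 * the dual-stack socket already owns the port. NO_IPV6: no IPv6 sockets on host. */
int probe_dual_bind(int v6only)
{
    int rc = DUAL_BIND_ERR;
    struct sockaddr_in6 sa6 = { .sin6_family = AF_INET6, .sin6_addr = in6addr_any };
    struct sockaddr_in sa4 = { .sin_family = AF_INET };
    socklen_t len = sizeof(sa6);
    int fd6 = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd6 < 0)
        return errno == EAFNOSUPPORT ? DUAL_BIND_NO_IPV6 : DUAL_BIND_ERR;
    int fd4 = socket(AF_INET, SOCK_STREAM, 0);
    if (fd4 < 0) { close(fd6); return DUAL_BIND_ERR; }
    /* IPV6_V6ONLY must be set before bind(); it has no effect afterwards. */
    if (setsockopt(fd6, IPPROTO_IPV6, IPV6_V6ONLY, &v6only, sizeof(v6only)) < 0)
        goto out;
    if (bind(fd6, (struct sockaddr *)&sa6, sizeof(sa6)) < 0)
        goto out;
    if (getsockname(fd6, (struct sockaddr *)&sa6, &len) < 0) /* learn chosen port */
        goto out;
    sa4.sin_port = sa6.sin6_port;          /* same port; already in network order */
    sa4.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd4, (struct sockaddr *)&sa4, sizeof(sa4)) == 0)
        rc = DUAL_BIND_OK;
    else if (errno == EADDRINUSE)
        rc = DUAL_BIND_CONFLICT;
out:
    close(fd4);
    close(fd6);
    return rc;
}

int main(void)
{
    printf("IPV6_V6ONLY=1 -> %d (1: IPv4 socket could bind the same port)\n", probe_dual_bind(1));
    printf("IPV6_V6ONLY=0 -> %d (0: IPv4 bind refused with EADDRINUSE)\n", probe_dual_bind(0));
    return 0;
}
```

The value of /proc/sys/net/ipv6/bindv6only does not matter here because the option is set explicitly on the socket before bind().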

IP addr-label persistent by systemd

This example shows how to make an IPv6 address label persistent with systemd-networkd.

/etc/systemd/network/eth0.network :

[Match]
Name=eth0

[Network]
Address=192.168.0.1/24
Gateway=192.168.0.254
DNS=192.168.0.254

[IPv6AddressLabel]
Label=100
Prefix=2409::/16

[IPv6AddressLabel]
Label=100
Prefix=2606::/16

It worked if you can see the labels you configured:

$ ip addrl
prefix ::1/128 label 0
prefix ::/96 label 3
prefix ::ffff:0.0.0.0/96 label 4
prefix 2001::/32 label 6
prefix 2001:10::/28 label 7
prefix 2606::/16 dev br0 label 100
prefix 2409::/16 dev br0 label 100
prefix 3ffe::/16 label 12
prefix 2002::/16 label 2
prefix fec0::/10 label 11
prefix fc00::/7 label 5
prefix ::/0 label 1