alpine issues
https://gitlab.alpinelinux.org/groups/alpine/-/issues
2024-02-04T16:54:20Z

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15739
community/loki: Package does not create "loki" user
2024-02-04T16:54:20Z
chimo omich

On a fresh Alpine 3.19:
`# apk add loki && service loki start`
```
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/2) Installing loki (2.9.2-r0)
(2/2) Installing loki-openrc (2.9.2-r0)
Executing busybox-1.36.1-r15.trigger
OK: 80 MiB in 32 packages
* Caching service dependencies ... [ ok ]
* Starting loki ...
* start-stop-daemon: user `loki' not found
* Failed to start loki [ !! ]
* ERROR: loki failed to start
```
The `grafana' group might need to be created too.
Michael Pirogov

https://gitlab.alpinelinux.org/alpine/apk-tools/-/issues/10972
package version formatting
2024-03-27T16:28:48Z
Sertonix

The issue has mutated to a discussion about the version formatting in general.
Related !144, #7100, #10816
## Old description
The version format for virtual packages (`YYYYmmdd.HHMMSS`) doesn't include a `pkgrel` like packages normally have (`<pkgver>-r<pkgrel>`).
This creates ambiguity in the output of the `apk list` command. Normally it is enough to strip the last 2 dashes but that doesn't work with the version format of virtual packages:
- `<pkgname>-<pkgver>-r<pkgrel>`
- `<pkgname>-YYYYmmdd.HHMMSS`
I suggest adding `-r0` to the version of virtual packages [`app_add.c#L118`](https://gitlab.alpinelinux.org/alpine/apk-tools/-/blob/acefa1acc1ce0e1871d17b4eafe4b1888f45d4d0/src/app_add.c#L118). !132 does fix the `apk list` problem too but a consistent version format would still be better.
v3.0

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15736
let abuild manage GOCACHE, GOMODCACHE, GOTMPDIR, CARGO_HOME
2024-03-21T17:52:00Z
Sertonix

When the `MOVE_CACHES` environmental variable is set abuild will export `GOCACHE`, `GOMODCACHE`, `GOTMPDIR`, `CARGO_HOME`.
A lot of `APKBUILD` files export these variables too though. I suggest removing the exports from the `APKBUILD` files.
Since this would be a larger effort I want to know some opinions on that before starting.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15735
DHCP fails on netboot in system with dual port NIC since 3.19.1
2024-02-04T01:11:37Z
Scott Yeager

I've been testing network booting Alpine 3.19 on bare metal. At version 3.19.0, the system was able to boot up. In version 3.19.1, something has changed and `udhcpc` no longer obtains a lease, so the system doesn't finish booting.
My boot method is via iPXE with no special kernel args. Two routes produce the same result:
1. [3.19.1 archive](https://dl-cdn.alpinelinux.org/alpine/v3.19/releases/x86_64/alpine-netboot-3.19.1-x86_64.tar.gz) extracted to my local web server and an iPXE script based on the [wiki example](https://wiki.alpinelinux.org/wiki/Netboot_Alpine_Linux_using_iPXE)
2. Booting the latest 3.19 artifacts directly from Alpine CDN using netboot.xyz
The system in question has a dual port NIC, `eth0` and `eth1`, with only `eth1` plugged in. Perhaps the issue is that lease solicitation is only happening on `eth0`, but I haven't tested swapping the ethernet cable to `eth0`. If I boot from a 3.19.1 standard ISO, I can bring up `eth1` and obtain a lease with `udhcpc` manually by targeting the interface specifically.
Hardware is Intel Xeon D-1518 SOC using integrated NIC.

https://gitlab.alpinelinux.org/alpine/tsc/-/issues/78
Future of init systems (pid-1, service manager)
2024-02-13T17:11:37Z
Sertonix

The current init stack (busybox init + openrc) has its flaws.
Current efforts exist to at least allow other configurations (https://gitlab.alpinelinux.org/alpine/aports/-/issues/15725).
There are a lot of possible alternatives but the ones I have seen people interested in are `dinit` (from @PureTryOut) and `s6-linux-init`+`s6-rc` (from @skarnet).
These are some questions that arise and that might affect a lot of packages:
- Do we want to allow changing pid-1 / service manager? (https://gitlab.alpinelinux.org/alpine/aports/-/merge_requests/59848)
- Do we want to support multiple pid-1 / service managers? (`dinit`, `runit`, `s6-linux-init`, `s6-rc` are already packaged)
- Do we want to change the default pid-1 / service manager?
I try to create a unified service format that can get converted into at least the `dinit`, `openrc` and `s6-rc` formats (Current status: [sertonix/cross-services](https://gitlab.alpinelinux.org/sertonix/cross-services)). When that works supporting multiple service managers shouldn't be that big of a maintenance problem.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15733
If pam-rundir and elogind are both installed, gnome desktop won't launch from tty.
2024-02-01T17:30:46Z
Ahmad Raniri

Recently I can't launch gnome desktop from tty; using a display manager is just fine. After I searched for a solution I found this [post](https://www.reddit.com/r/voidlinux/comments/vpjvbr/how_to_change_elogind_to_seatd_on_void_msul_with/). It's said that pam-rundir and elogind are not supposed to be installed at the same time or we should not have them in the same system. After I removed pam-rundir, I can launch gnome desktop from tty.
Before I removed pam-rundir, I got this in /var/log/messages
```
auth.warn elogind[2376]: Directory "/run/user" already exists, but has mode 0775 that is too permissive (0755 was requested), refusing.
```
After I removed pam-rundir, that message disappeared.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15731
[Package request]: bkt - subprocess caching utility
2024-01-30T22:12:21Z
Yonas Yanfa

**Name:** bkt
**License:** MIT
**Repository:** https://github.com/dimo414/bkt
**Releases:** https://github.com/dimo414/bkt/releases
**Dependencies:** Requires Rust to compile

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15729
community/lagrange: please also compile the TUI client "clagrange"
2024-01-29T09:58:04Z
Carlo Monte

Since version 1.13, Lagrange also contains a TUI client called "clagrange".
Would it please be possible to include this one in the package as well?
Thank you.
Michał Polański

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15726
[Package request]: nom - A RSS reader for the terminal
2024-03-16T11:32:44Z
Marek Ľach

**Name:** nom
**License:** GPLv3
**Repository:** https://github.com/guyfedwards/nom
**Releases:** https://github.com/guyfedwards/nom/releases
**Dependencies:** [go](https://pkgs.alpinelinux.org/packages?name=go&branch=edge&repo=&arch=&maintainer=), [glow](https://pkgs.alpinelinux.org/packages?name=glow&branch=edge&repo=&arch=&maintainer=)...

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15725
Multiple pid-1 / service managers
2024-03-03T14:08:08Z
Sertonix

This issue is to coordinate the addition of dinit and s6 support in alpine linux (and maybe more).
Note the important distinction between pid-1 and service manager! They can be both the same binary though (eg. `dinit`).
- [pid-1](https://wiki.alpinelinux.org/wiki/User:Sertonix/Freedom_of_choice#PID_1): busybox `init`, `openrc-init`, `s6-linux-init`, `runit-init`, `dinit-init`
- [service manager](https://wiki.alpinelinux.org/wiki/User:Sertonix/Freedom_of_choice#Service_Manager): `openrc`, `s6-rc`, `runit`, `dinit`, busybox `runit`
This is what I came up with as important steps (order irrelevant):
* [ ] Remove busybox init bias (Draft !59848)
* [ ] Add `busybox-init` subpackage depending on `/etc/inittab`
* [ ] Split `/etc/inittab` from `alpine-baselayout` into `openrc-inittab` subpackage providing `/etc/inittab`
* [ ] Create meta packages that are used in the `install_if` of service packages. (eg. `install_if=dinit-system-services`)
* [ ] `openrc-system-services`
* [ ] `dinit-system-services`
* [ ] pid-1 provide `/sbin/init`
* [ ] Create a service format that can generate OpenRC, dinit and s6 service files (for reducing effort) (Testing [cross-services](https://gitlab.alpinelinux.org/sertonix/cross-services))

https://gitlab.alpinelinux.org/alpine/cloud/tiny-cloud/-/issues/55
deprecate/remove vnic_eth_hotplug (etc.)
2024-01-27T18:48:08Z
Jake Buchholz Göktürk

The Alpine aports APKBUILD is still configuring `vnic_eth_hotplug` module, but it's no longer installed.
With the switch to `dhcpcd`, this is no longer needed, and we should be able to remove it, `imds-net-sync`, and maybe even `assemble-interfaces`.

https://gitlab.alpinelinux.org/alpine/cloud/tiny-cloud/-/issues/54
404 is okay if there's no user-data set
2024-01-27T18:45:15Z
Jake Buchholz Göktürk

treat 404 when trying to get user-data as success -- it wasn't set.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15722
Icons in some kde apps (kasts, kweather, more?) don't show up (not using a kde desktop)
2024-03-17T12:15:35Z
Zach DeCook

In both Alpine 3.19.0 and in postmarketOS edge, when installing some kde applications to use in a non-kde desktop environment, the icons don't show up.
kasts:
![2024-01-27T08_04_47_402535121-05_00](/uploads/a19f86912b24b3cf178de438a3d42926/2024-01-27T08_04_47_402535121-05_00.png)
kweather:
![2024-01-27T08_20_32_000000000-05_00](/uploads/35e98e048e50510e8f24754c3d1d1382/2024-01-27T08_20_32_000000000-05_00.png)
@PureTryOut
Bart Ribbers

https://gitlab.alpinelinux.org/alpine/mkinitfs/-/issues/53
allow multiple url in alpine_repo
2024-01-27T08:43:27Z
Justin

based on the code in init, it's not able to set multiple repo like : alpine_repo="https://.../main https://.../contrib ", can you support this syntax? thanks

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15721
release checklist 3.18.6, 3.17.7, 3.16.9
2024-01-26T23:03:26Z
Natanael Copa

* [x] set version in main/alpine-base. see git log for commit message format
* [x] `git tag -a <version>`
* [x] before git push, verify that builders are idle. don’t push until they are
* [x] `git push && git push --tags`
* [x] write release notes and publish on alpinelinux.org
* [x] update alpine-mksite/alpine-releases.conf.yaml
* [x] verify that builders complete the release build successfully (check if release is uploaded to dl-master)
* [x] sign releases
* [x] make docker image release PR
* [ ] publish cloud images
* [x] send release announcement to ~alpine/announce@lists.alpinelinux.org
* [x] post a tweet (https://tweetdeck.twitter.com)
* [ ] post a toot (https://fosstodon.org/)
* [ ] Celebrate

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15720
Separate the library files for each QT package
2024-03-04T16:07:46Z
Fxzx mic

I'm not sure if it's feasible, so it's just a proposal. After all, no one wants to install the entire package and its accompanying dependencies just because a software relies on a single library file.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15719
community/mate-applets: stickynotes-applet not provided and not usable
2024-01-29T10:02:48Z
Fafa Kitten

On most distros, MATE can have sticky notes, but on Alpine Linux and Gentoo the sticky notes icon can't spawn sticky notes and it crashes if you try to spawn a sticky note and then double click on the icon, and on Alpine Linux you have to install `gtksourceview-dev`, then remove `--disable-stickynotes` from the `ABUILD` and recompile it in order to see the icon to begin with.
How to reproduce the crash:
- if necessary, recompile `mate-applets` without using `--disable-stickynotes`
- right click on a MATE panel->Add to Panel->Sticky Notes->Add->Right click Sticky Notes Icon->New Note->Double click Sticky Notes Icon
How to reproduce the backtrace:
- if necessary, recompile `mate-applets` without using `--disable-stickynotes`
- compile `mate-applets` and `libx11` with debug symbols and unstripped
- open a shell and type this:
```
gdb /usr/libexec/stickynotes-applet
run
```
right click on a MATE panel->Add to Panel->Sticky Notes->Add->Right click Sticky Notes Icon->New Note->Double click Sticky Notes Icon
Type this in the shell:
```
bt
```
Gentoo issue - https://bugs.gentoo.org/922937
MATE issue - https://github.com/mate-desktop/mate-applets/issues/664
Francesco Colista

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15718
release checklist 3.19.1
2024-01-26T21:26:20Z
Natanael Copa

* [x] check that kernel version are in sync (eg linux-lts and linux-rpi)
* [x] check that raspberrypi-bootloader is up-to-date
* [x] create new milestone https://gitlab.alpinelinux.org/groups/alpine/-/milestones
* [x] change milestone to version-next on all unresolved issues
* [x] set version in main/alpine-base. see git log for commit message format
* [x] `git tag -a <version>`
* [x] before git push, verify that builders are idle. don’t push until they are
* [x] `git push && git push --tags`
* [x] write release notes and publish on alpinelinux.org
* [x] update alpine-mksite/alpine-releases.conf.yaml
* [x] verify that builders complete the release build successfully (check if release is uploaded to dl-master)
* [x] sign releases
* [x] make docker image release PR
* [ ] publish cloud images
* [x] update topic in IRC channels
* [x] update https://wiki.alpinelinux.org/wiki/Template:AlpineLatest
* [x] send release announcement to ~alpine/announce@lists.alpinelinux.org
* [x] post a tweet (https://tweetdeck.twitter.com)
* [x] post a toot (https://fosstodon.org/)
* [ ] Celebrate

https://gitlab.alpinelinux.org/alpine/tsc/-/issues/77
Add Celeste as developer
2024-02-04T22:10:34Z
omni
omni+alpine@hack.org

See https://git.alpinelinux.org/aports/log/?qt=author&q=Celeste :upside_down:
In addition to a large volume of quality commits, @Celeste is also pragmatic, friendly and helpful within the project.

https://gitlab.alpinelinux.org/alpine/aports/-/issues/15715
Alpine 3.19 container image delete iptables rule error (iptables: Bad rule (does a matching rule exist in that chain?).)
2024-02-04T10:11:34Z
pexcn

Alpine 3.19 container image reports an error when deleting iptables rules, but deleting it on the host is normal.
The process to reproduce the problem is as follows:
1. Start the Alpine 3.19 container image and install components.
```sh
docker run -itd --name=alpine-319 --network=host --privileged=true alpine:3.19
docker exec -it alpine-319 sh
/ # apk add --no-cache iptables iptables-legacy ip6tables tzdata wireguard-tools=1.0.20210914-r3 wireguard-tools-doc=1.0.20210914-r3
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/24) Installing libmnl (1.0.5-r2)
(2/24) Installing libnftnl (1.2.6-r0)
(3/24) Installing libxtables (1.8.10-r3)
(4/24) Installing iptables (1.8.10-r3)
(5/24) Installing libip4tc (1.8.10-r3)
(6/24) Installing libip6tc (1.8.10-r3)
(7/24) Installing iptables-legacy (1.8.10-r3)
(8/24) Installing tzdata (2023d-r0)
(9/24) Installing wireguard-tools-wg (1.0.20210914-r3)
(10/24) Installing libcap2 (2.69-r1)
(11/24) Installing zstd-libs (1.5.5-r8)
(12/24) Installing libelf (0.190-r1)
(13/24) Installing iproute2-minimal (6.6.0-r0)
(14/24) Installing iproute2-tc (6.6.0-r0)
(15/24) Installing iproute2-ss (6.6.0-r0)
(16/24) Installing iproute2 (6.6.0-r0)
Executing iproute2-6.6.0-r0.post-install
(17/24) Installing ncurses-terminfo-base (6.4_p20231125-r0)
(18/24) Installing libncursesw (6.4_p20231125-r0)
(19/24) Installing readline (8.2.1-r2)
(20/24) Installing bash (5.2.21-r0)
Executing bash-5.2.21-r0.post-install
(21/24) Installing openresolv (3.13.2-r0)
(22/24) Installing wireguard-tools-wg-quick (1.0.20210914-r3)
(23/24) Installing wireguard-tools (1.0.20210914-r3)
(24/24) Installing wireguard-tools-doc (1.0.20210914-r3)
Executing busybox-1.36.1-r15.trigger
OK: 18 MiB in 39 packages
/ # iptables -V
iptables v1.8.10 (nf_tables)
```
2. Create iptables rules in the container.
```sh
/ # iptables -A FORWARD -i wg-vps -j ACCEPT; iptables -A FORWARD -o wg-vps -j ACCEPT
/ # iptables -t mangle -A POSTROUTING -o wg-vps -p tcp -j TCPMSS --clamp-mss-to-pmtu
/ # iptables-save | grep wg
-A POSTROUTING -o wg-vps -p tcp -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i wg-vps -j ACCEPT
-A FORWARD -o wg-vps -j ACCEPT
/ # iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1433K 443M GFW_DEFENSE 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 193 udp2rawDwrW_6c17f961_C0 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1800
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- wg-vps * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * wg-vps 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain GFW_DEFENSE (1 references)
pkts bytes target prot opt in out source destination
1406K 440M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9462 1062K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_whitelist src
387 20129 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_blacklist src
17849 2741K RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp2rawDwrW_6c17f961_C0 (1 references)
pkts bytes target prot opt in out source destination
3 193 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
```
3. Delete the iptables rule in the container. When deleting `iptables -D FORWARD -o wg-vps -j ACCEPT`, an error is reported `does a matching rule exist in that chain?`.
```sh
/ # iptables -D FORWARD -i wg-vps -j ACCEPT
/ # iptables -D FORWARD -o wg-vps -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).
/ # iptables -t mangle -D POSTROUTING -o wg-vps -p tcp -j TCPMSS --clamp-mss-to-pmtu
/ # iptables-save | grep wg
-A FORWARD -o wg-vps -j ACCEPT
/ # iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1436K 444M GFW_DEFENSE 0 -- * * 0.0.0.0/0 0.0.0.0/0
3 193 udp2rawDwrW_6c17f961_C0 6 -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1800
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 0 -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT 0 -- * wg-vps 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 0 -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain GFW_DEFENSE (1 references)
pkts bytes target prot opt in out source destination
1408K 440M ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9483 1064K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_whitelist src
388 20189 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_blacklist src
17929 2752K RETURN 0 -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp2rawDwrW_6c17f961_C0 (1 references)
pkts bytes target prot opt in out source destination
3 193 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
```
4. The host environment information is as follows.
```sh
root@LAXB ~ # cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
root@LAXB ~ # uname -mrs
Linux 6.0.0-0.deb11.6-amd64 x86_64
root@LAXB ~ # docker info
Client:
Context: default
Debug Mode: false
Plugins:
compose: Docker Compose (Docker Inc.)
Version: v2.16.0
Path: /usr/libexec/docker/cli-plugins/docker-compose
Server:
Containers: 6
Running: 6
Paused: 0
Stopped: 0
Images: 7
Server Version: 23.0.1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Using metacopy: false
Native Overlay Diff: true
userxattr: false
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: runc io.containerd.runc.v2
Default Runtime: runc
Init Binary: docker-init
containerd version: 2456e983eb9e37e47538f59ea18f2043c9a73640
runc version: v1.1.4-0-g5fd4c4d
init version: de40ad0
Security Options:
apparmor
seccomp
Profile: builtin
cgroupns
Kernel Version: 6.0.0-0.deb11.6-amd64
Operating System: Debian GNU/Linux 11 (bullseye)
OSType: linux
Architecture: x86_64
CPUs: 1
Total Memory: 471.9MiB
Name: LAXB
ID: 3f740c04-20c9-4621-9db2-8e33c2be088a
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
root@LAXB ~ # docker-compose version
Docker Compose version v2.16.0
```
5. It is normal to delete the corresponding iptables rules on the host
```sh
root@LAXB ~ # iptables-save | grep wg
-A FORWARD -o wg-vps -j ACCEPT
root@LAXB ~ # iptables -D FORWARD -o wg-vps -j ACCEPT
root@LAXB ~ # iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
1451K 448M GFW_DEFENSE all -- * * 0.0.0.0/0 0.0.0.0/0
3 193 udp2rawDwrW_6c17f961_C0 tcp -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER-ISOLATION-STAGE-1 all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain GFW_DEFENSE (1 references)
pkts bytes target prot opt in out source destination
1423K 444M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
9536 1067K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_whitelist src
393 20453 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 match-set gfw_defense_blacklist src
18024 2766K RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain udp2rawDwrW_6c17f961_C0 (1 references)
pkts bytes target prot opt in out source destination
3 193 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
```
Alpine 3.19 container image information
```sh
root@LAXB ~ # docker image inspect alpine:3.19
[
{
"Id": "sha256:f8c20f8bbcb684055b4fea470fdd169c86e87786940b3262335b12ec3adef418",
"RepoTags": [
"alpine:3.19"
],
"RepoDigests": [
"alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48"
],
"Parent": "",
"Comment": "",
"Created": "2023-12-08T01:20:49.650406179Z",
"Container": "f2f93a8109b6034cb27137e7cb0a77417b4d7529cde89524d455964455c0d23a",
"ContainerConfig": {
"Hostname": "f2f93a8109b6",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh",
"-c",
"#(nop) ",
"CMD [\"/bin/sh\"]"
],
"Image": "sha256:c068232ea3eea78e6800063b9b599c95911729d5c8dd2a2b737684998eefb10a",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": {}
},
"DockerVersion": "20.10.23",
"Author": "",
"Config": {
"Hostname": "",
"Domainname": "",
"User": "",
"AttachStdin": false,
"AttachStdout": false,
"AttachStderr": false,
"Tty": false,
"OpenStdin": false,
"StdinOnce": false,
"Env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
],
"Cmd": [
"/bin/sh"
],
"Image": "sha256:c068232ea3eea78e6800063b9b599c95911729d5c8dd2a2b737684998eefb10a",
"Volumes": null,
"WorkingDir": "",
"Entrypoint": null,
"OnBuild": null,
"Labels": null
},
"Architecture": "amd64",
"Os": "linux",
"Size": 7377066,
"VirtualSize": 7377066,
"GraphDriver": {
"Data": {
"MergedDir": "/var/lib/docker/overlay2/258a55d4871c650b528ab0d60d6418f7031cbb138cf3354555aaaad04add7b41/merged",
"UpperDir": "/var/lib/docker/overlay2/258a55d4871c650b528ab0d60d6418f7031cbb138cf3354555aaaad04add7b41/diff",
"WorkDir": "/var/lib/docker/overlay2/258a55d4871c650b528ab0d60d6418f7031cbb138cf3354555aaaad04add7b41/work"
},
"Name": "overlay2"
},
"RootFS": {
"Type": "layers",
"Layers": [
"sha256:5af4f8f59b764c64c6def53f52ada809fe38d528441d08d01c206dfb3fc3b691"
]
},
"Metadata": {
"LastTagTime": "0001-01-01T00:00:00Z"
}
}
]
```
Natanael Copa