switch to rocky linux 10, add --init for zombie reaping, fix NAT setup

- base image alpine -> rockylinux:10 (cgit/fcgiwrap from EPEL) - drop spawn-fcgi, use fcgiwrap -s directly - add --init to reap zombie sshd-auth processes (PID exhaustion fix) - replace ip addr/route networking with nft DNAT/SNAT/FORWARD rules - add FORWARD accept rule that was missing for inbound DNAT traffic
author: Your Name <you@example.com> 2026-02-18 15:12:32 +0800
committer: Your Name <you@example.com> 2026-02-18 15:12:32 +0800
commit: c3a377a265d2ca92b8823be281fa0e487d30692b (patch)
tree: 1d5b4213c65635ffdd82921b633eaaf5bebd2e60 /start_container.sh
parent: b0572c958427ae6ad75109752e9741aab31ad65a (diff)
1 files changed, 16 insertions, 5 deletions
diff --git a/start_container.sh b/start_container.sh
index 2299390..f93f5df 100755
--- a/start_container.sh
+++ b/start_container.sh
@@ -29,6 +29,7 @@ podman build -t cgit "$(dirname "$0")"
 # Run container
 podman run -d \
+    --init \
    --name ${CONTAINER_NAME} \
    --network ${NETWORK} \
    --ip ${PRIVATE_IP} \
@@ -39,11 +40,21 @@ podman run -d \
    -v /git:/git \
    localhost/cgit
-# Setup public IP
+# Setup public IP via DNAT/SNAT
 sleep 2
-# Get the container's network interface name (e.g. eth0)
+OIFACE=$(ip route show default | awk '{print $5; exit}')
-IFACE=$(podman exec ${CONTAINER_NAME} sh -c "ip -o link | grep -v lo | head -1 | cut -d: -f2 | tr -d ' ' | cut -d@ -f1")
+BRIDGE=$(podman network inspect ${NETWORK} 2>/dev/null | python3 -c "import json,sys; print(json.load(sys.stdin)[0]['network_interface'])")
-podman exec ${CONTAINER_NAME} ip addr add ${PUBLIC_IP}/32 dev ${IFACE}
-ip route add ${PUBLIC_IP}/32 via ${PRIVATE_IP}
+# Clean up any stale rules for this IP
+nft -a list chain ip nat PREROUTING 2>/dev/null | grep "daddr ${PUBLIC_IP} " | grep -oP 'handle \K\d+' | while read h; do nft delete rule ip nat PREROUTING handle "$h"; done
+nft -a list chain ip nat POSTROUTING 2>/dev/null | grep "snat to ${PUBLIC_IP}" | grep -oP 'handle \K\d+' | while read h; do nft delete rule ip nat POSTROUTING handle "$h"; done
+nft -a list chain inet netavark FORWARD 2>/dev/null | grep "daddr ${PRIVATE_IP} " | grep -oP 'handle \K\d+' | while read h; do nft delete rule inet netavark FORWARD handle "$h"; done
+nft -a list chain ip nat POSTROUTING 2>/dev/null | grep "daddr ${PRIVATE_IP}.*masquerade" | grep -oP 'handle \K\d+' | while read h; do nft delete rule ip nat POSTROUTING handle "$h"; done
+ip route del ${PUBLIC_IP} 2>/dev/null || true
+nft add rule ip nat PREROUTING ip daddr ${PUBLIC_IP} dnat to ${PRIVATE_IP}
+nft add rule ip nat POSTROUTING ip saddr ${PRIVATE_IP} oifname ${OIFACE} snat to ${PUBLIC_IP}
+nft insert rule inet netavark FORWARD ip daddr ${PRIVATE_IP} oifname ${BRIDGE} accept
+nft add rule ip nat POSTROUTING ip saddr ${PRIVATE_SUBNET} ip daddr ${PRIVATE_IP} oifname ${BRIDGE} masquerade
 echo "Running at https://${DOMAIN}/"
author	Your Name <you@example.com>	2026-02-18 15:12:32 +0800
committer	Your Name <you@example.com>	2026-02-18 15:12:32 +0800
commit	c3a377a265d2ca92b8823be281fa0e487d30692b (patch)
tree	1d5b4213c65635ffdd82921b633eaaf5bebd2e60 /start_container.sh
parent	b0572c958427ae6ad75109752e9741aab31ad65a (diff)

diff --git a/start_container.sh b/start_container.sh index 2299390..f93f5df 100755 --- a/start_container.sh +++ b/start_container.sh
@@ -29,6 +29,7 @@ podman build -t cgit "$(dirname "$0")"
29		29
30	# Run container	30	# Run container
31	podman run -d \	31	podman run -d \
		32	--init \
32	--name ${CONTAINER_NAME} \	33	--name ${CONTAINER_NAME} \
33	--network ${NETWORK} \	34	--network ${NETWORK} \
34	--ip ${PRIVATE_IP} \	35	--ip ${PRIVATE_IP} \
@@ -39,11 +40,21 @@ podman run -d \
39	-v /git:/git \	40	-v /git:/git \
40	localhost/cgit	41	localhost/cgit
41		42
42	# Setup public IP	43	# Setup public IP via DNAT/SNAT
43	sleep 2	44	sleep 2
44	# Get the container's network interface name (e.g. eth0)	45	OIFACE=$(ip route show default \| awk '{print $5; exit}')
45	IFACE=$(podman exec ${CONTAINER_NAME} sh -c "ip -o link \| grep -v lo \| head -1 \| cut -d: -f2 \| tr -d ' ' \| cut -d@ -f1")	46	BRIDGE=$(podman network inspect ${NETWORK} 2>/dev/null \| python3 -c "import json,sys; print(json.load(sys.stdin)[0]['network_interface'])")
46	podman exec ${CONTAINER_NAME} ip addr add ${PUBLIC_IP}/32 dev ${IFACE}	47
47	ip route add ${PUBLIC_IP}/32 via ${PRIVATE_IP}	48	# Clean up any stale rules for this IP
		49	nft -a list chain ip nat PREROUTING 2>/dev/null \| grep "daddr ${PUBLIC_IP} " \| grep -oP 'handle \K\d+' \| while read h; do nft delete rule ip nat PREROUTING handle "$h"; done
		50	nft -a list chain ip nat POSTROUTING 2>/dev/null \| grep "snat to ${PUBLIC_IP}" \| grep -oP 'handle \K\d+' \| while read h; do nft delete rule ip nat POSTROUTING handle "$h"; done
		51	nft -a list chain inet netavark FORWARD 2>/dev/null \| grep "daddr ${PRIVATE_IP} " \| grep -oP 'handle \K\d+' \| while read h; do nft delete rule inet netavark FORWARD handle "$h"; done
		52	nft -a list chain ip nat POSTROUTING 2>/dev/null \| grep "daddr ${PRIVATE_IP}.*masquerade" \| grep -oP 'handle \K\d+' \| while read h; do nft delete rule ip nat POSTROUTING handle "$h"; done
		53	ip route del ${PUBLIC_IP} 2>/dev/null \|\| true
		54
		55	nft add rule ip nat PREROUTING ip daddr ${PUBLIC_IP} dnat to ${PRIVATE_IP}
		56	nft add rule ip nat POSTROUTING ip saddr ${PRIVATE_IP} oifname ${OIFACE} snat to ${PUBLIC_IP}
		57	nft insert rule inet netavark FORWARD ip daddr ${PRIVATE_IP} oifname ${BRIDGE} accept
		58	nft add rule ip nat POSTROUTING ip saddr ${PRIVATE_SUBNET} ip daddr ${PRIVATE_IP} oifname ${BRIDGE} masquerade
48		59
49	echo "Running at https://${DOMAIN}/"	60	echo "Running at https://${DOMAIN}/"