diff --git a/deploy/sandbox/init.sh b/deploy/sandbox/init.sh
index c81eca0..91d9a9f 100644
--- a/deploy/sandbox/init.sh
+++ b/deploy/sandbox/init.sh
@@ -10,22 +10,33 @@ set -euo pipefail
 apply_resolv_conf() {
   # 覆写 /etc/resolv.conf 直接指公网 DNS,绕过 docker embedded DNS(127.0.0.11)。
-  # user-defined bridge network 默 resolv.conf = nameserver 127.0.0.11,embedded DNS
-  # 转发给 docker daemon 上游 ── 腾讯云轻量等场景 daemon 探测 systemd-resolved 失败
-  # → embedded DNS 自己 forward 不出去 → 全跪。docker run `--dns` flag 只改 daemon
-  # 上游不动 resolv.conf,在 user-defined network 上无效。
-  # init.sh root 跑可写 /etc/resolv.conf(docker bind mount file 而非 rootfs);
-  # --restart=no 容器整生命周期内不被 docker 覆盖。
-  if [ -n "${ZCBOT_DNS:-}" ]; then
-    {
-      for ip in $(echo "$ZCBOT_DNS" | tr ',' ' '); do
-        [ -z "$ip" ] && continue
-        echo "nameserver $ip"
-      done
-    } > /etc/resolv.conf
+  # docker user-defined bridge network 默 resolv.conf = nameserver 127.0.0.11,
+  # embedded DNS 转发到 docker daemon 上游 ── 腾讯云轻量等场景 daemon 探测
+  # systemd-resolved 失败 → embedded DNS forward 不出去 → 全跪。`--dns` flag 只
+  # 改 daemon 上游不动 resolv.conf,在 user-defined network 上无效。
+  #
+  # 失败 robust:resolv.conf 在某些 docker / kernel 组合下是 ro mount,写不进
+  # 不能让 init.sh 整体退出(set -e),仅 warn 后继续跑 iptables 等其他启动逻辑;
+  # 此时容器仍能跑 shell / run_python,只是 DNS 解析跪 ── 比容器直接退好。
+  if [ -z "${ZCBOT_DNS:-}" ]; then
+    return 0
+  fi
+  local tmp
+  tmp="$(mktemp 2>/dev/null)" || tmp="/tmp/resolv.conf.tmp.$$"
+  : > "$tmp"
+  for ip in $(echo "$ZCBOT_DNS" | tr ',' ' '); do
+    if [ -n "$ip" ]; then
+      echo "nameserver $ip" >> "$tmp"
+    fi
+  done
+  if cat "$tmp" > /etc/resolv.conf 2>/dev/null; then
     echo "[init] /etc/resolv.conf set:"
     cat /etc/resolv.conf
+  else
+    echo "[init] WARN: cannot write /etc/resolv.conf (ro mount?);" \
+      "DNS via embedded 127.0.0.11 will be used as fallback" >&2
   fi
+  rm -f "$tmp"
 }
 apply_blocklist() {
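Review bot: Every comma-separated token of `ZCBOT_DNS` is written into `/etc/resolv.conf` as a `nameserver` line without being checked, and when all tokens are empty (for example `ZCBOT_DNS=,`) the `cat "$tmp" > /etc/resolv.conf` branch still succeeds, logs "set:" and leaves an empty resolv.conf, so resolution is broken with none of the 127.0.0.11 fallback the warning promises. A guard before the write, `[ -s "$tmp" ] || { echo "[init] WARN: ZCBOT_DNS has no usable entries; resolv.conf left untouched" >&2; rm -f "$tmp"; return 0; }`, keeps the documented fallback honest, and a per-token filter such as `[[ "$ip" =~ ^[0-9A-Fa-f.:]+$ ]]` (the script already relies on bash via `set -o pipefail`) stops stray words — the unquoted `$(echo … | tr)` also glob-expands a `*` against the current directory — from landing in a root-owned system file. The `mktemp` fallback `"/tmp/resolv.conf.tmp.$$"` is a guessable path that `: > "$tmp"` will follow through a pre-planted symlink; since this runs as root in a sandbox image, warning and returning when `mktemp` is unavailable is safer than a predictable name. Separately, `rm -f "$tmp"` at the end is skipped if `: > "$tmp"` or the loop's `>>` fails under `set -e`, which a `trap … EXIT` would cover, though a leaked temp file at init time is minor.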