From 874344971189ba6d8e5e6df61ab4025b2cfdcd22 Mon Sep 17 00:00:00 2001
From: caoqianming
Date: Wed, 27 May 2026 12:15:36 +0800
Subject: [PATCH] =?UTF-8?q?init.sh:=20apply=5Fresolv=5Fconf=20=E5=A4=B1?= =?UTF-8?q?=E8=B4=A5=20robust,=E4=B8=8D=E8=AE=A9=E5=AE=B9=E5=99=A8?= =?UTF-8?q?=E6=95=B4=E4=BD=93=E9=80=80=E5=87=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

docker 在某些 kernel / version 组合下 /etc/resolv.conf 可能是 ro mount, > redirect 失败 → set -e 触发 → 容器立即退出 → docker exec 报 "cannot exec in a stopped container"。 修法:tmp file 中转 + cat > 失败 || warn,resolv.conf 写不动也继续跑 iptables 等其他启动逻辑;此时容器仍能跑 shell/run_python,只是 DNS 解析跪 ── 比容器 直接退出可调试。

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 deploy/sandbox/init.sh | 37 ++++++++++++++++++++++++------------
 1 file changed, 24 insertions(+), 13 deletions(-)

diff --git a/deploy/sandbox/init.sh b/deploy/sandbox/init.sh
index c81eca0..91d9a9f 100644
--- a/deploy/sandbox/init.sh
+++ b/deploy/sandbox/init.sh
@@ -10,22 +10,33 @@ set -euo pipefail
 
 apply_resolv_conf() {
 # 覆写 /etc/resolv.conf 直接指公网 DNS,绕过 docker embedded DNS(127.0.0.11)。
- # user-defined bridge network 默 resolv.conf = nameserver 127.0.0.11,embedded DNS
- # 转发给 docker daemon 上游 ── 腾讯云轻量等场景 daemon 探测 systemd-resolved 失败
- # → embedded DNS 自己 forward 不出去 → 全跪。docker run `--dns` flag 只改 daemon
- # 上游不动 resolv.conf,在 user-defined network 上无效。
- # init.sh root 跑可写 /etc/resolv.conf(docker bind mount file 而非 rootfs);
- # --restart=no 容器整生命周期内不被 docker 覆盖。
- if [ -n "${ZCBOT_DNS:-}" ]; then
- {
- for ip in $(echo "$ZCBOT_DNS" | tr ',' ' '); do
- [ -z "$ip" ] && continue
- echo "nameserver $ip"
- done
- } > /etc/resolv.conf
+ # docker user-defined bridge network 默 resolv.conf = nameserver 127.0.0.11,
+ # embedded DNS 转发到 docker daemon 上游 ── 腾讯云轻量等场景 daemon 探测
+ # systemd-resolved 失败 → embedded DNS forward 不出去 → 全跪。`--dns` flag 只
+ # 改 daemon 上游不动 resolv.conf,在 user-defined network 上无效。
+ #
+ # 失败 robust:resolv.conf 在某些 docker / kernel 组合下是 ro mount,写不进
+ # 不能让 init.sh 整体退出(set -e),仅 warn 后继续跑 iptables 等其他启动逻辑;
+ # 此时容器仍能跑 shell / run_python,只是 DNS 解析跪 ── 比容器直接退好。
+ if [ -z "${ZCBOT_DNS:-}" ]; then
+ return 0
+ fi
+ local tmp
+ tmp="$(mktemp 2>/dev/null)" || tmp="/tmp/resolv.conf.tmp.$$"
+ : > "$tmp"
+ for ip in $(echo "$ZCBOT_DNS" | tr ',' ' '); do
+ if [ -n "$ip" ]; then
+ echo "nameserver $ip" >> "$tmp"
+ fi
+ done
+ if cat "$tmp" > /etc/resolv.conf 2>/dev/null; then
 echo "[init] /etc/resolv.conf set:"
 cat /etc/resolv.conf
+ else
+ echo "[init] WARN: cannot write /etc/resolv.conf (ro mount?);" \
+ "DNS via embedded 127.0.0.11 will be used as fallback" >&2
 fi
+ rm -f "$tmp"
 }
 
 apply_blocklist() {
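Review bot: The `tmp="/tmp/resolv.conf.tmp.$$"` fallback taken when mktemp fails is a predictable name that root then truncates with `: > "$tmp"`, so whatever already sits at that path (a stale file or a symlink left in the shared /tmp) is followed instead of a fresh private file. The temp file is not needed for what the commit wants: `set -e` is suspended while an `if` condition runs, so the nameserver lines can be emitted from a `{ ... }` group whose redirection to /etc/resolv.conf is the condition itself, and a failed redirection on the read-only mount simply takes the else branch — no mktemp, no fallback path, no trailing `rm -f "$tmp"`. Keep the empty-token check as `if [ -n "$ip" ]; then ... fi` rather than `&& continue` so the group's exit status reflects the write, not the last test. The `2>/dev/null` on that write also discards the real error text, so the `(ro mount?)` guess in the warning could be replaced by the captured message.
```shell
    # … unchanged: ZCBOT_DNS empty guard …
    if {
        for ip in $(echo "$ZCBOT_DNS" | tr ',' ' '); do
            if [ -n "$ip" ]; then
                echo "nameserver $ip"
            fi
        done
    } > /etc/resolv.conf 2>/dev/null; then
        echo "[init] /etc/resolv.conf set:"
        cat /etc/resolv.conf
    else
        # … unchanged: WARN message to stderr …
    fi
```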