fix: Avoid duplicating dnsmasq arguments (#1113)

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "Virtual DSM",
-  "service": "vdsm",
+  "service": "dsm",
   "forwardPorts": [5000],
   "portsAttributes": {
     "5000": {
@@ -11,7 +11,5 @@
   "otherPortsAttributes": {
     "onAutoForward": "ignore"
   }, 
-  "dockerComposeFile": "codespaces.yml",
+  "dockerComposeFile": "codespaces.yml"
-  "workspaceFolder": "/workspaces/vdsm",
-  "initializeCommand": "docker system prune --all --force"
 }

.github/workflows/build.yml

@@ -22,7 +22,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
       -

.github/workflows/check.yml

@@ -9,7 +9,7 @@ jobs:
     steps:
       - 
         name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       -
         name: Run ShellCheck
         uses: ludeeus/action-shellcheck@master

.github/workflows/hub.yml

@@ -12,13 +12,15 @@ jobs:
   dockerHubDescription:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+      -
-    - 
+        name: Checkout repo
-      name: Docker Hub Description
+        uses: actions/checkout@v6
-      uses: peter-evans/dockerhub-description@v5
+      - 
-      with:
+        name: Docker Hub Description
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
+        uses: peter-evans/dockerhub-description@v5
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
+        with:
-        repository: ${{ secrets.DOCKERHUB_REPO }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
-        short-description: ${{ github.event.repository.description }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
-        readme-filepath: ./readme.md
+          repository: ${{ secrets.DOCKERHUB_REPO }}
+          short-description: ${{ github.event.repository.description }}
+          readme-filepath: ./readme.md

.github/workflows/review.yml

@@ -15,7 +15,7 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       -
         name: Spelling
         uses: reviewdog/action-misspell@v1
@@ -26,7 +26,7 @@ jobs:
             *.md
             *.sh
           reporter: github-pr-review
-          github_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Hadolint
         uses: reviewdog/action-hadolint@v1
@@ -34,28 +34,28 @@ jobs:
           level: warning
           reporter: github-pr-review
           hadolint_ignore: DL3008 DL3003 DL3006 DL3013
-          github_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
       -
         name: YamlLint
         uses: reviewdog/action-yamllint@v1
         with:
           level: warning
           reporter: github-pr-review
-          github_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
       -
         name: ActionLint
         uses: reviewdog/action-actionlint@v1
         with:
           level: warning
           reporter: github-pr-review
-          github_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Shellformat
         uses: reviewdog/action-shfmt@v1
         with:
           level: warning
           shfmt_flags: "-i 2 -ci -bn"
-          github_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Shellcheck
         uses: reviewdog/action-shellcheck@v1
@@ -63,4 +63,4 @@ jobs:
           level: warning
           reporter: github-pr-review
           shellcheck_flags: -x -e SC2001 -e SC2034 -e SC2064 -e SC2317 -e SC2153 -e SC2028          
-          github_token: ${{ secrets.REPO_ACCESS_TOKEN }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}

src/disk.sh

@@ -346,7 +346,7 @@ checkFS () {
   DIR=$(dirname "$DISK_FILE")
   [ ! -d "$DIR" ] && return 0
 
-  if [[ "${FS,,}" == "overlay"* && "$PODMAN" != [Yy1]* ]]; then
+  if [[ "${FS,,}" == "overlay"* && "${ENGINE,,}" == "docker" ]]; then
     warn "the filesystem of $DIR is OverlayFS, this usually means it was binded to an invalid path!"
   fi
 

src/install.sh

@@ -31,7 +31,6 @@ if [ -n "$URL" ] && [ ! -s "$FILE" ] && [ ! -d "$DIR" ]; then
   BASE=$(basename "$URL" .pat)
   if [ ! -s "$STORAGE/$BASE.system.img" ]; then
     BASE=$(basename "${URL%%\?*}" .pat)
-    BASE="${BASE//+/ }"
     printf -v BASE '%b' "${BASE//%/\\x}"
     BASE="${BASE//[!A-Za-z0-9._-]/_}"
   fi
@@ -66,7 +65,6 @@ fi
 
 if [ ! -s "$FILE" ]; then
   BASE=$(basename "${URL%%\?*}" .pat)
-  BASE="${BASE//+/ }"
   printf -v BASE '%b' "${BASE//%/\\x}"
   BASE="${BASE//[!A-Za-z0-9._-]/_}"
 fi
@@ -82,7 +80,7 @@ rm -f "$STORAGE/$BASE.system.img"
 # Check filesystem
 FS=$(stat -f -c %T "$STORAGE")
 
-if [[ "${FS,,}" == "overlay"* && "$PODMAN" != [Yy1]* ]]; then
+if [[ "${FS,,}" == "overlay"* && "${ENGINE,,}" == "docker" ]]; then
   warn "the filesystem of $STORAGE is OverlayFS, this usually means it was binded to an invalid path!"
 fi
 

src/network.sh

@@ -19,14 +19,16 @@ set -Eeuo pipefail
 : "${VM_NET_HOST:="VirtualDSM"}"
 : "${VM_NET_MASK:="255.255.255.0"}"
 
-: "${PASST:="passt"}"
+: "${PASST:="/run/passt"}"
 : "${PASST_MTU:=""}"
 : "${PASST_OPTS:=""}"
 : "${PASST_DEBUG:=""}"
+: "${PASST_PID:="/var/run/passt.pid"}"
 
 : "${DNSMASQ_OPTS:=""}"
 : "${DNSMASQ_DEBUG:=""}"
 : "${DNSMASQ:="/usr/sbin/dnsmasq"}"
+: "${DNSMASQ_PID:="/var/run/dnsmasq.pid"}"
 : "${DNSMASQ_CONF_DIR:="/etc/dnsmasq.d"}"
 
 ADD_ERR="Please add the following setting to your container:"
@@ -121,14 +123,15 @@ configureDNS() {
   local host="$4"
   local mask="$5"
   local gateway="$6"
+  local arguments="$DNSMASQ_OPTS"
 
   echo "$gateway" > /run/shm/qemu.gw
 
   [[ "${DNSMASQ_DISABLE:-}" == [Yy1]* ]] && return 0
   [[ "$DEBUG" == [Yy1]* ]] && echo "Starting dnsmasq daemon..."
 
-  local log="/var/log/dnsmasq.log"
+  [ -s "$DNSMASQ_PID" ] && pKill "$(<"$DNSMASQ_PID")"
-  rm -f "$log"
+  rm -f "$DNSMASQ_PID"
 
   case "${NETWORK,,}" in
     "tap" | "tun" | "tuntap" | "y" )
@@ -138,40 +141,45 @@ configureDNS() {
       chmod 644 /var/lib/misc/dnsmasq.leases
 
       # dnsmasq configuration:
-      DNSMASQ_OPTS+=" --dhcp-authoritative"
+      arguments+=" --dhcp-authoritative"
 
       # Set DHCP range and host
-      DNSMASQ_OPTS+=" --dhcp-range=$ip,$ip"
+      arguments+=" --dhcp-range=$ip,$ip"
-      DNSMASQ_OPTS+=" --dhcp-host=$mac,,$ip,$host,infinite"
+      arguments+=" --dhcp-host=$mac,,$ip,$host,infinite"
 
       # Set DNS server and gateway
-      DNSMASQ_OPTS+=" --dhcp-option=option:netmask,$mask"
+      arguments+=" --dhcp-option=option:netmask,$mask"
-      DNSMASQ_OPTS+=" --dhcp-option=option:router,$gateway"
+      arguments+=" --dhcp-option=option:router,$gateway"
-      DNSMASQ_OPTS+=" --dhcp-option=option:dns-server,$gateway"
+      arguments+=" --dhcp-option=option:dns-server,$gateway"
 
   esac
 
   # Set interfaces
-  DNSMASQ_OPTS+=" --interface=$if"
+  arguments+=" --interface=$if"
-  DNSMASQ_OPTS+=" --bind-interfaces"
+  arguments+=" --bind-interfaces"
 
   # Add DNS entry for container
-  DNSMASQ_OPTS+=" --address=/host.lan/$gateway"
+  arguments+=" --address=/host.lan/$gateway"
 
   # Set local dns resolver to dnsmasq when needed
-  [ -f /etc/resolv.dnsmasq ] && DNSMASQ_OPTS+=" --resolv-file=/etc/resolv.dnsmasq"
+  [ -f /etc/resolv.dnsmasq ] && arguments+=" --resolv-file=/etc/resolv.dnsmasq"
 
   # Enable logging to file
-  DNSMASQ_OPTS+=" --log-facility=$log"
+  local log="/var/log/dnsmasq.log"
+  rm -f "$log"
+  arguments+=" --log-facility=$log"
 
-  DNSMASQ_OPTS=$(echo "$DNSMASQ_OPTS" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//')
+  arguments=$(echo "$arguments" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//')
-  [[ "$DEBUG" == [Yy1]* ]] && printf "Dnsmasq arguments:\n\n%s\n\n" "${DNSMASQ_OPTS// -/$'\n-'}"
+  [[ "$DEBUG" == [Yy1]* ]] && printf "Dnsmasq arguments:\n\n%s\n\n" "${arguments// -/$'\n-'}"
 
-  if ! $DNSMASQ ${DNSMASQ_OPTS:+ $DNSMASQ_OPTS}; then
+  if ! $DNSMASQ ${arguments:+ $arguments}; then
 
     local msg="Failed to start Dnsmasq, reason: $?"
-    [ -f "$log" ] && cat "$log"
+
-    error "$msg"
+    if [[ "${NETWORK,,}" == "slirp" || "${NETWORK,,}" == "passt" || "$ROOTLESS" != [Yy1]* || "$DEBUG" == [Yy1]* ]]; then
+      [ -f "$log" ] && [ -s "$log" ] && cat "$log"
+      error "$msg"
+    fi
 
     return 1
   fi
@@ -309,12 +317,9 @@ configurePasst() {
   NETWORK="passt"
   [[ "$DEBUG" == [Yy1]* ]] && echo "Configuring user-mode networking..."
 
-  local log="/var/log/passt.log"
+  local log="/tmp/passt.log"
   rm -f "$log"
 
-  local pid="/var/run/dnsmasq.pid"
-  [ -s "$pid" ] && pKill "$(<"$pid")"
-
   local ip="$IP"
   [ -n "$VM_NET_IP" ] && ip="$VM_NET_IP"
 
@@ -346,13 +351,7 @@ configurePasst() {
 
   PASST_OPTS+=" -H $VM_NET_HOST"
   PASST_OPTS+=" -M $GATEWAY_MAC"
-
+  PASST_OPTS+=" -P  $PASST_PID"
-  local uid gid
-  uid=$(id -u)
-  gid=$(id -g)
-  PASST_OPTS+=" --runas $uid:$gid"
-
-  PASST_OPTS+=" -P /var/run/passt.pid"
   PASST_OPTS+=" -l $log"
   PASST_OPTS+=" -q"
 
@@ -364,6 +363,8 @@ configurePasst() {
   PASST_OPTS=$(echo "$PASST_OPTS" | sed 's/\t/ /g' | tr -s ' ' | sed 's/^ *//')
   [[ "$DEBUG" == [Yy1]* ]] && printf "Passt arguments:\n\n%s\n\n" "${PASST_OPTS// -/$'\n-'}"
 
+  [ ! -f "$PASST" ] && cp /usr/bin/passt* /run
+
   if ! $PASST ${PASST_OPTS:+ $PASST_OPTS} >/dev/null 2>&1; then
 
     rm -f "$log"
@@ -371,7 +372,7 @@ configurePasst() {
     { $PASST ${PASST_OPTS:+ $PASST_OPTS}; rc=$?; } || :
 
     if (( rc != 0 )); then
-      [ -f "$log" ] && cat "$log"
+      [ -f "$log" ] && [ -s "$log" ] && cat "$log"
       warn "failed to start passt ($rc), falling back to slirp networking!"
       configureSlirp && return 0 || return 1
     fi
@@ -382,7 +383,7 @@ configurePasst() {
     tail -fn +0 "$log" --pid=$$ &
   else
     if [[ "$DEBUG" == [Yy1]* ]]; then
-      [ -f "$log" ] && cat "$log" && echo ""
+      [ -f "$log" ] && [ -s "$log" ] && cat "$log" && echo ""
     fi
   fi
 
@@ -403,7 +404,6 @@ configureNAT() {
 
   # Create the necessary file structure for /dev/net/tun
   if [ ! -c /dev/net/tun ]; then
-    [[ "$PODMAN" == [Yy1]* ]] && return 1
     [ ! -d /dev/net ] && mkdir -m 755 /dev/net
     if mknod /dev/net/tun c 10 200; then
       chmod 666 /dev/net/tun
@@ -411,6 +411,7 @@ configureNAT() {
   fi
 
   if [ ! -c /dev/net/tun ]; then
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
     warn "$tuntap" && return 1
   fi
 
@@ -418,6 +419,7 @@ configureNAT() {
   if [[ $(< /proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
     { sysctl -w net.ipv4.ip_forward=1 > /dev/null 2>&1; rc=$?; } || :
     if (( rc != 0 )) || [[ $(< /proc/sys/net/ipv4/ip_forward) -eq 0 ]]; then
+      [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
       warn "IP forwarding is disabled. $ADD_ERR --sysctl net.ipv4.ip_forward=1"
       return 1
     fi
@@ -444,6 +446,7 @@ configureNAT() {
   { ip link add dev "$VM_NET_BRIDGE" type bridge ; rc=$?; } || :
 
   if (( rc != 0 )); then
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
     warn "failed to create bridge. $ADD_ERR --cap-add NET_ADMIN" && return 1
   fi
 
@@ -458,6 +461,7 @@ configureNAT() {
 
   # QEMU Works with taps, set tap to the bridge created
   if ! ip tuntap add dev "$VM_NET_TAP" mode tap; then
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
     warn "$tuntap" && return 1
   fi
 
@@ -498,8 +502,11 @@ configureNAT() {
     fi
   fi
 
-  if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE; then
+  if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE > /dev/null 2>&1; then
-    warn "$tables" && return 1
+    [[ "$ROOTLESS" == [Yy1]* && "$DEBUG" != [Yy1]* ]] && return 1
+    if ! iptables -t nat -A POSTROUTING -o "$VM_NET_DEV" -j MASQUERADE; then
+      warn "$tables" && return 1
+    fi
   fi
 
   # shellcheck disable=SC2086
@@ -533,13 +540,11 @@ configureNAT() {
 
 closeBridge() {
 
-  local pid="/var/run/dnsmasq.pid"
+  [ -s "$PASST_PID" ] && pKill "$(<"$PASST_PID")"
-  [ -s "$pid" ] && pKill "$(<"$pid")"
+  rm -f "$PASST_PID"
-  rm -f "$pid"
 
-  pid="/var/run/passt.pid"
+  [ -s "$DNSMASQ_PID" ] && pKill "$(<"$DNSMASQ_PID")"
-  [ -s "$pid" ] && pKill "$(<"$pid")"
+  rm -f "$DNSMASQ_PID"
-  rm -f "$pid"
 
   case "${NETWORK,,}" in
     "user"* | "passt" | "slirp" ) return 0 ;;
@@ -595,9 +600,9 @@ closeNetwork() {
 cleanUp() {
 
   # Clean up old files
+  rm -f "$PASST_PID"
+  rm -f "$DNSMASQ_PID"
   rm -f /etc/resolv.dnsmasq
-  rm -f /var/run/passt.pid
-  rm -f /var/run/dnsmasq.pid
 
   if [[ -d "/sys/class/net/$VM_NET_TAP" ]]; then
     info "Lingering interface will be removed..."
@@ -637,7 +642,7 @@ getInfo() {
     [ -d "/sys/class/net/net1" ] && VM_NET_DEV="net1"
     [ -d "/sys/class/net/net2" ] && VM_NET_DEV="net2"
     [ -d "/sys/class/net/net3" ] && VM_NET_DEV="net3"
-    # Automaticly detect the default network interface
+    # Automatically detect the default network interface
     [ -z "$VM_NET_DEV" ] && VM_NET_DEV=$(awk '$2 == 00000000 { print $1 }' /proc/net/route)
     [ -z "$VM_NET_DEV" ] && VM_NET_DEV="eth0"
   fi
@@ -737,13 +742,6 @@ getInfo() {
 
   GATEWAY_MAC=$(echo "$VM_NET_MAC" | md5sum | sed 's/^\(..\)\(..\)\(..\)\(..\)\(..\).*$/02:\1:\2:\3:\4:\5/')
 
-  if [[ "$PODMAN" == [Yy1]* && "$DHCP" != [Yy1]* ]]; then
-    if [ -z "$NETWORK" ] || [[ "${NETWORK^^}" == "Y" ]]; then
-      # By default Podman has no permissions for NAT networking
-      NETWORK="user"
-    fi
-  fi
-
   if [[ "$DEBUG" == [Yy1]* ]]; then
     line="Host: $HOST  IP: $IP  Gateway: $GATEWAY  Interface: $VM_NET_DEV  MAC: $VM_NET_MAC  MTU: $mtu"
     [[ "$MTU" != "0" && "$MTU" != "$mtu" ]] && line+=" ($MTU)"
@@ -798,22 +796,26 @@ else
 
   case "${NETWORK,,}" in
     "passt" | "slirp" | "user"* ) ;;
-    "tap" | "tun" | "tuntap" | "y" )
+    "tap" | "tun" | "tuntap" | "y" | "" )
 
       # Configure tap interface
       if ! configureNAT; then
 
         closeBridge
         NETWORK="user"
-        msg="falling back to user-mode networking!"
+
-        msg="failed to setup NAT networking, $msg"
+        if [[ "$ROOTLESS" != [Yy1]* || "$DEBUG" == [Yy1]* ]]; then
+          msg="falling back to user-mode networking!"
+          msg="failed to setup NAT networking, $msg"
+          warn "$msg"
+        fi
 
       fi ;;
 
   esac
 
   case "${NETWORK,,}" in
-    "tap" | "tun" | "tuntap" | "y" ) ;;
+    "tap" | "tun" | "tuntap" | "y" | "" ) ;;
     "passt" | "user"* )
 
       # Configure for user-mode networking (passt)

src/proc.sh

@@ -33,9 +33,8 @@ if [[ "$KVM" != [Nn]* ]]; then
   KVM_OPTS=",accel=kvm -enable-kvm -global kvm-pit.lost_tick_policy=discard"
 
   if ! grep -qw "sse4_2" <<< "$flags"; then
-    info "Your CPU does not have the SSE4 instruction set that Virtual DSM requires, it will be emulated..."
+    error "Your CPU does not have the SSE4 instruction set that Virtual DSM requires!"
-    [ -z "$CPU_MODEL" ] && CPU_MODEL="qemu64"
+    [[ "$DEBUG" != [Yy1]* ]] && exit 88
-    CPU_FEATURES+=",+ssse3,+sse4.1,+sse4.2"
   fi
 
   if [ -z "$CPU_MODEL" ]; then

src/reset.sh

@@ -24,19 +24,40 @@ trap 'error "Status $? while: $BASH_COMMAND (line $LINENO/$BASH_LINENO)"' ERR
 
 # Helper variables
 
-PODMAN="N"
+ROOTLESS="N"
+PRIVILEGED="N"
 ENGINE="Docker"
 PROCESS="${APP,,}"
 PROCESS="${PROCESS// /-}"
 
 if [ -f "/run/.containerenv" ]; then
-  PODMAN="Y"
+  ENGINE="${container:-}"
-  ENGINE="Podman"
+  if [[ "${ENGINE,,}" == *"podman"* ]]; then
+    ROOTLESS="Y"
+    ENGINE="Podman"
+  else
+    [ -z "$ENGINE" ] && ENGINE="Kubernetes"
+  fi
 fi
 
 echo "❯ Starting $APP for $ENGINE v$(</run/version)..."
 echo "❯ For support visit $SUPPORT"
 
+# Get the capability bounding set
+CAP_BND=$(grep '^CapBnd:' /proc/$$/status | awk '{print $2}')
+CAP_BND=$(printf "%d" "0x${CAP_BND}")
+
+# Get the last capability number
+LAST_CAP=$(cat /proc/sys/kernel/cap_last_cap)
+
+# Calculate the maximum capability value
+MAX_CAP=$(((1 << (LAST_CAP + 1)) - 1))
+
+if [ "${CAP_BND}" -eq "${MAX_CAP}" ]; then
+  ROOTLESS="N"
+  PRIVILEGED="Y"
+fi
+
 INFO="/run/shm/msg.html"
 PAGE="/run/shm/index.html"
 TEMPLATE="/var/www/index.html"
@@ -166,6 +187,10 @@ if [[ "$KVM" != [Nn]* ]]; then
         if ! grep -qw "vmx\|svm" <<< "$flags"; then
           KVM_ERR="(not enabled in BIOS)"
         fi
+        if ! grep -qw "sse4_2" <<< "$flags"; then
+          error "Your CPU does not have the SSE4 instruction set that Virtual DSM requires!"
+          [[ "$DEBUG" != [Yy1]* ]] && exit 88
+        fi
       fi
     fi
   fi