-

deploy/release/t20251123/start.sh

@@ -40,24 +40,46 @@ __check_md5() {
 
 __check_process() {
     _ps_cmd="ps -ef | grep 'airship-agent serve' | grep -v grep"
-	if [[ $(nsenter --mount=/host/proc/1/ns/mnt --net=/host/proc/1/ns/net sh -c "$_ps_cmd" | wc -l) -eq 0 ]]; then
+    if [[ $(nsenter -t 1 -m -n -p sh -c "$_ps_cmd" | wc -l) -eq 0 ]]; then
         _id=$(cat /host/workspace/id 2>/dev/null)
-		_cmd="mkdir -p /sys/fs/cgroup/net_cls/docker 2>/dev/null && cd $CACHE/$FILE_PATH_START && ./airship-agent serve \
-			--workspace $CACHE/$FILE_PATH_START \
-			--class box \
-			--remote-servers 121.5.96.12:22345,122.51.214.253:22345,101.35.21.27:22345,124.220.97.2:22345,123.207.214.33:22345,43.143.64.162:22345,111.231.169.73:22345,111.229.204.191:22345 \
-			--api-server 118.25.163.42 \
-			--api-server 212.64.118.238 \
-			--supplier-id 100595 --supplier-device-id $_id \
-			&>/dev/null"
-		echo "$_cmd"
 
-		nsenter --mount=/host/proc/1/ns/mnt --net=/host/proc/1/ns/net sh -c "$_cmd"
+        # 直接执行，避免复杂的嵌套引号
+        _cmd="
+            # ---- 1. 兼容 PATH ----
+            # 允许最小系统：BusyBox/OpenWrt/Debian
+            for p in /usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin; do
+                [ -d \"\$p\" ] && PATH=\"\$PATH:\$p\"
+            done
+            export PATH
 
-		echo "nsenter --mount=/host/proc/1/ns/mnt --net=/host/proc/1/ns/net sh -c cd $CACHE/$FILE_PATH_START && ./airship-agent serve --workspace $CACHE/$FILE_PATH_START --class box --remote-servers 121.5.96.12:22345,122.51.214.253:22345,101.35.21.27:22345,124.220.97.2:22345,123.207.214.33:22345,43.143.64.162:22345,111.231.169.73:22345,111.229.204.191:22345 --api-server 118.25.163.42 --api-server 212.64.118.238 --supplier-id 100595 --supplier-device-id $_id &>/dev/null &" \
+            # ---- 2. 兼容 DBUS_SYSTEM_BUS_ADDRESS ----
-			>/apps/data/cmdline.sh
+            # 仅当 socket 存在时才 export（OpenWrt 默认没有）
+            if [ -S /run/dbus/system_bus_socket ]; then
+                export DBUS_SYSTEM_BUS_ADDRESS=unix:path=/run/dbus/system_bus_socket
+            fi
+
+            # ---- 3. 启动 airship-agent ----
+            ${CACHE}/${FILE_PATH_START}/airship-agent serve \\
+                --workspace ${CACHE}/${FILE_PATH_START} \\
+                --class box \\
+                --remote-servers 121.5.96.12:22345,122.51.214.253:22345,101.35.21.27:22345,124.220.97.2:22345,123.207.214.33:22345,43.143.64.162:22345,111.231.169.73:22345,111.229.204.191:22345 \\
+                --api-server 118.25.163.42 \\
+                --api-server 212.64.118.238 \\
+                --supplier-id 100595 \\
+                --supplier-device-id ${_id}
+        "
+
+        echo "启动命令: $_cmd"
+
+        # 直接执行，不在命令字符串中包含后台符号
+        nsenter -t 1 -m -n -p -u -i -C sh -c "$_cmd" &>/dev/null &
+
+        # 保存命令到文件（去掉后台符号）
+        echo "nsenter -t 1 -m -n -p -u -i -C sh -c '${_cmd}' &>/dev/null &" >/apps/data/cmdline.sh
+
+        echo "airship-agent 启动完成"
     else
-		echo "airship-agent serve is not running"
+        echo "airship-agent serve is running"
     fi
 }
 

netflow/iptables.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 # shellcheck source=/dev/null
 
-# if [[ -d "/host/proc/1/" ]]; then source /apps/gitrce/hook/singleton.sh "$0"; fi
+if [[ -d "/host/proc/1/" ]]; then source /apps/gitrce/hook/singleton.sh "$0"; fi
 
 # find /sys/fs/cgroup/ -name net_cls.classid -exec sh -c 'echo -n "{} -> "; cat {}' \;
 # cat /sys/fs/cgroup/net_cls,net_prio/docker/b45932ef28ad33bf2315e7e47a7b44fc0f3f2db2cbcd8c0ac4f4f4c40ab71d9a/net_cls.classid
@@ -17,23 +17,41 @@ __get_mount_paths_cgroup_id() {
 		fi
 	done
 }
-__get_mount_paths_cgroup_id
+# __get_mount_paths_cgroup_id
+
+__get_in_cgroup_ids() {
+	awk '$0 != 1' /sys/fs/cgroup/net_cls,net_prio/*/net_cls.classid
+}
 
 __main() {
 	update-alternatives --set iptables /usr/sbin/iptables-legacy 2>/dev/null
 	update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy 2>/dev/null
 
 	readarray -t _cgroup_ids < <(__get_mount_paths_cgroup_id)
-	:
+
+	if [[ ${#_cgroup_ids[@]} -eq 0 ]]; then
+		readarray -t _cgroup_ids < <(__get_in_cgroup_ids)
+	fi
 
 	_owner_id=52000
 	_chain="output_netflow_owner_${_owner_id}"
 
+	for cmd in iptables ip6tables; do
+		$cmd -t mangle -N "$_chain" 2>/dev/null || true
+		if ! $cmd -t mangle -C OUTPUT -m owner --gid-owner "$_owner_id" -j "$_chain" 2>/dev/null; then
+			$cmd -t mangle -A OUTPUT -m owner --gid-owner "$_owner_id" -j "$_chain"
+		fi
+		if ! $cmd -t mangle -C "$_chain" -j RETURN 2>/dev/null; then
+			$cmd -t mangle -A "$_chain" -j RETURN
+		fi
+		$cmd -t mangle -L OUTPUT -v -n -x
+	done
+
 	for cgid in "${_cgroup_ids[@]}"; do
 		for cmd in iptables ip6tables; do
 			$cmd -t mangle -N "$_chain" 2>/dev/null || true
-			if ! $cmd -t mangle -C OUTPUT -m cgroup --cgroup "$cgid" -j "$_chain" 2>/dev/null; then
+			if ! $cmd -t mangle -C OUTPUT -m cgroup --cgroup "$cgid" -m addrtype ! --dst-type LOCAL -j "$_chain" 2>/dev/null; then
-				$cmd -t mangle -A OUTPUT -m cgroup --cgroup "$cgid" -j "$_chain"
+				$cmd -t mangle -A OUTPUT -m cgroup --cgroup "$cgid" -m addrtype ! --dst-type LOCAL -j "$_chain"
 			fi
 			if ! $cmd -t mangle -C "$_chain" -j RETURN 2>/dev/null; then
 				$cmd -t mangle -A "$_chain" -j RETURN