Rewrite OpenRC

2025-04-10 03:25:10 +08:00 · 2025-04-10 03:25:10 +08:00 · fbd34ea6db
parent 167d978e96
commit fbd34ea6db
4 changed files with 93 additions and 26 deletions
--- a/README.md
+++ b/README.md
@ -53,3 +53,26 @@ $ curl -O https://raw.githubusercontent.com/XTLS/alpinelinux-install-xray/main/i
 ```
 # rc-service xray restart
 ```
+
+### Breaking Changes at 2025-04-09
+
+#### Path Change: Original path `/usr/local/lib/xray/` has been updated to new path `/usr/local/share/xray/`
+
+- This directory contains `geosite.dat` and `geoip.dat`
+- If you have scripts to automatically update these files, please adjust them accordingly
+- Regular users can ignore this change
+
+#### Watchdog: Xray process will now automatically restart indefinitely (every 2 seconds) upon panic
+
+- Advanced users no longer need to manually modify `/etc/init.d/xray` or write custom daemon scripts
+- Regular users can ignore this change
+
+#### No `root` Required: Xray now retains privileges (capabilities) to support `tproxy` and `sockopt` even when running as `nobody`
+
+- Advanced users **should not** (and need not) run Xray as `root` anymore — it already has all required network privileges
+- If you run Xray as a **server** (not client), you _may_ optionally run the command below to reduce capabilities. This theoretically minimizes attack surface but has negligible practical impact
+- Regular users can ignore this change
+
+```sh
+sed -i 's/^capabilities="cap_net_bind_service,cap_net_admin,cap_net_raw"$/capabilities="cap_net_bind_service"/g' /etc/init.d/xray
+```
--- a/README_zh-cn.md
+++ b/README_zh-cn.md
@ -2,7 +2,6 @@

 [English](README.md) | 中文(中国) | [中文(薹灣)](README_zh-tw.md)

-
 ## 依赖软件

 ### 安装 cURL
@ -54,3 +53,26 @@ $ curl -O https://raw.githubusercontent.com/XTLS/alpinelinux-install-xray/main/i
 ```
 # rc-service xray restart
 ```
+
+### 重大更改 at 2025-04-09
+
+#### 路径变更：原路径 `/usr/local/lib/xray/` 变更为 新路径 `/usr/local/share/xray/`
+
+- 此目录存放了 `geosite.dat` 和 `geoip.dat`
+- 如果你编写了一些脚本来自动更新这些文件，需要留意此项改动
+- 普通用户无需关注此改动
+
+#### 看门狗：若 Xray 进程 `panic` 将无限自动重启，间隔 2 秒
+
+- 对于高级用户，你无需再手动调整 `/etc/init.d/xray` 或自己编写 daemon 脚本了
+- 普通用户无需关注此改动
+
+#### 无需 `root`：已为 Xray 授予特权，即便以 `nobody` 身份运行也支持 `tproxy` 和 `sockopt`
+
+- 对于高级用户，你无需、也**不应该**再让 Xray 以 `root` 身份运行，现在它们已具备所有网络特权
+- 如果你的 Xray 作为**节点**而不是客户端运行，或*可考虑*执行下面的命令撤销部分网络特权。理论上可以降低攻击面，实际上无关痛痒
+- 普通用户无需关注此改动
+
+```sh
+sed -i 's/^capabilities="cap_net_bind_service,cap_net_admin,cap_net_raw"$/capabilities="cap_net_bind_service"/g' /etc/init.d/xray
+```
--- a/README_zh-tw.md
+++ b/README_zh-tw.md
@ -2,7 +2,6 @@

 [English](README.md) | [中文(中国)](README_zh-cn.md) | 中文(薹灣)

-
 ## 依賴軟體

 ### 安裝 cURL
@ -54,3 +53,26 @@ $ curl -O https://raw.githubusercontent.com/XTLS/alpinelinux-install-xray/main/i
 ```
 # rc-service xray restart
 ```
+
+### 重大變更 at 2025-04-09
+
+#### 路徑變更：原始路徑 `/usr/local/lib/xray/` 變更為 新路徑 `/usr/local/share/xray/`
+
+- 此目錄存放了 `geosite.dat` 和 `geoip.dat`
+- 如果你編寫了一些腳本來自動更新這些文件，需要留意此項改動
+- 普通用戶無需關注此改動
+
+#### 看門狗：若 Xray 進程 `panic` 將無限自動重啟，間隔 2 秒
+
+- 對於高級用戶，你無需再手動調整 `/etc/init.d/xray` 或自己編寫 daemon 腳本了
+- 普通用戶無需關注此改動
+
+#### 無需 `root`：已為 Xray 授予特權，即便以 `nobody` 身分執行也支援 `tproxy` 和 `sockopt`
+
+- 對於高級用戶，你無需、也**不應該**再讓 Xray 以 `root` 身份運行，現在它們已具備所有網絡特權
+- 如果你的 Xray 是作為**節點**而不是客戶端運行，或*可考慮*執行下面的命令撤銷部分網路特權。理論上可以降低攻擊面，實際上無關痛癢
+- 普通用戶無需關注此改動
+
+```sh
+sed -i 's/^capabilities="cap_net_bind_service,cap_net_admin,cap_net_raw"$/capabilities="cap_net_bind_service"/g' /etc/init.d/xray
+```
--- a/init.d/xray
+++ b/init.d/xray
@ -1,36 +1,36 @@
 #!/sbin/openrc-run
+
+name="Xray Daemon"
+description="A unified platform for anti-censorship"
+
 supervisor=supervise-daemon
+respawn_delay=2
+respawn_max=0

-name="Xray"
-description="The best v2ray-core, with XTLS support"
-description_checkconfig="Test configuration file"
-
-: ${env:="XRAY_LOCATION_ASSET=/usr/local/share/xray/"}
-: ${confdir:="/usr/local/etc/xray/"}
-
-command="/usr/local/bin/xray"
-command_args="run -confdir $confdir"
-command_user="nobody"
+pidfile="/run/${RC_SVCNAME}.pid"
+rc_ulimit="-n 1024000 -u 1024000"
+capabilities="cap_net_bind_service,cap_net_admin,cap_net_raw"
 extra_commands="checkconfig"
-capabilities="^cap_net_bind_service"
+
+env=${env:-"XRAY_LOCATION_ASSET=/usr/local/share/xray/"} # See: https://github.com/XTLS/Xray-core/blob/main/common/platform/platform.go
+confdir=${confdir:-"/usr/local/etc/xray/"}
+command="/usr/local/bin/xray"
+command_user="nobody:nobody"
+command_args="run -confdir $confdir"
+required_files="$confdir"

 depend() {
-	need net localmount
+    need net
+    want dns ntp-client
    after firewall
 }

 checkconfig() {
-	if [ ! -d "$confdir" ]; then
-		eerror "You need to setup $confdir first"
-		return 1
-	fi
    export $env
-	su ${command_user%:*} -s /bin/sh -c "$command $command_args -test"
+    $command $command_args -test
    eend $?
 }

-stop_pre() {
-	if [ "$RC_CMD" = restart ]; then
-		checkconfig || return $?
-	fi
+start_pre() {
+    checkconfig || return 1
 }