
Add OpenWrt LXC script #1932

Open
mihazs wants to merge 21 commits into community-scripts:main from mihazs:add-openwrt-lxc

@mihazs

@mihazs mihazs commented Jun 16, 2026


Scripts which are clearly AI generated and not further revised by the Author of this PR (in terms of Coding Standards and Script Layout) may be closed without review.

✍️ Description

Adds OpenWrt LXC support using LinuxContainers OpenWrt rootfs images.

Current PR scope is limited to the new script files:

  • ct/openwrt.sh
  • install/openwrt-install.sh
  • json/openwrt.json

There are no misc/build.func changes in the current PR diff. OpenWrt-specific behavior is local to ct/openwrt.sh, including LinuxContainers template resolution/download, unmanaged pct create, LAN/WAN NIC setup, TUN config, and /bin/ash install execution.

OpenWrt-specific notes:

  • Defaults to an unprivileged CT.
  • Uses LinuxContainers OpenWrt images because Proxmox templates do not reliably include OpenWrt.
  • Uses ostype unmanaged and OpenWrt ash/uci conventions.
  • Installs LuCI by default, so interface_port is 80; set var_interface=no to skip the web interface.
  • Configures LAN on eth0 as 192.168.1.1/24 by default and WAN on eth1 via DHCP; override LAN defaults with var_lan_ipaddr and var_lan_netmask.
  • Requires LAN and WAN bridges to differ by default; set var_allow_same_bridge=yes only after reviewing that topology.

Validation performed:

  • bash /tmp/openwrt-review-regression-check.sh /tmp/opencode/ProxmoxVED-openwrt-pr1932
  • bash -n ct/openwrt.sh install/openwrt-install.sh misc/build.func
  • shellcheck -e SC1090 -s bash ct/openwrt.sh
  • shellcheck -s sh install/openwrt-install.sh
  • jq . json/openwrt.json >/dev/null
  • GIT_MASTER=1 git diff --check
  • bash /tmp/openwrt-core-refactor-check.sh /tmp/opencode/ProxmoxVED-openwrt-pr1932
  • bash /tmp/openwrt-surface-qa.sh /tmp/opencode/ProxmoxVED-openwrt-pr1932
  • Mocked surface QA verifies custom OPENWRT_LAN_IPADDR/OPENWRT_LAN_NETMASK values are applied through UCI.

Runtime limitations in this environment:

  • No local Proxmox runtime was available, so real pct/pvesm execution was not performed.
  • The OpenWrt path was exercised with a mocked Proxmox surface QA script.

🔗 Related PR / Issue

Link: #

✅ Prerequisites (X in brackets)

  • Self-review completed – Code follows project standards.
  • Tested thoroughly – Changes work as expected.
  • No breaking changes – Existing functionality remains intact.
  • No security risks – No hardcoded secrets, unnecessary privilege escalations, or permission issues.

🏗️ arm64 Support (X in brackets)

  • arm64 supported - Tested and supported on arm64.
  • arm64 not tested - Assumed to work on arm64, but testing has not been done.
  • arm64 not supported - Confirmed upstream dependencies or binaries do not support arm64.

🛠️ Type of Change (X in brackets)

  • 🐞 Bug fix – Resolves an issue without breaking functionality.
  • New feature – Adds new, non-breaking functionality.
  • 💥 Breaking change – Alters existing functionality in a way that may require updates.
  • 🆕 New script – A fully functional and tested script or script set.
  • 🌍 Website update – Changes to website-related JSON files or metadata.
  • 🔧 Refactoring / Code Cleanup – Improves readability or maintainability without changing functionality.
  • 📝 Documentation update – Changes to README, AppName.md, CONTRIBUTING.md, or other docs.

🔍 Code & Security Review (X in brackets)

  • Follows Code_Audit.md & CONTRIBUTING.md guidelines
  • Uses correct script structure (AppName.sh, AppName-install.sh, AppName.json)
  • No hardcoded credentials

📦 Application Requirements (for new scripts)

⚠️ Do not remove this section.
It is used by automated PR validation checks.
If this PR is not a new script submission, leave the checkboxes unchecked.

Required for 🆕 New script submissions.
Pull requests that do not meet these requirements may be closed without review.

  • The application is at least 6 months old
  • The application is actively maintained
  • The application has 600+ GitHub stars
  • Official release tarballs are published
  • I understand that not all scripts will be accepted due to various reasons and criteria by the community-scripts ORG

🌐 Source

@MickLesk

This comment was marked as off-topic.

@mihazs

This comment was marked as off-topic.

@CrazyWolf13 CrazyWolf13 reopened this Jun 17, 2026
@CrazyWolf13

Member

why are there changes to build.func?

@mihazs

mihazs commented Jun 17, 2026

Author

@CrazyWolf13 The remaining misc/build.func changes are for OpenWrt container creation support: LinuxContainers template lookup/download because OpenWrt is not in the pveam catalog, -ostype unmanaged, /bin/ash installer execution, skipping Debian/Alpine bootstrap/network waits, and LAN/WAN NIC construction. I removed the unrelated interface-package vars from global default parsing so the shared-helper diff is narrower.

@mihazs

mihazs commented Jun 17, 2026

Author

@CrazyWolf13 Follow-up: I pushed f85d4b2 to narrow misc/build.func further. The generic install-script URL/error-handling change and the OpenWrt USB passthrough skip are gone; the remaining helper changes are limited to OpenWrt template/container creation support.

@CrazyWolf13 CrazyWolf13 requested a review from MickLesk June 17, 2026 12:29

@michelroegl-brunner michelroegl-brunner left a comment

Member

So those are pretty massive core changes for just one script, where we don't even know the userbase. And those are pretty confusing changes also.

For example, what is that magic number here for? elif [[ "$(stat -c%s "$TEMPLATE_PATH")" -lt 1000000 ]]

@mihazs

mihazs commented Jun 17, 2026

Author

Addressed in 7454cc0. The PR no longer changes misc/build.func; the current PR diff is limited to:

  • ct/openwrt.sh
  • install/openwrt-install.sh
  • json/openwrt.json

The OpenWrt-specific behavior is now local to ct/openwrt.sh: LinuxContainers template resolution/download, unmanaged pct create, LAN/WAN NIC setup, TUN config, and /bin/ash install execution. The confusing OpenWrt stat -c%s ... -lt 1000000 template-size validation was removed from the PR path; the local OpenWrt template check now validates that the archive can be read with tar -tf.

Verification run before pushing:

  • bash -n ct/openwrt.sh install/openwrt-install.sh misc/build.func
  • shellcheck -e SC1090 -s bash ct/openwrt.sh
  • shellcheck -s sh install/openwrt-install.sh
  • jq . json/openwrt.json
  • OpenWrt core-refactor static check: passed
  • Mocked OpenWrt surface QA: passed

GitHub checks are passing on the pushed commit (autolabeler, validate-script-requirements).

@mihazs

mihazs commented Jun 17, 2026

Author

Follow-up after 47aa1cd2:

  • Kept the current PR diff scoped to ct/openwrt.sh, install/openwrt-install.sh, and json/openwrt.json; misc/build.func still has no PR diff.
  • Added OpenWrt-local safeguards for the remaining review risks: template preparation now happens while holding the OpenWrt template lock, unresolved template storage paths fail closed instead of falling back to /var/lib/vz, and same-bridge LAN/WAN topology now requires explicit var_allow_same_bridge=yes.
  • Updated json/openwrt.json to warn that the rootfs is sourced from LinuxContainers at images.linuxcontainers.org rather than official OpenWrt release artifacts.
  • Updated the PR description so it no longer describes core helper changes or says LuCI is disabled by default.
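
The two safeguards described in the comments above (checking that the template archive can be read with tar -tf instead of comparing its size to a threshold, and failing closed when the template storage path is unresolved), as an added example that is not code from this PR. Function names and the sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Function names are hypothetical, not taken from ct/openwrt.sh.

# Size-only heuristic, equivalent to the check questioned in review.
template_is_big_enough() {
  [ -f "$1" ] && [ "$(wc -c <"$1" | tr -d ' ')" -ge 1000000 ]
}

# Structural check: tar must list the archive without error.
# -s also rejects a zero-byte file, which some tar builds list without error.
template_is_readable() {
  [ -n "$1" ] && [ -s "$1" ] && tar -tf "$1" >/dev/null 2>&1
}

# Fail closed: an empty or missing storage directory is an error,
# never a silent fallback to a default such as /var/lib/vz.
resolve_template_dir() {
  if [ -z "$1" ] || [ ! -d "$1" ]; then
    echo "template storage path unresolved: '${1}'" >&2
    return 1
  fi
  printf '%s\n' "$1"
}

# Constructed samples: a small valid archive, a large non-archive
# (stands in for a saved error page), and an empty file.
make_samples() {
  printf 'config system\n' >"$1/system"
  tar -cf "$1/good.tar" -C "$1" system
  yes '<html>503 Service Unavailable</html>' | head -c 1500000 >"$1/bad.tar"
  : >"$1/empty.tar"
}

demo() {
  local work f
  work="$(mktemp -d)" || return 1
  make_samples "$work"
  for f in good bad empty; do
    template_is_big_enough "$work/$f.tar" && printf '%s size=pass ' "$f" || printf '%s size=FAIL ' "$f"
    template_is_readable "$work/$f.tar" && echo 'tar=pass' || echo 'tar=FAIL'
  done
  resolve_template_dir "" 2>/dev/null || echo 'empty storage path rejected'
  rm -rf "$work"
}
demo
```

The size heuristic rejects the small valid archive and accepts the large non-archive; the tar listing gets both right. Neither check says anything about who produced the archive, only that it parses.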

@mihazs

mihazs commented Jun 17, 2026

Author

Implemented in 9cc09e05.

The OpenWrt LAN address remains 192.168.1.1/255.255.255.0 by default, but it is no longer hardcoded in the installer. It can now be overridden from the CT script with:

  • var_lan_ipaddr
  • var_lan_netmask

ct/openwrt.sh exports those as OPENWRT_LAN_IPADDR and OPENWRT_LAN_NETMASK, and install/openwrt-install.sh uses those values for the UCI LAN config.

@mihazs

mihazs commented Jun 17, 2026

Author

Runtime connectivity follow-up after c1fdf082:

  • The LinuxContainers index fetch now uses one shared helper that tries the normal curl path first and then retries with curl -4 before reporting the index unreachable.
  • This avoids a false preflight failure on hosts where IPv6 routing to images.linuxcontainers.org is broken or transiently preferred.
  • I tested from the Proxmox host with SSH key auth: default/IPv4 access to https://images.linuxcontainers.org/meta/1.0/index-system returns HTTP 200, while forced IPv6 fails. The raw branch preflight was then executed with a build-helper stub so no CT was created, and it returned PREFLIGHT_PASS:Template server reachable (images.linuxcontainers.org).

@mihazs

mihazs commented Jun 17, 2026

Author

Follow-up on the Proxmox host network concern:

The OpenWrt script does not change Proxmox node network settings such as interface IPs, bridge CIDRs, gateways, bridge ports, autostart, or VLAN-aware flags. It does not write /etc/network/interfaces and does not run host network mutation commands.

The Proxmox-side network action is limited to the new CT config created by pct create:

  • net0 attaches eth0 to the selected existing LAN bridge with ip=manual
  • net1 attaches eth1 to the selected existing WAN bridge with ip=dhcp

The OpenWrt LAN address, for example 192.168.1.1 by default or var_lan_ipaddr if overridden, is applied inside the OpenWrt container via UCI. It is not applied to vmbr0, vmbr1, or any Proxmox host interface.

I also added an explicit metadata note in 1797b35 documenting that the script does not change Proxmox host network interface, bridge CIDR, or gateway settings.
