NHAS / wag

Simple Wireguard 2FA
BSD 3-Clause "New" or "Revised" License

Restarting in docker doesn't always work #57

Closed bvanwiggen closed 1 year ago

bvanwiggen commented 1 year ago

When the docker container is restarted I get the following error: unable to create control socket: listen unix /tmp/wag.sock: bind: address already in use

I expect wag.sock not to be cleared when the container exits, because when I create the container it starts without any issue. Within a docker environment the wag.sock can be cleared on startup since there won't be any other instance using it.

NHAS commented 1 year ago

Ahhhhhh yes, so what's happening here is that wag has a signal handler that only catches SIGINT rather than SIGTERM which is what docker uses when killing them (iirc).

This is super annoying and I'll look at getting that sorted! Thanks for the report, gives me motivation to get it done.

NHAS commented 1 year ago

That got fixed a little while ago, but I believe the entrypoint of the docker container might be swallowing the signals

NHAS commented 1 year ago

Hm I actually can't replicate this, can you give me the version and how you're using the docker image?

bvanwiggen commented 1 year ago

I'm using the latest image, and the following docker compose file:

version: '3.4'
services:
    wag-docker:
        image: wagvpn/wag
        container_name: wag
        ports:
          - '8081:8081/tcp'
          - '5920:5920/udp'
          - '8082:8082/tcp'
        cap_add:
          - NET_ADMIN
          - NET_RAW
          - SYS_ADMIN
        volumes:
          - './cfg:/cfg:z'
          - './data:/data:z'

config.json

{
    "Socket": "/tmp/wag.sock",
    "Proxied": false,
    "NAT": true,
    "HelpMail": "info@nospam.com",
    "Lockout": 5,
    "ExternalAddress": "vpn.blabla.com",
    "MaxSessionLifetimeMinutes": 1440,
    "SessionInactivityTimeoutMinutes": 60,
    "ManagementUI": {
        "ListenAddress": ":8082",
        "Enabled": true
    },
    "Webserver": {
        "Public": {
            "ListenAddress": ":8080"
        },
        "Tunnel": {
            "Port": "8081"
        }
    },
    "Authenticators": {
        "DefaultMethod": "totp",
        "Issuer": "My VPN",
        "Methods": [
            "totp"
        ],
        "DomainURL": "",
        "OIDC": {
            "IssuerURL": "",
            "ClientSecret": "",
            "ClientID": ""
        },
        "PAM": {
            "ServiceName": ""
        }
    },
    "Wireguard": {
        "DevName": "wg0",
        "ListenPort": 5920,
        "PrivateKey": "SOMEKEY",
        "Address": "10.1.2.1/24",
        "MTU": 1420,
        "PersistentKeepAlive": 25,
        "DNS": [
            "1.1.1.1/32"
        ]
    },
    "DatabaseLocation": "/data/devices.db",
    "Acls": {
        "Policies": {
            "*": {
                "Mfa": [

                ]
            }
        }
    }
}

Create the container, and stop the container, and start the container again

NHAS commented 1 year ago

Ah yes, thanks for that. I was trying it with restart which for some reason seemed to be working (although on a custom docker file so that's on me)

The issue is a missing exec which eats the signal into bash.

exec /usr/bin/wag start -config /cfg/config.json

Is the resolution, I'll do a patch for this as it's super annoying