Trigus42 / alpine-qbittorrentvpn

Multiarch docker image with the latest qBittorrent-nox client (WEB UI) and WireGuard/OpenVPN tunnel
GNU General Public License v3.0

Issues with Swarm integration #21

Open redhelling21 opened 1 year ago

redhelling21 commented 1 year ago

I've been trying for two days to make qbittorrentvpn work inside of a docker swarm. To be clear: it works when deployed as a simple docker compose, but doesn't when inside a swarm. I get the [ERROR] Network is down. Exiting.. error after the initialization ends. I tried manually pinging 1.1.1.1 from inside the container, on the tunnel adapter (wg0), but it times out. Same thing with traceroute.

Full logs:

n86af [s6-init] making user provided files available at /var/run/s6/etc...exited 0.
n86af [s6-init] ensuring user provided files have correct perms...exited 0.
n86af [fix-attrs.d] applying ownership & permissions fixes...
n86af [fix-attrs.d] done.
n86af [cont-init.d] executing container initialization scripts...
n86af [cont-init.d] 01-environment.sh: executing...
n86af 2022-10-26 19:54:27 [INFO] LAN_NETWORK defined as '10.0.1.0/24'
n86af 2022-10-26 19:54:27 [INFO] Docker network defined as 10.0.0.0/24
n86af 2022-10-26 19:54:27 [INFO] PUID not defined. Defaulting to 1000
n86af 2022-10-26 19:54:27 [INFO] PGID not defined. Defaulting to 1000
n86af 2022-10-26 19:54:27 [INFO] An user with PUID 1000 does not exist, adding an user called 'qbittorrent' with PUID 1000
n86af 2022-10-26 19:54:27 [INFO] VPN_ENABLED defined as 'yes'
n86af 2022-10-26 19:54:27 [INFO] VPN_TYPE defined as 'wireguard'
n86af 2022-10-26 19:54:27 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
n86af 2022-10-26 19:54:27 [INFO] Adding 1.1.1.1 to resolv.conf
n86af 2022-10-26 19:54:27 [INFO] Adding 8.8.8.8 to resolv.conf
n86af 2022-10-26 19:54:27 [INFO] Adding 1.0.0.1 to resolv.conf
n86af 2022-10-26 19:54:27 [INFO] Adding 8.8.4.4 to resolv.conf
n86af [cont-init.d] 01-environment.sh: exited 0.
n86af [cont-init.d] 02-vpn.sh: executing...
n86af 2022-10-26 19:54:27 [INFO] Choosen VPN config: 'wg0.conf'
n86af dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
n86af 2022-10-26 19:54:27 [INFO] VPN remote line defined as '193.32.127.66:51820'
n86af 2022-10-26 19:54:27 [INFO] VPN_REMOTE defined as '193.32.127.66'
n86af 2022-10-26 19:54:27 [INFO] VPN_PORT defined as '51820'
n86af 2022-10-26 19:54:27 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
n86af 2022-10-26 19:54:27 [INFO] VPN_DEVICE_TYPE set as 'wg0'
n86af 2022-10-26 19:54:29 [INFO] Starting WireGuard...
n86af --------------------
n86af Warning: `/config/wireguard/wg0.conf' is world accessible
n86af [#] ip link add wg0 type wireguard
n86af [#] wg setconf wg0 /dev/fd/63
n86af [#] ip -4 address add 10.68.11.100/32 dev wg0
n86af [#] ip link set mtu 1420 up dev wg0
n86af [#] resolvconf -a wg0 -m 0 -x
n86af [#] wg set wg0 fwmark 51820
n86af [#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
n86af [#] ip -4 rule add not fwmark 51820 table 51820
n86af [#] ip -4 rule add table main suppress_prefixlength 0
n86af [#] iptables-restore -n
n86af --------------------
n86af [cont-init.d] 02-vpn.sh: exited 0.
n86af [cont-init.d] 03-network.sh: executing...
n86af 2022-10-26 19:54:29 [INFO] Adding 192.168.1.0/24 as route via docker eth0
n86af 2022-10-26 19:54:29 [WARNING] Error adding route for 10.0.1.0/24. The web interface will still be reachable due to fwmark. However this is known to cause issues.
n86af 2022-10-26 19:54:29 [INFO] Adding fwmark for webui.
n86af [cont-init.d] 03-network.sh: exited 0.
n86af [cont-init.d] 04-qbittorrent-setup.sh: executing...
n86af 2022-10-26 19:54:29 [WARNING] ENABLE_SSL is set to , SSL is not enabled. This could cause issues with logging if other apps use the same Cookie name (SID).
n86af 2022-10-26 19:54:29 [WARNING] If you manage the SSL config yourself, you can ignore this.
n86af 2022-10-26 19:54:29 [WARNING] UMASK not defined (via -e UMASK), defaulting to '002'
n86af [cont-init.d] 04-qbittorrent-setup.sh: exited 0.
n86af [cont-init.d] 05-install.sh: executing...
n86af Terminated
n86af 2022-10-26 19:55:05 [ERROR] Network is down. Exiting..
n86af 2022-10-26 19:55:05 [ERROR INFO] 'ip addr show' output:
n86af --------------------
n86af 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
n86af     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
n86af     inet 127.0.0.1/8 scope host lo
n86af        valid_lft forever preferred_lft forever
n86af 2: wg0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
n86af     link/none
n86af     inet 10.68.11.100/32 scope global wg0
n86af        valid_lft forever preferred_lft forever
n86af 91846: eth0@if91847: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
n86af     link/ether 02:42:0a:00:00:34 brd ff:ff:ff:ff:ff:ff link-netnsid 0
n86af     inet 10.0.0.52/24 brd 10.0.0.255 scope global eth0
n86af        valid_lft forever preferred_lft forever
n86af 91848: eth2@if91849: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
n86af     link/ether 02:42:ac:12:00:07 brd ff:ff:ff:ff:ff:ff link-netnsid 2
n86af     inet 172.18.0.7/16 brd 172.18.255.255 scope global eth2
n86af        valid_lft forever preferred_lft forever
n86af 91850: eth1@if91851: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
n86af     link/ether 02:42:0a:00:01:e4 brd ff:ff:ff:ff:ff:ff link-netnsid 1
n86af     inet 10.0.1.228/24 brd 10.0.1.255 scope global eth1
n86af        valid_lft forever preferred_lft forever
n86af --------------------
n86af 2022-10-26 19:55:05 [ERROR INFO] 'ip route show table main' output:
n86af --------------------
n86af default via 172.18.0.1 dev eth2
n86af 10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.52
n86af 10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.228
n86af 172.18.0.0/16 dev eth2 proto kernel scope link src 172.18.0.7
n86af --------------------
n86af 2022-10-26 19:55:05 [ERROR INFO] 'ip rule' output:
n86af --------------------
n86af 0:    from all lookup local
n86af 32763:    from all fwmark 0x1 lookup webui
n86af 32764:    from all lookup main suppress_prefixlength 0
n86af 32765:    not from all fwmark 0xca6c lookup 51820
n86af 32766:    from all lookup main
n86af 32767:    from all lookup default
n86af --------------------
n86af 2022-10-26 19:55:05 [ERROR INFO] 'netstat -lpn' output:
n86af --------------------
n86af Active Internet connections (only servers)
n86af Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
n86af tcp        0      0 172.18.0.7:52863        0.0.0.0:*               LISTEN      -
n86af tcp        0      0 127.0.0.1:52863         0.0.0.0:*               LISTEN      -
n86af tcp        0      0 10.0.1.228:52863        0.0.0.0:*               LISTEN      -
n86af tcp        0      0 127.0.0.11:46509        0.0.0.0:*               LISTEN      -
n86af tcp        0      0 10.68.11.100:52863      0.0.0.0:*               LISTEN      -
n86af tcp        0      0 10.0.0.52:52863         0.0.0.0:*               LISTEN      -
n86af tcp6       0      0 :::8080                 :::*                    LISTEN      -
n86af udp        0      0 10.68.11.100:49450      0.0.0.0:*                           -
n86af udp        0      0 0.0.0.0:6771            0.0.0.0:*                           -
n86af udp        0      0 0.0.0.0:6771            0.0.0.0:*                           -
n86af udp        0      0 0.0.0.0:6771            0.0.0.0:*                           -
n86af udp        0      0 0.0.0.0:6771            0.0.0.0:*                           -
n86af udp        0      0 0.0.0.0:6771            0.0.0.0:*                           -
n86af udp        0      0 0.0.0.0:54535           0.0.0.0:*                           -
n86af udp        0      0 127.0.0.11:58669        0.0.0.0:*                           -
n86af udp        0      0 10.0.1.228:52863        0.0.0.0:*                           -
n86af udp        0      0 172.18.0.7:52863        0.0.0.0:*                           -
n86af udp        0      0 10.0.0.52:52863         0.0.0.0:*                           -
n86af udp        0      0 10.68.11.100:52863      0.0.0.0:*                           -
n86af udp        0      0 127.0.0.1:52863         0.0.0.0:*                           -
n86af udp        0      0 10.68.11.100:1900       0.0.0.0:*                           -
n86af udp        0      0 172.18.0.7:45000        0.0.0.0:*                           -
n86af udp6       0      0 :::54535                :::*                                -
n86af Active UNIX domain sockets (only servers)
n86af Proto RefCnt Flags       Type       State         I-Node   PID/Program name     Path
n86af unix  2      [ ACC ]     STREAM     LISTENING     13936871 -                    /config/qBittorrent/config/.FOHyzQ/s
n86af --------------------
n86af [cont-finish.d] executing container finish scripts...
n86af [cont-finish.d] done.
n86af [s6-finish] waiting for services.
n86af [s6-finish] sending all processes the TERM signal.

Stack file:

version: '3.7'
volumes:
    qbittorrent_vpn_config: {}

networks:
  traefik-public:
    external: true

services:
    qbittorrentvpn:
      image: trigus42/qbittorrentvpn:latest
      cap_add:
        - NET_ADMIN
        - SYS_MODULE
      privileged: true
      volumes:
        - qbittorrent_vpn_config:/config
        - /mnt/hdd1/data/medias/downloads:/downloads
      environment:
        - VPN_ENABLED=yes
        - SET_FWMARK=yes
        - VPN_TYPE=wireguard
        - LAN_NETWORK=192.168.1.0/24
      ports:
        - 8080:8080
      networks:
        - traefik-public
      restart: unless-stopped
      sysctls:
        - net.ipv4.conf.all.src_valid_mark=1
        - net.ipv6.conf.all.disable_ipv6=1
      deploy:
        mode: replicated
        replicas: 1
        placement:
          constraints:
            - node.role == manager
        labels:
          - traefik.enable=true
          - traefik.docker.network=traefik-public
          - traefik.constraint-label=traefik-public
          - traefik.http.routers.qbittorrent-https.rule=Host(`domain`)
          - traefik.http.services.qbittorrent.loadbalancer.server.port=8080

I tried applying the "Adding 192.168.1.0/24 as route via docker eth0" operation by hand, directly in the container: ip route add "192.168.1.0/24" via "172.18.0.1" dev "eth2", but it fails with the error RTNETLINK answers: Network is unreachable.

I would totally understand if this is out of scope, as this image was probably not intended to be used in Swarm.

But if you have any idea or insight, you're welcome!

Thanks
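As an added example (not part of the issue or of the image's own scripts): this parses the 'ip route show table main' dump from the log above and works out which interface carries the default route and whether a given gateway is on-link, which is the condition the kernel checks before answering "Network is unreachable" to a route add. ROUTE_TABLE is copied from the log; the function names are assumptions of this example.

```python
import ipaddress

# Constructed from the 'ip route show table main' dump in the issue log.
ROUTE_TABLE = """\
default via 172.18.0.1 dev eth2
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.52
10.0.1.0/24 dev eth1 proto kernel scope link src 10.0.1.228
172.18.0.0/16 dev eth2 proto kernel scope link src 172.18.0.7
"""


def parse_routes(text):
    """Parse 'ip route' lines into dicts with dst (network), dev and via."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in dst:
            dst += "/32"  # host route printed without a prefix length
        route = {"dst": ipaddress.ip_network(dst, strict=False), "dev": None, "via": None}
        for key, val in zip(fields[1:], fields[2:]):
            if key == "dev":
                route["dev"] = val
            elif key == "via":
                route["via"] = ipaddress.ip_address(val)
        routes.append(route)
    return routes


def default_gateway(routes):
    """Return (gateway, dev) of the default route, or (None, None)."""
    for r in routes:
        if r["dst"].prefixlen == 0:
            return (str(r["via"]) if r["via"] else None, r["dev"])
    return (None, None)


def onlink_dev(routes, gateway):
    """Device whose directly connected prefix contains gateway, or None.
    None means 'ip route add ... via <gateway>' has no on-link path and the
    kernel rejects it with 'Network is unreachable'."""
    gw = ipaddress.ip_address(gateway)
    for r in routes:
        if r["via"] is None and r["dst"].prefixlen > 0 and gw in r["dst"]:
            return r["dev"]
    return None


def lan_route_command(routes, lan_cidr):
    """Route-add command for the LAN, pointed at the interface that carries
    the default route (eth2 in the issue's table, although the log names eth0)."""
    gw, dev = default_gateway(routes)
    if gw is None or onlink_dev(routes, gw) != dev:
        return None
    return f"ip route add {lan_cidr} via {gw} dev {dev}"
```

Run against the table from the log, lan_route_command yields the eth2 form of the route; on a plain compose network, where eth0 carries the default route, it yields the eth0 form instead.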

Trigus42 commented 1 year ago

I am not very knowledgeable when it comes to Docker swarms but I created a swarm with one manager and one worker node and deployed one service on the manager node using your compose file with as little changes as possible and it worked perfectly fine for me:

version: '3.7'

networks:
  traefik-test:
    external: true

services:
    qbittorrentvpn:
      image: trigus42/qbittorrentvpn:latest
      cap_add:
        - NET_ADMIN
        - SYS_MODULE
      privileged: true
      volumes:
        - ./config:/config
        - ./downloads:/downloads
      environment:
        - VPN_ENABLED=yes
        - SET_FWMARK=yes
        - VPN_TYPE=wireguard
        - LAN_NETWORK=192.168.178.0/24
      ports:
        - 8054:8080
      networks:
        - traefik-test
      restart: unless-stopped
      sysctls:
        - net.ipv4.conf.all.src_valid_mark=1
        - net.ipv6.conf.all.disable_ipv6=1
      deploy:
        mode: replicated
        replicas: 1
        placement:
          constraints:
            - node.role == manager
        labels:
          - traefik.enable=true
          - traefik.docker.network=traefik-test
          - traefik.constraint-label=traefik-test
          - traefik.http.routers.qbittorrent-https.rule=Host(`test.mydomain`)
          - traefik.http.services.qbittorrent.loadbalancer.server.port=8080

I also tried using two manager nodes and it still worked. The only thing I can think of is that your "traefik-public" network has no internet access. Maybe you could also add the service to another network like this:

version: '3.7'
volumes:
    qbittorrent_vpn_config: {}

networks:
  traefik-public:
    external: true

services:
    qbittorrentvpn:
      image: trigus42/qbittorrentvpn:latest
      cap_add:
        - NET_ADMIN
        - SYS_MODULE
      privileged: true
      volumes:
        - qbittorrent_vpn_config:/config
        - /mnt/hdd1/data/medias/downloads:/downloads
      environment:
        - VPN_ENABLED=yes
        - SET_FWMARK=yes
        - VPN_TYPE=wireguard
        - LAN_NETWORK=192.168.1.0/24
      ports:
        - 8080:8080
      networks:
        - default
        - traefik-public
      restart: unless-stopped
      sysctls:
        - net.ipv4.conf.all.src_valid_mark=1
        - net.ipv6.conf.all.disable_ipv6=1
      deploy:
        mode: replicated
        replicas: 1
        placement:
          constraints:
            - node.role == manager
        labels:
          - traefik.enable=true
          - traefik.docker.network=traefik-public
          - traefik.constraint-label=traefik-public
          - traefik.http.routers.qbittorrent-https.rule=Host(`domain`)
          - traefik.http.services.qbittorrent.loadbalancer.server.port=8080