Open donaldzou opened 3 years ago
I can make a Dockerfile for this one. most of your code is in python right?
Hi! Yes, I tried to migrate this into Docker, but this program needs to access WireGuard and the configuration file from the host, which is something I'm not sure how to do.
Docker Volume mount can handle that somehow, but you need to give root access to the docker container (build without setting user) or make the wireguard executable accessible by a non-root user (which I think is not a good thing, I'm not a security expert). We can put a Dockerfile and docker-compose with a suitable volume mount.
I see, so does that mean there is some command that allows python to execute `wg show`, and then docker can execute that command on the host if the docker container has root access?
I've tried to write a simple python script to control wireguard and ran that in docker, but it is still telling me `wg` command not found
I tried that too and encountered many problems. Managed to get `wg show` to work, but not sure if it affects the docker interface or host interface. At this point, I think packing wireguard into docker too may be the better option :(. So we will have a docker image with wireguard and dashboard on the same container
Yeah I've been looking into that, but it is gonna be quite complicated, and it is not gonna be a "simple" dashboard anymore lol
@potter420
> Managed to get `wg show` to work, but not sure if it affects the docker interface or host interface.

Using host network allows the docker's wireguard to directly manipulate the host's network rules and interface. So this issue won't come up. Simply run the docker container with these flags

```
--privileged --cap-add=NET_RAW --net=host
```
@donaldzou
You may use this as inspiration/template.
https://hub.docker.com/r/linuxserver/wireguard
If time permits today I'll provide a working docker command.
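The flags in the comment above can be checked on a running container. As an added example (not from the thread or the project), this audits `docker inspect` JSON for the settings discussed; the sample document, the `audit` helper and the `EXPECTED_CAPS` baseline are assumptions.

```python
import json

# Constructed sample shaped like `docker inspect` output for a container
# started with the flags above, plus the host WireGuard directory mounted.
SAMPLE = json.dumps([{
    "Name": "/wireguard_dashboard",
    "HostConfig": {"Privileged": True, "NetworkMode": "host",
                   "CapAdd": ["NET_RAW"], "Binds": ["/etc/wireguard:/data"]},
}])

# Assumption: NET_ADMIN is the capability a container needs to manage
# WireGuard interfaces; any other added capability is reported for review.
EXPECTED_CAPS = {"NET_ADMIN"}


def _norm(cap):
    """Normalise 'CAP_NET_ADMIN' and 'net_admin' to 'NET_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit(inspect_json):
    """Return (container, finding) pairs for risky runtime settings."""
    out = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig") or {}
        if hc.get("Privileged"):
            out.append((name, "privileged: all capabilities and host devices granted"))
        for cap in sorted({_norm(x) for x in hc.get("CapAdd") or []} - EXPECTED_CAPS):
            out.append((name, "extra capability: " + cap))
        if hc.get("NetworkMode") == "host":
            out.append((name, "host network: wg and iptables changes apply to the host"))
        for bind in hc.get("Binds") or []:
            parts = bind.split(":")
            opts = parts[2].split(",") if len(parts) > 2 else []
            if parts[0].rstrip("/") == "/etc/wireguard" and "ro" not in opts:
                out.append((name, "host /etc/wireguard mounted read-write"))
    return out


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(name + ": " + finding)
```

Feed it the real output of `docker inspect <container>` in place of `SAMPLE`.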
Hi @shrinidhi111 ! Thank you for doing this, I will look into it too ;)
And there is https://github.com/WeeJeWel/wg-easy/ . I think your dashboard is visually more pleasing :-) The only issue I have with these kinds of containers is that you always have to expose them, so I personally settled with a bridged container, volume and an inotify-reload on the host
I would reserve caution on moving to a Docker-based dashboard, as I have still to find one that works well and is easy to install; even the one above, wg-easy, does not work when following the install guide, unlike what you have here
i've added a dockerized form of your excellent app in this fork - tested successfully using an Ubuntu 20.04 LTS host on Linode.
this fork contains 5 extra files on top of the current repo that roll up your app + wireguard into a docker image, allow for custom config at compose time, and deploy using docker-compose. you can pull the forked repo, cd into the dir, and follow these two steps to test
```bash
bash install_docker_ubuntu.sh
docker-compose up -d --build
```
these extra 5 files are
1. `install_docker_ubuntu.sh` - docker/docker-compose installs for ubuntu 20.04

```bash
#!/bin/bash
sudo apt install -y apt-transport-https ca-certificates curl gnupg software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable"
sudo apt update
sudo apt install -y docker-ce docker-ce-cli containerd.io
sudo curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
```
2. `Dockerfile` - a basic Dockerfile rolling up your app + wireguard into an ubuntu image
```dockerfile
FROM ubuntu:20.04
RUN apt update
RUN apt install -y apt-utils python3.8 python3-pip gcc libffi-dev python-dev default-libmysqlclient-dev python3-dev net-tools gettext-base iproute2 iptables wireguard
RUN wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
RUN pip3 install Flask tinydb ifcfg icmplib flask-qrcode
RUN mkdir /home/app
COPY env.sh /home/app/env.sh
COPY wg0_template.conf /etc/wireguard/wg0_template.conf
```
3. `wg0_template.conf` - config file template - currently allows `SERVER_PRIVATE_KEY` configuration based on wireguard instantiation
```ini
[Interface]
Address = 10.0.0.1/24
SaveConfig = true
ListenPort = 51820
PrivateKey = $SERVER_PRIVATE_KEY
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens3 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens3 -j MASQUERADE
```
4. `env.sh` - stamps env variables into `wg0_template.conf` at compose time. currently only `SERVER_PRIVATE_KEY`
```bash
export SERVER_PRIVATE_KEY=$(cat /etc/wireguard/privatekey)
cp /home/app/wg0_template.conf /etc/wireguard/wg0_template.conf
envsubst < /etc/wireguard/wg0_template.conf > /etc/wireguard/wg0.conf
rm /etc/wireguard/wg0_template.conf
chmod 600 /etc/wireguard/{privatekey,wg0.conf}
```
5. `docker-compose.yml` - a simple compose file that wraps up the docker-fied version of the app

```yaml
version: '3.8'
services:
  wireguard_dashboard:
    build:
      context: .
    image: wireguard_dashboard
    container_name: wireguard_dashboard
    ports:
networks:
  wireguard_network:
```
With this setup there's no need to manufacture a specific `systemd` unit to ensure wireguard + your app runs at boot - as systemd's management of docker + the line `restart: "always"` should produce the same effect.
Here you can replace `/home/app/src/wgd.sh debug` with `/home/app/src/wgd.sh start` etc.,
You can examine logs of the running container via
`docker container logs wireguard_dashboard`
## Final thoughts - separating your app from wireguard
This docker configuration works - eventually it would be nice to separate the app from wireguard and host each from a separate container.
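The Dockerfile in the comment above runs `wg genkey` in a `RUN` step, which writes the private key into an image layer shared by every container built from it. As an added example (not from the thread or the project), this check flags such steps so key generation can move to first start; the excerpt, the helper names and the commands other than `wg genkey` are assumptions.

```python
import re

# Excerpt of the Dockerfile posted above, embedded as sample input.
DOCKERFILE = """\
FROM ubuntu:20.04
RUN apt update
RUN wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey
RUN mkdir /home/app
COPY env.sh /home/app/env.sh
"""

# Commands that create key material. Everything except `wg genkey` is an
# assumption added to generalise the check beyond this page's Dockerfile.
KEYGEN = re.compile(r"\b(wg\s+gen(?:key|psk)|ssh-keygen|openssl\s+gen(?:rsa|pkey))\b")


def logical_lines(text):
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue  # skip blank lines and comments between instructions
        if start is None:
            start = no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None


def build_time_keys(text):
    """Return (line_no, command) for RUN steps that generate keys at build time."""
    hits = []
    for no, instr in logical_lines(text):
        if instr.upper().startswith("RUN"):
            match = KEYGEN.search(instr)
            if match:
                hits.append((no, match.group(1)))
    return hits


if __name__ == "__main__":
    for no, cmd in build_time_keys(DOCKERFILE):
        print("line %d: '%s' runs at build time; the key is stored in the image" % (no, cmd))
```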
> I would reserve caution on moving to a Docker-based dashboard, as I have still to find one that works well and is easy to install; even the one above, wg-easy, does not work when following the install guide, unlike what you have here

wg-easy works out of the box for me, your kernel needs to have wireguard support. I'm using Ubuntu 20.04 LTS with kernel 5.4
Hey, I still haven't figured out how to separate the dashboard and wireguard containers, but I managed to set up everything in under 5 mins (or even less) with a pre-existing wireguard image out there that works out of the box, here's how I do it:

1. `mkdir` config directory to mount as volume and create empty `wg-dashboard.ini`, otherwise it will be created as directory instead of file, which can be frustrating. (tldr; do `mkdir data` then `touch ./data/wg-dashboard.ini`, edit: if you aren't using `data` in current directory, make sure to change volume mount in `docker-compose.yml` as well)
2. `Dockerfile` and `docker-compose.yml`, also entrypoint script for the `Dockerfile`, which you can find in my fork: https://github.com/SirusDoma/WGDashboard/commit/c00932b8478e398e3ff708b18c0679735428ed24
3. `docker-compose up -d`

Hope this is useful for someone looking for a simple setup.
Edit: you can configure `wg0.conf` in `./data/` directory after running the docker compose and then you may want to add `SaveConfig = true` as per recommendation
Have you looked to see if there are any changes necessary to make to your docker setup here with the changes that have been applied regarding venv and sqlite?
I'm not so sure cuz i'm not an expert of Docker.. (too complicated for me lol)
For those working on docker I'd suggest wg-gen-web is a better example than wg-easy since it uses a host installed Wireguard instead of putting it in the same container in the way wg-easy does.
@adrinux `wg-easy` works just fine for me. I actually prefer having wg in the container, since it's easier to get updates. Host OSes are slower at updating packages
Here https://gitlab.com/pgalonza/wireguard-image/-/tree/develop I am using WGDashboard with podman, ansible and scripts from https://github.com/linuxserver/docker-wireguard
unfortunately, you have to use different way, rather than "subprocess.check_output"...
Here is my Dockerfile:

```dockerfile
FROM --platform=$BUILDPLATFORM python:latest AS builder
WORKDIR /app
COPY requirements.txt /app
RUN --mount=type=cache,target=/root/.cache/pip \
    pip3 install -r requirements.txt
COPY . /app
ENTRYPOINT ["python3"]
CMD ["dashboard.py"]
```
And compose.yaml for "docker compose up -d":

```yaml
services:
  web:
    build:
      context: src
      target: builder
    # flask requires SIGINT to stop gracefully
    # (default stop signal from Compose is SIGTERM)
    stop_signal: SIGINT
    ports:
      - '10086:10086'
    volumes:
      - /etc/wireguard:/data
```

New updates are in: https://github.com/donaldzou/WGDashboard/issues/272
Please close this issue and respond there to limit the wild growth of the same issue.
If you know how to migrate this project completely to a Docker app, please comment below ;) Thank you!