githubixx / ansible-role-wireguard

Ansible role for installing WireGuard VPN. Supports Ubuntu, Debian, Arch Linux, Fedora and CentOS.
https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/

Proxmox LXC containers attempting to insert kernel modules #190

Closed gregorydlogan closed 6 months ago

gregorydlogan commented 1 year ago

I've got a set of unprivileged Debian 11 LXCs running in Proxmox which are attempting to insert the WireGuard kernel module when running this role. Looking at the logic here, I'm wondering if there needs to be an additional flag set in the PVE guest bits which will turn off the insert? Normally I'd suggest checking to see if the module is already loaded, but inside the LXC we can't.

To be clear, completely disabling the load makes things work just fine since the host already has the relevant module loaded.

Edit: This seems similar to #103, but maybe from the other side of the coin?

githubixx commented 1 year ago

Well, I don't know that much about LXC. Currently it's assumed that this role will be executed on a "normal" host or virtual machine where modprobe runs just fine. I also can't really test this kind of setup.

One possibility could be to introduce a variable like wireguard_probe_module that by default is set to true but as in your case can be set to false.

But maybe even better would be to add a new tag to the task you mentioned above and run ansible-playbook playbook.yml --skip-tags=.... In that case it would be possible to skip that part. Currently it only has the tag wg-install. But if you skip that then it would skip too many tasks.

gregorydlogan commented 1 year ago

What about something like https://github.com/gregorydlogan/ansible-role-wireguard/commit/a924da1378ee2c7963dc63cc200a06117d3628aa? Then it's automated, and if we can't write to /proc there's no point in trying to modprobe anyway.

githubixx commented 1 year ago

As said, I don't know that much about LXC. If /proc not being owned by root is an attribute that identifies an LXC container, then that might also be a possibility to implement.
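The following playbook sketch is an added illustration, not the role's own tasks: it combines the two ideas from the thread, the proposed `wireguard_probe_module` opt-out variable and an automatic container check, and gates the modprobe on both. It assumes the task in the role is equivalent to a `community.general.modprobe` call; the `/proc` ownership heuristic is the one the linked commit proposes and should be verified on the target Proxmox setup, and the `wg-modprobe` tag name is hypothetical.

```yaml
# Added illustration, not code from the ansible-role-wireguard project.
- name: Load the WireGuard kernel module unless running in a container
  hosts: all
  become: true
  vars:
    # Opt-out variable as proposed in the thread; default keeps current behaviour.
    wireguard_probe_module: true
  tasks:
    - name: Inspect /proc ownership (heuristic from the linked commit, verify on your hosts)
      ansible.builtin.stat:
        path: /proc
      register: wireguard_proc_stat

    - name: Decide whether a modprobe makes sense on this host
      ansible.builtin.set_fact:
        # Skip when the user opted out, when Ansible's virtualization facts
        # report an LXC guest, or when /proc is not owned by uid 0.
        wireguard_do_modprobe: >-
          {{ wireguard_probe_module | bool
             and ansible_facts['virtualization_type'] | default('') != 'lxc'
             and wireguard_proc_stat.stat.uid | default(0) == 0 }}

    - name: Load WireGuard kernel module
      community.general.modprobe:
        name: wireguard
        state: present
      when: wireguard_do_modprobe | bool
      tags:
        - wg-install
        - wg-modprobe   # hypothetical extra tag so --skip-tags=wg-modprobe skips only this task
```

Running with `-e wireguard_probe_module=false` or `--skip-tags=wg-modprobe` leaves the host's already-loaded module untouched, which is the behaviour the reporter confirmed works inside the unprivileged LXC.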