Closed gregorydlogan closed 6 months ago
Well, I don't know that much about LXC. Currently it's assumed that this role will be executed on a "normal" host or virtual machine where modprobe runs just fine. I also can't really test this kind of setup.
One possibility could be to introduce a variable like wireguard_probe_module that by default is set to true but as in your case can be set to false.
But maybe even better would be to add a new tag to the task you mentioned above and run ansible-playbook playbook.yml --skip-tags=... In that case it would be possible to skip that part. Currently it only has the tag wg-install. But if you skip that then it would skip too many tasks.
What about something like https://github.com/gregorydlogan/ansible-role-wireguard/commit/a924da1378ee2c7963dc63cc200a06117d3628aa? Then it's automated, and if we can't write to /proc there's no point in trying to modprobe anyway.
As said, I don't know that much about LXC. If /proc not owned by root is an attribute to identify an LXC container then that might also be a possibility to implement.
I've got a set of unprivileged Debian 11 LXCs running in Proxmox which are attempting to insert the WireGuard kernel module when running this role. Looking at the logic here, I'm wondering if there needs to be an additional flag set in the PVE guest bits which will turn off the insert? Normally I'd suggest checking to see if the module is already loaded, but inside the LXC we can't.
To be clear, completely disabling the load makes things work just fine since the host already has the relevant module loaded.
Edit: This seems similar to #103, but maybe from the other side of the coin?
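
The three options discussed in this thread (an opt-out variable, a dedicated tag, and the /proc ownership check) can be combined in one pair of tasks. This is an added example, not the role's own tasks and not the content of the linked commit; wireguard_probe_module is the variable name proposed above, while the tag wg-modprobe and the register name wg_proc_stat are hypothetical, and the /proc ownership condition is the thread's heuristic taken as an assumption.

```yaml
# Added example: not taken from the role or from the linked commit.
# wireguard_probe_module is the variable proposed in the thread;
# the tag "wg-modprobe" and the register name are hypothetical.

- name: Inspect ownership of /proc
  ansible.builtin.stat:
    path: /proc
  register: wg_proc_stat
  tags:
    - wg-install
    - wg-modprobe

- name: Load the WireGuard kernel module
  community.general.modprobe:
    name: wireguard
    state: present
  when:
    # Explicit opt-out for hosts where the module is managed elsewhere,
    # e.g. an LXC guest whose host already has the module loaded.
    - wireguard_probe_module | default(true) | bool
    # Assumption from the thread: /proc not owned by root indicates an
    # unprivileged container, where modprobe cannot succeed anyway.
    - wg_proc_stat.stat.uid == 0
  tags:
    - wg-install
    - wg-modprobe
```

Running with --skip-tags=wg-modprobe skips only these two tasks, leaving the rest of wg-install intact.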