jordanpotter / docker-wireguard

Simple image for running a WireGuard client with a kill switch
MIT License

--cap-add and --sysctl mods break container #5

Closed ryusko2 closed 4 years ago

ryusko2 commented 4 years ago

jordan,

I had a working copy of your container I had created last week (I guess with the privileged mode). I had to re-configure some of my other containers, so I re-pulled with the changes you recently made, and the container no longer stays open, exiting with a 255 code. I'm not sure what you need to troubleshoot ...

I am creating the container with the following command:

sudo docker create --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -v /home/me/.config/mullvad_config/wireguard/mullvad.conf:/etc/wireguard/mullvad.conf -p 1234:1234 jordanpotter/wireguard

jordanpotter commented 4 years ago

Hey Ryan!

Thanks to @bobbypage's help, we were able to remove the need to run the container in privileged mode! The README and jordanpotter/wireguard Docker Hub description have been updated with the new instructions.

Removing the requirement to run in privileged mode is a huge improvement for security (privileged mode is dangerous), however getting this to work introduced a backwards incompatible change. So...

From now on, the jordanpotter/wireguard Docker image is versioned. It is highly recommended to specify a version when using this image. The available image versions can be found here.

(Note: if for some reason you want to use the previous image that required --privileged to run, you can use jordanpotter/wireguard:0.1.0).

Now for an apology:

I originally built this Docker image for my own personal needs. I shared it with the community because I felt others could benefit from it, but was honestly surprised this image grew in popularity on Docker Hub so quickly! It's been exciting to see!

However in hindsight, this image should have had versioning from the very beginning. Only having latest means consumers will be surprised by backwards incompatible changes, even when they're made for the better.

I apologize to anyone that has been negatively impacted by the lack of versioning on this Docker image. Versioning has now been added so you'll have a stable image that you can rely on.

ryusko2 commented 4 years ago

Jordan,

I certainly appreciate the changes and upgrades with respect to security. However, the container doesn't run with the new --cap-add and --sysctl modifications ... it just exits with code 255. I also should have mentioned that I used the same mullvad configuration file from the previous version without a kill switch...

jordanpotter commented 4 years ago

Hrmm, could you copy-paste the output you're seeing from the Docker logs (please redact any sensitive information such as IP addresses)? Additionally, which operating system and kernel are you using?

For context, I'm running this image in a high-throughput environment on Debian Buster. I'm seeing:

$ docker logs wireguard
[#] ip link add mullvad-us7 type wireguard
[#] wg setconf mullvad-us7 /dev/fd/63
[#] ip -4 address add <redacted>/32 dev mullvad-us7
[#] ip link set mtu 1420 up dev mullvad-us7
[#] resolvconf -a mullvad-us7 -m 0 -x
[#] wg set mullvad-us7 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad-us7 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] echo skipping setting net.ipv4.conf.all.src_valid_mark
skipping setting net.ipv4.conf.all.src_valid_mark
[#] iptables-restore -n
Skipping ipv6 killswitch setup since ipv6 interface was not found...
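As an added example (not code from the docker-wireguard project or from either participant), the following shell script encodes two offline checks a reader of this thread might want: that a `docker create` argument list matches the least-privilege form used above (no `--privileged`, both capabilities, the `src_valid_mark` sysctl, and an image pinned to a version tag rather than `latest`), and that the wg-quick output printed by `docker logs` contains each step of the fwmark/policy-routing kill switch shown in the log above. The sample log, the interface name, the address and the version tag `X.Y.Z` are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the docker-wireguard project: two offline checks for
# the setup discussed in this issue. Log text and the version tag are constructed.

# Constructed sample of the wg-quick output seen with `docker logs wireguard`
# (interface name and address are placeholders; the thread redacts them).
SAMPLE_LOG='[#] ip link add mullvad-xx0 type wireguard
[#] wg setconf mullvad-xx0 /dev/fd/63
[#] ip -4 address add 10.0.0.2/32 dev mullvad-xx0
[#] ip link set mtu 1420 up dev mullvad-xx0
[#] wg set mullvad-xx0 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad-xx0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables-restore -n'

# check_killswitch_log LOG
# Prints "ok" when every kill-switch step from the thread's log is present:
# the fwmark on the tunnel, the default route in table 51820, the rule that
# sends unmarked traffic to that table, the suppress_prefixlength rule, and
# the iptables restore. Otherwise prints the first missing step and fails.
check_killswitch_log() {
    _log=$1
    for _step in \
        'wg set .* fwmark 51820' \
        'ip -4 route add 0\.0\.0\.0/0 dev .* table 51820' \
        'ip -4 rule add not fwmark 51820 table 51820' \
        'ip -4 rule add table main suppress_prefixlength 0' \
        'iptables-restore -n'
    do
        if ! printf '%s\n' "$_log" | grep -Eq "$_step"; then
            printf 'missing: %s\n' "$_step"
            return 1
        fi
    done
    printf 'ok\n'
}

# check_run_args ARG...
# Validates the arguments given to `docker create` / `docker run` against the
# least-privilege setup: no --privileged, NET_ADMIN and SYS_MODULE added, the
# src_valid_mark sysctl set, and the image (last argument) pinned to a version
# tag instead of an explicit or implicit :latest.
check_run_args() {
    _net_admin=0; _sys_module=0; _sysctl=0; _prev=''; _image=''
    for _arg in "$@"; do
        if [ "$_arg" = --privileged ]; then
            printf 'refuse: --privileged\n'
            return 1
        fi
        case "$_prev" in
            --cap-add)
                case "$_arg" in
                    NET_ADMIN)  _net_admin=1 ;;
                    SYS_MODULE) _sys_module=1 ;;
                esac ;;
            --sysctl)
                [ "$_arg" = net.ipv4.conf.all.src_valid_mark=1 ] && _sysctl=1 ;;
        esac
        _prev=$_arg
        _image=$_arg   # the image reference is the final positional argument
    done
    [ "$_net_admin" -eq 1 ]  || { printf 'missing: --cap-add NET_ADMIN\n'; return 1; }
    [ "$_sys_module" -eq 1 ] || { printf 'missing: --cap-add SYS_MODULE\n'; return 1; }
    [ "$_sysctl" -eq 1 ]     || { printf 'missing: --sysctl net.ipv4.conf.all.src_valid_mark=1\n'; return 1; }
    _ref=${_image##*/}       # look at the last path component so a registry port is not mistaken for a tag
    case "$_ref" in
        *:latest) printf 'unpinned: %s\n' "$_image"; return 1 ;;
        *:*)      ;;
        *)        printf 'unpinned: %s (implicit :latest)\n' "$_image"; return 1 ;;
    esac
    printf 'ok\n'
}

# Usage: the thread's create command (arguments after `docker create`), with a
# placeholder path and a placeholder version tag X.Y.Z.
check_killswitch_log "$SAMPLE_LOG"
check_run_args --name wireguard --cap-add NET_ADMIN --cap-add SYS_MODULE \
    --sysctl net.ipv4.conf.all.src_valid_mark=1 \
    -v /path/to/mullvad.conf:/etc/wireguard/mullvad.conf -p 1234:1234 \
    jordanpotter/wireguard:X.Y.Z
```

The log check only confirms that wg-quick issued each step; it does not prove the rules are still in effect inside the container, so on a live host it should be paired with `ip rule` / `ip route show table 51820` run in the container's network namespace.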

jordanpotter commented 4 years ago

Hey @ryusko2, it's been a few days so I wanted to follow up on this. Are you still having issues? If you are, I'd like to make sure things get fixed for you!

ryusko2 commented 4 years ago

I'll get back to you hopefully by the end of the weekend ... with some logs :)

ryusko2 commented 4 years ago

[#] ip link add mullvad-de15 type wireguard
[#] wg setconf mullvad-de15 /dev/fd/63
[#] ip -4 address add <redacted>/32 dev mullvad-de15
[#] ip link set mtu 1420 up dev mullvad-de15
[#] resolvconf -a mullvad-de15 -m 0 -x
[#] wg set mullvad-de15 fwmark 51820
[#] ip -4 route add 0.0.0.0/0 dev mullvad-de15 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] echo skipping setting net.ipv4.conf.all.src_valid_mark
skipping setting net.ipv4.conf.all.src_valid_mark
[#] iptables-restore -n
Skipping ipv6 killswitch setup since ipv6 interface was not found...

So ... I had purged your original docker image and re-pulled, and now of course the issue is gone. Something must have been wrong with the docker versioning since I had the old version on my system when I started seeing issues. In either case, it's back up and running now. Thanks!