k8s-at-home / charts

⚠️ Deprecated: Helm charts for applications you run at home
https://docs.k8s-at-home.com
Apache License 2.0

[qbittorrent] Probes fail, no web UI and external resource downloads fail with vpn (wireguard) addon #1734

Closed slaecker closed 2 years ago

slaecker commented 2 years ago

Helm chart name

qbittorrent

Helm chart version

13.5.2

Container name

ghcr.io/k8s-at-home/qbittorrent

Container tag

v4.4.2

Description

When using the wireguard vpn addon:

  1. the startup probe fails
  2. external resource downloads fail
    Couldn't download IP geolocation database file. Reason: The remote host name was not found (invalid hostname)
  3. the qBittorrent web UI is not accessible

Log:

Waiting for VPN to be connected...
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN not connected
VPN Connected, starting application...
QFile::at: Cannot set file position 0
(N) 2022-08-07T18:39:45 - qBittorrent v4.4.2 started
(N) 2022-08-07T18:39:45 - Using config directory: /config/qBittorrent
(I) 2022-08-07T18:39:45 - Trying to listen on: 0.0.0.0:6881,[::]:6881
(N) 2022-08-07T18:39:45 - Peer ID: -qB4420-
(N) 2022-08-07T18:39:45 - HTTP User-Agent is 'qBittorrent/4.4.2'
(I) 2022-08-07T18:39:45 - DHT support [ON]
(I) 2022-08-07T18:39:45 - Local Peer Discovery support [ON]
(I) 2022-08-07T18:39:45 - PeX support [ON]
(I) 2022-08-07T18:39:45 - Anonymous mode [OFF]
(I) 2022-08-07T18:39:45 - Encryption support [ON]
(I) 2022-08-07T18:39:45 - UPnP / NAT-PMP support [ON]
(W) 2022-08-07T18:39:45 - Couldn't load IP geolocation database. Reason: No such file or directory
(N) 2022-08-07T18:39:45 - Using built-in Web UI.
(N) 2022-08-07T18:39:45 - Web UI translation for selected locale (en_US) has been successfully loaded.
(N) 2022-08-07T18:39:45 - Web UI: Now listening on IP: *, port: 8080
******** Information ********
To control qBittorrent, access the WebUI at: http://localhost:8080
(I) 2022-08-07T18:39:45 - Successfully listening on IP: 127.0.0.1, port: TCP/6881
(I) 2022-08-07T18:39:45 - Successfully listening on IP: 127.0.0.1, port: UTP/6881
(I) 2022-08-07T18:39:45 - Successfully listening on IP: 10.42.4.47, port: TCP/6881
(I) 2022-08-07T18:39:45 - Successfully listening on IP: 10.42.4.47, port: UTP/6881
(I) 2022-08-07T18:39:45 - Successfully listening on IP: 10.8.0.4, port: TCP/6881
(I) 2022-08-07T18:39:45 - Successfully listening on IP: 10.8.0.4, port: UTP/6881
(I) 2022-08-07T18:39:45 - Successfully listening on IP: ::1, port: TCP/6881
(I) 2022-08-07T18:39:45 - Successfully listening on IP: ::1, port: UTP/6881
(I) 2022-08-07T18:39:45 - Successfully listening on IP: fe80::3026:dcff:fe99:eb52%eth0, port: TCP/6881
(I) 2022-08-07T18:39:45 - Successfully listening on IP: fe80::3026:dcff:fe99:eb52%eth0, port: UTP/6881
(W) 2022-08-07T18:39:50 - Couldn't download IP geolocation database file. Reason: The remote host name was not found (invalid hostname)

I've also tried with the env variable FIREWALL: 'off' as mentioned in the OpenVPN example, to no avail.

Expected result

Probes work, external resources can be downloaded and qBittorrent web UI is accessible.

Helm values to reproduce

env:
  WAIT_FOR_VPN: "true"

service:
  main:
    type: NodePort
    ports:
      http:
        port: 8080
        nodePort: 30105

persistence:
  config:
    enabled: true
    type: emptyDir
    mountPath: /config

  shared:
    enabled: true
    type: emptyDir
    mountPath: /shared

addons:
  vpn:
    enabled: true
    type: wireguard

    securityContext:
      runAsUser: 568
      runAsGroup: 568

    env:
      KILLSWITCH: "true"

    configFile: |-
      [Interface]
      PrivateKey = xxxxxxxxxxxxxxxxxxxx
      Address = 10.8.0.4/24
      DNS = 1.1.1.1,1.0.0.1
      PostUp = /config/up.sh %i
      PreDown = /config/down.sh %i

      [Peer]
      PublicKey = xxxxxxxxxxxxxxxxxxxxxxxxxx
      AllowedIPs = 0.0.0.0/0
      Endpoint = xxxxxxxxxxx:51820

    scripts:
      up: |-
        #!/bin/bash
        echo "connected" > /shared/vpnstatus

      down: |-
        #!/bin/bash
        echo "disconnected" > /shared/vpnstatus

Additional Information

K3s 1.21.10+k3s1 on an Arm64 cluster, Helm 3.8.2

Repo link

No response

bjw-s commented 2 years ago

You haven't set any exclusions for the firewall configuration. That means that all traffic will be routed through your VPN. Also, the Kubernetes liveness probe checks and traffic from your ingress will not be able to reach it. This is also mentioned in our documentation: http://docs.k8s-at-home.com/our-helm-charts/common-library-add-ons/#example-values_1.

Be sure to check out the examples of others using similar setups by using the search available on https://whazor.github.io/k8s-at-home-search.
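A corrected values fragment for the reporter's setup, added here as an example (it is not from the issue, the chart or its documentation): the killswitch stays on, but the cluster networks are excluded so that kubelet probes and NodePort/ingress traffic can still reach the pod. It assumes the wireguard addon honours a newline-separated KILLSWITCH_EXCLUDEDNETWORKS_IPV4 variable and that the cluster uses the k3s default pod and service CIDRs (10.42.0.0/16 and 10.43.0.0/16, consistent with the pod address 10.42.4.47 in the log); the LAN range is a constructed placeholder.

```yaml
# Only addons.vpn changes; the reporter's env, service and persistence
# values stay exactly as posted above.
# Assumed: the wireguard addon reads KILLSWITCH_EXCLUDEDNETWORKS_IPV4 as a
# newline-separated list, and the cluster uses the k3s default CIDRs.
addons:
  vpn:
    enabled: true
    type: wireguard

    securityContext:
      runAsUser: 568
      runAsGroup: 568

    env:
      KILLSWITCH: "true"
      # Traffic to and from these networks bypasses the tunnel and the
      # killswitch. Without them the kubelet's startup/liveness probe and
      # NodePort/ingress traffic are rejected as soon as the tunnel is up,
      # which is the failure reported in this issue.
      KILLSWITCH_EXCLUDEDNETWORKS_IPV4: |-
        10.42.0.0/16
        10.43.0.0/16
        192.168.0.0/16

    configFile: |-
      [Interface]
      PrivateKey = <your private key>
      Address = 10.8.0.4/24
      DNS = 1.1.1.1,1.0.0.1
      PostUp = /config/up.sh %i
      PreDown = /config/down.sh %i

      [Peer]
      PublicKey = <peer public key>
      AllowedIPs = 0.0.0.0/0
      Endpoint = <vpn endpoint>:51820

    scripts:
      up: |-
        #!/bin/bash
        echo "connected" > /shared/vpnstatus

      down: |-
        #!/bin/bash
        echo "disconnected" > /shared/vpnstatus
```

After redeploying, `kubectl describe pod` on the qbittorrent pod should show the startup probe passing and the NodePort on 30105 answering; if not, replace the three ranges with the pod, service and node networks your cluster actually uses.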