linuxserver / docker-wireguard

GNU General Public License v3.0

[BUG] /etc/wireguard/wg0.conf does not exist #282

Closed danwilliams closed 1 year ago

danwilliams commented 1 year ago

Is there an existing issue for this?

Current Behavior

When starting with a brand-new installation, using Docker on Ubuntu Server, Wireguard exits with error code 1, complaining that /etc/wireguard/wg0.conf does not exist. This is despite having just created the wg0.conf file along with various other files in the conf directory.

Note: The following are very similar (same error message), but they have different setups and, it seems, explanatory causes. My setup is vanilla Docker with a fresh installation.

Expected Behavior

Presumably it should detect and use the wg0.conf file it just created, and not error...?

Steps To Reproduce

  1. In Ubuntu Server 23.04, using Docker
  2. Run the following:
sudo mkdir /data/docker/configs/wireguard
sudo useradd -M -r -s /bin/false wireguard
sudo chown wireguard:wireguard /data/docker/configs/wireguard

cat /etc/passwd | grep wireguard
  3. Check what user id has been given, and populate them below under PUID and PGID:
docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=995 \
  -e PGID=994 \
  -e TZ=Etc/UTC \
  -e SERVERURL=vpn.mydomain.net \
  -e SERVERPORT=51820 \
  -e PEERS=2 \
  -e PEERDNS=auto \
  -e INTERNAL_SUBNET=192.168.6.0 \
  -e ALLOWEDIPS=0.0.0.0/0 \
  -e PERSISTENTKEEPALIVE_PEERS=all \
  -e LOG_CONFS=true \
  -p 10.0.0.6:51820:51820/udp \
  -v /data/docker/configs/wireguard:/config \
  --restart always \
  linuxserver/wireguard
  4. The following log messages are generated (viewed by running docker logs -f wireguard):
...truncated...
mkdir: cannot create directory ‘/etc/wireguard’: Invalid argument
ln: failed to create symbolic link '/etc/wireguard/wg0.conf': No such file or directory
...truncated...
wg-quick: `/etc/wireguard/wg0.conf' does not exist
s6-rc: warning: unable to start service svc-wireguard: command exited 1
  5. Confirmation that config files have indeed been created correctly:
ls /data/docker/configs/wireguard/ -aclt
total 45
drwxr-xr-x 7 wireguard wireguard   9 Jul  3 16:25 .
drwxr-xr-x 2 wireguard wireguard   3 Jul  3 16:25 coredns
-rw------- 1 wireguard wireguard 193 Jul  3 16:25 .donoteditthisfile
drwx------ 2 wireguard wireguard   7 Jul  3 16:25 peer1
drwx------ 2 wireguard wireguard   7 Jul  3 16:25 peer2
drwxr-xr-x 2 wireguard wireguard   4 Jul  3 16:25 server
drwxr-xr-x 2 wireguard wireguard   4 Jul  3 16:25 templates
-rw------- 1 wireguard wireguard 758 Jul  3 16:25 wg0.conf
drwxr-xr-x 6 root      root        6 Jul  2 14:36 ..

Environment

dpkg --list | grep docker

ii  docker-buildx-plugin                             0.10.5-1~ubuntu.23.04~lunar             amd64        Docker Buildx cli plugin.
ii  docker-ce                                        5:24.0.2-1~ubuntu.23.04~lunar           amd64        Docker: the open-source application container engine
ii  docker-ce-cli                                    5:24.0.2-1~ubuntu.23.04~lunar           amd64        Docker CLI: the open-source application container engine
ii  docker-ce-rootless-extras                        5:24.0.2-1~ubuntu.23.04~lunar           amd64        Rootless support for Docker.
ii  docker-compose-plugin                            2.18.1-1~ubuntu.23.04~lunar             amd64        Docker Compose (V2) plugin for the Docker CLI.

CPU architecture

x86-64

Docker creation

docker run -d \
  --name=wireguard \
  --cap-add=NET_ADMIN \
  --cap-add=SYS_MODULE \
  -e PUID=995 \
  -e PGID=994 \
  -e TZ=Etc/UTC \
  -e SERVERURL=vpn.mydomain.net \
  -e SERVERPORT=51820 \
  -e PEERS=2 \
  -e PEERDNS=auto \
  -e INTERNAL_SUBNET=192.168.6.0 \
  -e ALLOWEDIPS=0.0.0.0/0 \
  -e PERSISTENTKEEPALIVE_PEERS=all \
  -e LOG_CONFS=true \
  -p 10.0.0.6:51820:51820/udp \
  -v /data/docker/configs/wireguard:/config \
  --restart always \
  linuxserver/wireguard

Container logs

[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    995
User GID:    994
───────────────────────────────────────

Uname info: Linux 28e9cb4e08f2 6.2.0-24-generic #24-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun 16 12:03:50 UTC 2023 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
mkdir: cannot create directory ‘/etc/wireguard’: Invalid argument
ln: failed to create symbolic link '/etc/wireguard/wg0.conf': No such file or directory
**** Server mode is selected ****
**** PersistentKeepalive will be set for: all ****
**** External server address is set to vpn.mydomain.net ****
**** External server port is set to 51820. Make sure that port is properly forwarded to port 51820 inside this container ****
**** Internal subnet is set to 192.168.6.0 ****
**** AllowedIPs for peers 0.0.0.0/0 ****
**** PEERDNS var is either not set or is set to "auto", setting peer DNS to 192.168.6.1 to use wireguard docker host's DNS. ****
**** No wg0.conf found (maybe an initial install), generating 1 server and 2 peer/client confs ****
PEER 1 QR code (conf file is saved under /config/peer1):
█████████████████████████████████████████████████████████████████████
PEER 2 QR code (conf file is saved under /config/peer2):
█████████████████████████████████████████████████████████████████████
[custom-init] No custom files found, skipping...
.:53
CoreDNS-1.10.0
linux/amd64, go1.19.9,
wg-quick: `/etc/wireguard/wg0.conf' does not exist
s6-rc: warning: unable to start service svc-wireguard: command exited 1

github-actions[bot] commented 1 year ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

aptalca commented 1 year ago

mkdir: cannot create directory ‘/etc/wireguard’: Invalid argument suggests there is something wrong with your docker service. Are you using rootless docker by any chance? The container's init runs as root and should be able to create that folder successfully, as it's a path inside the container.

danwilliams commented 1 year ago

I have a range of other containers which don't exhibit similar problems. Docker is the primary service on this machine, and runs as root. No changes have been made in this regard from the default Docker installation as per the Docker website.

The error message is indeed a path inside the container, but it appears something is up with the original mkdir command, and that it is not a permissions issue, due to the "invalid argument" message.

danwilliams commented 1 year ago

It's very odd, as this file looks correct at a glance:

https://github.com/linuxserver/docker-wireguard/blob/fbb3a4b5c7636229dfa17d729e819bedfe7e8ae9/root/etc/s6-overlay/s6-rc.d/init-wireguard-confs/run#L7

I believe it's these lines...?

# prepare symlinks
rm -rf /etc/wireguard
mkdir -p /etc/wireguard
ln -s /config/wg0.conf /etc/wireguard/wg0.conf

I don't immediately see a problem with those.

danwilliams commented 1 year ago

I even cloned and looked at the file in a hex editor to confirm that the line endings and dashes are correct - they are...

danwilliams commented 1 year ago

The "invalid argument" might be a musl coreutils thing obscuring the real issue (I've seen similar things). I wonder... your Dockerfile is v1 syntax, so I imagine you might test with older versions. I'm using the newer version, with Buildkit. When using overlay2, the layers are read-only... is it possible that the error is because it can't modify the read-only filesystem established in a prior layer...? I've not looked very deeply - it just occurred to me and thought I'd mention it. I'm likely totally wrong... I'll shut up now 🙂

aptalca commented 1 year ago

The layers are handled by docker via copy-on-write. It always makes changes in the final and active layer.

agunal commented 1 year ago

Same issue here: https://discourse.linuxserver.io/t/wireguard-error/7409

phsm commented 1 year ago

It seems that the issue is not bound to Docker alone: I'm observing it with Kubernetes + containerd runtime on Debian 12 OS.

Curious that only the mkdir call fails, and creating a symlink works fine:

<ran inside running wg container>
root@wg-84f67564cd-n8l7z:/etc# strace mkdir /etc/wireguard
...
mkdir("/etc/wireguard", 0777)           = -1 EINVAL (Invalid argument)
...

# Then, try to create it as a symlink
root@wg-84f67564cd-n8l7z:/etc# mkdir /root/q
root@wg-84f67564cd-n8l7z:/etc# ln -s /root/q /etc/wireguard
root@wg-84f67564cd-n8l7z:/etc# cd /etc/wireguard
root@wg-84f67564cd-n8l7z:/etc/wireguard# ls -la
total 18
drwxr-xr-x 2 root root 2 Aug 21 10:15 .
drwx------ 1 root root 4 Aug 21 10:15 ..

radutomy commented 1 year ago

Yep, I have the exact same issue.

danwilliams commented 1 year ago

@agunal @phsm @radutomy The reply I had from @aptalca was not particularly helpful or showing interest, so I gave up and used a different source. As this has been an open issue for nearly three months despite preventing standard usage, I suggest you also go elsewhere. I don't think there's much likelihood of this being investigated or fixed.

aptalca commented 1 year ago

This is not a container issue. It is a docker system issue.

A root process should be able to create a new folder inside of the container filesystem, period. If it can't, there is something seriously wrong with the system.

I'm not sure what you expect from me or how I'm supposed to be more helpful or interested, but the bottom line is, we can't fix an issue we can't reproduce or pinpoint.

With that said, if you're using the wrong storage driver for docker, that could be one reason for filesystem issues. For instance, if your disk is using zfs, you have to use the zfs storage driver in docker: https://docs.docker.com/storage/storagedriver/select-storage-driver/#supported-backing-filesystems
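A host-side check for the two things raised in this comment, written as an added example (it is not part of the thread or of the linuxserver image): whether the Docker storage driver is one the linked Docker page documents for the backing filesystem, and whether a root process inside the container can create a directory in the container's root filesystem at all. Assumptions not taken from the thread: the container is still named "wireguard" as in the reporter's docker run, `docker info` and `docker exec` work on the host, and the driver/filesystem pairs are taken from the Docker storage-driver page linked above (overlay2 on ext4/xfs, btrfs on btrfs, zfs on zfs, vfs anywhere). The `docker info` sample embedded in the script is constructed, not captured from the reporter's machine.

```shell
#!/bin/sh
# Added diagnostic for the "mkdir: ... Invalid argument" failure in this thread.
# Assumptions (not from the thread): the container is named "wireguard" and
# `docker info` / `docker exec` work on the host. The driver/backing-filesystem
# table follows the Docker storage-driver page linked in the thread; "extfs" is
# how `docker info` reports an ext4 backing filesystem.

# classify_storage DRIVER BACKING_FS
# Prints "ok" when the driver is documented as supported on that backing
# filesystem, "mismatch" when it is not, "unknown" for drivers not tabled here.
classify_storage() {
    driver=$1
    fs=$2
    case "$driver" in
        overlay2)
            case "$fs" in extfs|ext4|xfs) echo ok ;; *) echo mismatch ;; esac ;;
        btrfs)
            if [ "$fs" = btrfs ]; then echo ok; else echo mismatch; fi ;;
        zfs)
            if [ "$fs" = zfs ]; then echo ok; else echo mismatch; fi ;;
        vfs)
            echo ok ;;          # vfs works on any filesystem (no CoW, slow)
        *)
            echo unknown ;;
    esac
}

# parse_docker_info: reads `docker info` text on stdin, prints "DRIVER FS".
parse_docker_info() {
    awk -F': *' '
        /^ *Storage Driver:/     { drv = $2 }
        /^ *Backing Filesystem:/ { fs = $2 }
        END { print drv, fs }'
}

# probe_mkdir PREFIX DIR
# Runs mkdir DIR (through PREFIX, e.g. "docker exec wireguard", or directly
# when PREFIX is empty) and prints "created", "einval" or "failed: <message>".
# A directory the probe created is removed again so nothing is left behind.
probe_mkdir() {
    prefix=$1
    dir=$2
    err=$($prefix mkdir "$dir" 2>&1 >/dev/null) && status=0 || status=$?
    if [ "$status" -eq 0 ]; then
        $prefix rmdir "$dir" >/dev/null 2>&1 || true
        echo created
    elif printf '%s' "$err" | grep -q 'Invalid argument'; then
        echo einval
    else
        echo "failed: $err"
    fi
}

# Constructed sample of `docker info` output showing the mismatch described
# above (overlay2 driver on a zfs-backed /var/lib/docker).
SAMPLE_DOCKER_INFO='Server:
 Containers: 1
 Storage Driver: overlay2
  Backing Filesystem: zfs
  Supports d_type: true'

main() {
    info=$(docker info 2>/dev/null) || { echo "docker info failed"; return 1; }
    set -- $(printf '%s\n' "$info" | parse_docker_info)
    echo "storage driver: ${1:-?} on ${2:-?} -> $(classify_storage "${1:-}" "${2:-}")"
    # Probe a fresh path so an already existing /etc/wireguard cannot mask the result.
    echo "mkdir in container rootfs: $(probe_mkdir 'docker exec wireguard' /etc/wireguard-probe)"
}

# Run as: sh wg-diag.sh run   (without the argument only the functions are defined)
if [ "${1:-}" = run ]; then
    main
fi
```

Run it on the host as `sh wg-diag.sh run`. A "mismatch" line is the storage-driver situation described in the comment above (for example overlay2 on a zfs-backed disk); an "einval" probe result is the same EINVAL that phsm's strace shows further down the thread, and means the container's root filesystem itself is rejecting directory creation, which no change inside the image can fix. The probe creates and removes an unused path rather than /etc/wireguard so that a healthy container, where that directory already exists, does not report a misleading "File exists".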

radutomy commented 1 year ago

@danwilliams what did you go with in the end? i'm still looking for alternatives.

phsm commented 1 year ago

> @danwilliams what did you go with in the end? i'm still looking for alternatives.

As a workaround you can just mount a docker volume/directory to /etc/wireguard. If the directory is mapped to a host, then it works.

danwilliams commented 1 year ago

@radutomy I ended up moving to OPNSense, which has a plugin for Wireguard. Works very nicely.

drizuid commented 1 year ago

As mentioned above, the setup causing this is NOT a supported docker setup, per Docker. This is not something WE can fix; it is something the user with the improper setup must fix. Closing this.

TheRedEclipse commented 2 months ago

Is there any workaround for this issue? I have a similar situation, but on Debian.