linuxserver / docker-wireguard

GNU General Public License v3.0

[BUG] busybox's modprobe fails to load kernel module #343

Closed ZauberNerd closed 2 months ago

ZauberNerd commented 3 months ago

Is there an existing issue for this?

Current Behavior

The container fails to bring up the wireguard interface, because modprobe fails to load the ip6_tables module:

modprobe: can't load module ip6_tables (kernel/net/ipv6/netfilter/ip6_tables.ko.zst): invalid module format

Installing kmod before running /init in the container's entrypoint fixes the issue. I suspect that the modprobe utility from busybox is unable to load the zstd-compressed archive.

I have also tried to install zstd, but that does not change anything.

Expected Behavior

The container should load the correct kernel module (since it has CAP_SYS_MODULE and /lib/modules mounted from the host) and bring up the wireguard interface.

Steps To Reproduce

On a host with zstd-compressed kernel modules run:

  1. docker run --rm --volume /srv/config/wireguard:/config --volume /lib/modules:/lib/modules --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -it lscr.io/linuxserver/wireguard:latest
  2. observe the above-mentioned error

Workaround: Run: docker run --rm --volume /srv/config/wireguard:/config --volume /lib/modules:/lib/modules --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 --entrypoint /bin/sh -it lscr.io/linuxserver/wireguard:latest -c 'apk add kmod && /init'

Environment

- OS: Ubuntu 24.04
- How docker service was installed: docker engine on ubuntu: https://docs.docker.com/engine/install/ubuntu/

CPU architecture

x86-64

Docker creation

docker run --rm --volume /srv/config/wireguard:/config --volume /lib/modules:/lib/modules --cap-add NET_ADMIN --cap-add SYS_MODULE --sysctl net.ipv4.conf.all.src_valid_mark=1 -it lscr.io/linuxserver/wireguard:latest

Container logs

[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: 1.0.20210914-r4-ls42
Build-date: 2024-07-07T23:46:22+00:00
───────────────────────────────────────

Uname info: Linux fc18b7aaf323 6.8.0-38-generic #38-Ubuntu SMP PREEMPT_DYNAMIC Fri Jun  7 15:25:01 UTC 2024 x86_64 GNU/Linux
**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****
**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****
****     If your host does not automatically load the iptables module, you may still need the SYS_MODULE capability.     ****
**** Client mode selected. ****
[custom-init] No custom files found, skipping...
**** Disabling CoreDNS ****
**** Found WG conf /config/wg_confs/wg0.conf, adding to list ****
**** Activating tunnel /config/wg_confs/wg0.conf ****
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add x.x.x.x dev wg0
[#] ip -6 address add x:x:x:x:x:x:x:x dev wg0
[#] ip link set mtu 1320 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
s6-rc: fatal: unable to take locks: Resource busy
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip6tables-restore -n
modprobe: can't load module ip6_tables (kernel/net/ipv6/netfilter/ip6_tables.ko.zst): invalid module format
ip6tables-restore v1.8.10 (legacy): ip6tables-restore: unable to initialize table 'raw'
Error occurred at line: 1
Try `ip6tables-restore -h' or 'ip6tables-restore --help' for more information.
[#] resolvconf -d wg0 -f
s6-rc: fatal: unable to take locks: Resource busy
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
**** Tunnel /config/wg_confs/wg0.conf failed, will stop all others! ****
**** All tunnels are now down. Please fix the tunnel config /config/wg_confs/wg0.conf and restart the container ****
[ls.io-init] done.
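A pre-flight check for the failure described in this issue, added here as an example and not code from the issue or from the linuxserver project. It inspects the magic bytes of the host's module file and whether the container's modprobe resolves to busybox, and, where the reported combination (zstd module plus busybox modprobe) is found, points at loading the module on the host so that `--cap-add SYS_MODULE` can be dropped, as the container log itself suggests. The module directory, kernel release, module name and modprobe path are passed in as arguments (the `check` subcommand is an assumed convenience, not part of the image).

```shell
#!/bin/sh
# Added example (not from the issue or linuxserver): predict the
# "invalid module format" failure before starting the container.

# Print the compression format of a module file, judged by its magic bytes.
module_format() {
  magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
  case "$magic" in
    28b52ffd) echo zstd ;;    # zstd frame magic
    fd377a58) echo xz ;;      # xz stream header (fd 37 7a 58 5a 00)
    1f8b*)    echo gzip ;;    # gzip member header
    7f454c46) echo elf ;;     # uncompressed .ko
    *)        echo unknown ;;
  esac
}

# True when the given modprobe resolves to the busybox multi-call binary
# (Alpine-based images symlink /sbin/modprobe -> /bin/busybox).
modprobe_is_busybox() {
  target=$(readlink -f "$1" 2>/dev/null) && [ "${target##*/}" = busybox ]
}

# True for the combination the issue reports: a zstd-compressed module and
# busybox's modprobe. Other compressed formats are not judged here.
needs_kmod() {  # $1 = module file, $2 = modprobe path
  [ "$(module_format "$1")" = zstd ] && modprobe_is_busybox "$2"
}

# Locate MODULE for kernel RELEASE under MODULES_DIR and report.
# Return 0 = container modprobe should cope, 1 = load on host (or install
# kmod), 2 = module file not found (e.g. built into the kernel).
preflight() {  # $1 = modules dir, $2 = release, $3 = module, $4 = modprobe
  file=$(find "$1/$2" -name "$3.ko*" 2>/dev/null | head -n1)
  [ -n "$file" ] || { echo "$3: not found under $1/$2"; return 2; }
  fmt=$(module_format "$file")
  if needs_kmod "$file" "$4"; then
    echo "$3 is $fmt-compressed and $4 is busybox: load it on the host first"
    echo "  sudo modprobe $3   # then drop --cap-add SYS_MODULE"
    return 1
  fi
  echo "$3 ($fmt) should load with $4"
}

# Usage: sh preflight.sh check /lib/modules "$(uname -r)" ip6_tables /sbin/modprobe
case "${1:-}" in
  check) shift; preflight "$@" ;;
esac
```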
github-actions[bot] commented 3 months ago

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.