masipcat / wireguard-go-docker

Wireguard docker image
https://hub.docker.com/r/masipcat/wireguard-go
GNU General Public License v3.0
182 stars, 42 forks

What is the purpose of the sysctls image? #26

Open airza opened 2 years ago

airza commented 2 years ago

I'm trying to get this container to work on a k8s deployment and am a bit perplexed: the initContainer 'sysctls' is created and enables ipv4 routing but it doesn't seem to be accessed or used anywhere else. Can I remove this safely? It is quite possible that I don't understand how images are composed as I am new to k8s, but I don't understand its relationship to the wg container. Thanks for the image, by the way! I am slowly understanding what it's up to 8^)

masipcat commented 2 years ago

I think I need to improve the README :P The k8s example is not just how to deploy wireguard in a k8s cluster, it also contains the additional configuration to be able to communicate from outside the cluster to all the pods. That's the purpose of enabling ip routing and it can be done in a different container because it is a system-wide configuration (affects the entire k8s node).

I don't remember, but I guess I used the busybox image in the initContainer to avoid installing sysctl in the wireguard image. Anyway, now it seems that there is a better way to do it with k8s. Something like this should work as well (but I haven't tried):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wireguard
  template:
    metadata:
      labels:
        app: wireguard
    spec:
      # Pod-level securityContext: sysctls are only valid here, not per container.
      securityContext:
        sysctls:
        # Neither sysctl is in the kubelet's "safe" list, so the node's kubelet
        # must be started with --allowed-unsafe-sysctls covering them.
        - name: net.ipv4.ip_forward
          value: "1"
        - name: net.ipv4.conf.all.forwarding
          value: "1"
      containers:
        - name: wireguard
          image: masipcat/wireguard-go:latest
      ...

I hope this answers your questions :) If this works for you, feel free to open a PR to improve the readme with this change.
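The manifest above only works if the node's kubelet is willing to apply those sysctls. As an added example (not code from the masipcat/wireguard-go-docker project), the script below applies the kubelet's own acceptance rules to a Pod spec before `kubectl apply`: the "safe" sysctl allowlist, the `--allowed-unsafe-sysctls` name/prefix patterns, the rule that `net.*` sysctls cannot be set on a `hostNetwork` pod (nor IPC sysctls on a `hostIPC` pod), the string-typed `value`, and the fact that `sysctls` is a pod-level field only. The safe list is the long-standing core set; newer kubelets add a few more entries, so extend it for your cluster version (an assumption of this example). The sample Pod spec is the one from the comment above, written as a Python dict.

```python
# Added example, not project code: pre-deploy check of securityContext.sysctls
# against the rules the kubelet applies when admitting a pod.

# Sysctls the kubelet accepts with no extra flag (namespaced, isolated between
# pods). Core set only; extend for your kubelet version (assumption).
SAFE_SYSCTLS = frozenset({
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",
    "net.ipv4.ip_unprivileged_port_start",
})

# Prefixes the kubelet treats as IPC-namespaced and refuses under hostIPC: true.
IPC_PREFIXES = ("kernel.shm", "kernel.msg", "kernel.sem", "fs.mqueue.")


def _allowed(name, patterns):
    """--allowed-unsafe-sysctls entries are exact names or a prefix ending in '*'."""
    for pattern in patterns:
        if pattern.endswith("*"):
            if name.startswith(pattern[:-1]):
                return True
        elif name == pattern:
            return True
    return False


def check_pod_sysctls(pod_spec, allowed_unsafe=()):
    """Return (sysctl, problem) tuples; an empty list means the kubelet would accept them."""
    findings = []
    host_net = bool(pod_spec.get("hostNetwork"))
    host_ipc = bool(pod_spec.get("hostIPC"))
    pod_sc = pod_spec.get("securityContext") or {}

    for entry in pod_sc.get("sysctls") or []:
        name = entry.get("name", "")
        value = entry.get("value")
        if not name:
            findings.append(("", "sysctl entry without a name"))
            continue
        # The API field is a string; an unquoted YAML 1 arrives as an int and fails validation.
        if not isinstance(value, str):
            findings.append((name, 'value must be a quoted string, e.g. "1"'))
        # A namespaced sysctl cannot be applied to a namespace the pod shares with the host.
        if host_net and name.startswith("net."):
            findings.append((name, "net.* sysctl not allowed with hostNetwork: true"))
            continue
        if host_ipc and name.startswith(IPC_PREFIXES):
            findings.append((name, "IPC sysctl not allowed with hostIPC: true"))
            continue
        if name in SAFE_SYSCTLS or _allowed(name, allowed_unsafe):
            continue
        findings.append((name, "unsafe sysctl; node kubelet needs --allowed-unsafe-sysctls"))

    # sysctls is a PodSecurityContext field; a container-level entry is rejected.
    for c in (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or []):
        if "sysctls" in (c.get("securityContext") or {}):
            findings.append((c.get("name", ""), "sysctls belong in the pod-level securityContext"))
    return findings


# Constructed input: the pod template of the Deployment in the comment above.
WIREGUARD_POD_SPEC = {
    "securityContext": {
        "sysctls": [
            {"name": "net.ipv4.ip_forward", "value": "1"},
            {"name": "net.ipv4.conf.all.forwarding", "value": "1"},
        ]
    },
    "containers": [{"name": "wireguard", "image": "masipcat/wireguard-go:latest"}],
}

if __name__ == "__main__":
    for allowed in ((), ("net.ipv4.*",)):
        label = allowed or "no --allowed-unsafe-sysctls"
        print(label, check_pod_sysctls(WIREGUARD_POD_SPEC, allowed))
```

Run it as-is and both sysctls are reported as unsafe; with `("net.ipv4.*",)` (what a kubelet started with `--allowed-unsafe-sysctls=net.ipv4.*` would permit) the list is empty. Setting `hostNetwork: true` on the same spec turns both into hard rejections rather than flag-dependent ones, which is the case to check if the WireGuard pod is meant to sit in the node's network namespace.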

airza commented 2 years ago

Thanks for the prompt reply :) I think I am running into some issues trying to get it running on macOS, but once I can get this image up and functional I will be happy to send a PR as it's been a big timesaver.

On Fri, Apr 15, 2022 at 8:11 PM Jordi Masip wrote: