qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License

Error: too many files open. #1197

Open Arturoe1 opened 2 years ago

Arturoe1 commented 2 years ago

Is this urgent?

Yes

Host OS

Asustor ADM 4.1.0

CPU arch

x86_64

VPN service provider

Mullvad

What are you using to run the container

docker-compose

What is the version of Gluetun

latest

What's the problem 🤔

When running Gluetun, this warning message comes up: INFO [dns over tls] warning: increase ulimit or decrease threads, ports in config to remove this warning

Over time, gluetun exceeds the open files limit and causes the system to freeze. ADM does not provide a way to increase those limits directly for the whole system. Although I am asking Asustor support to provide a way to adjust the ulimit settings, I'd like to ask if it's possible to have control over these parameters from the gluetun container, as using so many threads causes some systems to freeze.

The objective would be to be able to remove this issue by having the possibility to use environment variables to control the threads the message is pointing out.

Share your logs

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================
Running version latest built on 2022-10-02T09:36:14.095Z (commit cb80457)
🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2022-10-16T12:46:28+02:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1 and assigned IP 172.18.0.3
2022-10-16T12:46:28+02:00 INFO [routing] local ethernet link found: eth0
2022-10-16T12:46:28+02:00 INFO [routing] local ipnet found: 172.18.0.0/16
2022-10-16T12:46:28+02:00 INFO [firewall] enabling...
2022-10-16T12:46:28+02:00 INFO [firewall] enabled successfully
2022-10-16T12:46:28+02:00 INFO [storage] merging by most recent 11721 hardcoded servers and 11721 servers read from /gluetun/servers.json
2022-10-16T12:46:28+02:00 INFO Alpine version: 3.16.2
2022-10-16T12:46:28+02:00 INFO OpenVPN 2.4 version: 2.4.12
2022-10-16T12:46:28+02:00 INFO OpenVPN 2.5 version: 2.5.6
2022-10-16T12:46:28+02:00 INFO Unbound version: 1.15.0
2022-10-16T12:46:28+02:00 INFO IPtables version: v1.8.8
2022-10-16T12:46:28+02:00 INFO Settings summary:
├── VPN settings:
|   ├── VPN provider settings:
|   |   ├── Name: mullvad
|   |   └── Server selection settings:
|   |       ├── VPN type: openvpn
|   |       ├── Cities: madrid
|   |       └── OpenVPN server selection settings:
|   |           └── Protocol: UDP
|   └── OpenVPN settings:
|       ├── OpenVPN version: 2.5
|       ├── User: [set]
|       ├── Password: [set]
|       ├── Network interface: tun0
|       ├── Run OpenVPN as: root
|       └── Verbosity level: 1
├── DNS settings:
|   ├── DNS server address to use: 127.0.0.1
|   ├── Keep existing nameserver(s): no
|   └── DNS over TLS settings:
|       ├── Enabled: yes
|       ├── Update period: every 24h0m0s
|       ├── Unbound settings:
|       |   ├── Authoritative servers:
|       |   |   └── cloudflare
|       |   ├── Caching: yes
|       |   ├── IPv6: no
|       |   ├── Verbosity level: 1
|       |   ├── Verbosity details level: 0
|       |   ├── Validation log level: 0
|       |   ├── System user: root
|       |   └── Allowed networks:
|       |       ├── 0.0.0.0/0
|       |       └── ::/0
|       └── DNS filtering settings:
|           ├── Block malicious: yes
|           ├── Block ads: no
|           ├── Block surveillance: no
|           └── Blocked IP networks:
|               ├── 127.0.0.1/8
|               ├── 10.0.0.0/8
|               ├── 172.16.0.0/12
|               ├── 192.168.0.0/16
|               ├── 169.254.0.0/16
|               ├── ::1/128
|               ├── fc00::/7
|               ├── fe80::/10
|               ├── ::ffff:7f00:1/104
|               ├── ::ffff:a00:0/104
|               ├── ::ffff:a9fe:0/112
|               ├── ::ffff:ac10:0/108
|               └── ::ffff:c0a8:0/112
├── Firewall settings:
|   ├── Enabled: yes
|   └── Outbound subnets:
|       └── {192.168.1.0 ffffff00}
├── Log settings:
|   └── Log level: INFO
├── Health settings:
|   ├── Server listening address: 127.0.0.1:9999
|   ├── Target address: cloudflare.com:443
|   ├── Read header timeout: 100ms
|   ├── Read timeout: 500ms
|   └── VPN wait durations:
|       ├── Initial duration: 6s
|       └── Additional duration: 5s
├── Shadowsocks server settings:
|   └── Enabled: no
├── HTTP proxy settings:
|   └── Enabled: no
├── Control server settings:
|   ├── Listening address: :8000
|   └── Logging: yes
├── OS Alpine settings:
|   ├── Process UID: 1000
|   ├── Process GID: 1000
|   └── Timezone: Europe/Madrid
├── Public IP settings:
|   ├── Fetching: every 12h0m0s
|   └── IP file path: /tmp/gluetun/ip
└── Version settings:
    └── Enabled: yes
2022-10-16T12:46:28+02:00 INFO IPv6 is not supported
2022-10-16T12:46:28+02:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1 and assigned IP 172.18.0.3
2022-10-16T12:46:28+02:00 INFO [routing] adding route for 0.0.0.0/0
2022-10-16T12:46:28+02:00 INFO [firewall] setting allowed subnets...
2022-10-16T12:46:28+02:00 INFO [routing] default route found: interface eth0, gateway 172.18.0.1 and assigned IP 172.18.0.3
2022-10-16T12:46:28+02:00 INFO [routing] adding route for 192.168.1.0/24
2022-10-16T12:46:28+02:00 INFO TUN device is not available: open /dev/net/tun: no such file or directory; creating it...
2022-10-16T12:46:28+02:00 INFO [pprof] http server listening on [::]:6060
2022-10-16T12:46:28+02:00 INFO [dns over tls] using plaintext DNS at address 1.1.1.1
2022-10-16T12:46:28+02:00 INFO [http server] http server listening on [::]:8000
2022-10-16T12:46:28+02:00 INFO [healthcheck] listening on 127.0.0.1:9999
2022-10-16T12:46:28+02:00 INFO [firewall] allowing VPN connection...
2022-10-16T12:46:28+02:00 INFO [openvpn] OpenVPN 2.5.6 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Apr 17 2022
2022-10-16T12:46:28+02:00 INFO [openvpn] library versions: OpenSSL 1.1.1q  5 Jul 2022, LZO 2.10
2022-10-16T12:46:28+02:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]195.206.107.146:1194
2022-10-16T12:46:28+02:00 INFO [openvpn] UDP link local: (not bound)
2022-10-16T12:46:28+02:00 INFO [openvpn] UDP link remote: [AF_INET]195.206.107.146:1194
2022-10-16T12:46:29+02:00 WARN [openvpn] 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
2022-10-16T12:46:29+02:00 WARN [openvpn] 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
2022-10-16T12:46:29+02:00 INFO [openvpn] [es-mad-003.mullvad.net] Peer Connection Initiated with [AF_INET]195.206.107.146:1194
2022-10-16T12:46:31+02:00 INFO [openvpn] setsockopt TCP_NODELAY=1 failed
2022-10-16T12:46:31+02:00 INFO [openvpn] TUN/TAP device tun0 opened
2022-10-16T12:46:31+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up mtu 1500
2022-10-16T12:46:31+02:00 INFO [openvpn] /sbin/ip link set dev tun0 up
2022-10-16T12:46:31+02:00 INFO [openvpn] /sbin/ip addr add dev tun0 10.8.0.12/16
2022-10-16T12:46:31+02:00 INFO [openvpn] UID set to nonrootuser
2022-10-16T12:46:31+02:00 INFO [openvpn] Initialization Sequence Completed
2022-10-16T12:46:31+02:00 INFO [dns over tls] downloading DNS over TLS cryptographic files
2022-10-16T12:46:32+02:00 INFO [healthcheck] healthy!
2022-10-16T12:46:34+02:00 INFO [dns over tls] downloading hostnames and IP block lists
2022-10-16T12:46:35+02:00 INFO [dns over tls] warning: setrlimit: Operation not permitted
2022-10-16T12:46:35+02:00 INFO [dns over tls] warning: cannot increase max open fds from 4096 to 8266
2022-10-16T12:46:35+02:00 INFO [dns over tls] warning: continuing with less udp ports: 2013
2022-10-16T12:46:35+02:00 INFO [dns over tls] warning: increase ulimit or decrease threads, ports in config to remove this warning
2022-10-16T12:46:40+02:00 INFO [healthcheck] unhealthy: cannot dial: dial tcp4: lookup cloudflare.com: i/o timeout
2022-10-16T12:46:40+02:00 INFO [dns over tls] init module 0: validator
2022-10-16T12:46:40+02:00 INFO [dns over tls] init module 1: iterator
2022-10-16T12:46:40+02:00 INFO [dns over tls] start of service (unbound 1.15.0).
2022-10-16T12:46:40+02:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2022-10-16T12:46:40+02:00 INFO [dns over tls] generate keytag query _ta-4a5c-4f66. NULL IN
2022-10-16T12:46:40+02:00 INFO [dns over tls] ready
2022-10-16T12:46:41+02:00 INFO [healthcheck] healthy!
2022-10-16T12:46:41+02:00 INFO [vpn] You are running on the bleeding edge of latest!
2022-10-16T12:46:41+02:00 INFO [ip getter] Public IP address is 195.206.107.147 (Spain, Madrid, Madrid)

Share your configuration

version: "3"
services:  
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    network_mode: bridge

    volumes:
      - ./gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=Mullvad
      - VPN_TYPE=openvpn
      # OpenVPN:
      - OPENVPN_USER=
      - OPENVPN_PASSWORD=
      - SERVER_CITIES=Madrid
      # Wireguard:
      # WIREGUARD_PRIVATE_KEY=
      # WIREGUARD_ADDRESSES=
      # Timezone for accurate log times
      - TZ=Europe/Madrid
      - FIREWALL_OUTBOUND_SUBNETS=
      #- FIREWALL_INBOUND_SUBNETS=
      - LAN_NETWORK=

qdm12 commented 2 years ago

If you don't mind, I'm in the middle of implementing #137 with my own implementation, and there should no longer be this (weird) issue since Unbound will be thrown out. I would rather avoid making further changes with Unbound for now. In the meantime, you may want to just disable with DOT=off. Let's keep this opened though in case I take too long to implement the switch.

Arturoe1 commented 2 years ago

Yes, that is perfectly fine. Thank you for your support!
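
The Unbound warnings in the log above name both the descriptor limit the container has (4096) and the one Unbound asked for (8266). As an added example, not part of the issue thread or of gluetun's code, this shell script extracts those numbers from such log lines and prints a Compose `ulimits` stanza sized to the request; the function names are hypothetical, and that ADM's Docker honors a per-container `nofile` limit is an assumption.

```shell
#!/bin/sh
# Constructed sample: the Unbound rlimit warnings as they appear in the log above.
SAMPLE_LOG='2022-10-16T12:46:35+02:00 INFO [dns over tls] warning: setrlimit: Operation not permitted
2022-10-16T12:46:35+02:00 INFO [dns over tls] warning: cannot increase max open fds from 4096 to 8266
2022-10-16T12:46:35+02:00 INFO [dns over tls] warning: continuing with less udp ports: 2013'

# Read log text on stdin and print "<current> <wanted>" taken from the last
# "cannot increase max open fds" line. Returns 1 when no such line exists.
fd_limits_from_log() {
    sed -n 's/.*cannot increase max open fds from \([0-9][0-9]*\) to \([0-9][0-9]*\).*/\1 \2/p' |
        tail -n 1 | grep .
}

# True when this shell's hard nofile limit already covers $1. An unprivileged
# process may raise its soft limit only up to the hard limit; going past it
# needs CAP_SYS_RESOURCE, which is consistent with the EPERM in the log.
hard_limit_covers() {
    hard=$(ulimit -Hn)
    [ "$hard" = "unlimited" ] || [ "$hard" -ge "$1" ]
}

# Read log text on stdin and print a Compose "ulimits" stanza sized to what
# Unbound requested, so the limit is raised by the container runtime rather
# than by granting the container an extra capability.
compose_ulimits_for_log() {
    limits=$(fd_limits_from_log) || { echo "no rlimit warning in log" >&2; return 1; }
    current=${limits% *}
    wanted=${limits#* }
    if [ "$wanted" -le "$current" ]; then
        echo "limit $current already covers $wanted" >&2
        return 1
    fi
    printf '    ulimits:\n      nofile:\n        soft: %s\n        hard: %s\n' "$wanted" "$wanted"
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | compose_ulimits_for_log
```

The printed stanza goes under the `gluetun:` service in the compose file; `docker exec gluetun sh -c 'ulimit -Hn'` shows whether the new hard limit took effect.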