Closed dvinik closed 4 years ago
Thanks for creating your first issue :+1: Feel free to use Slack if you just need some quick help or want to chat
I would need more context, can you share your entire log? Are you forcing the container to run without root perhaps?
I'll close the issue for now, feel free to comment here with more information and I'll reopen the issue. Thanks!
I'm seeing this error too, here is the complete log. Using docker-compose, on a boot2docker image in VirtualBox. This seems to point at missing modules https://forums.gentoo.org/viewtopic-t-1095354-start-0.html
2020-05-03T09:04:11.255Z INFO Unbound version: 1.9.6
2020-05-03T09:04:11.256Z INFO IPtables version: v1.8.3
2020-05-03T09:04:11.276Z INFO TinyProxy version: 1.10.0
2020-05-03T09:04:11.279Z INFO ShadowSocks version: 3.3.4
2020-05-03T09:04:11.279Z INFO Settings summary below:
OpenVPN settings:
|--Network protocol: udp
|--Verbosity level: 1
|--Run as root: yes
|--Target IP address: <nil>
|--Custom cipher:
|--Custom auth algorithm:
PIA settings:
|--User: [redacted]
|--Password: [redacted]
|--Region: xx
|--Encryption: strong
|--Port forwarding: off
System settings:
|--User ID: 1000
|--Group ID: 1000
|--Timezone: x/x
|--IP Status filepath: /ip
DNS over TLS settings:
|--DNS over TLS provider:
|--cloudflare
|--Caching: enabled
|--Block malicious: enabled
|--Block surveillance: disabled
|--Block ads: disabled
|--Allowed hostnames:
|--
|--Private addresses:
|--127.0.0.1/8
|--10.0.0.0/8
|--172.16.0.0/12
|--192.168.0.0/16
|--169.254.0.0/16
|--::1/128
|--fc00::/7
|--fe80::/10
|--::ffff:0:0/96
|--Verbosity level: 1/5
|--Verbosity details level: 0/4
|--Validation log level: 0/2
|--IPv6 resolution: disabled
Firewall settings:
|--Allowed subnets: 10.0.0.0/24
TinyProxy settings: disabled
ShadowSocks settings: disabled
2020-05-03T09:04:11.280Z INFO openvpn configurator: checking for device /dev/net/tun
2020-05-03T09:04:11.280Z WARN TUN device is not available: open /dev/net/tun: no such file or directory
2020-05-03T09:04:11.280Z INFO openvpn configurator: creating /dev/net/tun
2020-05-03T09:04:11.281Z INFO openvpn configurator: writing auth file /etc/openvpn/auth.conf
2020-05-03T09:04:11.281Z INFO routing: detecting default network route
2020-05-03T09:04:11.281Z INFO routing: default route found: interface eth2, gateway 172.18.0.1, subnet 10.20.0.0/24
2020-05-03T09:04:11.281Z INFO firewall configurator: accepting all traffic
2020-05-03T09:04:11.283Z ERROR failed executing "-P INPUT ACCEPT": iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.: exit status 3
Did you figure out which modules were missing? I'll add that to the readme, thanks for reporting it.
I unfortunately have the exact same issue when running using the instructions from README.md.
Running version latest built on 2020-05-02T17:09:01Z (commit 754bab9)
...
2020-05-03T13:01:07.857Z INFO Unbound version: 1.9.6
2020-05-03T13:01:07.862Z INFO IPtables version: v1.8.3
2020-05-03T13:01:07.947Z INFO TinyProxy version: 1.10.0
2020-05-03T13:01:07.954Z INFO ShadowSocks version: 3.3.4
2020-05-03T13:01:07.959Z INFO OpenVPN version: 2.4.8
...
2020-05-03T13:01:07.963Z INFO openvpn configurator: checking for device /dev/net/tun
2020-05-03T13:01:07.964Z WARN TUN device is not available: open /dev/net/tun: no such file or directory
2020-05-03T13:01:07.964Z INFO openvpn configurator: creating /dev/net/tun
2020-05-03T13:01:07.965Z INFO openvpn configurator: /etc/openvpn/auth.conf already exists
2020-05-03T13:01:07.965Z INFO routing: detecting default network route
2020-05-03T13:01:07.966Z INFO routing: default route found: interface eth0, gateway 172.28.0.1, subnet 172.28.0.0/16
2020-05-03T13:01:07.967Z INFO firewall configurator: accepting all traffic
2020-05-03T13:01:07.973Z ERROR failed executing "-P INPUT ACCEPT": iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.: exit status 3
Are you guys sure you run the container with NET_ADMIN capabilities? Because it seems very similar to this issue.
Hi,
Yes I ran it with net_admin.
Best regards,
David
Ah, I did not, and running it with NET_ADMIN seemed to fix my issue indeed. Thanks @qdm12.
Cool, how about you @winklevos? Just trying to narrow down the issue.
@dvinik what's your host OS and kernel (use `uname -a`)? And your host iptables version (from the top of my head)?
Linux XNAS 4.14.24-qnap #1 SMP Fri Apr 10 05:12:19 CST 2020 x86_64 GNU/Linux
iptables v1.4.21
On your host, can you try `lsmod | grep ip` and post back the results? I just tried on a Synology NAS I had and it works, I can compare the kernel ip related modules you have with the ones on my NAS.
I am running with NET_ADMIN.
host: Linux default 4.14.154-boot2docker #1 SMP Thu Nov 14 19:19:08 UTC 2019 x86_64 GNU/Linux
iptables: iptables v1.8.2 (legacy)
lsmod:
ip_vs_rr 16384 19
iptable_mangle 16384 3
xt_ipvs 16384 3
ip_vs 118784 22 ip_vs_rr,xt_ipvs
ip6_udp_tunnel 16384 1 vxlan
ipt_MASQUERADE 16384 5
nf_nat_masquerade_ipv4 16384 1 ipt_MASQUERADE
iptable_filter 16384 10
iptable_nat 16384 14
nf_conntrack_ipv4 16384 120
nf_defrag_ipv4 16384 1 nf_conntrack_ipv4
nf_nat_ipv4 16384 1 iptable_nat
nf_nat 24576 4 nf_nat_redirect,xt_nat,nf_nat_masquerade_ipv4,nf_nat_ipv4
nf_conntrack 81920 11 xt_state,ip_vs,xt_REDIRECT,xt_nat,xt_conntrack,ipt_MASQUERADE,nf_nat_masquerade_ipv4,nf_conntrack_netlink,nf_conntrack_ipv4,nf_nat_ipv4,nf_nat
@winklevos can you also share the exact docker command or docker-compose you're using, without credentials?
@ElleshaHackett Here is the compose
```yaml
version: "3.7"
services:
  pia:
    image: qmcgaw/private-internet-access
    container_name: pia
    cap_add:
      - NET_ADMIN
    network_mode: bridge
    init: true
    ports:
      - 8000:8000/tcp
    environment:
      - VPNSP=private internet access
      - USER=<REDACTED>
      - PROTOCOL=udp
      - PASSWORD=<REDACTED>
      - REGION=AU Sydney
      - PIA_ENCRYPTION=strong
      - OPENVPN_VERBOSITY=1
      - OPENVPN_ROOT=yes
      - TZ=Australia/Sydney
      - PORT_FORWARDING=off
      - DOT=off
      - DOT_PROVIDERS=cloudflare
      - DOT_IPV6=off
      - DOT_VERBOSITY=1
      - BLOCK_MALICIOUS=on
      - BLOCK_SURVEILLANCE=off
      - BLOCK_ADS=off
      - EXTRA_SUBNETS=10.0.0.0/24
    restart: always
```
@winklevos your docker-compose.yml seems fine. Maybe you could try it with `privileged: true` just in case it solves it.
Regarding your kernel modules, on my side I have:
iptables v1.6.0
xt_ipvs 2202 0
ip_vs_rr 1447 0
ip_vs 127371 3 ip_vs_rr,xt_ipvs
iptable_mangle 1656 0
nf_conntrack_ipv6 6563 0
nf_defrag_ipv6 23062 1 nf_conntrack_ipv6
ip6table_filter 1532 0
ip6_tables 14730 1 ip6table_filter
ipt_MASQUERADE 1213 6
nf_nat_masquerade_ipv4 1929 1 ipt_MASQUERADE
iptable_nat 1959 7
nf_nat_ipv4 4903 1 iptable_nat
nf_nat 10925 4 nf_nat_redirect,nf_nat_ipv4,xt_nat,nf_nat_masquerade_ipv4
xt_iprange 1648 0
xt_multiport 1830 0
nf_conntrack_ipv4 11616 3
nf_defrag_ipv4 1475 1 nf_conntrack_ipv4
nf_conntrack 62480 8 ip_vs,nf_nat,xt_state,nf_nat_ipv4,xt_conntrack,nf_nat_masquerade_ipv4,nf_conntrack_ipv4,nf_conntrack_ipv6
iptable_filter 1592 1
ip_tables 14092 3 iptable_filter,iptable_mangle,iptable_nat
x_tables 16302 19 ip6table_filter,xt_ipvs,xt_iprange,xt_mark,xt_recent,ip_tables,xt_tcpudp,ipt_MASQUERADE,xt_limit,xt_state,xt_conntrack,xt_LOG,xt_nat,xt_multiport,iptable_filter,xt_REDIRECT,iptable_mangle,ip6_tables,xt_addrtype
ip6_udp_tunnel 1903 1 vxlan
ip_tunnel 13200 1 sit
ipv6 336006 197 sit,ip_vs,nf_defrag_ipv6,nf_conntrack_ipv6
iptables v1.8.4 (legacy)
ip6_udp_tunnel 16384 1 wireguard
iptable_filter 16384 5
iptable_nat 16384 23
nf_nat 49152 4 xt_nat,xt_NETMAP,iptable_nat,xt_MASQUERADE
nf_defrag_ipv6 24576 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
ip_tables 36864 2 iptable_filter,iptable_nat
x_tables 49152 8 xt_conntrack,iptable_filter,xt_tcpudp,xt_addrtype,xt_nat,xt_NETMAP,ip_tables,xt_MASQUERADE
iptables v1.8.3 (legacy)
ip6_udp_tunnel 16384 1 wireguard
ipt_MASQUERADE 16384 3
iptable_nat 16384 1
nf_nat_ipv4 16384 2 ipt_MASQUERADE,iptable_nat
iptable_filter 16384 1
ip_tables 24576 2 iptable_filter,iptable_nat
x_tables 40960 5 xt_conntrack,iptable_filter,ipt_MASQUERADE,xt_addrtype,ip_tables
nf_nat 36864 1 nf_nat_ipv4
nf_conntrack 126976 5 xt_conntrack,nf_nat,ipt_MASQUERADE,nf_nat_ipv4,nf_conntrack_netlink
nf_defrag_ipv6 16384 1 nf_conntrack
nf_defrag_ipv4 16384 1 nf_conntrack
ipv6 425984 48 bridge,wireguard
Let me re-read, I'll edit the comment with a conclusion 😉
So your iptables host version should be fine, as my old 1.6.x works.
Actually, before digging into these ugly kernel modules, can you guys @winklevos and @dvinik play around with

```console
docker run -it --rm --cap-add=NET_ADMIN alpine:3.11
/ # apk --update add iptables
/ # iptables -P INPUT ACCEPT
```

to see if it works? That's the command failing in the pia container, maybe it's another reason than your host OS kernel.
If it still doesn't work, I can change the iptables commands to run older fashion rules. This `-P` uses the slightly newer chain table policy, basically instructing the input table to have an accept policy by default. You can imitate that with a bunch of simpler iptables rules which might work on your system (and possibly other people having the problem too).
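The error in the logs (`Permission denied (you must be root)`) is what iptables reports when the process lacks CAP_NET_ADMIN, whether or not it runs as root. The following is an added diagnostic script, not part of the project or the thread, that decodes the effective capability mask of the current process from `/proc/self/status` (CAP_NET_ADMIN is capability number 12, so bit 12 of the `CapEff` hex mask), checks for `/dev/net/tun`, and then runs the same `iptables -P INPUT ACCEPT` test as above when iptables is installed. The sample masks in the usage note are constructed from the Docker default capability set and from a full root mask.

```shell
#!/bin/sh
# Added diagnostic (not project code): does this process hold CAP_NET_ADMIN?
# CAP_NET_ADMIN is capability number 12, i.e. bit 12 of the CapEff mask
# printed as hexadecimal in /proc/self/status.
CAP_NET_ADMIN_BIT=12

# cap_set MASK_HEX BIT -> exit status 0 if BIT is set in the hex mask
cap_set() {
    mask_hex=$1
    bit=$2
    [ $(( (0x$mask_hex >> $bit) & 1 )) -eq 1 ]
}

# has_net_admin MASK_HEX -> prints "yes" or "no"
has_net_admin() {
    if cap_set "$1" "$CAP_NET_ADMIN_BIT"; then echo yes; else echo no; fi
}

# read_capeff -> prints the CapEff mask of the current process (Linux only)
read_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# main: run the three checks a container with OpenVPN + iptables needs.
main() {
    capeff=$(read_capeff)
    echo "CapEff: $capeff  CAP_NET_ADMIN: $(has_net_admin "$capeff")"
    if [ -c /dev/net/tun ]; then
        echo "/dev/net/tun: present"
    else
        echo "/dev/net/tun: missing (pass --device /dev/net/tun or let the container mknod it)"
    fi
    if command -v iptables >/dev/null 2>&1; then
        # Same command the pia container runs first; exit status 3 with
        # "Permission denied" means the capability is not effective.
        iptables -P INPUT ACCEPT
        echo "iptables -P INPUT ACCEPT exit code: $?"
    fi
}

# Only run the checks when invoked with an argument, e.g. `sh check-caps.sh check`,
# so the functions can also be sourced by a test without touching iptables.
if [ "$#" -gt 0 ]; then
    main
fi
```

Usage: copy the script into any container and run `sh check-caps.sh check`. With Docker's default capability set the mask is `00000000a80425fb` and `has_net_admin` prints `no`; adding `--cap-add=NET_ADMIN` sets bit 12 (`00000000a80435fb`) and it prints `yes`. Note that `privileged: true`, suggested above as a test, grants every capability plus host device access, which is far broader than `cap_add: NET_ADMIN`; once the capability is confirmed as the cause, keep the narrow grant.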
`privileged: true` didn't do anything.
Was this meant to output anything? It didn't throw any error:
```console
docker run -it --rm --cap-add=NET_ADMIN alpine:3.11
/ # apk --update add iptables
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/3) Installing libmnl (1.0.4-r0)
(2/3) Installing libnftnl-libs (1.1.5-r0)
(3/3) Installing iptables (1.8.3-r2)
Executing busybox-1.31.1-r9.trigger
OK: 8 MiB in 17 packages
/ # iptables -P INPUT ACCEPT
/ #
```
(edit: removed unneeded 2nd part)
That's odd, it's working / not complaining.
Just to be sure, try:

```sh
docker run -it --rm --cap-add=NET_ADMIN alpine:3.11
apk --update add iptables
iptables -P INPUT ACCEPT
echo "exit code: $?"
exit
```

If it works, it should output `exit code: 0`.
If it works, try (just to be paranoid sure):

```sh
docker run -it --rm --cap-add=NET_ADMIN --entrypoint=/bin/sh qmcgaw/private-internet-access
iptables -P INPUT ACCEPT
echo "exit code: $?"
exit
```

And let me know if it outputs `exit code: 0` as well.
@qdm12
Both seemed to work.

```console
apk --update add iptables
iptables -P INPUT ACCEPT
echo "exit code: $?"
exit
/ # apk --update add iptables
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.11/community/x86_64/APKINDEX.tar.gz
(1/3) Installing libmnl (1.0.4-r0)
(2/3) Installing libnftnl-libs (1.1.5-r0)
(3/3) Installing iptables (1.8.3-r2)
Executing busybox-1.31.1-r9.trigger
OK: 8 MiB in 17 packages
/ # iptables -P INPUT ACCEPT
/ # echo "exit code: $?"
exit code: 0
```

```console
Unable to find image 'qmcgaw/private-internet-access:latest' locally
latest: Pulling from qmcgaw/private-internet-access
cbdbe7a5bc2a: Already exists
14da45486dac: Pull complete
55581d923200: Pull complete
Digest: sha256:cf7f1736aa2496f53c96bb90ae29e81d13eeb7e2f024612629c686e73300b9b5
Status: Downloaded newer image for qmcgaw/private-internet-access:latest
iptables -P INPUT ACCEPT
echo "exit code: $?"
exit
/ # iptables -P INPUT ACCEPT
/ # echo "exit code: $?"
exit code: 0
```
I was using Portainer for compose creation, I bet that is the issue
Please tell me it's Portainer because I'm running low on ideas :laughing:
I think Portainer doesn't support docker-compose 3 which might be needed for NET_ADMIN, although I believe other people are running it with Portainer? Maybe @Frepke do/did you run it with Portainer?
No sorry, I'm running docker-compose.yml -d from the terminal.
But @winklevos wrote in an earlier post:
> I'm seeing this error too, here is the complete log. Using docker compose, on a boot2docker image in virtbox.
@winklevos can you try with the terminal just to make sure it works? Let me know if you need help.
I think @HerbM3 is running it with Portainer though.
Quentin,
Did you see the edit in my previous post about @winklevos earlier post?
If I `docker-compose up` the exact same compose, it works outside of Portainer; unable to get traffic flow, but it's not failing to start.
Hi winklevos,
How do you check the traffic flow?
`docker run --rm --network=container:pia tianon/speedtest --accept-license` should work.
Yes, works for me.
huh, server AU Sydney results in a TLS error for me.. I wonder if that caused it - EDIT nope
I'm glad it worked! You can use that wget ipinfo command in the readme to check it works as well.
So Portainer doesn't work it seems. It must be because of the NET_ADMIN option not being used correctly. Just out of curiosity what version of Portainer do you use? Maybe it would work with a docker run command in Portainer without docker-compose?
I did a bit of testing with the compose file posted 9 days ago. It didn't work for me either. But @winklevos, could you try that file with REGION=netherlands and DOT=on, because that worked for me with the above compose file.
DOT=off is working as well.
You mean it doesn't work for certain regions? Maybe the Ip addresses changed. Please let me know which and I'll re-check their IPs.
I checked my own compose file with REGION=AU Sydney, but it isn't working for me either.
AU Melbourne works, so I suspect the addresses have changed @qdm12.
I'm moving from my current docker setup as containers crash all the time, so I'll probably just manually do compose without Portainer anyway. I think the issue here was that Portainer cannot create / run the new container as root so it cannot get network permissions. There seems to be a lot of chat on Portainer's side as they need to redo a bunch of work to get to v3.
I'll check for AU sydney, please comment on #159 if you get the bug again for any region with some logs of the error if possible.
@dvinik is it still not working for you? Are you using Portainer as well?
I'll add information to the FAQ and close the issue then.
Added Portainer error to wiki thanks to all of you 👍 Also @winklevos I fixed #159 : re-resolved all ipv4 addresses for pia and windscribe so it should work 'better', for now at least!