qdm12 / gluetun

VPN client in a thin Docker container for multiple VPN providers, written in Go, and using OpenVPN or Wireguard, DNS over TLS, with a few proxy servers built-in.
https://hub.docker.com/r/qmcgaw/gluetun
MIT License
6.71k stars 331 forks

Bug: if DOT on container will restart frequently and is unstable #2210

Closed the-hotmann closed 2 months ago

the-hotmann commented 2 months ago

Is this urgent?

No

Host OS

Debian SID

CPU arch

x86_64

VPN service provider

Surfshark

What are you using to run the container

docker-compose

What is the version of Gluetun

Running version latest built on 2024-04-02T14:51:42.917Z (commit 9821007)

What's the problem 🤔

By default the option DOT is enabled, which is nice. But independent of which VPN service and which VPN protocol I use, as soon as DOT is enabled the container acts like this:

  1. start
  2. connects
  3. obtains VPN IP
  4. says it is healthy
  5. downloads additional IPs and Lists
  6. restarts ...

Share your logs (at least 10 lines)

└── Version settings:
    └── Enabled: yes
2024-04-05T20:45:18Z INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.5 and family v4
2024-04-05T20:45:18Z INFO [routing] adding route for 0.0.0.0/0
2024-04-05T20:45:18Z INFO [firewall] setting allowed subnets...
2024-04-05T20:45:18Z INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.5 and family v4
2024-04-05T20:45:18Z INFO [dns] using plaintext DNS at address 1.1.1.1
2024-04-05T20:45:18Z INFO [http server] http server listening on [::]:8000
2024-04-05T20:45:18Z INFO [healthcheck] listening on 127.0.0.1:9999
2024-04-05T20:45:18Z INFO [firewall] allowing VPN connection...
2024-04-05T20:45:18Z INFO [wireguard] Using available kernelspace implementation
2024-04-05T20:45:18Z INFO [wireguard] Connecting to 138.199.19.206:51820
2024-04-05T20:45:18Z INFO [wireguard] Wireguard setup is complete. Note Wireguard is a silent protocol and it may or may not work, without giving any error message. Typically i/o timeout errors indicate the Wireguard connection is not working.
2024-04-05T20:45:18Z INFO [dns] downloading DNS over TLS cryptographic files
2024-04-05T20:45:19Z INFO [healthcheck] healthy!
2024-04-05T20:45:20Z INFO [dns] downloading hostnames and IP block lists
========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2024-04-02T14:51:42.917Z (commit 9821007)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-04-05T20:45:33Z WARN You are using the old environment variable HTTPPROXY_LOG, please consider changing it to HTTPPROXY_LOG
2024-04-05T20:45:33Z INFO [routing] default route found: interface eth0, gateway 172.18.0.1, assigned IP 172.18.0.5 and family v4
2024-04-05T20:45:33Z INFO [routing] local ethernet link found: eth0
2024-04-05T20:45:33Z INFO [routing] local ipnet found: 172.18.0.0/16
2024-04-05T20:45:33Z INFO [routing] local ipnet found: fe80::/64
2024-04-05T20:45:33Z INFO [firewall] enabling...
2024-04-05T20:45:33Z INFO [firewall] enabled successfully
2024-04-05T20:45:34Z INFO [storage] merging by most recent 19476 hardcoded servers and 19476 servers read from /gluetun/servers.json
2024-04-05T20:45:34Z INFO Alpine version: 3.18.6
2024-04-05T20:45:34Z INFO OpenVPN 2.5 version: 2.5.8
2024-04-05T20:45:34Z INFO OpenVPN 2.6 version: 2.6.8
2024-04-05T20:45:34Z INFO Unbound version: 1.19.3
2024-04-05T20:45:34Z INFO IPtables version: v1.8.9
2024-04-05T20:45:34Z INFO Settings summary:

Share your configuration

gluetun:
    container_name: gluetun
    image: qmcgaw/gluetun
    hostname: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    environment:
      - VPN_SERVICE_PROVIDER=surfshark
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=####CENSORED####
      - WIREGUARD_ADDRESSES=####CENSORED####
      - SERVER_COUNTRIES=####CENSORED####
      - SERVER_CITIES=####CENSORED####
      - DOT=off
    deploy:
      resources:
        limits:
          memory: 300M
    restart: unless-stopped
github-actions[bot] commented 2 months ago

@qdm12 is more or less the only maintainer of this project and works on it in his free time. Please:

the-hotmann commented 2 months ago

Oh man .. I am so sorry, I found out myself. Sorry for bothering.

The container was killed since it reached the 300MB memory limit I set for it. I never deploy containers without a memory limit. DOT now works fine, but there are two things to note:

  1. without DOT: ca. 97MB Memory usage
  2. with DOT: ca. 170MB Memory usage

BUT, while starting it peaks at ca. 465MB memory usage. I monitored the usage with docker stats and noticed that it hit the limit and therefore crashed.

I will increase the limit to 1GB of memory, but in general I think we should convert this issue to a request to optimize whatever it does when it starts DOT, as the memory spike is a little concerning.

Golang (which, thank God, this is based on ;) ) allows for integrated profiling and benchmarking, which could be super useful for detecting memory allocations and inefficient code in this section.

Thanks for your super awesome application!

P.S.: I am open for a discussion. Anyway, feel free to close this issue since this technically is resolved. A note in the docs would be nice.

the-hotmann commented 2 months ago

After increasing the memory limit to 1GB the app allows itself way more memory:

gluetun                1.27%     496.5MiB / 1GiB     48.49%    176MB / 63.1MB    197kB / 42MB      19

Even after some time it was still this high. After some tests I came to this conclusion:

Recommended container memory limit: 700MB

It would be awesome if the recommended docker-compose in the readme contained a memory limit, and a note that Gluetun itself wants about 500MB of memory but might as well work with a little less.
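The two comments above diagnose the restart loop as the cgroup memory limit killing the container during the DoT block-list download, and suggest Go's built-in profiling and a documented memory budget. The following Go program is an added example for this thread, not code from gluetun, and it makes no claim about what inside gluetun allocates the memory. It shows the three things a maintainer or operator would reach for here: parsing a hosts-format block list as a stream so peak memory tracks the entries kept rather than the size of the download, capping the Go heap at a fraction of the container's cgroup limit with debug.SetMemoryLimit (the same knob as the GOMEMLIMIT environment variable) so the garbage collector runs before the kernel OOM killer does, and exposing net/http/pprof for heap profiling. The block-list text is constructed; the cgroup v2 path, the 25% headroom factor and the pprof port are assumptions.

```go
// Added example for this issue thread; not gluetun's code.
//   1. parseBlockList streams a hosts-format list line by line (bufio.Scanner).
//   2. applyMemoryLimit sets a Go soft heap limit derived from the cgroup limit,
//      equivalent to starting the binary with GOMEMLIMIT=<bytes> (Go 1.19+).
//   3. main exposes /debug/pprof/ for "go tool pprof".
package main

import (
	"bufio"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	_ "net/http/pprof" // registers /debug/pprof/* on http.DefaultServeMux
	"os"
	"runtime"
	"runtime/debug"
	"strconv"
	"strings"
)

// Constructed sample in the hosts format most block lists use; not a real list.
const sampleBlockList = `# constructed sample, not a real list
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
127.0.0.1 Localhost-Alias.example.org evil.example.org

plain.example.com
`

// parseBlockList reads one line at a time and keeps only the host names, so
// a multi-megabyte list never has to sit in memory as one buffered string.
func parseBlockList(r io.Reader) (map[string]struct{}, error) {
	blocked := make(map[string]struct{})
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		// hosts format is "<sink IP> host [host ...]"; drop the sink address.
		if net.ParseIP(fields[0]) != nil {
			fields = fields[1:]
		}
		for _, h := range fields {
			blocked[strings.ToLower(h)] = struct{}{}
		}
	}
	return blocked, sc.Err()
}

// parseCgroupLimit parses the contents of cgroup v2 memory.max: "max" means
// unlimited, otherwise a byte count. cgroup v1 memory.limit_in_bytes parses the
// same way, except "unlimited" shows up as a very large number instead of "max".
func parseCgroupLimit(contents string) (limit int64, ok bool) {
	s := strings.TrimSpace(contents)
	if s == "max" {
		return 0, false
	}
	n, err := strconv.ParseInt(s, 10, 64)
	if err != nil || n <= 0 {
		return 0, false
	}
	return n, true
}

// applyMemoryLimit asks the Go runtime to keep its total memory at or below
// headroom*cgroupLimit and returns the soft limit that was set. The headroom
// leaves room for memory the Go runtime does not account for (other processes
// in the container, kernel buffers).
func applyMemoryLimit(cgroupLimit int64, headroom float64) int64 {
	soft := int64(float64(cgroupLimit) * headroom)
	debug.SetMemoryLimit(soft)
	return soft
}

// currentMemoryLimit reads the runtime's soft limit without changing it
// (a negative argument to SetMemoryLimit only queries).
func currentMemoryLimit() int64 {
	return debug.SetMemoryLimit(-1)
}

func heapAlloc() int64 {
	var m runtime.MemStats
	runtime.ReadMemStats(&m)
	return int64(m.HeapAlloc)
}

func main() {
	// Assumed cgroup v2 path; missing on a host without a memory cgroup limit.
	if raw, err := os.ReadFile("/sys/fs/cgroup/memory.max"); err == nil {
		if limit, ok := parseCgroupLimit(string(raw)); ok {
			fmt.Printf("cgroup limit %d MiB, Go soft limit %d MiB\n",
				limit>>20, applyMemoryLimit(limit, 0.75)>>20)
		}
	}

	before := heapAlloc()
	blocked, err := parseBlockList(strings.NewReader(sampleBlockList))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("%d hosts blocked, heap grew by %d bytes\n", len(blocked), heapAlloc()-before)

	// Profile a live process with: go tool pprof http://127.0.0.1:6060/debug/pprof/heap
	log.Println("pprof on http://127.0.0.1:6060/debug/pprof/ (Ctrl-C to stop)")
	log.Fatal(http.ListenAndServe("127.0.0.1:6060", nil))
}
```

Two caveats for applying this to the container in the thread. The Go soft limit only governs the Go process; the startup log lists Unbound and OpenVPN as separate binaries in the image, so the headroom has to cover whatever they use, and if live data genuinely exceeds the soft limit the collector just runs continuously rather than preventing the kill. Any binary built with Go 1.19 or later honours GOMEMLIMIT from its environment without code changes, so setting it in the compose `environment:` block alongside the memory limit is something to try before recompiling; whether it flattens the 465MB startup spike depends on how much of that spike is live data, which is what the heap profile would answer.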

github-actions[bot] commented 2 months ago

Closed issues are NOT monitored, so commenting here is likely to be not seen. If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project which became too popular to monitor issues closed.