tenseiken / docker-qbittorrent-wireguard

Docker container which runs qBittorrent-nox (headless) client while connecting to WireGuard.
GNU General Public License v3.0

on launch container crashes with exit code 2 #4

Open MysteriousLounger opened 1 month ago

MysteriousLounger commented 1 month ago

I'm currently trying to transition to your new, better version of qbittorrent-vpn; I'm currently running the old, unmaintained version by dyonr. However, the new container crashes with exit code 2. Upon inspecting the logs, it seems that the crash happens shortly after a resolvconf error. The end of the log looks like this:

2024-07-24 23:38:55.250271 [INFO] Starting WireGuard...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 100.72.182.83/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
could not detect a useable init system
[#] wg set wg0 fwmark 51820
[#] ip -6 route add ::/0 dev wg0 table 51820
Error: IPv6 is disabled on nexthop device.
[#] resolvconf -d wg0 -f
could not detect a useable init system
[#] ip link delete dev wg0

It seems exit code 2 is likely to have been caused by a permissions error. It's worth noting that I set the values of PUID and PGID both to 1000, and did chown -R 1000;1000 on the folders that are used by the container. However, after running the container, it crashes, and the permissions for the wireguard folder in the config mount point get all messed up (execute access is removed so the folder can't be opened). After correcting the folder permissions, the old container still runs fine.

If there is any advice you have I would be very grateful, as I am looking forward to using your version, as I'll be able to set the UID and GID of the container so that my folders stop getting their ownership changed to root. Cheers

Additional info that might be relevant, in case I made some sort of blunder setting up my container.

/// old container set-up command, works
docker run --privileged \
    -d \
    -v /media/hdd1/docker-configs/:/config \
    -v /media/hdd1/Videos/:/downloads \
    -e "VPN_ENABLED=yes" \
    -e "VPN_TYPE=wireguard" \
    -e "LAN_NETWORK=192.168.1.0/24" \
    -p 8080:8080 \
    --restart unless-stopped \
    --name old-qbittorent-vpn \
    dyonr/qbittorrentvpn

/// new container set-up command, results in constant crash and restart loop
docker run -d \
    -v /media/hdd1/docker-configs/:/config \
    -v /media/hdd1/Videos/:/downloads \
    -e "PUID=1000" \
    -e "PGID=1000" \
    -e "LAN_NETWORK=192.168.1.0/24" \
    -e "QBT_LEGAL_NOTICE=confirm" \
    -p 8080:8080 \
    --cap-add NET_ADMIN \
    --sysctl "net.ipv4.conf.all.rp_filter=2" \
    --sysctl "net.ipv4.conf.all.src_valid_mark=1" \
    --sysctl "net.ipv6.conf.all.disable_ipv6=1" \
    --restart unless-stopped \
    --privileged \
    --name qbittorrent-wireguard \
    tenseiken/qbittorrent-wireguard

tenseiken commented 1 month ago

You may want to double check that your primary user group is in fact 1000. Mine is 100, but it will vary based on your distro, etc. If you run id $USER on your host system (outside of the container) as the user you want to map to, it should display your user ID and primary group ID. Looking through the scripts, though, I don't see anything that alters the wireguard config directory's permissions, so it must be something Wireguard itself is trying to do.

What I'm seeing in the log you provided makes me think that Wireguard isn't starting. If it was working OK without the sysctls, try removing those one at a time from your run command and checking the logs again to see if one of them is causing the problem.

I also noticed that you don't appear to be exposing a port for qBittorrent's traffic. That shouldn't be causing the problem you're seeing right now, but it will make you less connectable. You will probably be able to download OK, but uploading will likely be sporadic at best. You should do one of the following:

tenseiken commented 1 month ago

Actually, I think the problem may be with the qbtUser that gets created by the underlying docker-qbittorrent-nox official image. This is the user that runs qBittorrent, so files will be created owned by that user. That user is created as user 1000, primary group 100. I think the reason it works for me is because that's identical to what my UID and primary GID are on my host machine, but for you it seems like your primary GID is 1000. So the script is using the UID and GID you provide with environment variables, but the qbtUser is using 1000:100 regardless.

That user gets created in docker-qbittorrent-nox's Dockerfile, so I can't change the way it's created. What I may be able to do is alter that user after it's been created but before starting qbittorrent with a usermod statement. Checking into that now.

tenseiken commented 1 month ago

OK, I got it sorted out in a29f16a052e75c7a3798778cbbb9fef7f95f2801 and pushed a new build to dockerhub. Pull the latest and see if it's still causing problems for UID:GID 1000:1000.

Apparently when I was initially doing this I just forgot to work out the user running the qBittorrent client because it already worked for me, coincidentally, because everything already matched up on my server.

MysteriousLounger commented 3 weeks ago

Hi, thanks for replying so quickly and so sorry that I've not followed up until now. I pulled the latest image, and also added another port forward as per your other suggestion, but unfortunately the container still constantly restarts with exit code 2, and produces the same log as before. I also tried setting the UID:GID to 0:0, which is the root user and group, to see if that had any effect, but it also failed.

MysteriousLounger commented 3 weeks ago

In order to try to figure out what was going on, I checked the logs of the old version to see how they compare with the output I posted above. The old container does quite a few things before it actually starts initializing the WireGuard connection. The logs start to match at the following line, and there are only a few differences until the resolvconf failure:

/// old logs, starting from the line when they match the new logs

2024-08-06 00:40:24.395024 [INFO] The container is currently running iptables v1.8.7 (nf_tables).
2024-08-06 00:40:24.425621 [INFO] VPN_TYPE defined as 'wireguard'
2024-08-06 00:40:24.460740 [INFO] WireGuard config file is found at /config/wireguard/wg0.conf
dos2unix: converting file /config/wireguard/wg0.conf to Unix format...
2024-08-06 00:40:24.489958 [INFO] VPN remote line defined as 'yvr-124-wg.whiskergalaxy.com:65142'
2024-08-06 00:40:24.517943 [INFO] VPN_REMOTE defined as 'yvr-124-wg.whiskergalaxy.com'
2024-08-06 00:40:24.544026 [INFO] VPN_PORT defined as '65142'
2024-08-06 00:40:24.570160 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2024-08-06 00:40:24.594740 [INFO] VPN_DEVICE_TYPE set as 'wg0', since WireGuard will always be wg0.
2024-08-06 00:40:24.623324 [INFO] LAN_NETWORK defined as '192.168.1.0/24'
2024-08-06 00:40:24.651281 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2024-08-06 00:40:24.679519 [INFO] Adding 1.1.1.1 to resolv.conf
2024-08-06 00:40:24.707687 [INFO] Adding 8.8.8.8 to resolv.conf
2024-08-06 00:40:24.736520 [INFO] Adding 1.0.0.1 to resolv.conf
2024-08-06 00:40:24.762828 [INFO] Adding 8.8.4.4 to resolv.conf
2024-08-06 00:40:24.794996 [INFO] PUID not defined. Defaulting to root user
2024-08-06 00:40:24.819439 [INFO] PGID not defined. Defaulting to root group
2024-08-06 00:40:24.846556 [INFO] Starting WireGuard...
Warning: `/config/wireguard/wg0.conf' is world accessible
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 100.72.182.83/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
[#] wg set wg0 fwmark 51820

/// logs from the new container;

2024-08-10 20:09:09.058651 [INFO] The container is currently running iptables v1.8.10 (nf_tables).
2024-08-10 20:09:09.093654 [INFO] WireGuard config file is found at /config/wireguard/wg0.conf
2024-08-10 20:09:09.127143 [INFO] VPN remote line defined as 'yvr-124-wg.whiskergalaxy.com:65142'
2024-08-10 20:09:09.165365 [INFO] VPN_REMOTE defined as 'yvr-124-wg.whiskergalaxy.com'
2024-08-10 20:09:09.196719 [INFO] VPN_PORT defined as '65142'
2024-08-10 20:09:09.232533 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
2024-08-10 20:09:09.263814 [INFO] VPN_DEVICE_TYPE set as 'wg0', since WireGuard will always be wg0.
2024-08-10 20:09:09.296175 [INFO] LAN_NETWORK defined as '192.168.1.0/24'
2024-08-10 20:09:09.329341 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
2024-08-10 20:09:09.375714 [INFO] Adding 1.1.1.1 to resolv.conf
2024-08-10 20:09:09.413812 [INFO] Adding 8.8.8.8 to resolv.conf
2024-08-10 20:09:09.458613 [INFO] Adding 1.0.0.1 to resolv.conf
2024-08-10 20:09:09.506086 [INFO] Adding 8.8.4.4 to resolv.conf
2024-08-10 20:09:09.544570 [INFO] Starting WireGuard...
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 100.72.182.83/32 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] resolvconf -a wg0 -m 0 -x
could not detect a useable init system
[#] wg set wg0 fwmark 51820

the differences that I've noticed are as follows:

Anyway, to me it looks like the missing dos2unix conversion might be at fault. None of the other differences really seem like promising leads. Thanks again though for having a look at this, I'm very grateful for the help as I don't have a particularly strong grasp on docker containers yet!

tenseiken commented 3 weeks ago

So that dos2unix thing basically converts any Windows-style line breaks (which consist of a carriage return and a line feed) to Unix-style line breaks (which are just a line feed without a carriage return). If your WireGuard config file is already in the proper format it shouldn't matter that this isn't being run. I took it out because I didn't really need it. I use Proton for my VPN service and one of the download options already has the correct line breaks for Linux, but there are options if you can only get a copy of the file with Windows line breaks. You could use Notepad++ in Windows and change the line break style with it, for example. You could also use sed or something like that to do it.

You should be setting the PUID and PGID environment variables to the correct values for those on your host system if you want everything to map up right. I'm not sure how the old version handled them (though it looks like there's logic to default to root:root), but they're required in the new one. Null values will be a problem.

That line about wg0.conf being world accessible is WireGuard itself telling you that the permissions for the file are set to allow every user on the system to read its contents, including your private key. That warning is just to let you know that for security's sake you should probably chmod it to 660 or similar so that other users on the same system can't read it. You shouldn't see that happen in my image because there's a line before starting WireGuard that recursively chmods the /config/wireguard directory to 660, which makes that file not world accessible.

All that said, does your log end at the point you cut off there? I don't have that line about could not detect a useable init system in my logs. It sounds like WireGuard isn't actually starting.
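The permission and line-ending points in the comment above, as an added shell example that is not the project's entrypoint code. It assumes GNU coreutils (`stat -c`) and POSIX `find`/`tr`/`grep`; the demo directory and the `PLACEHOLDER` key in the usage comment are constructed. One caveat worth knowing: a recursive `chmod 660` also clears the execute bit on the directory itself, and a directory without execute permission cannot be entered, so this example gives directories 700 and files 600 instead of one mode for both.

```shell
#!/bin/sh
# Added example (not the project's entrypoint code): restrict a WireGuard
# config directory so the private key is not world-readable, without
# stripping the execute bit a directory needs in order to be entered, and
# normalise Windows (CRLF) line endings the way dos2unix would.
# Assumes GNU coreutils (stat -c) and POSIX find/tr/grep.

# Directories get 700 (owner may list and enter), files get 600
# (owner-only read/write). A blanket "chmod -R 660" would also remove
# the execute bit from the directory, which is why it stops opening.
harden_wg_config() {
    dir="$1"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
}

# Strip carriage returns (CRLF -> LF) via a temp file, so a failure midway
# leaves the original untouched. Run harden_wg_config after this: the
# rewritten file is created with the current umask, not the old mode.
normalize_line_endings() {
    f="$1"
    tr -d '\r' < "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Return 0 if any file under the directory is readable by "other".
# wg-quick's "is world accessible" warning fires for any permission bit set
# for "other"; the read bit is the one that exposes the private key.
has_world_readable() {
    [ -n "$(find "$1" -type f -perm -004)" ]
}

# Return 0 if the file still contains a carriage return.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Octal mode of a path, e.g. "700".
mode_of() {
    stat -c '%a' "$1"
}

# Usage (constructed directory, placeholder key, not a real config):
#   mkdir -p /tmp/wg-demo
#   printf '[Interface]\r\nPrivateKey = PLACEHOLDER\r\n' > /tmp/wg-demo/wg0.conf
#   normalize_line_endings /tmp/wg-demo/wg0.conf
#   harden_wg_config /tmp/wg-demo
#   has_world_readable /tmp/wg-demo || echo "private key no longer world-readable"
```

Running `has_world_readable` on the mounted config directory before starting the container reproduces the condition behind the warning in the old logs; `has_crlf` reproduces what the removed dos2unix step was guarding against.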

erredi commented 2 weeks ago

Hello! I have the same error while running the container; it keeps restarting with exit code 2 and I have the same error in the logs: could not detect a useable init system. Were you able to find a solution?

I have tried installing it on other machines with other operating systems and different CPU architectures, but the error persists, so the error is not related to the host. I would like to add that the WireGuard server I am connecting to is working properly, and the wg0.conf file works properly when used to connect to the server, so it is not a misconfiguration of the WireGuard server either.

I share my log with you; I have only masked the domain of my WireGuard server with x's for privacy reasons.

qbittorrent-wireguard    | 2024-08-24 11:32:39.669955 [INFO] The container is currently running iptables v1.8.10 (nf_tables).
qbittorrent-wireguard    | 2024-08-24 11:32:39.745445 [INFO] WireGuard config file is found at /config/wireguard/wg0.conf
qbittorrent-wireguard    | 2024-08-24 11:32:39.803889 [INFO] VPN remote line defined as 'xxx.xxx.xxx.xxx:51820'
qbittorrent-wireguard    | 2024-08-24 11:32:39.835242 [INFO] VPN_REMOTE defined as 'xxx.xxx.xxx.xxx'
qbittorrent-wireguard    | 2024-08-24 11:32:39.868818 [INFO] VPN_PORT defined as '51820'
qbittorrent-wireguard    | 2024-08-24 11:32:39.897281 [INFO] VPN_PROTOCOL set as 'udp', since WireGuard is always udp.
qbittorrent-wireguard    | 2024-08-24 11:32:39.928749 [INFO] VPN_DEVICE_TYPE set as 'wg0', since WireGuard will always be wg0.
qbittorrent-wireguard    | 2024-08-24 11:32:39.977166 [INFO] LAN_NETWORK defined as '192.168.1.0/24'
qbittorrent-wireguard    | 2024-08-24 11:32:40.043209 [WARNING] NAME_SERVERS not defined (via -e NAME_SERVERS), defaulting to CloudFlare and Google name servers
qbittorrent-wireguard    | 2024-08-24 11:32:40.115813 [INFO] Adding 1.1.1.1 to resolv.conf
qbittorrent-wireguard    | 2024-08-24 11:32:40.157451 [INFO] Adding 8.8.8.8 to resolv.conf
qbittorrent-wireguard    | 2024-08-24 11:32:40.187396 [INFO] Adding 1.0.0.1 to resolv.conf
qbittorrent-wireguard    | 2024-08-24 11:32:40.219597 [INFO] Adding 8.8.4.4 to resolv.conf
qbittorrent-wireguard    | 2024-08-24 11:32:40.247628 [INFO] Starting WireGuard...
qbittorrent-wireguard    | [#] ip link add wg0 type wireguard
qbittorrent-wireguard    | [#] wg setconf wg0 /dev/fd/63
qbittorrent-wireguard    | [#] ip -4 address add 10.7.0.14/24 dev wg0
qbittorrent-wireguard    | [#] ip link set mtu 1420 up dev wg0
qbittorrent-wireguard    | [#] resolvconf -a wg0 -m 0 -x
qbittorrent-wireguard    | could not detect a useable init system
qbittorrent-wireguard    | [#] wg set wg0 fwmark 51820
qbittorrent-wireguard    | [#] ip -6 route add ::/0 dev wg0 table 51820
qbittorrent-wireguard    | Error: IPv6 is disabled on nexthop device.
qbittorrent-wireguard    | [#] resolvconf -d wg0 -f
qbittorrent-wireguard    | could not detect a useable init system
qbittorrent-wireguard    | [#] ip link delete dev wg0

tenseiken commented 1 week ago

In your case, it might be good to make sure you have configured the container not to use IPv6. The following are the sysctls I use in my docker-compose yaml file. This container runs on a network that doesn't use IPv6.

    sysctls:
      - "net.ipv4.conf.all.src_valid_mark=1"
      - "net.ipv4.conf.all.rp_filter=2"
      - "net.ipv6.conf.all.disable_ipv6=1"

I'd say try these first and see what changes in the log.
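An added shell check (not the project's code) for the conflict visible in the logs above between `net.ipv6.conf.all.disable_ipv6=1` and a wg0.conf whose AllowedIPs include `::/0`. wg-quick installs a route for every AllowedIPs entry, so an IPv6 entry produces the `ip -6 route add ::/0 dev wg0 table 51820` step that fails with "IPv6 is disabled on nexthop device", after which wg-quick tears the interface down again. The function names are hypothetical, and the sample config in the test is constructed with placeholder keys.

```shell
#!/bin/sh
# Added example, not part of the project: inspect a wg0.conf to see whether
# wg-quick will try to install IPv6 routes, and tell the user whether that
# clashes with the disable_ipv6 sysctl set on the container.
# Assumes POSIX awk; uses only [ \t] in patterns so mawk also works.

# Print the IPv6 entries found in AllowedIPs, one per line. Entries are
# comma-separated and may carry whitespace; an IPv6 entry contains ':'.
ipv6_allowed_ips() {
    awk -F'=' '
        /^[ \t]*AllowedIPs[ \t]*=/ {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", a[i])
                if (index(a[i], ":") > 0) print a[i]
            }
        }' "$1"
}

# Return 0 if the config would make wg-quick add an IPv6 route.
routes_ipv6() {
    [ -n "$(ipv6_allowed_ips "$1")" ]
}

# Return 0 if IPv6 is disabled for all interfaces in this network namespace,
# which is what --sysctl "net.ipv6.conf.all.disable_ipv6=1" does.
ipv6_disabled() {
    [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null)" = "1" ]
}

# Write a copy of the config with the IPv6 AllowedIPs entries removed, for a
# container that has IPv6 disabled. IPv4 entries and all other lines are kept.
strip_ipv6_allowed_ips() {
    awk -F'=' '
        /^[ \t]*AllowedIPs[ \t]*=/ {
            n = split($2, a, ","); out = ""
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", a[i])
                if (a[i] != "" && index(a[i], ":") == 0)
                    out = (out == "") ? a[i] : out ", " a[i]
            }
            if (out != "") print "AllowedIPs = " out
            next
        }
        { print }' "$1"
}

# Verdict: 0 = IPv4-only config, disable_ipv6=1 is harmless;
# 1 = config routes IPv6, keep IPv6 enabled on the device;
# 2 = config routes IPv6 and IPv6 is disabled here, wg-quick will fail.
check_config() {
    if routes_ipv6 "$1"; then
        if ipv6_disabled; then
            echo "conflict: $1 routes IPv6 but IPv6 is disabled; drop the IPv6 AllowedIPs entry or the disable_ipv6 sysctl"
            return 2
        fi
        echo "$1 routes IPv6; keep IPv6 enabled on the wg0 device"
        return 1
    fi
    echo "$1 is IPv4-only; disable_ipv6=1 is safe"
    return 0
}

# Usage inside the container, before WireGuard is started:
#   check_config /config/wireguard/wg0.conf
#   strip_ipv6_allowed_ips /config/wireguard/wg0.conf > /config/wireguard/wg0-v4.conf
```

Dropping `::/0` from AllowedIPs means IPv6 traffic from the container is no longer sent through the tunnel, which is only acceptable when IPv6 is in fact disabled in the container; otherwise keep the entry and leave IPv6 enabled, as the fix reported later in this thread does.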

erredi commented 1 week ago

Well... that's weird. I already have that configuration in my yaml file and it wasn't working, so as a test I decided to remove them, and now it works perfectly: the container connects to the WireGuard tunnel and I can get to the login screen of qBittorrent. Thank you for that :D

tenseiken commented 1 week ago

Yeah, I figured it was probably something different in your network compared to mine. Glad you got it working. @MysteriousLounger you might try the same thing: if you have those sysctls already in your container, try removing them or changing the values.