[BUG] RTNETLINK error with rootless podman #366

Open
1 task done
sharmay opened this issue Dec 6, 2024 · 4 comments
Comments


sharmay commented Dec 6, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

```text
wireguard[638069]: Uname info: Linux wireguard 6.11.6-300.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 1 16:16:00
containeros wireguard[638069]: RTNETLINK answers: Operation not permitted
```

Expected Behavior

Wireguard starts and creates the tunnel

Steps To Reproduce

  1. Surfshark VPN config
  2. Container fails long before reading configs

Here is the `.container` file:

```ini
[Unit]
Description=WireGuard WG Client

[Container]
AutoUpdate=registry
Label=app=WireGuard
ContainerName=wireguard
HostName=wireguard
Network=container-intra.network
Image=lscr.io/linuxserver/wireguard:latest
UserNS=keep-id:uid=%U,gid=%G
AddCapability=NET_ADMIN
Environment=TZ=Etc/UTC
Volume=%h/wireguard/surfshark:/config:z
Sysctl="net.ipv4.conf.all.src_valid_mark=1"

[Install]
WantedBy=multi-user.target default.target
```

Environment

- OS: Fedora coreos 41
- How docker service was installed: Not using docker, testing with rootless podman and podman is part of Fedora coreos 41

```text
$ lsmod | grep wire
wireguard             122880  0
curve25519_x86_64      36864  1 wireguard
libcurve25519_generic    45056  2 curve25519_x86_64,wireguard
ip6_udp_tunnel         16384  1 wireguard
udp_tunnel             36864  1 wireguard
```


### CPU architecture

x86-64

### Container logs

```text
$ podman logs wireguard


╔═════════════════════════════════════════════════════════════════════════╗
║                                                                         ║
║           You are running this container as a non-root user:            ║
║   UMASK, custom services, & docker mod functionality will be disabled   ║
║      and the PUID/PGID environment variables will have no effect.       ║
║                                                                         ║
╚═════════════════════════════════════════════════════════════════════════╝
[migrations] started
[migrations] no migrations found
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
WireGuard: https://www.wireguard.com/donations/

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: 1.0.20210914-r4-ls58
Build-date: 2024-12-05T11:25:21+00:00
───────────────────────────────────────
    
Uname info: Linux wireguard 6.11.6-300.fc41.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov  1 16:16:00 UTC 2024 x86_64 GNU/Linux
RTNETLINK answers: Operation not permitted
**** The wireguard module is not active. If you believe that your kernel should have wireguard support already, make sure that it is activated via modprobe! ****
****  If you have an old kernel without wireguard support built-in, you can try using the 'legacy' tag for this image to compile the modules from scratch.   ****
```

github-actions bot commented Dec 6, 2024

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

thespad (Member) commented Dec 6, 2024

Wireguard can't run rootless as it needs to be able to modify host networking configuration to route traffic.
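The image's banner attributes the RTNETLINK failure to a missing kernel module, yet the `lsmod` output in the report shows the module loaded on the host, and "Operation not permitted" is netlink reporting EPERM, a permission failure. The POSIX sh diagnostic below is an added example, not code from this issue or from the linuxserver image; run inside the container (for instance via `podman exec wireguard sh`) it reads `/proc/self/status` and `/proc/modules` and separates the two causes: whether the container process actually holds CAP_NET_ADMIN in its effective capability set, and whether the wireguard module is listed as loaded. The capability bit number 12 is the kernel's fixed assignment for CAP_NET_ADMIN; the function names and the inputs used to test it are my own.

```shell
#!/bin/sh
# Added diagnostic (not part of the linuxserver/wireguard image or this issue).
# Separates the two causes the image's banner lumps together:
#   1. the container process has no CAP_NET_ADMIN in its effective set
#      (netlink then answers EPERM, "Operation not permitted"),
#   2. the wireguard kernel module is not loaded on the host.
# Function names and the constructed inputs used in testing are my own.

CAP_NET_ADMIN_BIT=12    # kernel capability number of CAP_NET_ADMIN (linux/capability.h)

# cap_has_bit HEXMASK BIT: exit 0 if bit BIT is set in a /proc CapXxx hex mask.
cap_has_bit() {
    mask=$1
    bit=$2
    [ $(( (0x$mask >> $bit) & 1 )) -eq 1 ]
}

# cap_eff_from_status FILE: print the CapEff mask from a /proc/<pid>/status file.
cap_eff_from_status() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# module_loaded NAME FILE: exit 0 if NAME is listed in a /proc/modules file.
# A module built into the kernel never appears there, so a miss is a hint, not proof.
module_loaded() {
    grep -q "^$1 " "$2" 2>/dev/null
}

# diagnose STATUSFILE MODULESFILE: print a verdict; return 2 (no capability),
# 3 (module not listed) or 0 (both checks pass).
diagnose() {
    eff=$(cap_eff_from_status "$1")
    eff=${eff:-0}
    if ! cap_has_bit "$eff" "$CAP_NET_ADMIN_BIT"; then
        echo "no CAP_NET_ADMIN in effective set (CapEff=$eff): netlink configuration will fail with EPERM"
        return 2
    fi
    if ! module_loaded wireguard "$2"; then
        echo "CAP_NET_ADMIN present, but wireguard is not listed in $2"
        return 3
    fi
    echo "CAP_NET_ADMIN present and wireguard module listed as loaded"
    return 0
}

# Report on the current process when run directly (e.g. inside the container
# via podman exec); the || branch keeps a non-zero verdict from aborting the script.
if [ -r /proc/self/status ]; then
    diagnose /proc/self/status /proc/modules || echo "(exit code $?)"
fi
```

If the first verdict fires, the banner's module hint is a red herring for this host: the banner already shows the container running as UID 1000, and whether that process holds CAP_NET_ADMIN is exactly what the check reports. If `/proc/modules` is masked inside the container, run the module check on the host instead.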

sharmay (Author) commented Dec 6, 2024

Just a random thought: can most of the configuration be performed at host level before starting the container?

Not sure how it is done here https://www.procustodibus.com/blog/2022/10/wireguard-in-podman/

thespad (Member) commented Dec 6, 2024

I mean probably, but at that point why are you running it in a container at all? If you're going to have to manually configure everything on the host before you start the container, just run it on the host.
