From: Nico Schottelius <nico.schottelius@ungleich.ch>
To: wireguard@lists.zx2c4.com
Subject: Interface not deleted in kubernetes
Date: Thu, 05 May 2022 21:32:19 +0200	[thread overview]
Message-ID: <874k2393cx.fsf@ungleich.ch> (raw)


Hello,

I am not sure if I am off-topic here, but I am not sure where to best
raise this issue. The situation is: if I start a Pod in Kubernetes that
uses the ungleich-wireguard:0.0.5 [0] container, which is basically
using this script [1], I am able to get the following output:

--------------------------------------------------------------------------------
[21:29] blind:~% kubectl -n test logs -f wireguard-7cf446469-gmkvd
+ wg show
interface: clients
  public key: 5QzByP8MnQyR7seJWJyiP6fFHn5OnkPI+O0WAuYoLko=
  private key: (hidden)
  listening port: 51820

peer: fnIGys3sZKfyjSA7oXw891IOxuuRi7yYM6tihNG+1WA=
  allowed ips: 10.0.0.2/32
+ wg-quick up /etc/wireguard/clients.conf
Warning: `/etc/wireguard/..2022_05_05_19_29_32.4005058985/clients.conf' is world accessible
wg-quick: `clients' already exists
+ exit 1
[21:29] blind:~%
--------------------------------------------------------------------------------

As the pod/container are freshly created, I assume that the "clients"
interface is a leftover from a previous run of that container. Which
brings me to the real questions:

  Are wireguard interfaces

      a) Not contained in a container?
      b) Not destroyed if the container is destroyed?

As containers are namespaced, I would have expected the device to die
with the container, but I even cleared the full deployment and get this
error again.

My logical understanding would be that the interface should be destroyed if
the container exits; however, the output implies that this is not the
case.

Any pointers in this direction are very welcome.

Best regards,

Nico

[0]
https://hub.docker.com/layers/ungleich-wireguard/ungleich/ungleich-wireguard/0.0.5/images/sha256-cf50085115df1f686509288375349ce61cc4ef06a06c940cf7cbd9041a6d9ef6?context=explore

[1]
--------------------------------------------------------------------------------
#!/bin/sh

set -x

# Ensure everything is clean / show prior state
wg show

# Start all definitions
for conf in /etc/wireguard/*.conf; do
    # Try to up and if any tunnel fails -> exit
    wg-quick up "$conf" || exit 1
done

# Debug output
while true; do
    wg show
    sleep 300
done
--------------------------------------------------------------------------------


--
Sustainable and modern Infrastructures by ungleich.ch
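As an added example that is not part of the original post or of the ungleich-wireguard image, here is a variant of the start-up script [1] that checks `wg show interfaces` for a leftover device with the same name before calling `wg-quick up`, so a stale interface is torn down instead of aborting the Pod. It assumes the file is saved as wg-start.sh and that wg, wg-quick and ip are on PATH inside the container.

```shell
#!/bin/sh
# Added example, not the poster's script: idempotent WireGuard start-up.
# Assumes wg, wg-quick and ip are available in the container.

# Interface name wg-quick derives from a config path: the basename
# without ".conf" (so /etc/wireguard/clients.conf -> clients).
iface_from_conf() {
    conf=${1##*/}
    printf '%s\n' "${conf%.conf}"
}

# True if $1 appears in the space-separated list printed by
# `wg show interfaces`; the list is passed as $2 so it is testable offline.
iface_in_list() {
    name=$1
    for i in $2; do
        [ "$i" = "$name" ] && return 0
    done
    return 1
}

# Tear down a leftover interface before bringing the tunnel up.
# `wg-quick down` removes the device and its routes; `ip link del` is the
# fallback for a device that wg-quick did not create in this container.
up_idempotent() {
    conf=$1
    name=$(iface_from_conf "$conf")
    existing=$(wg show interfaces 2>/dev/null)
    if iface_in_list "$name" "$existing"; then
        echo "interface $name already exists; removing leftover" >&2
        wg-quick down "$conf" 2>/dev/null || ip link del "$name"
    fi
    wg-quick up "$conf"
}

main() {
    set -x
    for conf in /etc/wireguard/*.conf; do
        [ -e "$conf" ] || continue        # glob matched nothing
        up_idempotent "$conf" || exit 1   # any failing tunnel -> exit
    done
    while true; do wg show; sleep 300; done
}

# Run only when executed as wg-start.sh (assumed name), not when sourced.
case ${0##*/} in
    wg-start.sh) main ;;
esac
```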
