From a53eb5b666bac08a4b6c72cace5d953f4cba2ac3 Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Wed, 30 Nov 2022 15:07:42 +0000
Subject: [PATCH 1/4] Update readme to clarify caps and module processes
---
 readme-vars.yml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/readme-vars.yml b/readme-vars.yml
index 557f3b58..0248bd6e 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -25,7 +25,6 @@ param_container_name: "{{ project_name }}"
 param_usage_include_vols: true
 param_volumes:
 - { vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Contains all relevant configuration files." }
- - { vol_path: "/lib/modules", vol_host_path: "/lib/modules", desc: "Maps host's modules folder." }
 param_usage_include_ports: true
 param_ports:
 - { external_port: "51820", internal_port: "51820/udp", port_desc: "wireguard port" }
@@ -35,7 +34,6 @@ param_env_vars:
 cap_add_param: true
 cap_add_param_vars:
 - { cap_add_var: "NET_ADMIN" }
- - { cap_add_var: "SYS_MODULE" }
 custom_params:
 - { name: "sysctl", name_compose: "sysctls", value: ["net.ipv4.conf.all.src_valid_mark=1"], desc: "Required for client mode.", array: "true" }
@@ -58,14 +56,6 @@ app_setup_block_enabled: true
 app_setup_block: |
 During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
- If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed.
-
- If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).
-
- With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
-
- This can be run as a server or a client, based on the parameters used.
-
 ## Server Mode
 If the environment variable `PEERS` is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under `/config/peerX` in case `PEERS` is a variable and an integer or `/config/peer_X` in case a list of names was provided instead of an integer.

From 4f4ddf64c04157b569e2e117a2e6e9df9b35affd Mon Sep 17 00:00:00 2001
From: TheSpad
Date: Wed, 30 Nov 2022 15:14:30 +0000
Subject: [PATCH 2/4] Restore line removed in error
---
 .github/ISSUE_TEMPLATE/issue.bug.yml | 77 +++++++++++++++++++
 .github/ISSUE_TEMPLATE/issue.feature.yml | 31 ++++++++
 .github/workflows/call_invalid_helper.yml | 12 +++
 .github/workflows/external_trigger.yml | 2 +-
 .../workflows/external_trigger_scheduler.yml | 2 +-
 .github/workflows/greetings.yml | 2 +-
 .github/workflows/package_trigger.yml | 2 +-
 .../workflows/package_trigger_scheduler.yml | 2 +-
 .github/workflows/stale.yml | 2 +-
 Jenkinsfile | 4 +-
 README.md | 13 ----
 11 files changed, 128 insertions(+), 21 deletions(-)
 create mode 100644 .github/ISSUE_TEMPLATE/issue.bug.yml
 create mode 100644 .github/ISSUE_TEMPLATE/issue.feature.yml
 create mode 100644 .github/workflows/call_invalid_helper.yml

diff --git a/.github/ISSUE_TEMPLATE/issue.bug.yml b/.github/ISSUE_TEMPLATE/issue.bug.yml
new file mode 100644
index 00000000..59a10f56
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/issue.bug.yml
@@ -0,0 +1,77 @@
+# Based on the issue template
+name: Bug report
+description: Create a report to help us improve
+title: "[BUG] "
+labels: [Bug]
+body:
+ - type: checkboxes
+ attributes:
+ label: Is there an existing issue for this?
+ description: Please search to see if an issue already exists for the bug you encountered.
+ options:
+ - label: I have searched the existing issues
+ required: true
+ - type: textarea
+ attributes:
+ label: Current Behavior
+ description: Tell us what happens instead of the expected behavior.
+ validations:
+ required: true
+ - type: textarea
+ attributes:
+ label: Expected Behavior
+ description: Tell us what should happen.
+ validations:
+ required: false
+ - type: textarea
+ attributes:
+ label: Steps To Reproduce
+ description: Steps to reproduce the behavior.
+ placeholder: |
+ 1. In this environment...
+ 2. With this config...
+ 3. Run '...'
+ 4. See error...
+ validations:
+ required: true
+ - type: textarea
+ attributes:
+ label: Environment
+ description: |
+ examples:
+ - **OS**: Ubuntu 20.04
+ - **How docker service was installed**: distro's packagemanager
+ value: |
+ - OS:
+ - How docker service was installed:
+ render: markdown
+ validations:
+ required: false
+ - type: dropdown
+ attributes:
+ label: CPU architecture
+ options:
+ - x86-64
+ - arm64
+ - armhf
+ validations:
+ required: true
+ - type: textarea
+ attributes:
+ label: Docker creation
+ description: |
+ Command used to create docker container
+ Provide your docker create/run command or compose yaml snippet, or a screenshot of settings if using a gui to create the container
+ render: bash
+ validations:
+ required: true
+ - type: textarea
+ attributes:
+ description: |
+ Provide a full docker log, output of "docker logs linuxserver.io"
+ label: Container logs
+ placeholder: |
+ Output of `docker logs linuxserver.io`
+ render: bash
+ validations:
+ required: true
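Review bot: `title: "[BUG] "` in the new bug form prefills the issue title with a bare trailing space, while the feature form added in this same commit uses `title: "[FEAT] <title>"`, so the two templates behave differently; `title: "[BUG] <title>"` would make them consistent. In the last textarea `description:` is placed before `label: Container logs`, the reverse of every other block in the file, and keeping the key order uniform there makes the form easier to scan and review.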
diff --git a/.github/ISSUE_TEMPLATE/issue.feature.yml b/.github/ISSUE_TEMPLATE/issue.feature.yml
new file mode 100644
index 00000000..099dcdb5
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/issue.feature.yml
@@ -0,0 +1,31 @@
+# Based on the issue template
+name: Feature request
+description: Suggest an idea for this project
+title: "[FEAT] <title>"
+labels: [enhancement]
+body:
+ - type: checkboxes
+ attributes:
+ label: Is this a new feature request?
+ description: Please search to see if a feature request already exists.
+ options:
+ - label: I have searched the existing issues
+ required: true
+ - type: textarea
+ attributes:
+ label: Wanted change
+ description: Tell us what you want to happen.
+ validations:
+ required: true
+ - type: textarea
+ attributes:
+ label: Reason for change
+ description: Justify your request, why do you want it, what is the benefit.
+ validations:
+ required: true
+ - type: textarea
+ attributes:
+ label: Proposed code change
+ description: Do you have a potential code change in mind?
+ validations:
+ required: false
diff --git a/.github/workflows/call_invalid_helper.yml b/.github/workflows/call_invalid_helper.yml
new file mode 100644
index 00000000..773767c2
--- /dev/null
+++ b/.github/workflows/call_invalid_helper.yml
@@ -0,0 +1,12 @@
+name: Comment on invalid interaction
+on:
+ issues:
+ types:
+ - labeled
+jobs:
+ add-comment-on-invalid:
+ if: github.event.label.name == 'invalid'
+ permissions:
+ issues: write
+ uses: linuxserver/github-workflows/.github/workflows/invalid-interaction-helper.yml@v1
+ secrets: inherit
diff --git a/.github/workflows/external_trigger.yml b/.github/workflows/external_trigger.yml
index d0149e06..fc5f1136 100755
--- a/.github/workflows/external_trigger.yml
+++ b/.github/workflows/external_trigger.yml
@@ -7,7 +7,7 @@ jobs:
 external-trigger-alpine:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2.3.3
+ - uses: actions/checkout@v3.1.0
 - name: External Trigger
 if: github.ref == 'refs/heads/alpine'
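Review bot: In call_invalid_helper.yml, `uses: linuxserver/github-workflows/.github/workflows/invalid-interaction-helper.yml@v1` references a moving tag and the job passes `secrets: inherit`, so what this job can do is decided by whatever `v1` resolves to on each run, and every repository secret is exposed to that workflow even though the job itself only needs `issues: write`. Pinning the reusable workflow to a full commit SHA (keeping the tag in a trailing comment) makes the reviewed revision the one that runs; if the helper needs no secret beyond the default token, the `secrets: inherit` line can be dropped, and if it needs one, pass that single secret explicitly under `secrets:`. Whether the org-maintained helper relies on additional secrets is not visible here, so confirm that before removing the line.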
diff --git a/.github/workflows/external_trigger_scheduler.yml b/.github/workflows/external_trigger_scheduler.yml
index a9830deb..b677c14b 100755
--- a/.github/workflows/external_trigger_scheduler.yml
+++ b/.github/workflows/external_trigger_scheduler.yml
@@ -9,7 +9,7 @@ jobs:
 external-trigger-scheduler:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2.3.3
+ - uses: actions/checkout@v3.1.0
 with:
 fetch-depth: '0'
diff --git a/.github/workflows/greetings.yml b/.github/workflows/greetings.yml
index 941dc886..b6fd79fd 100644
--- a/.github/workflows/greetings.yml
+++ b/.github/workflows/greetings.yml
@@ -8,6 +8,6 @@ jobs:
 steps:
 - uses: actions/first-interaction@v1
 with:
- issue-message: 'Thanks for opening your first issue here! Be sure to follow the [bug](https://github.com/linuxserver/docker-wireguard/blob/alpine/.github/ISSUE_TEMPLATE/issue.bug.md) or [feature](https://github.com/linuxserver/docker-wireguard/blob/alpine/.github/ISSUE_TEMPLATE/issue.feature.md) issue templates!'
+ issue-message: 'Thanks for opening your first issue here! Be sure to follow the [bug](https://github.com/linuxserver/docker-wireguard/blob/alpine/.github/ISSUE_TEMPLATE/issue.bug.yml) or [feature](https://github.com/linuxserver/docker-wireguard/blob/alpine/.github/ISSUE_TEMPLATE/issue.feature.yml) issue templates!'
 pr-message: 'Thanks for opening this pull request! Be sure to follow the [pull request template](https://github.com/linuxserver/docker-wireguard/blob/alpine/.github/PULL_REQUEST_TEMPLATE.md)!'
 repo-token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/package_trigger.yml b/.github/workflows/package_trigger.yml
index 192c361e..86333431 100755
--- a/.github/workflows/package_trigger.yml
+++ b/.github/workflows/package_trigger.yml
@@ -7,7 +7,7 @@ jobs:
 package-trigger-alpine:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2.3.3
+ - uses: actions/checkout@v3.1.0
 - name: Package Trigger
 if: github.ref == 'refs/heads/alpine'
diff --git a/.github/workflows/package_trigger_scheduler.yml b/.github/workflows/package_trigger_scheduler.yml
index 43a87b0c..494f50ef 100755
--- a/.github/workflows/package_trigger_scheduler.yml
+++ b/.github/workflows/package_trigger_scheduler.yml
@@ -9,7 +9,7 @@ jobs:
 package-trigger-scheduler:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2.3.3
+ - uses: actions/checkout@v3.1.0
 with:
 fetch-depth: '0'
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 3b3846ee..73dfe45a 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -10,7 +10,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/stale@v3
+ - uses: actions/stale@v6.0.1
 with:
 stale-issue-message: "This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
 stale-pr-message: "This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions."
diff --git a/Jenkinsfile b/Jenkinsfile
index 8e0397f5..7d015534 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -56,7 +56,7 @@ pipeline {
 env.CODE_URL = 'https://github.com/' + env.LS_USER + '/' + env.LS_REPO + '/commit/' + env.GIT_COMMIT
 env.DOCKERHUB_LINK = 'https://hub.docker.com/r/' + env.DOCKERHUB_IMAGE + '/tags/'
 env.PULL_REQUEST = env.CHANGE_ID
- env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.md ./.github/ISSUE_TEMPLATE/issue.feature.md ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/stale.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml ./root/donate.txt'
+ env.TEMPLATED_FILES = 'Jenkinsfile README.md LICENSE .editorconfig ./.github/CONTRIBUTING.md ./.github/FUNDING.yml ./.github/ISSUE_TEMPLATE/config.yml ./.github/ISSUE_TEMPLATE/issue.bug.yml ./.github/ISSUE_TEMPLATE/issue.feature.yml ./.github/PULL_REQUEST_TEMPLATE.md ./.github/workflows/external_trigger_scheduler.yml ./.github/workflows/greetings.yml ./.github/workflows/package_trigger_scheduler.yml ./.github/workflows/stale.yml ./.github/workflows/external_trigger.yml ./.github/workflows/package_trigger.yml ./root/donate.txt'
 }
 script{
 env.LS_RELEASE_NUMBER = sh(
@@ -277,7 +277,7 @@ pipeline {
 echo "Jenkinsfile is up to date."
 fi
 # Stage 2 - Delete old templates
- OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md"
+ OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md\n.github/ISSUE_TEMPLATE/issue.bug.md\n.github/ISSUE_TEMPLATE/issue.feature.md"
 for i in ${OLD_TEMPLATES}; do
 if [[ -f "${i}" ]]; then
 TEMPLATES_TO_DELETE="${i} ${TEMPLATES_TO_DELETE}"
diff --git a/README.md b/README.md
index 7f4969bc..6f8cb8ae 100644
--- a/README.md
+++ b/README.md
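Review bot: The new `OLD_TEMPLATES` value separates its entries with a literal `\n`, but the next line `for i in ${OLD_TEMPLATES}; do` relies on shell word splitting, which only splits on real whitespace; whether those two characters become a newline depends on the surrounding Jenkinsfile string processing the escape before the shell sees it, and the enclosing `sh` step starts and ends outside this hunk. If it does not, the loop runs once with the whole string, `[[ -f "${i}" ]]` is false, and none of the old templates are deleted. A space-separated list is unambiguous either way: `OLD_TEMPLATES=".github/ISSUE_TEMPLATE.md .github/ISSUE_TEMPLATE/issue.bug.md .github/ISSUE_TEMPLATE/issue.feature.md"`.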
@@ -70,14 +70,6 @@ This image provides various versions that are available via tags. Please read th
 During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
-If the kernel is not built-in, or installed on host, the container will check if the kernel headers are present (in `/usr/src`) and if not, it will attempt to download the necessary kernel headers from the `ubuntu xenial/bionic`, `debian/raspbian buster` repos; then will attempt to compile and install the kernel module. If the kernel headers are not found in either `usr/src` or in the repos mentioned, container will sleep indefinitely as wireguard cannot be installed.
-
-If you're on a debian/ubuntu based host with a custom or downstream distro provided kernel (ie. Pop!_OS), the container won't be able to install the kernel headers from the regular ubuntu and debian repos. In those cases, you can try installing the headers on the host via `sudo apt install linux-headers-$(uname -r)` (if distro version) and then add a volume mapping for `/usr/src:/usr/src`, or if custom built, map the location of the existing headers to allow the container to use host installed headers to build the kernel module (tested successful on Pop!_OS, ymmv).
-
-With regards to arm32/64 devices, Raspberry Pi 2-4 running the [official ubuntu images](https://ubuntu.com/download/raspberry-pi) or Raspbian Buster are supported out of the box. For all other devices and OSes, you can try installing the kernel headers on the host, and mapping `/usr/src:/usr/src` and it may just work (no guarantees).
-
-This can be run as a server or a client, based on the parameters used.
-
 ## Server Mode
 If the environment variable `PEERS` is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under `/config/peerX` in case `PEERS` is a variable and an integer or `/config/peer_X` in case a list of names was provided instead of an integer.
@@ -145,7 +137,6 @@ services:
 container_name: wireguard
 cap_add:
 - NET_ADMIN
- - SYS_MODULE
 environment:
 - PUID=1000
 - PGID=1000
@@ -159,7 +150,6 @@ services:
 - LOG_CONFS=true #optional
 volumes:
 - /path/to/appdata/config:/config
- - /lib/modules:/lib/modules
 ports:
 - 51820:51820/udp
 sysctls:
@@ -173,7 +163,6 @@ services:
 docker run -d \
 --name=wireguard \
 --cap-add=NET_ADMIN \
- --cap-add=SYS_MODULE \
 -e PUID=1000 \
 -e PGID=1000 \
 -e TZ=Europe/London \
@@ -186,7 +175,6 @@ docker run -d \
 -e LOG_CONFS=true `#optional` \
 -p 51820:51820/udp \
 -v /path/to/appdata/config:/config \
- -v /lib/modules:/lib/modules \
 --sysctl="net.ipv4.conf.all.src_valid_mark=1" \
 --restart unless-stopped \
 lscr.io/linuxserver/wireguard:alpine
@@ -210,7 +198,6 @@ Container images are configured using parameters passed at runtime (such as thos
 | `-e ALLOWEDIPS=0.0.0.0/0` | The IPs/Ranges that the peers will be able to reach using the VPN connection. If not specified the default value is: '0.0.0.0/0, ::0/0' This will cause ALL traffic to route through the VPN, if you want split tunneling, set this to only the IPs you would like to use the tunnel AND the ip of the server's WG ip, such as 10.13.13.1. |
 | `-e LOG_CONFS=true` | Generated QR codes will be displayed in the docker log. Set to `false` to skip log output. |
 | `-v /config` | Contains all relevant configuration files. |
-| `-v /lib/modules` | Maps host's modules folder. |
 | `--sysctl=` | Required for client mode. |
 ### Portainer notice
From 86d384e8c3c228b181e23778aec497b2966610d7 Mon Sep 17 00:00:00 2001
From: TheSpad <git@spad.co.uk>
Date: Wed, 30 Nov 2022 15:17:27 +0000
Subject: [PATCH 3/4] Actually save the changes
---
 README.md | 7 ++++++-
 readme-vars.yml | 21 +++++++++++++--------
 2 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 6f8cb8ae..905d78c5 100644
--- a/README.md
+++ b/README.md
@@ -70,7 +70,10 @@ This image provides various versions that are available via tags. Please read th
 During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
+This can be run as a server or a client, based on the parameters used.
+
 ## Server Mode
+
 If the environment variable `PEERS` is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under `/config/peerX` in case `PEERS` is a variable and an integer or `/config/peer_X` in case a list of names was provided instead of an integer.
 Variables `SERVERURL`, `SERVERPORT`, `INTERNAL_SUBNET` and `PEERDNS` are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
@@ -82,11 +85,13 @@ To display the QR codes of active peers again, you can use the following command
 The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
 ## Client Mode
+
 Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
 If you get IPv6 related errors in the log and connection cannot be established, edit the `AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.
 ## Road warriors, roaming and returning home
+
 If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. This means that when you return home, even though you can see the Wireguard server, the return packets will probably get lost.
 This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your internal DNS to return the private rather than public IP when connecting locally).
@@ -99,7 +104,7 @@ Both of these approaches have positives and negatives however their setup is out
 When routing via Wireguard from another container using the `service` option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so (modifying the subnets as you require):
- ```
+ ```ini
 [Interface]
 PrivateKey = <private key>
 Address = 9.8.7.6/32
diff --git a/readme-vars.yml b/readme-vars.yml
index 0248bd6e..2b546775 100644
--- a/readme-vars.yml
+++ b/readme-vars.yml
@@ -55,28 +55,33 @@ optional_block_1_items: ""
 app_setup_block_enabled: true
 app_setup_block: |
 During container start, it will first check if the wireguard module is already installed and loaded. Kernels newer than 5.6 generally have the wireguard module built-in (along with some older custom kernels). However, the module may not be enabled. Make sure it is enabled prior to starting the container.
-
+
+ This can be run as a server or a client, based on the parameters used.
+
 ## Server Mode
+
 If the environment variable `PEERS` is set to a number or a list of strings separated by comma, the container will run in server mode and the necessary server and peer/client confs will be generated. The peer/client config qr codes will be output in the docker log. They will also be saved in text and png format under `/config/peerX` in case `PEERS` is a variable and an integer or `/config/peer_X` in case a list of names was provided instead of an integer.
-
+
 Variables `SERVERURL`, `SERVERPORT`, `INTERNAL_SUBNET` and `PEERDNS` are optional variables used for server mode. Any changes to these environment variables will trigger regeneration of server and peer confs. Peer/client confs will be recreated with existing private/public keys. Delete the peer folders for the keys to be recreated along with the confs.
-
+
 To add more peers/clients later on, you increment the `PEERS` environment variable or add more elements to the list and recreate the container.
-
+
 To display the QR codes of active peers again, you can use the following command and list the peer numbers as arguments: `docker exec -it wireguard /app/show-peer 1 4 5` or `docker exec -it wireguard /app/show-peer myPC myPhone myTablet` (Keep in mind that the QR codes are also stored as PNGs in the config folder).
 The templates used for server and peer confs are saved under `/config/templates`. Advanced users can modify these templates and force conf generation by deleting `/config/wg0.conf` and restarting the container.
 ## Client Mode
- Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
+
+ Do not set the `PEERS` environment variable. Drop your client conf into the config folder as `/config/wg0.conf` and start the container.
 If you get IPv6 related errors in the log and connection cannot be established, edit the `AllowedIPs` line in your peer/client wg0.conf to include only `0.0.0.0/0` and not `::/0`; and restart the container.
 ## Road warriors, roaming and returning home
+
 If you plan to use Wireguard both remotely and locally, say on your mobile phone, you will need to consider routing. Most firewalls will not route ports forwarded on your WAN interface correctly to the LAN out of the box. This means that when you return home, even though you can see the Wireguard server, the return packets will probably get lost.
-
+
 This is not a Wireguard specific issue and the two generally accepted solutions are NAT reflection (setting your edge router/firewall up in such a way as it translates internal packets correctly) or split horizon DNS (setting your internal DNS to return the private rather than public IP when connecting locally).
-
+
 Both of these approaches have positives and negatives however their setup is out of scope for this document as everyone's network layout and equipment will be different.
 ## Maintaining local access to attached services
@@ -85,7 +90,7 @@ app_setup_block: |
 When routing via Wireguard from another container using the `service` option in docker, you might lose access to the containers webUI locally. To avoid this, exclude the docker subnet from being routed via Wireguard by modifying your `wg0.conf` like so (modifying the subnets as you require):
- ```
+ ```ini
 [Interface]
 PrivateKey = <private key>
 Address = 9.8.7.6/32

From ba5bb856557864325739662f0478c9c4e37fe4d9 Mon Sep 17 00:00:00 2001
From: TheSpad <git@spad.co.uk>
Date: Wed, 30 Nov 2022 15:37:57 +0000
Subject: [PATCH 4/4] Add log entry if SYS_MODULE cap can be removed
---
 root/etc/s6-overlay/s6-rc.d/init-wireguard-module/run | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/root/etc/s6-overlay/s6-rc.d/init-wireguard-module/run b/root/etc/s6-overlay/s6-rc.d/init-wireguard-module/run
index 0ae42e0c..3d1e8aa4 100755
--- a/root/etc/s6-overlay/s6-rc.d/init-wireguard-module/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-wireguard-module/run
@@ -8,6 +8,9 @@ ip link del dev test 2>/dev/null
 if ip link add dev test type wireguard; then
 echo "**** It seems the wireguard module is already active. Skipping kernel header install and module compilation. ****"
 ip link del dev test
+ if capsh --print | grep -qv '\!cap_sys_module'; then
+ echo "**** As the wireguard module is already active you can remove the SYS_MODULE capability from your container run/compose. ****"
+ fi
 else
 echo "**** The wireguard module is not active. If you believe that your kernel should have wireguard support already, make sure that it is activated via modprobe! ****"
 sleep infinity
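Review bot: `if capsh --print | grep -qv '\!cap_sys_module'; then` succeeds whenever any line of the `capsh --print` output lacks the pattern, and that output is several lines long, so the branch is taken regardless of whether SYS_MODULE is in the container's capability set and the advisory prints even after the user has already dropped it. If the intent is "no line reports the capability as absent", the negation belongs on the pipeline rather than on grep: `if ! capsh --print | grep -q '!cap_sys_module'; then`. That still assumes the installed capsh prints a line listing missing capabilities with a `!` prefix, which varies by libcap version; checking the bounding set from `/proc/self/status` instead of parsing human-readable output would be more robust, and a comment above the `if` naming the expected output line would help the next reader. The enclosing `if … else` closes below the hunk.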