Interface not deleted in kubernetes

Nico Schottelius nico.schottelius at ungleich.ch
Thu May 5 19:32:19 UTC 2022


Hello,

I am not sure if I am off-topic here, but I am not sure where to best
raise this issue. The situation is: if I start a Pod in Kubernetes that
uses the ungleich-wireguard:0.0.5 [0] container, which is basically
using this script [1], I am able to get the following output:

--------------------------------------------------------------------------------
[21:29] blind:~% kubectl -n test logs -f wireguard-7cf446469-gmkvd
+ wg show
interface: clients
  public key: 5QzByP8MnQyR7seJWJyiP6fFHn5OnkPI+O0WAuYoLko=
  private key: (hidden)
  listening port: 51820

peer: fnIGys3sZKfyjSA7oXw891IOxuuRi7yYM6tihNG+1WA=
  allowed ips: 10.0.0.2/32
+ wg-quick up /etc/wireguard/clients.conf
Warning: `/etc/wireguard/..2022_05_05_19_29_32.4005058985/clients.conf' is world accessible
wg-quick: `clients' already exists
+ exit 1
[21:29] blind:~%
--------------------------------------------------------------------------------

As the pod/container are freshly created, I assume that the "clients"
interface is a leftover from a previous run of that container. Which
brings me to the real questions:

  Are wireguard interfaces

      a) Not contained in a container?
      b) Not destroyed if the container is destroyed?

As containers are namespaced, I would have expected the device to die
with the container, but I even cleared the full deployment and get this
error again.

My logical understanding would be that the interface should be destroyed if
the container exits, however the output implies that this is not the
case.

Any pointers in this direction are very welcome.

Best regards,

Nico

[0]
https://hub.docker.com/layers/ungleich-wireguard/ungleich/ungleich-wireguard/0.0.5/images/sha256-cf50085115df1f686509288375349ce61cc4ef06a06c940cf7cbd9041a6d9ef6?context=explore

[1]
--------------------------------------------------------------------------------
#!/bin/sh

set -x

# Ensure everything is clean / show prior state
wg show

# Start all definitions
for conf in /etc/wireguard/*.conf; do
    # Try to up and if any tunnel fails -> exit
    wg-quick up "$conf" || exit 1
done

# Debug output
while true; do
    wg show
    sleep 300
done
--------------------------------------------------------------------------------


--
Sustainable and modern Infrastructures by ungleich.ch
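
An idempotent variant of the entrypoint script [1], added here as an example; it is not part of the original post or of the ungleich image. It removes a leftover interface of the same name before `wg-quick up` and brings its tunnels down on SIGTERM, whatever the reason the interface outlived the earlier container. The `WG_QUICK`, `WG`, `IP` and `CONF_DIR` overrides and the `run` argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the original script. The variables below are
# hypothetical override knobs so the logic can be exercised without WireGuard.
WG_QUICK=${WG_QUICK:-wg-quick}
WG=${WG:-wg}
IP=${IP:-ip}
CONF_DIR=${CONF_DIR:-/etc/wireguard}

# wg-quick names the interface after the config file: clients.conf -> clients
iface_of() { basename "$1" .conf; }

# Remove a leftover interface of the same name if one is visible in this netns.
clear_stale() {
    iface=$(iface_of "$1")
    "$IP" link show dev "$iface" >/dev/null 2>&1 || return 0
    echo "stale interface $iface found, removing" >&2
    "$WG_QUICK" down "$1" || "$IP" link delete dev "$iface"
}

# Bring up every tunnel; fail if any stale cleanup or tunnel start fails.
up_all() {
    for conf in "$CONF_DIR"/*.conf; do
        [ -e "$conf" ] || continue
        clear_stale "$conf" && "$WG_QUICK" up "$conf" || return 1
    done
}

# Best-effort teardown of every tunnel this script manages.
down_all() {
    for conf in "$CONF_DIR"/*.conf; do
        [ -e "$conf" ] && "$WG_QUICK" down "$conf"
    done
    return 0
}

main() {
    trap 'down_all; exit 0' TERM INT
    up_all || { down_all; exit 1; }
    while true; do
        "$WG" show
        sleep 300 & wait $!   # background sleep so the trap runs without delay
    done
}

# Start only when called as "entrypoint.sh run" (assumed invocation).
if [ "${1:-}" = "run" ]; then main; fi
```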

