Public bug reported:

The wg-quick test fails on all architectures

sample log:

 96s autopkgtest [07:45:22]: test wg-quick: [-----------------------
 96s Setting things up
 96s Generating keys
 96s Generating wireguard config
 96s Cleaning up old namespaces
 96s Creating new namespaces left_ns and right_ns and adding loopback interface 
to them
 97s Creating veth interface connecting both namespaces
 97s Bringing up LEFT wireguard interface in namespace left_ns
 97s Bringing up RIGHT wireguard interface in namespace right_ns
 97s /tmp/autopkgtest.pzNh3P/build.7k9/src/debian/tests/wg-quick: line 33:  
1189 Segmentation fault         ip netns exec "${LEFT_NS}" wg-quick up 
"${WG_LEFT_INTERFACE}"
 97s /tmp/autopkgtest.pzNh3P/build.7k9/src/debian/tests/wg-quick: line 33:  
1190 Segmentation fault         ip netns exec "${RIGHT_NS}" wg-quick up 
"${WG_RIGHT_INTERFACE}"
 97s Failed vpn test setup
 97s Some test failed, here is some debugging
 97s dmesg: read kernel buffer failed: Operation not permitted
 97s autopkgtest [07:45:23]: test wg-quick: -----------------------]
 97s autopkgtest [07:45:23]: test wg-quick:  - - - - - - - - - - results - - - 
- - - - - - -
 97s wg-quick             FAIL non-zero exit status 1


some troubleshooting has already been done by ~ahasenack and I

a local test run shows dmesg errors:

[ 1010.926831] audit: type=1400 audit(1782302828.143:4078): apparmor="DENIED" 
operation="file_inherit" class="file" 
namespace="root//lxd-autopkgtest-lxd-zmsdjp_<var-snap-lxd-common-lxd>" 
profile="wg" name="/tmp/tmp.XaXFtmDa78/err" pid=47688 comm="wg" 
requested_mask="a" denied_mask="a" fsuid=1000000 ouid=1000000
[ 1010.926842] audit: type=1400 audit(1782302828.143:4079): apparmor="DENIED" 
operation="open" class="file" 
profile="lxd-autopkgtest-lxd-zmsdjp_</var/snap/lxd/common/lxd>" pid=47688 
comm="wg" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 1010.941858] VFS: Mount too revealing
[ 1010.946108] VFS: Mount too revealing
[ 1010.950269] VFS: Mount too revealing
[ 1010.952473] VFS: Mount too revealing
[ 1010.953773] VFS: Mount too revealing
[ 1010.955025] VFS: Mount too revealing
[ 1010.956651] VFS: Mount too revealing
[ 1010.958287] VFS: Mount too revealing


And a lead from Andreas:

This change[1] almost made the test pass. The apparmor profile blocked
bash in one of those commands, so maybe just some rules needed changing.
I disabled it here for now. The second change prevented the /sys remount
via ip netns, but the ping commands failed later, maybe because the vpn
wasn't setup at all, i.e., the nsenter tricks didn't work:

Disabling wg.
Disabling wg-quick.
Setting things up
Generating keys
Generating wireguard config
Cleaning up old namespaces
Creating new namespaces left_ns and right_ns and adding loopback interface to 
them
Creating veth interface connecting both namespaces
mount of /sys failed: Operation not permitted
mount of /sys failed: Operation not permitted
mount of /sys failed: Operation not permitted
mount of /sys failed: Operation not permitted
Bringing up LEFT wireguard interface in namespace left_ns
[#] ip link add dev wg_left type wireguard
[#] wg setconf wg_left /dev/fd/63
[#] ip -4 address add 10.0.5.1/24 dev wg_left
RTNETLINK answers: Network is unreachable
[#] ip link set mtu 1420 up dev wg_left
Bringing up RIGHT wireguard interface in namespace right_ns
[#] ip link add dev wg_right type wireguard
[#] wg setconf wg_right /dev/fd/63
[#] ip -4 address add 10.0.5.2/24 dev wg_right
RTNETLINK answers: Network is unreachable
[#] ip link set mtu 1420 up dev wg_right

This is the config
left_ns namespace:
[Interface]
ListenPort = 3001
PrivateKey = iBdjPl1uALj1YhHFWfR1B8DrZmKeYES1L41PTVOvumE=

[Peer]
PublicKey = qacpJYohL0qIlgru2GHWbzfYngJFKTVfvWIiPNYHQjk=
AllowedIPs = 10.0.5.2/32
Endpoint = 10.0.1.2:3002

right_ns namespace:
[Interface]
ListenPort = 3002
PrivateKey = 6Mty1sJtimqUAIsbfFLu1nqcF/Gz1r+IvdbYwbxVok8=

[Peer]
PublicKey = g0FnrtD5RYNT0FxrqWRPr6eDyO0BEDp6rG1YcPdDln0=
AllowedIPs = 10.0.5.1/32
Endpoint = 10.0.1.1:3001

Testing gateway ping
Pinging right gateway, from left_ns namespace
PING 10.0.5.2 (10.0.5.2) 56(84) bytes of data.

--- 10.0.5.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Failed gateway ping
Some test failed, here is some debugging

1. https://pastebin.ubuntu.com/p/cdd2dKFDPS/

** Affects: wireguard (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158464

Title:
  wg-quick autopkgtest failing on all arches

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/2158464/+subscriptions


-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to