Public bug reported:
The wg-quick test fails on all architectures
sample log:
96s autopkgtest [07:45:22]: test wg-quick: [-----------------------
96s Setting things up
96s Generating keys
96s Generating wireguard config
96s Cleaning up old namespaces
96s Creating new namespaces left_ns and right_ns and adding loopback interface
to them
97s Creating veth interface connecting both namespaces
97s Bringing up LEFT wireguard interface in namespace left_ns
97s Bringing up RIGHT wireguard interface in namespace right_ns
97s /tmp/autopkgtest.pzNh3P/build.7k9/src/debian/tests/wg-quick: line 33:
1189 Segmentation fault ip netns exec "${LEFT_NS}" wg-quick up
"${WG_LEFT_INTERFACE}"
97s /tmp/autopkgtest.pzNh3P/build.7k9/src/debian/tests/wg-quick: line 33:
1190 Segmentation fault ip netns exec "${RIGHT_NS}" wg-quick up
"${WG_RIGHT_INTERFACE}"
97s Failed vpn test setup
97s Some test failed, here is some debugging
97s dmesg: read kernel buffer failed: Operation not permitted
97s autopkgtest [07:45:23]: test wg-quick: -----------------------]
97s autopkgtest [07:45:23]: test wg-quick: - - - - - - - - - - results - - -
- - - - - - -
97s wg-quick FAIL non-zero exit status 1
some troubleshooting has already been done by ~ahasenack and I
a local test run shows dmesg errors:
[ 1010.926831] audit: type=1400 audit(1782302828.143:4078): apparmor="DENIED"
operation="file_inherit" class="file"
namespace="root//lxd-autopkgtest-lxd-zmsdjp_<var-snap-lxd-common-lxd>"
profile="wg" name="/tmp/tmp.XaXFtmDa78/err" pid=47688 comm="wg"
requested_mask="a" denied_mask="a" fsuid=1000000 ouid=1000000
[ 1010.926842] audit: type=1400 audit(1782302828.143:4079): apparmor="DENIED"
operation="open" class="file"
profile="lxd-autopkgtest-lxd-zmsdjp_</var/snap/lxd/common/lxd>" pid=47688
comm="wg" requested_mask="wr" denied_mask="wr" fsuid=1000000 ouid=0
[ 1010.941858] VFS: Mount too revealing
[ 1010.946108] VFS: Mount too revealing
[ 1010.950269] VFS: Mount too revealing
[ 1010.952473] VFS: Mount too revealing
[ 1010.953773] VFS: Mount too revealing
[ 1010.955025] VFS: Mount too revealing
[ 1010.956651] VFS: Mount too revealing
[ 1010.958287] VFS: Mount too revealing
And a lead from Andreas:
This change[1] almost made the test pass. The apparmor profile blocked
bash in one of those commands, so maybe just some rules needed changing.
I disabled it here for now. The second change prevented the /sys remount
via ip netns, but the ping commands failed later, maybe because the vpn
wasn't setup at all, i.e., the nsenter tricks didn't work:
Disabling wg.
Disabling wg-quick.
Setting things up
Generating keys
Generating wireguard config
Cleaning up old namespaces
Creating new namespaces left_ns and right_ns and adding loopback interface to
them
Creating veth interface connecting both namespaces
mount of /sys failed: Operation not permitted
mount of /sys failed: Operation not permitted
mount of /sys failed: Operation not permitted
mount of /sys failed: Operation not permitted
Bringing up LEFT wireguard interface in namespace left_ns
[#] ip link add dev wg_left type wireguard
[#] wg setconf wg_left /dev/fd/63
[#] ip -4 address add 10.0.5.1/24 dev wg_left
RTNETLINK answers: Network is unreachable
[#] ip link set mtu 1420 up dev wg_left
Bringing up RIGHT wireguard interface in namespace right_ns
[#] ip link add dev wg_right type wireguard
[#] wg setconf wg_right /dev/fd/63
[#] ip -4 address add 10.0.5.2/24 dev wg_right
RTNETLINK answers: Network is unreachable
[#] ip link set mtu 1420 up dev wg_right
This is the config
left_ns namespace:
[Interface]
ListenPort = 3001
PrivateKey = iBdjPl1uALj1YhHFWfR1B8DrZmKeYES1L41PTVOvumE=
[Peer]
PublicKey = qacpJYohL0qIlgru2GHWbzfYngJFKTVfvWIiPNYHQjk=
AllowedIPs = 10.0.5.2/32
Endpoint = 10.0.1.2:3002
right_ns namespace:
[Interface]
ListenPort = 3002
PrivateKey = 6Mty1sJtimqUAIsbfFLu1nqcF/Gz1r+IvdbYwbxVok8=
[Peer]
PublicKey = g0FnrtD5RYNT0FxrqWRPr6eDyO0BEDp6rG1YcPdDln0=
AllowedIPs = 10.0.5.1/32
Endpoint = 10.0.1.1:3001
Testing gateway ping
Pinging right gateway, from left_ns namespace
PING 10.0.5.2 (10.0.5.2) 56(84) bytes of data.
--- 10.0.5.2 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
Failed gateway ping
Some test failed, here is some debugging
1. https://pastebin.ubuntu.com/p/cdd2dKFDPS/
** Affects: wireguard (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158464
Title:
wg-quick autopkgtest failing on all arches
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/2158464/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs