
Add rootless container engine section #241

Closed
wants to merge 1 commit into from

Conversation

@lucario lucario commented Feb 8, 2023

Create a new section in README outlining potential additional optional parameters to enable running the container in rootless container engines and SELinux enforcing systems.

linuxserver.io


  • I have read the contributing guideline and understand that I have made the correct modifications

Description:

I understand rootless docker/podman and SELinux are not supported; however, this image does function on such systems, like Fedora and RHEL.

There was no documentation I could find online that describes running wireguard with rootless podman that didn't require root to first modprobe the wireguard kernel module. ip does issue a module_request to load the module without needing sudo outside of the container, which will initially be blocked on SELinux-enforcing systems.

These parameters allow a completely unprivileged user, without sudo or access to a root docker daemon, to run the container on SELinux-enforcing systems.

NET_RAW seems to be a requirement on newer kernels and does allow client-mode WG to properly set up 0.0.0.0/0 and 0::0/0 allowed IPs. This fixes the issue where some users would have to disable IPv6 or modify the IPv4 allowed IP to 0.0.0.0/1. This also allows users with only an IPv4 address to have an IPv6 route.

--security-opt label=disable is not ideal, and I will be looking into narrowing the permission scope to only allowing module_request.

Regardless, these additional parameters, which allow the use of rootless docker/podman, are substantially more secure than:

  1. Docker daemon/Podman executed with root.
  2. A system with no SELinux, or SELinux in permissive mode.
  3. A user in the sudo or docker group running rootless docker/podman.
  4. A completely unprivileged user not in sudo running any container with --privileged.

No additional effort is required by the maintainers to support these configurations. I think it is at least worth mentioning that this container does support these configurations unofficially with additional fine-grained permission parameters rather than throwing root or --privileged at the issue like most documentation/blogs I've read related to wireguard and rootless container engines.

Benefits of this PR and context:

Documentation surrounding running wireguard with a rootless container engine is either outdated, uses workarounds, or promotes poor practice. This appears to be the most popular container with wireguard, so it is worth adding a section denoting the additional parameters necessary to run the container in rootless environments even if it is not officially supported.
Specifically, to avoid bad configurations such as:

  • running with --privileged, incorrectly granting more permissions than are actually required.
  • Modifying or removing IPv6/IPv4 configuration when not strictly necessary, e.g. the 0.0.0.0/1 hack when NET_RAW is required.
  • Users manually running sudo modprobe wireguard on each boot when ip requests the module anyway.
  • The module being blocked from automatically loading due to SELinux in enforcing mode.

How Has This Been Tested?

Fedora CoreOS VM

Source / References:

@github-actions github-actions bot left a comment

Thanks for opening this pull request! Be sure to follow the pull request template!

@hasan4791

For rootless podman, the interface that is created is tap, which requires a change to the iptables rules in this file.

https://github.com/linuxserver/docker-wireguard/blob/master/root/defaults/server.conf

@hasan4791

Also I would hesitate to do this even though it's a rootless container:
--security-opt label=disable

The best we could do here is ask users to preload the required modules

ip_tables
iptable_filter
iptable_nat
wireguard
xt_MASQUERADE

You can check here for reference,
containers/podman#15120

@lucario
Author

lucario commented Feb 19, 2023

> Also I would hesitate to do this even though it's a rootless container. --security-opt label=disable
>
> The best we could do here is ask users to preload the required modules
>
> ip_tables
> iptable_filter
> iptable_nat
> wireguard
> xt_MASQUERADE
>
> You can check here for reference, containers/podman#15120

I appreciate your insight. I adjusted my butane config to include loading wireguard on every boot, which is definitely a more optimal approach.

I will revise my changes here to only include the additional CAP as an optional arg, removing the additional section since it would be out of scope.

@Jojonintendo

In my case, with rootless podman I had to set an MTU of 1500 for wireguard to work. By default it seems that rootless uses an MTU of 65k. It took me so much time to figure it out that I thought it better to share it here.

@hasan4791

Yep, I missed this. Though all the details are captured in the above linked issue.

@lucario lucario marked this pull request as draft February 19, 2023 18:36
@lucario
Author

lucario commented Mar 12, 2023

The modules in the above thread were incomplete for my configuration.

Fedora CoreOS 37.20230218.3.0 running WG with AllowedIPs = 0.0.0.0/0,::0/0

Contents of ~/.config/containers/systemd/vpn.container (a podman quadlet unit; run as the unprivileged user, no --privileged):

[Container]
Image=lscr.io/linuxserver/wireguard:alpine
# Label=io.containers.autoupdate=registry
Environment="PUID=1004" "PGID=1004" "TZ=Etc/UTC"
# :Z relabels the volume for SELinux instead of disabling labels entirely
Volume=vpn-config:/config:Z
# NET_RAW is needed alongside NET_ADMIN for 0.0.0.0/0,::0/0 AllowedIPs
AddCapability=NET_ADMIN NET_RAW
PodmanArgs=--sysctl net.ipv4.conf.all.src_valid_mark=1

[Install]
WantedBy=default.target

I ran a diff of lsmod before running the container and after running it with --privileged. The modules below I have set to load automatically on boot, so the WG container can be run without --privileged.

Contents of /etc/modules-load.d/example.conf (one module name per line, loaded by systemd-modules-load at boot):

iptable_mangle
iptable_raw
xt_connmark
nf_conntrack
nf_defrag_ipv6
nf_defrag_ipv4
xt_mark
ip6table_mangle
xt_comment
xt_addrtype
ip6table_raw
wireguard
curve25519_x86_64
libcurve25519_generic
ip6_udp_tunnel
udp_tunnel

@hasan4791

Good 👍, it seems CoreOS doesn't load many modules and needs a lot more than we had listed.

@github-actions

This pull request has been automatically marked as stale because it has not had recent activity. This might be due to missing feedback from OP. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions

This pull request is locked due to inactivity

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 12, 2023