Merge pull request Place1#104 from DasSkelett/fix/docker-modules

Add CAP_SYS_MODULE to Docker commands and docker-compose.yml

Author: DasSkelett

README.md

@@ -51,11 +51,12 @@ docker run \
   -it \
   --rm \
   --cap-add NET_ADMIN \
+  --cap-add SYS_MODULE \
   --device /dev/net/tun:/dev/net/tun \
   --sysctl net.ipv6.conf.all.disable_ipv6=0 \
   --sysctl net.ipv6.conf.all.forwarding=1 \
   -v wg-access-server-data:/data \
-  -v /lib/modules:/lib/modules \
+  -v /lib/modules:/lib/modules:ro \
   -e "WG_ADMIN_PASSWORD=$WG_ADMIN_PASSWORD" \
   -e "WG_WIREGUARD_PRIVATE_KEY=$WG_WIREGUARD_PRIVATE_KEY" \
   -p 8000:8000/tcp \
@@ -87,8 +88,9 @@ helm delete my-release
 Download the the docker-compose.yml file from the repo and run the following command.
 
 ```bash
-export WG_ADMIN_PASSWORD="example"
+export WG_ADMIN_PASSWORD=$(tr -cd '[:alnum:]' < /dev/urandom | fold -w30 | head -n1)
 export WG_WIREGUARD_PRIVATE_KEY="$(wg genkey)"
+echo "Your automatically generated admin password for the wg-access-server's web interface: $WG_ADMIN_PASSWORD"
 
 docker-compose up
 ```

docker-compose.yml

@@ -9,10 +9,12 @@ services:
     container_name: wg-access-server
     cap_add:
       - NET_ADMIN
+      - SYS_MODULE
     sysctls:
       net.ipv6.conf.all.disable_ipv6: 0
       net.ipv6.conf.all.forwarding: 1
     volumes:
+      - "/lib/modules:/lib/modules:ro"
       - "wg-access-server-data:/data"
     #   - "./config.yaml:/config.yaml" # if you have a custom config file
     environment:

docs/deployment/1-docker.md

@@ -9,22 +9,33 @@ docker run \
   -it \
   --rm \
   --cap-add NET_ADMIN \
+  --cap-add SYS_MODULE \
   --device /dev/net/tun:/dev/net/tun \
   --sysctl net.ipv6.conf.all.disable_ipv6=0 \
   --sysctl net.ipv6.conf.all.forwarding=1 \
   -v wg-access-server-data:/data \
-  -v /lib/modules:/lib/modules \
+  -v /lib/modules:/lib/modules:ro \
   -e "WG_ADMIN_PASSWORD=$WG_ADMIN_PASSWORD" \
   -e "WG_WIREGUARD_PRIVATE_KEY=$WG_WIREGUARD_PRIVATE_KEY" \
   -p 8000:8000/tcp \
   -p 51820:51820/udp \
   ghcr.io/freifunkmuc/wg-access-server:latest
 ```
 
-Make sure you have the `ip_tables` and `ip6_tables` kernel modules loaded on the host:
+## Modules
+
+If you load the kernel modules `ip_tables` and `ip6_tables` on the host,
+you can drop the `SYS_MODULE` capability and remove the `/lib/modules` mount:
 ```bash
 modprobe ip_tables && modprobe ip6_tables
+# Load modules on boot
+echo ip_tables >> /etc/modules
+echo ip6_tables >> /etc/modules
 ```
+This is highly recommended, as a container with CAP_SYS_MODULE essentially has root privileges
+over the host system and attacker could easily break out of the container.
+
+## IPv4-only (without IPv6)
 
 If you don't want IPv6 inside the VPN network, set `WG_VPN_CIDRV6=0`.
 In this case you can also get rid of the sysctls:

docs/deployment/2-docker-compose.md

@@ -1,10 +1,10 @@
 # Docker Compose
 
-You can run wg-access-server using the following example
-Docker Compose file.
+You can run wg-access-server using the following example Docker Compose file.
 
-Checkout the [configuration docs](../2-configuration.md) to learn how wg-access-server
-can be configured.
+Checkout the [configuration docs](../2-configuration.md) to learn how wg-access-server can be configured.
+
+Please also read the [Docker instructions](../1-docker.md) for general information regarding Docker deployments.
 
 ```yaml
 {!../docker-compose.yml!}