Description
Describe the bug
After upgrading to Ubuntu kernel 6.8.0-87 (package linux-image-6.8.0-87-generic), the WireGuard container fails to start the wg0 interface.
The startup logs show:
```text
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
[#] ip link delete dev wg0
Error: Command failed: wg-quick up wg0
```
The wg-easy or docker-wireguard container aborts at this step — the wg0 interface is never created, and no VPN tunnel is established.
This did not occur on kernel 6.8.0-86 and earlier.
The following caps and ctls are set inside my yaml:
```yaml
cap_add:
  - NET_ADMIN
  - SYS_MODULE
sysctls:
  - net.ipv4.ip_forward=1
  - net.ipv4.conf.all.src_valid_mark=1
```
Expected behavior
WireGuard should be able to bring up the wg0 interface inside the Docker container successfully, ignoring the sysctl write protection if the value is already set correctly on the host.
The command `sysctl -q net.ipv4.conf.all.src_valid_mark=1`
should either be silently ignored when /proc/sys/net/ipv4/conf/all/src_valid_mark is read-only,
or wg-quick should handle this non-critical error gracefully. When I set the flag locally, it should be recognized correctly.
Relevant log output
```text
Starting WireGuard...
Starting Wireguard Interface wg0...
Saving Config...
Listening on http://0.0.0.0:51821
Config saved successfully.
$ wg-quick down wg0
$ wg-quick up wg0
[unhandledRejection] Error: Command failed: wg-quick up wg0
[#] ip link add dev wg0 type wireguard
[#]
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.8.0.1/24 dev wg0
[#] ip -6 address add fdcc:ad94:bacf:61a4::cafe:1/112 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] wg set wg0 fwmark 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -6 route add ::/0 dev wg0 table 51820
[#] nft -f /dev/fd/63
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] sysctl -q net.ipv4.conf.all.src_valid_mark=1
sysctl: error setting key 'net.ipv4.conf.all.src_valid_mark': Read-only file system
[#] nft -f /dev/fd/63
[#] ip -4 rule delete table 51820
[#] ip -4 rule delete table main suppress_prefixlength 0
[#] ip -6 rule delete table 51820
[#] ip -6 rule delete table main suppress_prefixlength 0
[#] ip link delete dev wg0
    at genericNodeError (node:internal/errors:983:15)
    at wrappedFn (node:internal/errors:537:14)
    at ChildProcess.exithandler (node:child_process:415:12)
    at ChildProcess.emit (node:events:518:28)
    at maybeClose (node:internal/child_process:1101:16)
    at ChildProcess._handle.onexit (node:internal/child_process:304:5) {
  code: 1,
  killed: false,
  signal: null,
  cmd: 'wg-quick up wg0'
}
```

enwikuna
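The check the report asks for, as an added example that is not wg-easy or wg-quick code: read the key's current value from `/proc/sys` first and only write when it actually differs, so a `/proc/sys` that the container runtime mounted read-only is harmless when the compose `sysctls:` entry has already set the value. The optional third argument is an assumption made for testing; it points the function at a directory laid out like `/proc/sys`.

```shell
#!/bin/sh
# Added example, not part of wg-easy or wg-quick.
# ensure_sysctl KEY WANT [ROOT]
#   Returns 0 when the sysctl already holds WANT or could be set to WANT,
#   1 when it is missing, or differs and the file is not writable.
#   ROOT defaults to /proc/sys; any other value is for testing only (assumption).
ensure_sysctl() {
    key=$1
    want=$2
    root=${3:-/proc/sys}
    # net.ipv4.conf.all.src_valid_mark -> net/ipv4/conf/all/src_valid_mark
    path="$root/$(printf '%s' "$key" | tr . /)"

    if [ ! -r "$path" ]; then
        echo "ensure_sysctl: $key is not available under $root" >&2
        return 1
    fi

    current=$(cat "$path")
    if [ "$current" = "$want" ]; then
        # Already correct: no write attempted, so a read-only mount is fine.
        return 0
    fi

    # Value differs: try to write, but do not abort the caller on a read-only fs.
    if printf '%s\n' "$want" > "$path" 2>/dev/null; then
        return 0
    fi

    echo "ensure_sysctl: $key is '$current', want '$want', and $path is not writable" >&2
    return 1
}

# Usage: keys the wg-quick run above touches, checked before bringing wg0 up.
# ensure_sysctl net.ipv4.ip_forward 1 || exit 1
# ensure_sysctl net.ipv4.conf.all.src_valid_mark 1 || exit 1
```

An entrypoint that runs these checks before `wg-quick up` turns the failure above into either a silent success (value already set by the `sysctls:` block) or a clear message naming the key and the value it found.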