libvirt로 실행되고 virtiofs.
hostshare /etc/wireguard virtiofs rw,relatime 0 0
게스트의 디렉터리는 에 매핑되고 /etc/wireguard, 공유 폴더에 대한 권한은 모두 호스트와 게스트입니다 root:root (id:0).
이 디렉토리에 파일을 생성하면 wg0.confsystemd 서비스가 실패합니다.
Dec 11 12:59:11 vpn-server systemd[1]: Starting [email protected] - WireGuard via wg-quick(8) for wg0...
Dec 11 12:59:11 vpn-server wg-quick[889]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
Dec 11 12:59:11 vpn-server systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
Dec 11 12:59:11 vpn-server systemd[1]: [email protected]: Failed with result 'exit-code'.
Dec 11 12:59:11 vpn-server systemd[1]: Failed to start [email protected] - WireGuard via wg-quick(8) for wg0.
그러나 를 실행하면 wg-quick up wg0wireguard가 시작됩니다.
# wg-quick up wg0
[#] ip link add wg0 type wireguard
[#] wg setconf wg0 /dev/fd/63
[#] ip -4 address add 10.0.0.1/24 dev wg0
[#] ip -6 address add fdf0:426a:74ae::1/64 dev wg0
[#] ip link set mtu 1420 up dev wg0
[#] iptables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE
[#] ip6tables -t nat -I POSTROUTING -o enp1s0 -j MASQUERADE
After서비스의 매개변수 에 마운트를 추가하여 systemd 서비스가 마운트가 존재하기를 기다리고 있음을 확인했습니다. 그러나 시스템 부팅 후 수동으로 시작하려고 시도하고 공유에 액세스할 수 있음을 확인한 후에도 서비스는 계속됩니다. 시작하지 못합니다.
누구든지 무엇이 잘못되었는지 알 수 있도록 도와줄 수 있습니까?
systemd 서비스에 마운트 지점이 표시되지 않는 것 같습니다.
Dec 11 13:21:50 vpn-server mount[1326]: /dev/mapper/fedora-root on / type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
Dec 11 13:21:50 vpn-server mount[1326]: devtmpfs on /dev type devtmpfs (rw,nosuid,seclabel,size=4096k,nr_inodes=368069,mode=755,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,seclabel,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,seclabel,gid=5,mode=620,ptmxmode=000)
Dec 11 13:21:50 vpn-server mount[1326]: sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel,nsdelegate,memory_recursiveprot)
Dec 11 13:21:50 vpn-server mount[1326]: pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: bpf on /sys/fs/bpf type bpf (rw,nosuid,nodev,noexec,relatime,mode=700)
Dec 11 13:21:50 vpn-server mount[1326]: configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /run type tmpfs (rw,nosuid,nodev,seclabel,size=594992k,nr_inodes=819200,mode=755,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: selinuxfs on /sys/fs/selinux type selinuxfs (rw,nosuid,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: systemd-1 on /proc/sys/fs/binfmt_misc type autofs (rw,relatime,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=3915)
Dec 11 13:21:50 vpn-server mount[1326]: hugetlbfs on /dev/hugepages type hugetlbfs (rw,nosuid,nodev,relatime,seclabel,pagesize=2M)
Dec 11 13:21:50 vpn-server mount[1326]: mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: tracefs on /sys/kernel/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server mount[1326]: fusectl on /sys/fs/fuse/connections type fusectl (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: hostshare on /etc/wireguard type virtiofs (rw,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /tmp type tmpfs (rw,nosuid,nodev,seclabel,nr_inodes=1048576,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: /dev/vda2 on /boot type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
Dec 11 13:21:50 vpn-server mount[1326]: tmpfs on /run/user/1000 type tmpfs (rw,nosuid,nodev,relatime,seclabel,size=297496k,nr_inodes=74374,mode=700,uid=1000,gid=1000,inode64)
Dec 11 13:21:50 vpn-server mount[1326]: binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,nosuid,nodev,noexec,relatime)
Dec 11 13:21:50 vpn-server mount[1326]: tracefs on /sys/kernel/debug/tracing type tracefs (rw,nosuid,nodev,noexec,relatime,seclabel)
Dec 11 13:21:50 vpn-server wg-quick[1327]: wg-quick: `/etc/wireguard/wg0.conf' does not exist
Dec 11 13:21:50 vpn-server systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
고쳐 쓰다
@MarcusMüller가 지적했듯이 selinux 문제처럼 보입니다.
Dec 11 13:21:50 vpn-server audit[1327]: AVC avc: denied { search } for pid=1327 comm="wg-quick" name="/" dev="virtiofs" ino=981467275 scontext=system_u:system_r:wireguard_t:s0 tcontext=system_u:object_r:virtiofs_t:s0 tclass=dir permissive=0
좋은 소식은 selinux를 허용 모드로 설정하면 (setenforce 0)wg 서비스가 시작된다는 것입니다.
답변1
이 문제는 다음과 같은 SELINUX 권한 문제로 인해 발생합니다.@marcusmuller.
다른 질문에 해결 방법을 설명했지만 간단히 말해서 audit2allow를 사용하여 권한을 계산한 다음 을 사용해야 합니다 semanage.
더 완전한 답변을 보려면 이 질문을 참조하세요.