Gluetun will not start after latest image update #2375

Closed
mikul9 opened this issue Jul 28, 2024 · 22 comments

Comments

@mikul9

mikul9 commented Jul 28, 2024

Is this urgent?

Yes

Host OS

DSM 7.21 (Synology)

CPU arch

x86_64

VPN service provider

AirVPN

What are you using to run the container

Other

What is the version of Gluetun

Cannot tell as it won't start, but logs state "latest"

What's the problem 🤔

After upgrading today (7/28), the container will not start. Rebuilding the project from within container manager fails with the error "Failed to start. Container for service gluetun is unhealthy." Container manager shows the existence of the gluetun container but it is grayed out. Attempting to start it from within container manager does nothing.

Container can not be reset or deleted from within container manager, but can be deleted from Portainer.

Share your logs (at least 10 lines)

========================================
========================================
=============== gluetun ================
========================================
=========== Made with ❤️ by ============
======= https://github.com/qdm12 =======
========================================
========================================

Running version latest built on 2024-07-28T14:31:52.048Z (commit ddbfdc9)

🔧 Need help? https://github.com/qdm12/gluetun/discussions/new
🐛 Bug? https://github.com/qdm12/gluetun/issues/new
✨ New feature? https://github.com/qdm12/gluetun/issues/new
☕ Discussion? https://github.com/qdm12/gluetun/discussions/new
💻 Email? quentin.mcgaw@gmail.com
💰 Help me? https://www.paypal.me/qmcgaw https://github.com/sponsors/qdm12
2024-07-28T12:31:47-04:00 INFO [routing] default route found: interface eth0, gateway xxx.xxx.xxx.xxx, assigned IP xxx.xxx.xxx.xxx and family v4
2024-07-28T12:31:47-04:00 INFO [routing] local ethernet link found: eth0
2024-07-28T12:31:47-04:00 INFO [routing] local ipnet found: xxx.xxx.xxx.xxx/16
2024-07-28T12:31:47-04:00 ERROR no iptables supported found: errors encountered are: iptables-nft: iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument (exit status 4); iptables: iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument (exit status 4)
2024-07-28T12:31:47-04:00 INFO Shutdown successful

Share your configuration

services:
  gluetun:
    image: qmcgaw/gluetun:latest
    container_name: gluetun
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp
      - 8388:8388/tcp
      - 8388:8388/udp
      - 8090:8090/tcp 
    volumes:
      - /volume1/docker/gluetun:/gluetun
    environment:
      - PUID=1040 
      - PGID=65536 
      - TZ=America/New_York 
      - VPN_SERVICE_PROVIDER=airvpn
      - VPN_TYPE=openvpn #change as per wiki 
      - USER=username
      - PASSWORD=password
#      - SERVER_COUNTRIES=Norway
      - HTTPPROXY=off #change to on if you wish to enable
      - SHADOWSOCKS=off #change to on if you wish to enable
      - FIREWALL_OUTBOUND_SUBNETS=172.20.0.0/16,192.168.1.0/24 #change this in line with your subnet see note on guide.
      - FIREWALL_VPN_INPUT_PORTS=13482 #uncomment this line and change the port as per the note on the guide
      - UPDATER_PERIOD=24h
    network_mode: synobridge
    labels:
      - com.centurylinklabs.watchtower.enable=false
    security_opt:
      - no-new-privileges:true
    restart: always

  qbittorrent:
    image: linuxserver/qbittorrent:latest
    container_name: qbittorrent
#    user: root
    environment:
#      - PUID=1026 
#      - PGID=100 
      - PUID=1040 
      - PGID=65536 
      - TZ=America/New_York 
      - WEBUI_PORT=8090
      - UMASK=000
    volumes:
      - /volume1/docker/qbittorrent:/config
#      - /volume1/Downloads:/data/torrents
      - /volume1/Downloads:/downloads
    network_mode: service:gluetun # run on the vpn network
    depends_on:
      gluetun:
        condition: service_healthy
    security_opt:
      - no-new-privileges:true
    restart: always
Contributor

@qdm12 is more or less the only maintainer of this project and works on it in his free time.
Please:

@ralob

ralob commented Jul 28, 2024

Same issue here with the same error on Synology.

2024-07-28T16:51:15Z ERROR no iptables supported found: errors encountered are: iptables-nft: iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument (exit status 4); iptables: iptables v1.8.10 (nf_tables): Could not fetch rule set generation id: Invalid argument (exit status 4)

@dokzlo13

dokzlo13 commented Jul 28, 2024

Also facing same issue on synology + docker-compose.
UPD: The last Docker Hub version that doesn't have this error is qmcgaw/gluetun:pr-2285.

@K4iN3R

K4iN3R commented Jul 28, 2024

Exactly the same issue on synology.

@Suzaru

Suzaru commented Jul 28, 2024

As far as I remember this was related to an old kernel that synology doesn't update. Had this in May too. Maybe that helps 👌

@jeffreyswiggins

> Also facing same issue on synology + docker-compose. UPD: The last Docker Hub version that doesn't have this error is qmcgaw/gluetun:pr-2285.

Same on my Synology. Thank you for notating the version that is working so I could roll back! Back to working for me as well

@mikul9
Author

mikul9 commented Jul 28, 2024

Rolling back to 2285 does work. This is an easy change in the yaml file, but does anyone know of a way to change the version in use for containers set up within container manager on a Synology box? This has always bothered me, and would help others who need to rollback until there's a fix in place.

@jeffreyswiggins

jeffreyswiggins commented Jul 28, 2024 via email

@mikul9
Author

mikul9 commented Jul 28, 2024

The tag gets assigned when the container is created by running the image. There doesn't seem to be a way to change it afterward. How did you do it when it was Docker? It was a problem back then too.

@Trombalcazar

Hello. Same issue here on my Synology NAS
Seems the same issue as in May

@raglits73

Same issue on my qnap NAS, pr-2285 works though

@FreeFalcon163

FreeFalcon163 commented Jul 29, 2024

Same issue on Linux mint, resolved with v3.38.0

2024-07-28T19:50:40-05:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.3 and family v4
2024-07-28T19:50:40-05:00 INFO [routing] adding route for 0.0.0.0/0
2024-07-28T19:50:40-05:00 INFO [firewall] setting allowed subnets...
2024-07-28T19:50:40-05:00 INFO [routing] default route found: interface eth0, gateway 172.20.0.1, assigned IP 172.20.0.3 and family v4
2024-07-28T19:50:40-05:00 INFO [dns] using plaintext DNS at address 1.1.1.1
2024-07-28T19:50:40-05:00 INFO [http server] http server listening on [::]:8000
2024-07-28T19:50:40-05:00 INFO [healthcheck] listening on 127.0.0.1:9999
2024-07-28T19:50:40-05:00 INFO [firewall] allowing VPN connection...
2024-07-28T19:50:40-05:00 INFO [openvpn] OpenVPN 2.6.11 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
2024-07-28T19:50:40-05:00 INFO [openvpn] library versions: OpenSSL 3.3.1 4 Jun 2024, LZO 2.10
2024-07-28T19:50:40-05:00 INFO [openvpn] OpenSSL: error:068000E9:asn1 encoding routines::utctime is too short:
2024-07-28T19:50:40-05:00 INFO [openvpn] OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revocationDate, Type=X509_REVOKED
2024-07-28T19:50:40-05:00 INFO [openvpn] OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=revoked, Type=X509_CRL_INFO
2024-07-28T19:50:40-05:00 INFO [openvpn] OpenSSL: error:0688010A:asn1 encoding routines::nested asn1 error:Field=crl, Type=X509_CRL
2024-07-28T19:50:40-05:00 INFO [openvpn] OpenSSL: error:0488000D:PEM routines::ASN1 lib:
2024-07-28T19:50:40-05:00 INFO [openvpn] CRL: cannot read CRL from file [[INLINE]]
2024-07-28T19:50:40-05:00 INFO [openvpn] CRL: loaded 0 CRLs from file -----BEGIN X509 CRL-----
2024-07-28T19:50:40-05:00 INFO [openvpn] MIIDWDCCAUAwDQYJKoZIhvcNAQENBQAwgegxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTETMBEGA1UEBxMKTG9zQW5nZWxlczEgMB4GA1UEChMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxIDAeBgNVBAsTF1ByaXZhdGUgSW50ZXJuZXQgQWNjZXNzMSAwHgYDVQQDExdQcml2YXRlIEludGVybmV0IEFjY2VzczEgMB4GA1UEKRMXUHJpdmF0ZSBJbnRlcm5ldCBBY2Nlc3MxLzAtBgkqhkiG9w0BCQEWIHNlY3VyZUBwcml2YXRlaW50ZXJuZXRhY2Nlc3MuY29tFw0xNjA3MDgxOTAwNDZaFw0zNjA3MDMxOTAwNDZaMCYwEQIBARcMMTYwNzA4MTkwMDQ2MBECAQYXDDE2MDcwODE5MDA0NjANBgkqhkiG9w0BAQ0FAAOCAgEAppFfEpGsasjB1QgJcosGpzbf2kfRhM84o2TlqY1ua+Gi5TMdKydA3LJcNTjlI9a0TYAJfeRX5IkpoglSUuHuJgXhP3nEvX10mjXDpcu/YvM8TdE5JV2+EGqZ80kFtBeOq94WcpiVKFTR4fO+VkOK9zwspFfb1cNs9rHvgJ1QMkRUF8PpLN6AkntHY0+6DnigtSaKqldqjKTDTv2OeH3nPoh80SGrt0oCOmYKfWTJGpggMGKvIdvU3vH9+EuILZKKIskt+1dwdfA5Bkz1GLmiQG7+9ZZBQUjBG9Dos4hfX/rwJ3eU8oUIm4WoTz9rb71SOEuUUjP5NPy9HNx2vx+cVvLsTF4ZDZaUztW9o9JmIURDtbeyqxuHN3prlPWB6aj73IIm2dsDQvs3XXwRIxs8NwLbJ6CyEuvEOVCskdM8rdADWx1J0lRNlOJ0Z8ieLLEmYAA834VN1SboB6wJIAPxQU3rcBhXqO9y8aa2oRMg8NxZ5gr+PnKVMqag1x0IxbIgLxtkXQvxXxQHEMSODzvcOfK/nBRBsqTj30P+R87sU8titOoxNeRnBDRNhdEy/QGAqGh62ShPpQUCJdnKRiRTjnil9hMQHevoSuFKeEMO30FQL7BZyo37GFU+q1WPCplVZgCP9hC8Rn5K2+f6KLFo5bhtowSmu+GY1yZtg+RTtsA=
2024-07-28T19:50:40-05:00 INFO [openvpn] -----END X509 CRL-----
2024-07-28T19:50:40-05:00 INFO [openvpn] TCP/UDP: Preserving recently used remote address: [AF_INET]66.115.142.58:1197
2024-07-28T19:50:40-05:00 INFO [openvpn] UDPv4 link local: (not bound)
2024-07-28T19:50:40-05:00 INFO [openvpn] UDPv4 link remote: [AF_INET]66.115.142.58:1197
2024-07-28T19:50:41-05:00 INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=3,code=113)
2024-07-28T19:50:45-05:00 INFO [openvpn] read UDPv4 [EHOSTUNREACH]: Host is unreachable (fd=3,code=113)

@kyralretsam

Synology user here. Same issue as everyone else. pr-2285 works.

DSM 7.2.1-69057 Update 5 if that helps

@greatestape

I could be missing context, but this looks like a regression of the fix to this bug from May: #2256

@greatestape

Specifically, this commit: ddbfdc9

But I'm just a tourist in this code. No idea what else is up.

@lorissimo

lorissimo commented Jul 29, 2024

My God... I've just spent the last 3 hours + trying to figure this out, as I've been having the same exact issue starting today. I found a thread which led me to use "image: gluetun:v3" to fix the issue temporarily.

@qdm12
Owner

qdm12 commented Jul 29, 2024

Solved in 26705f5

@qdm12 qdm12 closed this as completed Jul 29, 2024
Contributor

Closed issues are NOT monitored, so commenting here is likely to be not seen.
If you think this is still unresolved and have more information to bring, please create another issue.

This is an automated comment setup because @qdm12 is the sole maintainer of this project
which became too popular to monitor issues closed.

@qdm12
Owner

qdm12 commented Jul 29, 2024

For additional context, now that I had my breakfast after fixing this 😄....

After v3.38.0, I upgraded Alpine from 3.18 to 3.19... which has been quite troublesome, because iptables (the firewall) uses the nf_tables kernel backend, even if it's not there, which is your case, although with a rather obscure message: "Could not fetch rule set generation id: Invalid argument (exit status 4)". I then figured out that problem a few weeks ago and added the iptables-legacy package, which uses the legacy backend and works on your systems.

But wait, it's not over. It also turns out iptables (aka iptables-nft) on Alpine 3.19 is bugged, and will fail after running a few commands (see my netfilter bug report). Luckily, this is fixed in Alpine 3.20.
Yesterday, I read a Gluetun issue of someone not supporting the legacy backend, and using the bugged new backend nf_tables, producing buggy results. So I decided it was time to upgrade to Alpine 3.20 and use the fixed iptables (nf_tables backend), since Alpine 3.19 was becoming unmanageable. And, silly me, instead of changing the preference order as my commit message says (ddbfdc9), I did throw out the iptables-legacy completely, which you still needed over here! So that was the extra step that was unneeded.

Again, sorry for the turbulent latest image since v3.38.0, it's partly my fault, but I am really also upset with Alpine messing up their iptables. It's not always easy to think about all the corner cases on everyone's kernel 😄

Finally...

> UPD: The last Docker Hub version that doesn't have this error is qmcgaw/gluetun:pr-2285.

Please don't use :pr- images, use tagged released images like :v3.38. pr- images are generated from pull requests and might be unstable or for testing only.
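
The fallback behaviour described in the comment above, as an added example that is not part of the thread or Gluetun's own code: it probes iptables binaries in preference order and keeps `iptables-legacy` as the last resort for kernels without nf_tables. The candidate order, the `-n -L` probe and the names `pickIptables`, `probeFunc` and `listRules` are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// errNoneSupported mirrors the wording of the error in the logs above.
var errNoneSupported = errors.New("no iptables supported found")

// probeFunc reports whether an iptables binary can talk to its kernel backend.
type probeFunc func(binary string) error

// listRules is an assumed probe: listing the filter table forces the binary
// to query its backend, so an nf_tables build fails on a kernel without it.
func listRules(binary string) error {
	out, err := exec.Command(binary, "-n", "-L").CombinedOutput()
	if err != nil {
		return fmt.Errorf("%s (%w)", strings.TrimSpace(string(out)), err)
	}
	return nil
}

// pickIptables returns the first candidate, in preference order, whose probe
// succeeds. If all fail, every failure is reported so none is hidden.
func pickIptables(candidates []string, probe probeFunc) (string, error) {
	var failures []string
	for _, binary := range candidates {
		err := probe(binary)
		if err == nil {
			return binary, nil
		}
		failures = append(failures, binary+": "+err.Error())
	}
	return "", fmt.Errorf("%w: errors encountered are: %s",
		errNoneSupported, strings.Join(failures, "; "))
}

func main() {
	// Assumed order: nf_tables builds first, legacy kept as the fallback.
	order := []string{"iptables-nft", "iptables", "iptables-legacy"}
	binary, err := pickIptables(order, listRules)
	if err != nil {
		fmt.Println("ERROR", err)
		return
	}
	fmt.Println("using", binary)
}
```

Running the probe needs the same NET_ADMIN capability the container already has; without it every candidate fails for a permissions reason rather than a backend one.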

@KirovAir

Thanks for the quick fix!

@kyralretsam

Fix confirmed. Thanks for the quick fix and the detailed explanation of what the cause was!

@mikul9
Author

mikul9 commented Jul 29, 2024

Thank you for digging into this and helping out edge cases like us!
