[GH-ISSUE #210] Newt Crash - SIGSEGV On WG Interface Creation #1133

New Issue

Closed

opened 2026-04-22 00:56:35 -05:00 by GiteaMirror · 2 comments

GiteaMirror commented 2026-04-22 00:56:35 -05:00

Owner

Copy Link

Originally created by @tullisar on GitHub (Dec 17, 2025).
Original GitHub issue: https://github.com/fosrl/newt/issues/210

Describe the Bug

I'm having a similar issue to #201, though this doesn't appear to be related to the IP address. I was using newt with the native client mode and after upgrading to 1.7.0 my Newt instances crash when trying to create the network interface. A fresh redeploy doesn't seem to help either.

Here's a snippet of the log:

client-native-1  | ERROR: 2025/12/16 17:27:22 Failed to ensure WireGuard interface: failed to create native TUN device: CreateTUN("newt") failed; /dev/net/tun does not exist
client-native-1  | panic: runtime error: invalid memory address or nil pointer dereference
client-native-1  | [signal SIGSEGV: segmentation violation code=0x1 addr=0x260 pc=0x632b2c]
client-native-1  | 
client-native-1  | goroutine 69 [running]:
client-native-1  | sync/atomic.(*Int32).Add(...)
client-native-1  | 	/usr/local/go/src/sync/atomic/type.go:94
client-native-1  | sync.(*RWMutex).RLock(...)
client-native-1  | 	/usr/local/go/src/sync/rwmutex.go:72
client-native-1  | golang.zx2c4.com/wireguard/device.(*Device).IpcGetOperation(0x0, {0x11a3ca0, 0xc000052440})
client-native-1  | 	/go/pkg/mod/golang.zx2c4.com/wireguard@v0.0.0-20250521234502-f333402bd9cb/device/uapi.go:52 +0x4c
client-native-1  | golang.zx2c4.com/wireguard/device.(*Device).IpcGet(0x0)
client-native-1  | 	/go/pkg/mod/golang.zx2c4.com/wireguard@v0.0.0-20250521234502-f333402bd9cb/device/uapi.go:409 +0x38
client-native-1  | github.com/fosrl/newt/clients.(*WireGuardService).ensureWireguardPeers(0xc00033e9c0, {0xc0003d81c0, 0x3, 0xc0003d81c0?})
client-native-1  | 	/app/clients/clients.go:648 +0x45
client-native-1  | github.com/fosrl/newt/clients.(*WireGuardService).handleConfig(0xc00033e9c0, {{0xc0000400a8, 0x16}, {0xec0520, 0xc00040af00}})
client-native-1  | 	/app/clients/clients.go:475 +0x274
client-native-1  | github.com/fosrl/newt/websocket.(*Client).readPumpWithDisconnectDetection(0xc000274dc0, {0xc000066fd0?, 0x577324?, 0x1976320?})
client-native-1  | 	/app/websocket/client.go:742 +0x21c
client-native-1  | created by github.com/fosrl/newt/websocket.(*Client).establishConnection in goroutine 9
client-native-1  | 	/app/websocket/client.go:565 +0xb6a

For reference, he's a snippet of the deployed compose configuration for the service:

name: newt
services:
  client-native:
    profiles:
      - base
      - native
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    depends_on:
      socket-proxy:
        condition: service_healthy
        required: true
    devices:
      - source: /dev/net/tun
        target: /dev/net/tun
        permissions: rwm
    environment:
      ACCEPT_CLIENTS: "true"
      DOCKER_SOCKET: unix:///socket/newt.sock
      HEALTH_FILE: /tmp/healthy
      KEEP_INTERFACE: "true"
      LOG_LEVEL: INFO
      NEWT_ID: <REDACTED>
      NEWT_SECRET: <REDACTED>
      PANGOLIN_ENDPOINT: <REDACTED>
      USE_NATIVE_INTERFACE: "true"
    healthcheck:
      test:
        - CMD-SHELL
        - cat /tmp/healthy || exit 1
      timeout: 10s
      interval: 1m0s
      retries: 3
      start_period: 1m0s
    image: fosrl/newt:latest
    network_mode: host
    restart: unless-stopped

I added the /dev/net/tun devices specification to see if that would help but no luck.

Environment

• OS Type & Version: Docker
• Newt Version: 1.7.0

To Reproduce

Run Newt in native client mode with the parameters shown in the compose snippet.

Expected Behavior

Newt creates the WG interface successfully and doesn't crash.

Originally created by @tullisar on GitHub (Dec 17, 2025). Original GitHub issue: https://github.com/fosrl/newt/issues/210 ### Describe the Bug I'm having a similar issue to #201, though this doesn't appear to be related to the IP address. I was using newt with the native client mode and after upgrading to 1.7.0 my Newt instances crash when trying to create the network interface. A fresh redeploy doesn't seem to help either. Here's a snippet of the log: ``` client-native-1 | ERROR: 2025/12/16 17:27:22 Failed to ensure WireGuard interface: failed to create native TUN device: CreateTUN("newt") failed; /dev/net/tun does not exist client-native-1 | panic: runtime error: invalid memory address or nil pointer dereference client-native-1 | [signal SIGSEGV: segmentation violation code=0x1 addr=0x260 pc=0x632b2c] client-native-1 | client-native-1 | goroutine 69 [running]: client-native-1 | sync/atomic.(*Int32).Add(...) client-native-1 | /usr/local/go/src/sync/atomic/type.go:94 client-native-1 | sync.(*RWMutex).RLock(...) client-native-1 | /usr/local/go/src/sync/rwmutex.go:72 client-native-1 | golang.zx2c4.com/wireguard/device.(*Device).IpcGetOperation(0x0, {0x11a3ca0, 0xc000052440}) client-native-1 | /go/pkg/mod/golang.zx2c4.com/wireguard@v0.0.0-20250521234502-f333402bd9cb/device/uapi.go:52 +0x4c client-native-1 | golang.zx2c4.com/wireguard/device.(*Device).IpcGet(0x0) client-native-1 | /go/pkg/mod/golang.zx2c4.com/wireguard@v0.0.0-20250521234502-f333402bd9cb/device/uapi.go:409 +0x38 client-native-1 | github.com/fosrl/newt/clients.(*WireGuardService).ensureWireguardPeers(0xc00033e9c0, {0xc0003d81c0, 0x3, 0xc0003d81c0?}) client-native-1 | /app/clients/clients.go:648 +0x45 client-native-1 | github.com/fosrl/newt/clients.(*WireGuardService).handleConfig(0xc00033e9c0, {{0xc0000400a8, 0x16}, {0xec0520, 0xc00040af00}}) client-native-1 | /app/clients/clients.go:475 +0x274 client-native-1 | github.com/fosrl/newt/websocket.(*Client).readPumpWithDisconnectDetection(0xc000274dc0, {0xc000066fd0?, 0x577324?, 0x1976320?}) client-native-1 | /app/websocket/client.go:742 +0x21c client-native-1 | created by github.com/fosrl/newt/websocket.(*Client).establishConnection in goroutine 9 client-native-1 | /app/websocket/client.go:565 +0xb6a ``` For reference, he's a snippet of the deployed compose configuration for the service: ``` name: newt services: client-native: profiles: - base - native cap_add: - NET_ADMIN - SYS_MODULE depends_on: socket-proxy: condition: service_healthy required: true devices: - source: /dev/net/tun target: /dev/net/tun permissions: rwm environment: ACCEPT_CLIENTS: "true" DOCKER_SOCKET: unix:///socket/newt.sock HEALTH_FILE: /tmp/healthy KEEP_INTERFACE: "true" LOG_LEVEL: INFO NEWT_ID: <REDACTED> NEWT_SECRET: <REDACTED> PANGOLIN_ENDPOINT: <REDACTED> USE_NATIVE_INTERFACE: "true" healthcheck: test: - CMD-SHELL - cat /tmp/healthy || exit 1 timeout: 10s interval: 1m0s retries: 3 start_period: 1m0s image: fosrl/newt:latest network_mode: host restart: unless-stopped ``` I added the /dev/net/tun devices specification to see if that would help but no luck. ### Environment - OS Type & Version: Docker - Newt Version: 1.7.0 ### To Reproduce Run Newt in native client mode with the parameters shown in the compose snippet. ### Expected Behavior Newt creates the WG interface successfully and doesn't crash.

GiteaMirror closed this issue 2026-04-22 00:56:36 -05:00

GiteaMirror commented 2026-04-22 00:56:36 -05:00

Author

Owner

Copy Link

@tullisar commented on GitHub (Dec 17, 2025):

Deleting the newt interface on the host with sudo ip link del newt, then redeploying the container fixed the issue. Seems like a migration issue with regards to the KEEP_INTERFACE parameter? I'm going to leave my containers running for a day or so then I'll close the issue if nothing breaks.

<!-- gh-comment-id:3663244112 --> @tullisar commented on GitHub (Dec 17, 2025): Deleting the `newt` interface on the host with `sudo ip link del newt`, then redeploying the container fixed the issue. Seems like a migration issue with regards to the `KEEP_INTERFACE` parameter? I'm going to leave my containers running for a day or so then I'll close the issue if nothing breaks.

GiteaMirror commented 2026-04-22 00:56:37 -05:00

Author

Owner

Copy Link

@oschwartz10612 commented on GitHub (Dec 18, 2025):

Yeah KEEP_INTERFACE was deprecated as it does not use netlink anymore to create interfaces. I can see if you were migrating the need to delete the old interface.

In 3305f71 I tried to prevent the segfault.

<!-- gh-comment-id:3670866344 --> @oschwartz10612 commented on GitHub (Dec 18, 2025): Yeah `KEEP_INTERFACE` was deprecated as it does not use netlink anymore to create interfaces. I can see if you were migrating the need to delete the old interface. In 3305f71 I tried to prevent the segfault.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/go_modules/prod-patch-updates-6805a9e229

dependabot/go_modules/golang.zx2c4.com/wireguard/windows-1.0.1

dependabot/docker/minor-updates-1134f52710

dev

fix-nix

dependabot/github_actions/actions/setup-go-6.4.0

dependabot/github_actions/docker/build-push-action-7.1.0

dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.0

dependabot/github_actions/softprops/action-gh-release-3.0.0

logging-provision

1.12.3

1.12.2

v1.12.2

1.12.1

v1.12.1

1.12.0

v1.12.0

v1.12.0-rc.1

1.12.0-rc.0

1.11.0

v1.11.0

1.10.4

1.10.3

v1.10.3

1.10.2

v1.10.2

1.10.1

v1.10.1

1.10.0

v1.10.0

1.9.5

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

v1.9.0

1.8.1

v1.8.1

v1.8.0

1.8.0

1.8.0-rc.0

1.7.0

1.6.1

1.7.0-rc.0

1.6.0

v1.0.1

1.4.9

1.5.2

1.5.1

1.5.0

1.4.4

1.4.3

1.4.2

1.4.1

1.4.0

1.3.4

1.3.3

1.3.2

1.3.1

1.3.0

1.2.1

1.2.0

1.1.3

1.1.2

1.1.1

1.1.0

1.0.0

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

bug

dependencies

enhancement

good first issue

help wanted

Improvement

needs investigating

pull-request

Mirrored from GitHub Pull Request

stale

wontfix

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/newt#1133