A new bug appears, it’s in an encryption layer. You solve this by deciding to disable the encryption layer because user experience is better without the errors. You write it up as a recruitment piece for your engineering team.
There may be some good answers and lessons, but they didn’t make it into the article. Saying it’s on a cloud provider’s private network so encryption between your nodes isn’t necessary is a bold choice. Also, what happened to the root cause? Why did it start failing a week ago? Was a downgrade of the offending code not possible?
Not all bug investigations are worth really digging into. Sometimes the right call is to find any fix and move on. But all the nuance, judgement, implications, and lessons learned failed to make it into this post. And they are what make reading incident reports interesting for most engineers.
Isn't this like the #1 problem people have with WireGuard? I've had clients with the MTU issue every time I've set it up for more than a few clients. Also how on earth is "connection reset by peer" dreaded?
This article reeks of desperation. I'm pretty sure Lovable's days are numbered.
This article really delves in and finds the seam - operation reality not operational performance theater
Oh my, a bug in WireGuard? What did Google change, since it affects only them? Any lessons learned about modifying cryptographic software?
...
Skipping past the investigation bit (minimising my daily slop intake), it's a wrong MTU value causing failing connections when WireGuard is disabled:
> When we disabled WireGuard, we expected the configuration to change to use the full 1500 bytes. However, some nodes in the cluster hadn't been restarted [and were] using the old 1420-byte MTU.
> [paraphrased] This particularly affected Valkey connections because they were distributed across nodes with mismatched MTU settings. So your API pod might not connect. The fix was rerolling all the nodes to get a consistent MTU configuration
Great idea, rebuild a whole fleet of VMs instead of adding the MTU configuration to your wg-down script
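An added example, not part of the thread or of the article it discusses: a check for the MTU drift described in the quotes above, run over `ip -o link show` output collected from each node. The node names, the interface name `eth0` and the sample output are constructed for illustration; the expected value of 1500 and the stale value of 1420 come from the quoted text.

```python
import re

# Matches one line of `ip -o link show`, e.g.
# "2: eth0@if7: <BROADCAST,UP> mtu 1420 qdisc noqueue state UP"
LINK_RE = re.compile(r"^\d+:\s+([^:@\s]+)(?:@\S+)?:\s.*?\bmtu\s+(\d+)", re.MULTILINE)


def parse_mtus(ip_link_output):
    """Return {interface: mtu} parsed from `ip -o link show` text."""
    return {name: int(mtu) for name, mtu in LINK_RE.findall(ip_link_output)}


def find_mtu_drift(fleet, iface, expected_mtu):
    """Return {node: actual_mtu} for nodes whose iface MTU differs from expected.

    A node that lacks the interface is reported with None so that it is not
    silently counted as consistent.
    """
    drift = {}
    for node, output in sorted(fleet.items()):
        actual = parse_mtus(output).get(iface)
        if actual != expected_mtu:
            drift[node] = actual
    return drift


# Constructed sample: per-node output after the encryption layer was disabled.
LO = "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN\n"
SAMPLE_FLEET = {
    "node-a": LO + "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP\n",
    # Not restarted: still carries the old tunnel-sized MTU.
    "node-b": LO + "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1420 qdisc mq state UP\n",
    # Peer-suffixed interface name, as veth devices are printed.
    "node-c": LO + "2: eth0@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP\n",
    # Interface missing from the captured output.
    "node-d": LO,
}

if __name__ == "__main__":
    for node, mtu in find_mtu_drift(SAMPLE_FLEET, "eth0", 1500).items():
        print(f"{node}: eth0 mtu={mtu}, expected 1500")
```
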
This piece might be a record for how quickly I smelled the AI-tone and closed the tab... one paragraph! I'm sure it's an interesting bug but I can't stomach reading any more slop.
I think the credit belongs to Sascha still. Look at this:
> The agent surfaced a suspicious issue: the anetd pods in our Google Kubernetes Engine cluster were restarting constantly, around 120 restarts per pod over six days, which is almost one crash per hour. Surely, this couldn't be right!
> Sascha dug into the crash dumps. The stack trace pointed to a concurrent map-access panic, multiple goroutines trying to read and write to the same data structure at the same time without proper locking. But the key detail was where the panic happened: inside the Wireguard module of anetd.
AI: Your anetd pod is crashing.
Engineer: Looks in the logs and finds a stack trace.
Your agent didn't find the bug. It's really that simple.