Merge pull request #2249 from zx2c4/default-wireguard

Add wireguard to core of LinuxKit
2025-07-19 01:06:27 +00:00 · 2017-07-20 16:50:48 +01:00 · 2017-07-20 16:50:48 +01:00 · 3ca12fa014
commit 3ca12fa014
parent 5545f3085a 332c4edf62
13 changed files with 17 additions and 25766 deletions
--- a/projects/wireguard/README.md
+++ b/projects/wireguard/README.md
@ -15,28 +15,17 @@ A full technical paper from NDSS 2017 is available [here](https://www.wireguard.
 ## Contents

 ### Kernel Patches
-This project keeps Linux kernel patches for WireGuard against a 4.9.x kernel.  
-This kernel is built into the `mobylinux/kernel-wireguard` image that is generated by `cd kernel-wireguard && make`.
-
-WireGuard can also be included as a kernel module.
+The default kernels build WireGuard in as a module.

 ### Userspace Tools
-This project embeds the `wireguard-tools` package in the userspace image.
-This is built into the `mobylinux/init-wireguard` image that is generated by `cd init-wireguard && make`.
+The userspace tools are part of `tools/alpine`.

 ## Quickstart
-The quickest way to get started is to use the provided `examples/wireguard.yml` in this directory and use the prebuilt images.
-
 To give WireGuard a spin, the [official quick start](https://www.wireguard.com/quickstart/) is a good way to get going.  For containers,
 WireGuard has a [network namespace integration](https://www.wireguard.com/netns/) that we could use for Moby's containers.

 ## Roadmap

-**Near-term:**
- decide between either carrying the WireGuard patches in our kernel tree or using a module
-
-**Long-term:**
-
 - We have yet to determine the best way to integrate WireGuard into Moby - at the node level or service level isolation.
  - Node level: it's plausible that Moby's provisioner could allocate keys per Moby node
  - Service level: swarmkit could set up WireGuard on a per-service basis, handing the container the wireguard interface
--- a/kernel/Dockerfile
+++ b/kernel/Dockerfile
@ -38,6 +38,10 @@ ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VE
 ENV KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
 ENV KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.sign

+ENV WIREGUARD_VERSION=0.0.20170706
+ENV WIREGUARD_SHA256=5763b9436265421a67f92cb82142042867fc87c573ecc18033d40c1476146c33
+ENV WIREGUARD_URL=https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz
+
 # PGP keys: 589DA6B1 (greg@kroah.com) & 6092693E (autosigner@kernel.org) & 00411886 (torvalds@linux-foundation.org)
 COPY keys.asc keys.asc

@ -98,8 +102,15 @@ RUN make defconfig && \
    cp System.map /out && \
    ([ -n "${DEBUG}" ] && cp vmlinux /out || true)

+# WireGuard
+RUN curl -sSL -o /wireguard.tar.xz "${WIREGUARD_URL}" && \
+    echo "${WIREGUARD_SHA256}  /wireguard.tar.xz" | sha256sum -c - && \
+    tar -C / --one-top-level=wireguard --strip-components=2 -xJf /wireguard.tar.xz "WireGuard-${WIREGUARD_VERSION}/src" && \
+    make -j "$(getconf _NPROCESSORS_ONLN)" M="/wireguard" modules
+
 # Modules
 RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
+    make INSTALL_MOD_PATH=/tmp/kernel-modules M="/wireguard" modules_install && \
    ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
      cd /tmp/kernel-modules/lib/modules/$DVER && \
      rm build source && \
--- a/projects/README.md
+++ b/projects/README.md
@ -12,7 +12,6 @@ If you want to create a project, please submit a pull request to create a new di
 ## Current projects
 - [Kernel Self Protection Project enhancements](kspp/)
 - [Mirage SDK](miragesdk/) privilege separation for userspace services
- [Wireguard](wireguard/) cryptographic enforced container network separation
 - [OKernel](okernel/) intra-kernel protection using EPT (HPE)
 - [eBPF](ebpf/) iovisor eBPF tools
 - [Swarmd](swarmd) Standalone swarmkit based orchestrator
@ -33,3 +32,4 @@ If you want to create a project, please submit a pull request to create a new di
 ## Completed projects

 - `aws/`: AWS support was merged into mainline in #1964.
+- `wireguard/`: [WireGuard](https://www.wireguard.com/) is now part of the default LinuxKit kernel and package set.
--- a/projects/wireguard/kernel/Dockerfile
+++ b/projects/wireguard/kernel/Dockerfile
@ -1,73 +0,0 @@
-FROM linuxkit/kernel-compile:1b396c221af673757703258159ddc8539843b02b@sha256:6b32d205bfc6407568324337b707d195d027328dbfec554428ea93e7b0a8299b AS kernel-build
-
-ARG KERNEL_VERSION
-ARG KERNEL_SERIES
-ARG DEBUG
-
-ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz
-
-RUN curl -fsSL -o linux-${KERNEL_VERSION}.tar.xz ${KERNEL_SOURCE}
-
-RUN cat linux-${KERNEL_VERSION}.tar.xz | tar --absolute-names -xJ &&  mv /linux-${KERNEL_VERSION} /linux
-
-COPY kernel_config-${KERNEL_SERIES} /linux/arch/x86/configs/x86_64_defconfig
-COPY kernel_config.debug /linux/debug_config
-
-RUN if [ -n "${DEBUG}" ]; then \
-    sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' /linux/arch/x86/configs/x86_64_defconfig; \
-    cat /linux/debug_config >> /linux/arch/x86/configs/x86_64_defconfig; \
-    fi
-
-# Apply local patches
-COPY patches-${KERNEL_SERIES} /patches
-WORKDIR /linux
-RUN set -e && for patch in /patches/*.patch; do \
-        echo "Applying $patch"; \
-        patch -p1 < "$patch"; \
-    done
-
-RUN mkdir /out
-
-# Kernel
-RUN make defconfig && \
-    make oldconfig && \
-    make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
-    cp arch/x86_64/boot/bzImage /out/kernel && \
-    cp System.map /out && \
-    ([ -n "${DEBUG}" ] && cp vmlinux /out || true)
-
-# Modules
-RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
-    ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
-      cd /tmp/kernel-modules/lib/modules/$DVER && \
-      rm build source && \
-      ln -s /usr/src/linux-headers-$DVER build ) && \
-    ( cd /tmp/kernel-modules && tar cf /out/kernel.tar lib )
-
-# Headers (userspace API)
-RUN mkdir -p /tmp/kernel-headers/usr && \
-    make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
-    ( cd /tmp/kernel-headers && tar cf /out/kernel-headers.tar usr )
-
-# Headers (kernel development)
-RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
-    dir=/tmp/usr/src/linux-headers-$DVER && \
-    mkdir -p $dir && \
-    cp /linux/.config $dir && \
-    cp /linux/Module.symvers $dir && \
-    find . -path './include/*' -prune -o \
-           -path './arch/*/include' -prune -o \
-           -path './scripts/*' -prune -o \
-           -type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
-                      -name '*.lds' -o -name '*.pl' -o -name '*.sh' \) | \
-         tar cf - -T - | (cd $dir; tar xf -) && \
-    ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
-
-RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
-
-
-FROM scratch
-ENTRYPOINT []
-CMD []
-WORKDIR /
-COPY --from=kernel-build /out/* /
--- a/projects/wireguard/kernel/Makefile
+++ b/projects/wireguard/kernel/Makefile
@ -1,66 +0,0 @@
-# This builds the supported LinuxKit kernels. Kernels are wrapped up
-# in a minimal toybox container, which contains the bzImage, a tar
-# ball with modules and the kernel source.
-#
-# Each kernel is pushed to hub twice, once as
-# linuxkit/kernel:<kernel>.<major>.<minor>-<hash> and once as
-# inuxkit/kernel:<kernel>.<major>.x. The <hash> is the git tree hash
-# of the current directory. The build will only rebuild the kernel
-# image if the git tree hash changed.
-
-# Git tree hash of this directory. Override to force build
-HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
-# Name and Org on Hub
-ORG?=linuxkit
-IMAGE:=kernel-wireguard
-
-.PHONY: check tag push sign
-# Targets:
-# build: builds all kernels
-# push:  pushes all tagged kernel images to hub
-# sign:  sign and push all kernel images to hub
-build:
-push:
-sign:
-
-# A template for defining kernel build
-# Arguments:
-# $1: Full kernel version, e.g., 4.9.22
-# $2: Kernel "series", e.g., 4.9.x
-# $3: Build a debug kernel (used as suffix for image)
-# This defines targets like:
-# build_4.9.x, push_4.9.x and sign_4.9.x and adds them as dependencies
-# to the global targets
-# Set $3 to "_dbg", to build debug kernels. This defines targets like
-# build_4.9.x_dbg and adds "_dbg" to the hub image name.
-define kernel
-build_$(2)$(3): Dockerfile Makefile $(wildcard patches-$(2)/*) kernel_config-$(2) kernel_config.debug
-	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
-		docker build \
-			--build-arg KERNEL_VERSION=$(1) \
-			--build-arg KERNEL_SERIES=$(2) \
-			--build-arg DEBUG=$(3) \
-			--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) .
-
-push_$(2)$(3): build_$(2)$(3)
-	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
-		(docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \
-		 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \
-		 docker push $(ORG)/$(IMAGE):$(2)$(3))
-
-sign_$(2)$(3): build_$(2)$(3)
-	DOCKER_CONTENT_TRUST=1 docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
-		(DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \
-		 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \
-		 DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(2)$(3))
-
-build: build_$(2)$(3)
-push: push_$(2)$(3)
-sign: sign_$(2)$(3)
-endef
-
-#
-# Build Targets
-# Debug targets only for latest stable and LTS stable
-#
-$(eval $(call kernel,4.9.15,4.9.x))
--- a/projects/wireguard/kernel/kernel_config-4.9.x
+++ b/projects/wireguard/kernel/kernel_config-4.9.x
--- a/projects/wireguard/kernel/kernel_config.debug
+++ b/projects/wireguard/kernel/kernel_config.debug
@ -1,26 +0,0 @@
-
-
-## MOBY DEBUG OPTIONS ##
-
-CONFIG_LOCKDEP=y
-CONFIG_FRAME_POINTER=y
-CONFIG_LOCKUP_DETECTOR=y
-CONFIG_DETECT_HUNG_TASK=y
-CONFIG_DEBUG_TIMEKEEPING=y
-CONFIG_DEBUG_RT_MUTEXES=y
-CONFIG_DEBUG_SPINLOCK=y
-CONFIG_DEBUG_MUTEXES=y
-CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
-CONFIG_DEBUG_LOCK_ALLOC=y
-CONFIG_PROVE_LOCKING=y
-CONFIG_LOCK_STAT=y
-CONFIG_DEBUG_ATOMIC_SLEEP=y
-CONFIG_DEBUG_LIST=y
-CONFIG_DEBUG_NOTIFIERS=y
-CONFIG_PROVE_RCU=y
-CONFIG_RCU_TRACE=y
-CONFIG_KGDB=y
-CONFIG_KGDB_SERIAL_CONSOLE=y
-CONFIG_KGDBOC=y
-CONFIG_DEBUG_RODATA_TEST=y
-CONFIG_DEBUG_WX=y
--- a/projects/wireguard/kernel/patches-4.9.x/WireGuard.patch
+++ b/projects/wireguard/kernel/patches-4.9.x/WireGuard.patch
--- a/projects/wireguard/tools/.gitignore
+++ b/projects/wireguard/tools/.gitignore
@ -1,2 +0,0 @@
-sbin/
-usr/
--- a/projects/wireguard/tools/Dockerfile
+++ b/projects/wireguard/tools/Dockerfile
@ -1,13 +0,0 @@
-FROM linuxkit/alpine:9bcf61f605ef0ce36cc94d59b8eac307862de6e1 as tools
-RUN echo http://dl-cdn.alpinelinux.org/alpine/edge/testing >> /etc/apk/repositories
-RUN \
-  apk update && \
-  apk upgrade -a && \
-  apk add --no-cache wireguard-tools
-
-FROM scratch
-ENTRYPOINT []
-CMD []
-WORKDIR /
-COPY --from=tools /usr/bin/wg /usr/bin/wg-quick /usr/bin/
-COPY --from=tools /usr/lib/libmnl.so* /lib/
--- a/projects/wireguard/tools/Makefile
+++ b/projects/wireguard/tools/Makefile
@ -1,16 +0,0 @@
-.PHONY: tag push
-default: push
-
-IMAGE=wireguard-utils
-DEPS=Dockerfile
-ORG?=linuxkit
-
-HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
-
-tag: $(DEPS)
-	docker pull $(ORG)/$(IMAGE):$(HASH) || \
-	docker build --no-cache -t $(ORG)/$(IMAGE):$(HASH) .
-
-push: tag
-	docker pull $(ORG)/$(IMAGE):$(HASH) || \
-	docker push $(ORG)/$(IMAGE):$(HASH)
--- a/projects/wireguard/wireguard.yml
+++ b/projects/wireguard/wireguard.yml
@ -1,34 +0,0 @@
-kernel:
-  image: linuxkit/kernel-wireguard:4.9.15-2ca28b7589b673373a33274023ca870a3a77e081
-  cmdline: "console=ttyS0 console=tty0 page_poison=1"
-init:
-  - linuxkit/init:d049e7b2074da5cd699a27defb47eb101142455d
-  - linuxkit/runc:d5cbeb95bdafedb82ad2cf11cff1a5da7fcae630
-  - linuxkit/containerd:e33e0534d6fca88e1eb86897a1ea410b4a5d722e
-  - linuxkit/ca-certificates:4e9a83e890e6477dcd25029fc4f1ced61d0642f4
-  - linuxkit/wireguard-utils:26fe3d38455f2d441549e3c54bdec1b26ac819b8
-onboot:
-  - name: sysctl
-    image: linuxkit/sysctl:225c52c2d6f04a040663bac84cabf81825027f64
-  - name: binfmt
-    image: linuxkit/binfmt:603e5f064b3e8a64088c0fcf7a80d2783541ee1d
-  - name: dhcpcd
-    image: linuxkit/dhcpcd:4b7b8bb024cebb1bbb9c8026d44d7cbc8e202c41
-    command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
-services:
-  - name: rngd
-    image: linuxkit/rngd:1516d5d70683a5d925fe475eb1b6164a2f67ac3b
-  - name: nginx
-    image: nginx:alpine
-    capabilities:
-     - CAP_NET_BIND_SERVICE
-     - CAP_CHOWN
-     - CAP_SETUID
-     - CAP_SETGID
-     - CAP_DAC_OVERRIDE
-files:
-  - path: etc/docker/daemon.json
-    contents: '{"debug": true}'
-trust:
-  org:
-    - linuxkit
--- a/tools/alpine/Dockerfile
+++ b/tools/alpine/Dockerfile
@ -27,6 +27,9 @@ RUN abuild-sign /mirror/$(uname -m)/APKINDEX.tar.gz
 # fetch OVMF for qemu EFI boot (this is not added as a package)
 RUN apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/community ovmf

+# add the tools for WireGuard, since the kernel module is now included
+RUN apk add -X http://dl-cdn.alpinelinux.org/alpine/edge/testing -U wireguard-tools
+
 # set this as our repo but keep a copy of the upstream for downstream use
 RUN mv /etc/apk/repositories /etc/apk/repositories.upstream && echo "/mirror" > /etc/apk/repositories && apk update