Keep WireGuard configuration local to projects subdir

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>

kernel/kernel_config

@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.9.12 Kernel Configuration
+# Linux/x86 4.9.10 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -374,7 +374,6 @@ CONFIG_DEFAULT_DEADLINE=y
 # CONFIG_DEFAULT_CFQ is not set
 # CONFIG_DEFAULT_NOOP is not set
 CONFIG_DEFAULT_IOSCHED="deadline"
-CONFIG_PADATA=y
 CONFIG_ASN1=y
 CONFIG_INLINE_SPIN_UNLOCK_IRQ=y
 CONFIG_INLINE_READ_UNLOCK=y
@@ -781,9 +780,6 @@ CONFIG_XFRM_IPCOMP=y
 CONFIG_NET_KEY=y
 CONFIG_NET_KEY_MIGRATE=y
 CONFIG_INET=y
-CONFIG_WIREGUARD=y
-CONFIG_WIREGUARD_PARALLEL=y
-# CONFIG_WIREGUARD_DEBUG is not set
 CONFIG_IP_MULTICAST=y
 CONFIG_IP_ADVANCED_ROUTER=y
 CONFIG_IP_FIB_TRIE_STATS=y

projects/wireguard/examples/wireguard.yaml

@@ -0,0 +1,28 @@
+kernel:
+  image: "mobylinux/kernel-wireguard:4.9.x"
+  cmdline: "console=ttyS0 page_poison=1"
+init: "mobylinux/init-wireguard:4309fb8b65cafa9e07b0e75d86a0bff4070e67e9"
+system:
+  - name: sysctl
+    image: "mobylinux/sysctl:2cf2f9d5b4d314ba1bfc22b2fe931924af666d8c"
+    network_mode: host
+    pid: host
+    ipc: host
+    capabilities:
+     - CAP_SYS_ADMIN
+    read_only: true
+daemon:
+  - name: rngd
+    image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9@sha256:1c93c1db7196f6f71f8e300bc1d15f0376dd18e8891c8789d77c8ff19f3a9a92"
+    capabilities:
+     - CAP_SYS_ADMIN
+    oom_score_adj: -800
+    read_only: true
+    command: [/bin/tini, /usr/sbin/rngd, -f]
+files:
+  - path: etc/docker/daemon.json
+    contents: '{"debug": true}'
+outputs:
+  - format: kernel+initrd
+  - format: iso-bios
+  - format: iso-efi

projects/wireguard/init-wireguard/.gitignore

@@ -0,0 +1,2 @@
+sbin/
+usr/

projects/wireguard/init-wireguard/Dockerfile

@@ -0,0 +1,14 @@
+FROM alpine:3.5
+
+COPY repositories /etc/apk/
+
+RUN \
+  apk update && apk upgrade -a && \
+  apk add --no-cache \
+  dhcpcd \
+  e2fsprogs \
+  e2fsprogs-extra \
+  wireguard-tools \
+  && true
+
+COPY . ./

projects/wireguard/init-wireguard/Makefile

@@ -0,0 +1,52 @@
+CONTAINERD_IMAGE=mobylinux/containerd:c9c8a069da6dccd2803ab476ee0d57a8768f0dcb@sha256:ff5aa0b1086e8c600d6e1508cfae4da31e4935d36ec40f0128aa73113b664e7f
+CONTAINERD_BINARIES=usr/bin/containerd usr/bin/containerd-shim usr/bin/ctr usr/bin/dist
+
+RUNC_IMAGE=mobylinux/runc:f1cee12a65e7b7de06a01aec24609dc3175e1542@sha256:ff1ead6aa4388418ee07f8e93304e5b2fa9b975fe2399474d408654a1411a44a
+RUNC_BINARY=usr/bin/runc
+
+C_COMPILE=mobylinux/c-compile:81a6bd8ff45d769b60a2ee1acdaccda11ab835c8@sha256:eac250997a3b9784d3285a03c0c8311d4ca6fb63dc75164c987411ba93006487
+START_STOP_DAEMON=sbin/start-stop-daemon
+
+default: push
+
+$(RUNC_BINARY):
+	mkdir -p $(dir $@)
+	docker run --rm --net=none $(RUNC_IMAGE) tar cf - $@ | tar xf -
+
+$(CONTAINERD_BINARIES):
+	mkdir -p $(dir $@)
+	docker run --rm --net=none $(CONTAINERD_IMAGE) tar cf - $@ | tar xf -
+
+$(START_STOP_DAEMON): start-stop-daemon.c
+	mkdir -p $(dir $@)
+	tar cf - $^ | docker run --rm --net=none --log-driver=none -i $(C_COMPILE) -o $@ | tar xf -
+
+.PHONY: tag push
+
+BASE=alpine:3.5
+IMAGE=init-wireguard
+
+ETC=$(shell find etc -type f)
+
+hash: Dockerfile $(ETC) init $(RUNC_BINARY) $(CONTAINERD_BINARIES) $(START_STOP_DAEMON) repositories
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	docker run --rm $(IMAGE):build sh -c 'cat $^ /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > $@
+
+push: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
+		 docker push mobylinux/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -rf hash sbin usr
+
+.DELETE_ON_ERROR:

projects/wireguard/init-wireguard/etc/dhcpcd.conf

@@ -0,0 +1,46 @@
+# Moby dhcpcd config
+
+# Only configure standard external ethernet
+allowinterfaces eth*
+
+# Inform the DHCP server of our hostname for DDNS.
+hostname
+
+# Use the hardware address of the interface for the Client ID.
+clientid
+# or
+# Use the same DUID + IAID as set in DHCPv6 for DHCPv4 ClientID as per RFC4361.
+# Some non-RFC compliant DHCP servers do not reply with this set.
+# In this case, comment out duid and enable clientid above.
+#duid
+
+# Persist interface configuration when dhcpcd exits.
+persistent
+
+# Rapid commit support.
+# Safe to enable by default because it requires the equivalent option set
+# on the server to actually work.
+option rapid_commit
+
+# A list of options to request from the DHCP server.
+option domain_name_servers, domain_name, domain_search, host_name
+option classless_static_routes
+# Most distributions have NTP support.
+option ntp_servers
+# Respect the network MTU. This is applied to DHCP routes.
+option interface_mtu
+
+# A ServerID is required by RFC2131.
+require dhcp_server_identifier
+
+# Generate Stable Private IPv6 Addresses instead of hardware based ones
+slaac private
+
+# Do not wait
+nodelay
+
+# Do not arp to check IP
+noarp
+
+# Only fork when we have ipv4
+# waitip 4

projects/wireguard/init-wireguard/etc/init.d/containerd

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+# bring up containerd
+ulimit -n 1048576
+ulimit -p unlimited
+
+printf "\nStarting containerd\n"
+mkdir -p /var/log
+/sbin/start-stop-daemon --start --exec /usr/bin/containerd

projects/wireguard/init-wireguard/etc/init.d/containers

@@ -0,0 +1,31 @@
+#!/bin/sh
+
+# TODO more robust
+# while [ ! -S /run/containerd/containerd.sock ]; do sleep 1; done
+# while ! ctr list 2> /dev/null; do sleep 1; done
+
+# start system containers
+# temporarily using runc not containerd
+
+if [ -d /containers/system ]
+then
+	for f in $(find /containers/system -mindepth 1 -maxdepth 1 | sort)
+	do
+		base="$(basename $f)"
+		/usr/bin/runc run --bundle "$f" "$(basename $f)"
+		printf " - $base\n"
+	done
+fi
+
+if [ -d /containers/daemon ]
+then
+	for f in $(find /containers/daemon -mindepth 1 -maxdepth 1 | sort)
+	do
+		base="$(basename $f)"
+		log="/var/log/$base.log"
+		/sbin/start-stop-daemon --start --pidfile /run/$base.pid --exec /usr/bin/runc -- run --bundle "$f" --pid-file /run/$base.pid "$(basename $f)" </dev/null 2>$log >$log &
+		printf " - $base\n"
+	done
+fi
+
+wait

projects/wireguard/init-wireguard/etc/init.d/rcS

@@ -0,0 +1,106 @@
+#!/bin/sh
+
+# mount filesystems
+mkdir -p -m 0755 /proc /run /tmp /sys /dev
+
+mount -n -t proc proc /proc -o ndodev,nosuid,noexec,relatime
+
+mount -n -t tmpfs tmpfs /run -o nodev,nosuid,noexec,relatime,size=10%,mode=755
+mount -n -t tmpfs tmpfs /tmp -o nodev,nosuid,noexec,relatime,size=10%,mode=1777
+
+# mount devfs
+mount -n -t devtmpfs dev /dev -o nosuid,noexec,relatime,size=10m,nr_inodes=248418,mode=755
+# devices
+[ -c /dev/console ] || mknod -m 600 /dev/console c 5 1
+[ -c /dev/tty1 ] || mknod -m 620 /dev/tty1 c 4 1
+[ -c /dev/tty ] || mknod -m 666 /dev/tty c 5 0
+
+[ -c /dev/null ] || mknod -m 666 /dev/null c 1 3
+[ -c /dev/kmsg ] || mknod -m 660 /dev/kmsg c 1 11
+
+# extra symbolic links not provided by default
+[ -e /dev/fd ] || ln -snf /proc/self/fd /dev/fd
+[ -e /dev/stdin ] || ln -snf /proc/self/fd/0 /dev/stdin
+[ -e /dev/stdout ] || ln -snf /proc/self/fd/1 /dev/stdout
+[ -e /dev/stderr ] || ln -snf /proc/self/fd/2 /dev/stderr
+[ -e /proc/kcore ] && ln -snf /proc/kcore /dev/core
+
+# devfs filesystems
+mkdir -p -m 1777 /dev/mqueue
+mkdir -p -m 1777 /dev/shm
+mkdir -p -m 0755 /dev/pts
+mount -n -t mqueue -o noexec,nosuid,nodev mqueue /dev/mqueue
+mount -n -t tmpfs -o noexec,nosuid,nodev,mode=1777 shm /dev/shm
+mount -n -t devpts -o noexec,nosuid,gid=5,mode=0620 devpts /dev/pts
+
+# mount sysfs
+sysfs_opts=nodev,noexec,nosuid
+mount -n -t sysfs -o ${sysfs_opts} sysfs /sys
+[ -d /sys/kernel/security ] && mount -n -t securityfs -o ${sysfs_opts} securityfs /sys/kernel/security
+[ -d /sys/kernel/debug ] && mount -n -t debugfs -o ${sysfs_opts} debugfs /sys/kernel/debug
+[ -d /sys/kernel/config ] && mount -n -t configfs -o ${sysfs_opts} configfs /sys/kernel/config
+[ -d /sys/fs/fuse/connections ] && mount -n -t fusectl -o ${sysfs_opts} fusectl /sys/fs/fuse/connections
+[ -d /sys/fs/selinux ] && mount -n -t selinuxfs -o nosuid,noexec selinuxfs /sys/fs/selinux
+[ -d /sys/fs/pstore ] && mount -n -t pstore pstore -o ${sysfs_opts} /sys/fs/pstore
+[ -d /sys/firmware/efi/efivars ] && mount -n -t efivarfs -o ro,${sysfs_opts} efivarfs /sys/firmware/efi/efivars
+
+# misc /proc mounted fs
+[ -d /proc/sys/fs/binfmt_misc ] && mount -t binfmt_misc -o nodev,noexec,nosuid binfmt_misc /proc/sys/fs/binfmt_misc
+
+# mount cgroups
+mount -n -t tmpfs -o nodev,noexec,nosuid,mode=755,size=10m cgroup_root /sys/fs/cgroup
+
+while read name hier groups enabled rest
+do
+	case "${enabled}" in
+	1)	mkdir -p /sys/fs/cgroup/${name}
+		mount -n -t cgroup -o ${sysfs_opts},${name} ${name} /sys/fs/cgroup/${name}
+	;;
+	esac
+done < /proc/cgroups
+
+# for compatibility
+mkdir -p /sys/fs/cgroup/systemd
+mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd
+
+# set SELinux contexts
+if [ -x /sbin/restorecon ]
+then
+	restorecon -F /sys/devices/system/cpu/online >/dev/null 2>&1
+	restorecon -rF /sys/fs/cgroup >/dev/null 2>&1
+	restorecon -rF /dev >/dev/null 2>&1
+fi
+
+# start mdev for hotplug
+echo "/sbin/mdev" > /proc/sys/kernel/hotplug
+
+# mdev -s will not create /dev/usb[1-9] devices with recent kernels
+# so we trigger hotplug events for usb for now
+for i in $(find /sys/devices -name 'usb[0-9]*'); do
+	[ -e $i/uevent ] && echo add > $i/uevent
+done
+
+mdev -s
+
+# set hostname
+if [ -s /etc/hostname ]
+then
+	hostname -F /etc/hostname
+fi
+
+if [ $(hostname) = "moby" -a -f /sys/class/net/eth0/address ]
+then
+	mac=$(cat /sys/class/net/eth0/address)
+	hostname moby-$(echo $mac | sed 's/://g')
+fi
+
+# set system clock from hwclock
+hwclock --hctosys --utc
+
+# bring up loopback interface
+ip addr add 127.0.0.1/8 dev lo brd + scope host
+ip route add 127.0.0.0/8 dev lo scope host
+ip link set lo up
+
+# will be containerised
+/sbin/dhcpcd

projects/wireguard/init-wireguard/etc/inittab

@@ -0,0 +1,15 @@
+# /etc/inittab
+
+::sysinit:/etc/init.d/rcS
+::once:/etc/init.d/containerd
+::once:/etc/init.d/containers
+
+# Stuff to do for the 3-finger salute
+::ctrlaltdel:/sbin/reboot
+
+# Stuff to do before rebooting
+::shutdown:/usr/sbin/killall5 -15
+::shutdown:/bin/sleep 5
+::shutdown:/usr/sbin/killall5 -9
+::shutdown:/bin/echo "Unmounting filesystems"
+::shutdown:/bin/umount -a -r

projects/wireguard/init-wireguard/etc/issue

@@ -0,0 +1,12 @@
+
+Welcome to Moby
+
+                        ##         .
+                  ## ## ##        ==
+               ## ## ## ## ##    ===
+           /"""""""""""""""""\___/ ===
+      ~~~ {~~ ~~~~ ~~~ ~~~~ ~~~ ~ /  ===- ~~~
+           \______ o           __/
+             \    \         __/
+              \____\_______/
+

projects/wireguard/init-wireguard/init

@@ -0,0 +1,44 @@
+#!/bin/sh
+
+setup_console() {
+	tty=${1%,*}
+	speed=${1#*,}
+	inittab="$2"
+	securetty="$3"
+	line=
+	term="linux"
+	[ "$speed" = "$1" ] && speed=115200
+
+	case "$tty" in
+	ttyS*|ttyAMA*|ttyUSB*|ttyMFD*)
+		line="-L"
+		term="vt100"
+		;;
+	tty0)
+		# skip current console
+		return 0
+		;;
+	esac
+	# skip consoles already in inittab
+	grep -q "^$tty:" "$inittab" && return
+
+	echo "$tty::once:cat /etc/issue" >> "$inittab"
+	echo "$tty::respawn:/sbin/getty -n -l /bin/sh $line $speed $tty $term" >> "$inittab"
+	if ! grep -q -w "$tty" "$securetty"; then
+		echo "$tty" >> "$securetty"
+	fi
+}
+
+/bin/mount -t tmpfs tmpfs /mnt
+
+/bin/cp -a / /mnt 2>/dev/null
+
+/bin/mount -t proc -o noexec,nosuid,nodev proc /proc
+for opt in $(cat /proc/cmdline); do
+	case "$opt" in
+	console=*)
+		setup_console ${opt#console=} /mnt/etc/inittab /mnt/etc/securetty;;
+	esac
+done
+
+exec /bin/busybox switch_root /mnt /sbin/init

projects/wireguard/init-wireguard/repositories

@@ -0,0 +1,2 @@
+http://dl-cdn.alpinelinux.org/alpine/v3.5/main
+http://dl-cdn.alpinelinux.org/alpine/edge/testing

projects/wireguard/kernel-wireguard/Makefile

@@ -0,0 +1,70 @@
+DEBUG ?= 0
+
+all:	bzImage push
+
+# We push the image to hub twice, once with the full kernel version of
+# "mobylinux/kernel:<kernel version>.<major version>.<minor version>-<n>",
+# where "<n>" is a monotonically increasing config number, and as
+# "mobylinux/kernel:<kernel version>.<major version>.x". This version
+# number is stored in IMAGE_VERSION.
+#
+# We expect most users to us the "<kernel version>.<major version>.x"
+# variant as this simply is the latest version of a given major kernel
+# version. This version number is stored in IMAGE_MAJOR_VERSION.
+#
+# For IMAGE_VERSION, the "<n>" must be increased whenever
+# the kernel config or the patches change. We don't expect this to
+# happen very often as the minor version number gets update quite
+# frequently.
+#
+# IMAGE_VERSION is used to determine if a new image should be pushed to hub.
+KERNEL_VERSION=4.9.15
+IMAGE_VERSION=$(KERNEL_VERSION)-1
+IMAGE_MAJOR_VERSION=4.9.x
+DEPS=Dockerfile Makefile kernel_config kernel_config.debug patches-4.9
+
+kernel.tag: $(DEPS)
+	BUILD=$$( tar cf - $^ | docker build -f $< --build-arg DEBUG=$(DEBUG) --build-arg KERNEL_VERSION=$(KERNEL_VERSION) -q - ) && [ -n "$$BUILD" ] && echo "Built $$BUILD" && echo "$$BUILD" > $@
+
+bzImage: kernel.tag
+	rm -rf etc/kernel-patches
+	mkdir -p x86_64 etc lib usr sbin etc/kernel-patches
+	docker run --rm --net=none --log-driver=none $(shell cat kernel.tag) tar cf - bzImage kernel-dev.tar kernel-headers.tar vmlinux kernel-modules.tar | tar xf - -C x86_64
+	cp x86_64/kernel-modules.tar kernel.tar
+	cp x86_64/bzImage $@
+
+.PHONY: image push tag
+
+MEDIA_TOYBOX=mobylinux/toybox-media:0a26fe5f574e444849983f9c4148ef74b3804d55@sha256:5ac38f77b66deb194c9016591b9b096e81fcdc9f7c3e6d01566294a6b4b4ebd2
+
+BASE="$MEDIA_TOYBOX"
+IMAGE=kernel-wireguard
+
+default: push
+
+Dockerfile.media:
+	printf "FROM $(MEDIA_TOYBOX)\nADD . /\n" > $@
+
+image: Dockerfile.media bzImage kernel.tar $(DEPS)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -f Dockerfile.media -
+
+push: image
+	docker pull mobylinux/$(IMAGE):$(IMAGE_VERSION) || \
+		(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
+		 docker push mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
+		 docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION) && \
+		 docker push mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: image
+	(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_VERSION) && \
+	docker tag $(IMAGE):build mobylinux/$(IMAGE):$(IMAGE_MAJOR_VERSION))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+.PHONY: clean
+clean:
+	rm -rf x86_64 lib usr sbin kernel.tag Dockerfile.media bzImage kernel.tar
+
+.DELETE_ON_ERROR:

projects/wireguard/roadmap.md

@@ -0,0 +1,43 @@
+# WireGuard
+
+[WireGuard](https://wireguard.io) is a modern VPN released for the Linux kernel that can replace IPSec.
+
+We can use WireGuard in Moby to better secure container networking.
+WireGuard transparently encrypts *and* authenticates traffic between all peers, and uses state-of-the-art cryptography
+from the [Noise protocol](http://www.noiseprotocol.org/). Moreover, WireGuard is implemented in less than a few thousand
+lines of code, making it auditable for security.
+
+Moreover, WireGuard provides a `wg0` (`wg1`, `wg2`,... etc) network interface that can be passed directly to containers,
+such that all intercontainer traffic would benefit from encrypted and authenticated networking.
+
+A full technical paper from NDSS 2017 is available [here](https://www.wireguard.io/papers/wireguard.pdf).
+
+## Contents
+
+### Kernel Patches
+This project keeps Linux kernel patches for WireGuard against a 4.9.x kernel.  
+This kernel is built into the `mobylinux/kernel-wireguard` image that is generated by `cd kernel-wireguard && make`.
+
+WireGuard can also be included as a kernel module.
+
+### Userspace Tools
+This project embeds the `wireguard-tools` package in the userspace image.
+This is built into the `mobylinux/init-wireguard` image that is generated by `cd init-wireguard && make`.
+
+## Quickstart
+The quickest way to get started is to use the provided `examples/wireguard.yaml` in this directory and use the prebuilt images.
+
+To give WireGuard a spin, the [official quick start](https://www.wireguard.io/quickstart/) is a good way to get going.  For containers,
+WireGuard has a [network namespace integration](https://www.wireguard.io/netns/) that we could use for Moby's containers.
+
+## Roadmap
+
+**Near-term:**
+- moving `wireguard-tools` out of the init image (with any other tools, as well)
+- decide between either carrying the WireGuard patches in our kernel tree or using a module
+
+**Long-term:**
+
+- We have yet to determine the best way to integrate WireGuard into Moby - at the node level or service level isolation.
+  - Node level: it's plausible that Moby's provisioner could allocate keys per Moby node
+  - Service level: swarmkit could set up WireGuard on a per-service basis, handing the container the wireguard interface