wireguard: add into default kernel

This integrates the WireGuard module directly into the kernel build system. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2025-07-19 09:16:29 +00:00 · 2017-07-19 19:25:00 +02:00 · 2017-07-19 19:25:00 +02:00 · e24cc5c77f
commit e24cc5c77f
parent 5545f3085a
8 changed files with 12 additions and 25699 deletions
--- a/kernel/Dockerfile
+++ b/kernel/Dockerfile
@ -38,6 +38,10 @@ ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VE
 ENV KERNEL_SHA256_SUMS=https://www.kernel.org/pub/linux/kernel/v4.x/sha256sums.asc
 ENV KERNEL_PGP2_SIGN=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.sign

+ENV WIREGUARD_VERSION=0.0.20170706
+ENV WIREGUARD_SHA256=5763b9436265421a67f92cb82142042867fc87c573ecc18033d40c1476146c33
+ENV WIREGUARD_URL=https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${WIREGUARD_VERSION}.tar.xz
+
 # PGP keys: 589DA6B1 (greg@kroah.com) & 6092693E (autosigner@kernel.org) & 00411886 (torvalds@linux-foundation.org)
 COPY keys.asc keys.asc

@ -98,8 +102,15 @@ RUN make defconfig && \
    cp System.map /out && \
    ([ -n "${DEBUG}" ] && cp vmlinux /out || true)

+# WireGuard
+RUN curl -sSL -o /wireguard.tar.xz "${WIREGUARD_URL}" && \
+    echo "${WIREGUARD_SHA256}  /wireguard.tar.xz" | sha256sum -c - && \
+    tar -C / --one-top-level=wireguard --strip-components=2 -xJf /wireguard.tar.xz "WireGuard-${WIREGUARD_VERSION}/src" && \
+    make -j "$(getconf _NPROCESSORS_ONLN)" M="/wireguard" modules
+
 # Modules
 RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
+    make INSTALL_MOD_PATH=/tmp/kernel-modules M="/wireguard" modules_install && \
    ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
      cd /tmp/kernel-modules/lib/modules/$DVER && \
      rm build source && \
--- a/projects/wireguard/README.md
+++ b/projects/wireguard/README.md
@ -15,10 +15,7 @@ A full technical paper from NDSS 2017 is available [here](https://www.wireguard.
 ## Contents

 ### Kernel Patches
-This project keeps Linux kernel patches for WireGuard against a 4.9.x kernel.  
-This kernel is built into the `mobylinux/kernel-wireguard` image that is generated by `cd kernel-wireguard && make`.
-
-WireGuard can also be included as a kernel module.
+The `kernel/patches-*` sub-directories contain a kernel patch.

 ### Userspace Tools
 This project embeds the `wireguard-tools` package in the userspace image.
@ -32,11 +29,6 @@ WireGuard has a [network namespace integration](https://www.wireguard.com/netns/

 ## Roadmap

-**Near-term:**
- decide between either carrying the WireGuard patches in our kernel tree or using a module
-
-**Long-term:**
-
 - We have yet to determine the best way to integrate WireGuard into Moby - at the node level or service level isolation.
  - Node level: it's plausible that Moby's provisioner could allocate keys per Moby node
  - Service level: swarmkit could set up WireGuard on a per-service basis, handing the container the wireguard interface
--- a/projects/wireguard/kernel/Dockerfile
+++ b/projects/wireguard/kernel/Dockerfile
@ -1,73 +0,0 @@
-FROM linuxkit/kernel-compile:1b396c221af673757703258159ddc8539843b02b@sha256:6b32d205bfc6407568324337b707d195d027328dbfec554428ea93e7b0a8299b AS kernel-build
-
-ARG KERNEL_VERSION
-ARG KERNEL_SERIES
-ARG DEBUG
-
-ENV KERNEL_SOURCE=https://www.kernel.org/pub/linux/kernel/v4.x/linux-${KERNEL_VERSION}.tar.xz
-
-RUN curl -fsSL -o linux-${KERNEL_VERSION}.tar.xz ${KERNEL_SOURCE}
-
-RUN cat linux-${KERNEL_VERSION}.tar.xz | tar --absolute-names -xJ &&  mv /linux-${KERNEL_VERSION} /linux
-
-COPY kernel_config-${KERNEL_SERIES} /linux/arch/x86/configs/x86_64_defconfig
-COPY kernel_config.debug /linux/debug_config
-
-RUN if [ -n "${DEBUG}" ]; then \
-    sed -i 's/CONFIG_PANIC_ON_OOPS=y/# CONFIG_PANIC_ON_OOPS is not set/' /linux/arch/x86/configs/x86_64_defconfig; \
-    cat /linux/debug_config >> /linux/arch/x86/configs/x86_64_defconfig; \
-    fi
-
-# Apply local patches
-COPY patches-${KERNEL_SERIES} /patches
-WORKDIR /linux
-RUN set -e && for patch in /patches/*.patch; do \
-        echo "Applying $patch"; \
-        patch -p1 < "$patch"; \
-    done
-
-RUN mkdir /out
-
-# Kernel
-RUN make defconfig && \
-    make oldconfig && \
-    make -j "$(getconf _NPROCESSORS_ONLN)" KCFLAGS="-fno-pie" && \
-    cp arch/x86_64/boot/bzImage /out/kernel && \
-    cp System.map /out && \
-    ([ -n "${DEBUG}" ] && cp vmlinux /out || true)
-
-# Modules
-RUN make INSTALL_MOD_PATH=/tmp/kernel-modules modules_install && \
-    ( DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
-      cd /tmp/kernel-modules/lib/modules/$DVER && \
-      rm build source && \
-      ln -s /usr/src/linux-headers-$DVER build ) && \
-    ( cd /tmp/kernel-modules && tar cf /out/kernel.tar lib )
-
-# Headers (userspace API)
-RUN mkdir -p /tmp/kernel-headers/usr && \
-    make INSTALL_HDR_PATH=/tmp/kernel-headers/usr headers_install && \
-    ( cd /tmp/kernel-headers && tar cf /out/kernel-headers.tar usr )
-
-# Headers (kernel development)
-RUN DVER=$(basename $(find /tmp/kernel-modules/lib/modules/ -mindepth 1 -maxdepth 1)) && \
-    dir=/tmp/usr/src/linux-headers-$DVER && \
-    mkdir -p $dir && \
-    cp /linux/.config $dir && \
-    cp /linux/Module.symvers $dir && \
-    find . -path './include/*' -prune -o \
-           -path './arch/*/include' -prune -o \
-           -path './scripts/*' -prune -o \
-           -type f \( -name 'Makefile*' -o -name 'Kconfig*' -o -name 'Kbuild*' -o \
-                      -name '*.lds' -o -name '*.pl' -o -name '*.sh' \) | \
-         tar cf - -T - | (cd $dir; tar xf -) && \
-    ( cd /tmp && tar cf /out/kernel-dev.tar usr/src )
-
-RUN printf "KERNEL_SOURCE=${KERNEL_SOURCE}\n" > /out/kernel-source-info
-
-
-FROM scratch
-ENTRYPOINT []
-CMD []
-WORKDIR /
-COPY --from=kernel-build /out/* /
--- a/projects/wireguard/kernel/Makefile
+++ b/projects/wireguard/kernel/Makefile
@ -1,66 +0,0 @@
-# This builds the supported LinuxKit kernels. Kernels are wrapped up
-# in a minimal toybox container, which contains the bzImage, a tar
-# ball with modules and the kernel source.
-#
-# Each kernel is pushed to hub twice, once as
-# linuxkit/kernel:<kernel>.<major>.<minor>-<hash> and once as
-# inuxkit/kernel:<kernel>.<major>.x. The <hash> is the git tree hash
-# of the current directory. The build will only rebuild the kernel
-# image if the git tree hash changed.
-
-# Git tree hash of this directory. Override to force build
-HASH?=$(shell git ls-tree HEAD -- ../$(notdir $(CURDIR)) | awk '{print $$3}')
-# Name and Org on Hub
-ORG?=linuxkit
-IMAGE:=kernel-wireguard
-
-.PHONY: check tag push sign
-# Targets:
-# build: builds all kernels
-# push:  pushes all tagged kernel images to hub
-# sign:  sign and push all kernel images to hub
-build:
-push:
-sign:
-
-# A template for defining kernel build
-# Arguments:
-# $1: Full kernel version, e.g., 4.9.22
-# $2: Kernel "series", e.g., 4.9.x
-# $3: Build a debug kernel (used as suffix for image)
-# This defines targets like:
-# build_4.9.x, push_4.9.x and sign_4.9.x and adds them as dependencies
-# to the global targets
-# Set $3 to "_dbg", to build debug kernels. This defines targets like
-# build_4.9.x_dbg and adds "_dbg" to the hub image name.
-define kernel
-build_$(2)$(3): Dockerfile Makefile $(wildcard patches-$(2)/*) kernel_config-$(2) kernel_config.debug
-	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
-		docker build \
-			--build-arg KERNEL_VERSION=$(1) \
-			--build-arg KERNEL_SERIES=$(2) \
-			--build-arg DEBUG=$(3) \
-			--no-cache -t $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) .
-
-push_$(2)$(3): build_$(2)$(3)
-	docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
-		(docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \
-		 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \
-		 docker push $(ORG)/$(IMAGE):$(2)$(3))
-
-sign_$(2)$(3): build_$(2)$(3)
-	DOCKER_CONTENT_TRUST=1 docker pull $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) || \
-		(DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) && \
-		 docker tag $(ORG)/$(IMAGE):$(1)$(3)-$(HASH) $(ORG)/$(IMAGE):$(2)$(3) && \
-		 DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(2)$(3))
-
-build: build_$(2)$(3)
-push: push_$(2)$(3)
-sign: sign_$(2)$(3)
-endef
-
-#
-# Build Targets
-# Debug targets only for latest stable and LTS stable
-#
-$(eval $(call kernel,4.9.15,4.9.x))
--- a/projects/wireguard/kernel/kernel_config-4.9.x
+++ b/projects/wireguard/kernel/kernel_config-4.9.x
--- a/projects/wireguard/kernel/kernel_config.debug
+++ b/projects/wireguard/kernel/kernel_config.debug
@ -1,26 +0,0 @@
-
-
-## MOBY DEBUG OPTIONS ##
-
-CONFIG_LOCKDEP=y
-CONFIG_FRAME_POINTER=y
-CONFIG_LOCKUP_DETECTOR=y
-CONFIG_DETECT_HUNG_TASK=y
-CONFIG_DEBUG_TIMEKEEPING=y
-CONFIG_DEBUG_RT_MUTEXES=y
-CONFIG_DEBUG_SPINLOCK=y
-CONFIG_DEBUG_MUTEXES=y
-CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y
-CONFIG_DEBUG_LOCK_ALLOC=y
-CONFIG_PROVE_LOCKING=y
-CONFIG_LOCK_STAT=y
-CONFIG_DEBUG_ATOMIC_SLEEP=y
-CONFIG_DEBUG_LIST=y
-CONFIG_DEBUG_NOTIFIERS=y
-CONFIG_PROVE_RCU=y
-CONFIG_RCU_TRACE=y
-CONFIG_KGDB=y
-CONFIG_KGDB_SERIAL_CONSOLE=y
-CONFIG_KGDBOC=y
-CONFIG_DEBUG_RODATA_TEST=y
-CONFIG_DEBUG_WX=y
--- a/projects/wireguard/kernel/patches-4.9.x/WireGuard.patch
+++ b/projects/wireguard/kernel/patches-4.9.x/WireGuard.patch
--- a/projects/wireguard/wireguard.yml
+++ b/projects/wireguard/wireguard.yml
@ -1,6 +1,3 @@
-kernel:
-  image: linuxkit/kernel-wireguard:4.9.15-2ca28b7589b673373a33274023ca870a3a77e081
-  cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
  - linuxkit/init:d049e7b2074da5cd699a27defb47eb101142455d
  - linuxkit/runc:d5cbeb95bdafedb82ad2cf11cff1a5da7fcae630