Routine version bump that also removes the necessity of carrying that
extra patch. Changes:
* Kconfig: remove trailing whitespace
* allowedips: rename from routingtable
* tools: remove ioctl cruft
* global: revert checkpatch.pl changes
Cleanliness.
* device: please lockdep
* device: wait for all peers to be freed before destroying
These make the various checkers happy.
* netlink: plug memory leak
* qemu: check for memory leaks
There was a small memory leak on the netlink configuration layer that's now
been fixed.
* receive: hoist fpu outside of receive loop
Should be a small speedup on x86_64.
* qemu: more debugging
* qemu: bump kernel version
Significantly more debugging checkers have been turned on.
* wg-quick: stat the correct enclosing folder of config file
* wg-quick: allow for tabs in keys
Minor fixups for wg-quick(8).
* compat: 4.4.0 has strange ECN function
Nobody actually runs base 4.4.0, but this is more correct anyway.
* netlink: make sure we reserve space for NLMSG_DONE
A rather important change - due to an upstream kernel bug, that's existed
since the advent of netlink itself, sometimes wg(8) failed to receive valid
data back from kernelspace, resulting in "ENOBUFS" when trying to dump all
peers. This patch works around it while we wait for upstream to commit the
fix.
* curve25519: reject deriving from NULL private keys
* tools: allow for NULL keys everywhere
A null 25519 private point isn't a valid point (prior to normalization), which
is why we use it as the "unsetting" value. Conversely, however, except for
psk, we should be using the existence of it in the netlink message being an
indication of whether or not it's set, for the tools.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
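The null-key convention described in the two bullets above, as an added example that is not WireGuard's own code: an all-zero 32-byte Curve25519 private key is the "unset" sentinel, so deriving a public key from it is refused. The X25519 ladder is a pure-Python transcription of RFC 7748; `derive_public_key` and `is_unset_key` are names chosen here, not the tools' API.

```python
# Added example, not WireGuard's own code: the all-zero private key is the
# "unsetting" value, so public-key derivation must refuse it (RFC 7748 X25519).
P = 2**255 - 19
A24 = 121665
KEY_LEN = 32

def _decode_scalar(k: bytes) -> int:
    k = bytearray(k)  # clamp per RFC 7748 section 5
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")

def _cswap(swap: int, a: int, b: int):
    dummy = (-swap) & (a ^ b)  # swap is 0 or 1
    return a ^ dummy, b ^ dummy

def x25519(scalar: bytes, u_bytes: bytes) -> bytes:
    # Montgomery ladder from RFC 7748; Python big ints, so not constant time.
    k = _decode_scalar(scalar)
    x1 = int.from_bytes(u_bytes, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        x2, x3 = _cswap(swap, x2, x3)
        z2, z3 = _cswap(swap, z2, z3)
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    x2, x3 = _cswap(swap, x2, x3)
    z2, z3 = _cswap(swap, z2, z3)
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(KEY_LEN, "little")

def is_unset_key(key: bytes) -> bool:
    return len(key) == KEY_LEN and key == bytes(KEY_LEN)

def derive_public_key(private_key: bytes) -> bytes:
    if len(private_key) != KEY_LEN:
        raise ValueError("private key must be 32 bytes")
    if is_unset_key(private_key):  # reject the NULL (unset) private key
        raise ValueError("refusing to derive from the unset all-zero key")
    return x25519(private_key, (9).to_bytes(KEY_LEN, "little"))
```

For a psk the same all-zero value is a legitimate "clear" setting rather than an error, which is why the tools treat it differently from the curve keys.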
Version 0.0.20171101 errors out when compiled for
debug kernels. This will be fixed in the next release.
In the meantime pull in the patch which fixes the
compile error.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
20171031, the Halloween edition, had a show stopper bug, which was
neither security related, nor did it affect LinuxKit kernels, but
was important enough for me to bump the snapshot. This is the
corresponding LinuxKit bump. Changes:
* wg-quick: save all hooks on save
Tiny bug fix for 'wg-quick save'.
* timers: switch to kees' new timer_list functions
Shiny new things for Linux 4.14.
* compat: unbreak unloading on kernels 4.6 through 4.9
The real motivation for this extra snapshot bump. Before we would run into
some issues when unloading the module, which was not good.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Simple version bump. Changes:
* netns: use read built-in instead of ncat hack for dmesg
* netns: use time-based test instead of quantity-based
* qemu: allow for cross compilation
* qemu: work around ccache bugs
* qemu: test using four cores
* selftest: initialize mutex in routingtable selftest
We now cross compile and run in QEMU for x86_64, i686,
ARMv7, Aarch64, and MIPS. You can see the current build
status on: https://www.wireguard.com/build-status/
* stats: more robust accounting
* compat: fix up stat calculation for udp tunnel
The statistics from `ip link -stats` or from `wg show` are
now much more accurate.
* global: accept decent checkpatch.pl suggestions
* global: infuriating kernel iterator style
* global: style nits
* global: use fewer BUG_ONs
* global: get rid of useless forward declarations
* blake2: include headers for macros
* tools: correct type for CTRL_ATTR_FAMILY_ID
Lots of style cleanups.
* crypto/avx: make sure we can actually use ymm registers
This fixes an issue on some Xen platforms that expose
conflicting CPU features.
* peer: get rid of peer_for_each magic
* peer: store total number of peers instead of iterating
A major cleanup of our peer iteration logic, getting rid
of a big ugly macro and clarifying our locking semantics.
* compat: be sure to include header before testing
* wg-quick: allow specifiying multiple hooks
You can now specify {Post,Pre}{Down,Up} multiple times, and
the commands will then run in succession.
* wg-quick: remember to rewind DNS settings on failure
Small consistency fix.
* wg-quick: allow for saving existing interface
There is now a 'save' option for saving an existing
configuration without having to bring down the device.
* wg-quick: fsync the temporary file before renaming
In case the system loses power, you are now left with
either the old file or the new file but not an empty file.
* wg-quick: allow for the hatchet, but not by default
In order to account for distributions that do not have an
implementation of resolvconf(8), the contrib directory ships
with an alternative implementation that may be patched in.
This was extensively discussed and debated on the mailing
list.
* device: only take reference if netns is different
Solves an important memory leak when tearing down network
namespaces that haven't moved the wireguard device.
* device: expand scope of destruct lock
* timers: guard entire setting in block
Just to be certain.
* curve25519: only enable int128 if compiler support is sound
Allows building for Aarch64 with old gcc (such as that used
by Android) where we don't want to branch to a __multi3.
* contrib: add reresolve-dns
A small script that's been passed around for a while now for
reresolving DNS entries from a cronjob.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
It's kinda obvious that these are kernel configuration files
and, looking at various other distros it seems more common
to call the files 'config-<foo>'.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Copying the entire local directory into the container allows
us to check for the existence of the patch directory and
only apply the patches if the directory exists.
An alternative would have been to re-arrange the patch directory
into a sub-directory, but in terms of copying it wouldn't have
made that much of a difference.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Simple version bump. Changes:
* noise: handshake constants can be read-only after init
* noise: no need to take the RCU lock if we're not dereferencing
* send: improve dead packet control flow
* receive: improve control flow
* socket: eliminate dead code
* device: our use of queues means this check is worthless
* device: no need to take lock for integer comparison
* blake2s: modernize API and have faster _final
* compat: support READ_ONCE
* compat: just make ro_after_init read_mostly
Assorted cleanups to the module, including nice things like marking our
precomputations as const.
* Makefile: even prettier output
* Makefile: do not clean before cloc
* selftest: better test index for rate limiter
* netns: disable accept_dad for all interfaces
Fixes in our testing and build infrastructure. Now works on the 4.14 rc
series.
* qemu: add build-only target
* qemu: work on ubuntu toolchain
* qemu: add more debugging options to main makefile
* qemu: simplify shutdown
* qemu: open /dev/console if we're started early
* qemu: phase out bitbanging
* qemu: always create directory before untarring
* qemu: newer packages
* qemu: put hvc directive into configuration
This is the beginning of working out a cross building test suite, so we do
several tricks to be less platform independent.
* tools: encoding: be more paranoid
* tools: retry resolution except when fatal
* tools: don't insist on having a private key
* tools: add pass example to wg-quick man page
* tools: style
* tools: newline after warning
* tools: account for padding being in zero attribute
Several important tools fixes, one of which suppresses a needless warning.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
'make firmware_install' adds the firmware blobs created
during the build to '/lib/firmware' in the result tarball.
This should be installed along with the kernel modules.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
By running:
./scripts/update-component-sha.sh --image linuxkit/alpine ad35b6ddbc70faa07e59a9d7dee7707c08122e8d
Signed-off-by: Ian Campbell <ijc@docker.com>
For some use cases, we may want to add additional kernel
configuration options (e.g. when adding AUFS). This commit
enables it by:
- renaming DEBUG to EXTRA
- appending kernel_config${EXTRA} to the kernel config
- allowing passing in an EXTRA argument to the make file
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Without this change, recent Docker builds produce this warning:
[WARNING]: Empty continuation line found in:
RUN apk add xz xz-dev zlib-dev && if [ $(uname -m) == x86_64 ]; then apk add libunwind-dev;
fi
[WARNING]: Empty continuation lines will become errors in a future release.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The kernel config for debug kernels is created by concatenating
config files, so we can't use diff to check it.
This fixes a regression introduced by:
9362de0a ("kernel: Verify kernel config")
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The new Dockerfile.kconfig can be used, via the 'kconfig' make target,
to build a 'linuxkit/kconfig' image. This image contains the patched
source and default kernel configs for all supported kernels.
It's useful for updating the kernel config files.
While at it, also update the alpine base.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The kernel build currently downloads the source tar ball every
time, which is a little tedious when experimenting with kernel
configs or when compiling the kernel multiple times.
This commit adds a new 'fetch' make target which downloads the
kernel sources into ./sources. Then in the Dockerfile we add
the directory and only download the source if it is not present.
The tarball's signature is still checked on each build.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Since we supply a full .config file we can check that after
make defconfig/oldconfig it hasn't changed. This should catch
cases where a config option has changed between releases.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The original kernel Dockerfile hardcodes amd64 as the
only supported arch; this patch removes this kind of hardcoding
and makes the Dockerfile ready to support both amd64 and
arm64 by using the runtime arch type.
Signed-off-by: Dennis Chen <dennis.chen@arm.com>
It clashes with libelf-dev but libelf-dev is sufficient
to compile the kernel. This also allows us to remove the
'|| true' from the 'apk add', catching errors with the
tools installation.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The perf utility is somewhat kernel specific so might as well
compile it when we compile the kernel. The resulting binary
is statically linked (and stripped for size) and is added to the
resulting kernel packages.
Although we add alpine packages such as libunwind and others,
it seems that the config detection code for perf/tools does
not detect them.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Also add additional tools and libraries useful/needed for
compiling some of the ./tools in the kernel source.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
The vmlinux image is the un-stripped kernel image containing
full debug information which is useful for kernel debugging.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Building debug kernels (with additional run time checks and debugging)
was broken a few commits back. This adds back support for building debug
kernels.
In addition, it builds and uploads debug kernels for selected kernel
series (4.9.x LTS and latest stable). The tag for these kernels has
a "_dbg" suffix.
Update documentation.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
- Use a RUN command per artefact created
- Use WORKDIR to avoid "cd /linux" on every RUN command
- Copy all relevant build artefacts to /out
- Only create one additional layer in final stage
- Add System.map to output image
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>