On Linux the default is /dev/random which may block if there
is not enough entropy (and it determines lack of entropy
conservatively). /dev/urandom never blocks but is fed from
the same entropy source as /dev/random so this change should
not affect platforms which have hardware RNGs but helps to
prevent stalls on platforms, in particular some arm64 platforms,
where the hardware RNG is either not present or not enabled.
If you really care about proper entropy inside a VM do not use
'linuxkit run', it's mostly for testing and shouldn't be used
for production anyway.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
This fixes issue #2635 related to no network being passed during an
image upload as no network is required. However a hostname is still
required due to vCenter handing the upload to a vSphere server and it’s
DataStore.
Signed-off-by: Dan Finneran <daniel.finneran@gmail.com>
Version 0.0.20171101 errors out when compiled for
debug kernels. This will be fixed in the next release.
In the meantime pull in the patch which fixes the
compile error.
Signed-off-by: Rolf Neugebauer <rolf.neugebauer@docker.com>
Pulling the arch suffixed version does not provide any assurance that a
previous build was actually completed.
Signed-off-by: Ian Campbell <ijc@docker.com>
There is more to do on these, but clean up some unused variables,
missing args, stray `\n` etc.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
20171031, the Halloween edition, had a show stopper bug, which was
neither security related, nor did it affect LinuxKit kernels, but
was important enough for me to bump the snapshot. This is the
corresponding LinuxKit bump. Changes:
* wg-quick: save all hooks on save
Tiny bug fix for 'wg-quick save'.
* timers: switch to kees' new timer_list functions
Shiny new things for Linux 4.14.
* compat: unbreak unloading on kernels 4.6 through 4.9
The real motivation for this extra snapshot bump. Before we would run into
some issues when unloading the module, which was not good.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Simple version bump. Changes:
* netns: use read built-in instead of ncat hack for dmesg
* netns: use time-based test instead of quantity-based
* qemu: allow for cross compilation
* qemu: work around ccache bugs
* qemu: test using four cores
* selftest: initialize mutex in routingtable selftest
We now cross compile and run in QEMU for x86_64, i686,
ARMv7, Aarch64, and MIPS. You can see the current build
status on: https://www.wireguard.com/build-status/
* stats: more robust accounting
* compat: fix up stat calculation for udp tunnel
The statistics from `ip link -stats` or from `wg show` are
now much more accurate.
* global: accept decent check_patch.pl suggestions
* global: infuriating kernel iterator style
* global: style nits
* global: use fewer BUG_ONs
* global: get rid of useless forward declarations
* blake2: include headers for macros
* tools: correct type for CTRL_ATTR_FAMILY_ID
Lots of style cleanups.
* crypto/avx: make sure we can actually use ymm registers
This fixes an issue on some Xen platforms that expose
conflicting CPU features.
* peer: get rid of peer_for_each magic
* peer: store total number of peers instead of iterating
A major cleanup of our peer iteration logic, getting rid
of a big ugly macro and clarifying our locking semantics.
* compat: be sure to include header before testing
* wg-quick: allow specifiying multiple hooks
You can now specify {Post,Pre}{Down,Up} multiple times, and
the commands will then run in succession.
* wg-quick: remember to rewind DNS settings on failure
Small consistency fix.
* wg-quick: allow for saving existing interface
There is now a 'save' option for saving an existing
configuration without having to bring down the device.
* wg-quick: fsync the temporary file before renaming
In case the system looses power, you are now left with
either the old file or the new file but not an empty file.
* wg-quick: allow for the hatchet, but not by default
In order to account for distributions that do not have an
implementation of resolvconf(8), the contrib directory ships
with an alternative implementation that may be patched in.
This was extensively discussed and debated on the mailing
list.
* device: only take reference if netns is different
Solves an important memory leak when tearing down network
namespaces that haven't moved the wireguard device.
* device: expand scope of destruct lock
* timers: guard entire setting in block
Just to be certain.
* curve25519: only enable int128 if compiler support is sound
Allows building for Aarch64 with old gcc (such as that used
by Android) where we don't want to branch to a __multi3.
* contrib: add reresolve-dns
A small script that's been passed around for a while now for
reresolving DNS entries from a cronjob.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
