From: Joe Doss <joe@solidadmin.com>
To: WireGuard Mailing List <wireguard@lists.zx2c4.com>
Subject: atomic-wireguard: Fedora Atomic Host and Silverblue support
Date: Tue, 29 May 2018 21:29:08 -0500
Message-ID: <64ba52e4-98cf-cede-8852-a694038eb082@solidadmin.com>

Hello there,

I am the Fedora/RHEL/CentOS package maintainer for WireGuard and I have
seen at least one post on the mailing list and some random chatter on
IRC about supporting WireGuard on Project Atomic [1] based distros.
Specifically Fedora Atomic Host [2] and Silverblue [3]. Since I am
starting to work more with Fedora Atomic Host for my projects, I have
found a need to create a solution on my end.

Like CoreOS, these distros are immutable and designed to run
containerized applications. Most of the file system on a Project Atomic
based distro is read-only. This makes the current wireguard-dkms RPM
impossible to use without substantial work on rpm-ostree [4]. To work
around this limitation, I have created atomic-wireguard [5] and
open-sourced it. Simply put, it builds the kernel module inside a
container and then it loads it on the host node.

Some comments and disclaimers to consider before you use this project:

* It is much slower than using DKMS. It will add ~5 to 10 min to your
  boot time if the kernel module isn't built for your currently booted
  kernel. Speeding this up is something I will be looking into soon.

* It relies on having a working Internet connection during boot to pull
  down the source and build the module for the currently running kernel.
  This most likely can be improved.

* It probably has bugs. I wouldn't use this with production workloads
  without ample testing on your end.

* You can use the RPM on Fedora 28 Workstation. It will replace the
  wireguard-dkms and wireguard-tools packages and the install instructions
  are on the GitHub repo.

* wg-quick isn't supported as my use-case doesn't use it. Instead,
  atomic-wireguard makes use of the new WireGuard features in
  systemd-networkd that comes with systemd 238 that ships with Fedora 28.

* RHEL Atomic Host/CentOS Atomic Host support is going to take some
  time. There are a handful of RPMs that have to mature a bit to get into
  RHEL. Specifically systemd, podman, and container-selinux packages.

* Updating to the most current WireGuard snapshot is faster since you
  don't have to wait for me to make a new wireguard-dkms RPM. ;)

This project should be a stopgap for getting WireGuard on a Project
Atomic based distro until we get upstream into the mainline kernel. All
of the source is up on GitHub and the RPM is on Copr [6]. PRs and GH
issues are welcome! Enjoy!

Thanks,
Joe

[1] https://www.projectatomic.io/
[2] https://getfedora.org/en/atomic/
[3] https://teamsilverblue.org/
[4] https://github.com/projectatomic/rpm-ostree/issues/1091
[5] https://github.com/jdoss/atomic-wireguard
[6] https://copr.fedorainfracloud.org/coprs/jdoss/atomic-wireguard/

--
Joe Doss
joe@solidadmin.com
https://twitter.com/jdoss