compile wireguard tools/module, make it optional

Dockerfile

@@ -14,22 +14,35 @@ RUN \
  apt-get update && \
  apt-get install -y \
 	bc \
+	build-essential \
 	curl \
-	dkms \
+	git \
 	gnupg \ 
 	ifupdown \
 	iproute2 \
 	iptables \
 	iputils-ping \
+	jq \
 	libc6 \
+	libelf-dev \
 	perl \
+	pkg-config \
 	qrencode && \
- apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E1B39B6EF6DDB96564797591AE33835F504A1A25 && \
- echo "deb http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic main" >> /etc/apt/sources.list.d/wireguard.list && \
- echo "deb-src http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic main" >> /etc/apt/sources.list.d/wireguard.list && \
  echo resolvconf resolvconf/linkify-resolvconf boolean false | debconf-set-selections && \
  echo "REPORT_ABSENT_SYMLINK=no" >> /etc/default/resolvconf && \
  apt-get install resolvconf && \
+ echo "**** install wireguard-tools ****" && \
+ if [ -z ${WIREGUARD_RELEASE+x} ]; then \
+	WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \
+	| jq -r .[0].name); \
+ fi && \
+ cd /app && \
+ git clone https://git.zx2c4.com/wireguard-linux-compat && \
+ git clone https://git.zx2c4.com/wireguard-tools && \
+ cd wireguard-tools && \
+ git checkout "${WIREGUARD_RELEASE}" && \
+ make -C src -j$(nproc) && \
+ make -C src install && \
  echo "**** install CoreDNS ****" && \
  COREDNS_VERSION=$(curl -sX GET "https://api.github.com/repos/coredns/coredns/releases/latest" \
 	| awk '/tag_name/{print $4;exit}' FS='[""]' | awk '{print substr($1,2); }') && \
@@ -40,6 +53,9 @@ RUN \
 	/tmp/coredns.tar.gz -C \
 	/app && \
  echo "**** clean up ****" && \
+ apt-get -y purge \
+	git && \
+ apt-get -y autoremove && \
  rm -rf \
 	/tmp/* \
 	/var/lib/apt/lists/* \

Dockerfile.aarch64

@@ -14,32 +14,48 @@ RUN \
  apt-get update && \
  apt-get install -y \
 	bc \
+	build-essential \
 	curl \
-	dkms \
+	git \
 	gnupg \ 
 	ifupdown \
 	iproute2 \
 	iptables \
 	iputils-ping \
+	jq \
 	libc6 \
+	libelf-dev \
 	perl \
+	pkg-config \
 	qrencode && \
- apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E1B39B6EF6DDB96564797591AE33835F504A1A25 && \
- echo "deb http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic main" >> /etc/apt/sources.list.d/wireguard.list && \
- echo "deb-src http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic main" >> /etc/apt/sources.list.d/wireguard.list && \
  echo resolvconf resolvconf/linkify-resolvconf boolean false | debconf-set-selections && \
  echo "REPORT_ABSENT_SYMLINK=no" >> /etc/default/resolvconf && \
  apt-get install resolvconf && \
+ echo "**** install wireguard-tools ****" && \
+ if [ -z ${WIREGUARD_RELEASE+x} ]; then \
+	WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \
+	| jq -r .[0].name); \
+ fi && \
+ cd /app && \
+ git clone https://git.zx2c4.com/wireguard-linux-compat && \
+ git clone https://git.zx2c4.com/wireguard-tools && \
+ cd wireguard-tools && \
+ git checkout "${WIREGUARD_RELEASE}" && \
+ make -C src -j$(nproc) && \
+ make -C src install && \
  echo "**** install CoreDNS ****" && \
  COREDNS_VERSION=$(curl -sX GET "https://api.github.com/repos/coredns/coredns/releases/latest" \
 	| awk '/tag_name/{print $4;exit}' FS='[""]' | awk '{print substr($1,2); }') && \
  curl -o \
 	/tmp/coredns.tar.gz -L \
-	"https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_arm64.tgz" && \
+	"https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_amd64.tgz" && \
  tar xf \
 	/tmp/coredns.tar.gz -C \
 	/app && \
  echo "**** clean up ****" && \
+ apt-get -y purge \
+	git && \
+ apt-get -y autoremove && \
  rm -rf \
 	/tmp/* \
 	/var/lib/apt/lists/* \

Dockerfile.armhf

@@ -14,32 +14,48 @@ RUN \
  apt-get update && \
  apt-get install -y \
 	bc \
+	build-essential \
 	curl \
-	dkms \
+	git \
 	gnupg \ 
 	ifupdown \
 	iproute2 \
 	iptables \
 	iputils-ping \
+	jq \
 	libc6 \
+	libelf-dev \
 	perl \
+	pkg-config \
 	qrencode && \
- apt-key adv --keyserver keyserver.ubuntu.com --recv-keys E1B39B6EF6DDB96564797591AE33835F504A1A25 && \
- echo "deb http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic main" >> /etc/apt/sources.list.d/wireguard.list && \
- echo "deb-src http://ppa.launchpad.net/wireguard/wireguard/ubuntu bionic main" >> /etc/apt/sources.list.d/wireguard.list && \
  echo resolvconf resolvconf/linkify-resolvconf boolean false | debconf-set-selections && \
  echo "REPORT_ABSENT_SYMLINK=no" >> /etc/default/resolvconf && \
  apt-get install resolvconf && \
+ echo "**** install wireguard-tools ****" && \
+ if [ -z ${WIREGUARD_RELEASE+x} ]; then \
+	WIREGUARD_RELEASE=$(curl -sX GET "https://api.github.com/repos/WireGuard/wireguard-tools/tags" \
+	| jq -r .[0].name); \
+ fi && \
+ cd /app && \
+ git clone https://git.zx2c4.com/wireguard-linux-compat && \
+ git clone https://git.zx2c4.com/wireguard-tools && \
+ cd wireguard-tools && \
+ git checkout "${WIREGUARD_RELEASE}" && \
+ make -C src -j$(nproc) && \
+ make -C src install && \
  echo "**** install CoreDNS ****" && \
  COREDNS_VERSION=$(curl -sX GET "https://api.github.com/repos/coredns/coredns/releases/latest" \
 	| awk '/tag_name/{print $4;exit}' FS='[""]' | awk '{print substr($1,2); }') && \
  curl -o \
 	/tmp/coredns.tar.gz -L \
-	"https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_arm.tgz" && \
+	"https://github.com/coredns/coredns/releases/download/v${COREDNS_VERSION}/coredns_${COREDNS_VERSION}_linux_amd64.tgz" && \
  tar xf \
 	/tmp/coredns.tar.gz -C \
 	/app && \
  echo "**** clean up ****" && \
+ apt-get -y purge \
+	git && \
+ apt-get -y autoremove && \
  rm -rf \
 	/tmp/* \
 	/var/lib/apt/lists/* \

Jenkinsfile

@@ -103,7 +103,7 @@ pipeline {
       steps{
         script{
           env.EXT_RELEASE = sh(
-            script: ''' curl -sX GET http://ppa.launchpad.net/wireguard/wireguard/ubuntu/dists/bionic/main/binary-amd64/Packages.gz | gunzip -c |grep -A 7 -m 1 'Package: wireguard' | awk -F ': ' '/Version/{print $2;exit}' ''',
+            script: ''' curl -sX GET https://api.github.com/repos/WireGuard/wireguard-tools/tags | jq -r .[0].name ''',
             returnStdout: true).trim()
             env.RELEASE_LINK = 'custom_command'
         }

README.md

@@ -268,6 +268,7 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 
 ## Versions
 
+* **19.06.20:** - Compile wireguard tools and kernel module instead of using the ubuntu packages, make module install optional.
 * **29.05.20:** - Add support for 64bit raspbian.
 * **28.04.20:** - Add Buster/Stretch backports repos for Debian. Tested with OMV 5 and OMV 4 (on kernel 4.19.0-0.bpo.8-amd64).
 * **20.04.20:** - Fix typo in client mode conf existence check.

jenkins-vars.yml

@@ -3,7 +3,7 @@
 # jenkins variables
 project_name: docker-wireguard
 external_type: na
-custom_version_command: "curl -sX GET http://ppa.launchpad.net/wireguard/wireguard/ubuntu/dists/bionic/main/binary-amd64/Packages.gz | gunzip -c |grep -A 7 -m 1 'Package: wireguard' | awk -F ': ' '/Version/{print $2;exit}'"
+custom_version_command: "curl -sX GET https://api.github.com/repos/WireGuard/wireguard-tools/tags | jq -r .[0].name"
 release_type: stable
 release_tag: latest
 ls_branch: master

readme-vars.yml

@@ -85,6 +85,7 @@ app_setup_block: |
   
 # changelog
 changelogs:
+  - { date: "19.06.20:", desc: "Compile wireguard tools and kernel module instead of using the ubuntu packages, make module install optional." }
   - { date: "29.05.20:", desc: "Add support for 64bit raspbian." }
   - { date: "28.04.20:", desc: "Add Buster/Stretch backports repos for Debian. Tested with OMV 5 and OMV 4 (on kernel 4.19.0-0.bpo.8-amd64)." }
   - { date: "20.04.20:", desc: "Fix typo in client mode conf existence check." }

root/etc/cont-init.d/30-config

@@ -2,83 +2,113 @@
 
 mkdir -p /config/{templates,coredns}
 
-# install headers and wireguard
-apt-get update
-if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
-  apt-get install -y \
-    linux-headers-$(uname -r) \
-    wireguard
-elif (uname -r | grep -q 'v7+') || (uname -r | grep -q 'v7l+') || (uname -r | grep -q 'v8+'); then
-  echo "Raspbian kernel naming convention detected, attempting to install raspbian kernel headers"
-  curl -s http://archive.raspberrypi.org/debian/raspberrypi.gpg.key | apt-key add -
-  echo -e \
-    "deb http://archive.raspberrypi.org/debian/ buster main\ndeb-src http://archive.raspberrypi.org/debian/ buster main" \
-    > /etc/apt/sources.list.d/raspbian.list
-  apt-get update
-  apt-get install -y \
-    raspberrypi-kernel-headers \
-    wireguard
-elif uname -v | grep -q 'Ubuntu'; then
-  echo "Attempting to install kernel headers from Ubuntu Xenial repo"
-  echo -e \
-    "deb http://archive.ubuntu.com/ubuntu/ xenial main restricted\ndeb-src http://archive.ubuntu.com/ubuntu/ xenial main restricted\n\ndeb http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted\ndeb-src http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted" \
-    > /etc/apt/sources.list.d/xenial.list
-  apt-get update
-  if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
-    apt-get install -y \
-      linux-headers-$(uname -r) \
-      wireguard
+# check for wireguard module
+if grep -q wireguard /proc/modules; then
+  echo "It seems the wireguard module is already loaded, let's test to make sure it works."
+  /app/wireguard-tools/contrib/ncat-client-server/client-quick.sh
+  wg-quick up demo
+  if wg show | grep -q demo; then
+    echo "The module is working properly, skipping kernel header install and module compilation."
+    SKIP_COMPILE="true"
   else
-    echo "No kernel headers found in the Ubuntu repos!! Will try the headers from host (if mapped), may or may not work"
-    apt-get install -y \
-      wireguard
+    echo "The module is not functional, will attempt kernel header install and module compilation."
   fi
-elif uname -v | grep -q 'Debian'; then
-  echo "Debian host detected, attempting to install kernel headers from Debian Buster repo"
-  curl -s https://ftp-master.debian.org/keys/archive-key-10.asc | apt-key add -
-  echo -e \
-    "deb http://deb.debian.org/debian buster main contrib non-free\ndeb-src http://deb.debian.org/debian buster main contrib non-free\ndeb http://deb.debian.org/debian buster-backports main contrib non-free\ndeb-src http://deb.debian.org/debian buster-backports main contrib non-free" \
-    > /etc/apt/sources.list.d/debian.list
+  wg-quick down demo
+  rm -f /etc/wireguard/demo.conf
+else
+  echo "The wireguard module is not loaded, will attempt kernel header install and module compilation."
+fi  
+
+# install headers if necessary
+if [ "$SKIP_COMPILE" != "true" ]; then
+  echo "Attempting kernel header install"
   apt-get update
   if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
-    if uname -r | grep -qs "bpo"; then
-      echo "Backported kernel detected"
-      apt-get install -y -t buster-backports \
-        linux-headers-$(uname -r)
+    apt-get install -y \
+      linux-headers-$(uname -r)
+  elif (uname -r | grep -q 'v7+') || (uname -r | grep -q 'v7l+') || (uname -r | grep -q 'v8+'); then
+    echo "Raspbian kernel naming convention detected, attempting to install raspbian kernel headers"
+    curl -s http://archive.raspberrypi.org/debian/raspberrypi.gpg.key | apt-key add -
+    echo -e \
+      "deb http://archive.raspberrypi.org/debian/ buster main\ndeb-src http://archive.raspberrypi.org/debian/ buster main" \
+      > /etc/apt/sources.list.d/raspbian.list
+    apt-get update
+    apt-get install -y \
+      raspberrypi-kernel-headers
+  elif uname -v | grep -q 'Ubuntu'; then
+    echo "Attempting to install kernel headers from Ubuntu Xenial repo"
+    echo -e \
+      "deb http://archive.ubuntu.com/ubuntu/ xenial main restricted\ndeb-src http://archive.ubuntu.com/ubuntu/ xenial main restricted\n\ndeb http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted\ndeb-src http://archive.ubuntu.com/ubuntu/ xenial-updates main restricted" \
+      > /etc/apt/sources.list.d/xenial.list
+    apt-get update
+    if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
       apt-get install -y \
-        wireguard
+        linux-headers-$(uname -r)
     else
-      apt-get install -y \
-        linux-headers-$(uname -r) \
-        wireguard
+      echo "No kernel headers found in the Ubuntu repos!! Will try the headers from host (if mapped), may or may not work"
     fi
-  else
-    echo "Attempting to install kernel headers from the Debian Stretch repo"
-    curl -s https://ftp-master.debian.org/keys/archive-key-9.asc | apt-key add -
-    sed -i 's/buster/stretch/g' /etc/apt/sources.list.d/debian.list
+  elif uname -v | grep -q 'Debian'; then
+    echo "Debian host detected, attempting to install kernel headers from Debian Buster repo"
+    curl -s https://ftp-master.debian.org/keys/archive-key-10.asc | apt-key add -
+    echo -e \
+      "deb http://deb.debian.org/debian buster main contrib non-free\ndeb-src http://deb.debian.org/debian buster main contrib non-free\ndeb http://deb.debian.org/debian buster-backports main contrib non-free\ndeb-src http://deb.debian.org/debian buster-backports main contrib non-free" \
+      > /etc/apt/sources.list.d/debian.list
     apt-get update
     if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
       if uname -r | grep -qs "bpo"; then
         echo "Backported kernel detected"
-        apt-get install -y -t stretch-backports \
+        apt-get install -y -t buster-backports \
           linux-headers-$(uname -r)
-        apt-get install -y \
-          wireguard
       else
         apt-get install -y \
-          linux-headers-$(uname -r) \
-          wireguard
+          linux-headers-$(uname -r)
       fi
     else
-      echo "No kernel headers found in Debian repos!! Will try the headers from host (if mapped), may or may not work"
-      apt-get install -y \
-        wireguard
+      echo "Attempting to install kernel headers from the Debian Stretch repo"
+      curl -s https://ftp-master.debian.org/keys/archive-key-9.asc | apt-key add -
+      sed -i 's/buster/stretch/g' /etc/apt/sources.list.d/debian.list
+      apt-get update
+      if apt-cache show linux-headers-$(uname -r) 2&>1 >/dev/null; then
+        if uname -r | grep -qs "bpo"; then
+          echo "Backported kernel detected"
+          apt-get install -y -t stretch-backports \
+            linux-headers-$(uname -r)
+        else
+          apt-get install -y \
+            linux-headers-$(uname -r)
+        fi
+      else
+        echo "No kernel headers found in Debian repos!! Will try the headers from host (if mapped), may or may not work"
+      fi
     fi
+  else
+    echo "No kernel headers found in the Ubuntu or Debian repos!! Will try the headers from host (if mapped), may or may not work"
+  fi
+fi
+
+if [ "$SKIP_COMPILE" != "true" ]; then
+  if [ -e /lib/modules/$(uname -r)/build ]; then 
+    echo "Kernel headers seem to be present, attempting to build the wireguard module. . ."
+    cd /app
+    make -C wireguard-linux-compat/src -j$(nproc)
+    make -C wireguard-linux-compat/src install
+    echo "Let's test our new module."
+    /app/wireguard-tools/contrib/ncat-client-server/client-quick.sh
+    wg-quick up demo
+    if wg show | grep -q demo; then
+      echo "The module is working properly, moving forward with setup."
+    else
+      echo "The module is not working, review the logs. Sleeping now. . ."
+      wg-quick down demo
+      rm -f /etc/wireguard/demo.conf
+      sleep infinity
+    fi
+    wg-quick down demo
+    rm -f /etc/wireguard/demo.conf
+  else
+    echo "Kernel headers don't seem to be available, can't compile the module. Sleeping now. . ."
+    sleep infinity
   fi
-else
-  echo "No kernel headers found in the Ubuntu or Debian repos!! Will try the headers from host (if mapped), may or may not work"
-  apt-get install -y \
-    wireguard
 fi
 
 # prepare symlinks