atomic-wireguard: Fedora Atomic Host and Silverblue support

Joe Doss joe at solidadmin.com
Wed May 30 04:29:08 CEST 2018


Hello there,

I am the Fedora/RHEL/CentOS package maintainer for WireGuard and I have 
seen at least one post on the mailing list and some random chatter on 
IRC about supporting WireGuard on Project Atomic [1] based distros. 
Specifically Fedora Atomic Host [2] and Silverblue [3]. Since I am 
starting to work more with Fedora Atomic Host for my projects, I have 
found a need to create a solution on my end.

Like CoreOS, these distros are immutable and designed to run 
containerized applications. Most of the file system on a Project Atomic 
based distro is read-only. This makes the current wireguard-dkms RPM 
impossible to use without substantial work on rpm-ostree [4]. To work 
around this limitation, I have created atomic-wireguard [5] and 
open-sourced it. Simply put, it builds the kernel module inside a 
container and then it loads it on the host node.

Some comments and disclaimers to consider before you use this project:

* It is much slower than using DKMS. It will add ~5 to 10min on your 
boot time if the kernel module isn't built for your currently booted 
kernel. Speeding this up is something I will be looking into soon.

* It relies on having a working Internet connection during boot to pull 
down the source and build the module for the current running kernel. 
This most likely can be improved.

* It probably has bugs. I wouldn't use this with production workloads 
without ample testing on your end.

* You can use the RPM on Fedora 28 Workstation. It will replace the 
wireguard-dkms and wireguard-tools packages and the install instructions 
are on the GitHub repo.

* wg-quick isn't supported as my use-case doesn't use it. Instead, 
atomic-wireguard makes use of the new WireGuard features in 
systemd-networkd that comes with systemd 238 that ships with Fedora 28.

* RHEL Atomic Host/CentOS Atomic Host support is going to take some 
time. There are a handful of RPMs that have to mature a bit to get into 
RHEL. Specifically systemd, podman, and container-selinux packages.

* Updating to the most current WireGuard snapshot is faster since you 
don't have to wait for me to make a new wireguard-dkms RPM. ;)

This project should be a stopgap for getting WireGuard on a Project 
Atomic based distro until we get upstream into the mainline kernel. All 
of the source is up on GitHub and the RPM is on Copr [6]. PRs and GH 
issues are welcome! Enjoy!

Thanks,
Joe

[1] https://www.projectatomic.io/
[2] https://getfedora.org/en/atomic/
[3] https://teamsilverblue.org/
[4] https://github.com/projectatomic/rpm-ostree/issues/1091
[5] https://github.com/jdoss/atomic-wireguard
[6] https://copr.fedorainfracloud.org/coprs/jdoss/atomic-wireguard/


-- 
Joe Doss
joe at solidadmin.com

https://twitter.com/jdoss


More information about the WireGuard mailing list