[WireGuard] Fedora WireGuard RPMs

[WireGuard] Fedora WireGuard RPMs

[Joe Doss]

Hey there!

I saw the project was missing packages for Fedora, so I wrote some specs 
for RPMs to install the kernel module via DKMS and one for WireGuard 
tools. They are up on my Copr.

https://copr.fedorainfracloud.org/coprs/jdoss/wireguard/

Which can be enabled with:

sudo dnf copr enable jdoss/wireguard

and the packages installed with:

sudo dnf install wireguard-dkms wireguard-tools

I haven't tested them other than making sure the kernel module loads on 
Fedora 24 and doing the first parts of the quick start. Let me know what 
you think and feedback for improvements on the specs is welcome.

Thanks!
Joe


-- 
Joe Doss
joe@solidadmin.com

Re: [WireGuard] Fedora WireGuard RPMs

[Jason A. Donenfeld]

Hey Joe,

This is great news! Thanks for doing that. Are you a Fedora developer
per chance?

A few notes for fixing this:

1) http://copr-dist-git.fedorainfracloud.org/cgit/jdoss/wireguard/wireguard-tools.git/tree/wireguard-tools.spec

a)
> BuildRequires:  libmnl-devel, kernel-devel, systemd
> Requires:       wireguard-dkms, systemd

Remove the systemd requirement.

b)
> install -p -D -m 0644 %{_builddir}/WireGuard-experimental-%{version}/contrib/examples/systemd/wgserver.service \
>    %{buildroot}%{_unitdir}/wgserver.service
> %attr(0644, root, root) %{_unitdir}/wgserver.service

Remove these lines. Do not install this systemd unit. It's in the
examples directory; thus it is an EXAMPLE. It is not meant to be
installed. When we write a unit that's meant to be installed, `make
install` will do it automatically.

Instead, copy all of contrib/examples to /usr/share/{pkg}/examples or
wherever the default Fedora examples directory is.

c)
> BuildRequires:  libmnl-devel, kernel-devel, systemd

Are you sure that the tools package requires kernel-devel? Did you
double check this?

d)
> install -Z -s -m 0755 -v %{_builddir}/WireGuard-experimental-%{version}/src/tools/wg \
>    %{buildroot}%{_bindir}/wg
> install -p -D -m 0644 %{_builddir}/WireGuard-experimental-%{version}/contrib/examples/systemd/wgserver.service \
>    %{buildroot}%{_unitdir}/wgserver.service
> install -p -D -m 0644 %{_builddir}/WireGuard-experimental-%{version}/src/tools/wg.8 \
>    %{buildroot}%{_mandir}/man8/wg.8
> %defattr(-,root,root,-)
> %attr(0755, root, root) %{_bindir}/wg
> %attr(0644, root, root) %{_unitdir}/wgserver.service
> %attr(0644, root, root) %{_mandir}/man8/wg.8*

All of this is garbage. Instead, use `make install` and set the
environment variables appropriately. By default they are:
PREFIX ?= /usr
DESTDIR ?=
BINDIR ?= $(PREFIX)/bin
LIBDIR ?= $(PREFIX)/lib
MANDIR ?= $(PREFIX)/share/man
RUNSTATEDIR ?= /var/run

I imagine here you'll want to roll with something like:

DESTDIR=%{buildroot} BINDIR=%{_bindir} MANDIR=%{_mandir}
RUNSTATEDIR=/run make install


2) http://copr-dist-git.fedorainfracloud.org/cgit/jdoss/wireguard/wireguard-dkms.git/tree/wireguard-dkms.conf

I recommend you use Debian's as a starting point:
https://anonscm.debian.org/git/collab-maint/wireguard.git/tree/debian/wireguard-dkms.dkms

In particular DEST_MODULE_LOCATION="/kernel/net" and
BUILD_EXCLUSIVE_KERNEL="^(4\.[^0]|[5-9])".

3) http://copr-dist-git.fedorainfracloud.org/cgit/jdoss/wireguard/wireguard-dkms.git/tree/wireguard-dkms.spec

a)
> BuildRequires:  libmnl-devel, kernel-devel, sed

The kernel module does not require libmnl-devel.

b)
> cp -fr %{_builddir}/WireGuard-experimental-%{version}/* %{buildroot}%{_usrsrc}/%{dkms_name}-%{version}/

You might consider instead only copying src/.


Please let me know when you've addressed 1a, 1b, 1c, 1d, 2, 3a, and
3b, and then I'll add your instructions to the wireguard.io website.

Thanks for your hard work on this. Much appreciated.

Jason

Re: [WireGuard] Fedora WireGuard RPMs

[David Woodhouse]

[-- Attachment #1: Type: text/plain, Size: 488 bytes --]

On Wed, 2016-08-17 at 16:38 +0200, Jason A. Donenfeld wrote:
> 
> a)
> > BuildRequires:  libmnl-devel, kernel-devel, systemd
> > Requires:       wireguard-dkms, systemd
> 
> Remove the systemd requirement.

The BR should also be for 'pkgconfig(libmnl)', not 'libmnl-devel',
shouldn't it?

Unless WireGuard isn't actually using pkgconfig to find the library?
In which case WireGuard should be fixed and *then* the BR should be for
'pkgconfig(libmnl)' :)


-- 
dwmw2

[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5760 bytes --]

Re: [WireGuard] Fedora WireGuard RPMs

[Jason A. Donenfeld]

On Wed, Aug 17, 2016 at 4:44 PM, David Woodhouse <dwmw2@infradead.org> wrote:
>
> The BR should also be for 'pkgconfig(libmnl)', not 'libmnl-devel',
> shouldn't it?
>
> Unless WireGuard isn't actually using pkgconfig to find the library?
> In which case WireGuard should be fixed and *then* the BR should be for
> 'pkgconfig(libmnl)' :)

WireGuard is using pkgconfig. David is right about pkgconfig(libmnl).

Re: [WireGuard] Fedora WireGuard RPMs

[Joe Doss]

On 08/17/2016 09:38 AM, Jason A. Donenfeld wrote:
> Hey Joe,
>
> This is great news! Thanks for doing that. Are you a Fedora developer
> per chance?

I am not an official one currently, no. I don't have any packages in 
upstream Fedora yet. I am just a dude that likes to write RPMs and 
contributing to cool open source projects. :)

> A few notes for fixing this:
>
> 1) http://copr-dist-git.fedorainfracloud.org/cgit/jdoss/wireguard/wireguard-tools.git/tree/wireguard-tools.spec
>
> a)
>> BuildRequires:  libmnl-devel, kernel-devel, systemd
>> Requires:       wireguard-dkms, systemd
>
> Remove the systemd requirement.

Done.

> b)
>> install -p -D -m 0644 %{_builddir}/WireGuard-experimental-%{version}/contrib/examples/systemd/wgserver.service \
>>    %{buildroot}%{_unitdir}/wgserver.service
>> %attr(0644, root, root) %{_unitdir}/wgserver.service
>
> Remove these lines. Do not install this systemd unit. It's in the
> examples directory; thus it is an EXAMPLE. It is not meant to be
> installed. When we write a unit that's meant to be installed, `make
> install` will do it automatically.

Fair enough. Removed.

> Instead, copy all of contrib/examples to /usr/share/{pkg}/examples or
> wherever the default Fedora examples directory is.

Done.

> c)
>> BuildRequires:  libmnl-devel, kernel-devel, systemd
>
> Are you sure that the tools package requires kernel-devel? Did you
> double check this?

It doesn't need it. Fixed.

> d)
>> install -Z -s -m 0755 -v %{_builddir}/WireGuard-experimental-%{version}/src/tools/wg \
>>    %{buildroot}%{_bindir}/wg
>> install -p -D -m 0644 %{_builddir}/WireGuard-experimental-%{version}/contrib/examples/systemd/wgserver.service \
>>    %{buildroot}%{_unitdir}/wgserver.service
>> install -p -D -m 0644 %{_builddir}/WireGuard-experimental-%{version}/src/tools/wg.8 \
>>    %{buildroot}%{_mandir}/man8/wg.8
>> %defattr(-,root,root,-)
>> %attr(0755, root, root) %{_bindir}/wg
>> %attr(0644, root, root) %{_unitdir}/wgserver.service
>> %attr(0644, root, root) %{_mandir}/man8/wg.8*
>
> All of this is garbage. Instead, use `make install` and set the
> environment variables appropriately. By default they are:
> PREFIX ?= /usr
> DESTDIR ?=
> BINDIR ?= $(PREFIX)/bin
> LIBDIR ?= $(PREFIX)/lib
> MANDIR ?= $(PREFIX)/share/man
> RUNSTATEDIR ?= /var/run
>
> I imagine here you'll want to roll with something like:
>
> DESTDIR=%{buildroot} BINDIR=%{_bindir} MANDIR=%{_mandir}
> RUNSTATEDIR=/run make install

Fixed. I guess I was doing it the hard way eh? :)

> 2) http://copr-dist-git.fedorainfracloud.org/cgit/jdoss/wireguard/wireguard-dkms.git/tree/wireguard-dkms.conf
>
> I recommend you use Debian's as a starting point:
> https://anonscm.debian.org/git/collab-maint/wireguard.git/tree/debian/wireguard-dkms.dkms
>
> In particular DEST_MODULE_LOCATION="/kernel/net" and
> BUILD_EXCLUSIVE_KERNEL="^(4\.[^0]|[5-9])".

Done.

> 3) http://copr-dist-git.fedorainfracloud.org/cgit/jdoss/wireguard/wireguard-dkms.git/tree/wireguard-dkms.spec
>
> a)
>> BuildRequires:  libmnl-devel, kernel-devel, sed
>
> The kernel module does not require libmnl-devel.

Fixed.

> b)
>> cp -fr %{_builddir}/WireGuard-experimental-%{version}/* %{buildroot}%{_usrsrc}/%{dkms_name}-%{version}/
>
> You might consider instead only copying src/.

Good idea. Fixed.

> Please let me know when you've addressed 1a, 1b, 1c, 1d, 2, 3a, and
> 3b, and then I'll add your instructions to the wireguard.io website.

Some gotchas for Fedora might be issues using DKMS if they have secure 
boot enabled. You might want to mention that as the kmod generated by 
DKMS isn't signed, so loading it with secure boot will fail.

Also, SELinux is set enforcing by default on Fedora. I am not sure if 
that is going to cause any issues either.

Other than that, the RPMs should be good to go. Let me know if you want 
any other changes before adding the install instructions to the site.

> Thanks for your hard work on this. Much appreciated.

No problem! Glad to help. Thanks for your awesome work on WireGuard. :)

Joe




-- 
Joe Doss
joe@solidadmin.com

Re: [WireGuard] Fedora WireGuard RPMs

[Bruno Wolff III]

On Wed, Aug 17, 2016 at 14:39:16 -0500,
  Joe Doss <joe@solidadmin.com> wrote:
>
>Also, SELinux is set enforcing by default on Fedora. I am not sure if 
>that is going to cause any issues either.

Users run unconfined (technically there are confined by a policy that lets 
them do almost anything) so generally there won't be a problem for stuff 
they run manually. However I did hit issues running stuff in a service. 
I didn't try to figure out what the correct fix was and kust added an 
allow rule. I suspect there was a better solution using labelling, but I 
didn't think it was worth worrying about.

Re: [WireGuard] Fedora WireGuard RPMs

[Jason A. Donenfeld]

Hey Joe,

Terrific! We're all set now:
https://www.wireguard.io/install/

I've put the instructions on there.

Thanks so much for doing this. I really appreciate it.

Regards,
Jason