Hi guys.
I asked wireguad's devel and the author explained the troublesome case of wireguard & c8S - without me going into depth of that - do you guys know how to get Wireguard work in 8 Stream? With "official" way with copr from "jdoss/wireguard-tools" module remains broken for last two kernel versions.
many thanks, L.
Hey,
On 7/21/22 07:41, lejeczek via CentOS-devel wrote:
Hi guys.
I asked wireguad's devel and the author explained the troublesome case of wireguard & c8S - without me going into depth of that - do you guys know how to get Wireguard work in 8 Stream? With "official" way with copr from "jdoss/wireguard-tools" module remains broken for last two kernel versions.
In one of the systemd CIs (running on C8S) I use wireguard-tools from EPEL with kmod-wireguard provided by the kmods SIG[0] and it seems to work fine (at least our tests like it*).
* the kmod-wireguard package maybe needs a rebuild, since it still pulls in older kernel-core package, and on systems with kernel 4.18.0-408 it causes interesting things
[0] https://sigs.centos.org/kmods/repositories/
many thanks, L.
CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
Hi L,
You could otherwise use Oracle UEK kernel :
https://blogs.oracle.com/linux/post/how-to-setup-wireguard-on-oracle-linux
Regards, Jean-Marc
Le 21/07/2022 à 07:41, lejeczek via CentOS-devel a écrit :
Hi guys.
I asked wireguad's devel and the author explained the troublesome case of wireguard & c8S - without me going into depth of that - do you guys know how to get Wireguard work in 8 Stream? With "official" way with copr from "jdoss/wireguard-tools" module remains broken for last two kernel versions.
many thanks, L.
CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
It is a shame that RH/Stream are unable to support the WireGuard CI.
In addition to Oracle, you could also use RHEL or Alma or Rocky or any other supported distro/kernel.
On 21/07/2022 11:12, Jean-Marc Liger wrote:
Hi L,
You could otherwise use Oracle UEK kernel :
https://blogs.oracle.com/linux/post/how-to-setup-wireguard-on-oracle-linux
Regards, Jean-Marc
Le 21/07/2022 à 07:41, lejeczek via CentOS-devel a écrit :
Hi guys.
I asked wireguad's devel and the author explained the troublesome case of wireguard & c8S - without me going into depth of that - do you guys know how to get Wireguard work in 8 Stream? With "official" way with copr from "jdoss/wireguard-tools" module remains broken for last two kernel versions.
many thanks, L.
On Thu, Jul 21, 2022 at 9:25 AM Phil Perry pperry@elrepo.org wrote:
It is a shame that RH/Stream are unable to support the WireGuard CI.
In addition to Oracle, you could also use RHEL or Alma or Rocky or any other supported distro/kernel.
In this case, I think CentOS Stream is actually catching things as we expect. The next RHEL release (and therefore Alma, Rocky, or any other rebuild) will have the same issues if the changes aren't made before then. There's a bug reported for this and the resolution was that the out of tree Wireguard module for EL8 needs to stop defining a particular function in a header.
As a potential option, CentOS Stream 9/RHEL 9 has Wireguard included and does not have this issue to my knowledge.
josh
On 21/07/2022 11:12, Jean-Marc Liger wrote:
Hi L,
You could otherwise use Oracle UEK kernel :
https://blogs.oracle.com/linux/post/how-to-setup-wireguard-on-oracle-linux
Regards, Jean-Marc
Le 21/07/2022 à 07:41, lejeczek via CentOS-devel a écrit :
Hi guys.
I asked wireguad's devel and the author explained the troublesome case of wireguard & c8S - without me going into depth of that - do you guys know how to get Wireguard work in 8 Stream? With "official" way with copr from "jdoss/wireguard-tools" module remains broken for last two kernel versions.
many thanks, L.
CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
On 21/07/2022 14:37, Josh Boyer wrote:
On Thu, Jul 21, 2022 at 9:25 AM Phil Perry pperry@elrepo.org wrote:
It is a shame that RH/Stream are unable to support the WireGuard CI.
In addition to Oracle, you could also use RHEL or Alma or Rocky or any other supported distro/kernel.
In this case, I think CentOS Stream is actually catching things as we expect. The next RHEL release (and therefore Alma, Rocky, or any other rebuild) will have the same issues if the changes aren't made before then. There's a bug reported for this and the resolution was that the out of tree Wireguard module for EL8 needs to stop defining a particular function in a header.
The issue is that the C8S kernel will not run on the WireGuard CI [1], so WireGuard are unable/unwilling to address these issues upstream as part of their continuous development (as they do for every other kernel they backport to), _before_ they become an issue. If the C8S kernel ran on the WireGuard CI, these issues would get fixed at source and you would never see these filed bugs or mailing list threads.
WireGuard filed numerous bugs [2,3] with patches with Red Hat to get the Stream kernel running on the their CI, which Red Hat eventually declined to accept (and I totally get the reasons why), so WireGuard eventually gave up and dropped support for CentOS Stream.
The next best solution (other than getting Stream running on WireGuard's CI) would be for the kmod SIG (or some other 3rd party provider) to fix the code and ship kmods for Stream, but obviously that takes time and users are potentially left with a broken VPN each time a new kernel update is pushed. But it looks like upstream have lost interest in supporting Stream which is a shame.
[1] https://lists.zx2c4.com/pipermail/wireguard/2022-June/007664.html [2] https://bugzilla.redhat.com/show_bug.cgi?id=1905962 [3] https://bugzilla.redhat.com/show_bug.cgi?id=1839419
As a potential option, CentOS Stream 9/RHEL 9 has Wireguard included and does not have this issue to my knowledge.
josh
On 21/07/2022 11:12, Jean-Marc Liger wrote:
Hi L,
You could otherwise use Oracle UEK kernel :
https://blogs.oracle.com/linux/post/how-to-setup-wireguard-on-oracle-linux
Regards, Jean-Marc
Le 21/07/2022 à 07:41, lejeczek via CentOS-devel a écrit :
Hi guys.
I asked wireguad's devel and the author explained the troublesome case of wireguard & c8S - without me going into depth of that - do you guys know how to get Wireguard work in 8 Stream? With "official" way with copr from "jdoss/wireguard-tools" module remains broken for last two kernel versions.
many thanks, L.
On Thu, Jul 21, 2022 at 3:51 PM Phil Perry pperry@elrepo.org wrote:
On 21/07/2022 14:37, Josh Boyer wrote:
On Thu, Jul 21, 2022 at 9:25 AM Phil Perry pperry@elrepo.org wrote:
It is a shame that RH/Stream are unable to support the WireGuard CI.
In addition to Oracle, you could also use RHEL or Alma or Rocky or any other supported distro/kernel.
In this case, I think CentOS Stream is actually catching things as we expect. The next RHEL release (and therefore Alma, Rocky, or any other rebuild) will have the same issues if the changes aren't made before then. There's a bug reported for this and the resolution was that the out of tree Wireguard module for EL8 needs to stop defining a particular function in a header.
The issue is that the C8S kernel will not run on the WireGuard CI [1], so WireGuard are unable/unwilling to address these issues upstream as part of their continuous development (as they do for every other kernel they backport to), _before_ they become an issue. If the C8S kernel ran on the WireGuard CI, these issues would get fixed at source and you would never see these filed bugs or mailing list threads.
Thanks for the link to that post. I hadn't seen it. I think Jason did a good job of explaining the situation and was fair to all involved.
WireGuard filed numerous bugs [2,3] with patches with Red Hat to get the Stream kernel running on the their CI, which Red Hat eventually declined to accept (and I totally get the reasons why), so WireGuard eventually gave up and dropped support for CentOS Stream.
The next best solution (other than getting Stream running on WireGuard's CI) would be for the kmod SIG (or some other 3rd party provider) to fix the code and ship kmods for Stream, but obviously that takes time and users are potentially left with a broken VPN each time a new kernel update is pushed. But it looks like upstream have lost interest in supporting Stream which is a shame.
I do think it would be great if we could get more participation in the kmod SIG here. Building kmods for RHEL is indeed different than building for older upstream kernels as Jason highlighted, and it seems like handling that difference is exactly what the kmod SIG would be well positioned to do.
Given that the recent build issue is something I already briefly looked at, I figured I'd go ahead and fix it.
https://pagure.io/centos-sig-kmods/kmod-wireguard/pull-request/1
josh
On 22/07/2022 17.53, Josh Boyer wrote:
On Thu, Jul 21, 2022 at 3:51 PM Phil Perry pperry@elrepo.org wrote:
On 21/07/2022 14:37, Josh Boyer wrote:
On Thu, Jul 21, 2022 at 9:25 AM Phil Perry pperry@elrepo.org wrote:
It is a shame that RH/Stream are unable to support the WireGuard CI.
In addition to Oracle, you could also use RHEL or Alma or Rocky or any other supported distro/kernel.
In this case, I think CentOS Stream is actually catching things as we expect. The next RHEL release (and therefore Alma, Rocky, or any other rebuild) will have the same issues if the changes aren't made before then. There's a bug reported for this and the resolution was that the out of tree Wireguard module for EL8 needs to stop defining a particular function in a header.
The issue is that the C8S kernel will not run on the WireGuard CI [1], so WireGuard are unable/unwilling to address these issues upstream as part of their continuous development (as they do for every other kernel they backport to), _before_ they become an issue. If the C8S kernel ran on the WireGuard CI, these issues would get fixed at source and you would never see these filed bugs or mailing list threads.
Thanks for the link to that post. I hadn't seen it. I think Jason did a good job of explaining the situation and was fair to all involved.
The explanation by Jason is really good and definitely worth reading for everyone who wants to know about the issue concerning Wireguard on RHEL 7 (and clones), RHEL 8 (and clones), and Stream 8. I on purpose listed all affected systems here to emphasize that this issue is not limited to CentOS Stream 8 but also concerns RHEL 7 and 8 (and any of its clones).
WireGuard filed numerous bugs [2,3] with patches with Red Hat to get the Stream kernel running on the their CI, which Red Hat eventually declined to accept (and I totally get the reasons why), so WireGuard eventually gave up and dropped support for CentOS Stream.
The next best solution (other than getting Stream running on WireGuard's CI) would be for the kmod SIG (or some other 3rd party provider) to fix the code and ship kmods for Stream, but obviously that takes time and users are potentially left with a broken VPN each time a new kernel update is pushed. But it looks like upstream have lost interest in supporting Stream which is a shame.
I do think it would be great if we could get more participation in the kmod SIG here. Building kmods for RHEL is indeed different than building for older upstream kernels as Jason highlighted, and it seems like handling that difference is exactly what the kmod SIG would be well positioned to do.
Usually I manage to update Wireguard quite fast. However I'm currently on vacation and hence the updated version has seen a delayed release on July 21st which is two days after kernel-4.18.0-408.el8 has been built in koji. Anyways, I'd be really happy to see more participation in the Kmods SIG to ensure timely updates of all provided kmod packages and to add further useful kmods.
Given that the recent build issue is something I already briefly looked at, I figured I'd go ahead and fix it.
https://pagure.io/centos-sig-kmods/kmod-wireguard/pull-request/1
Thanks for opening a PR! Please see my comment there. I hope to finish the transition to GitLab shortly after I return from vacation and properly document it.
josh
CentOS-devel mailing list CentOS-devel@centos.org https://lists.centos.org/mailman/listinfo/centos-devel
-
František Šumšal -
Jean-Marc Liger -
Josh Boyer -
lejeczek -
Peter Georg -
Phil Perry