Wireguard kernel modules cannot be reliably built on gateways
There is an ongoing issue with the Wireguard kernel module not being buildable, due to lack of headers:
```
finn@gateway:~$ sudo apt install --reinstall wireguard-dkms
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/265 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 83627 files and directories currently installed.)
Preparing to unpack .../wireguard-dkms_0.0.20191012-1_all.deb ...
------------------------------
Deleting module version: 0.0.20191012
completely from the DKMS tree.
------------------------------
Done.
Unpacking wireguard-dkms (0.0.20191012-1) over (0.0.20191012-1) ...
Setting up wireguard-dkms (0.0.20191012-1) ...
Loading new wireguard-0.0.20191012 DKMS files...
Building for 5.2.0-2-cloud-amd64
Module build for kernel 5.2.0-2-cloud-amd64 was skipped since the
kernel headers for this kernel does not seem to be installed.
```
But the headers for that kernel version don't seem to exist:
```
finn@gateway:~$ sudo apt install linux-headers-5.2.0-2-cloud-amd64
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package linux-headers-5.2.0-2-cloud-amd64
E: Couldn't find any package by glob 'linux-headers-5.2.0-2-cloud-amd64'
E: Couldn't find any package by regex 'linux-headers-5.2.0-2-cloud-amd64'
```
I'm not clear what exactly is going wrong, but some things I've noticed:
- Per the wireguard docs we have to add the sid repos, and pin them to a priority of 90. I haven't been able to figure out what the default priority is, but I assume it's higher than 90, causing packages from the stable repo to be prioritized if they exist. I also don't really understand apt pinning in general; maybe there are some other side effects of that file that I'm not seeing.
- The kernel version that's currently installed appears to be the latest version in buster-backports, so it seems likely that it got installed from that repo.
- It's not clear why the headers package for this version doesn't exist.
- I've considered going and asking where these headers are, but even that will just be a temporary fix. Maybe we should consider a mechanism to ensure kernel upgrades don't happen until the associated headers are available.
- This has been ongoing for a while.
- I've been testing this on the `fruit-0` gateway, and noticed that that machine seems a little different, possibly due to my testing.
  - I rebooted that gateway on accident, causing the wireguard not to come up. The gateways on the other nodes should still have wireguard running, because it was installed before the kernel was upgraded.
  - `lsb_release -c` shows `sid` on fruit-0 and `buster` on fruit-2
  - `gateway.fruit-2.entanglement.garden` is running a newer kernel version that seems to have corresponding headers.
- When I asked about this on IRC, I was told:
  > you have to run linux-image-5.2.0-3-cloud-amd64 if you want to build 3rd party kernel modules
- That package isn't available, not sure what to do about that.
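
One way to implement the "don't upgrade the kernel until its headers exist" check suggested above. This is an added example, not part of the original issue. The function names and the `--host` switch are hypothetical, and the sample package list is constructed.

```shell
#!/bin/sh
# Added example: report kernel releases that have no matching
# linux-headers-<release> package, i.e. kernels DKMS could not build for.

# Constructed sample of available header packages (not taken from a real host).
SAMPLE_AVAILABLE='linux-headers-4.19.0-6-amd64
linux-headers-4.19.0-6-cloud-amd64'

# Read kernel releases on stdin; print those whose headers package is not in
# the newline-separated package list passed as $1.
kernels_missing_headers() {
    kmh_available="$1"
    while IFS= read -r kmh_release; do
        [ -n "$kmh_release" ] || continue
        if ! printf '%s\n' "$kmh_available" |
                grep -qxF -- "linux-headers-${kmh_release}"; then
            printf '%s\n' "$kmh_release"
        fi
    done
}

# Releases of fully installed linux-image packages plus the running kernel.
installed_kernel_releases() {
    {
        dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' \
            'linux-image-[0-9]*' 2>/dev/null |
            awk '$1 == "ii" { sub(/^linux-image-/, "", $2)
                              sub(/-unsigned$/, "", $2); print $2 }'
        uname -r
    } | sort -u
}

# Check the local machine against what the configured apt sources offer.
check_host() {
    ch_missing="$(installed_kernel_releases |
        kernels_missing_headers "$(apt-cache pkgnames linux-headers-)")"
    [ -z "$ch_missing" ] && return 0
    printf 'no headers package available for: %s\n' $ch_missing >&2
    return 1
}

case "${1:-}" in
    --host) check_host ;;
    # Default: offline demo using the release from the log above.
    *) printf '%s\n' 5.2.0-2-cloud-amd64 4.19.0-6-amd64 |
           kernels_missing_headers "$SAMPLE_AVAILABLE" ;;
esac
```

Run with `--host` on a gateway, a non-zero exit means at least one installed kernel has no headers package in the configured repos, which is the point at which the kernel package could be held back (for example with `apt-mark hold`) before rebooting.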