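Installing WireGuard (HCE OS)
HCE OS 2.0 ships kernel 5.10, so the kernel source already includes WireGuard. That does not mean the compiled kernel has it built in or available as a module; in fact, it turned out to be disabled.
wireguard-tools is not installed either, and yum cannot find it: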
[root@ecs-openeuler etc]# yum search wireguard-tools
Last metadata expiration check: 0:00:42 ago on Mon 15 Aug 2022 05:25:09 PM CST.
No matches found.
So install it from source:
[root@ecs-openeuler src]# make
CC wg.o
CC config.o
CC curve25519.o
CC encoding.o
CC genkey.o
CC ipc.o
CC pubkey.o
CC set.o
CC setconf.o
CC show.o
CC showconf.o
CC terminal.o
LD wg
[root@ecs-openeuler src]# make install
'wg' -> '/usr/bin/wg'
'man/wg.8' -> '/usr/share/man/man8/wg.8'
'completion/wg.bash-completion' -> '/usr/share/bash-completion/completions/wg'
'wg-quick/linux.bash' -> '/usr/bin/wg-quick'
install: creating directory '/etc/wireguard'
'man/wg-quick.8' -> '/usr/share/man/man8/wg-quick.8'
'completion/wg-quick.bash-completion' -> '/usr/share/bash-completion/completions/wg-quick'
'systemd/wg-quick@.service' -> '/usr/lib/systemd/system/wg-quick@.service'
'systemd/wg-quick.target' -> '/usr/lib/systemd/system/wg-quick.target'
Generate a key pair:
[root@ecs-openeuler wireguard]# pwd
/etc/wireguard
[root@ecs-openeuler wireguard]# umask 077
[root@ecs-openeuler wireguard]# wg genkey >privatekey
[root@ecs-openeuler wireguard]# wg pubkey <privatekey >publickey
[root@ecs-openeuler wireguard]# ll
total 8
-rw------- 1 root root 45 Aug 15 18:05 privatekey
-rw------- 1 root root 45 Aug 15 18:06 publickey
[root@ecs-openeuler wireguard]# cat privatekey publickey
gOdQN/y/jmsS1k+tUfpXrCLEpddBj3y6sJvSiRFTGWE=
f+Ifa5PiXuwnpBssV5pnOTY//qPYfxQF3EoteD3SVWs=
Add the virtual interface wg0:
[root@ecs-openeuler wireguard]# ip link add dev wg0 type wireguard
Error: Unknown device type.
That failed. It looks like the kernel has no WireGuard support.
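The suspicion above can be confirmed from the kernel build config rather than inferred from the error. The following is an added example, not part of the original post: it reads Kconfig symbols from a config file and reports what they imply for WireGuard. Both sample configs are constructed, and the path /boot/config-$(uname -r) named in the comments is an assumed location that the post does not show.

```shell
#!/usr/bin/env bash
# Added example: read Kconfig symbols from a kernel build config file.

# kconfig_state FILE SYMBOL -> y | m | n ("is not set") | absent | <value>
kconfig_state() {
    local file=$1 sym=$2 line
    line=$(grep -E "^(# )?CONFIG_${sym}( is not set|=)" "$file" | tail -n 1) || true
    case $line in
        "CONFIG_${sym}=y") echo y ;;
        "CONFIG_${sym}=m") echo m ;;
        "# CONFIG_${sym} is not set") echo n ;;
        "") echo absent ;;
        *) echo "${line#*=}" ;;          # string or integer option
    esac
}

# wg_verdict FILE -> what the config implies for "ip link add ... type wireguard"
wg_verdict() {
    case $(kconfig_state "$1" WIREGUARD) in
        y) echo "built-in" ;;
        m) echo "module: modprobe wireguard" ;;
        *) echo "disabled: rebuild with CONFIG_WIREGUARD=m" ;;
    esac
}

# Constructed samples: "stock" mirrors what the post found, "rebuilt" the
# choices made in menuconfig. On a real host pass /boot/config-$(uname -r)
# instead (assumed location; not shown in the post).
stock=$(mktemp); rebuilt=$(mktemp)
cat >"$stock" <<'EOF'
# CONFIG_WIREGUARD is not set
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_KEY="./signing_key.pem"
EOF
cat >"$rebuilt" <<'EOF'
CONFIG_WIREGUARD=m
CONFIG_WIREGUARD_DEBUG=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
EOF

for cfg in "$stock" "$rebuilt"; do
    echo "WIREGUARD: $(wg_verdict "$cfg")"
    for s in WIREGUARD_DEBUG MODULE_SIG MODULE_SIG_KEY; do
        printf '  %-16s %s\n' "$s" "$(kconfig_state "$cfg" "$s")"
    done
done
```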
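In that case, try rebuilding the kernel from source with WireGuard enabled:
First install the kernel source:
yum install kernel-source.aarch64
Go to the source directory /usr/src/linux-5.10.0-60.18.0.50.h322_1.hce2.aarch64
Before running make menuconfig, install the dependencies ncurses-devel, flex and bison.
While there, search the tree: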
[root@ecs-openeuler linux-5.10.0-60.18.0.50.h322_1.hce2.aarch64]# find . -name "*wireguard*"
./tools/testing/selftests/wireguard
./drivers/net/wireguard
./include/uapi/linux/wireguard.h
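Run make menuconfig to open the kernel configuration interface:
Search for wireguard:
Following the path shown there, WireGuard is indeed not selected by default.
Select it as a module, and for learning and research, enable DEBUG as well.
Running make -j8 for a parallel build failed, so first install openssl-devel and bc.
When this error appears: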
make[1]: *** No rule to make target 'signing_key.pem', needed by 'certs/signing_key.x509'. Stop.
make[1]: *** Waiting for unfinished jobs....
EXTRACT_CERTS
make: *** [Makefile:1822: certs] Error 2
comment out this line in .config:
CONFIG_MODULE_SIG_KEY="./signing_key.pem"
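Start the build again. With the line commented out, the option falls back to its default, certs/signing_key.pem, and a prompt appears: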
File name or PKCS#11 URI of module signing key (MODULE_SIG_KEY) [certs/signing_key.pem] (NEW)
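Just press Enter. The build then generates that signing key pair itself, as the output below shows, and finishes in about 20 minutes: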
*
* Restart config...
*
*
* Certificates for signature checking
*
File name or PKCS#11 URI of module signing key (MODULE_SIG_KEY) [certs/signing_key.pem] (NEW)
Provide system-wide ring of trusted keys (SYSTEM_TRUSTED_KEYRING) [Y/?] y
Additional X.509 keys for default system keyring (SYSTEM_TRUSTED_KEYS) []
Reserve area for inserting a certificate without recompiling (SYSTEM_EXTRA_CERTIFICATE) [N/y/?] n
Provide a keyring to which extra trustable keys may be added (SECONDARY_TRUSTED_KEYRING) [Y/n/?] y
Provide system-wide ring of blacklisted keys (SYSTEM_BLACKLIST_KEYRING) [Y/n/?] y
Hashes to be preloaded into the system blacklist keyring (SYSTEM_BLACKLIST_HASH_LIST) []
Provide system-wide ring of revocation certificates (SYSTEM_REVOCATION_LIST) [Y/n/?] y
X.509 certificates to be preloaded into the system blacklist keyring (SYSTEM_REVOCATION_KEYS) []
Preload PGP public keys (PGP_PRELOAD_PUBLIC_KEYS) [Y/n/?] y
CALL scripts/atomic/check-atomics.sh
CALL scripts/checksyscalls.sh
CC mm/filemap.o
CHK include/generated/compile.h
###
### Now generating an X.509 key pair to be used for signing modules.
###
### If this takes a long time, you might wish to run rngd in the
### background to keep the supply of entropy topped up. It
### needs to be run as root, and uses a hardware random
### number generator if one is available.
CC mm/mempool.o
###
CC certs/common.o
Generating a RSA private key
......... CC certs/blacklist.o
....................................... EXTRACT_CERTS
.. CC certs/blacklist_nohashes.o
............................................... AS certs/revocation_certificates.o
........... CC fs/notify/dnotify/dnotify.o
....... CC fs/notify/inotify/inotify_fsnotify.o
............ CC fs/notify/inotify/inotify_user.o
.................................................... UPD kernel/config_data
.......++ AR fs/nfs_common/built-in.a
+ CC [M] fs/nfs_common/nfsacl.o
+
...............................++++
writing new private key to 'certs/signing_key.pem'
-----
###
### Key pair generated.
###
EXTRACT_CERTS certs/signing_key.pem
AS certs/system_certificates.o
AR certs/built-in.a
Then run make modules_install; make install
After a reboot, modprobe wireguard:
modprobe: FATAL: Module wireguard not found in directory /lib/modules/5.10.0-60.18.0.50.h322_1.hce2.aarch64
# Check the module directories, the running kernel version and its build time
[root@ecs-openeuler ~]# ls /lib/modules
5.10.0 5.10.0-60.18.0.50.h322_1.hce2.aarch64 HCE
[root@ecs-openeuler modules]# uname -a
Linux ecs-openeuler 5.10.0-60.18.0.50.h322_1.hce2.aarch64 #1 SMP Tue Jul 5 02:37:28 UTC 2022 aarch64 aarch64 aarch64 GNU/Linux
The 5.10.0 directory contains a large number of freshly generated files, so the newly built kernel was not used by default at boot.
[root@ecs-openeuler modules]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
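# This was "saved", i.e. boot the last choice stored by GRUB_SAVEDEFAULT. On an ECS nobody watches the boot menu on screen, so set the kernel directly by index instead
# In /boot/efi/EFI/hce/grub.cfg the newly built kernel is the first entry, so change it to 0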
#GRUB_DEFAULT=saved
GRUB_DEFAULT=0
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="net.ifnames=0 consoleblank=600 console=ttyAMA0,115200n8 mitigations=off crashkernel=512M crash_kexec_post_notifiers panic=1 vga=0x317 nohz=off smmu.bypassdev=0x1000:0x17 smmu.bypassdev=0x1000:0x15 selinux=0 console=tty0 rd.shell=0"
GRUB_DISABLE_RECOVERY="true"
The change above did not feel quite right, so I reverted it
and used the following commands repeatedly to set and confirm the default:
[root@ecs-openeuler modules]# awk -F\' /^menuentry/{print\$2} /etc/grub2-efi.cfg
Huawei Cloud EulerOS (5.10.0) 2.0
Huawei Cloud EulerOS (5.10.0-60.18.0.50.h322_1.hce2.aarch64) 2.0
Huawei Cloud EulerOS (0-rescue) 2.0
[root@ecs-openeuler modules]# grub2-set-default 0
[root@ecs-openeuler modules]# grep saved /boot/grub2/grubenv
saved_entry=0
[root@ecs-openeuler modules]# grub2-mkconfig -o /boot/efi/EFI/hce/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-5.10.0-60.18.0.50.h322_1.hce2.aarch64
Found initrd image: /boot/initramfs-5.10.0-60.18.0.50.h322_1.hce2.aarch64.img
Found linux image: /boot/vmlinuz-5.10.0
Found initrd image: /boot/initramfs-5.10.0.img
Found linux image: /boot/vmlinuz-0-rescue
Found initrd image: /boot/initramfs-0-rescue.img
Adding boot menu entry for UEFI Firmware Settings ...
done
After grub2-mkconfig, the order of the kernel list sometimes changes; adjust it with grub2-set-default and check again.
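Because the entry order can change, the index is safer to derive from the kernel version than to guess. The following is an added example, not part of the original post: it resolves the 0-based menu index from grub.cfg by title, on the assumption that all entries are top-level (GRUB_DISABLE_SUBMENU=true, as in the config above). The grub.cfg fragments are constructed from the three titles in the post, and the second ordering is a constructed model of the reordering described.

```shell
#!/usr/bin/env bash
# Added example: find a kernel's GRUB menu index by version, not by position.

# grub_entry_index CFG KVER -> 0-based index of the top-level menuentry whose
# title contains "(KVER)"; exit status 1 if there is none.
grub_entry_index() {
    awk -F"'" -v want="($2)" '
        BEGIN { n = 0 }
        /^menuentry / {
            if (index($2, want)) { print n; found = 1; exit }
            n++
        }
        END { exit !found }
    ' "$1"
}

# Constructed grub.cfg fragments using the three titles from the post.
# cfg_a follows the awk listing; cfg_b models a reordered menu.
cfg_a=$(mktemp); cfg_b=$(mktemp)
cat >"$cfg_a" <<'EOF'
menuentry 'Huawei Cloud EulerOS (5.10.0) 2.0' --class gnu-linux {
}
menuentry 'Huawei Cloud EulerOS (5.10.0-60.18.0.50.h322_1.hce2.aarch64) 2.0' --class gnu-linux {
}
menuentry 'Huawei Cloud EulerOS (0-rescue) 2.0' --class gnu-linux {
}
EOF
cat >"$cfg_b" <<'EOF'
menuentry 'Huawei Cloud EulerOS (5.10.0-60.18.0.50.h322_1.hce2.aarch64) 2.0' --class gnu-linux {
}
menuentry 'Huawei Cloud EulerOS (5.10.0) 2.0' --class gnu-linux {
}
menuentry 'Huawei Cloud EulerOS (0-rescue) 2.0' --class gnu-linux {
}
EOF

for cfg in "$cfg_a" "$cfg_b"; do
    idx=$(grub_entry_index "$cfg" 5.10.0) || { echo "no entry" >&2; continue; }
    # On the host this value would be passed to: grub2-set-default "$idx"
    echo "5.10.0 is entry $idx"
done
```

After the reboot, uname -r should print the version that was looked up; if it does not, the default did not take effect.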
After setting it and rebooting, it works:
[root@ecs-openeuler ~]# uname -a
Linux ecs-openeuler 5.10.0 #1 SMP Tue Aug 16 15:17:24 CST 2022 aarch64 aarch64 aarch64 GNU/Linux
# After loading the module
[root@ecs-openeuler ~]# lsmod |grep wireguard
wireguard 98304 0
libchacha20poly1305 16384 1 wireguard
ip6_udp_tunnel 16384 1 wireguard
udp_tunnel 28672 1 wireguard
libblake2s 16384 1 wireguard
libcurve25519_generic 40960 1 wireguard
[root@ecs-openeuler ~]# ip link add dev wg0 type wireguard
[root@ecs-openeuler ~]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether fa:16:3e:d3:d3:1e brd ff:ff:ff:ff:ff:ff
altname enp3s0
3: wg0: <POINTOPOINT,NOARP> mtu 1420 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/none