githubixx / ansible-role-wireguard

Ansible role for installing WireGuard VPN. Supports Ubuntu, Debian, Archlinux, Fedora and CentOS.
https://www.tauceti.blog/post/kubernetes-the-not-so-hard-way-with-ansible-wireguard/

Debian vanilla tasks fetches headers ahead of current kernel #62

Closed ldelelis closed 4 years ago

ldelelis commented 4 years ago

The host I'm trying to target currently runs kernel 4.19.0-9-amd64, which is one patch (is this the correct name?) version behind the current release (4.19.0-10). As it's not a -cloud- tagged kernel, the debian-vanilla tasks attempt to fetch linux-headers-amd64, which pulls headers from a version outside my current kernel.

This makes wireguard's modprobe step fail, as it can't find the module for 4.19.0-9. Upgrading the kernel is not an option at the moment.

I can provide execution logs if necessary, just let me know.

Steps to reproduce

I managed to make this reproducible via Vagrant:

Vagrant.configure("2") do |config|
  config.vm.box = "debian/buster64"

  config.vm.define "vpn"

  config.vm.provision "ansible" do |ans|
    ans.playbook = "../config-management/site.yaml" # Or any yaml that just includes the wireguard role
    ans.groups = {
      "vpn" => ["vpn"],
    }
    ans.host_vars = {
      "vpn" => {
        "wireguard_address" => "10.0.0.2/24"
      }
    }
  end
end

Workaround diff

I managed to make the role work on my use case by applying the following diff. However, I do not know the consequences this change could have on other environments:

diff --git a/tasks/setup-debian-vanilla.yml b/tasks/setup-debian-vanilla.yml
index 0b6aa0b..b45ce72 100644
--- a/tasks/setup-debian-vanilla.yml
+++ b/tasks/setup-debian-vanilla.yml
@@ -19,7 +19,7 @@
   changed_when: False

 - set_fact:
-    kernel_header_version: "{{ ('-cloud-' in ansible_kernel) | ternary(ansible_kernel,dpkg_arch.stdout) }}"
+    kernel_header_version: "{{ ansible_kernel }}"

 - name: (Debian) Install kernel headers to compile Wireguard with DKMS
   apt:
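
Review bot: on the changed `kernel_header_version` line, pinning to `{{ ansible_kernel }}` unconditionally makes the install depend on `linux-headers-<running kernel>` still being offered by the host's apt sources, and it stops pulling headers for a newer kernel, so after the next kernel upgrade and reboot DKMS has nothing to build against until the role runs again. Consider installing the exact package for the running kernel alongside the metapackage, and failing with a clear message when the exact package is unavailable. With the ternary gone, `dpkg_arch.stdout` is no longer used in this hunk; if nothing else references it, drop the task that registers it, and give the `set_fact` task a `name:` like the apt task below it.
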
githubixx commented 4 years ago

Thanks for the report! I don't have Debian installed. This code was contributed by various people. But after installing Docker image debian:buster I'm wondering if dpkg_arch.stdout is really needed or if it's just good enough to use ansible_kernel variable.

Can you please provide the output of apt-cache search linux-headers- | sort? It would also be interesting to have the output of ansible -m setup some_debian_host (where some_debian_host should be a host with a Debian OS that hasn't reached end of life (EOL) - which is basically only Buster while Stretch is still in the EOL LTS time frame).

ldelelis commented 4 years ago

Thank you for replying! Sure, here are the outputs, running from the provided Vagrantfile:

# apt-cache search linux-headers- | sort
linux-headers-4.19.0-10-all - All header files for Linux 4.19 (meta-package)
linux-headers-4.19.0-10-all-amd64 - All header files for Linux 4.19 (meta-package)
linux-headers-4.19.0-10-amd64 - Header files for Linux 4.19.0-10-amd64
linux-headers-4.19.0-10-cloud-amd64 - Header files for Linux 4.19.0-10-cloud-amd64
linux-headers-4.19.0-10-common - Common header files for Linux 4.19.0-10
linux-headers-4.19.0-10-common-rt - Common header files for Linux 4.19.0-10-rt
linux-headers-4.19.0-10-rt-amd64 - Header files for Linux 4.19.0-10-rt-amd64
linux-headers-4.19.0-6-all - All header files for Linux 4.19 (meta-package)
linux-headers-4.19.0-6-all-amd64 - All header files for Linux 4.19 (meta-package)
linux-headers-4.19.0-6-amd64 - Header files for Linux 4.19.0-6-amd64
linux-headers-4.19.0-6-cloud-amd64 - Header files for Linux 4.19.0-6-cloud-amd64
linux-headers-4.19.0-6-common - Common header files for Linux 4.19.0-6
linux-headers-4.19.0-6-common-rt - Common header files for Linux 4.19.0-6-rt
linux-headers-4.19.0-6-rt-amd64 - Header files for Linux 4.19.0-6-rt-amd64
linux-headers-4.19.0-8-all - All header files for Linux 4.19 (meta-package)
linux-headers-4.19.0-8-all-amd64 - All header files for Linux 4.19 (meta-package)
linux-headers-4.19.0-8-amd64 - Header files for Linux 4.19.0-8-amd64
linux-headers-4.19.0-8-cloud-amd64 - Header files for Linux 4.19.0-8-cloud-amd64
linux-headers-4.19.0-8-common - Common header files for Linux 4.19.0-8
linux-headers-4.19.0-8-common-rt - Common header files for Linux 4.19.0-8-rt
linux-headers-4.19.0-8-rt-amd64 - Header files for Linux 4.19.0-8-rt-amd64
linux-headers-4.19.0-9-all - All header files for Linux 4.19 (meta-package)
linux-headers-4.19.0-9-all-amd64 - All header files for Linux 4.19 (meta-package)
linux-headers-4.19.0-9-amd64 - Header files for Linux 4.19.0-9-amd64
linux-headers-4.19.0-9-cloud-amd64 - Header files for Linux 4.19.0-9-cloud-amd64
linux-headers-4.19.0-9-common - Common header files for Linux 4.19.0-9
linux-headers-4.19.0-9-common-rt - Common header files for Linux 4.19.0-9-rt
linux-headers-4.19.0-9-rt-amd64 - Header files for Linux 4.19.0-9-rt-amd64
linux-headers-5.4.0-0.bpo.2-all - All header files for Linux 5.4 (meta-package)
linux-headers-5.4.0-0.bpo.2-all-amd64 - All header files for Linux 5.4 (meta-package)
linux-headers-5.4.0-0.bpo.2-amd64 - Header files for Linux 5.4.0-0.bpo.2-amd64
linux-headers-5.4.0-0.bpo.2-cloud-amd64 - Header files for Linux 5.4.0-0.bpo.2-cloud-amd64
linux-headers-5.4.0-0.bpo.2-common - Common header files for Linux 5.4.0-0.bpo.2
linux-headers-5.4.0-0.bpo.2-common-rt - Common header files for Linux 5.4.0-0.bpo.2-rt
linux-headers-5.4.0-0.bpo.2-rt-amd64 - Header files for Linux 5.4.0-0.bpo.2-rt-amd64
linux-headers-5.4.0-0.bpo.3-all - All header files for Linux 5.4 (meta-package)
linux-headers-5.4.0-0.bpo.3-all-amd64 - All header files for Linux 5.4 (meta-package)
linux-headers-5.4.0-0.bpo.3-amd64 - Header files for Linux 5.4.0-0.bpo.3-amd64
linux-headers-5.4.0-0.bpo.3-cloud-amd64 - Header files for Linux 5.4.0-0.bpo.3-cloud-amd64
linux-headers-5.4.0-0.bpo.3-common - Common header files for Linux 5.4.0-0.bpo.3
linux-headers-5.4.0-0.bpo.3-common-rt - Common header files for Linux 5.4.0-0.bpo.3-rt
linux-headers-5.4.0-0.bpo.3-rt-amd64 - Header files for Linux 5.4.0-0.bpo.3-rt-amd64
linux-headers-5.4.0-0.bpo.4-all - All header files for Linux 5.4 (meta-package)
linux-headers-5.4.0-0.bpo.4-all-amd64 - All header files for Linux 5.4 (meta-package)
linux-headers-5.4.0-0.bpo.4-amd64 - Header files for Linux 5.4.0-0.bpo.4-amd64
linux-headers-5.4.0-0.bpo.4-cloud-amd64 - Header files for Linux 5.4.0-0.bpo.4-cloud-amd64
linux-headers-5.4.0-0.bpo.4-common - Common header files for Linux 5.4.0-0.bpo.4
linux-headers-5.4.0-0.bpo.4-common-rt - Common header files for Linux 5.4.0-0.bpo.4-rt
linux-headers-5.4.0-0.bpo.4-rt-amd64 - Header files for Linux 5.4.0-0.bpo.4-rt-amd64
linux-headers-5.5.0-0.bpo.2-all - All header files for Linux 5.5 (meta-package)
linux-headers-5.5.0-0.bpo.2-all-amd64 - All header files for Linux 5.5 (meta-package)
linux-headers-5.5.0-0.bpo.2-amd64 - Header files for Linux 5.5.0-0.bpo.2-amd64
linux-headers-5.5.0-0.bpo.2-cloud-amd64 - Header files for Linux 5.5.0-0.bpo.2-cloud-amd64
linux-headers-5.5.0-0.bpo.2-common - Common header files for Linux 5.5.0-0.bpo.2
linux-headers-5.6.0-0.bpo.2-amd64 - Header files for Linux 5.6.0-0.bpo.2-amd64
linux-headers-5.6.0-0.bpo.2-cloud-amd64 - Header files for Linux 5.6.0-0.bpo.2-cloud-amd64
linux-headers-5.6.0-0.bpo.2-common - Common header files for Linux 5.6.0-0.bpo.2
linux-headers-5.6.0-0.bpo.2-common-rt - Common header files for Linux 5.6.0-0.bpo.2-rt
linux-headers-5.6.0-0.bpo.2-rt-amd64 - Header files for Linux 5.6.0-0.bpo.2-rt-amd64
linux-headers-5.7.0-0.bpo.2-amd64 - Header files for Linux 5.7.0-0.bpo.2-amd64
linux-headers-5.7.0-0.bpo.2-cloud-amd64 - Header files for Linux 5.7.0-0.bpo.2-cloud-amd64
linux-headers-5.7.0-0.bpo.2-common - Common header files for Linux 5.7.0-0.bpo.2
linux-headers-amd64 - Header files for Linux amd64 configuration (meta-package)
linux-headers-cloud-amd64 - Header files for Linux cloud-amd64 configuration (meta-package)
linux-headers-rt-amd64 - Header files for Linux rt-amd64 configuration (meta-package)

Ansible setup: http://linkode.org/#04HQbTCJVAu5kz5mP2Sqy7 (using an external pastebin since output is ~400 lines long)
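
An added example, not part of the thread or of the role's code: a shell preflight that contrasts the header package selected before and after the workaround diff and checks that headers for the running kernel are actually installable. The function names are hypothetical, the package list is a constructed subset of the output above, and it assumes the role installs `linux-headers-<kernel_header_version>` with `dpkg_arch.stdout` being `amd64`.

```shell
#!/bin/sh
# Constructed sample: a subset of the `apt-cache search linux-headers-` lines
# posted in this thread (note that no 4.19.0-7 package is listed there).
sample_pkgs() {
cat <<'EOF'
linux-headers-4.19.0-10-amd64 - Header files for Linux 4.19.0-10-amd64
linux-headers-4.19.0-6-amd64 - Header files for Linux 4.19.0-6-amd64
linux-headers-4.19.0-8-amd64 - Header files for Linux 4.19.0-8-amd64
linux-headers-4.19.0-9-amd64 - Header files for Linux 4.19.0-9-amd64
linux-headers-4.19.0-9-cloud-amd64 - Header files for Linux 4.19.0-9-cloud-amd64
linux-headers-amd64 - Header files for Linux amd64 configuration (meta-package)
EOF
}

# Selection before the diff: exact kernel release for -cloud- kernels,
# otherwise the architecture metapackage (assumed: linux-headers-<arch>).
old_choice() {  # $1 = uname -r, $2 = dpkg --print-architecture
  case "$1" in
    *-cloud-*) printf 'linux-headers-%s\n' "$1" ;;
    *)         printf 'linux-headers-%s\n' "$2" ;;
  esac
}

# Selection after the diff: always the running kernel release.
new_choice() { printf 'linux-headers-%s\n' "$1"; }

# Succeeds only if the package list on stdin offers exactly package $1.
pkg_available() { awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'; }

# Preflight for the DKMS build: print the header package that matches the
# running kernel, or fail before modprobe does when apt cannot provide it.
preflight() {  # $1 = uname -r; package list on stdin
  pkg=$(new_choice "$1")
  if pkg_available "$pkg"; then
    printf '%s\n' "$pkg"
  else
    printf 'no %s in apt sources; DKMS cannot build for %s\n' "$pkg" "$1" >&2
    return 1
  fi
}

# Demo with the kernel release reported in the issue.
sample_pkgs | preflight 4.19.0-9-amd64
```

On a real host the list would come from `apt-cache search linux-headers-` and the release from `uname -r`.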

githubixx commented 4 years ago

I'm waiting until https://github.com/githubixx/ansible-role-wireguard/pull/67 can be merged. I'll prepare a PR afterwards. @ldelelis Is it possible for you to test the change by checking out the branch I'll prepare? That would be helpful.

ldelelis commented 4 years ago

Sure! Just let me know when the changeset is ready and I'll run the same tests

ypid commented 4 years ago

I also faced this issue and propose #77 to fix it.

ypid commented 4 years ago

Or we just reboot the server when it does not run the latest kernel. What do you think :) ?

(I don’t think we should do that. It is not even needed to reboot for this.)

Ref: https://github.com/b-m-f/Wirt/blob/master/ansible/tasks/wireguard.yml