wireguard-tools should NOT recommend wireguard-dkms

Status changed to 'Confirmed' because the bug affects multiple users.

The wireguard virtual package should imply "modules|dkms", and in general the order for the recommends here should change to "modules|dkms". Additionally, the dkms module should skip kernels that already have wireguard. We fixed this in Debian two ways, here:

1. https://salsa.debian.org/debian/wireguard-linux-compat/-/blob/debian/master/debian/patches/0002-Avoid-trying-to-compile-on-debian-5.5-kernels-Closes.patch
Ubuntu will need a similar patch as this, but with slightly different semantics, likely.

2. https://salsa.debian.org/debian/wireguard/-/commit/2d36365079f4668660963c5c819db3b544c5d56f
This changes the Depends order accordingly.

FYI, there is no wireguard-modules package on Ubuntu and the wireguard.ko is shipped by linux-modules-5.4.0-XX-generic directly.

The kernel package has a "Provides: wireguard-modules", as wireguard-modules is a virtual.

At least that's how it's supposed to work.

To add to the list above of debian things:

3. https://salsa.debian.org/debian/wireguard/-/commit/b536ea7e12ee259e5d16e7e66a7b921837223023

I don't see wireguard-modules as being provided anywhere:

$ apt-cache show linux-image-generic linux-image-5.4.0-24-generic linux-modules-5.4.0-24-generic | grep Provides
Provides: virtualbox-guest-modules (= 6.1.4-dfsg-2), zfs-modules (= 0.8.3-1ubuntu11)
Provides: aufs-dkms, fuse-module, ivtv-modules, kvm-api-4, linux-image, redhat-cluster-modules, spl-dkms, spl-modules, virtualbox-guest-dkms, virtualbox-guest-modules, zfs-dkms, zfs-modules

Only linux-modules-5.4.0-XX-generic has "Built-Using" (dunno how that's used by apt) and it's the package actually shipping the .ko:

$ apt-cache show linux-modules-5.4.0-24-generic | grep wireguard
Built-Using: virtualbox-guest-dkms (= 6.1.4-dfsg-2), wireguard-dkms (= 1.0.20200401-1ubuntu1), zfs-dkms (= 0.8.3-1ubuntu11)

So I think the bug is twofold: 1) the kernel package is missing the "Provides: wireguard-modules" and 2) wireguard-tools "Recommends" ordering needs to have wireguard-modules first as done in Debian.

Something caught my attention:

$ lxc launch images:ubuntu/focal foo --vm
$ lxc exec foo -- apt-get update
$ lxc exec foo -- apt-get install -Vs wireguard-tools | grep wireguard
   wireguard (1.0.20200319-1ubuntu1)
   wireguard-dkms (1.0.20200413-1)
   wireguard (1.0.20200319-1ubuntu1)
   wireguard-dkms (1.0.20200413-1)
   wireguard-tools (1.0.20200319-1ubuntu1)
Inst wireguard-dkms (1.0.20200413-1 Ubuntu:20.04/focal [all])
Inst wireguard-tools (1.0.20200319-1ubuntu1 Ubuntu:20.04/focal [amd64])
Inst wireguard (1.0.20200319-1ubuntu1 Ubuntu:20.04/focal [all])
Conf wireguard-dkms (1.0.20200413-1 Ubuntu:20.04/focal [all])
Conf wireguard-tools (1.0.20200319-1ubuntu1 Ubuntu:20.04/focal [amd64])
Conf wireguard (1.0.20200319-1ubuntu1 Ubuntu:20.04/focal [all])

The wireguard{,-dkms,-tools} versions do not align: wireguard-dkms is newer. Maybe that's not relevant but I thought I'd mention it.

> The wireguard{,-dkms,-tools} versions do not align: wireguard-dkms is newer. Maybe that's not relevant but I thought I'd mention it.

This part doesn't matter. They're separate packages with separate releases and don't need to align.
https://git.zx2c4.com/wireguard-linux-compat/refs/
https://git.zx2c4.com/wireguard-tools/refs/

However, your mention about the Depends not actually being there is worrying. I thought I had observed the same thing the other day, but Unit193 convinced me I was mistaken, but I don't remember why. I'll wait for him or apw to chime in. I suspect there's an issue here though...

If so, that would mean we need the following to happen:

1. Reverse the order of wireguard-modules and wireguard-dkms in both the Depends: and Recommends:. Importing the latest Debian package will do this. ( https://salsa.debian.org/debian/wireguard/-/commit/2d36365079f4668660963c5c819db3b544c5d56f and https://salsa.debian.org/debian/wireguard/-/commit/b536ea7e12ee259e5d16e7e66a7b921837223023 )
2. Add Provides: wireguard-modules to the kernel package, just like Debian does ( https://salsa.debian.org/kernel-team/linux/-/commit/5a0532517e072117af71beb281b2cad86e55ba05 )
3. Tweak Debian's semantics for wireguard-dkms to handle the changed build exclusion based on Ubuntu's particulars. (modify https://salsa.debian.org/debian/wireguard-linux-compat/-/blob/debian/master/debian/patches/0002-Avoid-trying-to-compile-on-debian-5.5-kernels-Closes.patch )

Okay something is very amiss, and at this point a member of Canonical's kernel team is going to have to check. I downloaded the latest one from the mirrors:

https://mirrors.edge.kernel.org/ubuntu/pool/main/l/linux-meta/linux-image-generic_5.4.0.24.29_amd64.deb

This has:

Provides: virtualbox-guest-modules (= 6.1.4-dfsg-2), zfs-modules (= 0.8.3-1ubuntu11)

No wireguard-modules!

But then if I look at a much earlier deb, such as https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/unstable/+build/18884574/+files/linux-image-generic_5.4.0.20.24_amd64.deb :

Provides: virtualbox-guest-modules (= 6.1.4-dfsg-2), wireguard-modules (= 0.0.20200318-1ubuntu1), zfs-modules (= 0.8.3-1ubuntu8)

So what's going on here? Looks like there was some regression in Canonical's complex build scripts maybe?

Somebody else is going to have to look into this.

I've let people know in #ubuntu-kernel, so hopefully Canonical will take a look. To recap for whoever inherits this bug, the following things need to be done:

1. Add back the "Provides: wireguard-modules" in linux-image-generic. This is really important. It used to be there but has strangely been dropped, which is why this bug report was filed by a user.

2.. Reverse the order of wireguard-modules and wireguard-dkms in both the Depends: and Recommends:. Importing the latest Debian package will do this:
https://salsa.debian.org/debian/wireguard/-/commit/2d36365079f4668660963c5c819db3b544c5d56f
https://salsa.debian.org/debian/wireguard/-/commit/b536ea7e12ee259e5d16e7e66a7b921837223023

3. Optional: tweak Debian's semantics for wireguard-dkms to handle the changed build exclusion based on Ubuntu's particulars. That involves modifying:
https://salsa.debian.org/debian/wireguard-linux-compat/-/blob/debian/master/debian/patches/0002-Avoid-trying-to-compile-on-debian-5.5-kernels-Closes.patch

linux-image-generic only ships the vmlinuz so I believe that's why it doesn't directly "Provides: wireguard-modules". This is missing from linux-modules-5.4.0-XX-generic though which outta have it because does provides the .ko

> linux-image-generic only ships the vmlinuz so I believe that's why it doesn't directly "Provides: wireguard-modules". This is missing from linux-modules-5.4.0-XX-generic though which outta have it because does provides the .ko

Not sure this logic holds, considering that has Provides for other modules for which there is a .ko not in linux-image-generic.

wireguard-modules used to be there. Now it's not. A regression happened at some point.

Actually, it looks like it was dropped intentionally here by apw:

https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/debian?h=master-next&id=95b5fab11fa1e681a3adaba4f669efef8a18fd70

But maybe it never got added to the meta as the commit message describes?

> Actually, it looks like it was dropped intentionally here by apw:
> https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/debian?h=master-next&id=95b5fab11fa1e681a3adaba4f669efef8a18fd70
> But maybe it never got added to the meta as the commit message describes?

Actually, even weirder. That commit has in it:

BugLink: https://bugs.launchpad.net/bugs/1856414

That bug mentions nvidia, not wireguard. Is it possible that the Provides was simply removed for the wrong package?

Simon - to keep you updated on the bug you reported, this fixes issue (1), as described in comment #9: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux-meta/+git/focal/commit/?id=204fb3b2ae6b0c8c41c339f47949b45d571c4953

We'll keep this open until there's a decision/fix on (2) and (3), as described in comment #9.

This bug was fixed in the package linux-meta - 5.4.0.24.30

---------------
linux-meta (5.4.0.24.30) focal; urgency=medium

  * wireguard-tools should NOT recommend wireguard-dkms (LP: #1873288)
    - [Config] correct brown-paper-bag in wireguard provides

 -- Andy Whitcroft <email address hidden> Fri, 17 Apr 2020 09:43:01 +0100

Thanks Jason and Andy for the very quick turnaround, it's much appreciated!

Reopening this until we have some conclusion on (2) and (3) of #9.

Ah, looks like I can't.

The verification of the Stable Release Update for linux-meta-aws has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Looks like it's still in -proposed, not -updates:

zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/focal-proposed/main/binary-amd64/Packages.xz | unxz | grep -B11 Provides:.*wireguard | grep ^Package:
Package: linux-image-aws
Package: linux-image-azure
Package: linux-image-gcp
Package: linux-image-generic
Package: linux-image-generic-hwe-20.04
Package: linux-image-gke
Package: linux-image-kvm
Package: linux-image-lowlatency
Package: linux-image-lowlatency-hwe-20.04
Package: linux-image-oracle
Package: linux-image-virtual
Package: linux-image-virtual-hwe-20.04

zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/focal-updates/main/binary-amd64/Packages.xz | unxz | grep -B11 Provides:.*wireguard | grep ^Package:
Package: linux-image-generic
Package: linux-image-generic-hwe-20.04
Package: linux-image-lowlatency
Package: linux-image-lowlatency-hwe-20.04
Package: linux-image-virtual
Package: linux-image-virtual-hwe-20.04

All set now!

zx2c4@thinkpad ~ $ curl -s http://archive.ubuntu.com/ubuntu/dists/focal-updates/main/binary-amd64/Packages.xz | unxz | grep -B11 Provides:.*wireguard | grep ^Package:
Package: linux-image-aws
Package: linux-image-azure
Package: linux-image-gcp
Package: linux-image-generic
Package: linux-image-generic-hwe-20.04
Package: linux-image-gke
Package: linux-image-kvm
Package: linux-image-lowlatency
Package: linux-image-lowlatency-hwe-20.04
Package: linux-image-oracle
Package: linux-image-virtual
Package: linux-image-virtual-hwe-20.04

Indeed, install wireguard-tools on Focal doesn't pull the wireguard-dkms package.
I believe only 2) and 3) from comment 9 remain to be addressed.

Kernel team, is it safe to revert the order today for jammy?

I.e., can we apply this to the wireguard-tools package:
--- a/debian/control
+++ b/debian/control
@@ -18,7 +18,7 @@ Rules-Requires-Root: no
 Package: wireguard
 Architecture: all
 Depends:
- wireguard-dkms (>= 0.0.20200121-2) | wireguard-modules (>= 0.0.20191219),
+ wireguard-modules (>= 0.0.20191219) | wireguard-dkms (>= 0.0.20200121-2),
  wireguard-tools (>= ${source:Version}),
  ${misc:Depends},
 Description: fast, modern, secure kernel VPN tunnel (metapackage)

@ahasenack in lunar wireguard dropped depends on neither. Because it is expected to be built in, and the wireguard-dkms module is out of date, like a lot.

Please discuss this further with the SRU team on https://bugs.launchpad.net/ubuntu/kinetic/+source/wireguard/+bug/2008086 as kernel's team position is that nobody should be using wireguard-dkms in jammy.