Bug#914297: apache2: getrandom call blocks on first startup, systemd kills with timeout
Michael Biebl
biebl at debian.org
Mon Dec 17 12:41:28 GMT 2018
clone 914297 -1
reassign -1 release-notes
retitle -1 document getrandom changes causing entropy starvation
thanks
On 17.12.18 at 13:28, Alexander E. Patrakov wrote:
> Michael Biebl <biebl at debian.org>:
>> On Sat, 15 Dec 2018 09:17:46 +0100 Stefan Fritsch <sf at sfritsch.de> wrote:
>>> It turns out there was a similar bug against openssh which was closed as
>>> wontfix [1]. I don't see how apache can do anything about this, either.
>>
>> There is. Don't request high-quality randomness during boot unless you
>> explicitly need it.
>
> Well, this problem is much more widespread (in terms of software that
> requests entropy needlessly) than you might think. If you override the
> unit for something as deterministic as systemd-tmpfiles-setup.service
> to run it under strace and log the result, you'll see numerous calls
> to getrandom().
Incidentally there is
https://github.com/systemd/systemd/commit/abdcb688a8a82807cb5f864babdba91c859ac5f8
This patch is not yet in the Debian package.
I'm well aware that this potentially affects quite a lot of packages,
but I can only repeat that systemd-random-seed is not the answer here.
I fear that indeed the only option is to review each and every service
during boot which requests randomness, unless the change in
openssl/kernel is reverted.
> This might need a release-note if no other solution appears (like e.g.
> [imagine a strawman here, I am not serious] making haveged essential
> and copying it into the initramfs).
I don't think making haveged essential would make sense, as this problem
manifests typically in containerized or virtualized environments.
For the latter, if using KVM, the best option afaik is to use virtio-rng.
And yes, at this point I think the only solution is to document this in
the release notes.
Michael Biebl
--
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
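An added example, not part of this thread or of any Debian package, showing how a boot-time service can probe the kernel CRNG without stalling: getrandom() with GRND_NONBLOCK reports EAGAIN while the pool is uninitialized, so the caller can defer key generation instead of being killed by the systemd start timeout. getrandom() and GRND_NONBLOCK are the real Linux/glibc API; crng_ready() and getrandom_bounded() are names chosen here for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/random.h>
#include <time.h>
#include <unistd.h>

/* 1 = kernel CRNG initialized, 0 = getrandom() would block (EAGAIN), -1 = error. */
int crng_ready(void)
{
    unsigned char probe;
    ssize_t n = getrandom(&probe, 1, GRND_NONBLOCK);
    if (n == 1)
        return 1;
    if (n < 0 && errno == EAGAIN)
        return 0;
    return -1;
}

/* Fill buf with len CRNG bytes without ever blocking indefinitely: retry
 * non-blocking reads until timeout_ms has elapsed.  Returns 1 on success,
 * 0 if the pool was still not ready at the deadline (buf is then unspecified
 * and must not be used as key material), -1 on any other error. */
int getrandom_bounded(unsigned char *buf, size_t len, unsigned timeout_ms)
{
    struct timespec start, now;
    size_t got = 0;
    clock_gettime(CLOCK_MONOTONIC, &start);
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, GRND_NONBLOCK);
        if (n > 0) { got += (size_t)n; continue; }   /* partial reads are fine */
        if (n == 0) return -1;                         /* should not happen for len > 0 */
        if (errno == EINTR) continue;
        if (errno != EAGAIN) return -1;
        clock_gettime(CLOCK_MONOTONIC, &now);
        long ms = (now.tv_sec - start.tv_sec) * 1000L
                + (now.tv_nsec - start.tv_nsec) / 1000000L;
        if (ms >= (long)timeout_ms) return 0;          /* give up, let caller defer */
        usleep(10000);                                 /* poll every 10 ms */
    }
    return 1;
}

int main(void)
{
    unsigned char key[32];
    int r = getrandom_bounded(key, sizeof key, 2000);
    if (r == 1) puts("CRNG ready: key material obtained");
    else if (r == 0) puts("CRNG not ready: defer key generation instead of stalling boot");
    else perror("getrandom");
    return r == 1 ? 0 : 1;
}
```

Running the same probe under strace (as the quoted reply suggests) shows the EAGAIN returns directly, which is a quick way to confirm whether a given service is the one waiting on the pool.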