Bug#914297: apache2: getrandom call blocks on first startup, systemd kills with timeout

Stefan Fritsch sf at sfritsch.de
Mon Dec 17 12:54:25 GMT 2018


On Mon, 17 Dec 2018, Michael Biebl wrote:
> > Well, this problem is much more widespread (in terms of software that
> > requests entropy needlessly) than you might think. If you override the
> > unit for something as deterministic as systemd-tmpfiles-setup.service
> > to run it under strace and log the result, you'll see numerous calls
> > to getrandom().
> 
> Incidentally there is
> https://github.com/systemd/systemd/commit/abdcb688a8a82807cb5f864babdba91c859ac5f8
> 
> This patch is not yet in the Debian package.
> 
> I'm well aware that this potentially affects quite a lot of packages,
> but I can only repeat that systemd-random-seed is not the answer here.
> 
> I fear that indeed the only option is to review each and every service
> during boot which requests randomness, unless the change in
> openssl/kernel is reverted.


No, that's wrong. This will introduce security issues in those services.

> I don't think making haveged essential would make sense, as this problem
> manifests typically in containerized or virtualized environments.
> For the latter, if using KVM, the best option afaik is to use virtio-rng.
> 
> And yes, at this point I think the only solution is to document this in
> the release notes.

No. This needs discussion on debian-devel, or if there is no consensus,
the technical committee.
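The thread above turns on one kernel behaviour: a plain getrandom() call blocks until the kernel CSPRNG has been seeded, which on a freshly booted VM or container can take longer than systemd's start timeout. The following C program is an added illustration, not code from the bug report, from apache2 or from systemd. It probes the pool with GRND_NONBLOCK, so that instead of hanging it gets EAGAIN back when the pool is not yet seeded, and classifies the result so a service or health check can report "entropy pool not ready" rather than being killed. It assumes Linux 3.17 or later and glibc 2.25 or later (for <sys/random.h>); the enum and function names are this example's own.

```c
// Added example: non-blocking probe of the kernel entropy pool.
// Not part of the Debian bug report or of any project discussed in it.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

/* Example's own classification of what a getrandom() probe told us. */
enum pool_state {
    POOL_ERROR = -1,     /* getrandom() failed for a reason other than EAGAIN */
    POOL_NOT_SEEDED = 0, /* a blocking call would have hung here */
    POOL_READY = 1       /* pool seeded, bytes were returned */
};

/* Map a getrandom() return value and errno to a pool_state.
 * Kept separate from the syscall so the mapping can be tested on
 * fixed inputs (ret/err are taken as parameters). */
enum pool_state classify_getrandom(ssize_t ret, int err) {
    if (ret >= 0)
        return POOL_READY;
    if (err == EAGAIN)
        return POOL_NOT_SEEDED; /* GRND_NONBLOCK: pool not initialised yet */
    return POOL_ERROR;          /* e.g. ENOSYS on a pre-3.17 kernel, EINTR */
}

/* Ask the kernel for 16 bytes without blocking. With GRND_NONBLOCK the
 * call returns -1/EAGAIN instead of sleeping until the pool is seeded,
 * which is exactly the wait that triggers systemd's start timeout. */
enum pool_state probe_entropy_pool(void) {
    unsigned char buf[16];
    ssize_t ret = getrandom(buf, sizeof buf, GRND_NONBLOCK);
    return classify_getrandom(ret, ret < 0 ? errno : 0);
}

int main(void) {
    enum pool_state st = probe_entropy_pool();
    switch (st) {
    case POOL_READY:
        puts("entropy pool ready: getrandom() would not block");
        return 0;
    case POOL_NOT_SEEDED:
        puts("entropy pool NOT seeded: a blocking getrandom() would hang here");
        return 1;
    default:
        printf("getrandom() failed: %s\n", strerror(errno));
        return 2;
    }
}
```

Run it early in boot (for instance by hand from a rescue shell, or from a diagnostic unit) on the affected VM: a POOL_NOT_SEEDED result confirms the hang is the kernel waiting for entropy rather than anything apache2-specific, and a virtio-rng device or a seeded pool turns it into POOL_READY. The probe deliberately does not fall back to /dev/urandom or any weaker source, since using unseeded output is the security issue the reply warns against.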
