On Thu, 19 May 2016 16:45:44 +0300 Shyukri Shyukriev wrote:

On 5/19/16 3:41 PM, Josef Reidinger wrote:

...

On Thu, 19 May 2016 15:12:57 +0300 Shyukri Shyukriev wrote:

...

Cross-posting to Factory...

Hello All, I'm struggling with testing OBS Appliances ( https://openqa.opensuse.org/group_overview/17 ) which uses gpg keygen during setup. Checking the appliance started with openQA QEMU_VIRTIO_RNG=1 options shows:

cat /proc/sys/kernel/random/entropy_avail 16

while on o.o.o w/o QEMU_VIRTION_RNG entropy_avail is ~37

Googling about the topic suggests using dev/urandom, but it's not secure enough...

http://linux-audit.com/gpg-key-generation-not-enough-random-bytes-available/ http://serverfault.com/questions/471412/gpg-gen-key-hangs-at-gaining-enough-...

Any ideas?

serial0 log https://openqa.opensuse.org/tests/196141/file/serial0.txt

Best regards

Hi Shyukri, in installation when we need good enough pool of entropy we use haveged service - http://www.issihosts.com/haveged/

Josef

Log shows that it starts and then stops quickly. Is it normal?

[ 27.093445] systemd[1]: Starting Entropy Daemon based on the HAVEGE algorithm... Starting Entropy Daemon based on the HAVEGE algorithm... [ OK ] Started Entropy Daemon based on the HAVEGE algorithm. [ 27.105412] systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.

..... [ 27.355541] systemd[1]: Stopped Entropy Daemon based on the HAVEGE algorithm.

It looks strange for me. I see that yast only stops haveged after unmounting disks, which should not be your case. So maybe check logs who stops it. As enabled haveged can really help you. Josef -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On 19 May 2016 at 16:51, Josef Reidinger wrote:

On Thu, 19 May 2016 16:45:44 +0300 Shyukri Shyukriev wrote:

...

On 5/19/16 3:41 PM, Josef Reidinger wrote:

...

On Thu, 19 May 2016 15:12:57 +0300 Shyukri Shyukriev wrote:

...

Cross-posting to Factory...

Hello All, I'm struggling with testing OBS Appliances ( https://openqa.opensuse.org/group_overview/17 ) which uses gpg keygen during setup. Checking the appliance started with openQA QEMU_VIRTIO_RNG=1 options shows:

cat /proc/sys/kernel/random/entropy_avail 16

while on o.o.o w/o QEMU_VIRTION_RNG entropy_avail is ~37

Googling about the topic suggests using dev/urandom, but it's not secure enough...

http://linux-audit.com/gpg-key-generation-not-enough-random-bytes-available/ http://serverfault.com/questions/471412/gpg-gen-key-hangs-at-gaining-enough-...

Any ideas?

serial0 log https://openqa.opensuse.org/tests/196141/file/serial0.txt

Best regards

Hi Shyukri, in installation when we need good enough pool of entropy we use haveged service - http://www.issihosts.com/haveged/

Josef

Log shows that it starts and then stops quickly. Is it normal?

[ 27.093445] systemd[1]: Starting Entropy Daemon based on the HAVEGE algorithm... Starting Entropy Daemon based on the HAVEGE algorithm... [ [32m OK [0m] Started Entropy Daemon based on the HAVEGE algorithm. [ 27.105412] systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.

..... [ 27.355541] systemd[1]: Stopped Entropy Daemon based on the HAVEGE algorithm.

It looks strange for me. I see that yast only stops haveged after unmounting disks, which should not be your case. So maybe check logs who stops it. As enabled haveged can really help you.

Josef

Josef, haveged during the install not seem to be working at all - I reported a similar issue in SLE 12 SP1 which is still unresolved https://bugzilla.suse.com/show_bug.cgi?id=955141 Regards, Richard -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

On 05/19/2016 06:43 PM, Josef Reidinger wrote:

On Thu, 19 May 2016 17:37:49 +0200 Richard Brown wrote:

...

On 19 May 2016 at 16:51, Josef Reidinger wrote:

...

On Thu, 19 May 2016 16:45:44 +0300 Shyukri Shyukriev wrote:

...

On 5/19/16 3:41 PM, Josef Reidinger wrote:

...

On Thu, 19 May 2016 15:12:57 +0300 Shyukri Shyukriev wrote:

...

Cross-posting to Factory...

Hello All, I'm struggling with testing OBS Appliances ( https://openqa.opensuse.org/group_overview/17 ) which uses gpg keygen during setup. Checking the appliance started with openQA QEMU_VIRTIO_RNG=1 options shows:

cat /proc/sys/kernel/random/entropy_avail 16

while on o.o.o w/o QEMU_VIRTION_RNG entropy_avail is ~37

Googling about the topic suggests using dev/urandom, but it's not secure enough...

http://linux-audit.com/gpg-key-generation-not-enough-random-bytes-available/ http://serverfault.com/questions/471412/gpg-gen-key-hangs-at-gaining-enough-...

Any ideas?

serial0 log https://openqa.opensuse.org/tests/196141/file/serial0.txt

Best regards Hi Shyukri, in installation when we need good enough pool of entropy we use haveged service - http://www.issihosts.com/haveged/

Josef

Log shows that it starts and then stops quickly. Is it normal?

[ 27.093445] systemd[1]: Starting Entropy Daemon based on the HAVEGE algorithm... Starting Entropy Daemon based on the HAVEGE algorithm... [ [32m OK [0m] Started Entropy Daemon based on the HAVEGE algorithm. [ 27.105412] systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.

..... [ 27.355541] systemd[1]: Stopped Entropy Daemon based on the HAVEGE algorithm. It looks strange for me. I see that yast only stops haveged after unmounting disks, which should not be your case. So maybe check logs who stops it. As enabled haveged can really help you.

Josef

Josef, haveged during the install not seem to be working at all - I reported a similar issue in SLE 12 SP1 which is still unresolved

https://bugzilla.suse.com/show_bug.cgi?id=955141

Regards,

Richard Ah, I am not aware of it. Basically YaST installation expect that haveged is run by default ( in past it is started by yast itself, but then it was changed, so yast no longer start it itself ).

Josef

Some more debugging: http://paste.opensuse.org/30909917 cat /proc/sys/kernel/random/entropy_avail 63 May 19 18:38:34 linux rngd[7566]: read error May 19 18:38:34 linux rngd[7566]: No entropy sources working, exiting rngd ............... May 19 18:38:50 linux obsstoragesetup[8043]: gpg: Generating a default OBS instance key May 19 18:43:49 linux systemd[1]: obsstoragesetup.service start operation timed out. Terminating. If i boot the qcow2 image directly on qemu-kvm gpg keygen is blazing fast: May 19 17:25:00 obs-server obsstoragesetup[8145]: Generating OBS default GPG key ....gpg: keyring `/srv/obs/gnupg/secring. May 19 17:25:00 obs-server obsstoragesetup[8145]: gpg: keyring `/srv/obs/gnupg/pubring.gpg' created May 19 17:25:00 obs-server obsstoragesetup[8145]: gpg: Generating a default OBS instance key May 19 17:25:00 obs-server obsstoragesetup[8145]: gpg: done May 19 17:25:00 obs-server obsstoragesetup[8145]: done obs-server:~ # cat /proc/sys/kernel/random/entropy_avail 3727 obs-server:~ # journalctl | grep "rngd" May 19 17:24:44 linux systemd[1]: Starting Start the rngd daemon... May 19 17:24:44 linux rngd[7610]: read error May 19 17:24:44 linux rngd[7610]: read error May 19 17:24:44 linux systemd[1]: Started Start the rngd daemon. -- Shyukri Shyukriev http://susestudio.com

On 19 May 2016 at 17:43, Josef Reidinger wrote:

On Thu, 19 May 2016 17:37:49 +0200 Richard Brown wrote:

...

On 19 May 2016 at 16:51, Josef Reidinger wrote:

...

On Thu, 19 May 2016 16:45:44 +0300 Shyukri Shyukriev wrote:

...

On 5/19/16 3:41 PM, Josef Reidinger wrote:

...

On Thu, 19 May 2016 15:12:57 +0300 Shyukri Shyukriev wrote:

...

Cross-posting to Factory...

Hello All, I'm struggling with testing OBS Appliances ( https://openqa.opensuse.org/group_overview/17 ) which uses gpg keygen during setup. Checking the appliance started with openQA QEMU_VIRTIO_RNG=1 options shows:

cat /proc/sys/kernel/random/entropy_avail 16

while on o.o.o w/o QEMU_VIRTION_RNG entropy_avail is ~37

Googling about the topic suggests using dev/urandom, but it's not secure enough...

http://linux-audit.com/gpg-key-generation-not-enough-random-bytes-available/ http://serverfault.com/questions/471412/gpg-gen-key-hangs-at-gaining-enough-...

Any ideas?

serial0 log https://openqa.opensuse.org/tests/196141/file/serial0.txt

Best regards

Hi Shyukri, in installation when we need good enough pool of entropy we use haveged service - http://www.issihosts.com/haveged/

Josef

Log shows that it starts and then stops quickly. Is it normal?

[ 27.093445] systemd[1]: Starting Entropy Daemon based on the HAVEGE algorithm... Starting Entropy Daemon based on the HAVEGE algorithm... [ [32m OK [0m] Started Entropy Daemon based on the HAVEGE algorithm. [ 27.105412] systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.

..... [ 27.355541] systemd[1]: Stopped Entropy Daemon based on the HAVEGE algorithm.

It looks strange for me. I see that yast only stops haveged after unmounting disks, which should not be your case. So maybe check logs who stops it. As enabled haveged can really help you.

Josef

Josef, haveged during the install not seem to be working at all - I reported a similar issue in SLE 12 SP1 which is still unresolved

https://bugzilla.suse.com/show_bug.cgi?id=955141

Regards,

Richard

Ah, I am not aware of it. Basically YaST installation expect that haveged is run by default ( in past it is started by yast itself, but then it was changed, so yast no longer start it itself ).

Josef

Yeah I'm still waiting for an indication from someone knowledgeable and authoritative to decide what the intended/acceptable behaviour is. If YaST's current behaviour is correct (it's understandable, on that I totally agree) and nothing else is going to take over it's old role of starting haveged, then I expect to see documentation for users on how to start haveged as part of their installation when the entropy is needed. Then I'll be quite comfortable helping shyurki and others by having openQA automatically do that as part of it's testing. But right now I feel this is stuck in a bit of limbo, and I do not want to put workarounds for it in openQA which could ultimately mask the problem until it's too late and users are putting this out in the real world and finding they don't have sufficient entropy to install *SUSE in certain circumstances. Who do you think would be a good idea to poke about this? Marcus Meissner? -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org