[opensuse-factory] Increase entropy in openQA?
Cross-posting to Factory...
Hello All,
I'm struggling with testing OBS Appliances ( https://openqa.opensuse.org/group_overview/17 ) which uses gpg keygen during setup. Checking the appliance started with openQA QEMU_VIRTIO_RNG=1 options shows:
cat /proc/sys/kernel/random/entropy_avail
16
while on o.o.o w/o QEMU_VIRTIO_RNG entropy_avail is ~37
Googling about the topic suggests using dev/urandom, but it's not secure enough...
http://linux-audit.com/gpg-key-generation-not-enough-random-bytes-available/
http://serverfault.com/questions/471412/gpg-gen-key-hangs-at-gaining-enough-...
Any ideas?
serial0 log https://openqa.opensuse.org/tests/196141/file/serial0.txt
Best regards
--
Shyukri Shyukriev
http://susestudio.com
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Thu, 19 May 2016 15:12:57 +0300 Shyukri Shyukriev wrote:
> Cross-posting to Factory...
> Hello All, I'm struggling with testing OBS Appliances ( https://openqa.opensuse.org/group_overview/17 ) which uses gpg keygen during setup. Checking the appliance started with openQA QEMU_VIRTIO_RNG=1 options shows:
> cat /proc/sys/kernel/random/entropy_avail
> 16
> while on o.o.o w/o QEMU_VIRTIO_RNG entropy_avail is ~37
> Googling about the topic suggests using dev/urandom, but it's not secure enough...
> http://linux-audit.com/gpg-key-generation-not-enough-random-bytes-available/
> http://serverfault.com/questions/471412/gpg-gen-key-hangs-at-gaining-enough-...
> Any ideas?
> serial0 log https://openqa.opensuse.org/tests/196141/file/serial0.txt
> Best regards
Hi Shyukri,
in installation, when we need a good enough pool of entropy, we use the haveged service - http://www.issihosts.com/haveged/
Josef
On 5/19/16 3:41 PM, Josef Reidinger wrote:
> Hi Shyukri, in installation, when we need a good enough pool of entropy, we use the haveged service - http://www.issihosts.com/haveged/
> Josef
Log shows that it starts and then stops quickly. Is it normal?
[ 27.093445] systemd[1]: Starting Entropy Daemon based on the HAVEGE algorithm...
Starting Entropy Daemon based on the HAVEGE algorithm...
[  OK  ] Started Entropy Daemon based on the HAVEGE algorithm.
[ 27.105412] systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.
.....
[ 27.355541] systemd[1]: Stopped Entropy Daemon based on the HAVEGE algorithm.
--
Shyukri Shyukriev
http://susestudio.com
On Thu, 19 May 2016 16:45:44 +0300 Shyukri Shyukriev wrote:
> Log shows that it starts and then stops quickly. Is it normal?
> [ 27.093445] systemd[1]: Starting Entropy Daemon based on the HAVEGE algorithm...
> Starting Entropy Daemon based on the HAVEGE algorithm...
> [  OK  ] Started Entropy Daemon based on the HAVEGE algorithm.
> [ 27.105412] systemd[1]: Started Entropy Daemon based on the HAVEGE algorithm.
> .....
> [ 27.355541] systemd[1]: Stopped Entropy Daemon based on the HAVEGE algorithm.
It looks strange to me. I see that yast only stops haveged after unmounting disks, which should not be your case. So maybe check the logs to see who stops it, as an enabled haveged can really help you.
Josef
On Thu, May 19, 2016 at 4:51 PM, Josef Reidinger wrote:
> It looks strange to me. I see that yast only stops haveged after unmounting disks, which should not be your case. So maybe check the logs to see who stops it, as an enabled haveged can really help you.
This is how it is done in OBS https://github.com/openSUSE/obs-build/commit/919a83ff3c46ebb33d2b8a9ddcec78a...
I guess openQA doesn't define -object rng-random,filename=$rng_dev,id=rng0
> Josef
On 19 May 2016 at 16:51, Josef Reidinger wrote:
> It looks strange to me. I see that yast only stops haveged after unmounting disks, which should not be your case. So maybe check the logs to see who stops it, as an enabled haveged can really help you.
> Josef
Josef,
haveged during the install does not seem to be working at all - I reported a similar issue in SLE 12 SP1 which is still unresolved
https://bugzilla.suse.com/show_bug.cgi?id=955141
Regards,
Richard
On Thu, 19 May 2016 17:37:49 +0200 Richard Brown wrote:
> Josef, haveged during the install does not seem to be working at all - I reported a similar issue in SLE 12 SP1 which is still unresolved
> https://bugzilla.suse.com/show_bug.cgi?id=955141
> Regards,
> Richard
Ah, I am not aware of it. Basically, YaST installation expects that haveged is run by default (in the past it was started by yast itself, but then it was changed, so yast no longer starts it itself).
Josef
On 05/19/2016 06:43 PM, Josef Reidinger wrote:
> Ah, I am not aware of it. Basically, YaST installation expects that haveged is run by default (in the past it was started by yast itself, but then it was changed, so yast no longer starts it itself).
> Josef
Some more debugging:
http://paste.opensuse.org/30909917
cat /proc/sys/kernel/random/entropy_avail
63
May 19 18:38:34 linux rngd[7566]: read error
May 19 18:38:34 linux rngd[7566]: No entropy sources working, exiting rngd
...............
May 19 18:38:50 linux obsstoragesetup[8043]: gpg: Generating a default OBS instance key
May 19 18:43:49 linux systemd[1]: obsstoragesetup.service start operation timed out. Terminating.
If I boot the qcow2 image directly on qemu-kvm gpg keygen is blazing fast:
May 19 17:25:00 obs-server obsstoragesetup[8145]: Generating OBS default GPG key ....gpg: keyring `/srv/obs/gnupg/secring.
May 19 17:25:00 obs-server obsstoragesetup[8145]: gpg: keyring `/srv/obs/gnupg/pubring.gpg' created
May 19 17:25:00 obs-server obsstoragesetup[8145]: gpg: Generating a default OBS instance key
May 19 17:25:00 obs-server obsstoragesetup[8145]: gpg: done
May 19 17:25:00 obs-server obsstoragesetup[8145]: done
obs-server:~ # cat /proc/sys/kernel/random/entropy_avail
3727
obs-server:~ # journalctl | grep "rngd"
May 19 17:24:44 linux systemd[1]: Starting Start the rngd daemon...
May 19 17:24:44 linux rngd[7610]: read error
May 19 17:24:44 linux rngd[7610]: read error
May 19 17:24:44 linux systemd[1]: Started Start the rngd daemon.
--
Shyukri Shyukriev
http://susestudio.com
On Thu, May 19, 2016 at 3:11 PM, Shyukri Shyukriev wrote:
> obs-server:~ # journalctl | grep "rngd"
> May 19 17:24:44 linux systemd[1]: Starting Start the rngd daemon...
> May 19 17:24:44 linux rngd[7610]: read error
> May 19 17:24:44 linux rngd[7610]: read error
> May 19 17:24:44 linux systemd[1]: Started Start the rngd daemon.
I saw this one too but I am not sure it is the same kernel problem .. a /dev/hwrng device is registered even though there is no possible way for it to work.. /sys/devices/virtual/misc/hw_random/rng_available is empty and/or /sys/devices/virtual/misc/hw_random/rng_current is none. Either there is no driver for the device or none is bound to it.. yet it shows up in the filesystem.
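The hw_random and entropy_avail checks discussed in the messages above, combined into one verdict that a test harness could log before gpg key generation starts. This is an added example, not code from the thread or from openQA; the function names, the verdict strings and the 128-bit threshold are assumptions, and the fixture in demo_thread_case is constructed from values reported in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a guest's RNG state.
# Function names, verdict strings and the 128-bit threshold are assumptions.
HWRNG_DIR=${HWRNG_DIR:-/sys/devices/virtual/misc/hw_random}
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
MIN_ENTROPY=${MIN_ENTROPY:-128}

# Print a file's contents without whitespace; print nothing if unreadable.
read_trim() {
    if [ -r "$1" ]; then tr -d ' \t\n' < "$1" 2>/dev/null || true; fi
}

# hwrng_state DIR -> absent | no-driver | unbound | ok:<name>
hwrng_state() {
    if [ ! -d "$1" ]; then echo absent; return 0; fi
    available=$(read_trim "$1/rng_available")
    current=$(read_trim "$1/rng_current")
    if [ -z "$available" ]; then
        echo no-driver      # /dev/hwrng can exist with nothing behind it
    elif [ -z "$current" ] || [ "$current" = none ]; then
        echo unbound        # a driver is listed but none is selected
    else
        echo "ok:$current"
    fi
}

# entropy_state FILE MIN -> unknown | starved:<bits> | ok:<bits>
entropy_state() {
    bits=$(read_trim "$1")
    case $bits in
        ''|*[!0-9]*) echo unknown ;;
        *) if [ "$bits" -lt "$2" ]; then echo "starved:$bits"; else echo "ok:$bits"; fi ;;
    esac
}

# rng_verdict DIR FILE MIN -> one line to log, or to gate key generation on
rng_verdict() {
    hw=$(hwrng_state "$1")
    ent=$(entropy_state "$2" "$3")
    case "$hw/$ent" in
        ok:*/ok:*)   echo "PASS hwrng=$hw entropy=$ent" ;;
        */starved:*) echo "FAIL hwrng=$hw entropy=$ent" ;;
        *)           echo "WARN hwrng=$hw entropy=$ent" ;;
    esac
}

# Constructed fixture built from values reported in the thread:
# empty rng_available, rng_current "none", entropy_avail 16.
demo_thread_case() {
    tmp=$(mktemp -d)
    mkdir "$tmp/hw_random"
    : > "$tmp/hw_random/rng_available"
    echo none > "$tmp/hw_random/rng_current"
    echo 16 > "$tmp/entropy_avail"
    rng_verdict "$tmp/hw_random" "$tmp/entropy_avail" "$MIN_ENTROPY"
    rm -rf "$tmp"
}
echo "constructed: $(demo_thread_case)"
echo "this host:   $(rng_verdict "$HWRNG_DIR" "$ENTROPY_FILE" "$MIN_ENTROPY")"
```

A WARN with healthy entropy but no bound hwrng matches the direct qemu-kvm boot in the thread, where rngd logged read errors yet key generation was fast.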
On 19 May 2016 at 17:43, Josef Reidinger wrote:
> Ah, I am not aware of it. Basically, YaST installation expects that haveged is run by default (in the past it was started by yast itself, but then it was changed, so yast no longer starts it itself).
> Josef
Yeah I'm still waiting for an indication from someone knowledgeable and authoritative to decide what the intended/acceptable behaviour is.
If YaST's current behaviour is correct (it's understandable, on that I totally agree) and nothing else is going to take over its old role of starting haveged, then I expect to see documentation for users on how to start haveged as part of their installation when the entropy is needed.
Then I'll be quite comfortable helping Shyukri and others by having openQA automatically do that as part of its testing.
But right now I feel this is stuck in a bit of limbo, and I do not want to put workarounds for it in openQA which could ultimately mask the problem until it's too late and users are putting this out in the real world and finding they don't have sufficient entropy to install *SUSE in certain circumstances.
Who do you think would be a good idea to poke about this? Marcus Meissner?
participants (5)
- Cristian Rodríguez
- Dinar Valeev
- Josef Reidinger
- Richard Brown
- Shyukri Shyukriev