long time for starting sshd (wait for crng init done ?)

long time for starting sshd (wait for crng init done ?)

[star]

From yocto 2.5 to 2.7 I noticed a change in booting. The kernel stops for around 85 seconds.
It seems to me that starting sshd takes time until crng init is done.
In 2.5 it doesn't wait for that. How can I avoid that?
Maybe I have to add that I use a recipe that adds keys as rootfs is usually r/o.

Another think I have observed (which is not clear to me): I don't get a message from system message bus anymore. ???

Instead of it udevd complains about "specific group 'kvm' unknown. Looking into source there are  mentioned:
# The static_node is required on s390x and ppc (they are using MODULE_ALIAS)
So, can I safely ignore that (use ARM).

Re: long time for starting sshd (wait for crng init done ?)

[Mikko.Rapeli]

Hi,

On Mon, May 13, 2019 at 01:07:45PM +0200, star@gmx.li wrote:
> >From yocto 2.5 to 2.7 I noticed a change in booting. The kernel stops for around 85 seconds.
> It seems to me that starting sshd takes time until crng init is done.
> In 2.5 it doesn't wait for that. How can I avoid that?
> Maybe I have to add that I use a recipe that adds keys as rootfs is usually r/o.

Depends on your HW platform, kernel version etc, but one possible solution
is installing rng-tools binary package which starts rngd at boot.

See http://lists.openembedded.org/pipermail/openembedded-core/2019-May/282021.html

-Mikko

> Another think I have observed (which is not clear to me): I don't get a message from system message bus anymore. ???
> 
> Instead of it udevd complains about "specific group 'kvm' unknown. Looking into source there are  mentioned:
> # The static_node is required on s390x and ppc (they are using MODULE_ALIAS)
> So, can I safely ignore that (use ARM).
> 
> 
> -- 
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto

Re: long time for starting sshd (wait for crng init done ?)

[Mark Hatle]

On 5/13/19 2:07 PM, star@gmx.li wrote:
> From yocto 2.5 to 2.7 I noticed a change in booting. The kernel stops for around 85 seconds.
> It seems to me that starting sshd takes time until crng init is done.
> In 2.5 it doesn't wait for that. How can I avoid that?
> Maybe I have to add that I use a recipe that adds keys as rootfs is usually r/o.
> 
> Another think I have observed (which is not clear to me): I don't get a message from system message bus anymore. ???
> 
> Instead of it udevd complains about "specific group 'kvm' unknown. Looking into source there are  mentioned:
> # The static_node is required on s390x and ppc (they are using MODULE_ALIAS)
> So, can I safely ignore that (use ARM).
> 
> 

There was recently a discussion on this in the oe-core mailing list (Search for
"[OE-core] [PATCH 2/2] openssh: usable sshd depends on rngd from rng-tools", be
sure to read the whole thread.)  Assuming you are using certain cryptography
resources, the system is waiting for enough entropy for a good random number set.

Often you may need to enable rngd, or up the quality of the kernel hardware
random number generators, as many are set very low.  (Often the hardware random
number generator you have is of sufficient quality that the quality level can be
increased to generate random numbers more quickly.)

Be aware of the ramifications if you make these changes to your system -- as
faster entropy generation does not necessarily equal quality.  There are
numerous incorrect assumptions about entropy and the kernel for these.  Above
all else, do not use /dev/urandom as an entropy source for /dev/random.  That is
simply not safe to do.

What you do NOT want to do is figure out that you are booting 10k boards in a
factory and they all end up getting exactly the same random numbers and thus
identical keys.  (Yes this has happened in the past!)

--Mark

Re: long time for starting sshd (wait for crng init done ?)

[star]

> Gesendet: Montag, 13. Mai 2019 um 13:45 Uhr
> Von: Mikko.Rapeli@bmw.de
> An: star@gmx.li
> Cc: yocto@yoctoproject.org
> Betreff: Re: [yocto] long time for starting sshd (wait for crng init done ?)
>
> Hi,
>
> On Mon, May 13, 2019 at 01:07:45PM +0200, star@gmx.li wrote:
> > >From yocto 2.5 to 2.7 I noticed a change in booting. The kernel stops for around 85 seconds.
> > It seems to me that starting sshd takes time until crng init is done.
> > In 2.5 it doesn't wait for that. How can I avoid that?
> > Maybe I have to add that I use a recipe that adds keys as rootfs is usually r/o.
>
> Depends on your HW platform, kernel version etc, but one possible solution
> is installing rng-tools binary package which starts rngd at boot.
>
> See http://lists.openembedded.org/pipermail/openembedded-core/2019-May/282021.html
>
> -Mikko

With that in fact to boot time decreases. It stop for a 10..20s after "failed to init entropy", but this is far less than w/o it.
Nevertheless, I didn't have stops at all in 2.5, as cnrg init finished only after booting (login message) and boot time is important.

run-parts: /etc/network/if-pre-up.d/nfsroot: exit status 1
Starting random number generator daemon
Initalizing available sources

Failed to init entropy source hwrng

Enabling JITTER rng support

Initalizing entropy source jitter

.
random: crng init done
Starting OpenBSD Secure Shell server: sshd


>
> > Another think I have observed (which is not clear to me): I don't get a message from system message bus anymore. ???
> >
> > Instead of it udevd complains about "specific group 'kvm' unknown. Looking into source there are  mentioned:
> > # The static_node is required on s390x and ppc (they are using MODULE_ALIAS)
> > So, can I safely ignore that (use ARM).
> >
> >
> > --
> > _______________________________________________
> > yocto mailing list
> > yocto@yoctoproject.org
> > https://lists.yoctoproject.org/listinfo/yocto