linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
To: Kurt Roeckx <kurt@roeckx.be>,
	912087@bugs.debian.org,
	"Package Development List for OpenSSL packages." 
	<pkg-openssl-devel@alioth-lists.debian.net>,
	Theodore Ts'o <tytso@mit.edu>,
	linux-kernel@vger.kernel.org
Cc: "Bernhard Übelacker" <bernhardu@mailbox.org>,
	pkg-systemd-maintainers@lists.alioth.debian.org,
	debian-ssh@lists.debian.org, 912087-submitter@bugs.debian.org
Subject: Re: Bug#912087: openssh-server: Slow startup after the upgrade to 7.9p1
Date: Tue, 30 Oct 2018 01:18:08 +0100	[thread overview]
Message-ID: <20181030001807.7wailpm37mlinsli@breakpoint.cc> (raw)
In-Reply-To: <20181029223334.GH10011@roeckx.be>

On 2018-10-29 23:33:34 [+0100], Kurt Roeckx wrote:
> On Mon, Oct 29, 2018 at 09:58:20PM +0100, Sebastian Andrzej Siewior wrote:
> > On 2018-10-29 18:22:08 [+0100], Kurt Roeckx wrote:
> > > So I believe this is not an openssl issue, but something in the
> > > order that the kernel's RNG is initialized and openssh is started.
> > > Potentionally the RNG isn't initialized at all and you actually
> > > have to wait for the kernel to get it's random data from the slow
> > > way.
> > > 
> > > So I'm reassigning this to systemd and openssh-server, I have no
> > > idea where the problem really is.
> > 
> > I see it, too. So during boot someone invokes "sshd -t" which invokes
> 
> That's:
> ExecStartPre=/usr/sbin/sshd -t
> 
> > 	getrandom(, 32, 0)
> > and this blocks.
> 
> And did systemd-random-seed.service get run before that?

Yes, but it does not matter from what I can see in the code. On my
system this writes 512 to /dev/urandom at timestamp 11.670639. But sshd
does this:

  sshd-2638  [004] .......    22.445819: __x64_sys_getrandom: 1| 32 0
sshd asks for 32 bytes (flags = 0)

  sshd-2638  [004] .......    22.445824: __x64_sys_getrandom: 2
-> crng_ready() is not true so we wait_for_random_bytes()

  sshd-3164  [004] .......   117.577454: __x64_sys_getrandom: 3
-> "crng init done", sshd's getrandom() resumed.

The problem is that the entropy is added but the entropy count is not
increased. So we wait.

Using ioctl(/dev/urandom, RNDADDENTROPY, ) instead writting to
/dev/urandom would do the trick. Or using RNDADDTOENTCNT to increment
the entropy count after it was written. Those two are documented in
random(4). Or RNDRESEEDCRNG could be used to force crng to be reseeded.
It does also the job, too.

Ted, is there any best practise what to do with the seed which as
extrected from /dev/urandom on system shutdown? Using RNDADDTOENTCNT to
speed up init or just write to back to urandom and issue RNDRESEEDCRNG?

> Kurt

Sebastian

       reply	other threads:[~2018-10-30  0:18 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20181029223334.GH10011@roeckx.be>
2018-10-30  0:18 ` Sebastian Andrzej Siewior [this message]
2018-10-30 14:15   ` Bug#912087: openssh-server: Slow startup after the upgrade to 7.9p1 Theodore Y. Ts'o
2018-10-30 18:37     ` Kurt Roeckx
2018-10-30 20:51       ` Theodore Y. Ts'o
2018-10-31 11:21         ` Sebastian Andrzej Siewior
2018-10-31 22:41           ` Theodore Y. Ts'o
2018-11-01 22:18             ` Sebastian Andrzej Siewior
2018-11-01 23:50               ` Theodore Y. Ts'o
2018-11-02  0:24                 ` Kurt Roeckx
2018-11-02  2:13                   ` Theodore Y. Ts'o
2018-11-04  0:18                 ` Sebastian Andrzej Siewior

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181030001807.7wailpm37mlinsli@breakpoint.cc \
    --to=sebastian@breakpoint.cc \
    --cc=912087-submitter@bugs.debian.org \
    --cc=912087@bugs.debian.org \
    --cc=bernhardu@mailbox.org \
    --cc=debian-ssh@lists.debian.org \
    --cc=kurt@roeckx.be \
    --cc=linux-kernel@vger.kernel.org \
    --cc=pkg-openssl-devel@alioth-lists.debian.net \
    --cc=pkg-systemd-maintainers@lists.alioth.debian.org \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).