Web lists-archives.com

Re: Handling of entropy during boot




Am 10.01.19 um 15:51 schrieb Stefan Fritsch:
> On Thu, 10 Jan 2019, Michael Biebl wrote:
>>> ACK, we also had to do the same in Grml[.org] and our latest release
>>> (2018.12). Now we automatically enable haveged when users boot using
>>> the ssh boot option (which is something Grml specific, taking care
>>> of setting user password and invoking the ssh service).
>>
>> And this is a perfect example why crediting the seed file (#914297) is
>> not a solution to this problem.
> 
> While I still think this case should be handled by documentation, let's 
> try to find a way forward that we can agree upon.
> 
> I think the absolute minimum we need something that prints a big fat 
> warning during boot if the RNG is not yet initialized, points out that 
> further services may block and that the admin should add entropy sources 
> like virtio-rng or rdrand. The time when this warning should be printed 
> should probably be before network is started, because if the admin has 
> configured vpn services in /etc/network/interfaces, those will already 
> block because of lack of entropy.
> 
> A second thing we need is a service that finishes when the RNG is 
> initialized and that has a suitable large timeout for starting (maybe one 
> day?). Services that need randomness can then depend on that service and 
> don't need to set their own timeout to huge values. Also it is a lot 
> easier to see what's wrong if the "wait for RNG" service is blocking than 
> if some random network service is blocking.
> 
> More things should be done but maybe we can figure those out while we 
> implement the above two things. Can we agree on this?
> 

I'd prefer having this documented in the release notes:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916690
with possible solutions like installing haveged, configuring virtio-rng,
etc. depending on the situation.

Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

Attachment: signature.asc
Description: OpenPGP digital signature