[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#914297: apache2: getrandom call blocks on first startup, systemd kills with timeout

Package: apache2
Version: 2.4.37-1
Severity: important

Recently apache2 has been failing to come up on initial startup, ultimately
hitting systemd's timeout and getting killed. After startup, though, I was able
to manually start apache2 with "systemctl start apache2". Poking strace in
there I noticed it seemed to be blocking on a call to getrandom:

697   getpid()                          = 697
697   openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = 10
697   fstat(10, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
697   openat(AT_FDCWD, "/dev/random", O_RDONLY) = 11
697   fstat(11, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 8), ...}) = 0
697   openat(AT_FDCWD, "/dev/srandom", O_RDONLY) = -1 ENOENT (No such file or directory)
697   futex(0x7f52ad56c928, FUTEX_WAKE_PRIVATE, 2147483647) = 0
697   getrandom( <unfinished ...>
587   <... wait4 resumed> 0x7ffe3ecf748c, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
697   <... getrandom resumed> 0x5577627046e0, 32, 0) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
587   --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=1, si_uid=0} ---
697   --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=1, si_uid=0} ---
587   +++ killed by SIGTERM +++
697   +++ killed by SIGTERM +++

Which I'd suspect has something to do with apache or some library it depends on
moving to getrandom, which (I believe) blocks of the entropy pool isn't good
enough yet. It looks like openssh is affected by something similar:


The difference with openssh, though, is that it eventually does come up as its
systemd config allows it to be retried. apache2, on the other hand, does not
allow this. Which means on systems that have poor entropy sources (like virtual
machines) the machine will start, but apache2 will never come up until it's
manually started.

I'm not certain where the actual bug is here, maybe this is something systemd
should be able to block on, but in either case I wouldn't be surprised if this
starts affecting users of apache in virtual environments specifically.

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.37-1
ii  apache2-data   2.4.37-1
ii  apache2-utils  2.4.37-1
ii  dpkg           1.19.2
ii  lsb-base       9.20170808
ii  mime-support   3.61
ii  perl           5.28.0-3
ii  procps         2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-36+b1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.3-3
ii  libaprutil1              1.6.1-3+b1
ii  libaprutil1-dbd-sqlite3  1.6.1-3+b1
ii  libaprutil1-ldap         1.6.1-3+b1
ii  libbrotli1               1.0.7-1
ii  libc6                    2.27-8
ii  libcurl4                 7.61.0-1
ii  libjansson4              2.11-1
ii  libldap-2.4-2            2.4.46+dfsg-5+b1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.34.0-1
ii  libpcre3                 2:8.39-11
ii  libssl1.1                1.1.1-2
ii  libxml2                  2.9.4+dfsg1-7+b2
ii  perl                     5.28.0-3
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-36+b1

Versions of packages apache2 is related to:
ii  apache2      2.4.37-1
ii  apache2-bin  2.4.37-1

-- Configuration Files:
/etc/apache2/apache2.conf changed:
DefaultRuntimeDir ${APACHE_RUN_DIR}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel debug
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
<Directory /usr/share>
	AllowOverride None
	Require all granted
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
AccessFileName .htaccess
<FilesMatch "^\.ht">
	Require all denied
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

/etc/apache2/sites-available/000-default.conf changed:
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com
        Redirect 404 /
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

-- no debconf information

Reply to: