[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#916690: marked as done (document getrandom changes causing entropy starvation)

Your message dated Tue, 7 May 2019 22:24:59 +0200
with message-id <45f35697-4fec-3fcf-3e9b-e348337de280@debian.org>
and subject line Re: Bug#916690: [release-notes] document getrandom changes causing entropy starvation
has caused the Debian Bug report #916690,
regarding document getrandom changes causing entropy starvation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
916690: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916690
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: apache2
Version: 2.4.37-1
Severity: important

Recently apache2 has been failing to come up on initial startup, ultimately
hitting systemd's timeout and getting killed. After startup, though, I was able
to manually start apache2 with "systemctl start apache2". Poking strace in
there I noticed it seemed to be blocking on a call to getrandom:

697   getpid()                          = 697
697   openat(AT_FDCWD, "/dev/urandom", O_RDONLY) = 10
697   fstat(10, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 9), ...}) = 0
697   openat(AT_FDCWD, "/dev/random", O_RDONLY) = 11
697   fstat(11, {st_mode=S_IFCHR|0666, st_rdev=makedev(1, 8), ...}) = 0
697   openat(AT_FDCWD, "/dev/srandom", O_RDONLY) = -1 ENOENT (No such file or directory)
697   futex(0x7f52ad56c928, FUTEX_WAKE_PRIVATE, 2147483647) = 0
697   getrandom( <unfinished ...>
587   <... wait4 resumed> 0x7ffe3ecf748c, 0, NULL) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
697   <... getrandom resumed> 0x5577627046e0, 32, 0) = ? ERESTARTSYS (To be restarted if SA_RESTART is set)
587   --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=1, si_uid=0} ---
697   --- SIGTERM {si_signo=SIGTERM, si_code=SI_USER, si_pid=1, si_uid=0} ---
587   +++ killed by SIGTERM +++
697   +++ killed by SIGTERM +++

Which I'd suspect has something to do with apache or some library it depends on
moving to getrandom, which (I believe) blocks of the entropy pool isn't good
enough yet. It looks like openssh is affected by something similar:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=912087

The difference with openssh, though, is that it eventually does come up as its
systemd config allows it to be retried. apache2, on the other hand, does not
allow this. Which means on systems that have poor entropy sources (like virtual
machines) the machine will start, but apache2 will never come up until it's
manually started.

I'm not certain where the actual bug is here, maybe this is something systemd
should be able to block on, but in either case I wouldn't be surprised if this
starts affecting users of apache in virtual environments specifically.

-- Package-specific info:

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages apache2 depends on:
ii  apache2-bin    2.4.37-1
ii  apache2-data   2.4.37-1
ii  apache2-utils  2.4.37-1
ii  dpkg           1.19.2
ii  lsb-base       9.20170808
ii  mime-support   3.61
ii  perl           5.28.0-3
ii  procps         2:3.3.15-2

Versions of packages apache2 recommends:
ii  ssl-cert  1.0.39

Versions of packages apache2 suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-36+b1

Versions of packages apache2-bin depends on:
ii  libapr1                  1.6.3-3
ii  libaprutil1              1.6.1-3+b1
ii  libaprutil1-dbd-sqlite3  1.6.1-3+b1
ii  libaprutil1-ldap         1.6.1-3+b1
ii  libbrotli1               1.0.7-1
ii  libc6                    2.27-8
ii  libcurl4                 7.61.0-1
ii  libjansson4              2.11-1
ii  libldap-2.4-2            2.4.46+dfsg-5+b1
ii  liblua5.2-0              5.2.4-1.1+b2
ii  libnghttp2-14            1.34.0-1
ii  libpcre3                 2:8.39-11
ii  libssl1.1                1.1.1-2
ii  libxml2                  2.9.4+dfsg1-7+b2
ii  perl                     5.28.0-3
ii  zlib1g                   1:1.2.11.dfsg-1

Versions of packages apache2-bin suggests:
pn  apache2-doc                                      <none>
pn  apache2-suexec-pristine | apache2-suexec-custom  <none>
ii  w3m [www-browser]                                0.5.3-36+b1

Versions of packages apache2 is related to:
ii  apache2      2.4.37-1
ii  apache2-bin  2.4.37-1

-- Configuration Files:
/etc/apache2/apache2.conf changed:
DefaultRuntimeDir ${APACHE_RUN_DIR}
PidFile ${APACHE_PID_FILE}
Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 5
User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}
HostnameLookups Off
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel debug
IncludeOptional mods-enabled/*.load
IncludeOptional mods-enabled/*.conf
Include ports.conf
<Directory />
	Options FollowSymLinks
	AllowOverride None
	Require all denied
</Directory>
<Directory /usr/share>
	AllowOverride None
	Require all granted
</Directory>
<Directory /var/www/>
	Options Indexes FollowSymLinks
	AllowOverride None
	Require all granted
</Directory>
AccessFileName .htaccess
<FilesMatch "^\.ht">
	Require all denied
</FilesMatch>
LogFormat "%v:%p %h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
LogFormat "%h %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %O" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
IncludeOptional conf-enabled/*.conf
IncludeOptional sites-enabled/*.conf

/etc/apache2/sites-available/000-default.conf changed:
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com
        Redirect 404 /
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>


-- no debconf information

--- End Message ---
--- Begin Message --- 
On Thu, 14 Mar 2019 13:18:37 +0100 Paul Gevers <elbrus@debian.org> wrote:
> I asked DLange on IRC and he is willing to come up with a proper text
> for this in due time if the situation can't be improved.

And so he did. Pushed in
https://salsa.debian.org/ddp-team/release-notes/commit/5f76abd and
follow up commit.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
Reply to: