All,

On 8/11/16 11:10 PM, Marat Khalili wrote:
> From what I saw, this behavior of /dev/random is totally normal on
> an idle Linux system.

There seems to be some confusion about /dev/random on Linux systems.

Yes, the behavior described here is normal: when the system comes up, there is very little entropy available on /dev/random. /dev/random needs random events to occur in order to provide that entropy, and those events are things like I/O interrupt timings, etc. IIRC, Linux relies on the keyboard to generate lots of those events and, on a server, the keyboard by definition doesn't get used. So other events are required to fill that entropy pool.

So, after a reboot, the entropy pool is "shallow".

/dev/random is supposed to be a source of high-quality randomness
/dev/urandom is supposed to be a source of low-quality randomness

> Just do not ever use /dev/random.

The choice of which to use is up to you, but remember that low-quality randomness gets you low-quality crypto keys. But to say that one should "not ever use /dev/random" is really bad advice.

-chris

[1] https://en.wikipedia.org/wiki//dev/random#Linux

> --
>
> With Best Regards, Marat Khalili
>
> On July 30, 2016 6:04:42 AM GMT+03:00, Nick Williams
> <nicholas@xxxxxxxxxxxxxxxxxxxx> wrote:
>
> It took me a while to get back to this (it’s not a
> mission-critical server, but I have hit a point where I really do
> need to get it working again).
>
> `apachectl restart` hung for many, many minutes without any input,
> and I eventually quit it. I ran it again with `strace -Ff
> apachectl restart`.
> Towards the end it had read all of the vhost
> config files and opened up the request and error logs configured in
> them, and it read the media types config file:
>
> [pid 22537] read(35, "# This file maps Internet media "..., 4096) = 4096
>
> But after that is where things got weird:
>
> [pid 22537] mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f73aff27000
> [pid 22537] open("/dev/random", O_RDONLY|O_CLOEXEC) = 35
> [pid 22537] read(35, " p$\242\33\241", 1024) = 6
> [pid 22537] read(35, "\205\31\345\274A\336", 1018) = 6
> [pid 22537] read(35, "\335\16\7\370\343\311", 1012) = 6
> [pid 22537] read(35, "\265\362\20}F\234", 1006) = 6
> [pid 22537] read(35, "\223}\\\0+\242", 1000) = 6
> [pid 22537] read(35,
>
> Each `read` line there took about a full minute. It’s spending
> FOREVER reading from /dev/random. That led me to try to read from
> /dev/random, and it is only generating a byte every few seconds. I
> don’t know why, but /dev/random appears to be borked on this
> machine.
>
> I changed ssl-global.conf to use /dev/urandom instead of
> /dev/random, and it started right up in a matter of seconds.
>
> I know this is now off-topic, but does anyone know why /dev/random
> would suddenly be gathering almost no entropy? I have never had
> this problem on this system before.
>
> Thanks,
>
> Nick
>
>> On Jul 16, 2016, at 9:56 PM, Frank Gingras <thumbs@xxxxxxxxxx> wrote:
>>
>> Try to use apachectl restart instead to bypass your init
>> scripts. The latter are likely to hide actual errors that would
>> appear on STDERR.
>>
>> If apachectl restart still gives you that error, perhaps your
>> distro mangled it as well. Then, I would use strace with httpd
>> -X to get the complete picture.
>>
>> On Sat, Jul 16, 2016 at 6:47 AM, Nicholas Williams
>> <nicholas@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> I have a server running OpenSUSE 42.1 with stock Apache HTTPD 2
>> installed from the package manager. It has been running without
>> issue for well over a year. We've restarted the service and the
>> server since then without issue. The service always starts on
>> its own when the server boots.
>>
>> Last night we had a power failure. The server came up fine. All
>> services, including MySQL, started fine. No obvious issues appear
>> anywhere. But HTTPD didn't start automatically. So I logged in to
>> the server to investigate and try to start it.
>>
>> `service apache2 status` said FAILED with no details.
>> `/var/log/apache2/error_log` showed nothing since the day before
>> the power failure.
>>
>> `service apache2 start` hung for about 2 minutes, and then said
>> FAILED with no details. `/var/log/apache2/error_log` still showed
>> nothing since the day before the power failure. There was nothing
>> in the system log since my log-in to the server.
>>
>> So I tried `strace -Ff service apache2 start`. The only thing I
>> see suspicious is it calls open on
>> `/run/systemd/ask-password-block`. It appears it times out after
>> never receiving a password. But I have no idea why it would do
>> that. None of my SSL certificates have passphrases, and I've
>> always been able to start HTTPD without a password.
>>
>> I'm at a loss here. Any suggestions?
>>
>> Thanks,
>>
>> Nick
>> ---------------------------------------------------------------------
>>
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
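
Added example, not part of the thread: a shell check for the condition Nick diagnosed, a mod_ssl SSLRandomSeed directive that reads from /dev/random, together with the kernel's entropy estimate. The function names, the 200-bit threshold and the sample configuration are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the 200-bit
# threshold and the sample configuration are assumptions.

# seed_audit FILE...
# Print "file:line context bytes" for every mod_ssl SSLRandomSeed directive
# that seeds from /dev/random, the device the strace above shows blocking.
seed_audit() {
    awk '
        $1 ~ /^#/ { next }                 # skip commented-out directives
        tolower($1) == "sslrandomseed" && $3 == "file:/dev/random" {
            printf "%s:%d %s %s\n", FILENAME, FNR, $2, ($4 == "" ? "-" : $4)
        }' "$@"
}

# entropy_state [FILE] [MIN_BITS]
# Print "ok N" or "low N" from the kernel's entropy estimate.
entropy_state() {
    f=${1:-/proc/sys/kernel/random/entropy_avail}
    min=${2:-200}
    [ -r "$f" ] || { echo "unknown"; return 2; }
    bits=$(cat "$f")
    if [ "$bits" -lt "$min" ]; then
        echo "low $bits"
        return 1
    fi
    echo "ok $bits"
}

# Constructed sample in the style of a distribution ssl-global.conf.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/random 1024
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect builtin
  sslrandomseed connect file:/dev/random 512
EOF

seed_audit "$SAMPLE"      # lists lines 2 and 5 of the sample
entropy_state || true     # live reading on Linux; "unknown" elsewhere
```

Since Linux 5.6, /dev/random blocks only until the kernel generator has been seeded once, so the minutes-long reads in this thread are the behaviour of older kernels.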