[chrony-users] Chrony vs. Linux RNG




Hello!

I test stable/LTS kernels to help Greg KH and just updated to 4.16.4-rc1.
This contains a few patches that are supposed to help with CVEs around
randomness, and which cause an interesting catch-22 that affects chrony,
hence this mail.

The patches in question are in the stable queue and can be found under the
"random-*" prefix at:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-4.16

Not sure exactly which patch is "at fault" because I don't feel like bisecting
this mess and it's unlikely to be reverted anyway.

The initial symptom was that starting chronyd on boot seemed to "hang",
but eventually continued after ~30 secs or so, working fine as usual, so
I blamed Gremlins and continued.

Since the symptom reliably reproduced on two other machines I investigated
further and eventually found that it relates to access to the CRNG: as soon
as "random: crng init done" appeared in the kernel log, chrony would start
up without delay. Apparently accessing the CRNG now blocks in early phases
of the boot process, when not enough entropy has been collected - which is
typically the time when chrony is started as well. This can make e.g. a
headless server without concurrent background activity take a *really* long
time to boot: in one instance I measured a blocked boot process taking over
a minute instead of the usual 5 seconds. IMHO furiously pinging a booting
remote host is not really a solution, though it does seem to help. :)

Long story short, is there something chrony can do to avoid this?
Why does it need to access any random number generators in the first
place?

For now I just quick-fixed this issue for myself by starting chrony in the
background, allowing the system to boot and so creating more entropy faster -
but I realize of course the downside of adjusting time later etc.

Thanks!
Holger
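Added example, not code from Holger's mail or from chrony: a small C probe of the boot-time condition described above. It uses the real getrandom(2) syscall with the GRND_NONBLOCK flag, which returns EAGAIN instead of blocking while the kernel CRNG is still unseeded (before "random: crng init done"), so a daemon can detect that state and poll with a bounded timeout rather than hang. The helper names (crng_ready, fill_random_nonblocking, wait_for_crng) are my own, and the 2-second timeout in main is an assumed example value.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <time.h>
/* 1 = CRNG seeded ("random: crng init done"), 0 = would block (EAGAIN),
 * -1 = getrandom(2) unusable here (e.g. ENOSYS on an old kernel). */
static int crng_ready(void)
{
    unsigned char probe;
    ssize_t r = getrandom(&probe, 1, GRND_NONBLOCK);
    if (r == 1) return 1;
    return (r < 0 && errno == EAGAIN) ? 0 : -1;
}
/* Fill buf with n CRNG bytes, never blocking.  A short count with errno ==
 * EAGAIN means the pool is unseeded: poll later instead of stalling the boot. */
static size_t fill_random_nonblocking(unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = getrandom(buf + got, n - got, GRND_NONBLOCK);
        if (r < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: retry */
            break;              /* EAGAIN (unseeded) or a real error */
        }
        got += (size_t)r;
    }
    return got;
}
/* Poll crng_ready() every poll_ms for at most timeout_ms: 1 ready, 0 timeout, -1 error. */
static int wait_for_crng(int timeout_ms, int poll_ms)
{
    struct timespec ts = { poll_ms / 1000, (poll_ms % 1000) * 1000000L };
    for (int waited = 0;; waited += poll_ms) {
        int st = crng_ready();
        if (st != 0 || waited >= timeout_ms)
            return st;
        nanosleep(&ts, NULL);   /* sleep, then re-probe; never a blocking read */
    }
}
int main(void)
{
    unsigned char key[32];
    int st = wait_for_crng(2000, 50);   /* assumed boot-time budget: 2 s */
    size_t got = st == 1 ? fill_random_nonblocking(key, sizeof key) : 0;
    printf("crng state %d, %zu bytes obtained without blocking\n", st, got);
    return got == sizeof key ? 0 : 1;
}
```

On a booted system the probe reports state 1 immediately; the interesting output is during early boot on a kernel with the patches above, where state stays 0 until the seeding message appears.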
