| Summary: | ocserv kdcproxy stopped to work in Fedora 25 due to GNUTLS error | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Alexander Bokovoy <abokovoy> |
| Component: | ocserv | Assignee: | Nikos Mavrogiannopoulos <nmavrogi> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 25 | CC: | nmavrogi |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ocserv-0.11.4-3.fc25 ocserv-0.11.5-1.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-10-10 17:47:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
Alexander Bokovoy
2016-09-14 05:44:34 UTC
Ok, tracing ocserv shows the following:
--------------------------------------------------------------------------
[pid 2781] clock_gettime(CLOCK_REALTIME, {1473832277, 955959216}) = 0
[pid 2781] brk(NULL) = 0x563df2640000
[pid 2781] brk(NULL) = 0x563df2640000
[pid 2781] brk(0x563df263b000) = 0x563df263b000
[pid 2781] brk(NULL) = 0x563df263b000
[pid 2781] getrandom(0x7ffd1021dc90, 32, 0) = -1 EPERM (Operation not permitted)
[pid 2781] sendto(7, "<27>Sep 14 07:51:17 ocserv[2781]: GnuTLS error (at worker-vpn.c:585): Error in the system's randomness device.", 110, MSG_NOSIGNAL, NULL, 0) = 110
[pid 2781] exit_group(1) = ?
--------------------------------------------------------------------------
So, gnutls started using the getrandom() call, but the environment is not set up to allow it.
I'm running the 4.8.0-0.rc5.git1.1.fc25.x86_64 kernel.
Both bug 1172273 and bug 1329996 sound not very optimistic about getting getrandom() into glibc. Can we back out the use of getrandom() in gnutls, or at least try other means if that one is failing?
This is, at the very least, a blocker for use of ocserv in Fedora 25.

Yes, gnutls uses getrandom() in F25 using the syscall() interface. If you set isolate-worker=false would that work? If yes, then I need to update ocserv's allowed set of system calls to include getrandom().

Yes, changing 'isolate-workers' to 'true' helped.

ocserv-0.11.4-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-86f48d69f1

To get deeper into the issue, getrandom() was detected on gnutls library initialization, and the getrandom handlers were set to obtain randomness. However, once the child process started with limited privileges in terms of syscalls, gnutls failed. Given that this is supposed to happen (seccomp filter), I guess this is a legitimate bug for ocserv rather than something that should be addressed in gnutls.

ocserv-0.11.4-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-86f48d69f1

ocserv-0.11.4-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

ocserv-0.11.5-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f145304e25

ocserv-0.11.5-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
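The failure mode discussed in this report (a seccomp allowlist in the isolated worker that predates getrandom(), so the raw syscall returns EPERM exactly as in the strace above) can be reproduced in a few lines. The following is an added example written for this page, not ocserv's or gnutls's code: it forks a "worker", installs a minimal seccomp-bpf allowlist in the child with `prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...)`, and then calls `getrandom` through the `syscall()` interface, once with the syscall left out of the allowlist and once with it added. The allowlist here is a constructed stand-in (only `exit_group` and, optionally, `getrandom`); ocserv's real filter is much larger, and a production filter would also check `seccomp_data.arch` before trusting the syscall number.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Install a seccomp-bpf allowlist in the calling process (constructed demo
 * filter, not ocserv's).  exit_group is always permitted so the worker can
 * terminate; getrandom is permitted only when allow_getrandom is non-zero.
 * Everything else returns EPERM instead of killing the process, which is the
 * behaviour the strace output in this report shows.  Returns 0 on success. */
static int install_allowlist(int allow_getrandom)
{
    struct sock_filter filter[] = {
        /* A = syscall number (a real filter checks seccomp_data.arch first) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* exit_group: always allowed */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* getrandom: allowed or denied depending on the configuration */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getrandom, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, allow_getrandom
                 ? SECCOMP_RET_ALLOW
                 : (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))),
        /* default verdict: fail the syscall with EPERM */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = sizeof filter / sizeof filter[0],
        .filter = filter,
    };

    /* An unprivileged process must set no_new_privs before loading a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a worker, confine it with the allowlist, and ask for 32 random bytes
 * via the raw syscall interface (the path gnutls takes in F25 per this report).
 * Returns 0 if the worker got its bytes, the worker's errno (EPERM == 1) if
 * the kernel denied the call, 101 if the filter could not be installed, or
 * -1 if the worker did not exit normally. */
int getrandom_under_filter(int allow_getrandom)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        unsigned char buf[32];
        long n;

        if (install_allowlist(allow_getrandom) != 0)
            _exit(101);
        n = syscall(SYS_getrandom, buf, sizeof buf, 0);
        /* _exit() maps to exit_group, which the filter allows. */
        _exit(n == (long)sizeof buf ? 0 : (n < 0 ? errno : EIO));
    }

    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

static const char *describe(int rc)
{
    if (rc == 0)   return "ok, 32 bytes returned";
    if (rc == 101) return "could not install seccomp filter";
    if (rc < 0)    return "worker did not exit normally";
    return strerror(rc);
}

int main(void)
{
    printf("getrandom() with filter lacking getrandom: %s\n",
           describe(getrandom_under_filter(0)));
    printf("getrandom() with getrandom added to filter: %s\n",
           describe(getrandom_under_filter(1)));
    return 0;
}
```

The denied run reproduces the `-1 EPERM` the strace shows; the second run is the shape of the fix the maintainer describes, adding the syscall to the worker's allowed set. Running the probe in a forked child is deliberate: a seccomp filter cannot be removed from a process once installed, so the parent stays unconfined and can compare both outcomes.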