Bug 1812120

Summary: OpenSSH fails to start in LXC container with error "Failed to seed from getrandom: Function not implemented"
Product: Red Hat Enterprise Linux 8
Reporter: f.eichenberger
Component: openssh
Assignee: Jakub Jelen <jjelen>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: high
Priority: medium
Version: 8.0
CC: omoris, tmraz
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Hardware: x86_64
OS: Linux
Fixed In Version: openssh-8.0p1-5.el8
Doc Type: No Doc Update
Last Closed: 2020-11-04 01:32:00 UTC
Type: Bug

Description f.eichenberger 2020-03-10 14:47:41 UTC
Description of problem:
This happens on a CentOS 8 LXC container running on a CentOS 7 Host (or anything with a Kernel < 3.17).

OpenSSH fails to start due to a failing SYSCALL to the not-implemented function "getrandom".
Normally it should fall back to /dev/urandom, at least I presume that's why OpenSSL has no issues.

When OpenSSH is rebuilt in this environment, it doesn't throw this error.
I suspect it's the compiled-in (or not) OpenSSL support.

Version-Release number of selected component (if applicable):
openssh.x86_64                              8.0p1-4.el8_1                          @BaseOS      
openssh-clients.x86_64                      8.0p1-4.el8_1                          @BaseOS      
openssh-server.x86_64                       8.0p1-4.el8_1                          @BaseOS 

How reproducible:
Always


Steps to Reproduce:
1. Set up a CentOS 8 LXC container on a host with Kernel < 3.17 (for instance CentOS 7)
2. Start OpenSSH in container

Actual results:
Mar 10 10:06:18 devel-el8-test systemd[1]: Starting OpenSSH server daemon...
Mar 10 10:06:18 devel-el8-test sshd[196]: Failed to seed from getrandom: Function not implemented
Mar 10 10:06:18 devel-el8-test systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Mar 10 10:06:18 devel-el8-test systemd[1]: sshd.service: Failed with result 'exit-code'.
Mar 10 10:06:18 devel-el8-test systemd[1]: Failed to start OpenSSH server daemon.

Expected results:
sshd up and running (using fallback for seeding, like openssl (presumably) does)

Additional info:
I know CentOS 8 is shipped with Kernel 4.18, where this isn't an issue, but running on shared components is common (for example Docker).

Just found the attached issue regarding a CentOS 8 Docker container, didn't find much otherwise, besides the whole "/dev/random" story around the Kernel.


Thank you for any assistance :)

Comment 7 f.eichenberger 2020-03-13 14:31:26 UTC
Never mind, the Kernel in use was much too old, runs fine after updating CentOS 7.

The getrandom syscall was backported to CentOS 7 Kernel 3.10.0-544 (see bugzilla #1330000).


Issue can be closed.

Comment 8 Jakub Jelen 2020-03-16 08:26:10 UTC
Thank you for figuring out the issue and coming back. But let's keep this one open and fix it in the next release, as there was never an intention to depend on the getrandom syscall.

Comment 14 errata-xmlrpc 2020-11-04 01:32:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4439
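
The fallback that the description expects and that Comment 8 refers to (seeding without depending on the getrandom syscall), as an added example; it is not code from OpenSSH, OpenSSL or the Red Hat fix. The names seed_bytes, getrandom_fn and old_kernel_getrandom are hypothetical, and old_kernel_getrandom is a constructed stand-in for a host kernel without the syscall. It assumes Linux build headers that define SYS_getrandom.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

enum seed_source { SEED_FAILED, SEED_GETRANDOM, SEED_URANDOM };
typedef ssize_t (*getrandom_fn)(void *buf, size_t len); /* hypothetical hook */

/* Real syscall; fails with ENOSYS when the running kernel lacks getrandom(2). */
static ssize_t sys_getrandom(void *buf, size_t len) {
    return syscall(SYS_getrandom, buf, len, 0);
}
/* Constructed stand-in that behaves like a kernel without the syscall. */
static ssize_t old_kernel_getrandom(void *buf, size_t len) {
    (void)buf; (void)len;
    errno = ENOSYS;
    return -1;
}
/* Read exactly len bytes from /dev/urandom, retrying short or interrupted reads. */
static int read_urandom(unsigned char *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    for (size_t off = 0; off < len; ) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }
        off += (size_t)n;
    }
    close(fd);
    return 0;
}
/* Prefer getrandom; fall back to /dev/urandom only when the syscall is missing. */
enum seed_source seed_bytes(unsigned char *buf, size_t len, getrandom_fn gr) {
    for (size_t off = 0; off < len; ) {
        ssize_t n = gr(buf + off, len - off);
        if (n > 0) { off += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && errno == ENOSYS)
            return read_urandom(buf, len) == 0 ? SEED_URANDOM : SEED_FAILED;
        return SEED_FAILED; /* any other error is fatal, never an unseeded start */
    }
    return SEED_GETRANDOM;
}
int main(void) {
    unsigned char seed[32];
    printf("running kernel: source=%d\n", seed_bytes(seed, sizeof seed, sys_getrandom));
    printf("simulated old kernel: source=%d\n", seed_bytes(seed, sizeof seed, old_kernel_getrandom));
    return 0;
}
```

Source 1 means the bytes came from getrandom and 2 means they came from /dev/urandom; the container in this report shares the host kernel, so it is the host's kernel version that decides which path runs.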