Bug 2077036
Summary: | recent rng-tools updates to run udevadm --settle hang in container [rhel-9.0.0.z] | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 9 | Reporter: | RHEL Program Management Team <pgm-rhel-tools> |
Component: | rng-tools | Assignee: | Vladis Dronov <vdronov> |
Status: | CLOSED ERRATA | QA Contact: | Vilém Maršík <vmarsik> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 9.0 | CC: | core-kernel-mgr, dbohanno, sbroz, vdronov, vmarsik |
Target Milestone: | rc | Keywords: | Triaged, ZStream |
Target Release: | 9.0 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | 2075977 | Environment: | |
Last Closed: | 2022-06-28 14:58:57 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2075977 | ||
Bug Blocks: | 2079379 |
Comment 2
Vladis Dronov
2022-04-22 14:32:12 UTC
simple test plan:

0) ensure no config and 'rngd' user exists from previous installations

```
# userdel -r rngd
# rm -f /etc/sysconfig/rngd*
```

1) grab rngd daemon package from brew via links above

2) install it

3) verify that both service files DO NOT contain "udevadm" command:

```
# grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
<none>
```

4) verify that 'rngd' user has home directory set as '/' and pwck does not return an error related to 'rngd' user:

```
# getent passwd rngd
# pwck
```

5) optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked, then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of "rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code:

```
# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# ./rngtestjitter.sh ; echo $?
```

6) clean up

```
# dnf -y erase rng-tools
# rm -f rng-tools*rpm
```

Thanks for sharing your testplan. Almost working on RHEL-9.0.0-updates-20220425.d.0 x86_64, except the optional rngtestzero.sh has 100% of FIPS failures. What do you think about that?

---

```
# rpm -q rng-tools
package rng-tools is not installed
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# wget http://download.eng.bos.redhat.com/brewroot/work/tasks/3738/44793738/rng-tools-6.14-4.git.b2b7934e.el9_0.x86_64.rpm
# dnf install rng-tools-6.14-4.git.b2b7934e.el9_0.x86_64.rpm
(...)
Installed:
  jitterentropy-3.3.1-2.el9.x86_64 rng-tools-6.14-4.git.b2b7934e.el9_0.x86_64

Complete!
# grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
# getent passwd rngd
rngd:x:987:987:Random Number Generator Daemon:/:/sbin/nologin
# pwck
# wget http://download.eng.bos.redhat.com/brewroot/work/tasks/3710/44793710/rng-tools-6.14-4.git.b2b7934e.el9_0.src.rpm
# rpm2cpio rng-tools-6.14-4.git.b2b7934e.el9_0.src.rpm | cpio --extract --make-directories --no-absolute-filenames
163 blocks
# tar xvfz rng-tools-6.14.tar.gz
(...)
# cd rng-tools-6.14/tests/
# vim rngtestzero.sh
# vim rngtesturandom.sh
# vim rngtestjitter.sh
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=9.313; avg=15.652; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=529.819; avg=854.547; max=908.261)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2595 microseconds
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=9.313; avg=15.143; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=147.856; avg=204.038; max=214.309)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=44444444444.444; max=0.000)bits/s
rngtest: Program run time: 10170 microseconds
0
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=108.991; avg=433.095; max=544.957)Mibits/s
rngtest: FIPS tests speed: (min=136.239; avg=142.244; max=145.599)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=26666666666.667; max=0.000)bits/s
rngtest: Program run time: 2693506 microseconds
killing
0
```

Okay, rngtestzero.sh should be designed to run on blocks of zeros, and 100% FIPS failure is expected here. Setting verified:tested.

[CI] [GATING] [DONE] rng-tools-6.14-5.git.b2b7934e.el9_0 passed gating because all required tests passed
rng-tools-6.14-5.git.b2b7934e.el9_0 successfully moved from rhel-9.0.0-z-gate into rhel-9.0.0-z-candidate
brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44939775
osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/44939775

additional test step for a new build:

1) there was an issue with user/group creation in certain cases. test:

set "USERGROUPS_ENAB no" in /etc/login.defs

ensure no rngd user and group exist, check the setting:

```
# getent passwd rngd ; getent group rngd ; grep USERGROUPS_ENAB /etc/login.defs ; id rngd
USERGROUPS_ENAB no
id: ‘rngd’: no such user
```

install a package

ensure user and group exist and rngd user has rngd group (NOT some other) with the same command:

```
# getent passwd rngd ; getent group rngd ; grep USERGROUPS_ENAB /etc/login.defs ; id rngd
```

run the service. it should start without errors: (a pause is needed for the jitter lib to initialize)

```
systemctl start rngd ; sleep 5 ; systemctl status rngd
```

*** Bug 2079379 has been marked as a duplicate of this bug. ***

Same build as for stage1, is this correct?

=====

The build is passing the additional test from Comment #10 on RHEL-9.0.0-updates-20220504.0 :

```
# getent passwd rngd ; getent group rngd ; grep USERGROUPS_ENAB /etc/login.defs ; id rngd
USERGROUPS_ENAB no
id: ‘rngd’: no such user
# dnf install http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.14/5.git.b2b7934e.el9_0/x86_64/rng-tools-6.14-5.git.b2b7934e.el9_0.x86_64.rpm
(...)
Installed:
  rng-tools-6.14-5.git.b2b7934e.el9_0.x86_64

Complete!
# getent passwd rngd ; getent group rngd ; grep USERGROUPS_ENAB /etc/login.defs ; id rngd
rngd:x:987:987:Random Number Generator Daemon:/:/sbin/nologin
rngd:x:987:
USERGROUPS_ENAB no
uid=987(rngd) gid=987(rngd) groups=987(rngd)
# systemctl start rngd ; sleep 5 ; systemctl status rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
     Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-05-04 17:13:31 EDT; 5s ago
   Main PID: 22013 (rngd)
      Tasks: 5 (limit: 48592)
     Memory: 2.1M
        CPU: 19.874s
     CGroup: /system.slice/rngd.service
             └─22013 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist

May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com systemd[1]: Started Hardware RNG Entropy Gatherer Daemon.
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: Disabling 7: PKCS11 Entropy generator (pkcs11)
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: Disabling 5: NIST Network Entropy Beacon (nist)
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: Initializing available sources
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: [hwrng ]: Initialized
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: [rdrand]: Enabling RDRAND rng support
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: [rdrand]: Initialized
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: [jitter]: Initializing AES buffer
```

(In reply to Vilém Maršík from comment #12)
> Same build as for stage1, is this correct?

i'm not sure what you mean by "stage 1", the latest build i mean is mentioned in #c9, rng-tools-6.14-5.git.b2b7934e.el9_0.

it looks like yes, this build passes the last test, thank you!

Okay, setting verified.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5243
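
The unit-file and service-account checks from the test plan in this thread (steps 3 and 4, plus the additional USERGROUPS_ENAB step), written as a script. This is an added example, not part of the bug report or of rng-tools; the function names `check_no_udevadm` and `check_account`, the return codes and the second passwd line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: packaging checks that work on captured text, so they can be
# run against a live host or against saved getent output. Names are hypothetical.

# check_no_udevadm FILE...: succeed only if no unit file mentions udevadm.
# Returns 2 for an unreadable file, 1 if udevadm is present.
check_no_udevadm() {
    for unit in "$@"; do
        [ -r "$unit" ] || { echo "missing: $unit"; return 2; }
        if grep -q 'udevadm' "$unit"; then
            echo "udevadm found in $unit"; return 1
        fi
    done
    return 0
}

# check_account PASSWD_LINE GROUP_LINE: verify the service account from one
# `getent passwd` line and one `getent group` line:
#   - a group with the same name as the user exists
#   - the user's primary GID is that group's GID (not some other group)
#   - the home directory is "/"
check_account() {
    passwd_line=$1 group_line=$2
    user=$(printf '%s\n' "$passwd_line" | cut -d: -f1)
    pgid=$(printf '%s\n' "$passwd_line" | cut -d: -f4)
    home=$(printf '%s\n' "$passwd_line" | cut -d: -f6)
    gname=$(printf '%s\n' "$group_line" | cut -d: -f1)
    ggid=$(printf '%s\n' "$group_line" | cut -d: -f3)
    [ -n "$user" ] || { echo "no passwd entry"; return 2; }
    [ "$gname" = "$user" ] || { echo "no group named $user"; return 3; }
    [ "$pgid" = "$ggid" ] || { echo "primary gid $pgid is not $gname ($ggid)"; return 4; }
    [ "$home" = "/" ] || { echo "home is $home, expected /"; return 5; }
    return 0
}

# Sample data: the first passwd line and the group line are the getent output
# shown in the thread; the second passwd line is constructed to model a user
# whose primary group is some other group.
good_passwd='rngd:x:987:987:Random Number Generator Daemon:/:/sbin/nologin'
bad_passwd='rngd:x:987:100:Random Number Generator Daemon:/:/sbin/nologin'
rngd_group='rngd:x:987:'
check_account "$good_passwd" "$rngd_group" && echo "account OK"
check_account "$bad_passwd" "$rngd_group" || echo "rejected (rc=$?)"
```

On an installed system the same functions take live input: `check_account "$(getent passwd rngd)" "$(getent group rngd)"` and `check_no_udevadm` with the two service file paths from step 3.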