Bug 2491739

Summary: Upgraded system can fail to boot with recent haveged updates if service has run but is not enabled
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: havegedAssignee: Jiri Hladky <hladky.jiri>
Status: VERIFIED --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: hladky.jiri, jhladky
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Adam Williamson 2026-06-23 14:38:01 UTC
In Fedora openQA, we have (or had) the FreeIPA tests set up to use haveged to avoid problems with insufficient entropy during certificate generation etc. when deploying the FreeIPA server. Before deploying FreeIPA servers, tests did 'dnf -y install haveged' then 'systemctl start haveged.service'.

Recently, FreeIPA tests on Rawhide updates suddenly started failing. The specific test that was failing is one where we boot a previous release (so Fedora 44 in this case), install haveged (to ensure we have enough entropy for FreeIPA certificate stuff), then deploy it as a FreeIPA server, then upgrade the system to the tested release and test that the server still works after the upgrade. After the recent haveged updates - 1.9.23 and 1.9.24 - the system boots to emergency mode after the upgrade.

Further testing indicates this is reproducible without FreeIPA, you just have to do the following:

1. Install Fedora 44 Server
2. Do 'dnf -y install haveged; systemctl start haveged.service' but do **NOT** do 'systemctl enable haveged.service'
3. Do system upgrade, including a repo with the 1.9.24 build: 'dnf -y --releasever=45 --repofrompath=haveged124,https://adamwill.fedorapeople.org/haveged124 --nogpgcheck system-upgrade download' (then 'dnf offline reboot' or whatever)

This should trigger the issue. It seems that having previously run the haveged service but *not* having it enabled (so it doesn't start during the upgrade and post-upgrade boots) is a key element. If the service is enabled, the bug doesn't happen.

Comment 1 Fedora Update System 2026-06-23 22:59:16 UTC
FEDORA-2026-cf1b1b3d16 (haveged-1.9.25-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-cf1b1b3d16

Comment 2 Fedora Update System 2026-06-23 22:59:20 UTC
FEDORA-2026-6a17c7864b (haveged-1.9.25-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-6a17c7864b

Comment 3 Fedora Update System 2026-06-23 23:02:04 UTC
FEDORA-EPEL-2026-504948f7d0 (haveged-1.9.25-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-504948f7d0

Comment 4 Fedora Update System 2026-06-23 23:02:08 UTC
FEDORA-EPEL-2026-40258434d5 (haveged-1.9.25-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-40258434d5

Comment 5 Fedora Update System 2026-06-23 23:02:13 UTC
FEDORA-EPEL-2026-74f2be0676 (haveged-1.9.25-1.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-74f2be0676

Comment 6 Jiri Hladky 2026-06-23 23:21:41 UTC
Thank you for the excellent bug report, Adam!
  
Root cause: The v1.9.24 haveged.service added --no-command (which disables the command socket) and PrivateNetwork=true. The dracut module installed this same service file into the initramfs, breaking the switch-root handoff. The haveged-switch-root.service could no longer tell the running haveged to chroot and re-exec into the real root. On systems where haveged was started but not enabled, haveged didn't survive the initramfs-to-real-root transition, creating an entropy gap that triggered emergency mode.

Fix (v1.9.25): Added a separate haveged-initramfs.service without --no-command and without PrivateNetwork=true. The dracut module now installs this file as haveged.service inside the initramfs, so the switch-root mechanism works again. The real-root service keeps the hardened configuration.

  - Upstream release: https://github.com/jirka-h/haveged/releases/tag/v1.9.25
  - Bodhi update (F44): https://bodhi.fedoraproject.org/updates/FEDORA-2026-cf1b1b3d16
  - Updates also submitted for F43, EPEL10.2, EPEL10, and EPEL9.
  - The EPEL8 v1.9.24 update has been unpushed; EPEL8 stays on v1.9.23 for now.

Testing so far: I verified the fix on a Fedora 44 VM by installing the package from koji, rebuilding the initramfs with dracut -f, and confirming with lsinitrd that the initramfs haveged.service no longer contains --no-command or PrivateNetwork=true, while the real-root service retains both. I have not yet tested the full boot scenario.

Adam, could you please help to verify the fix? Thank you!
Jirka

Comment 7 Fedora Update System 2026-06-24 01:21:16 UTC
FEDORA-2026-cf1b1b3d16 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-cf1b1b3d16`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-cf1b1b3d16

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2026-06-24 01:40:34 UTC
FEDORA-EPEL-2026-504948f7d0 has been pushed to the Fedora EPEL 10.2 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-504948f7d0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2026-06-24 01:41:10 UTC
FEDORA-EPEL-2026-40258434d5 has been pushed to the Fedora EPEL 10.3 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-40258434d5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2026-06-24 01:49:54 UTC
FEDORA-EPEL-2026-74f2be0676 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-74f2be0676

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2026-06-24 02:01:54 UTC
FEDORA-2026-6a17c7864b has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-6a17c7864b`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-6a17c7864b

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Adam Williamson 2026-06-24 08:28:50 UTC
https://openqa.stg.fedoraproject.org/tests/6576185#live should tell us whether this is good (testing the 1.9.26 update for Rawhide).

Comment 13 Fedora Update System 2026-06-24 08:57:33 UTC
FEDORA-2026-28f26f5294 (haveged-1.9.26-1.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-28f26f5294

Comment 14 Fedora Update System 2026-06-24 08:57:39 UTC
FEDORA-2026-5ddd0941a8 (haveged-1.9.26-1.fc43) has been submitted as an update to Fedora 43.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-5ddd0941a8

Comment 15 Fedora Update System 2026-06-24 08:57:44 UTC
FEDORA-EPEL-2026-e15fb7f042 (haveged-1.9.26-1.el10_2) has been submitted as an update to Fedora EPEL 10.2.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-e15fb7f042

Comment 16 Fedora Update System 2026-06-24 08:57:50 UTC
FEDORA-EPEL-2026-e6d245c837 (haveged-1.9.26-1.el10_3) has been submitted as an update to Fedora EPEL 10.3.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-e6d245c837

Comment 17 Fedora Update System 2026-06-24 08:57:55 UTC
FEDORA-EPEL-2026-4245f60523 (haveged-1.9.26-1.el9) has been submitted as an update to Fedora EPEL 9.
https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-4245f60523

Comment 18 Adam Williamson 2026-06-24 09:08:47 UTC
It looks like the fix is good, the test progressed past the point where it previously failed to emergency mode.

Comment 19 Jiri Hladky 2026-06-24 10:58:22 UTC
Thank you for the verification, Adam!

Comment 20 Fedora Update System 2026-06-25 16:30:34 UTC
FEDORA-2026-28f26f5294 has been pushed to the Fedora 44 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-28f26f5294`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-28f26f5294

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 21 Fedora Update System 2026-06-25 16:35:15 UTC
FEDORA-EPEL-2026-e6d245c837 has been pushed to the Fedora EPEL 10.3 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-e6d245c837

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 22 Fedora Update System 2026-06-25 16:40:51 UTC
FEDORA-EPEL-2026-4245f60523 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-4245f60523

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 23 Fedora Update System 2026-06-25 16:41:30 UTC
FEDORA-EPEL-2026-e15fb7f042 has been pushed to the Fedora EPEL 10.2 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-e15fb7f042

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 24 Fedora Update System 2026-06-25 16:54:33 UTC
FEDORA-2026-5ddd0941a8 has been pushed to the Fedora 43 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2026-5ddd0941a8`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2026-5ddd0941a8

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.