Description of problem: After upgrade to Fedora 25, ocserv's KDC proxy stopped working. Journal output says there is a problem with the randomness source, reported by GnuTLS:

ocserv-0.11.4-1.fc25.x86_64

# journalctl -u ocserv -f
-- Logs begin at Sat 2014-11-01 17:38:46 CET. --
Sep 14 07:27:56 id.vda.li systemd[1]: Starting OpenConnect SSL VPN server...
Sep 14 07:27:56 id.vda.li ocserv[2537]: Setting 'plain' as primary authentication method
Sep 14 07:27:56 id.vda.li ocserv[2537]: Enabling 'gssapi' as authentication method
Sep 14 07:27:56 id.vda.li ocserv[2537]: Enabling 'gssapi' as authentication method
Sep 14 07:27:56 id.vda.li ocserv[2537]: Setting 'file' as supplemental config option
Sep 14 07:28:06 id.vda.li systemd[1]: ocserv.service: PID file /var/run/ocserv.pid not readable (yet?) after start: No such file or directory
Sep 14 07:28:06 id.vda.li ocserv[2608]: main: initialized ocserv 0.11.4
Sep 14 07:28:06 id.vda.li ocserv[2609]: sec-mod: reading supplemental config from files
Sep 14 07:28:06 id.vda.li systemd[1]: Started OpenConnect SSL VPN server.
Sep 14 07:28:06 id.vda.li ocserv[2609]: sec-mod: sec-mod initialized (socket: /var/lib/ocserv/ocserv.sock.2608)
Sep 14 07:28:32 id.vda.li ocserv[2613]: GnuTLS error (at worker-vpn.c:585): Error in the system's randomness device.
Sep 14 07:28:32 id.vda.li ocserv[2608]: main: X.X.X.X:50280 user disconnected (reason: unspecified, rx: 0, tx: 0)

Unfortunately, nothing points to the exact issue. audit.log does not have any indication that the ocserv daemon process couldn't write to /dev/random or /dev/urandom. gnutls-cli-debug cannot connect to ocserv, as ocserv just drops the connection immediately due to the GnuTLS error. gnutls-cli, when run on the same host against an Apache server running on the same host, works just fine. Looking at similar errors in search engines, I can see Debian users complaining about nzbt showing the same problem in daemon mode when built against gnutls.
Unfortunately, no recipe was provided there other than rebuilding against OpenSSL. I'm filing the bug against ocserv, but feel free to move it to gnutls if that is the real place where the issue happens.
Ok, tracing ocserv shows the following:

--------------------------------------------------------------------------
[pid  2781] clock_gettime(CLOCK_REALTIME, {1473832277, 955959216}) = 0
[pid  2781] brk(NULL)                   = 0x563df2640000
[pid  2781] brk(NULL)                   = 0x563df2640000
[pid  2781] brk(0x563df263b000)         = 0x563df263b000
[pid  2781] brk(NULL)                   = 0x563df263b000
[pid  2781] getrandom(0x7ffd1021dc90, 32, 0) = -1 EPERM (Operation not permitted)
[pid  2781] sendto(7, "<27>Sep 14 07:51:17 ocserv[2781]: GnuTLS error (at worker-vpn.c:585): Error in the system's randomness device.", 110, MSG_NOSIGNAL, NULL, 0) = 110
[pid  2781] exit_group(1)               = ?
--------------------------------------------------------------------------

So, gnutls started using the getrandom() call, but the environment is not set to allow it. I'm running the 4.8.0-0.rc5.git1.1.fc25.x86_64 kernel. Both bug 1172273 and bug 1329996 sound not very optimistic about getting getrandom() into glibc. Can we back out the use of getrandom() in gnutls, or at least try other means if that one is failing?
This is, at the very least, a blocker for use of ocserv in Fedora 25.
Yes, gnutls uses getrandom() in F25 using the syscall() interface. If you set isolate-worker=false, would that work? If yes, then I need to update ocserv's allowed set of system calls to include getrandom().
https://gitlab.com/ocserv/ocserv/commit/cc1dbf1c246375c175b4392e3c6ca2139b0c355a
Yes, changing 'isolate-workers' to 'true' helped.
ocserv-0.11.4-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-86f48d69f1
To get deeper into the issue: getrandom() was detected on gnutls library initialization, and the getrandom handlers were set to obtain randomness. However, once the child process started with limited privileges in terms of syscalls, gnutls failed. Given that this is supposed to happen (seccomp filter), I guess this is a legitimate bug for ocserv rather than something that should be addressed in gnutls.
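Added illustration (not code from this bug report, ocserv or gnutls): a minimal seccomp-bpf filter whose allowlist omits getrandom(2), installed in a forked child, reproduces the strace result above, getrandom() returning -1 EPERM, while the unfiltered call succeeds. The filter shape and the helper names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Filter that returns EPERM for getrandom(2) and allows everything else.
 * Illustrative only: mimics a syscall allowlist written before the library
 * started preferring getrandom(). A production filter also checks the arch. */
static int install_filter_blocking_getrandom(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getrandom, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Call getrandom() in a forked child, with the filter installed when block
 * is nonzero. Returns 0 on success, the child's errno on failure, or -1 if
 * the child could not be set up. Forking keeps the caller unfiltered. */
int getrandom_under_filter(int block)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        unsigned char buf[32];
        if (block && install_filter_blocking_getrandom() != 0)
            _exit(255);
        long n = syscall(__NR_getrandom, buf, sizeof buf, 0);
        _exit(n == (long)sizeof buf ? 0 : (errno & 0xff));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}

int main(void) { printf("unfiltered=%d filtered=%d (EPERM=%d)\n", getrandom_under_filter(0), getrandom_under_filter(1), EPERM); return 0; }
```

Running it unfiltered returns 0 and filtered returns EPERM (1), which is the same failure the worker hit before getrandom() was added to ocserv's allowed syscall set.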
ocserv-0.11.4-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-86f48d69f1
ocserv-0.11.4-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
ocserv-0.11.5-1.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f145304e25
ocserv-0.11.5-1.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.