Bug 1812120 - OpenSSH fails to start in LXC container with error "Failed to seed from getrandom: Function not implemented"
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssh
Version: 8.0
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: rc
: 8.0
Assignee: Jakub Jelen
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-03-10 14:47 UTC by f.eichenberger
Modified: 2020-04-06 08:24 UTC (History)

Fixed In Version: openssh-8.0p1-5.el8
Type: Bug
Links
System | ID | Priority | Status | Summary | Last Updated
Github CentOS sig-cloud-instance-images issues | 161 | None | open | ssh does not work for centos:8 container on ppc64le | 2020-07-10 04:38:10 UTC
Red Hat Bugzilla | 1330000 | None | None | None | 2020-03-13 14:31:26 UTC

Description f.eichenberger 2020-03-10 14:47:41 UTC
Description of problem:
This happens on a CentOS 8 LXC container running on a CentOS 7 Host (or anything with a Kernel < 3.17).

OpenSSH fails to start due to a failing syscall to the not-implemented function "getrandom".
Normally it should fall back to /dev/urandom, at least I presume that's why OpenSSL has no issues.

After rebuilding OpenSSH in this environment, it doesn't throw this error.
I suspect it's the compiled-in (or not) OpenSSL support.

Version-Release number of selected component (if applicable):
openssh.x86_64                              8.0p1-4.el8_1                          @BaseOS      
openssh-clients.x86_64                      8.0p1-4.el8_1                          @BaseOS      
openssh-server.x86_64                       8.0p1-4.el8_1                          @BaseOS 

How reproducible:
Always


Steps to Reproduce:
1. Set up a CentOS 8 LXC container on a host with Kernel < 3.17 (for instance CentOS 7)
2. Start OpenSSH in container

Actual results:
Mar 10 10:06:18 devel-el8-test systemd[1]: Starting OpenSSH server daemon...
Mar 10 10:06:18 devel-el8-test sshd[196]: Failed to seed from getrandom: Function not implemented
Mar 10 10:06:18 devel-el8-test systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Mar 10 10:06:18 devel-el8-test systemd[1]: sshd.service: Failed with result 'exit-code'.
Mar 10 10:06:18 devel-el8-test systemd[1]: Failed to start OpenSSH server daemon.

Expected results:
sshd up and running (using fallback for seeding, like openssl (presumably) does)

Additional info:
I know CentOS 8 is shipped with Kernel 4.18, where this isn't an issue, but running on shared components is common (for example Docker).

Just found the attached issue regarding CentOS 8 Docker container, didn't find much otherwise, besides the whole "/dev/random" story around the Kernel.


Thank you for any assistance :)

Comment 7 f.eichenberger 2020-03-13 14:31:26 UTC
Never mind, the Kernel in use was much too old, runs fine after updating CentOS 7.

The getrandom syscall was backported to CentOS 7 Kernel 3.10.0-544 (see bugzilla #1330000).


Issue can be closed.

Comment 8 Jakub Jelen 2020-03-16 08:26:10 UTC
Thank you for figuring out the issue and coming back. But let's keep this one open and fix it in the next release, as there was never an intention to depend on the getrandom syscall.
