Bug 1812120 - OpenSSH fails to start in LXC container with error "Failed to seed from getrandom: Function not implemented"
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: openssh
Version: 8.0
Hardware: x86_64
OS: Linux
Target Milestone: rc
: 8.0
Assignee: Jakub Jelen
QA Contact: Ondrej Moriš
Depends On:
Reported: 2020-03-10 14:47 UTC by f.eichenberger
Modified: 2020-11-04 01:33 UTC (History)

Fixed In Version: openssh-8.0p1-5.el8
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2020-11-04 01:32:00 UTC
Type: Bug
Target Upstream Version:


System | ID | Private | Priority | Status | Summary | Last Updated
Github CentOS sig-cloud-instance-images issues | 161 | 0 | None | open | ssh does not work for centos:8 container on ppc64le | 2020-10-27 15:30:28 UTC
Red Hat Bugzilla | 1330000 | 0 | unspecified | CLOSED | kernel: Backport getrandom system call | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHBA-2020:4439 | 0 | None | None | None | 2020-11-04 01:32:10 UTC

Description f.eichenberger 2020-03-10 14:47:41 UTC
Description of problem:
This happens on a CentOS 8 LXC container running on a CentOS 7 Host (or anything with a Kernel < 3.17).

OpenSSH fails to start due to a failing syscall to the unimplemented function "getrandom".
Normally it should fall back to /dev/urandom, at least I presume that's why OpenSSL has no issues.

When rebuilding OpenSSH in this environment, it doesn't throw this error.
I suspect it's the compiled-in (or not) OpenSSL support.

Version-Release number of selected component (if applicable):
openssh.x86_64                              8.0p1-4.el8_1                          @BaseOS      
openssh-clients.x86_64                      8.0p1-4.el8_1                          @BaseOS      
openssh-server.x86_64                       8.0p1-4.el8_1                          @BaseOS 

How reproducible:

Steps to Reproduce:
1. Set up a CentOS 8 LXC container on a host with Kernel < 3.17 (for instance CentOS 7)
2. Start OpenSSH in container

Actual results:
Mar 10 10:06:18 devel-el8-test systemd[1]: Starting OpenSSH server daemon...
Mar 10 10:06:18 devel-el8-test sshd[196]: Failed to seed from getrandom: Function not implemented
Mar 10 10:06:18 devel-el8-test systemd[1]: sshd.service: Main process exited, code=exited, status=255/n/a
Mar 10 10:06:18 devel-el8-test systemd[1]: sshd.service: Failed with result 'exit-code'.
Mar 10 10:06:18 devel-el8-test systemd[1]: Failed to start OpenSSH server daemon.

Expected results:
sshd up and running (using fallback for seeding, like openssl (presumably) does)

Additional info:
I know CentOS 8 is shipped with Kernel 4.18, where this isn't an issue, but running on shared components is common (for example Docker).

Just found the attached issue regarding the CentOS 8 Docker container; didn't find much otherwise, besides the whole "/dev/random" story around the Kernel.

Thank you for any assistance :)

Comment 7 f.eichenberger 2020-03-13 14:31:26 UTC
Never mind, the Kernel in use was much too old; it runs fine after updating CentOS 7.

The getrandom syscall was backported to CentOS 7 Kernel 3.10.0-544 (see bugzilla #1330000).

Issue can be closed.

Comment 8 Jakub Jelen 2020-03-16 08:26:10 UTC
Thank you for figuring out the issue and coming back. But let's keep this one open and fix it in the next release, as there was never an intention to depend on the getrandom syscall.
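
The seeding behaviour discussed in this report, as an added example (not code from the openssh-8.0p1-5.el8 fix or from OpenSSL): try getrandom first and fall back to /dev/urandom only when the kernel answers ENOSYS. The names seed_bytes, urandom_fill and enosys_getrandom are hypothetical; enosys_getrandom is a constructed stand-in for a host kernel without the syscall.

```c
#define _GNU_SOURCE            /* O_CLOEXEC under strict -std= modes */
#include <errno.h>
#include <fcntl.h>
#include <sys/random.h>        /* getrandom() wrapper, glibc >= 2.25 */
#include <unistd.h>

/* getrandom-shaped source, injectable so the ENOSYS path can be exercised. */
typedef ssize_t (*getrandom_fn)(void *buf, size_t len, unsigned int flags);

/* Constructed stand-in for a kernel that lacks the getrandom syscall. */
ssize_t enosys_getrandom(void *buf, size_t len, unsigned int flags) {
    (void)buf; (void)len; (void)flags;
    errno = ENOSYS;
    return -1;
}

/* Read exactly len bytes from /dev/urandom; 0 on success, -1 on failure. */
static int urandom_fill(unsigned char *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = read(fd, buf + off, len - off);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }   /* error or unexpected EOF */
        off += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Returns 1 if filled by getrandom, 2 if by the /dev/urandom fallback,
 * -1 if no source worked (caller must refuse to continue unseeded). */
int seed_bytes(getrandom_fn gr, unsigned char *buf, size_t len) {
    size_t off = 0;
    while (off < len) {
        ssize_t n = gr(buf + off, len - off, 0);
        if (n > 0) { off += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && errno == ENOSYS) return urandom_fill(buf, len) == 0 ? 2 : -1;
        return -1;                              /* any other error is fatal */
    }
    return 1;
}

int main(void) {
    unsigned char seed[32];
    return seed_bytes(getrandom, seed, sizeof seed) > 0 ? 0 : 1;
}
```

Only ENOSYS triggers the fallback; any other getrandom error, or a short read from /dev/urandom, is reported as failure so the caller never proceeds with a partially filled seed.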

Comment 14 errata-xmlrpc 2020-11-04 01:32:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (openssh bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

