Description of problem:
rngd complains about PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory

Version-Release number of selected component (if applicable):
rng-tools-6.9-3.fc32.x86_64

How reproducible:
Upgrade to Fedora 32 from 31. Notice lack of opensc library.

Actual results:
[ 2.599956] kernel: [drm] Initialized amdgpu 3.39.0 20150101 for 0000:0a:00.0 on minor 0
[ 3.558804] rngd[259]: [jitter]: Enabling JITTER rng support
[ 3.563097] rngd[259]: [jitter]: Initialized
[ 3.563776] rngd[259]: [pkcs11]: PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory
[ 3.563776] rngd[259]: [pkcs11]: Initialization Failed
[ 3.535913] kernel: random: crng init done

Expected results:
no PKCS11 complaints. opensc-pkcs11.so available for fc32.

Additional info:

# ls -l /usr/lib64/opensc-pkcs11.so
-rwxr-xr-x 1 root root 250840 May 13 10:33 /usr/lib64/opensc-pkcs11.so
# rpm -qf /usr/lib64/opensc-pkcs11.so
opensc-0.20.0-6.fc32.x86_64
#

rngd is not in a chroot or similar as far as I can see. And yes, we run multiple rngd instances, because entropy.
That's related to the problem, but it is yet another problem; an application in Fedora should not use a particular smart card driver like opensc, but go through p11-kit-proxy instead: https://docs.fedoraproject.org/en-US/packaging-guidelines/Pkcs11Support/
I'm seeing this issue also without opensc installed. It probably should not try to load that .so file if it does not exist.

(In reply to udo from comment #1)
> # ls -l /usr/lib64/opensc-pkcs11.so
> -rwxr-xr-x 1 root root 250840 May 13 10:33 /usr/lib64/opensc-pkcs11.so

Maybe it is not in your initramfs? In my case, the error message happens while my system is still in initramfs (judging from timestamps). `lsinitrd /boot/initramfs-…` should give you details.

Why would rngd and thus /usr/lib64/opensc-pkcs11.so be in initramfs? The service file does not tell me it needs to be in the ramdisk:

# cat /usr/lib/systemd/system/rngd.service
[Unit]
Description=Hardware RNG Entropy Gatherer Daemon

[Service]
ExecStart=/sbin/rngd -f

[Install]
WantedBy=multi-user.target

Nor did I configure anything to put rngd there. So if this happens (how?) by design, why not take the dependencies into account? Or why not delay startup until rootfs etc are mounted?

Also: If rngd is started from initramfs, then what entropy sources are used besides the non-present /dev/hwrng? What happens after mounting rootfs when rngds are started for my two known entropy sources? I see two rngd processes, not three...
It looks like there is a related merge request open: https://src.fedoraproject.org/rpms/rng-tools/pull-request/1#

(In reply to udo from comment #5)
> Why would rngd and thus /usr/lib64/opensc-pkcs11.so be in initramfs?

I don't exactly know but lsinitrd lists:
> /etc/systemd/system/sysinit.target.wants/rngd.service -> /usr/lib/systemd/system/rngd.service

Interestingly, this dependency is not present on my disk (only in initramfs). It looks like it is being auto-generated by /usr/lib/dracut/modules.d/06rngd/module-setup.sh which has this install function:

> install() {
>     inst rngd
>     inst_simple "${moddir}/rngd.service" "${systemdsystemunitdir}/rngd.service"
>     # make sure dependant libs are installed too
>     inst_libdir_file opensc-pkcs11.so
>
>     systemctl -q --root "$initdir" add-wants sysinit.target rngd.service
> }

On the other hand: Do I understand correctly that you *do have* opensc installed? If yes, then the issue I am seeing may be different from yours and I should probably open a separate bug report.

(In reply to udo from comment #6)
> Also:
> If rngd is started from initramfs, then what entropy sources are used
> besides the non-present /dev/hwrng?

In my case, according to syslog (`journalctl -b`), rngd tries the following entropy sources:
* hwrng (does not work if /dev/hwrng is not present)
* rdrand
* jitter
* pkcs11
* rtlsdr

(In reply to udo from comment #6)
> What happens after mounting rootfs when rngds are started for my two known
> entropy sources?
> I see two rngd processes, not three...

According to syslog (`journalctl -b`), rngd is being stopped just before switching root, i.e. switching from initramfs to the newly mounted rootfs.

> rngd[215]: [jitter]: Shutting down
> systemd[1]: Starting Cleanup udev Database...
> systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
> systemd[1]: systemd-tmpfiles-setup-dev.service: Succeeded.
> systemd[1]: Stopped Create Static Device Nodes in /dev.
> systemd[1]: kmod-static-nodes.service: Succeeded.
> systemd[1]: Stopped Create list of static device nodes for the current kernel.
> systemd[1]: systemd-vconsole-setup.service: Succeeded.
> systemd[1]: Stopped Setup Virtual Console.
> systemd[1]: rngd.service: Succeeded.
> systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.
> systemd[1]: rngd.service: Consumed 7.699s CPU time.
> systemd[1]: initrd-udevadm-cleanup-db.service: Succeeded.
> systemd[1]: Finished Cleanup udev Database.
> audit[1]: […]
> systemd[1]: Reached target Switch Root.
> systemd[1]: Starting Switch Root...
> systemd[1]: Switching root.

After switching the rootfs, rngd is being started again. You can also see that from the different PID in syslog. When started from real rootfs, rngd does not try to load the non-existing opensc-pkcs11.so lib for me.
most probably, indeed, the "No such file or directory" error is emitted by the rngd run from the initramfs. the initramfs does not contain /usr/lib64/opensc-pkcs11.so so this error (udo, could you please verify your initramfs misses opensc-pkcs11.so?).

with the recent update to dracut adding "inst_libdir_file opensc-pkcs11.so" to the "06rngd/module-setup.sh" (thanks, Christian, for mentioning), dracut should add this library to an initramfs image.

testing on my f32:

# rpm -q rng-tools opensc
rng-tools-6.9-3.fc32.x86_64
opensc-0.20.0-6.fc32.x86_64

# dracut -f

# lsinitrd /boot/initramfs-5.10.18-100.fc32.x86_64.img | grep -e rng -e opensc -e modules:
dracut modules:
rngd <<=== dracut rngd module is used
lrwxrwxrwx 1 root root 36 May 29 2020 etc/systemd/system/sysinit.target.wants/rngd.service -> /usr/lib/systemd/system/rngd.service
-rwxr-xr-x 1 root root 2048512 May 13 2020 usr/lib64/libopensc.so.6.0.0
lrwxrwxrwx 1 root root 30 May 29 2020 usr/lib64/libopensc.so.6 -> ../../lib64/libopensc.so.6.0.0
-rwxr-xr-x 1 root root 250840 May 13 2020 usr/lib64/opensc-pkcs11.so
-rw-r--r-- 1 root root 147 Mar 4 2020 usr/lib/systemd/system/rngd.service
-rwxr-xr-x 1 root root 81544 Jan 30 2020 usr/sbin/rngd

# reboot

# journalctl -u rngd -b
-- Logs begin at Sun 2019-12-15 21:55:22 CET, end at Wed 2021-03-24 15:55:53 CET. --
Mar 24 15:54:49 f32host rngd[257]: Initializing available sources
Mar 24 15:54:49 f32host rngd[257]: [hwrng ]: Initialized
Mar 24 15:54:49 f32host rngd[257]: [rdrand]: Enabling RDSEED rng support
Mar 24 15:54:49 f32host rngd[257]: [rdrand]: Initialized
Mar 24 15:54:49 f32host rngd[257]: [jitter]: Initializing AES buffer
Mar 24 15:54:49 f32host rngd[257]: [jitter]: Unable to obtain AES key, disabling AES in JITTER source
Mar 24 15:54:49 f32host rngd[257]: [jitter]: Enabling JITTER rng support
Mar 24 15:54:49 f32host rngd[257]: [jitter]: Initialized
Mar 24 15:54:49 f32host rngd[257]: [pkcs11]: Unable to load pkcs11 engine: (null)
Mar 24 15:54:49 f32host rngd[257]: [pkcs11]: Initialization Failed
Mar 24 15:54:50 f32host rngd[257]: [hwrng ]: Shutting down
Mar 24 15:54:50 f32host rngd[257]: [rdrand]: Shutting down
Mar 24 15:54:50 f32host rngd[257]: [jitter]: Shutting down
Mar 24 15:54:50 f32host rngd[257]: [jitter]: Closing thread 0
Mar 24 15:54:50 f32host systemd[1]: Stopping Hardware RNG Entropy Gatherer Daemon...
Mar 24 15:54:50 f32host rngd[257]: [jitter]: Closing thread 1
Mar 24 15:54:50 f32host rngd[257]: [jitter]: Closing thread 2
Mar 24 15:54:50 f32host rngd[257]: [jitter]: Closing thread 3
Mar 24 15:54:50 f32host systemd[1]: rngd.service: Succeeded.
Mar 24 15:54:50 f32host systemd[1]: Stopped Hardware RNG Entropy Gatherer Daemon.
Mar 24 15:54:50 f32host systemd[1]: rngd.service: Consumed 2.748s CPU time.

*** the above was happening in initramfs before switchroot
*** the below is in the normal system after switchroot

Mar 24 15:54:50 f32host systemd[1]: Started Hardware RNG Entropy Gatherer Daemon.
Mar 24 15:54:50 f32host rngd[505]: Initializing available sources
Mar 24 15:54:50 f32host rngd[505]: [hwrng ]: Initialized
Mar 24 15:54:50 f32host rngd[505]: [rdrand]: Enabling RDSEED rng support
Mar 24 15:54:50 f32host rngd[505]: [rdrand]: Initialized
Mar 24 15:54:50 f32host rngd[505]: [jitter]: Initializing AES buffer
Mar 24 15:54:52 f32host rngd[505]: [jitter]: Enabling JITTER rng support
Mar 24 15:54:52 f32host rngd[505]: [jitter]: Initialized
Mar 24 15:54:52 f32host rngd[505]: [pkcs11]: No pkcs11 slots available
Mar 24 15:54:52 f32host rngd[505]: [pkcs11]: Initialization Failed

no errors, so it is needed to rebuild initramfs with a recent dracut to solve the initial issue.

please, inform if there are more concerns re: this bz.
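
The lsinitrd check done by hand in the comment above, written as a reusable shell function. This is an added example, not part of the original thread and not code from dracut or rng-tools; the function name check_rngd_initramfs is hypothetical, and the sample listing is a constructed subset of the lsinitrd output quoted above.

```sh
#!/bin/sh
# Added example (not from the thread). Classifies an `lsinitrd <image>`
# listing read on stdin:
#   ok           rngd is started in the image and opensc-pkcs11.so is present
#   missing-lib  rngd is started in the image but opensc-pkcs11.so is absent
#   no-rngd      the image does not start rngd at all
# Real use: lsinitrd /boot/initramfs-"$(uname -r)".img | check_rngd_initramfs
check_rngd_initramfs() {   # hypothetical helper name
    listing=$(cat)
    # The dracut rngd module wires the unit into sysinit.target in the image.
    if ! printf '%s\n' "$listing" |
            grep -q 'sysinit\.target\.wants/rngd\.service'; then
        echo no-rngd
        return 0
    fi
    # Match the module path itself, so libopensc.so.* alone does not count.
    if printf '%s\n' "$listing" |
            grep -Eq '(^|[ /])usr/lib(64)?/opensc-pkcs11\.so( -> |$)'; then
        echo ok
    else
        echo missing-lib
    fi
}

# Constructed sample: a subset of the listing quoted in the thread.
SAMPLE_FIXED='lrwxrwxrwx 1 root root 36 May 29 2020 etc/systemd/system/sysinit.target.wants/rngd.service -> /usr/lib/systemd/system/rngd.service
-rwxr-xr-x 1 root root 2048512 May 13 2020 usr/lib64/libopensc.so.6.0.0
-rwxr-xr-x 1 root root 250840 May 13 2020 usr/lib64/opensc-pkcs11.so
-rwxr-xr-x 1 root root 81544 Jan 30 2020 usr/sbin/rngd'

# Constructed sample: the same image without the PKCS#11 module, which is
# the state that produces "No such file or directory" before switch root.
SAMPLE_BROKEN=$(printf '%s\n' "$SAMPLE_FIXED" | grep -v 'opensc-pkcs11\.so')

printf 'rebuilt image: %s\n' "$(printf '%s\n' "$SAMPLE_FIXED" | check_rngd_initramfs)"
printf 'stale image:   %s\n' "$(printf '%s\n' "$SAMPLE_BROKEN" | check_rngd_initramfs)"
```

A missing-lib result is the case that rebuilding the image with `dracut -f` addresses, as described in the comment above.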
On a fresh Fedora 33 installation with rng-tools-6.12-1.fc33.x86_64 opensc-0.21.0-1.fc33.x86_64 this issue seems to be solved for me too. I cannot see the warning/error any more.
thank you for testing and confirmation, Christian, great news. with that, i'm closing this bz, please, feel free to reopen if something.
Can't say whether it is "still" or "again" but rngd.service failed on my Fedora 37. Installing opensc and restarting the service fixed it. Shouldn't there be a dependency on the package if the service fails when opensc is not installed?
@dreua : Do you see the same error message as in comment #0 or do you see a different error message?

(In reply to udo from comment #0)
> […]
> [ 3.563776] rngd[259]: [pkcs11]: PKCS11 Engine /usr/lib64/opensc-pkcs11.so Error: No such file or directory
> [ 3.563776] rngd[259]: [pkcs11]: Initialization Failed
> […]

As for the dependency: A developer mentioned that the missing dependency is by design in bug #1845854. I've reopened that one, suggesting to reconsider a weak dependency. Let's wait for the maintainer's opinion on that.
i would suggest to continue this in bz1845854 since this bz is definitely for another issue (rngd run from the initramfs). bz1845854 is exactly for the case when opensc is not installed.
(In reply to David Auer from comment #11)
> Can't say whether it is "still" or "again" but rngd.service failed on my
> Fedora 37. Installing opensc and restarting the service fixed it. Shouldn't
> there be a dependency on the package if the service fails when opensc is
> not installed?

Hi, David, thank you for a report and let me still reply here.

rngd is shipped with pkcs11 entropy source disabled by default for quite some time:

/etc/sysconfig/rngd:
RNGD_ARGS="-x pkcs11 -x nist"

A system admin / devops person should consider implications enabling pkcs11 source which are exactly opensc being required. So if you've modified rngd's default args, you should consider installing opensc manually, since this is not default configuration.

Anyway, I'd suggest we continue in bz1845854.
Hey, sorry for the late reply: I removed opensc again but could not reproduce the failed service. Not sure whether there was some script or some side effect changing a configuration or cleaning something up. I don't think I changed anything in the configuration but I haven't reinstalled since 2015, so this may be due to some old configurations that haven't been properly upgraded. I read in the other issue you mentioned that rng-tools isn't installed by default anymore, so maybe the easiest solution for people like me is to remove it. Anyway, thank you very much for your input and maintenance of these packages!

(In reply to David Auer from comment #15)
> Hey, sorry for the late reply

Thanks for a reply, David, it is nice to read it!