RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1965318 - fix a number of bugs in rng-tools
Summary: fix a number of bugs in rng-tools
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: rng-tools
Version: 9.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: beta
: 9.0 Beta
Assignee: Vladis Dronov
QA Contact: Vilém Maršík
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-05-27 12:44 UTC by Vladis Dronov
Modified: 2023-08-08 02:59 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-12-07 21:57:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Vladis Dronov 2021-05-27 12:44:29 UTC 
This bug was initially created as a copy of Bug #1955522.

Description of problem:

1) rpminspect fails on the "pathmigration" test for rng-tools-6.12-2.el9 due to hardcoded incorrect %_sbindir:

> path-migration:
> ---------------
> 1) File /sbin/rngd found should be in /usr/sbin on x86_64

https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/36241461?focus=tc:osci.brew-build.rpminspect.static-analysis
http://artifacts.osci.redhat.com/testing-farm/9d1ed40c-05f1-46f0-9382-22392984986e/work-rpminspect3FlYCZ/rpminspect/execute/data/pathmigration/output.txt

2) there is a request from ProdSec to make rngd to run as non-root (see bz1692435)

3) if we make rngd to run as non-root, it fails with an error due to permissions on /dev/hwrng:

May 04 17:13:29 rhel9 rngd[523]: [hwrng ]: Initialization Failed

527   17:00:07 openat(AT_FDCWD, "/dev/hwrng", O_RDONLY|O_NOCTTY) = -1 EACCES (Permission denied)
Comment 1 Vladis Dronov 2021-05-27 13:26:19 UTC 
suggestions on how to test:

1) just check the path for rngd binary, it should be in /usr/sbin. current (wrong) path is:

# rpm -q rng-tools
rng-tools-6.12-1.el9.x86_64

# rpm -ql rng-tools | grep sbin
/sbin/rngd

2) just check that /sbin/rngd is run as rngd user:

# ps -ef |grep rngd
rngd         824       1 99 15:24 ?        00:00:07 /sbin/rngd -f

3) just check there there are no failing messages for hwrng in a log:

# journalctl -b | grep rngd
Comment 2 Vladis Dronov 2021-05-27 17:59:59 UTC 
test build: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=37032590

# rpm -q rng-tools
rng-tools-6.12-4.el9.x86_64

# rpm -ql rng-tools | grep sbin
/usr/sbin/rngd

# ps -ef |grep rngd
rngd         539       1 13 19:56 ?        00:00:13 /usr/sbin/rngd -f --fill-watermark=0

[root@rhel9 ~]# journalctl -b | grep rngd
May 27 19:56:39 rhel9.vsd.localdomain rngd[539]: Initializing available sources
May 27 19:56:39 rhel9.vsd.localdomain rngd[539]: [hwrng ]: Initialized             <<< THIS LINE IS WHERE IT WAS FAILING BEFORE
May 27 19:56:39 rhel9.vsd.localdomain rngd[539]: [rdrand]: Enabling RDRAND rng support
May 27 19:56:39 rhel9.vsd.localdomain rngd[539]: [rdrand]: Initialized
Comment 3 Vladis Dronov 2021-06-01 07:58:27 UTC 
Hello, Vilem,
Could you please also grant qa_ack+ for this bz? It is fixing the
same issues for rng-tools as previous bzs, but for the RHEL-9.
I need the release+ to do the push to the c9s repo. The testing
steps are simple and I've mentioned them in the #c1.
Comment 4 Vilém Maršík 2021-06-01 16:33:55 UTC 
Acking. Also confirming the problem 3 in rng-tools-6.8-4.el8.x86_64 (the others are already fixed):
# journalctl -b | grep hwrng
Jun 01 12:10:17 intel-denlow-r-02.lab.eng.rdu2.redhat.com rngd[40142]: Failed to init entropy source hwrng
# ls -l /dev/hwrng
crw-------. 1 root root 10, 183 May 31 23:57 /dev/hwrng
# rpm -ql rng-tools | grep sbin
/usr/sbin/rngd
# ps auxwf| grep rngd
root       41107  0.0  0.0  12136  1156 pts/0    S+   12:32   0:00              \_ grep --color=auto rngd
rngd       40570  1.0  0.0 381340  4620 ?        Ssl  12:12   0:12 /usr/sbin/rngd -f --fill-watermark=0
Comment 5 Vladis Dronov 2021-06-03 13:57:07 UTC 
a gitlab's mr has been merged: https://gitlab.com/redhat/centos-stream/rpms/rng-tools/-/merge_requests/1
Comment 24 Vilém Maršík 2021-08-06 00:04:35 UTC 
Verified, thanks for detailed testing instructions.

# wget http://download.devel.redhat.com/brewroot/work/tasks/2274/38422274/jitterentropy-3.0.2-2.git.409828cf.el9.x86_64.rpm http://download.devel.redhat.com/brewroot/work/tasks/6815/38436815/rng-tools-6.13-5.git.d207e0b6.el9.x86_64.rpm
(...)
Downloaded: 2 files, 93K in 0.002s (43.4 MB/s)
# dnf -y install jitterentropy*rpm rng-tools*rpm && systemctl stop rngd && systemctl disable rngd
(...)
Installed:
  jitterentropy-3.0.2-2.git.409828cf.el9.x86_64                                        rng-tools-6.13-5.git.d207e0b6.el9.x86_64
Complete!
Removed /etc/systemd/system/multi-user.target.wants/rngd.service.
# /usr/sbin/rngd -f -o /dev/stdout > /tmp/rngfile
Initializing available sources
[hwrng ]: Initialization Failed
[rdrand]: Enabling RDRAND rng support
[rdrand]: Initialized
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
^C[rdrand]: Shutting down
[jitter]: Shutting down
# ls -lh /tmp/rngfile
-rw-r--r--. 1 root root 49M Aug  5 20:01 /tmp/rngfile
# cat /tmp/rngfile | /usr/bin/rngtest -c 1000
rngtest 6.13
Copyright (c) 2004 by Henrique de Moraes Holschuh
This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

rngtest: starting FIPS tests...
rngtest: bits received from input: 20000032
rngtest: FIPS 140-2 successes: 999
rngtest: FIPS 140-2 failures: 1
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 1
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=1.863; avg=16.796; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=165.856; avg=210.580; max=214.309)Mibits/s
rngtest: Program run time: 92143 microseconds
# rm -f /tmp/rngfile
# dnf -y erase jitterentropy rng-tools
(...)
Complete!
Comment 25 Vladis Dronov 2021-08-06 11:55:12 UTC 
(In reply to Vilém Maršík from comment #24)
> Verified, thanks for detailed testing instructions.

thanks a ton, Vilem, much appreciated!
Note You need to log in before you can comment on or make changes to this bug.