RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1975588 - recent updates to run udevadm --settle hang in container
Summary: recent updates to run udevadm --settle hang in container
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: rng-tools
Version: 9.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: beta
: 9.0 Beta
Assignee: Vladis Dronov
QA Contact: Vilém Maršík
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-06-24 01:27 UTC by Ian Wienand
Modified: 2023-08-08 02:59 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-12-07 21:57:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Ian Wienand 2021-06-24 01:27:38 UTC 
Description of problem:

It seems that the change at [1] related to [2] has started to run "udevadm trigger --sysname-match=hw_random --settle" in the rpm post script.

I do not think this is safe to run in a container.

We run an image build process inside a docker container and dnf has started going into a infinite hang.  Upon investigation it's waiting on "udevadm trigger --sysname-match=hw_random --settle".

---
└─dnf /usr/bin/dnf -v -y install lsof grubby git-core initscripts which redhat-lsb-core sudo python3-policycoreutils cloud-utils-growpart selinux-policy-targeted NetworkManager kernel python3 dhcp-client ...
 └─sh /var/tmp/rpm-tmp.rZ2cHF 1
  └─udevadm trigger --sysname-match=hw_random --settle
---

This dnf run is installing

---
2021-06-24 00:32:01.584 | >  rng-tools                      x86_64  6.8-5.el8                       baseos      60 k
---

When I run the udevadmin settle command inside the container, it just hangs, as is happening from the dnf call.

I have to admit my knowledge of udev interactions inside a container is minimal.  This has started affecting us after [3] was pulled into centos-8-stream.  I note that the service doesn't appear to run if containerised [4] (ConditionVirtualization=!container) so I feel like this udevadm should be behind a similar check in the post script to avoid this package getting installed and hanging the installation process.

[1] https://gitlab.com/redhat/centos-stream/rpms/rng-tools/-/commit/e5f8325b42bfcea2e9064ee709423e5779228413
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1965318
[3] https://git.centos.org/rpms/rng-tools/c/76ff02e1942a201bdd9a3bf415768d9b28f27810?branch=c8s
[4] https://gitlab.com/redhat/centos-stream/rpms/rng-tools/-/blob/c9s/rngd.service#L3
Comment 1 Vladis Dronov 2021-07-03 19:40:09 UTC 
hello, Ian,
thank you for reporting this. indeed, udevadm call lacks the ConditionVirtualization=!container
guard. i'm posting a fix and i need to wait for Mon to approve this bz from qe side.
Comment 5 Vilém Maršík 2021-08-05 23:20:27 UTC 
Thanks for the detailed testing instructions, making this a real no-brainer.  Just sorry for the delay, people set me NEEDINFO when they need to test bugs, and I then miss real needinfos in between.

Tested. 

# wget http://download.devel.redhat.com/brewroot/work/tasks/2274/38422274/jitterentropy-3.0.2-2.git.409828cf.el9.x86_64.rpm http://download.devel.redhat.com/brewroot/work/tasks/6815/38436815/rng-tools-6.13-5.git.d207e0b6.el9.x86_64.rpm
(...)
2021-08-05 19:14:25 (26.3 MB/s) - ‘jitterentropy-3.0.2-2.git.409828cf.el9.x86_64.rpm’ saved [30933/30933]
2021-08-05 19:14:25 (23.9 MB/s) - ‘rng-tools-6.13-5.git.d207e0b6.el9.x86_64.rpm’ saved [64537/64537]
FINISHED --2021-08-05 19:14:25--
(...)
# dnf -y install jitterentropy*rpm rng-tools*rpm
(...)
Installed:
  jitterentropy-3.0.2-2.git.409828cf.el9.x86_64                                        rng-tools-6.13-5.git.d207e0b6.el9.x86_64
Complete!
# grep Condition /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
/usr/lib/systemd/system/rngd.service:ConditionVirtualization=!container
/usr/lib/systemd/system/rngd-wake-threshold.service:ConditionVirtualization=!container
# dnf -y erase jitterentropy rng-tools
(...)
[root@hpe-z220-03 ~]# rm -f jitterentropy*rpm rng-tools*rpm
Comment 6 Vladis Dronov 2021-08-06 12:20:02 UTC 
(In reply to Vilém Maršík from comment #5)
> Thanks for the detailed testing instructions, making this a real no-brainer.
> Just sorry for the delay, people set me NEEDINFO when they need to test
> bugs, and I then miss real needinfos in between.

thanks, Vilem, much appreciated!
yes, communications are suboptimal sometimes, i hope we will overcome this.
Comment 9 Ned 2021-12-14 08:22:53 UTC 
Thanks for the fix. I have the same problem but the fix does not help me.

I have el8 running on a server. The server does not have systemd-udevd running (not needed and therefore removed by standard hardening procedure). This means that the command

   udevadm trigger --sysname-match=hw_random --settle

also hangs indefinitely.

I propose to change the solution to include all cases in which we know beforehand that udevadm cannot run successfully. Not all of these cases are related to virtualisation.

Perhaps one could use a test like

    # systemctl is-active systemd-udevd
    inactive

Alternatively we could check whether the --timeout option to udevadm could help in these cases (a more simple solution perhaps)?

Alas, no:

    # man udevadm | grep timeout
       -t, --timeout=SECONDS
       -t, --timeout=seconds

    # udevadm trigger --timeout=10 --sysname-match=hw_random --settle
    trigger: unrecognized option '--timeout=10'

Apparently the --timeout parameter is not accepted for the trigger subcommand :-(


It would be good to have a solution.  On one server I had one dnf-automatic process run for several weeks before I noticed the block.  This has potential security implications because no new updates were installed while the (unimportant) post-install blocked rpmdb indefinitely.
Comment 10 Vladis Dronov 2022-02-23 16:45:34 UTC 
(In reply to Ned from comment #9)
> Thanks for the fix. I have the same problem but the fix does not help me.

hi, Ned, thanks for the bug report. the scripts were reworked to un-tie rng-tools from udevadm + other minor fixes.
unfortunately, it will take some time for fixes to reach RHEL releases, so i can provide you a candidate build of
rng-tools with fixes for you version of RHEL if needed.
Comment 11 Ned 2022-02-23 18:10:36 UTC 
Dear Vladis,
Many thanks, I have a workaround for the moment.  Looking forward to the proper solution!
Best regards,
Ned
Note You need to log in before you can comment on or make changes to this bug.