Bug 2077036 - recent rng-tools updates to run udevadm --settle hang in container [rhel-9.0.0.z]
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: rng-tools
Version: 9.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 9.0
Assignee: Vladis Dronov
QA Contact: Vilém Maršík
Duplicates: 2079379
Depends On: 2075977
Blocks: 2079379
Reported: 2022-04-20 14:04 UTC by RHEL Program Management Team
Modified: 2023-08-08 03:02 UTC
Clone Of: 2075977
Last Closed: 2022-06-28 14:58:57 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-119426 0 None None None 2022-04-20 14:21:53 UTC
Red Hat Product Errata RHBA-2022:5243 0 None None None 2022-06-28 14:59:00 UTC

Comment 2 Vladis Dronov 2022-04-22 14:32:12 UTC
[CI] [GATING] [DONE] rng-tools-6.14-4.git.b2b7934e.el9_0 passed gating because all required tests passed
90z brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44793702
90z brew: https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1984328
90z osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/44793702

Comment 4 Vladis Dronov 2022-04-25 15:15:55 UTC
simple test plan:

0) ensure no config and 'rngd' user exists from previous installations

# userdel -r rngd
# rm -f /etc/sysconfig/rngd*

1) grab rngd daemon package from brew via links above

2) install it

3) verify that both service files DO NOT contain "udevadm" command:

# grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service 
<none>

4) verify that 'rngd' user has home directory set as '/' and pwck does not return an error related to 'rngd' user:

# getent passwd rngd

# pwck

5) optional: general functional tests. they reside in a source tarball. so rng-tools.src.rpm should be unpacked,
then .tar.gz inside it should be unpacked. go to tests/ in source dir. edit scripts - remove "../" in front of
"rngd" and "rngtest" so binaries installed from the package are used. run tests checking the return code:

# ./rngtestzero.sh ; echo $?
# ./rngtesturandom.sh ; echo $?
# ./rngtestjitter.sh ; echo $?

6) clean up

# dnf -y erase rng-tools
# rm -f rng-tools*rpm

Comment 5 Vilém Maršík 2022-04-25 20:50:20 UTC
Thanks for sharing your testplan. Almost working on RHEL-9.0.0-updates-20220425.d.0 x86_64, except the optional rngtestzero.sh has 100% of FIPS failures. What do you think about that?

---

# rpm -q rng-tools
package rng-tools is not installed
# userdel -r rngd
userdel: user 'rngd' does not exist
# rm -f /etc/sysconfig/rngd*
# wget http://download.eng.bos.redhat.com/brewroot/work/tasks/3738/44793738/rng-tools-6.14-4.git.b2b7934e.el9_0.x86_64.rpm
# dnf install rng-tools-6.14-4.git.b2b7934e.el9_0.x86_64.rpm
(...)
Installed:
  jitterentropy-3.3.1-2.el9.x86_64                                               rng-tools-6.14-4.git.b2b7934e.el9_0.x86_64
Complete!
# grep udevadm /usr/lib/systemd/system/rngd.service /usr/lib/systemd/system/rngd-wake-threshold.service
# getent passwd rngd
rngd:x:987:987:Random Number Generator Daemon:/:/sbin/nologin
# pwck
# wget http://download.eng.bos.redhat.com/brewroot/work/tasks/3710/44793710/rng-tools-6.14-4.git.b2b7934e.el9_0.src.rpm
# rpm2cpio rng-tools-6.14-4.git.b2b7934e.el9_0.src.rpm | cpio --extract --make-directories --no-absolute-filenames
163 blocks
# tar xvfz rng-tools-6.14.tar.gz
(...)
# cd rng-tools-6.14/tests/
# vim rngtestzero.sh
# vim rngtesturandom.sh
# vim rngtestjitter.sh
# ./rngtestzero.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 0
rngtest: FIPS 140-2 successes: 0
rngtest: FIPS 140-2 failures: 100
rngtest: FIPS 140-2(2001-10-10) Monobit: 100
rngtest: FIPS 140-2(2001-10-10) Poker: 100
rngtest: FIPS 140-2(2001-10-10) Runs: 100
rngtest: FIPS 140-2(2001-10-10) Long run: 100
rngtest: FIPS 140-2(2001-10-10) Continuous run: 100
rngtest: input channel speed: (min=9.313; avg=15.652; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=529.819; avg=854.547; max=908.261)Mibits/s
rngtest: output channel speed: (min=0.000; avg=0.000; max=0.000)bits/s
rngtest: Program run time: 2595 microseconds
0
# ./rngtesturandom.sh ; echo $?
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=9.313; avg=15.143; max=18.626)Gibits/s
rngtest: FIPS tests speed: (min=147.856; avg=204.038; max=214.309)Mibits/s
rngtest: output channel speed: (min=20000000000.000; avg=44444444444.444; max=0.000)bits/s
rngtest: Program run time: 10170 microseconds
0
# ./rngtestjitter.sh ; echo $?
Disabling 0: Hardware RNG Device (hwrng)
Disabling 2: Intel RDRAND Instruction RNG (rdrand)
Disabling 1: TPM RNG Device (tpm)
Initializing available sources
[jitter]: Initializing AES buffer
[jitter]: Enabling JITTER rng support
[jitter]: Initialized
rngtest: bits received from input: 2000064
rngtest: bits sent to output: 2000000
rngtest: FIPS 140-2 successes: 100
rngtest: FIPS 140-2 failures: 0
rngtest: FIPS 140-2(2001-10-10) Monobit: 0
rngtest: FIPS 140-2(2001-10-10) Poker: 0
rngtest: FIPS 140-2(2001-10-10) Runs: 0
rngtest: FIPS 140-2(2001-10-10) Long run: 0
rngtest: FIPS 140-2(2001-10-10) Continuous run: 0
rngtest: input channel speed: (min=108.991; avg=433.095; max=544.957)Mibits/s
rngtest: FIPS tests speed: (min=136.239; avg=142.244; max=145.599)Mibits/s
rngtest: output channel speed: (min=10000000000.000; avg=26666666666.667; max=0.000)bits/s
rngtest: Program run time: 2693506 microseconds
killing
0

Comment 6 Vilém Maršík 2022-04-26 10:45:04 UTC
Okay, rngtestzero.sh should be designed to run on blocks of zeros, and 100% FIPS failure is expected here. Setting verified:tested.
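
Why an all-zero input fails every block, shown as an added example that is not part of the bug report or of rng-tools: a Python implementation of four of the FIPS 140-2 block tests named in the rngtest output above (monobit, poker, runs, long run), with thresholds from the 2001-10-10 change notice. The continuous run test is not covered, and the function names and both sample blocks are constructed for illustration.

```python
# FIPS 140-2 (change notice of 2001-10-10) statistical tests on one 20000-bit block.
BLOCK_BYTES = 2500  # 20000 bits per tested block

# Allowed number of runs of length 1..5 and "6 or longer", for zeros and ones alike.
RUN_BOUNDS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}

def bits_of(block):
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in block for shift in range(7, -1, -1)]

def run_lengths(bits):
    """Return (bit value, length) for every maximal run of identical bits."""
    runs, count = [], 1
    for prev, cur in zip(bits, bits[1:]):
        if cur == prev:
            count += 1
        else:
            runs.append((prev, count))
            count = 1
    runs.append((bits[-1], count))
    return runs

def fips_failures(block):
    """Return the sorted names of the tests that this block fails."""
    assert len(block) == BLOCK_BYTES
    bits, failed = bits_of(block), set()
    # Monobit: the number of one bits must lie strictly between 9725 and 10275.
    if not 9725 < sum(bits) < 10275:
        failed.add("monobit")
    # Poker: statistic over the frequencies of the 5000 4-bit nibbles.
    freq = [0] * 16
    for byte in block:
        freq[byte >> 4] += 1
        freq[byte & 0x0F] += 1
    x = 16 / 5000 * sum(f * f for f in freq) - 5000
    if not 2.16 < x < 46.17:
        failed.add("poker")
    runs = run_lengths(bits)
    # Runs: per bit value, the count of runs of each length must be within bounds.
    for value in (0, 1):
        counts = dict.fromkeys(RUN_BOUNDS, 0)
        for bit, length in runs:
            if bit == value:
                counts[min(length, 6)] += 1
        if any(not lo <= counts[n] <= hi for n, (lo, hi) in RUN_BOUNDS.items()):
            failed.add("runs")
    # Long run: no run of 26 or more identical bits is allowed.
    if max(length for _, length in runs) >= 26:
        failed.add("long run")
    return sorted(failed)

ZEROS = bytes(BLOCK_BYTES)           # constructed: an all-zero block
ALTERNATING = b"\x55" * BLOCK_BYTES  # constructed: 0101..., balanced but regular
```

The all-zero block fails all four tests, while the alternating block passes monobit and long run yet still fails poker and runs, which is why a balanced bit count alone does not make a block pass.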

Comment 9 Vladis Dronov 2022-04-28 15:51:28 UTC
[CI] [GATING] [DONE] rng-tools-6.14-5.git.b2b7934e.el9_0 passed gating because all required tests passed
rng-tools-6.14-5.git.b2b7934e.el9_0 successfully moved from rhel-9.0.0-z-gate into rhel-9.0.0-z-candidate

brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=44939775
osci: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/44939775

Comment 10 Vladis Dronov 2022-04-29 09:43:19 UTC
additional test step for a new build:

1) there was an issue with user/group creation in certain cases. test:

set "USERGROUPS_ENAB no" in /etc/login.defs

ensure no rngd user and group exist, check the setting:

# getent passwd rngd ; getent group rngd ; grep USERGROUPS_ENAB /etc/login.defs ; id rngd
USERGROUPS_ENAB no
id: ‘rngd’: no such user

install a package

ensure user and group exist and rngd user has rngd group (NOT some other) with the same command:

# getent passwd rngd ; getent group rngd ; grep USERGROUPS_ENAB /etc/login.defs ; id rngd

run the service. it should start without errors:
(a pause is needed for the jitter lib to initialize)

systemctl start rngd ; sleep 5 ; systemctl status rngd

Comment 11 Vladis Dronov 2022-04-30 14:20:30 UTC
*** Bug 2079379 has been marked as a duplicate of this bug. ***

Comment 12 Vilém Maršík 2022-05-04 21:16:35 UTC
Same build as for stage1, is this correct?

=====

The build is passing the additional test from Comment #10 on RHEL-9.0.0-updates-20220504.0 :

#  getent passwd rngd ; getent group rngd ; grep USERGROUPS_ENAB /etc/login.defs ; id rngd
USERGROUPS_ENAB no
id: ‘rngd’: no such user
# dnf install http://download.eng.brq.redhat.com/brewroot/packages/rng-tools/6.14/5.git.b2b7934e.el9_0/x86_64/rng-tools-6.14-5.git.b2b7934e.el9_0.x86_64.rpm
(...)
Installed:
  rng-tools-6.14-5.git.b2b7934e.el9_0.x86_64
Complete!
#  getent passwd rngd ; getent group rngd ; grep USERGROUPS_ENAB /etc/login.defs ; id rngd
rngd:x:987:987:Random Number Generator Daemon:/:/sbin/nologin
rngd:x:987:
USERGROUPS_ENAB no
uid=987(rngd) gid=987(rngd) groups=987(rngd)
# systemctl start rngd ; sleep 5 ; systemctl status rngd
● rngd.service - Hardware RNG Entropy Gatherer Daemon
     Loaded: loaded (/usr/lib/systemd/system/rngd.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2022-05-04 17:13:31 EDT; 5s ago
   Main PID: 22013 (rngd)
      Tasks: 5 (limit: 48592)
     Memory: 2.1M
        CPU: 19.874s
     CGroup: /system.slice/rngd.service
             └─22013 /usr/sbin/rngd -f --fill-watermark=0 -x pkcs11 -x nist

May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com systemd[1]: Started Hardware RNG Entropy Gatherer Daemon.
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: Disabling 7: PKCS11 Entropy generator (pkcs11)
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: Disabling 5: NIST Network Entropy Beacon (nist)
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: Initializing available sources
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: [hwrng ]: Initialized
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: [rdrand]: Enabling RDRAND rng support
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: [rdrand]: Initialized
May 04 17:13:31 intel-chiefriver-04.khw2.lab.eng.bos.redhat.com rngd[22013]: [jitter]: Initializing AES buffer

Comment 13 Vladis Dronov 2022-05-05 11:40:20 UTC
(In reply to Vilém Maršík from comment #12)
> Same build as for stage1, is this correct?

i'm not sure what you mean by "stage 1", the latest build i mean is mentioned in #c9, rng-tools-6.14-5.git.b2b7934e.el9_0.
it looks like yes, this build passes the last test, thank you!

Comment 14 Vilém Maršík 2022-05-10 16:15:02 UTC
Okay, setting verified.

Comment 18 errata-xmlrpc 2022-06-28 14:58:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (rng-tools bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:5243

