Bug 209395 - openswan hangs on install in xenu
Product: Fedora
Classification: Fedora
Component: openswan
other Linux
Severity: urgent
Assigned To: Harald Hoyer
Reported: 2006-10-05 00:21 EDT by Paul Wouters
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-01-26 05:20:28 EST
Description Paul Wouters 2006-10-05 00:21:05 EDT
Description of problem:
The redhat version of openswan.spec runs 'newhostkey' on package install.
This is a mistake and should not be done. There are good reasons why the
original openswan package does this on *first startup* and not at install time.
If there is no random available, the whole install procedure hangs.

Unfortunately, this is exactly what happens on xen kernels. It just does not
have enough entropy to create a 2048-bit RSA key, so yum will be hanging forever.

Version-Release number of selected component (if applicable):

How reproducible:
Not tried, but since I know what's happening, I'm sure it always happens.

Steps to Reproduce:
1. Install fc6test3
2. xenguest-install a new xen, reboot, login
3. yum install openswan

Actual results:
hanging yum forever, and after ctrl-c/d, openswan is not properly installed

Expected results:
the obvious

Additional info:

From the specfile:

%post %{do_userland}
chkconfig --add ipsec
if [ ! -e /etc/ipsec.d/hostkey.secrets ]; then
    ipsec newhostkey --output /etc/ipsec.d/hostkey.secrets
fi
exit 0

Don't perform this action at install time.

I will change the openswan check for ipsec.secrets to support this fedora
file layout, so it will generate the above filename on FC. This will be in
openswan-2.4.7. So this %post operation will then no longer be necessary.
Note that openswan generates the raw RSA key in the background at startup,
so no hangs at startup would happen on xen's with no entropy.

In the meantime, it is better for users not to have a hanging yum and to have to
manually run "ipsec newhostkey" for those who want to use raw RSA keys.
Comment 1 Paul Wouters 2006-11-01 13:12:43 EST
This is still an issue on FC6. Everyone who installs openswan in a xenu using
anaconda, rpm or yum has their install process hanging forever. I raised the
urgency of this bug.
Comment 2 Paul Wouters 2006-11-01 13:15:26 EST
note: openswan 2.4.7rc3 will be released today, and the final release will
follow in a day or two. It supports the new style ipsec.secrets from fedora, so
removing the newhostkey bit in rpm is enough, and at first startup, openswan will
fork a key generation in the background (similarly to when no /etc/ipsec.secrets

If you only want to do a quickfix/workaround, just comment out the ipsec
newhostkey command - it is causing much more pain than it solves.
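
Added example, not part of the bug report and not code from openswan or the Fedora package: a sketch of the approach described in the description and comment 2, where host key generation is started in the background at first startup instead of blocking in %post. The function name `start_hostkey_gen`, the lock directory and the `HOSTKEY_FILE`/`HOSTKEY_GEN` variables are assumptions; only the `ipsec newhostkey --output` command and the secrets path come from the report.

```shell
#!/bin/sh
# Added example (assumed names; not the openswan or Fedora implementation).
# Intended to be called from the service start path, never from an RPM
# scriptlet, so an empty entropy pool cannot stall rpm, yum or anaconda.

# Path and command as quoted in the bug report; both can be overridden.
HOSTKEY_FILE="${HOSTKEY_FILE:-/etc/ipsec.d/hostkey.secrets}"
HOSTKEY_GEN="${HOSTKEY_GEN:-ipsec newhostkey --output}"

# start_hostkey_gen always returns immediately:
#   0 = key file already present
#   1 = generation started in the background
#   2 = another generation is already running
start_hostkey_gen() {
    [ -e "$HOSTKEY_FILE" ] && return 0
    lock="$HOSTKEY_FILE.lock"
    # mkdir is atomic, so exactly one caller takes the lock.
    mkdir "$lock" 2>/dev/null || return 2
    (
        umask 077                     # private key material: owner-only
        tmp="$HOSTKEY_FILE.tmp.$$"
        # Generate under a temporary name and rename on success, so readers
        # never see a partial key and a failed run leaves no secrets file.
        if $HOSTKEY_GEN "$tmp"; then
            mv "$tmp" "$HOSTKEY_FILE"
        else
            rm -f "$tmp"
        fi
        # A generator killed mid-run leaves the lock behind; a real init
        # script would also have to clear stale locks.
        rmdir "$lock"
    ) >/dev/null 2>&1 &
    return 1
}
```

The caller can start the daemon right after `start_hostkey_gen` returns; connections that need the raw RSA key simply cannot be used until the file appears.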
Comment 3 Paul Wouters 2007-01-25 21:47:01 EST
This should really get fixed before the FC7test1 freeze. How long should an item
marked "urgent" by upstream be ignored?
Comment 4 Harald Hoyer 2007-01-26 05:20:28 EST
sorry, it took so long.
