Bug 209395 - openswan hangs on install in xenu
Summary: openswan hangs on install in xenu
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: openswan
Version: 6
Hardware: other
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2006-10-05 04:21 UTC by Paul Wouters
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-01-26 10:20:28 UTC
Type: ---
Embargoed:



Description Paul Wouters 2006-10-05 04:21:05 UTC
Description of problem:
The redhat version of openswan.spec runs 'newhostkey' on package install.
This is a mistake and should not be done. There are good reasons why the
original openswan package does this on *first startup* and not at install time.
If there is no random available, the whole install procedure hangs.

Unfortunately, this is exactly what happens on xen kernels. It just does not
have enough entropy to create a 2048bit RSA key, so yum will be hanging forever.

Version-Release number of selected component (if applicable):
openswan-2.4.5-2.1
kernel-xen-2.6.18-1.2726.fc6,

How reproducible:
Not tried, but since I know what's happening, I'm sure it always happens.

Steps to Reproduce:
1. Install fc6test3
2. xenguest-install a new xen, reboot, login
3. yum install openswan

  
Actual results:
hanging yum forever, and after ctrl-c/d, openswan is not properly installed

Expected results:
the obvious

Additional info:

From the specfile:

%post %{do_userland}
chkconfig --add ipsec
if [ ! -e /etc/ipsec.d/hostkey.secrets ];then
    ipsec newhostkey --output /etc/ipsec.d/hostkey.secrets
fi
exit 0

Don't perform this action at install time.

I will change the openswan check for ipsec.secrets to support this fedora
file layout, so it will generate the above filename on FC. This will be in
openswan-2.4.7. So this %post operation will then no longer be necessary.
Note that openswan generates the raw RSA key in the background at startup,
so no hangs at startup would happen on xen's with no entropy.

In the meantime, it is better for users not to have a hanging yum and to have to
manually run "ipsec newhostkey" for those who want to use raw RSA keys.

Comment 1 Paul Wouters 2006-11-01 18:12:43 UTC
This is still an issue on FC6. Everyone who installs openswan in a xenu using
anaconda, rpm or yum has their install process hanging forever. I raised the
urgency of this bug.

Comment 2 Paul Wouters 2006-11-01 18:15:26 UTC
note: openswan 2.4.7rc3 will be released today, and the final release will
follow in a day or two. It supports the new style ipsec.secrets from fedora, so
removing the newhostkey bit in rpm is enough, and first startup, openswan will
fork a key generation in the background (similarly to when no /etc/ipsec.secrets
exists).

If you only want to do a quickfix/workaround, just comment out the ipsec
newhostkey command - it is causing much more pain than it solves.
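
The approach described in the comments above (no key generation in %post, generation on first startup in the background), sketched as an added shell example. It is not openswan's init script or the Fedora spec file: `ensure_hostkey`, `HOSTKEY`, `KEYGEN_CMD` and the lock directory are assumptions, and only the `ipsec newhostkey --output` command and the file path are taken from the %post scriptlet quoted in the description.

```shell
#!/bin/sh
# Added illustration: a first-startup helper that never blocks its caller.
# HOSTKEY and KEYGEN_CMD are hypothetical knobs; their defaults are the path
# and command from the %post scriptlet quoted in the bug description.
HOSTKEY="${HOSTKEY:-/etc/ipsec.d/hostkey.secrets}"
KEYGEN_CMD="${KEYGEN_CMD:-ipsec newhostkey --output}"

# ensure_hostkey: returns immediately and prints one of
#   present     key file already exists
#   generating  a background generator was started by this call
#   pending     another generator already holds the lock
#   error       the lock could not be created (e.g. missing directory)
ensure_hostkey() {
    lock="$HOSTKEY.lock"
    if [ -s "$HOSTKEY" ]; then
        echo present
        return 0
    fi
    # mkdir is atomic, so only one caller ever starts a generator.
    # A lock left behind by a crash has to be cleared by the caller at boot.
    if ! mkdir "$lock" 2>/dev/null; then
        if [ -d "$lock" ]; then echo pending; return 0; fi
        echo error
        return 1
    fi
    (
        umask 077                      # key material: owner-only from creation
        tmp="$HOSTKEY.tmp.$$"
        # The generator may wait for entropy for a long time (the hang seen
        # under xen); only this background subshell waits for it.
        if $KEYGEN_CMD "$tmp" && [ -s "$tmp" ]; then
            mv "$tmp" "$HOSTKEY"       # rename: readers never see a partial key
        else
            rm -f "$tmp"
        fi
        rmdir "$lock"
    ) >/dev/null 2>&1 &
    echo generating
}
```

An init script would call `ensure_hostkey` before starting the daemon and carry on regardless of the result; the package scriptlet itself then needs no key generation step.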

Comment 3 Paul Wouters 2007-01-26 02:47:01 UTC
This should really get fixed before the FC7test1 freeze. How long should an item
marked "urgent" by upstream be ignored?

Comment 4 Harald Hoyer 2007-01-26 10:20:28 UTC
sorry, it took so long.

