Description of problem:
The redhat version of openswan.spec runs 'newhostkey' on package install. This is a mistake and should not be done. There are good reasons why the original openswan package does this on *first startup* and not at install time. If there is no random available, the whole install procedure hangs. Unfortunately, this is exactly what happens on xen kernels. It just does not have enough entropy to create a 2048-bit RSA key, so yum will be hanging forever.

Version-Release number of selected component (if applicable):
openswan-2.4.5-2.1
kernel-xen-2.6.18-1.2726.fc6

How reproducible:
Not tried, but since I know what's happening, I'm sure it always happens.

Steps to Reproduce:
1. Install fc6test3
2. xenguest-install a new xen, reboot, login
3. yum install openswan

Actual results:
hanging yum forever, and after ctrl-c/d, openswan is not properly installed

Expected results:
the obvious

Additional info:
From the specfile:

    %post
    %{do_userland}
    chkconfig --add ipsec
    if [ ! -e /etc/ipsec.d/hostkey.secrets ];then
        ipsec newhostkey --output /etc/ipsec.d/hostkey.secrets
    fi
    exit 0

Don't perform this action at install time. I will change the openswan check for ipsec.secrets to support this fedora file layout, so it will generate the above filename on FC. This will be in openswan-2.4.7. So this %post operation will then no longer be necessary. Note that openswan generates the raw RSA key in the background at startup, so no hangs at startup would happen on xens with no entropy. In the meantime, it is better for users not to have a hanging yum and to have to manually run "ipsec newhostkey" for those who want to use raw RSA keys.
This is still an issue on FC6. Everyone who installs openswan in a xenU using anaconda, rpm or yum has their install process hanging forever. I raised the urgency of this bug.
note: openswan 2.4.7rc3 will be released today, and the final release will follow in a day or two. It supports the new style ipsec.secrets from fedora, so removing the newhostkey bit in the rpm is enough, and on first startup, openswan will fork a key generation in the background (similarly to when no /etc/ipsec.secrets exists). If you only want to do a quickfix/workaround, just comment out the ipsec newhostkey command - it is causing much more pain than it solves.
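The startup-time pattern the comment above describes (fork host-key generation into the background when the secrets file is missing, rather than blocking in %post where an entropy-starved xen guest hangs the package transaction), as an added shell example. This is not openswan's code nor the Fedora spec's: KEYGEN_CMD, stub_keygen, post_install_blocking, ensure_hostkey and the HOSTKEY_* variables are hypothetical names, and the stub writes a constructed placeholder line instead of a real RSA key.

```shell
#!/bin/sh
# Added example, not openswan's code or the Fedora openswan.spec.
# Shows the two patterns discussed in the bug: the synchronous install-time
# call that hangs yum when /dev/random has no entropy, and the startup-time
# pattern that forks key generation so the service (and the install) proceed.
#
# Hypothetical names: KEYGEN_CMD stands in for "ipsec newhostkey --output FILE";
# stub_keygen is a constructed stand-in that writes a placeholder, not a key.

# Stub for 'ipsec newhostkey': the sleep imitates a blocking read of
# /dev/random on an entropy-starved xen guest; then a placeholder is written.
stub_keygen() {
    sleep 2
    printf ': RSA { # constructed placeholder, not a real key }\n' > "$1"
}
KEYGEN_CMD=${KEYGEN_CMD:-stub_keygen}

# Report the kernel entropy pool size (Linux), or -1 where it cannot be read.
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo -1
    fi
}

# Install-time pattern from the spec file, kept only to show what hangs:
# the generator runs synchronously, so the package transaction waits on it.
post_install_blocking() {
    [ -e "$1" ] || "$KEYGEN_CMD" "$1"
}

# Startup-time pattern: ensure_hostkey FILE returns at once. It sets
# HOSTKEY_STATUS to "exists" or "started", and HOSTKEY_PID to the background
# generator's pid when one was started, so a caller may wait for it later.
ensure_hostkey() {
    HOSTKEY_PID=
    if [ -e "$1" ]; then
        HOSTKEY_STATUS=exists
        return 0
    fi
    echo "no $1; generating host key in background (entropy_avail=$(entropy_avail))"
    ( "$KEYGEN_CMD" "$1" ) >/dev/null 2>&1 &
    HOSTKEY_PID=$!
    HOSTKEY_STATUS=started
}

# Stand-alone demonstration: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); rm -f "$f"
    ensure_hostkey "$f"
    echo "service keeps starting while keygen runs (status=$HOSTKEY_STATUS)"
    wait "$HOSTKEY_PID"
    echo "host key written: $(cat "$f")"
    rm -f "$f"
fi
```

Save the block to a file and run it with --demo: the "service keeps starting" line prints immediately, and the placeholder key appears about two seconds later, which is the behaviour the reporter wants from the init script. Setting KEYGEN_CMD to a real generator turns ensure_hostkey into the startup hook; post_install_blocking is kept only to show that the synchronous call cannot return until the generator has finished.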
This should really get fixed before the FC7test1 freeze. How long should an item marked "urgent" by upstream be ignored?
Sorry it took so long.