Red Hat Bugzilla – Bug 209395
openswan hangs on install in xenu
Last modified: 2007-11-30 17:11:45 EST
Description of problem:
The redhat version of openswan.spec runs 'newhostkey' on package install.
This is a mistake and should not be done. There are good reasons why the
original openswan package does this on *first startup* and not at install time.
If there is no random available, the whole install procedure hangs.
Unfortunately, this is exactly what happens on xen kernels. It just does not
have enough entropy to create a 2048-bit RSA key, so yum will be hanging forever.
Version-Release number of selected component (if applicable):
Not tried, but since I know what's happening, I'm sure it always happens.
Steps to Reproduce:
1. Install fc6test3
2. xenguest-install a new xen, reboot, login
3. yum install openswan
yum hangs forever, and after ctrl-c/d, openswan is not properly installed.
From the specfile:
chkconfig --add ipsec
# generates a 2048-bit raw RSA host key, blocking on /dev/random, during %post
if [ ! -e /etc/ipsec.d/hostkey.secrets ];then
ipsec newhostkey --output /etc/ipsec.d/hostkey.secrets
fi
Don't perform this action at install time.
I will change the openswan check for ipsec.secrets to support this fedora
file layout, so it will generate the above filename on FC. This will be in
openswan-2.4.7. So this %post operation will then no longer be necessary.
Note that openswan generates the raw RSA key in the background at startup,
so no hangs at startup would happen on xen guests with no entropy.
In the meantime, it is better for users not to have a hanging yum and to have to
manually run "ipsec newhostkey" for those who want to use raw RSA keys.
This is still an issue on FC6. Everyone who installs openswan in a xenu using
anaconda, rpm or yum has their install process hang forever. I raised the
urgency of this bug.
note: openswan 2.4.7rc3 will be released today, and the final release will
follow in a day or two. It supports the new style ipsec.secrets from fedora, so
removing the newhostkey bit in rpm is enough, and first startup, openswan will
fork a key generation in the background (similarly to when no /etc/ipsec.secrets
If you only want to do a quickfix/workaround, just comment out the ipsec
newhostkey command - it is causing much more pain than it solves.
This should really get fixed before the FC7test1 freeze. How long should an item
marked "urgent" by upstream be ignored?
Sorry it took so long.
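The fix the thread argues for, written out as an added shell example (this is not code from the openswan package, its spec file, or any comment above): the %post scriptlet only registers the service, and the raw RSA host key is generated on first service start, forked into the background, so a Xen guest with an empty entropy pool stalls the key generator rather than yum, anaconda or the boot sequence. The entropy check against /proc/sys/kernel/random/entropy_avail, the 256-bit warning threshold, and the fake_newhostkey stand-in for `ipsec newhostkey --output` are assumptions of this example so that it runs on a machine without openswan; the real chkconfig call is left commented out for the same reason.

```shell
#!/bin/sh
# Added example, not code from the openswan package or this bug report.
# %post only registers the service; the RSA host key is generated on first
# start, in the background, so low entropy never blocks package installation.

# Amount of entropy the kernel currently holds for /dev/random (Linux).
# Prints 0 when the counter is not readable (non-Linux, restricted /proc).
entropy_avail() {
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        cat /proc/sys/kernel/random/entropy_avail
    else
        echo 0
    fi
}

# True (exit 0) when the pool holds fewer than $1 bits, i.e. a blocking
# /dev/random read for a 2048-bit key is likely to stall for a long time.
entropy_is_low() {
    [ "$(entropy_avail)" -lt "$1" ]
}

# What the %post scriptlet should reduce to: register the service and stop.
# The real command is commented out so the example runs on any machine.
post_install() {
    # chkconfig --add ipsec
    return 0
}

# First-start hook.  $1 is the secrets file, the remaining arguments are the
# generator command; with real openswan that is: ipsec newhostkey --output
# The key is written to a temp file and renamed, so an interrupted run never
# leaves a half-written secrets file that looks like a key.  Sets HOSTKEY_PID
# to the background job (empty when nothing had to be done) and returns at once.
start_hostkey_in_background() {
    hk_file=$1
    shift
    HOSTKEY_PID=
    if [ -e "$hk_file" ]; then
        return 0                       # key already present, nothing to do
    fi
    if entropy_is_low 256; then        # assumed threshold, adjust to taste
        echo "ipsec: low entropy ($(entropy_avail) bits), host key generation may take a while" >&2
    fi
    ( "$@" "$hk_file.tmp" && mv "$hk_file.tmp" "$hk_file" ) &
    HOSTKEY_PID=$!
}

# Constructed stand-in for 'ipsec newhostkey --output FILE' so the example
# runs without openswan installed.  It writes a placeholder, not a real key.
fake_newhostkey() {
    printf ': RSA {\n\t# constructed placeholder, not a real RSA key\n\t}\n' > "$1"
}

# Demo in a scratch directory: install, then two "service starts".  The
# second start finds the key and does not fork a generator.
demo() {
    d=$(mktemp -d)
    post_install
    start_hostkey_in_background "$d/hostkey.secrets" fake_newhostkey
    first_pid=$HOSTKEY_PID
    if [ -n "$first_pid" ]; then
        wait "$first_pid"
    fi
    start_hostkey_in_background "$d/hostkey.secrets" fake_newhostkey
    if [ -f "$d/hostkey.secrets" ] && [ -z "$HOSTKEY_PID" ]; then
        echo "key generated once in the background, reused on second start"
    fi
    rm -rf "$d"
}

demo
```

On a real system the init script would call start_hostkey_in_background with `ipsec newhostkey --output` as the generator and `/etc/ipsec.d/hostkey.secrets` as the file; pluto can start without the raw RSA key and pick it up once the background job has renamed the temp file into place.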