hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Mon Jan 07, 2019 5:13 pm Post subject: OpenSSL pseudorandom number generator issue w/bind [SOLVED]
On one of my servers, bind is not able to start. I see the following in the logs...
Code:
Jan 7 10:00:54 comp named[3831]: starting BIND 9.12.2-P2 <id:b2bf278>
Jan 7 10:00:54 comp named[3831]: built with '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.12.2_p2-r1' '--htmldir=/usr/share/doc/bind-9.12.2_p2-r1/html' '--with-sysroot=/' '--libdir=/usr/lib' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--disable-dnsrps' '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp' '--disable-threads' '--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gost' '--without-gssapi' '--without-idnkit' '--without-libidn2' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--with-ecdsa' '--with-openssl=/usr' '--with-libxml2' '--with-zlib' '--with-randomdev=/dev/random' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CFLAGS=-O3 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -pipe -I/usr/include/db5.3' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
Jan 7 10:00:54 comp named[3831]: running as: named -u named -t /chroot/dns
Jan 7 10:00:54 comp named[3831]: compiled by GCC 4.9.4
Jan 7 10:00:54 comp named[3831]: compiled with OpenSSL version: OpenSSL 1.0.2q 20 Nov 2018
Jan 7 10:00:54 comp named[3831]: linked to OpenSSL version: OpenSSL 1.0.2q 20 Nov 2018
Jan 7 10:00:54 comp named[3831]: compiled with libxml2 version: 2.9.8
Jan 7 10:00:54 comp named[3831]: linked to libxml2 version: 20908
Jan 7 10:00:54 comp named[3831]: compiled with zlib version: 1.2.11
Jan 7 10:00:54 comp named[3831]: linked to zlib version: 1.2.11
Jan 7 10:00:54 comp named[3831]: threads support is disabled
Jan 7 10:00:54 comp named[3831]: ----------------------------------------------------
Jan 7 10:00:54 comp named[3831]: BIND 9 is maintained by Internet Systems Consortium,
Jan 7 10:00:54 comp named[3831]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jan 7 10:00:54 comp named[3831]: corporation. Support and training for BIND 9 are
Jan 7 10:00:54 comp named[3831]: available at https://www.isc.org/support
Jan 7 10:00:54 comp named[3831]: ----------------------------------------------------
Jan 7 10:00:54 comp named[3831]: using up to 4096 sockets
Jan 7 10:00:54 comp named[3831]: openssl_link.c:296: fatal error:
Jan 7 10:00:54 comp named[3831]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Jan 7 10:00:54 comp named[3831]: exiting (due to fatal error in library)
Jan 7 10:00:54 comp /etc/init.d/named[3825]: start-stop-daemon: failed to start `/usr/sbin/named'
Jan 7 10:00:54 comp /etc/init.d/named[3293]: ERROR: named failed to start
I see the following bug report, but no comments:
https://bugs.gentoo.org/673746
I also see another issue at bind-users-forum, again, no resolution:
http://bind-users-forum.2342410.n4.nabble.com/PRNG-not-seeded-service-won-t-start-td6026.html
I'm rolling back to net-dns/bind-9.11.2_p1
Current USE flags with my bind:
Code:
[ebuild R ] net-dns/bind-9.12.2_p2-r1::gentoo USE="berkdb caps dlz ssl xml zlib -dnsrps -dnstap -doc -fixed-rrset -geoip -gost -gssapi -idn -ipv6 -json -ldap -libidn2 -libressl -lmdb -mysql -odbc -postgres -python -rpz (-seccomp) (-selinux) -static-libs -threads -urandom" PYTHON_TARGETS="python2_7 python3_4 python3_5 python3_6 (-python3_7)" 0 KiB
Any ideas?
Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com
Last edited by hanj on Wed Jan 09, 2019 3:05 am; edited 1 time in total
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Tue Jan 08, 2019 2:20 am Post subject:
This thread was interesting...
https://bugzilla.redhat.com/show_bug.cgi?id=1631515 [Moderator note: warning: obnoxious fast flashing banner on the linked page. -Hu]
My box is using a chroot, but I do have those in the chroot..
Code:
ls -al /chroot/dns/dev/
total 0
drwxr-xr-x 2 root root 120 May 14 2014 .
drwxr-x--- 6 root named 144 Jul 4 2014 ..
crw-rw-rw- 1 root root 1, 3 May 14 2014 null
crw-rw-rw- 1 root root 1, 8 May 14 2014 random
crw-rw-rw- 1 root root 1, 5 May 14 2014 zero
Still digging...
_________________
Server Admin Blog - Uno-Code.com
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
Posted: Tue Jan 08, 2019 8:19 am Post subject:
Is this immediately after bootup? Try putting `sysctl kernel.random.entropy_avail | logger` in a startup script and see what gets written to syslog, it may be that's too low. Values over 1000 are healthy.
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Tue Jan 08, 2019 2:46 pm Post subject:
Ant P. wrote:
    Is this immediately after bootup? Try putting `sysctl kernel.random.entropy_avail | logger` in a startup script and see what gets written to syslog, it may be that's too low. Values over 1000 are healthy.
Nope.. not after boot up. I've confirmed this on 3 boxes now. 2 boxes have not rebooted in a while, while the 3rd was after a fresh reboot. Also, I didn't specify, all 3 named are in a chroot.
hanji
_________________
Server Admin Blog - Uno-Code.com
Hu Administrator
Joined: 06 Mar 2007 Posts: 22480
Posted: Wed Jan 09, 2019 2:44 am Post subject:
You have some of the nodes. You don't have urandom. Does it help to add that?
Also, please next time include a warning before linking to anything with such a horrible flashing banner. Some administrator who clearly cannot be trusted with access to bugzilla.redhat.com thought it'd be cute to include the following in all their pages:
Code:
<div id="no-js-message">This site requires JavaScript to be enabled to function correctly, please enable it.</div>
Code:
#no-js-message {
background-color: #c40000;
color: white;
font-weight: bold;
padding: 15px;
animation: 1s linear 0s normal none infinite running nojs;
border-radius: 4px;
text-align: center;
font-size: 14pt;
}
1s?!
The message isn't even right. The site works fine, if you can ignore the extremely distracting flash effect. I'm just glad I didn't have an epileptic looking over my shoulder.
Last edited by Hu on Wed Jan 09, 2019 3:07 am; edited 1 time in total
hanj Veteran
Joined: 19 Aug 2003 Posts: 1500
Posted: Wed Jan 09, 2019 3:04 am Post subject:
Hu wrote:
    You have some of the nodes. You don't have urandom. Does it help to add that?
Thanks so much! I did add that.. and it worked!
Code:
crw-r--r-- 1 root root 1, 9 Jan 8 19:54 urandom
For anyone else that has problems...
Code:
cd /chroot/dns/dev
mknod urandom c 1 9
Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com
guid0 Guru
Joined: 06 Jul 2003 Posts: 377 Location: The Netherlands / Nederland
Posted: Mon Jun 17, 2019 10:29 am Post subject:
For those hitting this issue, I ran into the same troubles but needed a different fix.
Code:
Jun 17 12:19:48 ns1 named[1050]: openssl_link.c:296: fatal error:
Jun 17 12:19:48 ns1 named[1050]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Jun 17 12:19:48 ns1 named[1050]: exiting (due to fatal error in library)
My chroot is in /var/chroot/dns and since my regular /var was mounted with the 'nodev' option it turned out that this filesystem option was causing the same SSL issue.
I simply remounted /var without -o nodev and was able to recover services.
Will look into this again at some other time in order to see if we can restore 'nodev' on the filesystem.
Cheers,
guid0
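Both fixes in this thread (hanj's missing urandom node and guid0's nodev mount) can be checked before named is restarted. The Python script below is an added example, not code posted by anyone in the thread: it scans a chroot's /dev for the four character devices with the major/minor numbers shown in the ls output and mknod command above, and parses /proc/mounts to find the filesystem holding that directory and whether it carries the nodev option. With nodev the kernel refuses to open device nodes on that filesystem, so the node can be present with the right numbers and named still cannot seed OpenSSL from it. The default chroot path /chroot/dns/dev is taken from the thread; SAMPLE_MOUNTS is a constructed /proc/mounts excerpt for offline use.

```python
import os
import stat
import sys

# Character devices named(8) expects inside its chroot, as (major, minor).
# The numbers match the ls -al output and the mknod command in the thread.
REQUIRED_NODES = {
    "null": (1, 3),
    "zero": (1, 5),
    "random": (1, 8),
    "urandom": (1, 9),
}

# Constructed /proc/mounts sample (not from the thread): /var is nodev, so a
# chroot under /var/chroot/dns cannot open any device node it contains.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,nodev,relatime 0 0
tmpfs /chroot/dns/dev tmpfs rw,nosuid,relatime 0 0
"""


def scan_dev_dir(dev_dir):
    """Return {name: (major, minor)} for every character device in dev_dir."""
    found = {}
    for name in os.listdir(dev_dir):
        st = os.lstat(os.path.join(dev_dir, name))
        if stat.S_ISCHR(st.st_mode):
            found[name] = (os.major(st.st_rdev), os.minor(st.st_rdev))
    return found


def node_problems(found, required=REQUIRED_NODES):
    """List (name, expected, actual) for nodes that are missing or carry the
    wrong major/minor; actual is None when the node is absent."""
    return [(name, want, found.get(name))
            for name, want in required.items()
            if found.get(name) != want]


def mount_for(mounts_text, path):
    """Longest-prefix match of path against /proc/mounts content.
    Returns (mountpoint, option list) or None when nothing matches."""
    best = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mnt = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        opts = fields[3].split(",")
        if path == mnt or path.startswith(mnt.rstrip("/") + "/"):
            if best is None or len(mnt) > len(best[0]):
                best = (mnt, opts)
    return best


def mount_has_nodev(mounts_text, path):
    """True when the filesystem containing path is mounted with nodev."""
    m = mount_for(mounts_text, path)
    return m is not None and "nodev" in m[1]


def audit_chroot_dev(dev_dir, mounts_text=None):
    """Run both checks; returns (list of node problems, nodev flag)."""
    if mounts_text is None:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
    problems = node_problems(scan_dev_dir(dev_dir))
    nodev = mount_has_nodev(mounts_text, os.path.realpath(dev_dir))
    return problems, nodev


if __name__ == "__main__":
    dev_dir = sys.argv[1] if len(sys.argv) > 1 else "/chroot/dns/dev"
    problems, nodev = audit_chroot_dev(dev_dir)
    for name, want, got in problems:
        print(f"{dev_dir}/{name}: expected char {want[0]},{want[1]}, got {got}")
    if nodev:
        print(f"filesystem holding {dev_dir} is mounted nodev; "
              "device nodes there cannot be opened")
    if not problems and not nodev:
        print(f"{dev_dir}: all required nodes present and openable")
```

Run it as root with the chroot's dev directory as the only argument (for example `python3 audit_chroot_dev.py /var/chroot/dns/dev`). A reported missing node is fixed with the mknod command from hanj's post; a nodev report means the node numbers are irrelevant until the mount option is changed or the chroot's /dev is moved onto a filesystem (such as a small tmpfs) mounted without nodev.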