Gentoo Forums
OpenSSL pseudorandom number generator issue w/bind [SOLVED]
hanj
Veteran
Joined: 19 Aug 2003
Posts: 1500

Posted: Mon Jan 07, 2019 5:13 pm    Post subject: OpenSSL pseudorandom number generator issue w/bind [SOLVED]

On one of my servers, bind is not able to start. I see the following in the logs...

Code:
Jan  7 10:00:54 comp named[3831]: starting BIND 9.12.2-P2 <id:b2bf278>
Jan  7 10:00:54 comp named[3831]: built with '--prefix=/usr' '--build=i686-pc-linux-gnu' '--host=i686-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--docdir=/usr/share/doc/bind-9.12.2_p2-r1' '--htmldir=/usr/share/doc/bind-9.12.2_p2-r1/html' '--with-sysroot=/' '--libdir=/usr/lib' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--disable-dnsrps' '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp' '--disable-threads' '--with-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gost' '--without-gssapi' '--without-idnkit' '--without-libidn2' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--without-python' '--with-ecdsa' '--with-openssl=/usr' '--with-libxml2' '--with-zlib' '--with-randomdev=/dev/random' 'build_alias=i686-pc-linux-gnu' 'host_alias=i686-pc-linux-gnu' 'CFLAGS=-O3 -march=pentium4 -funroll-loops -fprefetch-loop-arrays -pipe -I/usr/include/db5.3' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
Jan  7 10:00:54 comp named[3831]: running as: named -u named -t /chroot/dns
Jan  7 10:00:54 comp named[3831]: compiled by GCC 4.9.4
Jan  7 10:00:54 comp named[3831]: compiled with OpenSSL version: OpenSSL 1.0.2q  20 Nov 2018
Jan  7 10:00:54 comp named[3831]: linked to OpenSSL version: OpenSSL 1.0.2q  20 Nov 2018
Jan  7 10:00:54 comp named[3831]: compiled with libxml2 version: 2.9.8
Jan  7 10:00:54 comp named[3831]: linked to libxml2 version: 20908
Jan  7 10:00:54 comp named[3831]: compiled with zlib version: 1.2.11
Jan  7 10:00:54 comp named[3831]: linked to zlib version: 1.2.11
Jan  7 10:00:54 comp named[3831]: threads support is disabled
Jan  7 10:00:54 comp named[3831]: ----------------------------------------------------
Jan  7 10:00:54 comp named[3831]: BIND 9 is maintained by Internet Systems Consortium,
Jan  7 10:00:54 comp named[3831]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jan  7 10:00:54 comp named[3831]: corporation.  Support and training for BIND 9 are
Jan  7 10:00:54 comp named[3831]: available at https://www.isc.org/support
Jan  7 10:00:54 comp named[3831]: ----------------------------------------------------
Jan  7 10:00:54 comp named[3831]: using up to 4096 sockets
Jan  7 10:00:54 comp named[3831]: openssl_link.c:296: fatal error:
Jan  7 10:00:54 comp named[3831]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Jan  7 10:00:54 comp named[3831]: exiting (due to fatal error in library)
Jan  7 10:00:54 comp /etc/init.d/named[3825]: start-stop-daemon: failed to start `/usr/sbin/named'
Jan  7 10:00:54 comp /etc/init.d/named[3293]: ERROR: named failed to start


I see the following bug report, but no comments:

https://bugs.gentoo.org/673746

I also see another issue at bind-users-forum, again, no resolution:

http://bind-users-forum.2342410.n4.nabble.com/PRNG-not-seeded-service-won-t-start-td6026.html

I'm rolling back to net-dns/bind-9.11.2_p1

Current USE flags with my bind:
Code:

[ebuild   R    ] net-dns/bind-9.12.2_p2-r1::gentoo  USE="berkdb caps dlz ssl xml zlib -dnsrps -dnstap -doc -fixed-rrset -geoip -gost -gssapi -idn -ipv6 -json -ldap -libidn2 -libressl -lmdb -mysql -odbc -postgres -python -rpz (-seccomp) (-selinux) -static-libs -threads -urandom" PYTHON_TARGETS="python2_7 python3_4 python3_5 python3_6 (-python3_7)" 0 KiB


Any ideas?

Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com


Last edited by hanj on Wed Jan 09, 2019 3:05 am; edited 1 time in total
hanj
Veteran
Joined: 19 Aug 2003
Posts: 1500

Posted: Tue Jan 08, 2019 2:20 am

This thread was interesting...

https://bugzilla.redhat.com/show_bug.cgi?id=1631515 [Moderator note: warning: obnoxious fast flashing banner on the linked page. -Hu]

My box is using a chroot, but I do have those in the chroot:
Code:

ls -al /chroot/dns/dev/
total 0
drwxr-xr-x 2 root root   120 May 14  2014 .
drwxr-x--- 6 root named  144 Jul  4  2014 ..
crw-rw-rw- 1 root root  1, 3 May 14  2014 null
crw-rw-rw- 1 root root  1, 8 May 14  2014 random
crw-rw-rw- 1 root root  1, 5 May 14  2014 zero


Still digging...
_________________
Server Admin Blog - Uno-Code.com
Ant P.
Watchman
Joined: 18 Apr 2009
Posts: 6920

Posted: Tue Jan 08, 2019 8:19 am

Is this immediately after bootup? Try putting `sysctl kernel.random.entropy_avail | logger` in a startup script and see what gets written to syslog, it may be that's too low. Values over 1000 are healthy.
hanj
Veteran
Joined: 19 Aug 2003
Posts: 1500

Posted: Tue Jan 08, 2019 2:46 pm

Ant P. wrote:
Is this immediately after bootup? Try putting `sysctl kernel.random.entropy_avail | logger` in a startup script and see what gets written to syslog, it may be that's too low. Values over 1000 are healthy.


Nope, not after bootup. I've confirmed this on 3 boxes now: 2 boxes have not rebooted in a while, while the 3rd was after a fresh reboot. Also, I didn't specify, all 3 named are in a chroot.

hanji
_________________
Server Admin Blog - Uno-Code.com
Hu
Administrator
Joined: 06 Mar 2007
Posts: 22480

Posted: Wed Jan 09, 2019 2:44 am

You have some of the nodes. You don't have urandom. Does it help to add that?

Also, please next time include a warning before linking to anything with such a horrible flashing banner. Some administrator who clearly cannot be trusted with access to bugzilla.redhat.com thought it'd be cute to include the following in all their pages:
Code:
<div id="no-js-message">This site requires JavaScript to be enabled to function correctly, please enable it.</div>
Code:
#no-js-message {
    background-color: #c40000;
    color: white;
    font-weight: bold;
    padding: 15px;
    animation: 1s linear 0s normal none infinite running nojs;
    border-radius: 4px;
    text-align: center;
    font-size: 14pt;
}
1s?!

The message isn't even right. The site works fine, if you can ignore the extremely distracting flash effect. I'm just glad I didn't have an epileptic looking over my shoulder.


Last edited by Hu on Wed Jan 09, 2019 3:07 am; edited 1 time in total
hanj
Veteran
Joined: 19 Aug 2003
Posts: 1500

Posted: Wed Jan 09, 2019 3:04 am

Hu wrote:
You have some of the nodes. You don't have urandom. Does it help to add that?


Thanks so much! I did add that, and it worked!

Code:
crw-r--r-- 1 root root  1, 9 Jan  8 19:54 urandom


For anyone else that has problems...

Code:
cd /chroot/dns/dev
mknod urandom c 1 9


Thanks!
hanji
_________________
Server Admin Blog - Uno-Code.com
guid0
Guru
Joined: 06 Jul 2003
Posts: 377
Location: The Netherlands / Nederland

Posted: Mon Jun 17, 2019 10:29 am

For those hitting this issue, I ran into the same troubles but needed a different fix.

Code:
Jun 17 12:19:48 ns1 named[1050]: openssl_link.c:296: fatal error:
Jun 17 12:19:48 ns1 named[1050]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Jun 17 12:19:48 ns1 named[1050]: exiting (due to fatal error in library)


My chroot is in /var/chroot/dns, and since my regular /var was mounted with the 'nodev' option, it turned out that this filesystem option was causing the same SSL issue.

I simply remounted /var without -o nodev and was able to recover services.

Will look into this again at some other time in order to see if we can restore 'nodev' on the filesystem.

Cheers,
guid0
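An added example, not code posted by anyone in this thread: a small POSIX shell audit script that checks the three conditions the thread turned up before you go reading OpenSSL's "PRNG not seeded" FAQ again. It verifies that the chroot's /dev has null, zero, random and urandom as character devices with the standard Linux major/minor numbers (the numbers visible in hanj's ls output; urandom 1,9 was the missing one in the first fix), checks whether the filesystem holding the chroot is mounted nodev by parsing /proc/mounts (guid0's case), and reports kernel.random.entropy_avail against the 1000 threshold Ant P. suggested. The chroot path /chroot/dns in the usage line and the mknod -m 666 mode in the suggested fix are assumptions (666 matches the other nodes in hanj's chroot and the host's /dev/urandom; if named only opens the device after dropping to -u named, a root-owned 0644 node like the one hanj created would not be readable). It needs a stat that understands %t/%T (GNU coreutils or busybox) and must run as root only for the mknod it prints, not for the audit itself.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the /dev nodes a chrooted
# named needs plus the mount and entropy conditions behind the
# "OpenSSL pseudorandom number generator cannot be initialized" fatal error.
# Assumes Linux with a GNU/busybox stat; the chroot path is an assumption.

# Return 0 if $1/$2 is a character device with major $3 and minor $4.
dev_node_ok() {
    path="$1/$2"
    [ -c "$path" ] || return 1
    # stat %t/%T print the major/minor numbers in hex.
    nums=$(stat -c '%t %T' "$path" 2>/dev/null) || return 1
    set -- $nums "$3" "$4"
    [ "$((0x$1))" -eq "$3" ] && [ "$((0x$2))" -eq "$4" ]
}

# Read /proc/mounts-format lines on stdin; return 0 if the longest mountpoint
# that contains path $1 carries the nodev option (devices on it cannot be opened).
mount_has_nodev() {
    target=$1 best="" bestopts=""
    while read -r _fs mnt _type opts _rest; do
        case "$target" in
            "$mnt"|"${mnt%/}"/*)
                # Prefer the deepest matching mountpoint, e.g. /var over /.
                if [ "${#mnt}" -ge "${#best}" ]; then
                    best=$mnt bestopts=$opts
                fi ;;
        esac
    done
    case ",$bestopts," in *,nodev,*) return 0 ;; esac
    return 1
}

# Print the state of chroot $1; return 1 if anything needs fixing.
audit_chroot_dev() {
    root=$1 rc=0
    # name major minor: the standard Linux numbers, as in hanj's ls -al output.
    for spec in "null 1 3" "zero 1 5" "random 1 8" "urandom 1 9"; do
        set -- $spec
        if dev_node_ok "$root/dev" "$1" "$2" "$3"; then
            echo "ok       $root/dev/$1"
        else
            # Mode 666 is an assumption matching the host's /dev/urandom.
            echo "MISSING  $root/dev/$1  (as root: mknod -m 666 $root/dev/$1 c $2 $3)"
            rc=1
        fi
    done
    if mount_has_nodev "$root" < /proc/mounts; then
        echo "WARNING  filesystem under $root is mounted nodev; device nodes there cannot be opened"
        rc=1
    fi
    if [ -r /proc/sys/kernel/random/entropy_avail ]; then
        ent=$(cat /proc/sys/kernel/random/entropy_avail)
        # 1000 is the "healthy" figure suggested earlier in the thread.
        [ "$ent" -ge 1000 ] || echo "WARNING  kernel.random.entropy_avail is only $ent"
    fi
    return $rc
}

# Usage: sh audit_chroot_dev.sh /chroot/dns
if [ $# -gt 0 ]; then
    audit_chroot_dev "$1"
fi
```

Run it as `sh audit_chroot_dev.sh /chroot/dns` (or /var/chroot/dns) and act on any MISSING or WARNING line; the exit status is non-zero when something needs fixing, so it can also sit in the named init script before start-stop-daemon. Two caveats: remounting /var without nodev, as guid0 did, is the blunt fix; mounting a small devtmpfs or tmpfs (without nodev) on the chroot's /dev keeps nodev on /var while still giving named its devices. And on kernels 5.18 and later entropy_avail is pinned at 256 once the CRNG is ready, so the entropy warning is informational there rather than a sign of a starved /dev/random.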