Haveged service not started in debian-9 template #2161

Closed
marmarek opened this Issue Jul 9, 2016 · 18 comments

Comments

@marmarek
Member

marmarek commented Jul 9, 2016

Qubes OS version (e.g., R3.1):

R3.2

Affected TemplateVMs (e.g., fedora-23, if applicable):

debian-9


Expected behavior:

Haveged service installed and running by default.

Actual behavior:

Haveged service installed but not running.

Steps to reproduce the behavior:

  1. Start a VM based on debian-9 template
  2. Check if service is running: systemctl status haveged

Collected data:

● haveged.service - Entropy daemon using the HAVEGE algorithm
   Loaded: loaded (/lib/systemd/system/haveged.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:haveged(8)
           http://www.issihosts.com/haveged/
root@test-inst-backend:~# cat /lib/systemd/system/haveged.service
[Unit]
Description=Entropy daemon using the HAVEGE algorithm
Documentation=man:haveged(8) http://www.issihosts.com/haveged/
DefaultDependencies=no
ConditionVirtualization=!container
After=systemd-random-seed.service
Before=sysinit.target shutdown.target systemd-journald.service

[Service]
EnvironmentFile=-/etc/default/haveged
ExecStart=/usr/sbin/haveged --Foreground --verbose=1 $DAEMON_ARGS
SuccessExitStatus=143
SecureBits=noroot-locked
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_SYS_ADMIN
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=full
ProtectHome=yes

[Install]
WantedBy=default.target
root@test-inst-backend:~# ls -l /etc/systemd/system/default.target.wants/
total 0
lrwxrwxrwx 1 root root 35 Jan 12 07:03 haveged.service -> /lib/systemd/system/haveged.service
lrwxrwxrwx 1 root root 53 Jan 12 07:09 systemd-readahead-collect.service -> /lib/systemd/system/systemd-readahead-collect.service
lrwxrwxrwx 1 root root 52 Jan 12 07:09 systemd-readahead-replay.service -> /lib/systemd/system/systemd-readahead-replay.service
root@test-inst-backend:~# ls -l /etc/systemd/system/default.target
lrwxrwxrwx 1 root root 37 Jan 12 07:09 /etc/systemd/system/default.target -> /lib/systemd/system/multi-user.target
root@test-inst-backend:~# ls -l /etc/systemd/system/multi-user.target.wants/
total 0
lrwxrwxrwx 1 root root 31 Jan 12 06:45 atd.service -> /lib/systemd/system/atd.service
lrwxrwxrwx 1 root root 32 Jan 12 06:33 cron.service -> /lib/systemd/system/cron.service
lrwxrwxrwx 1 root root 40 Jan 12 07:09 cups-browsed.service -> /lib/systemd/system/cups-browsed.service
lrwxrwxrwx 1 root root 40 Jan 12 07:02 ModemManager.service -> /lib/systemd/system/ModemManager.service
lrwxrwxrwx 1 root root 38 May 12 01:19 networking.service -> /lib/systemd/system/networking.service
lrwxrwxrwx 1 root root 42 Jan 12 07:09 NetworkManager.service -> /lib/systemd/system/NetworkManager.service
lrwxrwxrwx 1 root root 36 Jan 12 07:09 pppd-dns.service -> /lib/systemd/system/pppd-dns.service
lrwxrwxrwx 1 root root 37 Jan 12 07:09 qubes-dvm.service -> /lib/systemd/system/qubes-dvm.service
lrwxrwxrwx 1 root root 42 Jan 12 07:09 qubes-firewall.service -> /lib/systemd/system/qubes-firewall.service
lrwxrwxrwx 1 root root 43 Jan 12 07:09 qubes-gui-agent.service -> /lib/systemd/system/qubes-gui-agent.service
lrwxrwxrwx 1 root root 48 Jan 12 07:09 qubes-meminfo-writer.service -> /lib/systemd/system/qubes-meminfo-writer.service
lrwxrwxrwx 1 root root 43 Jan 12 07:09 qubes-misc-post.service -> /lib/systemd/system/qubes-misc-post.service
lrwxrwxrwx 1 root root 44 Jan 12 07:09 qubes-mount-dirs.service -> /lib/systemd/system/qubes-mount-dirs.service
lrwxrwxrwx 1 root root 44 Jan 12 07:09 qubes-netwatcher.service -> /lib/systemd/system/qubes-netwatcher.service
lrwxrwxrwx 1 root root 41 Jan 12 07:09 qubes-network.service -> /lib/systemd/system/qubes-network.service
lrwxrwxrwx 1 root root 46 Jan 12 07:09 qubes-qrexec-agent.service -> /lib/systemd/system/qubes-qrexec-agent.service
lrwxrwxrwx 1 root root 44 Jan 12 07:09 qubes-update-check.timer -> /lib/systemd/system/qubes-update-check.timer
lrwxrwxrwx 1 root root 47 Jan 12 07:09 qubes-updates-proxy.service -> /lib/systemd/system/qubes-updates-proxy.service
lrwxrwxrwx 1 root root 36 Jan 12 06:29 remote-fs.target -> /lib/systemd/system/remote-fs.target
lrwxrwxrwx 1 root root 35 Jan 12 06:34 rsyslog.service -> /lib/systemd/system/rsyslog.service
lrwxrwxrwx 1 root root 32 Jan 12 07:09 sudo.service -> /lib/systemd/system/sudo.service
lrwxrwxrwx 1 root root 44 Jan 12 07:09 systemd-networkd.service -> /lib/systemd/system/systemd-networkd.service
lrwxrwxrwx 1 root root 44 Jan 12 07:09 systemd-resolved.service -> /lib/systemd/system/systemd-resolved.service
lrwxrwxrwx 1 root root 31 May 12 01:31 tor.service -> /lib/systemd/system/tor.service
lrwxrwxrwx 1 root root 42 Jan 12 07:09 wpa_supplicant.service -> /lib/systemd/system/wpa_supplicant.service

Probably the reason is usage of default.target.wants instead of multi-user.target.wants.

@unman Member

unman commented Oct 17, 2016

@marmarek It's not just the use of default.target. The Debian config also has PrivateTmp=1.
Both of those need to be changed in the template.

@marmarek Member

marmarek commented Oct 17, 2016

What is wrong with PrivateTmp=1?

@unman Member

unman commented Oct 17, 2016

Nothing, but I think the effect of the Debian ordering means that haveged is started early. While this seems to work in the Template, it doesn't work in the VMs based on it.
To retain PrivateTmp it's necessary to push the start later - removing sysinit from the BEFORE line would do, I think, and also taking out DefaultDependencies=no.

@marmarek Member

marmarek commented Oct 17, 2016

I still can't see why PrivateTmp can't work on early started service in TemplateBasedVM. Some implicit ordering?

@unman Member

unman commented Oct 18, 2016

No idea - it looks to me as if it won't start in a template-based VM before basic.target, although it will in Template. The dependency list doesn't seem to help much.

@marmarek Member

marmarek commented Oct 18, 2016

systemd-analyze?

Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

@unman Member

unman commented Oct 18, 2016

I've tried it and produced numerous pretty plots. None of them get to the heart of the issue, at least for me. Also significant that haveged can start earlier in a template than in a template-based VM. I'll keep poking about, and let you know conclusions.

@unman Member

unman commented Nov 13, 2016

Question - how late in the boot can haveged start and still be useful?

@marmarek Member

marmarek commented Nov 13, 2016

Since we do provide initial random seed from dom0, it may be late.

@unman Member

unman commented Nov 13, 2016

OK - then

DefaultDependencies=no
ConditionVirtualization=!container
After=apparmor.service systemd-random-seed.service systemd-tmpfiles-setup.service

and

[Install]
WantedBy=multi-user.target

seems to work fine, and retains PrivateTmp.
I'll check if this is needed in xenial too and then put in a PR.
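The following is an added example, not code from this issue or from the Qubes project. It is a POSIX sh script that rebuilds, as a constructed fixture under mktemp, the enablement layout shown in the report's ls -l output (default.target is a symlink to multi-user.target, and haveged.service is linked only from default.target.wants/), then reports where a unit's enabling symlink actually sits relative to the target that default.target resolves to. It also reads WantedBy= from a unit file, so the unit quoted in the report can be compared with one written with the multi-user.target value proposed above. All function names, the fixture paths and the shortened unit text are assumptions; the script only inspects the on-disk layout and does not by itself settle whether systemd honours an alias's .wants directory, which is the question the thread is working through.

```shell
#!/bin/sh
# Added example (not from the issue or the Qubes project): inspect where a
# systemd unit is enabled relative to the resolved default.target, using a
# constructed fixture that mirrors the listing in the report. Pass / as the
# root to run the same checks against a live system.

# True if a path exists or is a (possibly dangling) symlink. Enablement links
# point at absolute /lib/... paths that do not exist inside the fixture.
present() {
    [ -L "$1" ] || [ -e "$1" ]
}

# Write a shortened haveged.service with the given WantedBy= value. The other
# lines are copied from the unit quoted in the report.
write_unit() {
    cat > "$1" <<EOF
[Unit]
Description=Entropy daemon using the HAVEGE algorithm
DefaultDependencies=no
ConditionVirtualization=!container
After=systemd-random-seed.service
Before=sysinit.target shutdown.target systemd-journald.service

[Service]
ExecStart=/usr/sbin/haveged --Foreground --verbose=1
PrivateTmp=yes

[Install]
WantedBy=$2
EOF
}

# Constructed fixture: default.target -> multi-user.target, haveged.service
# linked only from default.target.wants/. Prints the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/lib/systemd/system" \
             "$root/etc/systemd/system/default.target.wants" \
             "$root/etc/systemd/system/multi-user.target.wants"
    write_unit "$root/lib/systemd/system/haveged.service" default.target
    ln -s /lib/systemd/system/haveged.service \
        "$root/etc/systemd/system/default.target.wants/haveged.service"
    ln -s /lib/systemd/system/multi-user.target \
        "$root/etc/systemd/system/default.target"
    printf '%s\n' "$root"
}

# Basename of the target that $1/etc/systemd/system/default.target points to.
resolve_default_target() {
    link="$1/etc/systemd/system/default.target"
    if [ -L "$link" ]; then
        basename "$(readlink "$link")"
    else
        echo default.target
    fi
}

# The WantedBy= value from a unit file.
unit_wanted_by() {
    sed -n 's/^WantedBy=//p' "$1"
}

# How unit $2 is enabled under root $1:
#   real  - linked from <resolved default target>.wants/
#   alias - linked only from default.target.wants/
#   none  - no enablement symlink found
enablement_kind() {
    sysdir="$1/etc/systemd/system"
    real=$(resolve_default_target "$1")
    if present "$sysdir/$real.wants/$2"; then
        echo real
    elif present "$sysdir/default.target.wants/$2"; then
        echo alias
    else
        echo none
    fi
}

# Stand-alone run over the fixture, then the proposed [Install] change.
fixture=$(make_fixture)
echo "default.target -> $(resolve_default_target "$fixture")"
echo "haveged.service enabled via: $(enablement_kind "$fixture" haveged.service)"
echo "reported unit WantedBy: $(unit_wanted_by "$fixture/lib/systemd/system/haveged.service")"
write_unit "$fixture/proposed.service" multi-user.target
echo "proposed unit WantedBy: $(unit_wanted_by "$fixture/proposed.service")"
rm -rf "$fixture"
```

On the fixture the report gives "alias" for haveged.service, which is the layout marmarek suspects; after the proposed WantedBy=multi-user.target is installed with systemctl enable, the link lands in multi-user.target.wants/ and the same check reports "real".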

@marmarek Member

marmarek commented Dec 12, 2016

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.2.15-1.fc23 has been pushed to the r3.2 testing repository for the Fedora fc23 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.2-current-testing

Changes included in this update

@marmarek Member

marmarek commented Dec 12, 2016

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.2.15-1.fc24 has been pushed to the r3.2 testing repository for the Fedora fc24 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.2-current-testing

Changes included in this update

@marmarek Member

marmarek commented Dec 12, 2016

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.2.15-1.fc25 has been pushed to the r3.2 testing repository for the Fedora fc25 template.
To test this update, please install it with the following command:

sudo yum update --enablerepo=qubes-vm-r3.2-current-testing

Changes included in this update

@qubesos-bot

qubesos-bot commented Jan 8, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.2.15-1.fc23 has been pushed to the r3.2 stable repository for the Fedora fc23 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot

qubesos-bot commented Jan 8, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.2.15-1.fc24 has been pushed to the r3.2 stable repository for the Fedora fc24 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot

qubesos-bot commented Jan 8, 2017

Automated announcement from builder-github

The package python2-dnf-plugins-qubes-hooks-3.2.15-1.fc25 has been pushed to the r3.2 stable repository for the Fedora fc25 template.
To install this update, please use the standard update command:

sudo yum update

Changes included in this update

@qubesos-bot

qubesos-bot commented Jan 8, 2017

Automated announcement from builder-github

The package qubes-core-agent_3.2.15-1+deb8u1 has been pushed to the r3.2 testing repository for the Debian jessie template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing jessie-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

@qubesos-bot

qubesos-bot commented Jan 8, 2017

Automated announcement from builder-github

The package qubes-core-agent_3.2.15-1+deb9u1 has been pushed to the r3.2 testing repository for the Debian stretch template.
To test this update, first enable the testing repository in /etc/apt/sources.list.d/qubes-*.list by uncommenting the line containing stretch-testing, then use the standard update command:

sudo apt-get update && sudo apt-get dist-upgrade

Changes included in this update

marmarek added a commit to marmarek/old-qubes-core-agent-linux that referenced this issue May 22, 2017

debian: make haveged.service patch less intrusive...
...but installed on all Debian versions. This is mostly required by
verbose file list in debian/qubes-core-agent.install. But also make it
use new options when upstream will set them.

QubesOS/qubes-issues#2161

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Jun 9, 2017

Closed

core-agent-linux v4.0.0 (r4.0) #68

marmarek added a commit to marmarek/qubes-core-agent-linux that referenced this issue Mar 21, 2018

debian: make haveged.service patch less intrusive...
...but installed on all Debian versions. This is mostly required by
verbose file list in debian/qubes-core-agent.install. But also make it
use new options when upstream will set them.

QubesOS/qubes-issues#2161

(cherry picked from commit 34fa6e7)

@qubesos-bot qubesos-bot referenced this issue in QubesOS/updates-status Mar 22, 2018

Closed

core-agent-linux v3.2.27 (r3.2) #463
