diff --git a/Dockerfile b/Dockerfile
index 8409629be..39ab54fbe 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -214,6 +214,15 @@ RUN wget -O /linux.tar.xz "https://cdn.kernel.org/pub/linux/kernel/v${LINUX_VERS
 ln -sT "linux-$LINUX_VERSION" /usr/src/linux; \
 [ -d /usr/src/linux ]
+# apply kernel entropy patch from 5.4; this same patch was backported in Debian in 5.3.9-1
+# - https://git.kernel.org/linus/50ee7529ec4500c88f8664560770a7a1b65db72b
+# - https://salsa.debian.org/kernel-team/linux/commit/c323c453b2485a33bfb33635a07f3a50bc1db1ee
+# - https://lists.debian.org/debian-boot/2019/11/msg00077.html
+# specifically, this solves the problem of early-boot entropy (SSH key generation, for example), avoiding the need for userspace solutions like haveged
+RUN wget -O kernel-entropy.patch 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=50ee7529ec4500c88f8664560770a7a1b65db72b'; \
+ patch -p1 --input "$PWD/kernel-entropy.patch" --directory /usr/src/linux; \
+ rm kernel-entropy.patch
+
 RUN { \
 echo '#!/usr/bin/env bash'; \
 echo 'set -Eeuo pipefail'; \
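Review bot: The patch fetched by the new `RUN wget -O kernel-entropy.patch …` line is applied to the kernel tree without any integrity check, so the only thing protecting the build from a swapped or tampered download is the TLS connection itself; whether the tarball download above this hunk is verified is not visible here, but this step certainly is not. Pinning the digest makes the build reproducible and fails loudly if the served content ever changes, e.g. insert `echo '<sha256-of-patch-placeholder>  kernel-entropy.patch' | sha256sum -c -; \` before the `patch` line (assuming coreutils is present in the build stage, which the surrounding RUN lines suggest). Separately, the patch was written against 5.4 while `LINUX_VERSION` is whatever the earlier ENV sets, so GNU patch's default fuzz factor could silently misplace a hunk in an older tree; `patch -p1 --fuzz=0 --input "$PWD/kernel-entropy.patch" --directory /usr/src/linux; \` turns a context mismatch into a build failure instead. The RUN that downloads the tarball, whose tail provides the leading context lines, begins outside the hunk.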
@@ -331,20 +340,6 @@ RUN echo 'for i in /usr/local/etc/profile.d/*.sh ; do if [ -r "$i" ]; then . $i;
 # install kernel headers so we can use them for building xen-utils, etc
 RUN make -C /usr/src/linux INSTALL_HDR_PATH=/usr/local headers_install
-# https://lkml.org/lkml/2018/4/12/711 (https://github.com/boot2docker/boot2docker/pull/1322)
-# https://github.com/jirka-h/haveged/releases
-ENV HAVEGED_VERSION 1.9.4
-RUN wget -O /haveged.tgz "https://github.com/jirka-h/haveged/archive/${HAVEGED_VERSION}.tar.gz"; \
- mkdir /usr/src/haveged; \
- tar --extract --file /haveged.tgz --directory /usr/src/haveged --strip-components 1; \
- rm /haveged.tgz
-# https://debbugs.gnu.org/11064 (libtool eats "-static", gcc doesn't mind getting "--static" even more than once)
-RUN ( cd /usr/src/haveged && ./configure LDFLAGS='-static --static' ); \
- make -C /usr/src/haveged/src -j "$(nproc)" haveged; \
- cp -v /usr/src/haveged/src/haveged usr/local/sbin/; \
- strip usr/local/sbin/haveged; \
- tcl-chroot haveged --run 1
-
 # http://download.virtualbox.org/virtualbox/
 # updated via "update.sh"
 ENV VBOX_VERSION 5.2.34
diff --git a/files/bootsync.sh b/files/bootsync.sh
index 3a20be937..39f59425f 100755
--- a/files/bootsync.sh
+++ b/files/bootsync.sh
@@ -71,10 +71,6 @@ done
 /usr/local/etc/init.d/acpid start
-# https://github.com/boot2docker/boot2docker/pull/1322
-/etc/init.d/haveged conditional
-# (if the system doesn't have enough entropy, "dockerd" hangs without any output until it get a sufficient amount)
-
 if [ -e /var/lib/boot2docker/bootsync.sh ]; then
 sh /var/lib/boot2docker/bootsync.sh
 fi
diff --git a/files/init.d/haveged b/files/init.d/haveged
deleted file mode 100755
index 64d1e52d5..000000000
--- a/files/init.d/haveged
+++ /dev/null
@@ -1,78 +0,0 @@
-#!/bin/sh
-set -e
-
-# https://lkml.org/lkml/2018/4/12/711
-# https://github.com/boot2docker/boot2docker/pull/1322
-
-if [ "$(id -u)" != 0 ]; then
- echo >&2 "error: must be root to invoke $0"
- exit 1
-fi
-
-# https://github.com/jirka-h/haveged/blob/1.9.4/init.d/sysv.lsb
-
-PIDFILE='/var/run/haveged.pid'
-pid() {
- if [ -s "$PIDFILE" ]; then
- local pid
- pid="$(cat "$PIDFILE")"
- if ps "$pid" > /dev/null 2>&1; then
- echo "$pid"
- return 0
- fi
- fi
- return 1
-}
-
-start() {
- if pid="$(pid)"; then
- echo >&2 "error: haveged is already running ($pid)"
- exit 1
- fi
-
- echo 'Starting haveged'
-
- mkdir -p /var/lib/boot2docker/log
-
- # https://github.com/jirka-h/haveged/blob/1.9.4/init.d/sysv.lsb#L41
- haveged -w 1024 -v 1 -p "$PIDFILE"
-}
-
-stop() {
- if pid="$(pid)"; then
- echo "Stopping haveged ($pid)"
- kill "$pid"
- fi
-}
-
-restart() {
- stop
- start
-}
-
-# only start the daemon if it's determined that we probably need to
-conditional() {
- # https://bugs.debian.org/923675#72
- if [ -e /sys/devices/virtual/misc/hw_random/rng_current ] && rngCurrent="$(cat /sys/devices/virtual/misc/hw_random/rng_current)" && [ "${rngCurrent:-none}" != 'none' ]; then
- # hardware RNG likely present, do not start software RNG
- return
- fi
- if grep -q '^flags\b.*\brdrand\b' /proc/cpuinfo; then
- # CPU has RNG functionality, do not start software RNG
- return
- fi
-
- # given the default poolsize of 4096, 120 is ~3% of the total pool
- if currentEntropy="$(cat /proc/sys/kernel/random/entropy_avail)" && [ "$currentEntropy" -gt 120 ]; then
- # if we appear to have an OK amount of entropy already, skip software RNG
- return
- fi
-
- # "fire it up"
- start
-}
-
-case "$1" in
- start|stop|restart|conditional) "$1" ;;
- *) echo "Usage $0 {start|stop|restart|conditional}"; exit 1 ;;
-esac