overlord/devicestate: switch to ssh-keygen for device key generation

[vosst]

Switch to ssh-keygen for device key generation.

Please note that placement of key files in /tmp is temporary and we are awaiting advice on where to put the files.

[pedronis]

some comments

[pedronis]

we need to think where to best put these, though we know ssh-keygen will make sure they are root only accessible

[pedronis]

an approach we use when we have things that invoke external commands is having:

sshGenerateKeyImpl this function
var sshGenerateKey = sshGenerateKeyImpl
MockSshGenarateKey

so most tests would Mock this function with something that doesn't fork/exec,
and a couple would test the real thing. It's worth only if the whole devicestate suite is much slower than on master

[vosst]

I did a couple of test runs and both master and this branch take mostly the same time, differences are in the range of milliseconds.

[chipaca]

FWIW we also have testutil.MockCommand

[pedronis]

we probably want to use osutil.OutputErr here:

out, err := cmd.CombinedOutput()
if err != nil {
return nil, osutil.OutputErr(out, err)
}

[vosst]

Thanks, fixed.

[pedronis]

this is a left over from before noticing that Decode doesn't return an error actually

[vosst]

Thanks, fixed.

[tyhicks]

Hello - I was asked to take a look at this and was told that the change was for first-boot performance reasons on rpi2 and others.

I'm not a fan of this change since ssh-keygen is an external program and has a configuration file that we're not in control of. I feel like we should enable khwrng since most of these ARM chips have hardware random number generators and then take a better look into why Go's RSA keygen routine is taking so long.

I hear that @vosst is working on gathering some performance numbers between Go and OpenSSH keygen routines.

[vosst]

@tyhicks Thanks for your remarks. We are putting this PR up for review early as we treat it as a fallback right now. We already did the work of enabling hwrng and have it participate in the kernel's entropy gathering process. I'm deep diving into Go's rsa key generation algorithm and compare it to the one used by ssh-keygen.

[ogra1]

@tyhicks even with the khwrng enabled the key generation in Go takes minutes while ssh-keygen takes seconds ... apparently there are some deep changes in Go needed to fix this as i understand. the ssh-keygen switch is only thought as an interim solution til Go itself can be fixed.

[ogra1]

testable images with this change included are at http://people.canonical.com/~ogra/snappy/all-snaps/ssh-keygen-test/

[setharnold]

Is there any reason why 25519 keys aren't being generated instead? IIRC those are just 32 bytes of randomness with a few bits set specifically to ensure that the resulting key is on the curve. No primality testing, no probabilistic generation, etc.

Thanks

[mwhudson]

then take a better look into why Go's RSA keygen routine is taking so long

My understanding is that it's just less sophisticated. IIRC (and this maybe wrong), the performance of generating RSA keys is dominated by the performance of running the Miller-Rabin primality test which is dominated by the performance of Montgomery multiplication. openssl has hyper-optimized assembly montgomery multiplication routines, Go doesn't.

[vosst]

@mwhudson yup, I'm taking cpu profiles right now, and Go's BigInt operations that are repeatedly used in the primality tests seem to be the bottleneck here. I will follow up with more data.

See for example golang/go#15833.

Simple profiling is here: https://gist.github.com/vosst/cb3d16e1f1596baf6ccb989d6b1897a7
Results for x86_64 (Core i7): https://www.NoFile.io/f/2ExcAuaQpgO

[ogra1]

http://paste.ubuntu.com/24312862/ has a set of captured data from 16 installs in a row (freshly flashed SD card each) with an image using this patch, the key generation with this takes between 10 and 20 seconds (compared to 5-15 minutes using the Go routine)

[zyga]

There's a failure in one of the tests. That test is pretty racy and I saw it fail many times recently:

FAIL: overlord_test.go:360: overlordSuite.TestEnsureLoopPrune

overlord_test.go:384:
    c.Assert(st.Change(chg1.ID()), Equals, chg1)
... obtained *state.Change = (*state.Change)(nil)
... expected *state.Change = &state.Change{state:(*state.State)(0xc820369dc0), id:"1", kind:"abort", summary:"...", status:0, clean:false, data:state.customData{}, taskIDs:[]string{"1"}, lanes:0, ready:(chan struct {})(0xc82020a6c0), spawnTime:time.Time{sec:63626902304, nsec:782578764, loc:(*time.Location)(0x110fa80)}, readyTime:time.Time{sec:63626902304, nsec:884419528, loc:(*time.Location)(0x110fa80)}}

[zyga]

There's some formatting errors as well:

Formatting wrong in following files:
/home/travis/gopath/src/github.com/snapcore/snapd/overlord/devicestate/handlers.go

I suspect you want to try gofmt -s (simplify)

[vosst]

Applied gofmt -s (did not know about -s).

[chipaca]

does rsa_generate_key take ownership of the strings? otherwise you're leaking them

[vosst]

Good catch, forgot to push the respective commit.

[pedronis]

why still using files on disk now?

[vosst]

Mainly because building up an rsa.PrivateKey is non-trivial and I'm using the parsing functions to get the job done. I haven't looked too deeply if I could leverage the openssl PEM encoding functions to place the encoded key into memory.

[zyga]

Is this exhaustive? Do we need a default "unknown error" type case?

[vosst]

I modelled the enumeration as exhaustive as possible, aiming to capture all possible error conditions. For that, I left out the generic error code.

[zyga]

How about calling this snapd_... so that various snapd C functions have a common prefix?

[vosst]

Done.

[zyga]

I suspect this is undesired

[vosst]

Yes, fixed.

[zyga]

Ditto for prefixing those with some snapd specific prefix.

[vosst]

Done.

[pedronis]

seems there is something like BIO_new_mem_buf we could use instead

[vosst]

Indeed, I adjusted the code to use it and avoid any sort of out-of-band file operations.

[ogra1]

thomas asked me to do another round of tests after switching to direct openssl calls from shelling out to ssh-keygen ... http://paste.ubuntu.com/24334125/ has the results of 15 installs from the "Generating device key" step to "Mark system seeded". numbers do not seem much different from the ssh-keygen case, in average the key generation is around 10sec with 4sec being the fastest and about 30sec being the slowest.

[pedronis]

some comments

[pedronis]

I would call this one generateRSAKey(keyLength int) ...
and at this point probably better to split this out also to a generate_rsa_key.go file

[vosst]

Done.

[pedronis]

s/Failed to/cannot/, no final dot, same for all errors here

[vosst]

Done.

[pedronis]

should be lowercase except for RSA etc, "...: could not"

[vosst]

Done.

[pedronis]

cannot

[vosst]

Done.

[pedronis]

this is more of a serialization/memory error now than I/O, no?

[vosst]

We cannot really tell. Might fail due to an issue in allocating memory by the underlying BIO memory writer.

[pedronis]

we should check that ->memory is not NULL ?

[vosst]

Done.

[pedronis]

what's the purpose of this?

[vosst]

It's obsolete now, removed.

[pedronis]

thanks, a few more small comments

[pedronis]

this applies also to the lib version?

[pedronis]

can keyLength be just an int?

[pedronis]

s/IO/MARSHAL/ s/persist/marshal/

otherwise it sounds this is about disk which is not the case anymore

[vosst]

Done.

[pedronis]

this is something we should have done before, we can unlock around this:
st.Unlock()
keyPari, err := ...
st.Lock()

[vosst]

Done.

[pedronis]

s/IO/MARSHAL/

[vosst]

Done.

[tyhicks]

What directory are we in when creating this? Should an absolute path be specified instead of blindly going with the current working directory?

[vosst]

I will happily rely on security's guidance here.

[tyhicks]

I don't have a specific suggestion as I'm not sure what directory snapd typically uses for this sort of thing. Ideally, it should only be readable/writable by root.

@niemeyer any suggestions?

[tyhicks]

/run/snapd/ feels like the right place but I noticed that it isn't always created. For example, a test system of mine with no snaps installed does not have /run/snapd/ but it is created once a snap is installed.

I see it is referenced in dirs/dirs.go with the SnapRunNsDir variable. It is probably best that someone more active in snapd development advises you on if it is appropriate to use for your case.

[ogra1]

this is moot, this function is used during the firstboot process of Ubuntu Core IoT images to generate the device key ... i dont think when using snapd on a desktop this function is used at all, you can be sure that /run/snapd exists and snapd is running at that point.

[pedronis]

what ogra said is not fully true, we will use/might use this also on classic at some point, it's safer to create that dir here as well if it doesn't exist

[vosst]

Done.

[zyga]

Do we properly depend on this in our packaging?

[vosst]

Both runtime and build time dependency list openssh-client (for Ubuntu at least).

[zyga]

@morphis FYI: potential new dependency for packaging

[niemeyer]

A few trivial comments below.

Please get a review by @tyhicks on this one as well.

[niemeyer]

That's misleading. If we can't take < 1024, let's panic instead and force the test to read correctly.

[vosst]

Done.

[niemeyer]

This file would be better as crypto.go or similar, so it implies a better scope than this one function.

[vosst]

Done.

[niemeyer]

It would be better to have this as a dynamically named temporary file instead of a fixed one. Otherwise we can get hard to debug issues because of concurrently running logic.

[vosst]

Done.

[niemeyer]

This is strconv.Itoa.

[vosst]

Done.

[niemeyer]

Is the second parameter there an error?

If so, might be useful to have the hint of what was broken:

if err != nil {
        return nil, fmt.Errorf("cannot decode PEM block: %v", err)
}

[vosst]

The second parameter is the remainder of the input after decoding one block.

[niemeyer]

A couple of trivials, but LGTM anyway.

Thanks for all the work on this fix!

[niemeyer]

This may now be defer os.RemoveAll(tempDir) directly.

[vosst]

Done.

[niemeyer]

This reads slightly odd. Having them in their own var lines might be nicer in this particular case.

[vosst]

Done.

[zyga]

Looks good, I'll review remaining discussion and merge if all feedback is addressed.

[zyga]

Thank you for handling this detail :-)

[zyga]

Why do we unlock the state here? To run an external program?

[zyga]

@morphis ^^ FYI