From: Daniel Isaksen
Date: Mon, 17 Sep 2018 10:41:03 +0200
Subject: Re: [alpine-devel] SSL connections hang on boot in Alpine VMs
To: Natanael Copa
Cc: Drew DeVault, Alpine Development

Also consider installing haveged, it's a tiny daemon that generates entropy
for the system.

I believe the kernel also uses both HID and hardware (in this case,
emulated) RNG devices - as ncopa says.

To check the system entropy (< ~200 is bad, > ~1000 is good), run
`cat /proc/sys/kernel/random/entropy_avail`.

-----
Sincerely / Med vennlig hilsen,
Daniel Isaksen (https://duniel.no)

On Mon, Sep 17, 2018 at 10:32 AM, Natanael Copa wrote:
> Hi!
>
> It sounds like /dev/random runs out of entropy in your vm.
>
> Does it help to add `-device virtio-rng-pci`?
>
> https://wiki.qemu.org/Features/VirtIORNG
>
> -nc
>
> On Sun, 16 Sep 2018 19:58:03 -0400
> Drew DeVault wrote:
>
> > Hey guys. I'm dealing with a super bizarre issue and I'm hoping I might
> > find some help here. I have a script which creates qcow2 images with
> > Alpine installed:
> >
> > https://git.sr.ht/~sircmpwn/builds.sr.ht/tree/images/alpine/genimg
> >
> > Running this as root on an Alpine machine will produce a bootable qcow2
> > you can feed into qemu to reproduce my problem:
> >
> >     qemu-system-x86_64 \
> >         -m 2048 \
> >         -net nic,model=virtio -net user,hostfwd=tcp::8022-:22 \
> >         -cpu host \
> >         -enable-kvm \
> >         -nographic \
> >         -drive file="root.img.qcow2",media=disk,snapshot=on,if=virtio
> >
> > You can then SSH in with `ssh -p 8022 builds@localhost`, with no
> > password. This user is in the sudoers file. You should then be able to
> > `curl http://example.org` to see that it can communicate fine with the
> > outside world. However, when you run `curl https://example.org`, it will
> > simply hang. It's not a problem specific to curl, as it can also be
> > reproduced with `openssl s_client example.org:443`.
> >
> > Here's what makes it really weird: the problem goes away if you `apk del
> > alpine-sdk && apk add alpine-sdk`. I took one Alpine image on which the
> > problem was reproducible, and another after reinstalling alpine-sdk, and
> > diffed the filesystems - the only thing I saw here was /etc/apk/world
> > shook up beyond the capability of my diff tool. If no one has ideas I'm
> > going to try writing some scripts to make the differences in between
> > these files more apparent.
> >
> > I build these images nightly. The problem first started appearing
> > sometime between 2018-09-06 20:36 UTC and 2018-09-07 20:36 UTC. I looked
> > over the commits to aports during that time (and a few days on either
> > end just to be sure), and found no leads. I also sorted
> > git.alpinelinux.org by date modified and looked over the same dates in
> > other Alpine repos, and left similarly empty-handed.
> >
> > Does anyone have any ideas?
> >
> > --
> > Drew DeVault
---
Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org
Help: alpine-devel+help@lists.alpinelinux.org
---
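
A guest-side check for the diagnosis discussed in this thread, as an added example that is not part of any of the messages: it applies the thresholds quoted above to `entropy_avail` and reports whether a hardware RNG (such as the one added with `-device virtio-rng-pci`) is feeding the kernel. The function names, the sysfs path `/sys/class/misc/hw_random/rng_current` and the "full pool counts as ok" rule are assumptions added here.

```shell
#!/bin/sh
# Added example: entropy health check for a VM guest.
# Thresholds come from the message (< ~200 bad, > ~1000 good).

# classify_entropy AVAIL [POOLSIZE] -> prints low | marginal | ok
classify_entropy() {
    avail=$1
    pool=${2:-0}
    # Assumption added here: a completely full pool is healthy even when
    # the pool itself is smaller than the thresholds.
    if [ "$pool" -gt 0 ] && [ "$avail" -ge "$pool" ]; then
        echo ok
    elif [ "$avail" -lt 200 ]; then
        echo low
    elif [ "$avail" -gt 1000 ]; then
        echo ok
    else
        echo marginal
    fi
}

# entropy_report [RANDOM_DIR] [HWRNG_DIR]
# Prints one summary line; returns 1 when entropy is low, 2 if unreadable.
# The directories are parameters so the check can run against test files.
entropy_report() {
    rdir=${1:-/proc/sys/kernel/random}
    hdir=${2:-/sys/class/misc/hw_random}
    avail=$(cat "$rdir/entropy_avail") || return 2
    pool=$(cat "$rdir/poolsize" 2>/dev/null || echo 0)
    # rng_current names the hardware RNG driver in use (for example a
    # virtio device); report "none" when the file is absent.
    hwrng=$(cat "$hdir/rng_current" 2>/dev/null || echo none)
    state=$(classify_entropy "$avail" "$pool")
    echo "entropy_avail=$avail poolsize=$pool hwrng=$hwrng state=$state"
    [ "$state" != low ]
}

# On a Linux guest, run the report against the live kernel files.
if [ -r /proc/sys/kernel/random/entropy_avail ]; then
    entropy_report || echo "low entropy: consider virtio-rng or haveged" >&2
fi
```

Running it early in boot, before the first TLS connection, shows whether the guest is starved at the point where `curl https://...` would hang.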