#4210 Call generate-rndc-key.sh during ipa-server-install
Closed: Fixed. Opened 10 years ago by sbose.

If /etc/rndc.key does not exist, it will be created during the startup of named by calling /usr/libexec/generate-rndc-key.sh. To generate a random key, /dev/random is read, which can only produce random numbers if there is enough entropy in the kernel's entropy pool.

While running ipa-adtrust-install, a lot of random data is needed during the installation of the KDC, the Certificate Server etc. This might leave the entropy pool pretty empty. As a result, generate-rndc-key.sh might block until enough entropy is collected to produce the needed amount of random data.

Since systemd has by default a 2-minute timeout to start a service, starting IPA at the end of ipa-server-install might fail because starting named times out.

To solve this I would suggest calling generate-rndc-key.sh during ipa-server-install if --setup-dns is given. This will help to get around any external timeouts, and we might even explain that this operation might need some time and can be sped up with the help of disk and network I/O.


Implementation note: We could read the value from the /proc/sys/kernel/random/entropy_avail file and print a message like "your system is running out of entropy, expect long delays" if the value is < 200 or so.

I think this bug should be fixed soon, installing and running IPA on VMs is really painful.

Replying to [comment:3 pspacek]:

Implementation note: We could read the value from the /proc/sys/kernel/random/entropy_avail file and print a message like "your system is running out of entropy, expect long delays" if the value is < 200 or so.

Would it make sense to do this check before every operation which requires a large amount of entropy? So not only before calling /usr/libexec/generate-rndc-key.sh, but also before installing the KDC, etc.?

Hmm, I have no idea how it could be done. I don't think it is a very good idea to do it all the time, but maybe I'm wrong.

Replying to [comment:9 pspacek]:

Hmm, I have no idea how it could be done. I don't think it is a very good idea to do it all the time, but maybe I'm wrong.

I think it could be done at least a few times during the installation process, because in my experience, at the beginning of an installation there is enough entropy to use /dev/random smoothly, but after some time it depletes, so checking entropy only the first time would report that everything is OK. Checking only before the KDC and generate-rndc-key.sh would be my proposal.

See https://bugzilla.redhat.com/show_bug.cgi?id=1087061, there is one more use case we should cover.

I would indeed do the following:

  • Have a call to check entropy and produce warning if it is below defined threshold
  • Perform the check before the Kerberos container step and before generate-rndc-key.sh is run

Other checks are not needed at this point IMO.
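Added example, not FreeIPA's own code and not the fix that landed for this ticket: a small Python helper implementing the check proposed above. It reads /proc/sys/kernel/random/entropy_avail before an entropy-hungry step, prints the suggested warning when the reading is below a threshold, and can optionally wait for the pool to refill under a timeout the installer controls and can explain, instead of letting systemd's service start timeout kill named. The 200-bit threshold and the two check points (before the Kerberos step and before generate-rndc-key.sh) come from the discussion; the function names, the wait behaviour and the "unreadable file" handling are assumptions.

```python
"""Entropy check before entropy-hungry installer steps.

Added example, not FreeIPA code. All function names here are assumed;
only the file path, the 200-bit threshold and the check points come from
the ticket discussion.
"""
import time

ENTROPY_FILE = "/proc/sys/kernel/random/entropy_avail"
DEFAULT_THRESHOLD = 200  # "< 200 or so", as suggested in the ticket


def parse_entropy_avail(text):
    """Parse the contents of entropy_avail: one integer followed by a newline.

    Returns the integer, or None if the text is not a well-formed number.
    """
    try:
        return int(text.strip())
    except ValueError:
        return None


def read_entropy_avail(path=ENTROPY_FILE):
    """Return the kernel's estimate of available entropy bits, or None if unreadable.

    Non-Linux hosts and chroots without /proc have no such file; treat that
    as "unknown" rather than crashing the installer.
    """
    try:
        with open(path) as f:
            return parse_entropy_avail(f.read())
    except OSError:
        return None


def entropy_warning(avail, threshold=DEFAULT_THRESHOLD):
    """Return the warning text for a given reading, or None when no warning is due."""
    if avail is None:
        return ("Could not read %s; unable to tell whether the entropy pool "
                "is low, expect possible delays" % ENTROPY_FILE)
    if avail < threshold:
        return ("Your system is running out of entropy (%d bits available, "
                "threshold %d), expect long delays. Disk and network I/O on "
                "the host help refill the pool." % (avail, threshold))
    return None


def check_entropy(step, threshold=DEFAULT_THRESHOLD, path=ENTROPY_FILE):
    """Warn before an entropy-hungry step. Returns True if the pool looks OK."""
    msg = entropy_warning(read_entropy_avail(path), threshold)
    if msg is None:
        return True
    print("WARNING before %s: %s" % (step, msg))
    return False


def wait_for_entropy(threshold=DEFAULT_THRESHOLD, timeout=60, poll=2,
                     path=ENTROPY_FILE, sleep=time.sleep, clock=time.monotonic):
    """Block until the pool holds at least `threshold` bits or `timeout` seconds pass.

    Returns (last_reading, threshold_met). An unreadable file returns
    (None, False) immediately, since there is nothing to wait for.
    """
    deadline = clock() + timeout
    while True:
        avail = read_entropy_avail(path)
        if avail is None or avail >= threshold:
            return avail, avail is not None
        if clock() >= deadline:
            return avail, False
        sleep(poll)


if __name__ == "__main__":
    # The two check points the discussion agreed on: before the Kerberos
    # container step and before generate-rndc-key.sh is run.
    for step in ("Kerberos KDC setup", "/usr/libexec/generate-rndc-key.sh"):
        if not check_entropy(step):
            avail, ok = wait_for_entropy(timeout=30)
            print("  pool after waiting: %s bits (%s)" %
                  (avail, "ok" if ok else "still low, continuing anyway"))
```

Caveat for anyone reusing this today: the check only means something on the kernels this ticket was written against. Since Linux 5.18 the random subsystem was reworked so that /dev/random no longer blocks once the CRNG is seeded and entropy_avail reports a constant value, so on such kernels the warning will never fire and the blocking described in the ticket does not occur.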

What about dogtag, does it need some entropy to create the CA keys?

Probably yes, potentially in pkicreate function? CCing Ade to advise.

We did not see many failures or complaints about PKI installation though. Most of the complaints were about Kerberos installation + the actual failures in DNS.

Let me make clear that named fails to start because of the systemd timeout. It is not a named issue :-)

master:

  • 71c6d2f Call generate-rndc-key.sh during ipa-server-install

Metadata Update from @sbose:
- Issue assigned to amisnyov
- Issue set to the milestone: FreeIPA 4.0 Backlog

7 years ago
