Axel Burri
2019-Mar-05 16:39 UTC
getrandom() before forking daemon is blocking init system
Hello When booting from a slow machine, I can observe dovecot blocking the whole boot process. I traced it down to the getrandom() system call in lib/randgen.c, which blocks until the random number generator is initialized (dmesg "random: crng init done"). This can take up to three minutes (!) on my machine, as there is not much entropy available (no hardware RNG, network VPN is also waiting for random). Unfortunately dovecot calls getrandom() before forking a daemon, which as a consequence blocks the whole init process (OpenRC on Gentoo Linux). I believe this behavior has changed in kernel 4.14: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.14.40&id=6e513bc20ca63f594632eca4e1968791240b8f18 Quoting getrandom(2): "If the urandom source has not yet been initialized, then getrandom() will block, unless GRND_NONBLOCK is specified in flags." Dovecot: 2.3.4.1 (f79e8e7e4) Linux: 4.19.26-gentoo #2 SMP Thu Feb 28 20:30:23 CET 2019 x86_64 AMD G-T40E Processor AuthenticAMD GNU/Linux Regards, Axel
William Taylor
2019-Mar-05 16:51 UTC
getrandom() before forking daemon is blocking init system
On Tue, Mar 05, 2019 at 05:39:28PM +0100, Axel Burri via dovecot wrote:> Hello > > When booting from a slow machine, I can observe dovecot blocking the > whole boot process. I traced it down to the getrandom() system call in > lib/randgen.c, which blocks until the random number generator is > initialized (dmesg "random: crng init done"). This can take up to three > minutes (!) on my machine, as there is not much entropy available (no > hardware RNG, network VPN is also waiting for random). > > Unfortunately dovecot calls getrandom() before forking a daemon, which > as a consequence blocks the whole init process (OpenRC on Gentoo Linux). > > I believe this behavior has changed in kernel 4.14: > > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.14.40&id=6e513bc20ca63f594632eca4e1968791240b8f18 > > Quoting getrandom(2): > "If the urandom source has not yet been initialized, then getrandom() > will block, unless GRND_NONBLOCK is specified in flags." > > > Dovecot: 2.3.4.1 (f79e8e7e4) > > Linux: 4.19.26-gentoo #2 SMP Thu Feb 28 20:30:23 CET 2019 x86_64 AMD > G-T40E Processor AuthenticAMD GNU/Linux > > > Regards, > > Axel >It should either block or fail to start. I personally like the idea of blocking so it starts up successfully. Have you tried installing an entropy daemon or something to provide more entropy? I've seen people suggest haveged before. On a side note.. I thought you want to call getrandom() after forking otherwise all children have the same rng sequence.
> On 05 March 2019 at 18:51 William Taylor via dovecot <dovecot at dovecot.org> wrote: > > > On Tue, Mar 05, 2019 at 05:39:28PM +0100, Axel Burri via dovecot wrote: > > Hello > > > > When booting from a slow machine, I can observe dovecot blocking the > > whole boot process. I traced it down to the getrandom() system call in > > lib/randgen.c, which blocks until the random number generator is > > initialized (dmesg "random: crng init done"). This can take up to three > > minutes (!) on my machine, as there is not much entropy available (no > > hardware RNG, network VPN is also waiting for random). > > > > Unfortunately dovecot calls getrandom() before forking a daemon, which > > as a consequence blocks the whole init process (OpenRC on Gentoo Linux). > > > > I believe this behavior has changed in kernel 4.14: > > > > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.14.40&id=6e513bc20ca63f594632eca4e1968791240b8f18 > > > > Quoting getrandom(2): > > "If the urandom source has not yet been initialized, then getrandom() > > will block, unless GRND_NONBLOCK is specified in flags." > > > > > > Dovecot: 2.3.4.1 (f79e8e7e4) > > > > Linux: 4.19.26-gentoo #2 SMP Thu Feb 28 20:30:23 CET 2019 x86_64 AMD > > G-T40E Processor AuthenticAMD GNU/Linux > > > > > > Regards, > > > > Axel > > > > It should either block or fail to start. I personally like the idea of > blocking so it starts up successfully. > > Have you tried installing an entropy daemon or something to provide more > entropy? I've seen people suggest haveged before. > > On a side note.. I thought you want to call getrandom() after forking > otherwise all children have the same rng sequence. >Entropy daemon is very recommended for your server in any case, otherwise you'll have lots of trouble with SSL. Aki
Reasonably Related Threads
- getrandom() before forking daemon is blocking init system
- getrandom() before forking daemon is blocking init system
- getrandom waits for a long time when /dev/random is insufficiently read from
- getrandom waits for a long time when /dev/random is insufficiently read from
- getrandom waits for a long time when /dev/random is insufficiently read from