[blfs-support] Unbound slow to start with recent kernels on some machines

Douglas R. Reno renodr2002 at gmail.com
Thu Jul 19 05:45:16 PDT 2018

On Wed, Jul 18, 2018 at 8:04 PM Ken Moffat <zarniwhoop at ntlworld.com> wrote:

> On Sat, Jun 02, 2018 at 10:02:39PM +0100, Ken Moffat wrote:
> > I've been seeing problems on some of my machines with recent kernels
> > (first noticed in 4.17-rc, but it also now happends in 4.16.4 or
> > later).  The problem is that instead of unbound taking a handful of
> > seconds to start (often, it is all-but immediate), on the affected
> > machines it now takes up to two and a half minutes.
> >
> Finally, making slow progress on this.  The problem is caused by the
> fix for CVE-2018-1108.  A little while ago Ted Ts'o offered a patch,
> possibly as an RFC, to use entropy from the hwrng (unsafe for
> critical things like key generation, but it allows less-important
> things, e.g. in systemd units, to run and therefore it lets the box
> boot in the absence of real entropy.
> Apparently he did this because fedora are starting to derive
> "entropy" from jitter so that e.g. VMs can boot in a meaningful
> time.
> For my haswell that was great, but for my kaveri it made no
> difference - turns out that the kaveri does NOT have a hwrng (I
> enabled the option, and /dev/hwrng exists, but reading it with dd
> reports 'No such file').
> And the patch which introduced this fix can no-longer be reverted,
> parts of the file, at least in 4.18-rc5, have been rewritten.
> What I will now be looking at is twofold:
> 1. start the random bootscript earlier (currently it is S25, but
> unbound is S21; S15 - just after sysklogd - looks likely).
> For systemd, I've no idea how to change the dependencies.

While option 2 is nice, for systemd, it'll be a one-liner configuration

We could probably even do it as a sed.

We'd have to change it to Requires=haveged
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linuxfromscratch.org/pipermail/blfs-support/attachments/20180719/c828c5af/attachment.html>

More information about the blfs-support mailing list