Bug 37459 - System Setup hangs for a long time at "Einrichten der Init-Skripte" ("Setting up the init scripts")
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Mail
Version: UCS 4.0
Hardware/OS: Other Linux
Priority/Severity: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Daniel Tröder
QA Contact: Felix Botner
Duplicates: 37947
Depends on:
Blocks: 38685 39158
Reported: 2015-01-06 16:09 CET by Arvid Requate
Modified: 2015-09-02 12:58 CEST
CC: 7 users
Description Arvid Requate univentionstaff 2015-01-06 16:09:45 CET
A couple of times I found that the setup process of an AD Member (Master) was hanging for a long time at the message "Einrichten der Init-Skripte" ("Setting up the init scripts").

Apparently this happens when the entropy pool is exhausted during the generation of Diffie-Hellman keys for postfix. setup.log shows

=============================================================
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
=============================================================

and the process list shows

=============================================================
13998 ?        S      0:01 /usr/bin/python2.7 /usr/sbin/univention-management-console-server restart
16418 ?        S      0:01  \_ /usr/bin/python2.7 /usr/sbin/univention-management-console-module -m setup -s /var/run/univention-management-console/13998-1420554369518.socket -d 2 -l de_DE.UTF-8
17466 ?        Sl     0:01  \_ /usr/bin/python2.7 /usr/sbin/univention-management-console-module -m setup -s /var/run/univention-management-console/13998-1420556108150.socket -d 2 -l de_DE.UTF-8
17491 ?        S      0:00      \_ /bin/bash /usr/lib/univention-system-setup/scripts/setup-join.sh
15613 ?        S      0:00          \_ /bin/sh /usr/share/univention-mail-postfix/create-dh-parameter-files.sh
15616 ?        R      1:50              \_ openssl gendh -out /etc/postfix/dh_2048.pem.tmp -2 2048
=============================================================
Comment 1 Arvid Requate univentionstaff 2015-01-21 22:06:54 CET
Workaround for test setups:

mv /dev/random /dev/random.orig; ln -s /dev/urandom /dev/random
Comment 2 Erik Damrose univentionstaff 2015-03-06 10:19:55 CET
*** Bug 37947 has been marked as a duplicate of this bug. ***
Comment 3 Sönke Schwardt-Krummrich univentionstaff 2015-03-06 10:44:28 CET
Maybe the (general) installation of the package "haveged" is a solution. Or are there any security concerns?
Comment 4 Michael Grandjean univentionstaff 2015-03-15 21:24:03 CET
+1 for haveged. 

Concerning security: 
I think we should go for the version from wheezy-backports, because: 

- since haveged version 1.5, entropy can be tested at runtime (http://www.issihosts.com/haveged/ais31.html)
- run-time tests have been improved in versions 1.6 and 1.9
- wheezy ships version 1.4
- jessie / wheezy-backports ship version 1.9.1 (latest)


Concerning speed:
In a test environment I am using haveged from squeeze-backports (version 1.1) on a UCS 3.2-5 where I regularly need to create authentication keys for corosync. With haveged, the key creation time dropped from ~10 minutes to ~2 minutes.
Comment 5 Philipp Hahn univentionstaff 2015-03-27 11:19:45 CET
r59467 | Bug #35923 EC2: Disable PFS for mail
 Until an EGD is installed PFS has been disabled for our Jenkins tests as this is a PITA for everybody running tests and generating Appliances (Erik, Felix)

Please revert the first hunk of the change to branches/ucs-4.0/ucs-4.0-1/test/ucs-ec2-tools/examples/jenkins/utils/utils.sh once this bug is resolved.
Comment 6 Stefan Gohmann univentionstaff 2015-03-29 20:22:42 CEST
(In reply to Philipp Hahn from comment #5)
> r59467 | Bug #35923 EC2: Disable PFS for mail
>  Until an EGD is installed PFS has been disabled for our Jenkins tests as
> this is a PITA for everybody running tests and generating Appliances (Erik,
> Felix)

As discussed, please revert the commit. It changes the UCS setup, so we would not notice errors in this area, and we would have a problem if someone used the images in production.
Comment 7 Philipp Hahn univentionstaff 2015-03-29 20:50:54 CEST
r59488 | Revert "Bug #35923 EC2: Disable PFS for mail"
Comment 8 Janek Walkenhorst univentionstaff 2015-04-17 15:01:25 CEST
Using /dev/random instead of /dev/urandom does not make sense for this:

/dev/urandom is completely adequate for key derivation
<http://blog.cr.yp.to/20140205-entropy.html>

At most a "head -c 16 /dev/random" at the start of the machine would be required to assure a unique state of the RNG to counter the case that the machine boots with absolutely no entropy.
Comment 9 Stefan Gohmann univentionstaff 2015-07-03 20:19:14 CEST
Wouldn't it be possible to start the generation as a background process?
Comment 10 Stefan Gohmann univentionstaff 2015-07-04 21:39:53 CEST
(In reply to Stefan Gohmann from comment #9)
> Wouldn't it be possible to start the generation as a background process?

In Univention Apps, I've configured both the installation of haveged and the execution of the DH parameter job to run as background processes.
Comment 11 Arvid Requate univentionstaff 2015-07-06 12:03:22 CEST
We may want to use/create/ship a reasonably strong DH parameter group once, as the default.

We may either pick one from https://tools.ietf.org/html/rfc3526 or create one ourselves once and for all.

We should allow, and document, how the customer can change it; see http://crypto.stackexchange.com/questions/1999/is-it-safer-to-generate-your-own-diffie-hellman-primes-or-to-use-those-defined-i .
Comment 12 Philipp Hahn univentionstaff 2015-07-06 15:19:29 CEST
OpenLDAP also wants a DH param file: Bug #38685

We should provide some common functionality/data via univention-ssl:

/usr/share/univention-ssl/dh_2048.pem ...
   The defaults from RFC3526
 wget -q -O- 'https://wiki.openssl.org/index.php/Diffie-Hellman_parameters' |
 sed -ne '/g_dh2048_sz/,/^$/{s/^ *"\|\\n"\|";//gp}' >dh_2048.pem

/usr/share/univention-ssl/create-dh-parameter-files
  Create new DH parameter file through temporary file
Comment 13 Arvid Requate univentionstaff 2015-07-20 17:59:00 CEST
See also Bug 38685 Comment 4:

* take the https://bettercrypto.org/static/dhparams/group14.pem as default. By default openssl dhparam should not be required to be called at all for installations.

* make the nightly DH parameter creation optional (not active by default for new installations)

* Use "openssl dhparam" instead of "gendh"
Comment 14 Daniel Tröder univentionstaff 2015-08-12 16:50:47 CEST
* DH parameters are not created at installation time any more. Precalculated DH parameters for 512 bit and 2048 bit are provided in the package. The 512-bit file is self-generated; the 2048-bit file is from RFC 3526.
* A one time generation of DH parameters is scheduled for the next day.
* The default of the UCRV mail/postfix/cron/recreate/dh/parameter is changed to not recreate the DH parameters every night (→ deactivated by default). The cronjob of existing installations is not changed (→ They keep recreating their files every night, if they don't change the UCRV).
* "openssl gendh …" was replaced with "openssl dhparam …".

Commit: 62960
YAML: 62961

PS: It was committed to 4.1 too, to keep it in sync. But in 4.1 a unification of DH parameter files may be implemented (see Bug #39158).
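An added example, not code from this bug or from Univention, of the checks a reviewer would want to run on the precalculated 2048-bit file described in the comment above: it builds a PEM "DH PARAMETERS" file from the RFC 3526 group 14 constants (the prime is transcribed from RFC 3526 section 3; generator 2), parses it back, confirms the prime is the expected one and a safe prime, and rejects anything shorter than 2048 bits, so the 512-bit file would fail on size alone. The function names, the problem-report format and the small Miller-Rabin helper are this example's own assumptions; the page's shipped file, its path and its generation script are not reproduced here.

```python
# Added example, not code from this bug or from Univention: build, parse and check a
# PEM "DH PARAMETERS" file such as /etc/postfix/dh_2048.pem. Only the prime is real
# (RFC 3526 section 3, 2048-bit MODP group, generator 2); names are assumptions.
import base64, random

RFC3526_GROUP14_P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
RFC3526_GROUP14_G = 2
PEM_BEGIN, PEM_END = "-----BEGIN DH PARAMETERS-----", "-----END DH PARAMETERS-----"
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47)

def is_probable_prime(n, rounds=8):
    # Trial division by small primes, then Miller-Rabin with random bases.
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a Miller-Rabin witness proves n composite
    return True

def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body  # long form: count of length octets

def _der_integer(v):
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body

def dh_params_to_pem(p, g):
    # PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }, PEM-armoured.
    content = _der_integer(p) + _der_integer(g)
    b64 = base64.b64encode(b"\x30" + _der_length(len(content)) + content).decode()
    return "\n".join([PEM_BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [PEM_END, ""])

def _der_read(buf, pos):
    # Return (tag, contents, position after the element) for the TLV at pos.
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def pem_to_dh_params(pem):
    lines = [line.strip() for line in pem.splitlines()]
    der = base64.b64decode("".join(lines[lines.index(PEM_BEGIN) + 1:lines.index(PEM_END)]))
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    ints, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _der_read(seq, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(body, "big"))
    return ints[0], ints[1]  # an optional third INTEGER (privateValueLength) is ignored

def check_dh_params(p, g, min_bits=2048):
    # Return the list of problems found; an empty list means the parameters pass.
    problems = []
    if p.bit_length() < min_bits:
        problems.append("prime is only %d bits, below %d" % (p.bit_length(), min_bits))
    if not is_probable_prime(p):
        problems.append("p is composite")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("p is not a safe prime: (p-1)/2 is composite")
    if not 1 < g < p - 1:
        problems.append("generator must lie strictly between 1 and p-1")
    return problems

def is_rfc3526_group14(p, g):
    return p == RFC3526_GROUP14_P and g == RFC3526_GROUP14_G

if __name__ == "__main__":
    p, g = pem_to_dh_params(dh_params_to_pem(RFC3526_GROUP14_P, RFC3526_GROUP14_G))
    print("RFC 3526 group 14:", is_rfc3526_group14(p, g), "problems:", check_dh_params(p, g))
```

On a UCS host the same verification of the installed file is `openssl dhparam -in /etc/postfix/dh_2048.pem -check -noout`; the pure-Python primality test above exists only so the example runs without OpenSSL, and it takes a second or so on a 2048-bit safe prime. The "write to a temporary file, then rename" step that the thread's create-dh-parameter-files script performs is not shown here.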
Comment 15 Felix Botner univentionstaff 2015-08-25 10:33:00 CEST
Is there a reason why the two files dh_2048.pem and dh_512.pem are installed to /usr/share/postfix and not /usr/share/univention-mail-postfix/?


OK - Do not create DH parameters at installation time
OK - schedule one time generation of DH parameters for the next day
OK - provide precalculated 512 and 2048 bit DH parameters
OK - change default of UCRV mail/postfix/cron/recreate/dh/parameter to not recreate DH parameters every night, existing cronjob not changed

OK - YAML
Comment 16 Daniel Tröder univentionstaff 2015-08-25 12:00:40 CEST
Precalculated DH parameter files are now installed in correct place.

Commit: 63233
YAML: 63234
Comment 17 Felix Botner univentionstaff 2015-08-25 12:53:11 CEST
OK - YAML

OK - univention-mail-postfix
OK - merged to 4.1
Comment 18 Janek Walkenhorst univentionstaff 2015-09-02 12:58:28 CEST
<http://errata.univention.de/ucs/4.0/296.html>