Univention Bugzilla – Bug 37459
System Setup hangs for a long time at "Einrichten der Init-Skripte"
Last modified: 2015-09-02 12:58:28 CEST
A couple of times I found that the setup process of an AD Member (Master) was hanging for a long time at the message "Einrichten der Init-Skripte". Apparently this happens when the entropy pool is exhausted during the generation of Diffie-Hellman keys for postfix.

setup.log shows

=============================================================
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
=============================================================

and the process list shows

=============================================================
13998 ?  S   0:01 /usr/bin/python2.7 /usr/sbin/univention-management-console-server restart
16418 ?  S   0:01  \_ /usr/bin/python2.7 /usr/sbin/univention-management-console-module -m setup -s /var/run/univention-management-console/13998-1420554369518.socket -d 2 -l de_DE.UTF-8
17466 ?  Sl  0:01  \_ /usr/bin/python2.7 /usr/sbin/univention-management-console-module -m setup -s /var/run/univention-management-console/13998-1420556108150.socket -d 2 -l de_DE.UTF-8
17491 ?  S   0:00   \_ /bin/bash /usr/lib/univention-system-setup/scripts/setup-join.sh
15613 ?  S   0:00    \_ /bin/sh /usr/share/univention-mail-postfix/create-dh-parameter-files.sh
15616 ?  R   1:50     \_ openssl gendh -out /etc/postfix/dh_2048.pem.tmp -2 2048
=============================================================
Workaround for test setups: mv /dev/random /dev/random.orig; ln -s /dev/urandom /dev/random
*** Bug 37947 has been marked as a duplicate of this bug. ***
Maybe the (general) installation of the package "haveged" is an solution. Or are there any security concerns?
+1 for haveged.

Concerning security: I think we should go for the version from wheezy-backports, because:
- since haveged version 1.5, entropy can be tested at runtime (http://www.issihosts.com/haveged/ais31.html)
- run-time tests have been improved in versions 1.6 and 1.9
- wheezy ships version 1.4
- jessie / wheezy-backports ship version 1.9.1 (latest)

Concerning speed: In a test environment I am using haveged from squeeze-backports (version 1.1) on a UCS 3.2-5 where I regularly need to create authentication keys for corosync. With haveged, the key creation time dropped from ~10 minutes to ~2 minutes.
r59467 | Bug #35923 EC2: Disable PFS for mail

Until an EGD is installed PFS has been disabled for our Jenkins tests as this is a PITA for everybody running tests and generating Appliances (Erik, Felix)

Please revert the 1. hunk of the change to branches/ucs-4.0/ucs-4.0-1/test/ucs-ec2-tools/examples/jenkins/utils/utils.sh if this bug is resolved.
(In reply to Philipp Hahn from comment #5)
> r59467 | Bug #35923 EC2: Disable PFS for mail
> Until an EGD is installed PFS has been disabled for our Jenkins tests as
> this is a PITA for everybody running tests and generating Appliances (Erik,
> Felix)

As discussed, please revert the commit. It changes the UCS setup and we wouldn't recognize errors in this area and we have a problem if someone uses the images productively.
r59488 | Revert "Bug #35923 EC2: Disable PFS for mail"
Using /dev/random instead of /dev/urandom does not make sense for this: /dev/urandom is completely adequate for key derivation <http://blog.cr.yp.to/20140205-entropy.html>

At most a "head -c 16 /dev/random" at the start of the machine would be required to assure a unique state of the RNG to counter the case that the machine boots with absolutely no entropy.
Wouldn't it be possible to start the generation as a background process?
(In reply to Stefan Gohmann from comment #9)
> Wouldn't it be possible if we start the generation as background process?

In Univention Apps, I've configured both installation of haveged and execution of the DH parameter job as background process.
We may want to use/create/ship a reasonable strong DH parameter group once as default. We may either pick one from https://tools.ietf.org/html/rfc3526 or create one ourselves once and for all. We should allow/document for the customer how to change it, see http://crypto.stackexchange.com/questions/1999/is-it-safer-to-generate-your-own-diffie-hellman-primes-or-to-use-those-defined-i .
OpenLDAP also wants a DH param file: Bug #38685

We should provide some common functionality/data via univention-ssl:

/usr/share/univention-ssl/dh_2048.pem ...
  The defaults from RFC3526
  wget -q -O- 'https://wiki.openssl.org/index.php/Diffie-Hellman_parameters' | sed -ne '/g_dh2048_sz/,/^$/{s/^ *"\|\\n"\|";//gp}' >dh_2048.pem

/usr/share/univention-ssl/create-dh-parameter-files
  Create new DH parameter file through temporary file
See also Bug 38685 Comment 4:
* take the https://bettercrypto.org/static/dhparams/group14.pem as default. By default openssl dhparam should not be required to be called at all for installations.
* make the nightly DH parameter creation optional (not active by default for new installations)
* Use "openssl dhparam" instead of "gendh"
* DH parameters are not created at installation time any more. Precalculated DH parameters for 512 and 2048 bit are provided in the package. The 512 bit file is self generated, the 2048 bit file is from RFC 3526.
* A one time generation of DH parameters is scheduled for the next day.
* The default of the UCRV mail/postfix/cron/recreate/dh/parameter is changed to not recreate the DH parameters every night (→ deactivated by default). The cronjob of existing installations is not changed (→ They keep recreating their files every night, if they don't change the UCRV).
* "openssl gendh …" was replaced with "openssl dhparam …".

Commit: 62960
YAML: 62961

PS: It was committed to 4.1 too, to keep it in sync. But in 4.1 a unification of DH parameter files may be implemented (see Bug #39158).
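The two mechanics the thread converges on (comment 11's "create new DH parameter file through temporary file" and the switch from "openssl gendh" to "openssl dhparam" in the fix above) look like this in a small shell script. This is an added illustration, not the create-dh-parameter-files.sh shipped by univention-mail-postfix; the function names, the `.tmp` suffix and the use of /proc/sys/kernel/random/entropy_avail are assumptions made for the example. Writing to a temporary file and renaming it into place means a service that reads the PEM while the cron job is regenerating it never sees a half-written file, and the check function lets a job verify a prebuilt parameter file (such as the RFC 3526 group) before relying on it.

```shell
#!/bin/sh
# Added example (not UCS code): generate a DH parameter file atomically
# with "openssl dhparam", and verify an existing one.

# create_dh_param_file OUTFILE [BITS]
# Writes the parameters to OUTFILE.tmp first and only renames the finished
# file into place, so readers either see the old file or the complete new one.
create_dh_param_file() {
    out="$1"
    bits="${2:-2048}"
    tmp="${out}.tmp"
    # "openssl dhparam" replaces the deprecated "openssl gendh" used before the fix.
    if openssl dhparam -out "$tmp" "$bits" 2>/dev/null; then
        mv -f "$tmp" "$out"
        return 0
    fi
    # Generation failed: never leave a partial .tmp behind.
    rm -f "$tmp"
    return 1
}

# check_dh_param_file FILE
# Returns 0 if FILE holds well-formed DH parameters that pass openssl's checks,
# e.g. to validate a precalculated group14.pem before installing it as default.
check_dh_param_file() {
    openssl dhparam -in "$1" -check -noout >/dev/null 2>&1
}

# entropy_avail
# Prints the kernel's current entropy estimate (Linux only; 0 if unavailable).
# A low value here is what made "gendh" block on /dev/random in the report above.
entropy_avail() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0
}

# Usage (uncomment to run stand-alone; 2048-bit generation can take minutes):
# echo "entropy_avail=$(entropy_avail)"
# create_dh_param_file /tmp/dh_2048.pem 2048 && check_dh_param_file /tmp/dh_2048.pem && echo OK
```

The bit length is a parameter so a test or an appliance build can pass a small value while production keeps 2048; the temporary file lives next to the target so `mv` stays an atomic rename on the same filesystem.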
Is there a reason why the two files dh_2048.pem and dh_512.pem are installed to /usr/share/postfix and not /usr/share/univention-mail-postfix/?

OK - Do not create DH parameters at installation time
OK - schedule one time generation of DH parameters for the next day
OK - provide precalculated 512 and 2048 bit DH parameters
OK - change default of UCRV mail/postfix/cron/recreate/dh/parameter to not recreate DH parameters every night, existing cronjob not changed
OK - YAML
Precalculated DH parameter files are now installed in the correct place.

Commit: 63233
YAML: 63234
OK - YAML
OK - univention-mail-postfix
OK - merged to 4.1
<http://errata.univention.de/ucs/4.0/296.html>