<div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Am Mo., 29. Juni 2020 um 14:04 Uhr schrieb Jérémy ROSEN <<a href="mailto:jeremy.rosen@smile.fr">jeremy.rosen@smile.fr</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le lun. 29 juin 2020 à 10:29, Norbert Lange <<a href="mailto:nolange79@gmail.com" target="_blank">nolange79@gmail.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Am Mo., 29. Juni 2020 um 09:31 Uhr schrieb Jérémy ROSEN <<a href="mailto:jeremy.rosen@smile.fr" target="_blank">jeremy.rosen@smile.fr</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Well<div>I still think you need Before=systemd-random-seed.service and I don't understand why you are reluctant to add it.</div><div>(Honestly, I think the Before= and your work to make it an early boot service should be upstreamed)</div><div><br></div><div>So, i'm a bit reluctant to give my reviewed-by. Again, it's not worse than it was, but if you want</div><div>to make sure that all services that need randomness are correctly started after haveged, then</div><div>you have to add that Before=</div></div></blockquote><div><br></div><div>Again, this doesn't help, and might actually hurt.</div><div><br>- systemd-random-seed.service could actually add better (real) entropy.<br> (Upstream actually had an After systemd-random-seed.service for that reason).</div><div>- a before on a "persistent" service does not really block, while accessing the kernels random source when it's not uninitialised will,<br></div><div> so random consumers are already implicitly waiting for haveged - when they need entropy and not a moment before.</div><div> </div></div></div></blockquote><div>I'm not sure what you mean by "persistent" in that context. </div><div>I also think there is a confusion on what Before= does....</div><div>Before=systemd-random-seed.service means that systemd-random-seed will be spawned after haveged is READY (in</div><div>the Type= sense of READY)</div><div><br></div><div>unfortunately, it seems haveged does not synchronize with systemd at all and indeed, in the case of haveged,</div><div>Before= will only sync the point where systemd spawns the coresponding processes.</div></div></div></blockquote><div><br></div><div>So you agree it's pointless?<br>It does not make haveged start faster, it will delay systemd-random-seed a ridiculous small amount.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div>I am not very convinced on what you said about another source being "better". Either you are OK with the value </div><div>proposition of haveged and you count it as good entropy or you are not and you don't use haveged at all...</div></div></div></blockquote><div><br></div><div>I don't use haveged as good source for entropy, I use it because otherwise the system won't boot for ages.</div><div>You don't even have a measure on how much entropy the jitter adds.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div>now... my main point is that services that need good entopy will synchronize after systemd-random-seed.service.</div><div>This is documented by systemd and means that the processes will only be spawned after the RNG is ready and</div><div>will not wait for entropy at all. That's the whole point of syncing after systemd-random-seed.</div></div></div></blockquote><div><br></div><div>Yes, and none of this is affected by adding a Before dependency.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div>So i understand your point about the implicit sync point added by the kernel's "RGN is ready" bit, but I still think</div><div>that adding my sync point is "the way it's meant to be"</div></div></div></blockquote><div><br></div><div>Some concrete example of where this "actually" helps would be needed, let alone an explanation why upstream, debian and</div><div>AFAIR fedora had haveged ordered *after* systemd-random-seed (likely before they figured out this could deadlock with the</div><div>seed being on an network drive).</div><div><br></div><div>So it:</div><div>- Wont help</div><div>- the sync point is already systemd-random-seed</div><div>- arguably if you are paranoid about secure random numbers you will disable haveged in favor of true entropy,</div><div> then can consider blocking on systemd-random-seed.</div><div> </div><div>Norbert</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div>Anyway, at this point I think we should just agree to disagree and it's not that relevant.</div><div>I still don't consider that the proper approch, but I still don't think this should block that patch. Everything else is fine by me.</div></div></div></blockquote><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>I won't block the patch going in if a BR maintainer want to commit it, but i'd like to understand why you are reluctant</div><div>to add that</div></div></blockquote><div><br></div><div>Haveged is not entropy, it's a substitute. I dont know how many times I need to point that out.</div><div>The less dependencies, the faster the system can startup (and lesser chances of some stoopid deadlocks).</div><div><br></div><div>Look at the history for service.fedora [1], which is now the blueprint for the v2 patch,</div><div>I considered just adding a switch to install the upstream service file,</div><div>but this adds several heavy isolation options that are overkill for most uses,</div><div>and add dependencies (upstream just removed one of these, because it created a cycle).</div><div><br></div><div>[1] - <a href="https://github.com/jirka-h/haveged/commits/master/init.d/service.fedora" target="_blank">https://github.com/jirka-h/haveged/commits/master/init.d/service.fedora</a></div><div><br></div><div>Norbert</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div><div>Regards</div><div>Jeremy</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le ven. 26 juin 2020 à 00:39, Norbert Lange <<a href="mailto:nolange79@gmail.com" target="_blank">nolange79@gmail.com</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Jeremy,<br>
<br>
Can you have a look and add your reviewed-by pls?<br>
No drastic changes from v1, except adding a few isolation options from<br>
the upstream fedora service file.<br>
<br>
Am Mi., 10. Juni 2020 um 00:42 Uhr schrieb Norbert Lange <<a href="mailto:nolange79@gmail.com" target="_blank">nolange79@gmail.com</a>>:<br>
><br>
> Drop default dependencies, haveged needs nothing but<br>
> local sockets and /dev/random.<br>
><br>
> The service file now mostly matches the upstream fedora file,<br>
> except alot of isolation options have been dropped.<br>
> The benefit for a completely controlled system is small,<br>
> and those option would pull in dependencies, delaying<br>
> entropy being filled up.<br>
><br>
> Signed-off-by: Norbert Lange <<a href="mailto:nolange79@gmail.com" target="_blank">nolange79@gmail.com</a>><br>
> ---<br>
> package/haveged/haveged.service | 22 +++++++++++++++++-----<br>
> 1 file changed, 17 insertions(+), 5 deletions(-)<br>
><br>
> diff --git a/package/haveged/haveged.service b/package/haveged/haveged.service<br>
> index 91035c6711..cfdaa93a37 100644<br>
> --- a/package/haveged/haveged.service<br>
> +++ b/package/haveged/haveged.service<br>
> @@ -1,10 +1,22 @@<br>
> [Unit]<br>
> -Description=Entropy Harvesting Daemon<br>
> -Documentation=man:haveged(8)<br>
> +# inspiration from upstream init.d/service.fedora<br>
> +Description=Entropy Daemon based on the HAVEGE algorithm<br>
> +Documentation=man:haveged(8) <a href="http://www.issihosts.com/haveged/" rel="noreferrer" target="_blank">http://www.issihosts.com/haveged/</a><br>
> +DefaultDependencies=no<br>
> +# This would wait for filesystems, but we only need /dev/random,<br>
> +# which is certainly available after systemd initialised<br>
> +# After=systemd-tmpfiles-setup-dev.service<br>
> +Before=sysinit.target shutdown.target systemd-journald.service<br>
><br>
> [Service]<br>
> -ExecStart=/usr/sbin/haveged -F -w 1024 -v 1<br>
> -SuccessExitStatus=143<br>
> +ExecStart=/usr/sbin/haveged -w 1024 -v 1 --Foreground<br>
> +Restart=always<br>
> +SuccessExitStatus=137 143<br>
> +<br>
> +# Only simple isolation methods that dont pull in dependencies<br>
> +CapabilityBoundingSet=CAP_SYS_ADMIN<br>
> +SecureBits=noroot-locked<br>
> +ProtectSystem=full<br>
><br>
> [Install]<br>
> -WantedBy=multi-user.target<br>
> +WantedBy=sysinit.target<br>
> --<br>
> 2.26.2<br>
><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><table border="0" style="border-collapse:collapse;border-spacing:0px;color:rgb(51,51,51);font-family:Raleway,regular;font-size:14px;padding:20px"><tbody><tr><td style="padding:0px 30px 0px 0px;font-size:13px;color:rgb(255,128,84);text-align:center"><a href="http://www.smile.eu/" style="background-color:transparent;color:rgb(221,72,20)" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/Logo-new.png" alt="SMILE" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"> </a><br><br><p style="margin:0px 0px 10px">20 rue des Jardins<br>92600 Asnières-sur-Seine</p></td><td style="padding:0px 0px 0px 20px;border-left:1px solid rgb(59,127,254);font-size:13px;color:rgb(255,128,84)"><div style="font-size:14px"><b>Jérémy ROSEN</b></div><div style="color:rgb(59,127,254)">Architecte technique<br></div><br><div style="color:rgb(59,127,254)"><span style="white-space:nowrap"><img src="http://ftp.smile.fr/client/Communication/signature/img/mail.png" alt="email" width="12" height="10" style="border: 0px; vertical-align: middle; margin-right: 5px;"> <a href="mailto:jeremy.rosen@smile.fr" style="background-color:transparent;color:rgb(59,127,254)" target="_blank">jeremy.rosen@smile.fr</a> </span><br><span style="white-space:nowrap"><img src="http://ftp.smile.fr/client/Communication/signature/img/phone.png" alt="phone" width="10" height="10" style="border: 0px; vertical-align: middle; margin-right: 5px;"></span> +33 6 88 25 87 42 <br><span style="white-space:nowrap"><img src="http://ftp.smile.fr/client/Communication/signature/img/web.png" alt="url" width="12" height="12" style="border: 0px; vertical-align: middle; margin-right: 5px;"> <a href="http://www.smile.eu/" style="background-color:transparent;color:rgb(59,127,254)" target="_blank">http://www.smile.eu</a></span></div><br><div><span><a href="https://twitter.com/GroupeSmile" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-twitter.png" alt="Twitter" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span> <span><a href="https://www.facebook.com/smileopensource" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-facebook.png" alt="Facebook" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span> <span><a href="https://www.linkedin.com/company/smile" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-linkedin.png" alt="LinkedIn" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span> <span><a href="https://github.com/Smile-SA" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-github.png" alt="Github" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span></div></td></tr></tbody></table><br style="color:rgb(51,51,51);font-family:Raleway,regular;font-size:14px"><div style="color:rgb(51,51,51);font-family:Raleway,regular;font-size:14px"><a href="https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature" style="background-color:transparent;color:rgb(221,72,20)" target="_blank"><img src="https://signature.smile.eu/assets/img/bandeaux_signature_mail_yocto.gif.gif" alt="Découvrez l’univers Smile, rendez-vous sur smile.eu" border="0" style="border: 0px; vertical-align: middle;"></a></div></div></div></div></div>
</blockquote></div></div>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr"><div dir="ltr"><div><div dir="ltr"><table border="0" style="border-collapse:collapse;border-spacing:0px;color:rgb(51,51,51);font-family:Raleway,regular;font-size:14px;padding:20px"><tbody><tr><td style="padding:0px 30px 0px 0px;font-size:13px;color:rgb(255,128,84);text-align:center"><a href="http://www.smile.eu/" style="background-color:transparent;color:rgb(221,72,20)" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/Logo-new.png" alt="SMILE" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"> </a><br><br><p style="margin:0px 0px 10px">20 rue des Jardins<br>92600 Asnières-sur-Seine</p></td><td style="padding:0px 0px 0px 20px;border-left:1px solid rgb(59,127,254);font-size:13px;color:rgb(255,128,84)"><div style="font-size:14px"><b>Jérémy ROSEN</b></div><div style="color:rgb(59,127,254)">Architecte technique<br></div><br><div style="color:rgb(59,127,254)"><span style="white-space:nowrap"><img src="http://ftp.smile.fr/client/Communication/signature/img/mail.png" alt="email" width="12" height="10" style="border: 0px; vertical-align: middle; margin-right: 5px;"> <a href="mailto:jeremy.rosen@smile.fr" style="background-color:transparent;color:rgb(59,127,254)" target="_blank">jeremy.rosen@smile.fr</a> </span><br><span style="white-space:nowrap"><img src="http://ftp.smile.fr/client/Communication/signature/img/phone.png" alt="phone" width="10" height="10" style="border: 0px; vertical-align: middle; margin-right: 5px;"></span> +33 6 88 25 87 42 <br><span style="white-space:nowrap"><img src="http://ftp.smile.fr/client/Communication/signature/img/web.png" alt="url" width="12" height="12" style="border: 0px; vertical-align: middle; margin-right: 5px;"> <a href="http://www.smile.eu/" style="background-color:transparent;color:rgb(59,127,254)" target="_blank">http://www.smile.eu</a></span></div><br><div><span><a href="https://twitter.com/GroupeSmile" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-twitter.png" alt="Twitter" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span> <span><a href="https://www.facebook.com/smileopensource" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-facebook.png" alt="Facebook" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span> <span><a href="https://www.linkedin.com/company/smile" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-linkedin.png" alt="LinkedIn" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span> <span><a href="https://github.com/Smile-SA" style="background-color:transparent;color:rgb(221,72,20);margin-right:5px" target="_blank"><img src="http://ftp.smile.fr/client/Communication/signature/img/rs-github.png" alt="Github" style="border: 0px; vertical-align: middle; max-width: 100%; height: auto;"></a></span></div></td></tr></tbody></table><br style="color:rgb(51,51,51);font-family:Raleway,regular;font-size:14px"><div style="color:rgb(51,51,51);font-family:Raleway,regular;font-size:14px"><a href="https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature" style="background-color:transparent;color:rgb(221,72,20)" target="_blank"><img src="https://signature.smile.eu/assets/img/bandeaux_signature_mail_yocto.gif.gif" alt="Découvrez l’univers Smile, rendez-vous sur smile.eu" border="0" style="border: 0px; vertical-align: middle;"></a></div></div></div></div></div></div>
</blockquote></div></div>