getrandom() before forking daemon is blocking init system
Aki Tuomi
aki.tuomi at open-xchange.com
Tue Mar 5 18:53:48 EET 2019
> On 05 March 2019 at 18:51 William Taylor via dovecot <dovecot at dovecot.org> wrote:
>
>
> On Tue, Mar 05, 2019 at 05:39:28PM +0100, Axel Burri via dovecot wrote:
> > Hello
> >
> > When booting from a slow machine, I can observe dovecot blocking the
> > whole boot process. I traced it down to the getrandom() system call in
> > lib/randgen.c, which blocks until the random number generator is
> > initialized (dmesg "random: crng init done"). This can take up to three
> > minutes (!) on my machine, as there is not much entropy available (no
> > hardware RNG, network VPN is also waiting for random).
> >
> > Unfortunately dovecot calls getrandom() before forking a daemon, which
> > as a consequence blocks the whole init process (OpenRC on Gentoo Linux).
> >
> > I believe this behavior has changed in kernel 4.14:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v4.14.40&id=6e513bc20ca63f594632eca4e1968791240b8f18
> >
> > Quoting getrandom(2):
> > "If the urandom source has not yet been initialized, then getrandom()
> > will block, unless GRND_NONBLOCK is specified in flags."
> >
> >
> > Dovecot: 2.3.4.1 (f79e8e7e4)
> >
> > Linux: 4.19.26-gentoo #2 SMP Thu Feb 28 20:30:23 CET 2019 x86_64 AMD
> > G-T40E Processor AuthenticAMD GNU/Linux
> >
> >
> > Regards,
> >
> > Axel
> >
>
> It should either block or fail to start. I personally like the idea of
> blocking so it starts up successfully.
>
> Have you tried installing an entropy daemon or something to provide more
> entropy? I've seen people suggest haveged before.
>
> On a side note.. I thought you want to call getrandom() after forking
> otherwise all children have the same rng sequence.
>
An entropy daemon is highly recommended for your server in any case; otherwise you'll have lots of trouble with SSL.
Aki