Openvz: haveged, dnssec and dkim

Discussion in 'Installation/Configuration' started by diablo666, Oct 4, 2016.

  1. diablo666

    diablo666 Active Member HowtoForge Supporter

    Hi there,
    I've found a big problem running ispconfig on openvz.
    I've tried to generate dkim and dnssec for the configuration and I've found that the process stops, waiting for something.
    After a bit of debugging I've read that it uses haveged for random number generation, so I went to check if the daemon was running and found...
    Code:
    /etc/init.d/haveged status
    ● haveged.service - Entropy daemon using the HAVEGE algorithm
       Loaded: loaded (/lib/systemd/system/haveged.service; enabled)
       Active: failed (Result: exit-code) since mar 2016-10-04 14:42:50 CEST; 9s ago
         Docs: man:haveged(8)
               http://www.issihosts.com/haveged/
    Main PID: 8742 (code=exited, status=1/FAILURE)
    
    I've started to debug the problem and found that openvz has low entropy, and probably for that reason the service will not start. Is this only my problem, or can it be fixed in some way?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Haveged is normally the component that fixes the low entropy problem on virtualized servers. Do you have any errors in the logs when you try to start haveged?
     
  3. diablo666

    diablo666 Active Member HowtoForge Supporter

    I've no errors on haveged, nor in syslog; it simply seems not to start...

    Code:
    root@dns1:~# /etc/init.d/haveged start
    [ ok ] Starting haveged (via systemctl): haveged.service.
    root@dns1:~# /etc/init.d/haveged status
    ● haveged.service - Entropy daemon using the HAVEGE algorithm
       Loaded: loaded (/lib/systemd/system/haveged.service; enabled)
       Active: failed (Result: exit-code) since mar 2016-10-04 16:27:59 CEST; 3s ago
         Docs: man:haveged(8)
               http://www.issihosts.com/haveged/
      Process: 16340 ExecStart=/usr/sbin/haveged --Foreground --verbose=1 --write=1024 (code=exited, status=1/FAILURE)
    Main PID: 16340 (code=exited, status=1/FAILURE)
    root@dns1:~#
    
    Seems to be a problem on openvz; an Ubuntu machine has the same problem.
     
  4. diablo666

    diablo666 Active Member HowtoForge Supporter

    Mmmm, the panel is completely blocked, adding tasks to the queue...
     
  5. diablo666

    diablo666 Active Member HowtoForge Supporter

    Ok, the server.sh was frozen; I had to kill it and all seems to go well now.
    I've found the error because of which dnssec will not be generated:
    Code:
    DNSSEC ERROR: We are low on entropy. Not generating new Keys for domain.tld. Please consider installing package haveged.
    Obviously haveged is installed, but not starting :)
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Curious on this, that does seem to be the case, and in checking haveged isn't running in any openvz containers. What it looks like so far is you want to run it on the hardware node and maybe increase the low water mark in /etc/default/haveged (eg. '-w 4000'), but it's not usable inside the container.
     
  7. diablo666

    diablo666 Active Member HowtoForge Supporter

    I've investigated a bit... so...
    - /etc/init.d/haveged start is not working
    - entropy is very low
    Then I did this test:
    - simply launched the haveged binary
    - haveged is running
    - entropy is high
    As a result of this, DNSSEC is working in ispconfig....
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Hmm, ok. So it must be a problem in the haveged start script, when haveged is working when invoked manually, or the start script needs to be replaced by a systemd unit? Which OS do you have on that server?
     
  9. diablo666

    diablo666 Active Member HowtoForge Supporter

    I've tried to restart the server, but haveged is not starting up.
    I've tried to restart it with both
    Code:
    service haveged restart
    and
    Code:
    /etc/init.d/haveged restart
    In both cases the service won't come up.
    Here are some logs...
    Code:
    ● haveged.service - Entropy daemon using the HAVEGE algorithm
       Loaded: loaded (/lib/systemd/system/haveged.service; enabled)
       Active: failed (Result: exit-code) since mer 2016-10-05 09:33:29 CEST; 1s ago
         Docs: man:haveged(8)
               http://www.issihosts.com/haveged/
      Process: 8525 ExecStart=/usr/sbin/haveged --Foreground --verbose=1 --write=1024 (code=exited, status=1/FAILURE)
    Main PID: 8525 (code=exited, status=1/FAILURE)
    
    ott 05 09:33:28 dns1 systemd[1]: Started Entropy daemon using the HAVEGE algorithm.
    ott 05 09:33:29 dns1 haveged[8525]: haveged: ver: 1.9.1; arch: x86; vend: GenuineIntel; build: (gcc 4.8.2 ITV); collect: 128K
    ott 05 09:33:29 dns1 haveged[8525]: haveged: cpu: (L4 VC); data: 32K (L4 V); inst: 32K (L4 V); idx: 21/40; sz: 32709/60538
    ott 05 09:33:29 dns1 haveged[8525]: haveged: tot tests(BA8): A:1/1 B:1/1 continuous tests(B):  last entropy estimate 7.99795
    ott 05 09:33:29 dns1 haveged[8525]: haveged: fills: 0, generated: 0
    ott 05 09:33:29 dns1 systemd[1]: haveged.service: main process exited, code=exited, status=1/FAILURE
    ott 05 09:33:29 dns1 systemd[1]: Unit haveged.service entered failed state.
    ott 05 09:33:29 dns1 haveged[8525]: haveged: Fail:set_watermark()!
    ott 05 09:33:29 dns1 haveged[8525]: haveged starting up
    
     
  10. ganewbie

    ganewbie Member HowtoForge Supporter

    I have the same problem and not sure what to do.
    I am on Debian Wheezy
    Thanks
     
  11. diablo666

    diablo666 Active Member HowtoForge Supporter

    @ganewbie try simply running the binary
    Code:
    haveged
    It's a temporary fix but I think it will work.
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Exact same errors here; it seems to die from the init script because of the --write=1024, so it dies with that `haveged: Fail:set_watermark()!` message. Running just `haveged --verbose=1` does continue running, but I don't think it's doing anything, as I see `haveged: RNDADDENTROPY failed!`. The daemon is running, but it can't add entropy. What did help me is bumping up the -w/--write setting in the hardware node.

    This would line up with https://vpsboard.com/topic/3791-running-haveged-to-enhance-your-system-entropy/ ... though I sure thought haveged used to run correctly in openvz containers. I'm guessing my memory is bad and I probably didn't actually test that it stayed running, but there's a small chance it used to work and now doesn't. Is there any openvz capability that would allow the container to add entropy? (This is on openvz 6 kernel, I'm hoping to have an openvz 7 up fairly soon to test as well.)
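
Added example (not part of the post above and not ISPConfig or haveged code): a shell sketch that tells apart the two failure modes described in this post from haveged's log text and checks the kernel's entropy estimate. The function names, the default threshold of 1024 (borrowed from the unit's `--write=1024`) and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed samples built from the two messages quoted in the thread.
SAMPLE_INIT='haveged[8525]: haveged: Fail:set_watermark()!'
SAMPLE_MANUAL='haveged: RNDADDENTROPY failed!'

# Map haveged log text on stdin to a failure class.
classify_haveged_log() {
    log=$(cat)
    case $log in
        *'Fail:set_watermark()'*) echo watermark ;;   # daemon exits at startup
        *'RNDADDENTROPY failed'*) echo addentropy ;;  # daemon runs, adds nothing
        *)                        echo none ;;
    esac
}

# Print low/ok/unknown for the estimate in file $1 against threshold $2.
entropy_state() {
    file=${1:-/proc/sys/kernel/random/entropy_avail}
    min=${2:-1024}   # assumption: same value as the unit's --write=1024
    avail=$(cat "$file" 2>/dev/null) || { echo unknown; return 0; }
    case $avail in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$avail" -lt "$min" ]; then echo low; else echo ok; fi
}

# Combine both checks into one line; the advice is the one given in the thread.
diagnose() {   # $1 = log text, $2 = entropy file, $3 = threshold
    cause=$(printf '%s\n' "$1" | classify_haveged_log)
    state=$(entropy_state "$2" "$3")
    case $cause in
        watermark)
            echo "$state: --write could not be applied; run haveged on the host node" ;;
        addentropy)
            echo "$state: daemon alive but cannot add entropy; run haveged on the host node" ;;
        *)
            echo "$state: no haveged failure in log" ;;
    esac
}

# Stand-alone run on the constructed sample; pass real journal text instead.
diagnose "$SAMPLE_INIT" "" ""
```

On kernels whose pool size is 256 bits, `entropy_avail` never reaches 1024, so pass a lower threshold as the third argument there.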
     
  13. diablo666

    diablo666 Active Member HowtoForge Supporter

    I've also found this article; the strange thing is that when launching the haveged binary directly, everything works right, dunno why...
     
  14. ganewbie

    ganewbie Member HowtoForge Supporter

    Thanks all
     
  15. Gozalbes

    Gozalbes New Member

    I have ISPConfig in an LXC container running Debian 9 and I have the same problem with haveged.
    I have added in bind_plugin.inc.php a call to /usr/sbin/haveged before dnssec-keygen and dnssec-signzone execution
    Code:
        exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
            '/usr/sbin/haveged;'.
            'dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE '.escapeshellcmd($domain).';'.
            'dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE '.escapeshellcmd($domain));
    
    Code:
        exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
                 '/usr/sbin/haveged;'.
                 'dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o '.escapeshellcmd($domain).' -t '.$filespre.escapeshellcmd($domain));
        
    I think this haveged call will be needed when ISPConfig runs in a virtualization environment, because the haveged service is not working in these cases.
    This works fine for me.
     
  16. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Probably would be worth a new thread for a different system platform.

    IIRC you simply need to run haveged on the host node and the container will be fine.
     
    Last edited: Aug 21, 2020
  17. Gozalbes

    Gozalbes New Member

    It is indeed a better solution and seems to work well.
    Thanks.
     
