Hi there, I've found a big problem running ISPConfig on OpenVZ. I've tried to generate DKIM and DNSSEC keys for the configuration and found that the process stops, waiting for something. After a bit of debugging I've read that it uses haveged for random number generation, so I went to check if the daemon was running and found...

Code:
```
/etc/init.d/haveged status
● haveged.service - Entropy daemon using the HAVEGE algorithm
   Loaded: loaded (/lib/systemd/system/haveged.service; enabled)
   Active: failed (Result: exit-code) since mar 2016-10-04 14:42:50 CEST; 9s ago
     Docs: man:haveged(8)
           http://www.issihosts.com/haveged/
 Main PID: 8742 (code=exited, status=1/FAILURE)
```

I've started debugging the problem, and found that OpenVZ has low entropy, and probably for that reason the service will not start. Is this only my problem, or can it be fixed in some way?
Haveged is normally the component that fixes the low entropy problem on virtualized servers. Do you have any errors in the logs when you try to start haveged?
I've no errors on haveged, nor in syslog; it simply seems not to start...

Code:
```
root@dns1:~# /etc/init.d/haveged start
[ ok ] Starting haveged (via systemctl): haveged.service.
root@dns1:~# /etc/init.d/haveged status
● haveged.service - Entropy daemon using the HAVEGE algorithm
   Loaded: loaded (/lib/systemd/system/haveged.service; enabled)
   Active: failed (Result: exit-code) since mar 2016-10-04 16:27:59 CEST; 3s ago
     Docs: man:haveged(8)
           http://www.issihosts.com/haveged/
  Process: 16340 ExecStart=/usr/sbin/haveged --Foreground --verbose=1 --write=1024 (code=exited, status=1/FAILURE)
 Main PID: 16340 (code=exited, status=1/FAILURE)
root@dns1:~#
```

Seems to be a problem with OpenVZ; an Ubuntu machine has the same problem.
Ok, the server.sh was frozen, I had to kill it and all seems to go well now. I've found the error because of which DNSSEC keys will not be generated:

Code:
```
DNSSEC ERROR: We are low on entropy. Not generating new Keys for domain.tld. Please consider installing package haveged.
```

Obviously haveged is installed, but not starting.
Curious about this: that does seem to be the case, and in checking, haveged isn't running in any OpenVZ containers. What it looks like so far is you want to run it on the hardware node and maybe increase the low water mark in /etc/default/haveged (e.g. '-w 4000'), but it's not usable inside the container.
I've investigated a bit... so...
- /etc/init.d/haveged start is not working
- entropy is very low

Then I've done this test:
- launched the haveged binary directly
- haveged is running
- entropy is high

As a result of this, DNSSEC is working in ISPConfig....
Hmm, ok. So it must be a problem in the haveged start script, when haveged is working if invoked manually, or the start script needs to be replaced by a systemd unit? Which OS do you have on that server?
I've tried to restart the server, but haveged is not starting up. I've tried to restart it with both

Code:
```
service haveged restart
```

and

Code:
```
/etc/init.d/haveged restart
```

In both cases the service won't come up. Here are some logs..

Code:
```
● haveged.service - Entropy daemon using the HAVEGE algorithm
   Loaded: loaded (/lib/systemd/system/haveged.service; enabled)
   Active: failed (Result: exit-code) since mer 2016-10-05 09:33:29 CEST; 1s ago
     Docs: man:haveged(8)
           http://www.issihosts.com/haveged/
  Process: 8525 ExecStart=/usr/sbin/haveged --Foreground --verbose=1 --write=1024 (code=exited, status=1/FAILURE)
 Main PID: 8525 (code=exited, status=1/FAILURE)

ott 05 09:33:28 dns1 systemd[1]: Started Entropy daemon using the HAVEGE algorithm.
ott 05 09:33:29 dns1 haveged[8525]: haveged: ver: 1.9.1; arch: x86; vend: GenuineIntel; build: (gcc 4.8.2 ITV); collect: 128K
ott 05 09:33:29 dns1 haveged[8525]: haveged: cpu: (L4 VC); data: 32K (L4 V); inst: 32K (L4 V); idx: 21/40; sz: 32709/60538
ott 05 09:33:29 dns1 haveged[8525]: haveged: tot tests(BA8): A:1/1 B:1/1 continuous tests(B): last entropy estimate 7.99795
ott 05 09:33:29 dns1 haveged[8525]: haveged: fills: 0, generated: 0
ott 05 09:33:29 dns1 systemd[1]: haveged.service: main process exited, code=exited, status=1/FAILURE
ott 05 09:33:29 dns1 systemd[1]: Unit haveged.service entered failed state.
ott 05 09:33:29 dns1 haveged[8525]: haveged: Fail:set_watermark()!
ott 05 09:33:29 dns1 haveged[8525]: haveged starting up
```
Exact same errors here; it seems to die from the init script because of the --write=1024, so it dies with that `haveged: Fail:set_watermark()!` message. Running just `haveged --verbose=1` does continue running, but I don't think it's doing anything, as I see `haveged: RNDADDENTROPY failed!`. The daemon is running, but it can't add entropy. What did help me is bumping up the -w/--write setting in the hardware node. This would line up with https://vpsboard.com/topic/3791-running-haveged-to-enhance-your-system-entropy/ ... though I sure thought haveged used to run correctly in openvz containers. I'm guessing my memory is bad and I probably didn't actually test that it stayed running, but there's a small chance it used to work and now doesn't. Is there any openvz capability that would allow the container to add entropy? (This is on openvz 6 kernel, I'm hoping to have an openvz 7 up fairly soon to test as well.)
I've also found this article; the strange thing is that launching the haveged binary directly, all works right, dunno why...
I have ISPConfig in an LXC container running Debian 9 and I have the same problem with haveged. I have added in bind_plugin.inc.php a call to /usr/sbin/haveged before the dnssec-keygen and dnssec-signzone execution:

Code:
```php
exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
    '/usr/sbin/haveged;'.
    'dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE '.escapeshellcmd($domain).';'.
    'dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE '.escapeshellcmd($domain));
```

Code:
```php
exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
    '/usr/sbin/haveged;'.
    'dnssec-signzone -A -e +1382400 -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -N increment -o '.escapeshellcmd($domain).' -t '.$filespre.escapeshellcmd($domain));
```

I think this haveged call will be needed when ISPConfig runs in a virtualization environment, because the haveged service is not working in these cases. This works fine for me.
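The two findings in this thread, that haveged's --write watermark cannot be applied inside a container ("Fail:set_watermark()") and that key generation should only start once entropy is actually available, can be turned into a pre-check run before dnssec-keygen. This is an added example written for this thread, not code from ISPConfig or haveged; it assumes the kernel's /proc/sys/kernel/random/entropy_avail and write_wakeup_threshold files (the latter is the file haveged's --write option rewrites), and the function names and the 1000-bit threshold are my own choices.

```shell
#!/bin/sh
# Added pre-check for dnssec-keygen inside a container (not from the thread or
# ISPConfig). RANDOM_DIR is the kernel's real directory; every function accepts
# an alternative directory as $1 so the checks can be exercised on constructed files.
RANDOM_DIR=/proc/sys/kernel/random

# Print "low", "ok" or "unknown" for entropy_avail under $1 (threshold $2, default 1000 bits).
entropy_state() {
    avail=$(cat "${1:-$RANDOM_DIR}/entropy_avail" 2>/dev/null || echo "")
    case "$avail" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    if [ "$avail" -lt "${2:-1000}" ]; then echo low; else echo ok; fi
}

# Print "writable", "readonly" or "missing" for write_wakeup_threshold.
# haveged --write=N rewrites this file; a read-only /proc/sys, as containers
# typically have, is what produces the "Fail:set_watermark()" seen in the logs.
watermark_state() {
    f="${1:-$RANDOM_DIR}/write_wakeup_threshold"
    [ -r "$f" ] || { echo missing; return 0; }
    cur=$(cat "$f")
    # Rewriting the current value changes nothing but reveals whether writes are permitted.
    if printf '%s\n' "$cur" > "$f" 2>/dev/null; then echo writable; else echo readonly; fi
}

# Verdict to run before dnssec-keygen: 0 = proceed, 1 = fix entropy first, 2 = unknown.
dnssec_entropy_check() {
    e=$(entropy_state "$1"); w=$(watermark_state "$1")
    case "$e/$w" in
        ok/*)         echo "proceed: entropy ok, watermark $w"; return 0 ;;
        low/writable) echo "start haveged here, then retry keygen"; return 1 ;;
        low/*)        echo "run haveged on the host node (watermark $w in container)"; return 1 ;;
        *)            echo "cannot read entropy_avail"; return 2 ;;
    esac
}

# Stand-alone usage on a real host (the zone name is a placeholder):
# dnssec_entropy_check && dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.test
```

Because a low verdict returns 1, the key generation command chained after it with && never runs on a starved container, instead of blocking as the thread describes.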
Probably would be worth a new thread for a different system platform. Iirc you simply need to run haveged on the host node and the container will be fine.