Start haveged before systemd-random-seed (#10328)

The haveged service file in Debian Buster specifies that haveged should start after systemd-random-seed starts (this was removed in Bullseye after systemd changes caused a bootloop). This is a bit counterproductive, since haveged is meant to be used in environments with minimal sources of entropy, but one of the checks that systemd-random-seed does is to verify that entropy is present. Therefore, override the default .service file for haveged that moves systemd-random-seed to the Before list, allowing it to start before systemd-random-seed checks the system entropy level. (systemd doesn't allow removing items from dependency/ordering entries such as After= and Before=, so the entire .service file has to be overwritten.) Note that despite this, haveged takes up to two seconds to actually start working, so systemd-random-seed may still block for about two seconds. However, this still allows other work (such as running rc.local) to proceed a bit sooner. Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
2022-03-24 14:28:42 -07:00 · 2022-03-24 14:28:42 -07:00 · aafb3d00e2
commit aafb3d00e2
parent b5ab98d3a1
2 changed files with 27 additions and 0 deletions
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@ -352,6 +352,10 @@ sudo mkdir -p $FILESYSTEM_ROOT/etc/systemd/system/syslog.socket.d
 sudo cp $IMAGE_CONFIGS/syslog/override.conf $FILESYSTEM_ROOT/etc/systemd/system/syslog.socket.d/override.conf
 sudo cp $IMAGE_CONFIGS/syslog/host_umount.sh $FILESYSTEM_ROOT/usr/bin/

+# Copy haveged override file
+sudo mkdir -p $FILESYSTEM_ROOT/etc/systemd/system/
+sudo cp $IMAGE_CONFIGS/haveged/haveged.service $FILESYSTEM_ROOT_ETC/systemd/system/haveged.service
+
 # Copy system-health files
 sudo LANG=C cp $IMAGE_CONFIGS/system-health/system-health.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM
 echo "system-health.service" | sudo tee -a $GENERATED_SERVICE_FILE
--- a/files/image_config/haveged/haveged.service
+++ b/files/image_config/haveged/haveged.service
@ -0,0 +1,23 @@
+[Unit]
+Description=Entropy daemon using the HAVEGE algorithm
+Documentation=man:haveged(8) http://www.issihosts.com/haveged/
+DefaultDependencies=no
+ConditionVirtualization=!container
+After=apparmor.service systemd-tmpfiles-setup.service
+Before=sysinit.target shutdown.target systemd-random-seed.service
+
+[Service]
+EnvironmentFile=-/etc/default/haveged
+ExecStart=/usr/sbin/haveged --Foreground --verbose=1 $DAEMON_ARGS
+SuccessExitStatus=143
+SecureBits=noroot-locked
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_SYS_ADMIN
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+ProtectSystem=full
+ProtectHome=yes
+
+[Install]
+WantedBy=default.target