From aafb3d00e2211fc71b1c3a61a44a494c554a39a3 Mon Sep 17 00:00:00 2001
From: Saikrishna Arcot
Date: Thu, 24 Mar 2022 14:28:42 -0700
Subject: [PATCH] Start haveged before systemd-random-seed (#10328)

The haveged service file in Debian Buster specifies that haveged should start after systemd-random-seed starts (this was removed in Bullseye after systemd changes caused a bootloop). This is a bit counterproductive, since haveged is meant to be used in environments with minimal sources of entropy, but one of the checks that systemd-random-seed does is to verify that entropy is present.

Therefore, override the default .service file for haveged that moves systemd-random-seed to the Before list, allowing it to start before systemd-random-seed checks the system entropy level. (systemd doesn't allow removing items from dependency/ordering entries such as After= and Before=, so the entire .service file has to be overwritten.)

Note that despite this, haveged takes up to two seconds to actually start working, so systemd-random-seed may still block for about two seconds. However, this still allows other work (such as running rc.local) to proceed a bit sooner.

Signed-off-by: Saikrishna Arcot
---
 .../build_templates/sonic_debian_extension.j2 |  4 ++++
 files/image_config/haveged/haveged.service    | 23 +++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 files/image_config/haveged/haveged.service

diff --git a/files/build_templates/sonic_debian_extension.j2 b/files/build_templates/sonic_debian_extension.j2
index 29a7eb2dca..4d4f4b37bc 100644
--- a/files/build_templates/sonic_debian_extension.j2
+++ b/files/build_templates/sonic_debian_extension.j2
@@ -352,6 +352,10 @@ sudo mkdir -p $FILESYSTEM_ROOT/etc/systemd/system/syslog.socket.d sudo cp $IMAGE_CONFIGS/syslog/override.conf $FILESYSTEM_ROOT/etc/systemd/system/syslog.socket.d/override.conf sudo cp $IMAGE_CONFIGS/syslog/host_umount.sh $FILESYSTEM_ROOT/usr/bin/ +# Copy haveged override file +sudo mkdir -p $FILESYSTEM_ROOT/etc/systemd/system/ +sudo cp $IMAGE_CONFIGS/haveged/haveged.service $FILESYSTEM_ROOT_ETC/systemd/system/haveged.service + # Copy system-health files sudo LANG=C cp $IMAGE_CONFIGS/system-health/system-health.service $FILESYSTEM_ROOT_USR_LIB_SYSTEMD_SYSTEM echo "system-health.service" | sudo tee -a $GENERATED_SERVICE_FILE diff --git a/files/image_config/haveged/haveged.service b/files/image_config/haveged/haveged.service new file mode 100644 index 0000000000..361b1114b1 --- /dev/null +++ b/files/image_config/haveged/haveged.service @@ -0,0 +1,23 @@ +[Unit] +Description=Entropy daemon using the HAVEGE algorithm +Documentation=man:haveged(8) http://www.issihosts.com/haveged/ +DefaultDependencies=no +ConditionVirtualization=!container +After=apparmor.service systemd-tmpfiles-setup.service +Before=sysinit.target shutdown.target systemd-random-seed.service + +[Service] +EnvironmentFile=-/etc/default/haveged +ExecStart=/usr/sbin/haveged --Foreground --verbose=1 $DAEMON_ARGS +SuccessExitStatus=143 +SecureBits=noroot-locked +NoNewPrivileges=yes +CapabilityBoundingSet=CAP_SYS_ADMIN +PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +ProtectSystem=full +ProtectHome=yes + +[Install] +WantedBy=default.target
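Review bot: in the sonic_debian_extension.j2 hunk the two added commands use different roots: the directory is created under `$FILESYSTEM_ROOT/etc/systemd/system/`, but the copy targets `$FILESYSTEM_ROOT_ETC/systemd/system/haveged.service`. Unless `FILESYSTEM_ROOT_ETC` is guaranteed to expand to `$FILESYSTEM_ROOT/etc`, the file can end up somewhere the mkdir did not prepare; use the same form in both lines, e.g. `sudo cp $IMAGE_CONFIGS/haveged/haveged.service $FILESYSTEM_ROOT/etc/systemd/system/haveged.service`. The comment `# Copy haveged override file` is also misleading: unlike the syslog `override.conf` drop-in a few lines above, this is a complete unit in /etc/systemd/system that masks the packaged unit entirely, so call it a replacement unit so readers do not assume the package's own directives still apply.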
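Review bot: the new files/image_config/haveged/haveged.service carries no comment stating where it was copied from or what was changed. Because a unit in /etc/systemd/system shadows the whole /lib/systemd/system unit, any later change to the Debian package's `ExecStart` arguments or hardening lines (`NoNewPrivileges`, `CapabilityBoundingSet`, `Private*`, `Protect*`) will silently not reach this image. Add a header comment naming the source package version and saying that the only intended difference is moving `systemd-random-seed.service` from `After=` to `Before=` in `[Unit]`, so the file can be diffed against the package on the next Debian bump.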