aafb3d00e2
The haveged service file in Debian Buster specifies that haveged should start after systemd-random-seed starts (this was removed in Bullseye after systemd changes caused a bootloop). This is a bit counterproductive, since haveged is meant to be used in environments with minimal sources of entropy, but one of the checks that systemd-random-seed does is to verify that entropy is present.

Therefore, override the default .service file for haveged that moves systemd-random-seed to the Before list, allowing it to start before systemd-random-seed checks the system entropy level. (systemd doesn't allow removing items from dependency/ordering entries such as After= and Before=, so the entire .service file has to be overwritten.)

Note that despite this, haveged takes up to two seconds to actually start working, so systemd-random-seed may still block for about two seconds. However, this still allows other work (such as running rc.local) to proceed a bit sooner.

Signed-off-by: Saikrishna Arcot <sarcot@microsoft.com>
24 lines
643 B
Desktop File
[Unit]
Description=Entropy daemon using the HAVEGE algorithm
Documentation=man:haveged(8) http://www.issihosts.com/haveged/
DefaultDependencies=no
ConditionVirtualization=!container
After=apparmor.service systemd-tmpfiles-setup.service
Before=sysinit.target shutdown.target systemd-random-seed.service

[Service]
EnvironmentFile=-/etc/default/haveged
ExecStart=/usr/sbin/haveged --Foreground --verbose=1 $DAEMON_ARGS
SuccessExitStatus=143
SecureBits=noroot-locked
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_SYS_ADMIN
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=full
ProtectHome=yes

[Install]
WantedBy=default.target
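
The commit message's point that ordering entries can only be added, never removed, is why a drop-in would not have been enough here. The shell check below is an added example, not part of the commit: the helper name `seed_ordering`, the sample file names, and the "stock" unit line (constructed from the commit message's description of the Buster unit) are assumptions.

```shell
#!/bin/sh
# Added example: classify how a unit is ordered relative to
# systemd-random-seed.service once a unit file and its drop-ins are merged.
SEED_UNIT="systemd-random-seed.service"

# usage: seed_ordering FILE [DROPIN...]   (hypothetical helper name)
# prints: before | after | conflict | none
seed_ordering() {
    awk -v seed="$SEED_UNIT" '
        FNR == 1          { in_unit = 0 }          # new file: no section yet
        /^[ \t]*[#;]/     { next }                 # skip comment lines
        /^[ \t]*\[/       { in_unit = ($0 ~ /^[ \t]*\[Unit\][ \t]*$/); next }
        !in_unit          { next }                 # ordering lives in [Unit]
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", key)
            if (key != "After" && key != "Before") next
            # Dependency lists only accumulate, so merge every occurrence.
            n = split(substr($0, eq + 1), units, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (units[i] == seed) seen[key] = 1
        }
        END {
            if (seen["After"] && seen["Before"]) print "conflict"
            else if (seen["Before"])             print "before"
            else if (seen["After"])              print "after"
            else                                 print "none"
        }
    ' "$@"
}

# Constructed sample inputs; only the override lines are taken from the page.
tmp=$(mktemp -d)
printf '[Unit]\nAfter=apparmor.service systemd-random-seed.service\nBefore=sysinit.target\n' > "$tmp/stock.service"
printf '[Unit]\nBefore=systemd-random-seed.service\n' > "$tmp/dropin.conf"
printf '[Unit]\nAfter=apparmor.service systemd-tmpfiles-setup.service\nBefore=sysinit.target shutdown.target systemd-random-seed.service\n' > "$tmp/override.service"

echo "stock unit:           $(seed_ordering "$tmp/stock.service")"
echo "stock unit + drop-in: $(seed_ordering "$tmp/stock.service" "$tmp/dropin.conf")"
echo "full override:        $(seed_ordering "$tmp/override.service")"
```

The "conflict" result for the stock unit plus a drop-in is the contradictory ordering that replacing the whole file avoids.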