Merge ~paelzer/ubuntu/+source/chrony:fix-slow-init-bionic into ubuntu/+source/chrony:ubuntu/bionic-devel

Proposed by Christian Ehrhardt 
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 577926ce6e9090225c218368494c614ca8f8554a
Merge reported by: Christian Ehrhardt 
Merged at revision: 577926ce6e9090225c218368494c614ca8f8554a
Proposed branch: ~paelzer/ubuntu/+source/chrony:fix-slow-init-bionic
Merge into: ubuntu/+source/chrony:ubuntu/bionic-devel
Diff against target: 73 lines (+51/-0)
3 files modified
debian/changelog (+8/-0)
debian/patches/lp-1787366-fall-back-to-urandom.patch (+42/-0)
debian/patches/series (+1/-0)
Reviewer                               Review Type  Date Requested  Status
Andreas Hasenack                                                    Approve
Canonical Server packageset reviewers                               Pending
git-ubuntu developers                                               Pending
Review via email: mp+353397@code.launchpad.net
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Trivial single patch backport from upstream in preparation of newer kernels.
4.17 should have been the one bringing the random changes, if not they will hit sooner or later.
Please follow the links from the Bug Description for some background on this.

Note: added a ~ubuntu-security review slot for the potential drawback of the lower quality bits which might in theory make it easier to spoof replies.

Bug: https://bugs.launchpad.net/ubuntu/+source/chrony/+bug/1787366
PPA for Testing: https://launchpad.net/~ci-train-ppa-service/+archive/ubuntu/3361

This was acked from a security POV in https://code.launchpad.net/~paelzer/ubuntu/+source/chrony/+git/chrony/+merge/353232 and now just needs packaging review to make sure we didn't miss something on making this available for Bionic.
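The getrandom()/urandom fallback that this backport adjusts, shown as an added example in C (not chrony's code and not part of this merge proposal). It assumes glibc 2.25 or newer for <sys/random.h>; rand_state, fill_random, default_getrandom and the fake_eagain/fake_enosys injection hooks are this example's own names. It goes one step beyond the one-line upstream change: an EAGAIN from the non-blocking call falls back to /dev/urandom for that request only, so later requests retry the syscall once the kernel pool is seeded, while ENOSYS-style errors disable it for good. The fakes exist so the two failure paths can be exercised without an unseeded kernel.

```c
/* Added example (not chrony code): non-blocking getrandom() with a
 * /dev/urandom fallback, using an injectable syscall so the EAGAIN and
 * ENOSYS paths can be exercised offline. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/random.h>   /* getrandom(), GRND_NONBLOCK (glibc >= 2.25 assumed) */
#endif
#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001  /* value from <linux/random.h> */
#endif

enum rand_source { RAND_SRC_NONE = 0, RAND_SRC_GETRANDOM = 1, RAND_SRC_URANDOM = 2 };

/* Same contract as getrandom(2): bytes written, or -1 with errno set. */
typedef ssize_t (*getrandom_fn)(void *buf, size_t len, unsigned int flags);

struct rand_state {
    getrandom_fn sys;        /* real syscall, or a fake for testing */
    int getrandom_disabled;  /* set once the syscall is known to be unusable */
};

/* Real getrandom(2) on Linux; ENOSYS elsewhere so the fallback is taken. */
ssize_t default_getrandom(void *buf, size_t len, unsigned int flags) {
#ifdef __linux__
    return getrandom(buf, len, flags);
#else
    (void)buf; (void)len; (void)flags;
    errno = ENOSYS;
    return -1;
#endif
}

/* Hypothetical fakes for the two failure modes the fallback distinguishes. */
static int fake_calls;
int fake_call_count(void) { return fake_calls; }
ssize_t fake_eagain(void *b, size_t l, unsigned int f) {
    (void)b; (void)l; (void)f; fake_calls++; errno = EAGAIN; return -1;
}
ssize_t fake_enosys(void *b, size_t l, unsigned int f) {
    (void)b; (void)l; (void)f; fake_calls++; errno = ENOSYS; return -1;
}

/* Read exactly len bytes from /dev/urandom, which never blocks on Linux. */
int read_urandom(unsigned char *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    fcntl(fd, F_SETFD, FD_CLOEXEC);
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Non-blocking getrandom() first. EAGAIN (pool not yet seeded) falls back
 * for this call only, so later calls retry the syscall once the pool is
 * ready; any other error (ENOSYS on old kernels, EPERM under a seccomp
 * filter) disables the syscall for the rest of the process lifetime. */
enum rand_source fill_random(struct rand_state *st, unsigned char *buf, size_t len) {
    if (!st->getrandom_disabled && st->sys) {
        size_t got = 0;
        while (got < len) {
            ssize_t n = st->sys(buf + got, len - got, GRND_NONBLOCK);
            if (n < 0 && errno == EINTR) continue;
            if (n <= 0) {
                if (n < 0 && errno != EAGAIN) st->getrandom_disabled = 1;
                break;
            }
            got += (size_t)n;
        }
        if (got == len) return RAND_SRC_GETRANDOM;
    }
    return read_urandom(buf, len) == 0 ? RAND_SRC_URANDOM : RAND_SRC_NONE;
}

int all_zero(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++) if (buf[i]) return 0;
    return 1;
}

int main(void) {
    unsigned char key[32];
    struct rand_state real = { default_getrandom, 0 };
    struct rand_state cold = { fake_eagain, 0 };
    printf("real syscall: source=%d\n", fill_random(&real, key, sizeof key));
    printf("EAGAIN fake:  source=%d disabled=%d\n",
           fill_random(&cold, key, sizeof key), cold.getrandom_disabled);
    return all_zero(key, sizeof key);
}
```

Keeping EAGAIN out of the permanent-disable path matters for the drawback raised above: bytes drawn from an unseeded urandom are only used until the pool initializes, instead of for the whole daemon lifetime.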

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

+1

review: Approve
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/chrony
 * [new tag] upload/3.2-4ubuntu4.2 -> upload/3.2-4ubuntu4.2

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading chrony_3.2-4ubuntu4.2.dsc: done.
  Uploading chrony_3.2-4ubuntu4.2.debian.tar.xz: done.
  Uploading chrony_3.2-4ubuntu4.2_source.buildinfo: done.
  Uploading chrony_3.2-4ubuntu4.2_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index cfa85ad..7e2efd8 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,11 @@
6+chrony (3.2-4ubuntu4.2) bionic; urgency=medium
7+
8+ * d/p/lp-1787366-fall-back-to-urandom.patch: avoid hangs when starting
9+ the service on newer kernels by falling back to urandom.
10+ (LP: #1787366, Closes: #906276)
11+
12+ -- Christian Ehrhardt <christian.ehrhardt@canonical.com> Mon, 20 Aug 2018 11:36:18 +0200
13+
14 chrony (3.2-4ubuntu4.1) bionic; urgency=medium
15
16 * debian/usr.sbin.chronyd:
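Review bot: the changelog entry says the hang is avoided "by falling back to urandom", but the only code change in this upload is passing GRND_NONBLOCK to getrandom(); the /dev/urandom fallback is the path already taken on any getrandom() failure, it is just reached immediately instead of after a blocking wait. Suggest wording it as "call getrandom() with GRND_NONBLOCK so chronyd falls back to /dev/urandom instead of blocking until the kernel pool is initialized", and noting the tradeoff the upstream commit message spells out (slightly easier-to-guess timestamps until urandom is fully initialized), since that is what the security review slot was requested for.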
17diff --git a/debian/patches/lp-1787366-fall-back-to-urandom.patch b/debian/patches/lp-1787366-fall-back-to-urandom.patch
18new file mode 100644
19index 0000000..48585f8
20--- /dev/null
21+++ b/debian/patches/lp-1787366-fall-back-to-urandom.patch
22@@ -0,0 +1,42 @@
23+From 7c5bd948bb7e21fa0ee22f29e97748b2d0360319 Mon Sep 17 00:00:00 2001
24+From: Miroslav Lichvar <mlichvar@redhat.com>
25+Date: Thu, 17 May 2018 14:16:58 +0200
26+Subject: [PATCH] util: fall back to reading /dev/urandom when getrandom()
27+ blocks
28+
29+With recent changes in the Linux kernel, the getrandom() system call may
30+block for a long time after boot on machines that don't have enough
31+entropy. It blocks the chronyd's initialization before it can detach
32+from the terminal and may cause a chronyd service to fail to start due
33+to a timeout.
34+
35+At least for now, enable the GRND_NONBLOCK flag to make the system call
36+non-blocking and let the code fall back to reading /dev/urandom (which
37+never blocks) if the system call failed with EAGAIN or any other error.
38+
39+This makes the start of chronyd non-deterministic with respect to files
40+that it needs to open and possibly also makes it slightly easier to
41+guess the transmit/receive timestamp in client requests until the
42+urandom source is fully initialized.
43+
44+Author: Christian Ehrhardt <christian.ehrhardt@canonical.com>
45+Original-Author: Miroslav Lichvar <mlichvar@redhat.com>
46+Origin: backport, https://git.tuxfamily.org/chrony/chrony.git/commit/?id=7c5bd948bb7e21fa0ee22f29e97748b2d0360319
47+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1787366
48+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906276
49+Last-Update: 2018-08-16
50+---
51+ util.c | 2 +-
52+ 1 file changed, 1 insertion(+), 1 deletion(-)
53+
54+--- a/util.c
55++++ b/util.c
56+@@ -1224,7 +1224,7 @@ get_random_bytes_getrandom(char *buf, un
57+ if (disabled)
58+ break;
59+
60+- if (getrandom(rand_buf, sizeof (rand_buf), 0) != sizeof (rand_buf)) {
61++ if (getrandom(rand_buf, sizeof (rand_buf), GRND_NONBLOCK) != sizeof (rand_buf)) {
62+ disabled = 1;
63+ break;
64+ }
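Review bot: in the util.c hunk, a getrandom() failure with EAGAIN (pool not yet initialized, exactly the case GRND_NONBLOCK is added for) still sets `disabled = 1` and breaks, so this process permanently switches to /dev/urandom even after the kernel pool becomes fully seeded a few seconds later; that stretches the window the commit message warns about from "until the urandom source is fully initialized" to the whole daemon lifetime. Consider breaking out without setting `disabled` when errno is EAGAIN, so later calls retry the syscall, and reserving `disabled = 1` for errors such as ENOSYS. Two smaller points: the hunk uses GRND_NONBLOCK without showing where it is defined, so confirm the bionic 3.2 source of util.c already pulls in the header that defines it (or add that include to the backport); and the DEP-3 header sets `Author:` to the backporter while `From:` and `Original-Author:` name Miroslav Lichvar, which is the reverse of DEP-3's use of Author for the patch author.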
65diff --git a/debian/patches/series b/debian/patches/series
66index 947a7d5..872c0b2 100644
67--- a/debian/patches/series
68+++ b/debian/patches/series
69@@ -1,3 +1,4 @@
70 lp1589780-sys_linux-don-t-keep-CAP_SYS_TIME-with-x-option.patch
71 lp-1718227-ignore-non-up-down-events-in-nm-dispatcher.patch
72 lp-1718227-nm-dispatcher-for-networkd.patch
73+lp-1787366-fall-back-to-urandom.patch
