Snappy

systemd-random-seed fails to start because /var/lib/systemd/random-seed is read only

Bug #1462954 reported by Simon Eisenmann on 2015-06-08
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Snappy
Status tracked in Trunk
15.04
Fix Released
High
Unassigned
Trunk
Fix Released
High
filippo carugati
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

The systemd-random-seed service fails to start on boot, because it cannot write /var/lib/systemd/random-seed file.

This is very bad as the Snappy device will not have any entropy stored after subsequent boots. The file should be made writable, so the service can store entropy there for the next boot.

Leaves the problem of first boot though. Snappy images should not ship with a random-seed. This means on first boot there is little to no entropy.

If the Kernel does not have http://lkml.iu.edu/hypermail/linux/kernel/1312.1/04772.html (essentiall <= 3.14) this means that first boot stuff (eg SSH keys) are generated with very poor entropy.

See original description
Simon Eisenmann (longsleep) on 2015-06-08
description: updated
Jamie Strandboge (jdstrand) wrote :

FYI, /var/lib/systemd/random-seed is intended to be writable:

$ grep random /etc/system-image/writable-paths
# random seed
/var/lib/systemd/random-seed auto persistent transition none

Martin Pitt (pitti) wrote :

This was supposed to be fixed by https://launchpad.net/ubuntu/+source/ubuntu-core-config/0.6.12 but apparently there's a startup ordering problem?

Simon Eisenmann (longsleep) wrote :

None of the writeable mounts in /var/lib/systemd seem to work here.

Simon Eisenmann (longsleep) wrote :

The problem is that writable mounts are bind mounts and when initrd transfers the entries from /etc/system-image/writable-paths to fstab it checks first that the target does exist. See initrd/scripts/ubuntu-core-rootfs in handle_writable_paths function.

That way it will never be able to mount anything writable which does not exist in the first place.

Martin Pitt (pitti) wrote :

Sorry for the unintended duplicate comment #15.

Indeed "sudo touch /var/lib/systemd/random-seed" fixes this. So we need to pre-create this file in ubuntu-core-config so that we have something to bind mount to.

filippo carugati (pippothebest) wrote :

pippo@pippo-VGN-NR10E-S:~$ systemctl status system-random-seed.service
● system-random-seed.service
   Loaded: not-found (Reason: No such file or directory)
   Active: inactive (dead)

Jens Elkner (jelmd) wrote :

And this prevents ZFS boot, when /var is a separate ZFS, because than it cannot be mounted:
dir is not empty!

Wondering, why it cannot be placed below /run/ ...

John Lenton (chipaca) wrote :

Jens, that sounds like a completely different bug. Unless you're running a ubuntu core device off zfs with a very customised gadget... :-)

John Lenton (chipaca) wrote :

Filippo, where is that?

Oliver Grawert (ogra) wrote :

@jens the random-seed file is used to hold the last seed value, so when you boot there is info how the last random seed looked like to make sure the new seed is not identical this time, to guarantee randomness across reboots.

the /run filesystem is a tmpfs and wiped on each reboot so the file needs to be placed on a persistent place in the filesystem.

also, as john said, we do not actually support zfs based snappy ubuntu-core yet, how did you create this image ?

@filippo: the service is called systemd-random-seed.service, not system-random-seed.service

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers