haveged won't run in OpenVZ container - cannot follow recommendations

[Harald Kastner]

Hi @all,

I experienced bad bbb-performance in my latest 1.1 installation, just missed to install "haveged" as recommended so I did now.

Installation of the packages worked fine, but starting haveged failed everytime I tried.

Now this is just to confirm that haveged won't run in OpenVZ container.

1. Startup with standard settings:

● haveged.service - Entropy daemon using the HAVEGE algorithm
   Loaded: loaded (/lib/systemd/system/haveged.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
Condition: start condition failed at Mon 2017-05-29 11:10:29 CEST; 4min 17s ago
           ConditionVirtualization=!container was not met
     Docs: man:haveged(8)
           http://www.issihosts.com/haveged/

looking into haveged.service shows (complete file):

[Unit]
Description=Entropy daemon using the HAVEGE algorithm
Documentation=man:haveged(8) http://www.issihosts.com/haveged/
DefaultDependencies=no
ConditionVirtualization=!container <<<<<<<<<<<<<<<<<<<<<<<<<<<<< !!!
After=systemd-random-seed.service
Before=sysinit.target shutdown.target systemd-journald.service

[Service]
EnvironmentFile=-/etc/default/haveged
ExecStart=/usr/sbin/haveged --Foreground --verbose=1 $DAEMON_ARGS
SuccessExitStatus=143
SecureBits=noroot-locked
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_SYS_ADMIN
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=full
ProtectHome=yes

[Install]
WantedBy=default.target

where I changed for the next try

...
ConditionVirtualization=yes
...

2. Startup with changed settings:

● haveged.service - Entropy daemon using the HAVEGE algorithm
   Loaded: loaded (/lib/systemd/system/haveged.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2017-05-29 11:28:18 CEST; 1min 9s ago
     Docs: man:haveged(8)
           http://www.issihosts.com/haveged/
  Process: 1604 ExecStart=/usr/sbin/haveged --Foreground --verbose=1 $DAEMON_ARGS (code=exited, status=1/FAILURE)
 Main PID: 1604 (code=exited, status=1/FAILURE)

May 29 11:28:18 c7735 systemd[1]: Started Entropy daemon using the HAVEGE algorithm.
May 29 11:28:18 c7735 haveged[1604]: haveged: ver: 1.9.1; arch: x86; vend: GenuineIntel; build: (gcc 5.2.1 ITV); collect: 128K
May 29 11:28:18 c7735 haveged[1604]: haveged: cpu: (L4 VC); data: 32K (L2 L4); inst: 32K (L2 L4); idx: 19/40; sz: 31614/64718
May 29 11:28:18 c7735 haveged[1604]: haveged: tot tests(BA8): A:1/1 B:1/1 continuous tests(B):  last entropy estimate 7.99763
May 29 11:28:18 c7735 haveged[1604]: haveged: fills: 0, generated: 0
May 29 11:28:18 c7735 haveged[1604]: haveged: Fail:set_watermark()! <<<<<<<<<<<<<<<<<<<<<<< !!!
May 29 11:28:18 c7735 haveged[1604]: haveged starting up
May 29 11:28:18 c7735 systemd[1]: haveged.service: Main process exited, code=exited, status=1/FAILURE
May 29 11:28:18 c7735 systemd[1]: haveged.service: Unit entered failed state.
May 29 11:28:18 c7735 systemd[1]: haveged.service: Failed with result 'exit-code'.

3. Starting with different command line and changed settings:

root@c7735:/# haveged --Foreground --verbose=1
haveged starting up
haveged: ver: 1.9.1; arch: x86; vend: GenuineIntel; build: (gcc 5.2.1 ITV); collect: 128K
haveged: cpu: (L4 VC); data: 32K (L2 L4); inst: 32K (L2 L4); idx: 19/40; sz: 31614/64718
haveged: tot tests(BA8): A:1/1 B:1/1 continuous tests(B):  last entropy estimate 7.99848
haveged: fills: 0, generated: 0
haveged: RNDADDENTROPY failed! <<<<<<<<<<<<<<<<<<<<<<<<<<< !!!

Led me to: http://manpages.ubuntu.com/manpages/xenial/man8/haveged.8.html

and testing:

root@c7735:/# cat /proc/sys/kernel/osrelease
2.6.32-042stab120.6
root@c7735:/# cat /proc/sys/kernel/random/poolsize
4096
root@c7735:/# cat /proc/sys/kernel/random/write_wakeup_threshold
4096
root@c7735:/# echo test > /dev/random
root@c7735:/# echo $?
0
root@c7735:/# echo test > /proc/sys/kernel/random/write_wakeup_threshold
bash: /proc/sys/kernel/random/write_wakeup_threshold: Permission denied
root@c7735:/# echo $?
1
root@c7735:/#

So we have two confirmed errors here:

Fail:set_watermark() Unable to write to /proc/sys/kernel/random/write_wakeup_threshold

RNDADDENTROPY failed! Call to ioctl(2) to add entropy failed

So the dependencies are accessible (/dev/random writeable too but not /proc/sys/kernel/random/write_wakeup_threshold - as it should).

Conclusio: in OpenVZ haveged won't run, so installing bbb in OpenVZ should be avoided.

Please check my results, hope this is helpful for others on OpenVZ.

Cheers, Harald

[Chad Pilkey]

Some quick googling seems to corroborate your findings. I couldn't find a good alternative to increase entropy in an OpenVZ container either.

[Fred Dixon]

Harald,

Thanks for sharing this (and the detailed analysis).  You'll definitely help others who are looking at using OpenVZ containers.

Regards,.. Fred

--
You received this message because you are subscribed to the Google Groups "BigBlueButton-Setup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to bigbluebutton-setup+unsub...@googlegroups.com.
To post to this group, send email to bigbluebutton-setup@googlegroups.com.
Visit this group at https://groups.google.com/group/bigbluebutton-setup.
For more options, visit https://groups.google.com/d/optout.

--

BigBlueButton Developer

http://bigbluebutton.org/

@bigbluebutton