** Description changed:

+ [Impact]
+ 
+  * backport upstream fix to avoid issues with newer kernels handling of 
+    getrandom calls
+ 
+  * The Bionic kernel itself doesn't have the changes yet that made this 
+    much more common to show up in cloud environments, but when the cosmic 
+    kernel will be available as HWE it will also affect Bionic.
+ 
+ [Test Case]
+ 
+  * The actual testcase is just "start the service".
+    To simplify you can ignore the service and directly start it in a 
+    console in "no detach" mode
+    $ chronyd -d
+ 
+  * The more complex part on the test is the condition under which this 
+    becomes an issue, which is in low entropy environments.
+    The real cases are due to changes in the upstream kernel at ~4.17
+    and examples can be found on the linked discussions as well as the 
+    Debian bug.
+ 
+ [Regression Potential]
+ 
+  * The change itself only adds "one more" case to the conditions that
+    let it fall back to urandom. Never the less this can be considered a 
+    security risk as discussed in the linked mail threads.
+    To be sure on that I added security as an extra reviewer on the first 
+    MP for this before pushing it into any release.
+    See [4] for the ack by Seth.
+    Other than that 
+ 
+ [Other Info]
+  
+  * n/a
+ 
+ ----
+ 
  Started in a discussion at [1] And eventually finalized in [2] and a
  commit at [3]
  
  We need to avoid systems hanging due to the long delay on start especially 
with kernel >=4.17 IIRC.
  Since this will soon be released with Cosmic and HWE Kernels for Bionic we 
don't want cloud instances to suddenly initialize much slower.
  
  TL;DR: The fallback always was to urandom, it just got a new case to do
  so, which is not being able to deliver enough entropy.
  
  Since this has a rather low but potential security drawback [2] I also
  will ping the security people to check and [n]ack this.
  
  [1]: 
https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-users/2018/04/msg00036.html
- [2]: 
https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-users/2018/05/msg00060.html
 
+ [2]: 
https://listengine.tuxfamily.org/chrony.tuxfamily.org/chrony-users/2018/05/msg00060.html
  [3]: 
https://git.tuxfamily.org/chrony/chrony.git/commit/?id=7c5bd948bb7e21fa0ee22f29e97748b2d0360319
+ [4]: 
https://code.launchpad.net/~paelzer/ubuntu/+source/chrony/+git/chrony/+merge/353232/comments/919347

** Bug watch added: Debian Bug tracker #906276
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906276

** Also affects: chrony (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906276
   Importance: Unknown
       Status: Unknown
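The urandom fallback the description refers to, as an added example that is not chrony's own code: it assumes the Linux getrandom() syscall and a hypothetical get_random_bytes() API, tries getrandom() with GRND_NONBLOCK and falls back to /dev/urandom when the kernel would block, so startup never hangs while the bytes still come from the kernel CSPRNG.

```c
/* Added example, not chrony's own code: fetch random bytes at service start
 * without blocking on an uninitialised kernel entropy pool. getrandom() is
 * tried with GRND_NONBLOCK; EAGAIN (pool not ready, the >=4.17 case above) or
 * ENOSYS (no such syscall) falls back to /dev/urandom, which never blocks. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <sys/syscall.h>
#define GRND_NONBLOCK 0x0001 /* value from <sys/random.h>, header not needed */
enum rand_source { RAND_NONE = 0, RAND_GETRANDOM = 1, RAND_URANDOM = 2 };

/* Read exactly len bytes from /dev/urandom, looping over short reads. */
static int read_urandom(unsigned char *buf, size_t len) {
  size_t got = 0;
  int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
  if (fd < 0) return -1;
  while (got < len) {
    ssize_t n = read(fd, buf + got, len - got);
    if (n < 0 && errno == EINTR) continue;      /* signal: retry */
    if (n <= 0) { close(fd); return -1; }
    got += (size_t)n;
  }
  close(fd);
  return 0;
}

/* Fill buf with len bytes; returns which source supplied them (hypothetical API). */
enum rand_source get_random_bytes(unsigned char *buf, size_t len) {
#ifdef SYS_getrandom
  size_t got = 0;
  while (got < len) {
    long n = syscall(SYS_getrandom, buf + got, len - got, GRND_NONBLOCK);
    if (n < 0 && errno == EINTR) continue;      /* signal: retry */
    if (n < 0) break;  /* EAGAIN (would block) or ENOSYS: use the fallback */
    got += (size_t)n;
  }
  if (got == len) return RAND_GETRANDOM;
#endif
  /* Nothing, or only part, came from getrandom(): take it all from urandom. */
  return read_urandom(buf, len) == 0 ? RAND_URANDOM : RAND_NONE;
}
/* Self-check: 32 bytes obtained from some source and not all zero. */
int random_self_check(void) {
  unsigned char buf[32] = {0};
  if (get_random_bytes(buf, sizeof buf) == RAND_NONE) return 0;
  for (size_t i = 0; i < sizeof buf; i++) if (buf[i]) return 1;
  return 0;
}
```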

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1787366

Title:
  avoid service start hang due to random changes

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs