[PATCH 0/2] sshd-regen-keys: Fix boot hang on low end hardware

[PATCH 0/2] sshd-regen-keys: Fix boot hang on low end hardware

[Florian Bezdeka]

Hi,

when booting a Debian 11 based ISAR image with sshd-regen-keys 
enabled on low end systems it could happen that the first boot 
took too long so that the configured timeout for serial console 
systemd units was hit.

It turned out that running sshd-regen-keys in parallel to
systemd-random-seed is not the best idea. Patch one fixes that by
moving the start of sshd-regen-keys after the point in time where 
systemd-random-seed completed.

Patch two fixes two warnings that were discovered on Debian 11. I
tested that with Debian 10 as well. Worked as expected.

Best regards,
Florian

Florian Bezdeka (2):
  sshd-regen-keys: Start key generation after entropy seed
  sshd-regen-keys: Fix some systemd obsolete warnings about using syslog

 .../sshd-regen-keys/files/sshd-regen-keys.service              | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

-- 
2.31.1

[PATCH 1/2] sshd-regen-keys: Start key generation after entropy seed

[Florian Bezdeka]

Especially on low-end systems (including arm on qemu) it could happen
that the key generation took extremly long. As side effect some other
services (like the ones for serial consoles) run into the configured
timeouts.

[ TIME ] Timed out waiting for device /dev/hvc0.
[DEPEND] Dependency failed for Serial Getty on hvc0.
[ TIME ] Timed out waiting for device /dev/ttyAMA0.
[DEPEND] Dependency failed for Serial Getty on ttyAMA0.

Delaying the key generation to the point in time where
systemd-random-seed finished solves this problem. My current
understanding is that the regeneration is waiting for enough entropy
which is being seeded in parallel.

Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
---
 .../sshd-regen-keys/files/sshd-regen-keys.service                | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index a05e1a9..4d0a8c6 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -3,6 +3,7 @@ Description=Regenerate sshd host keys
 DefaultDependencies=no
 Conflicts=shutdown.target
 After=systemd-remount-fs.service
+After=systemd-random-seed.service
 Before=shutdown.target sshd.service
 ConditionPathIsReadWrite=/etc
 
-- 
2.31.1

[PATCH 2/2] sshd-regen-keys: Fix some systemd obsolete warnings about using syslog

[Florian Bezdeka]

Fixes the following warnings:

[   11.450104] systemd[1]: /lib/systemd/system/sshd-regen-keys.service:15:
[   11.450806] systemd[1]: /lib/systemd/system/sshd-regen-keys.service:16:
	Standard output type syslog is obsolete, automatically updating to journal.
	Please update your unit file, and consider removing the setting altogether.

Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
---
 .../sshd-regen-keys/files/sshd-regen-keys.service               | 2 --
 1 file changed, 2 deletions(-)

diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index 4d0a8c6..ebcee86 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -13,8 +13,6 @@ RemainAfterExit=yes
 Environment=DEBIAN_FRONTEND=noninteractive
 ExecStart=/usr/sbin/sshd-regen-keys.sh
 ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
-StandardOutput=syslog
-StandardError=syslog
 
 [Install]
 WantedBy=sysinit.target
-- 
2.31.1

Re: [PATCH 2/2] sshd-regen-keys: Fix some systemd obsolete warnings about using syslog

[Jan Kiszka]

On 08.10.21 09:47, Florian Bezdeka wrote:
> Fixes the following warnings:
> 
> [   11.450104] systemd[1]: /lib/systemd/system/sshd-regen-keys.service:15:
> [   11.450806] systemd[1]: /lib/systemd/system/sshd-regen-keys.service:16:
> 	Standard output type syslog is obsolete, automatically updating to journal.
> 	Please update your unit file, and consider removing the setting altogether.
> 

Interesting. We are using that downstream as well, sometimes to divert
from syslog, sometimes to append the console (syslog+console). Do you
know what exactly is deprecated?

Jan

> Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
> ---
>  .../sshd-regen-keys/files/sshd-regen-keys.service               | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index 4d0a8c6..ebcee86 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -13,8 +13,6 @@ RemainAfterExit=yes
>  Environment=DEBIAN_FRONTEND=noninteractive
>  ExecStart=/usr/sbin/sshd-regen-keys.sh
>  ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> -StandardOutput=syslog
> -StandardError=syslog
>  
>  [Install]
>  WantedBy=sysinit.target
> 

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux

Re: [PATCH 2/2] sshd-regen-keys: Fix some systemd obsolete warnings about using syslog

[Bezdeka, Florian]

On Fri, 2021-10-08 at 10:23 +0200, Jan Kiszka wrote:
> On 08.10.21 09:47, Florian Bezdeka wrote:
> > Fixes the following warnings:
> > 
> > [   11.450104] systemd[1]: /lib/systemd/system/sshd-regen-keys.service:15:
> > [   11.450806] systemd[1]: /lib/systemd/system/sshd-regen-keys.service:16:
> > 	Standard output type syslog is obsolete, automatically updating to journal.
> > 	Please update your unit file, and consider removing the setting altogether.
> > 
> 
> Interesting. We are using that downstream as well, sometimes to divert
> from syslog, sometimes to append the console (syslog+console). Do you
> know what exactly is deprecated?

Just found some info in the systemd changelog/news [1] and the hint
that the system administrator can change the default of StandardOutput
and StandardError in /etc/systemd/system.conf which would be
overwritten when defined in unit files. That's why the recommendation
is to remove this options from unit files at all.

Replacements are journal and journal+console.

[1] https://github.com/systemd/systemd/blob/6706384a89ae0c462e7172588c80667190c4d9e2/NEWS#L724
> 
> Jan
> 
> > Signed-off-by: Florian Bezdeka <florian.bezdeka@siemens.com>
> > ---
> >  .../sshd-regen-keys/files/sshd-regen-keys.service               | 2 --
> >  1 file changed, 2 deletions(-)
> > 
> > diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > index 4d0a8c6..ebcee86 100644
> > --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > @@ -13,8 +13,6 @@ RemainAfterExit=yes
> >  Environment=DEBIAN_FRONTEND=noninteractive
> >  ExecStart=/usr/sbin/sshd-regen-keys.sh
> >  ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> > -StandardOutput=syslog
> > -StandardError=syslog
> >  
> >  [Install]
> >  WantedBy=sysinit.target
> > 
> 

Re: [PATCH 0/2] sshd-regen-keys: Fix boot hang on low end hardware

[Anton Mikanovich]

On 8.10.21 10:47, Florian Bezdeka wrote:
> Hi,
>
> when booting a Debian 11 based ISAR image with sshd-regen-keys
> enabled on low end systems it could happen that the first boot
> took too long so that the configured timeout for serial console
> systemd units was hit.
>
> It turned out that running sshd-regen-keys in parallel to
> systemd-random-seed is not the best idea. Patch one fixes that by
> moving the start of sshd-regen-keys after the point in time where
> systemd-random-seed completed.
>
> Patch two fixes two warnings that were discovered on Debian 11. I
> tested that with Debian 10 as well. Worked as expected.
>
> Best regards,
> Florian
>
> Florian Bezdeka (2):
>    sshd-regen-keys: Start key generation after entropy seed
>    sshd-regen-keys: Fix some systemd obsolete warnings about using syslog
>
>   .../sshd-regen-keys/files/sshd-regen-keys.service              | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
>
This patchset should be rebased on current next.

-- 
Anton Mikanovich
Promwad Ltd.
External service provider of ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn, Germany
+49 (89) 122 67 24-0
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov