1

I have a Linux device with several services of my own.
Kernel: 4.14.151
systemd: systemd 249 (249.11-0ubuntu3.12)

My services are written as sysvinit services and automatically generated as systemd services using the /run/systemd/generator.early.
Everything worked fine until I wanted to call /usr/bin/ssh-keygen -t ed25519 ... from one of my services.
At that moment, my call to ssh-keygen gets blocked until systemd-random-seed.service is done. But it's not done, it gets to timeout. So the whole boot takes a lot of time.

  • I understand systemd-random-seed.service is in charge of starting the entropy pool for randomness, that's why ssh-keygen is blocked.
  • But, why do they go into dead lock? I would expect systemd-random-seed.service to finish unrelated to ssh-keygen.
  • Before my changes, systemd-random-seed.service took ~16 seconds. (I can see using systemd-analyze blame and systemd-analyze plot > chain.svg.
  • After my changes it can get to 10 minutes timeout.
  • Regardless of my change. Meaning, without adding ssh-keygen call to one of my services, I've tried to remove one of my sysvinit service. Doing that makes systemd-random-seed.service even more unpredictable - it finishes after 2-6 minutes.
  • My purpose was re-writing my sysvinit service as a systemd service After=systemd-random-seed.service so it will surely pass.

The bottom line is systemd-random-seed.service is not clear to me.
Can you please explain its behavior? Why doesn't it start regardless of ssh-keygen?
How can I start another service after it finishes?

Improve this question
3
  • Is this running on a VM? Are you using an egd? Commented Mar 13 at 11:04
  • @symcbean not a VM. I don't know what egd is. Commented Mar 13 at 11:07
  • 1
    egd = entropy gathering daemon; if you were running a VM then one should be provisioned as part of the guest tools. haveged, as mentioned by frostshutz, will work on baremetal and most vms. Commented Mar 13 at 11:24

2 Answers 2

Reset to default
1

systemd-random-seed loads a seed from a file /var/lib/systemd/random-seed, which is nearly instant, unless your filesystem is not mounted or network attached or really slow for other reasons.

The file is subsequently overwritten with a new seed to be used the next time the system reboots.

And this is where systemd-random-seed could hang, because it waits for the random pool to be fully initialized, before writing a new seed.

man 8 systemd-random-seed.service:

This new seed is retrieved synchronously from the kernel, which means the service will not complete start-up until the random pool is fully initialized. On entropy-starved systems this may take a while.

This is usually a problem with older kernels only. Newer kernels no longer block random thanks to a revamped random device initialization and algorithm.

If running a newer kernel version is not possible, you could try alternative entropy providers like haveged, maybe it helps.

Improve this answer
4
  • My fs is a rootfs initialized from a .initrd file. The disk is mounted using a udev service. But systemd-random-seed.service hangs a lot after. Commented Mar 13 at 11:18
  • 1
    @hudac Yeah, that was a common issue, for many years. Kernel solved most of these only relatively recently (since v5.8+ or so, your kernel is quite a lot older). I still use haveged everywhere today, as well as my own random seed logic in early initramfs. Doesn't cost me anything and fixes issues like yours. Commented Mar 13 at 11:23
  • 1
    @hudac You can also try to enable SYSTEMD_RANDOM_SEED_CREDIT (implemented since systemd 243, according to the manpage), however systemd recommends to do this only if you have a unique seed that changes every boot. Not sure if I understood correctly whether you're generating this each boot (could be an issue) or mounting a persistent disk somewhere (should be fine). With systemd itself crediting entropy, that might be enough for the kernel to consider the random device properly initialized and stop blocking (for /dev/urandom, anyway). Commented Mar 13 at 16:22
  • 1
    haveged did solve the issue. Thank you. Commented Mar 16 at 8:10
0

put a "/var/lib/systemd/random-seed" to your initrd manually.

Or make some tweaks on tools which responsible for creating initrd to add it automatically.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.