Hi Sander, Lukas,

On 05/23/2018 02:32 PM, Lukas Tribus wrote:
> Hello,
>
> On 23 May 2018 at 13:10, Sander Hoentjen <[email protected]> wrote:
>> I can confirm the issue is gone when I don't use chroot. I will try to
>> see if I can get more info like a strace soon. I won't be able to today
>> though. Thanks Lukas and Emeric!
>
> 1.8.9 with 1.1.1-pre6 chrooted is now running for me for more than 22
> hours. I don't see the same issue.
>
> So probably we are facing a different issue.
>
>
>
> Lukas
>
This issue was due to openssl-1.1.1, which re-seeds after an elapsed time
or number of requests.

If /dev/urandom is used as seeding source when haproxy is chrooted, it
fails to re-open /dev/urandom ....

By default the openssl-1.1.1 configure script uses the syscall getrandom
as seeding source and falls back on /dev/urandom if not available.

So you don't face the issue if your openssl-1.1.1 is compiled to use
getrandom.

But the getrandom syscall is available only since kernel > 3.17 and the main
point: for glibc > 2.25.

With openssl-1.1.1 you can check this this way:

# ./openssl-1.1.1/openssl version -r
Seeding source: getrandom-syscall

R,
Emeric
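
Added example, not part of the message above and not OpenSSL or HAProxy code: a simplified C model of a re-seed that prefers getrandom and falls back to a device path, showing why only the device source depends on what is visible under the process root. The names reseed, seed_getrandom and seed_device, and the constructed path standing in for a chroot without /dev/urandom, are assumptions.

```c
/* Added example: simplified model of a re-seed, not OpenSSL's code. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

enum seed_src { SRC_NONE, SRC_GETRANDOM, SRC_DEVICE };

/* getrandom needs no file path, so the process root does not matter.
 * Called via syscall(2) here to avoid depending on a libc wrapper. */
static int seed_getrandom(unsigned char *buf, size_t len)
{
#ifdef SYS_getrandom
    return syscall(SYS_getrandom, buf, len, 0) == (long)len ? 0 : -1;
#else
    (void)buf; (void)len;
    return -1;
#endif
}

/* The device path is resolved on every call, relative to the current
 * root: after chroot() it only opens if the jail contains the node. */
static int seed_device(const char *path, unsigned char *buf, size_t len)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len);
    close(fd);
    return n == (ssize_t)len ? 0 : -1;
}

/* use_getrandom = 0 models a build whose only seeding source is the device. */
enum seed_src reseed(const char *dev, int use_getrandom,
                     unsigned char *buf, size_t len)
{
    if (use_getrandom && seed_getrandom(buf, len) == 0)
        return SRC_GETRANDOM;
    return seed_device(dev, buf, len) == 0 ? SRC_DEVICE : SRC_NONE;
}

int main(void)
{
    unsigned char b[32];
    /* Constructed path: /dev/urandom as seen from a chroot without it. */
    const char *jailed = "/nonexistent-jail/dev/urandom";
    printf("device only, jailed: %d\n", reseed(jailed, 0, b, sizeof b));
    printf("getrandom,   jailed: %d\n", reseed(jailed, 1, b, sizeof b));
    return 0;
}
```

A caller that gets SRC_NONE back has no fresh entropy and should treat the re-seed as failed instead of continuing with the old state.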

