I've upgraded my VMs to the 10.3 point release and can confirm that
cryptographic services (SSH and others) start quite rapidly now on
system boot.
Thanks, all!
-Michael
Apologies for the late reply. I can certainly test on some of my VMs if
you're willing to provide packages.
Reading over Linus' explanation of deriving jitter from the CPU's cycle
counter, while I'm no cryptographer, I might have some concerns about
the quality of the entropy that will be
> The release notes for buster do mention this issue and provide a
> link to:
>
> https://wiki.debian.org/BoottimeEntropyStarvation
>
> which has your Haveged solution as one of its suggestions.
>
D'oh! Serves me right for just skimming the release notes, then. After
doing some in-depth
Package: linux-image-4.19.0-5-amd64
Version: 4.19.0-5
Issue:
==
After upgrading to Debian Buster, Xen PV guests' entropy pool is too
low to start cryptographic services in a timely manner. This results in
30+ second delays in the startup of services such as SSH. If I connect
to the VM's
I've tested the workaround successfully. Added `pti=off` to my kernel's
boot arguments, updated GRUB, and it started as intended.
Benoît,
Just to be sure, since you're loading your guests' kernels directly
like that, you're passing pti=off via the `extra` config line in your
domU config files,
This also apparently affects at least PV guests. Upgrading a PV domU to
kernel 4.9.110-1 and rebooting yields the following output via xl's
console:
Loading Linux 4.9.0-6-amd64 ...
Loading Linux 4.9.0-7-amd64 ...
Loading initial ramdisk ... [ vmlinuz-4.9.0-7-
amd6 2.69MiB 66% 1.67MiB/s ]
[
Package: linux-image-4.9.0-7-amd64
Version: 4.9.110-1
Description:
After installing the latest Stretch kernel, 4.9.110-1, on a server
running Xen Hypervisor 4.8, bootstrapping the kernel fails. GRUB loads
the hypervisor as normal, which then attempts to load the Dom0 kernel.
Once
On further investigation, Arne's absolutely right. I upgraded the
kernel back to 4.9.88-1 from Debian Security and installed 'haveged'
(another random number generator). Everything started quickly and
normally after a reboot. Turns out I hadn't noticed this on any of my
other virtual servers
Package: linux-image-4.9.0-6-amd64
Version: 4.9.88-1
Issue:
==
Kernel "linux-image-4.9.0-6-amd64," version 4.9.88-1, breaks systemd
startup of RPC, Kerberos KDC services.
Description:
After upgrading to the latest Stretch kernel (4.9.88-1), RPC and KDC
services time out
Aha! Okay, that certainly explains some things. I didn't realize PVH
was a "use at your own risk" tech preview in Xen 4.8 and kernel 4.9.
Luckily, my infrastructure didn't rely on PVH to start with; I can go
back to conventional PV or HVM with no problem.
Thanks for investigating!
-Michael
Package: linux-image-amd64
Version: 4.9+80+deb9u
Not sure if this needs to go to the Debian Kernel team or Debian Xen
team, so please feel free to reclassify as necessary. I'm leaning
toward this being a kernel bug, as the Xen packages had not changed
when this issue was introduced; only the
11 matches
Mail list logo
