Re: [OE-core] [PATCH 1/2] dropbear/openssh: Lower priority of key generation
Met vriendelijke groet / kind regards, Mike Looijmans System Expert TOPIC Embedded Products B.V. Materiaalweg 4, 5681 RJ Best The Netherlands T: +31 (0) 499 33 69 69 E: mike.looijm...@topicproducts.com W: www.topicproducts.com Please consider the environment before printing this e-mail On 18-09-2020 19:55, Richard Purdie via lists.openembedded.org wrote: On Fri, 2020-09-18 at 10:45 -0700, Khem Raj wrote: On 9/17/20 11:00 PM, Richard Purdie wrote: Where we have images with PAM+systemd, serial login can be extremely slow. The load generated by key generation does slow down the rest of the boot process. this is a good find. So I wonder if its because we have entropy starvation. I see that we do enable virtio-rng while launching qemu so something to look in this area perhaps. I did check and the virtio rng is alive and well in the image. Its the CPU usage of the key generation that partly causes the issue. Another solution is to just have it create smaller keys. The computation time seems to grow exponential with the bit count, a 2048 size key can take 10 times longer than a 1024 bit key to generate, and a 4096 may take 10x that again. There's been a move to 4096 sizes keys lately, pushing the CPU use even further. Unless you're controlling a nuclear power plant or so, that's a bit excessive. -- Mike Looijmans -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#142715): https://lists.openembedded.org/g/openembedded-core/message/142715 Mute This Topic: https://lists.openembedded.org/mt/76925740/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH 1/2] dropbear/openssh: Lower priority of key generation
On Fri, 2020-09-18 at 10:45 -0700, Khem Raj wrote: > > On 9/17/20 11:00 PM, Richard Purdie wrote: > > Where we have images with PAM+systemd, serial login can be > > extremely > > slow. The load generated by key generation does slow down the rest > > of the boot process. > > > > this is a good find. So I wonder if its because we have entropy > starvation. I see that we do enable virtio-rng while launching qemu > so something to look in this area perhaps. I did check and the virtio rng is alive and well in the image. Its the CPU usage of the key generation that partly causes the issue. Cheers, Richard -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#142664): https://lists.openembedded.org/g/openembedded-core/message/142664 Mute This Topic: https://lists.openembedded.org/mt/76925740/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH 1/2] dropbear/openssh: Lower priority of key generation
On 9/17/20 11:00 PM, Richard Purdie wrote: Where we have images with PAM+systemd, serial login can be extremely slow. The load generated by key generation does slow down the rest of the boot process. this is a good find. So I wonder if its because we have entropy starvation. I see that we do enable virtio-rng while launching qemu so something to look in this area perhaps. Lower the priority level of these systemd services, since we'd prefer to have the rest of the system boot more effectively. This doesn't "solve" the slow systemd boot issues but does help. Signed-off-by: Richard Purdie --- meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service | 1 + meta/recipes-core/dropbear/dropbear/dropbearkey.service | 1 + 2 files changed, 2 insertions(+) diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service index 603c33787f1..fd81793d511 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service @@ -6,3 +6,4 @@ RequiresMountsFor=/var /run ExecStart=@LIBEXECDIR@/sshd_check_keys Type=oneshot RemainAfterExit=yes +Nice=10 diff --git a/meta/recipes-core/dropbear/dropbear/dropbearkey.service b/meta/recipes-core/dropbear/dropbear/dropbearkey.service index c49053d57c7..71a12a6110c 100644 --- a/meta/recipes-core/dropbear/dropbear/dropbearkey.service +++ b/meta/recipes-core/dropbear/dropbear/dropbearkey.service @@ -11,3 +11,4 @@ Type=oneshot ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR} ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key RemainAfterExit=yes +Nice=10 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#142663): https://lists.openembedded.org/g/openembedded-core/message/142663 Mute This Topic: https://lists.openembedded.org/mt/76925740/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH 1/2] dropbear/openssh: Lower priority of key generation
Where we have images with PAM+systemd, serial login can be extremely slow. The load generated by key generation does slow down the rest of the boot process. Lower the priority level of these systemd services, since we'd prefer to have the rest of the system boot more effectively. This doesn't "solve" the slow systemd boot issues but does help. Signed-off-by: Richard Purdie --- meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service | 1 + meta/recipes-core/dropbear/dropbear/dropbearkey.service | 1 + 2 files changed, 2 insertions(+) diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service index 603c33787f1..fd81793d511 100644 --- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service @@ -6,3 +6,4 @@ RequiresMountsFor=/var /run ExecStart=@LIBEXECDIR@/sshd_check_keys Type=oneshot RemainAfterExit=yes +Nice=10 diff --git a/meta/recipes-core/dropbear/dropbear/dropbearkey.service b/meta/recipes-core/dropbear/dropbear/dropbearkey.service index c49053d57c7..71a12a6110c 100644 --- a/meta/recipes-core/dropbear/dropbear/dropbearkey.service +++ b/meta/recipes-core/dropbear/dropbear/dropbearkey.service @@ -11,3 +11,4 @@ Type=oneshot ExecStart=@BASE_BINDIR@/mkdir -p ${DROPBEAR_RSAKEY_DIR} ExecStart=@SBINDIR@/dropbearkey -t rsa -f ${DROPBEAR_RSAKEY_DIR}/dropbear_rsa_host_key RemainAfterExit=yes +Nice=10 -- 2.25.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#142640): https://lists.openembedded.org/g/openembedded-core/message/142640 Mute This Topic: https://lists.openembedded.org/mt/76925740/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-