Devuan bug report logs - #316
Package 'haveged' wont start on Devuan Beowulf due to broken PID file specification

Package: haveged; Reported by: Mike Tubby <mike@tubby.org>; Keywords: debian beowulf; Forwarded to https://bugs.debian.org/911604; Maintainer for haveged is (unknown).
Set bug forwarded-to-address to 'https://bugs.debian.org/911604'. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.devuan.org.
Added tag(s) beowulf and debian. Request was from Mark Hindley <mark@hindley.org.uk> to 316-submit@bugs.devuan.org.

Message received at 316@bugs.devuan.org:


Date: Tue, 14 Jan 2020 19:01:13 +0000
From: Mark Hindley <mark@hindley.org.uk>
To: 316@bugs.devuan.org
Subject: Re: Package 'haveged' wont start on Devuan Beowulf due to broken PID
 file specification

Control: tag -1 beowulf debian

Mike

Thanks.

This seems to be Debian #911604 which is fixed in version 1.9.1-8,
but not buster.

At least there is a configuration workaround.

Mark

Information forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#316; Package haveged.

Message received at submit@bugs.devuan.org:


To: submit@bugs.devuan.org
From: Mike Tubby <mike@tubby.org>
Subject: Package 'haveged' wont start on Devuan Beowulf due to broken PID file
 specification
Date: Fri, 12 Apr 2019 22:37:29 +0100

Package: haveged
Version: 1.9.1-6

Dell R210-II servers upgraded to Beowulf on 12th April 2019, now package 
'haveged' (entropy daemon) fails to start:
     a) at boot
     b) via 'service haveged start'
     c) from the command line, if the PID file is specified

All attempts at running haveged result in an apparmor/audit as follows:

Apr 12 21:54:41 ns0 kernel: [ 4684.518633] audit: type=1400 audit(1555102481.459:19): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" *name="/run/haveged.pid"* pid=9474 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0

With apparmor suggesting that haveged is being refused permission for 
haveged to make a node, for the pid file


Stopping apparmor with 'aa-teardown' allows haveged to start as expected:

root@ns0:/etc/apparmor.d/local# aa-teardown
Unloading AppArmor profiles
root@ns0:/etc/apparmor.d/local# service haveged restart
[ ok ] Restarting entropy daemon: haveged.
root@ns0:/etc/apparmor.d/local# ps ax | grep haveged
  9741 ?        Ss     0:00 /usr/sbin/haveged -w 1024
  9761 pts/0    S+     0:00 grep haveged
root@ns0:/etc/apparmor.d/local#

Haveged is documented as using the path /var/run/haveged.pid by default 
and not /run/haveged.pid.  Checking the binary with 'strings' confirms this:

root@ns0:/etc/apparmor.d/local# strings /usr/sbin/haveged | grep pid
getpid
pidfile
/var/run/haveged.pid
daemon pidfile, default: /var/run/haveged.pid
root@ns0:/etc/apparmor.d/local#


Adding an entry to /etc/apparmor.d/local/usr.sbin.haveged as follows:

root@ns0:/etc/apparmor.d/local# cat usr.sbin.haveged
# Site-specific additions and overrides for usr.sbin.haveged.
# For more details, please see /etc/apparmor.d/local/README.

/var/run/haveged.pid rw,
/run/haveged.pid rw,

Allows haveged to work as expected.


Clearly something with haveged and/or apparmor is broken here...


Mike





Acknowledgement sent to Mike Tubby <mike@tubby.org>:
New bug report received and forwarded. Copy sent to owner@bugs.devuan.org.
Report forwarded to devuan-bugs@lists.dyne.org, owner@bugs.devuan.org:
bug#316; Package haveged.
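
Added example, not part of the original report or of the haveged or AppArmor projects: a small parser that turns AppArmor file denials like the one quoted in the report into the narrowest rule for the matching /etc/apparmor.d/local/ override file. For the logged event that is write access on /run/haveged.pid only; further denials can still appear once it is allowed. The function names, the "exampled" profile and sample lines 2 to 4 are constructed, and profiles are assumed to be named after the binary's path.

```python
import re
from collections import defaultdict

# Constructed input. Line 1 is the denial quoted in the report (e-mail emphasis
# asterisks dropped); lines 2-4 are invented to exercise filtering and merging.
SAMPLE_LOG = """\
Apr 12 21:54:41 ns0 kernel: [ 4684.518633] audit: type=1400 audit(1555102481.459:19): apparmor="DENIED" operation="mknod" profile="/usr/sbin/haveged" name="/run/haveged.pid" pid=9474 comm="haveged" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
Jan 01 00:00:01 host kernel: [ 1.000000] audit: type=1400 audit(1.000:1): apparmor="ALLOWED" operation="open" profile="/usr/bin/exampled" name="/etc/exampled.conf" pid=100 comm="exampled" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jan 01 00:00:02 host kernel: [ 2.000000] audit: type=1400 audit(2.000:2): apparmor="DENIED" operation="open" profile="/usr/bin/exampled" name="/var/lib/exampled/state" pid=100 comm="exampled" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jan 01 00:00:03 host kernel: [ 3.000000] audit: type=1400 audit(3.000:3): apparmor="DENIED" operation="exec" profile="/usr/bin/exampled" name="/usr/bin/helper" pid=100 comm="exampled" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
"""

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Audit mask letter -> file permission used in a profile rule. Create ("c") and
# delete ("d") have no letter of their own in rules; write access covers both.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w"}

def parse_denials(text):
    """Yield (profile, path, denied_mask) for each AppArmor file denial."""
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # skips ALLOWED (complain-mode) events and other logs
        f = {k: quoted or bare for k, quoted, bare in KV.findall(line)}
        if "profile" in f and "name" in f and "denied_mask" in f:
            yield f["profile"], f["name"], f["denied_mask"]

def local_override_path(profile):
    """Assumes a path-named profile: /usr/sbin/haveged -> local/usr.sbin.haveged."""
    return "/etc/apparmor.d/local/" + profile.strip("/").replace("/", ".")

def suggest_rules(text):
    """Return ({override_file: [rule, ...]}, [denials needing manual review])."""
    perms, review = defaultdict(set), []
    for profile, path, mask in parse_denials(text):
        for letter in mask:
            if letter in MASK_TO_PERM:
                perms[(profile, path)].add(MASK_TO_PERM[letter])
            else:  # e.g. "x": exec rules need a transition mode chosen by hand
                review.append((profile, path, letter))
    rules = defaultdict(list)
    for (profile, path), granted in sorted(perms.items()):
        if "w" in granted:
            granted.discard("a")  # "w" already implies append; they are not combined
        rules[local_override_path(profile)].append(
            f"{path} {''.join(p for p in 'rwa' if p in granted)},")
    return dict(rules), review

if __name__ == "__main__":
    print(suggest_rules(SAMPLE_LOG))
```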

Last modified: Sun, 31 May 2020 18:39:02 UTC