Hello Devs. After upgrading bind to net-dns/bind-9.12.2_p2-r1 named fails to start with:

Dec 26 11:31:24 lordcritical named[5852]: running as: named -u named -t /chroot/dns
Dec 26 11:31:24 lordcritical named[5852]: compiled by GCC 7.3.0
Dec 26 11:31:24 lordcritical named[5852]: compiled with OpenSSL version: OpenSSL 1.0.2p 14 Aug 2018
Dec 26 11:31:24 lordcritical named[5852]: linked to OpenSSL version: OpenSSL 1.0.2p 14 Aug 2018
Dec 26 11:31:24 lordcritical named[5852]: compiled with libxml2 version: 2.9.8
Dec 26 11:31:24 lordcritical named[5852]: linked to libxml2 version: 20908
Dec 26 11:31:24 lordcritical named[5852]: compiled with zlib version: 1.2.11
Dec 26 11:31:24 lordcritical named[5852]: linked to zlib version: 1.2.11
Dec 26 11:31:24 lordcritical named[5852]: threads support is enabled
Dec 26 11:31:24 lordcritical named[5852]: ----------------------------------------------------
Dec 26 11:31:24 lordcritical named[5852]: BIND 9 is maintained by Internet Systems Consortium,
Dec 26 11:31:24 lordcritical named[5852]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Dec 26 11:31:24 lordcritical named[5852]: corporation.  Support and training for BIND 9 are
Dec 26 11:31:24 lordcritical named[5852]: available at https://www.isc.org/support
Dec 26 11:31:24 lordcritical named[5852]: ----------------------------------------------------
Dec 26 11:31:24 lordcritical named[5852]: adjusted limit on open files from 4096 to 1048576
Dec 26 11:31:24 lordcritical named[5852]: found 2 CPUs, using 2 worker threads
Dec 26 11:31:24 lordcritical named[5852]: using 1 UDP listener per interface
Dec 26 11:31:24 lordcritical named[5852]: using up to 4096 sockets
Dec 26 11:31:24 lordcritical named[5852]: openssl_link.c:296: fatal error:
Dec 26 11:31:24 lordcritical named[5852]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Dec 26 11:31:24 lordcritical named[5852]: exiting (due to fatal error in library)

Downgrading to net-dns/bind-9.11.2_p1 solves the problem for now. There are lots of complaints on the internet about the very same error. So I guess there is something wrong with that version.
Reproducible: Always

lordcritical ~ # emerge --info
Portage 2.3.51 (python 2.7.15-final-0, default/linux/amd64/17.0, gcc-7.3.0, glibc-2.27-r6, 4.14.90 x86_64)
=================================================================
System uname: Linux-4.14.90-x86_64-Intel_Core_Processor_-Skylake,_IBRS-with-gentoo-2.6
Timestamp of repository gentoo: Mon, 24 Dec 2018 13:00:01 +0000
Head commit of repository gentoo: 5aa585fafd78b219688d993d6d26d5102501ec43
I'm having this issue on three servers. I had to roll back to get the service back.
I did not have the urandom node in my chroot. I added that and it started.
(In reply to lou from comment #2)
> I did not have the urandom node in my chroot. I added that it started.

lou, your comment leads me to a "more proper" solution:

- install net-dns/bind[urandom]
- re-run emerge --config '=net-dns/bind-<your_bin_version>'

and /dev/urandom will be created in the chroot dir.
I experienced the same following an upgrade. It seems bind has changed the default behaviour for the random number generator. Earlier packages used /dev/random as the source, with an optional use flag of urandom to use /dev/urandom instead. Since Bind's change to use OpenSSL's pseudorandom number generator, it now requires /dev/urandom regardless of use flag. It looks like the ebuild needs updating to cater for the upstream change.
Confirming net-dns/bind[urandom] with CHROOT configured does resolve this issue. Removing CHROOT also permits bind to start. I agree that the ebuild should be reviewed to accommodate upstream's change without further user intervention. This oversight can negatively impact someone's critical DNS deployment.
This is still a problem with net-dns/bind-9.15.2:

emerge -vDNu net-dns/bind
emerge --config '=net-dns/bind-9.15.2'

The install and config complete without reported error. However, there is no "/chroot/dns/dev/urandom" created. Note that it is required for named ("net-dns/bind-9.15.2") to start.

The workaround is to run:

cd /chroot/dns/dev
mknod urandom c 1 9

"named" then starts fine.

FYI: The system log start errors reported when trying to start without "/chroot/dns/dev/urandom" are:

named[3181]: openssl_link.c:164: fatal error:
named[3181]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
named[3181]: exiting (due to fatal error in library)
/etc/init.d/named[3179]: start-stop-daemon: failed to start `/usr/sbin/named'

Thanks in advance for a future fix.

Regards, Martin
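A pre-start check for the missing device node described in the workaround above, added here as an example and not code from the bug thread or the Gentoo ebuild; it assumes the chroot path (/chroot/dns in the thread) is passed as an argument and that stat supports the %t/%T format (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example: verify that a BIND chroot contains a usable /dev/urandom before
# named is started with -t <chroot>, and create it only when it is missing.

# Return 0 if $1/dev/urandom is a character device with major 1, minor 9
# (the Linux urandom driver, as in "mknod urandom c 1 9"); 1 if the node is
# missing; 2 if something is there but it is not that device.
check_chroot_urandom() {
    node="$1/dev/urandom"
    [ -e "$node" ] || return 1
    [ -c "$node" ] || return 2
    # stat prints the major and minor device numbers in hex; urandom is 1:9
    devnums=$(stat -c '%t:%T' "$node" 2>/dev/null) || return 2
    [ "$devnums" = "1:9" ] || return 2
    return 0
}

# Create the node if absent (needs root or CAP_MKNOD). An existing entry that
# is not char 1:9 is left alone and reported, so a stray file is never
# silently replaced inside the chroot.
ensure_chroot_urandom() {
    chroot="$1"
    rc=0
    check_chroot_urandom "$chroot" || rc=$?
    case "$rc" in
        0) return 0 ;;
        1) mkdir -p "$chroot/dev" && mknod -m 0666 "$chroot/dev/urandom" c 1 9 ;;
        *) echo "refusing: $chroot/dev/urandom exists but is not char 1:9" >&2
           return 2 ;;
    esac
}

# Stand-alone usage: ./check-chroot-urandom.sh /chroot/dns
if [ -n "${1:-}" ]; then
    ensure_chroot_urandom "$1"
fi
```

Running the check before the init script starts named turns the opaque "PRNG not seeded" fatal error into an explicit, actionable report about the chroot.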
Had the same problem with 9.14.4.

Just-Installed versions: 9.14.4^t(04:06:11 09/24/19)(caps ipv6 readline -doc -gssapi -idn -libedit -libressl -xml)

I had the same problem: /var/log/messages had:

Sep 25 21:20:46 janus named[3315]: openssl_link.c:166: fatal error:
Sep 25 21:20:46 janus named[3315]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Sep 25 21:20:46 janus named[3315]: exiting (due to fatal error in library)
Sep 25 21:20:46 janus /etc/init.d/named[3313]: start-stop-daemon: failed to start `/usr/sbin/named'
Sep 25 21:20:46 janus /etc/init.d/named[3284]: ERROR: named failed to start

The work-around described in Martin's update on this bug at 2019-09-02 18:14:55 UTC fixed the problem.
This is very much still an existing issue.
No explanation on why or how this was marked as resolved.

During my installation I found the urandom still needs to be copied over.
https://github.com/ASoft-se/Gentoo-HAI/pull/55/files
(In reply to Christian Nilsson from comment #8)
> This is very much still an existing issue.
> No explanation on to why or how this was marked as resolved.
>
> During my installation I found the urandom still needs to be copied over.
> https://github.com/ASoft-se/Gentoo-HAI/pull/55/files

It was closed, supposedly, because it was fixed back then. It has been accidentally re-introduced but should be fixed again by:

https://github.com/gentoo/gentoo/commit/6e8faaad077caf9048e2c5a132ddade0b0b316aa#diff-48e2e169b4ac644113233aa81b09fe764cc3afc52bcd95fb75830fcc150efa1d

Can you confirm emerge --config net-dns/bind and/or restarting bind with the chroot option being set fixed it for you and created, if necessary, the /dev/urandom device?
Yes, my mistake; the main reason was that this was marked as resolved/obsolete without any explanation. Bug #793860 also exists, and has a working fix. Thanks, and sorry for the misunderstanding.
Let's finally mark it resolved then.