Bug 779766 - emerge: long delay during refreshing keys over IPv6
Summary: emerge: long delay during refreshing keys over IPv6
Status: CONFIRMED
Alias: None
Product: Mirrors
Classification: Unclassified
Component: Server Problem
Hardware: All Linux
Importance: Normal normal
Assignee: Mirror Admins
Reported: 2021-04-02 01:15 UTC by Anton Bolshakov
Modified: 2024-11-20 09:07 UTC
Description Anton Bolshakov 2021-04-02 01:15:37 UTC
Hello, I have a server with IPv6 configured. It takes 5-10 minutes to refresh keys every time I run "emerge --sync":

" * Running emerge --sync
>>> Syncing repository 'gentoo' into '/usr/portage'...
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys via WKD ...
"

tcpdump shows attempts to connect to the www.gentoo.org IPv6 address, however there is no response from it:

09:11:26.158138 IP6 2401:df40:2::9:241b:1a6e.40628 > 2a04:4e42:600::649.443: Flags [S], seq 2426953407, win 64800, options [mss 1440,sackOK,TS val 3605581822 ecr 0,nop,wscale 7], length 0
09:11:28.344830 IP6 2401:df40:2::9:241b:1a6e.40628 > 2a04:4e42:600::649.443: Flags [S], seq 2426953407, win 64800, options [mss 1440,sackOK,TS val 3605584008 ecr 0,nop,wscale 7], length 0
09:11:32.398234 IP6 2401:df40:2::9:241b:1a6e.40628 > 2a04:4e42:600::649.443: Flags [S], seq 2426953407, win 64800, options [mss 1440,sackOK,TS val 3605588062 ecr 0,nop,wscale 7], length 0
09:11:40.158717 IP6 2401:df40:2::9:241b:1a6e.55150 > 2a04:4e42:400::649.443: Flags [S], seq 310372584, win 64800, options [mss 1440,sackOK,TS val 2387287421 ecr 0,nop,wscale 7], length 0
09:11:41.171471 IP6 2401:df40:2::9:241b:1a6e.55150 > 2a04:4e42:400::649.443: Flags [S], seq 310372584, win 64800, options [mss 1440,sackOK,TS val 2387288434 ecr 0,nop,wscale 7], length 0


emerge --info
Portage 3.0.17 (python 3.9.2-final-0, default/linux/amd64/17.1, gcc-10.2.0, glibc-2.32-r7, 5.4.97 x86_64)
=================================================================
System uname: Linux-5.4.97-x86_64-QEMU_Virtual_CPU_version_2.5+-with-glibc2.32
KiB Mem:     4013440 total,    591660 free
KiB Swap:    1048572 total,   1043452 free
Timestamp of repository gentoo: Tue, 30 Mar 2021 01:15:01 +0000
Head commit of repository gentoo: 457a663b6029a270e881e4acedb4e10a3c5bc0e7
Head commit of repository pentoo: 6811d845121debea38c80dd648c9fc30bd9ee2a6

sh bash 5.0_p18
ld GNU ld (Gentoo 2.35.1 p2) 2.35.1
app-shells/bash:          5.0_p18::gentoo
dev-java/java-config:     2.3.1::gentoo
dev-lang/perl:            5.30.3::gentoo
dev-lang/python:          3.9.2::gentoo
dev-util/cmake:           3.18.5::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.7::gentoo
sys-apps/openrc:          0.42.1-r1::gentoo
sys-apps/sandbox:         2.20::gentoo
sys-devel/autoconf:       2.69-r5::gentoo
sys-devel/automake:       1.13.4-r2::gentoo, 1.16.2-r1::gentoo
sys-devel/binutils:       2.35.1-r1::gentoo
sys-devel/gcc:            10.2.0-r5::gentoo
sys-devel/gcc-config:     2.3.3::gentoo
sys-devel/libtool:        2.4.6-r6::gentoo
sys-devel/make:           4.3::gentoo
sys-kernel/linux-headers: 5.10::gentoo (virtual/os-headers)
sys-libs/glibc:           2.32-r7::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://140.127.177.17/gentoo-portage
    priority: -1000
    sync-rsync-extra-opts: 
    sync-rsync-verify-metamanifest: yes
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-max-age: 24

local-overlay
    location: /usr/local/portage
    masters: gentoo
    priority: 0

pentoo
    location: /var/lib/layman/pentoo
    sync-type: git
    sync-uri: https://github.com/pentoo/pentoo-overlay
    masters: gentoo
    priority: 50

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="@FREE"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/easy-rsa /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--quiet-build"
ENV_UNSET="CARGO_HOME DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN GOPATH PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-docompress binpkg-dostrip binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles ipc-sandbox merge-sync multilib-strict network-sandbox news parallel-fetch pid-sandbox preserve-libs protect-owned qa-unresolved-soname-deps sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="https://ftp.iij.ad.jp/pub/linux/gentoo/"
LANG="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 berkdb bzip2 cli crypt dri fortran gdbm iconv ipv6 libglvnd libtirpc multilib mysql ncurses nls nptl openmp pam pcre readline seccomp split-usr ssl tcpd unicode xattr zlib" ABI_X86="64" ADA_TARGET="gnat_2018" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon sheets words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock greis isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="libinput" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LUA_SINGLE_TARGET="lua5-1" LUA_TARGETS="lua5-1" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-3 php7-4" POSTGRES_TARGETS="postgres10 postgres11" PYTHON_SINGLE_TARGET="python3_9" PYTHON_TARGETS="python3_9" RUBY_TARGETS="ruby26" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq proto steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BINHOST, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Anton Bolshakov 2021-04-02 01:21:20 UTC
there is also a problem with retrieving gpg key:
bash$ gpg --debug all --auto-key-locate wkd -vvvvv --locate-keys developer@gentoo.org 

gpg: DBG: chan_5 <- OK Dirmngr 2.2.27 at your service
gpg: DBG: connection to the dirmngr established
gpg: DBG: chan_5 -> GETINFO version
gpg: DBG: chan_5 <- D 2.2.27
gpg: DBG: chan_5 <- OK
gpg: DBG: chan_5 -> WKD_GET -- developer@gentoo.org
gpg: DBG: chan_5 <- S SOURCE https://gentoo.org
gpg: DBG: chan_5 <- S PROGRESS tick ? 0 0
gpg: DBG: chan_5 <- S WARNING http_redirect_cleanup 0 changed from 'https://gentoo.org/.well-known/openpgpkey/hu/8ssm33j13uke6j94cmw3gbu58o49bf8z?l=developer' to 'https://www.gentoo.org/.well-known/openpgpkey/hu/8ssm33j13uke6j94cmw3gbu58o49bf8z?l=developer'
gpg: WARNING: unacceptable HTTP redirect from server was cleaned up
gpg: (further info: changed from 'https://gentoo.org/.well-known/openpgpkey/hu/8ssm33j13uke6j94cmw3gbu58o49bf8z?l=developer' to 'https://www.gentoo.org/.well-known/openpgpkey/hu/8ssm33j13uke6j94cmw3gbu58o49bf8z?l=developer')
gpg: DBG: chan_5 <- S PROGRESS tick ? 0 0
gpg: DBG: chan_5 <- ERR 167772218 No data <Dirmngr>
gpg: error retrieving 'developer@gentoo.org' via WKD: No data
gpg: error reading key: No data
gpg: DBG: chan_5 -> BYE
Comment 2 Alexey Shvetsov archtester gentoo-dev 2022-10-17 08:56:17 UTC
I get same issue
Comment 3 Oleg Muraviov 2023-01-09 17:26:53 UTC
Same for me
Comment 4 Joe Kappus 2023-01-10 07:13:45 UTC
(In reply to Anton Bolshakov from comment #1)
> there is also a problem with retrieving gpg key:
> bash$ gpg --debug all --auto-key-locate wkd -vvvvv --locate-keys
> developer@gentoo.org 
> 

I think you need to escape the @ somehow. Searching by name works, joe will retrieve my key. Are you still affected by this?

(In reply to Alexey Shvetsov from comment #2)
> I get same issue

With what version? 2.2 branch alone has had numerous fixes that could have resolved these issues. 

From 2.2.35:
* dirmngr: Make WKD lookups work for resolvers not handling SRV records.  [T4729]

The report on this specifically involves gentoo: https://dev.gnupg.org/T4729

From 2.2.34:
* dirmngr: Avoid initial delay on the first keyserver access in presence of --no-use-tor.  [rGdde88897e2]
Comment 5 Mike DeSimone 2023-04-22 15:29:08 UTC
I have gpg 2.2.41 and have this problem as well.


# gpg --debug all --auto-key-locate wkd -vvvvv --locate-keys developer@gentoo.org 
gpg: reading options from '[cmdline]'
gpg: using character set 'utf-8'
gpg: enabled debug flags: packet mpi crypto filter iobuf memory cache memstat trust hashing ipc clock lookup extprog
gpg: enabled compatibility flags:
gpg: DBG: [not enabled in the source] start
gpg: directory '/root/.gnupg' created
gpg: DBG: fd_cache_invalidate (/root/.gnupg/pubring.kbx)
gpg: DBG: iobuf-1.0: open '/root/.gnupg/pubring.kbx' desc=file_filter(fd) fd=3
gpg: DBG: iobuf-1.0: close 'file_filter(fd)'
gpg: DBG: /root/.gnupg/pubring.kbx: close fd/handle 3
gpg: DBG: fd_cache_close (/root/.gnupg/pubring.kbx) new slot created
gpg: DBG: iobuf-*.*: ioctl '/root/.gnupg/pubring.kbx' invalidate
gpg: DBG: fd_cache_invalidate (/root/.gnupg/pubring.kbx)
gpg: DBG:                 did (/root/.gnupg/pubring.kbx)
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: using pgp trust model
gpg: DBG: [not enabled in the source] keydb_new
gpg: DBG: [not enabled in the source] keydb_search enter
gpg: DBG: keydb_search: 1 search descriptions:
gpg: DBG: keydb_search   0: SUBSTR: 'developer@gentoo.org'
gpg: DBG: keydb_search: searching keybox (resource 0 of 1)
gpg: DBG: keydb_search: searched keybox (resource 0 of 1) => EOF
gpg: DBG: [not enabled in the source] keydb_search leave (not found)
gpg: no running Dirmngr - starting '/usr/bin/dirmngr'
gpg: waiting for the dirmngr to come up ... (5s)
gpg: DBG: chan_5 <- # Home: /root/.gnupg
gpg: DBG: chan_5 <- # Config: /root/.gnupg/dirmngr.conf
gpg: DBG: chan_5 <- OK Dirmngr 2.2.41 at your service
gpg: connection to dirmngr established
gpg: DBG: chan_5 -> GETINFO version
gpg: DBG: chan_5 <- D 2.2.41
gpg: DBG: chan_5 <- OK
gpg: DBG: chan_5 -> WKD_GET -- developer@gentoo.org
gpg: DBG: chan_5 <- S SOURCE https://openpgpkey.gentoo.org
gpg: DBG: chan_5 <- ERR 167772218 No data <Dirmngr>
gpg: error retrieving 'developer@gentoo.org' via WKD: No data
gpg: error reading key: No data
gpg: DBG: chan_5 -> BYE
gpg: DBG: [not enabled in the source] stop
gpg: keydb: handles=1 locks=0 parse=0 get=0
gpg:        build=0 update=0 insert=0 delete=0
gpg:        reset=0 found=0 not=1 cache=0 not=0
gpg: kid_not_found_cache: count=0 peak=0 flushes=0
gpg: sig_cache: total=0 cached=0 good=0 bad=0
gpg: random usage: poolsize=600 mixed=0 polls=0/0 added=0/0
              outmix=0 getlvl1=0/0 getlvl2=0/0
gpg: rndjent stat: collector=0x0000000000000000 calls=0 bytes=0
gpg: secmem usage: 0/65536 bytes in 0 blocks


Nothing helpful from gpg, though. Is there any way to set a timeout?

Also, I noticed that `traceroute openpgpkey.gentoo.org` works while `traceroute6 openpgpkey.gentoo.org` doesn't:

$ traceroute openpgpkey.gentoo.org
traceroute to openpgpkey.gentoo.org (89.16.167.134), 30 hops max, 60 byte packets
[...nodes omitted...]
18  te0-0-0-2.cr4.yrk.bytemark.co.uk (130.180.202.57)  157.861 ms  141.308 ms  140.387 ms
19  po1.ar2.dc1.yo26.yrk.bytemark.co.uk (91.223.58.33)  140.495 ms  140.481 ms  141.127 ms
20  * www.gentoo.org (89.16.167.134)  139.547 ms *

$ traceroute6 openpgpkey.gentoo.org
traceroute to openpgpkey.gentoo.org (2001:41c8:0:936::136), 30 hops max, 80 byte packets
[...nodes omitted...]
14  te0-0-0-2.cr4.yrk.bytemark.co.uk (2001:41c8:0:10c::1)  138.821 ms  140.788 ms  139.801 ms
15  po1.ar2.dc1.yo26.yrk.bytemark.co.uk (2001:41c8:0:110::2)  133.374 ms  134.327 ms  134.405 ms
16  * * *
[..."* * *" omitted...]
30  * * *
Comment 6 Bob Deblier 2023-06-15 06:47:11 UTC
Hit by this bug this morning as well:

 * Refreshing keys via WKD ...                                                                                                                          [ ok ]
>>> Starting rsync with rsync://[2a00:1828:a00d:ffff::6]/gentoo-portage...
>>> Checking server timestamp ...
timed out
rsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(713) [Receiver=3.2.7]
>>> Retrying...


>>> Starting retry 1 of 3 with rsync://[2a01:90:200:10::1a]/gentoo-portage
>>> Checking server timestamp ...
timed out
rsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at rsync.c(713) [Receiver=3.2.7]
>>> Retrying...


>>> Starting retry 2 of 3 with rsync://89.238.71.6/gentoo-portage
>>> Checking server timestamp ...
Welcome to turnstone.gentoo.org / rsync.gentoo.org
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-06-15 16:45:56 UTC
(In reply to Bob Deblier from comment #6)
> Hit by this bug this morning as well:

This sounds like a different problem - it's not to do with refreshing keys hanging.
Comment 8 Larry the Git Cow gentoo-dev 2023-08-17 06:53:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/portage.git/commit/?id=9268a92b9666eaaf263999b18220c0d56d8c476c

commit 9268a92b9666eaaf263999b18220c0d56d8c476c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-08-13 04:36:04 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-08-17 06:52:55 +0000

    sync: rsync, git: respect --debug for gemato
    
    Respect --debug and pass it down to gemato so we get nice debugging output
    when e.g. 'refreshing keys' is stuck.
    
    Bug: https://bugs.gentoo.org/646194
    Bug: https://bugs.gentoo.org/647696
    Bug: https://bugs.gentoo.org/691666
    Bug: https://bugs.gentoo.org/779766
    Bug: https://bugs.gentoo.org/873133
    Bug: https://bugs.gentoo.org/906875
    Bug: https://github.com/projg2/gemato/issues/7
    Bug: https://github.com/projg2/gemato/issues/25
    Signed-off-by: Sam James <sam@gentoo.org>

 lib/portage/sync/modules/git/git.py     | 15 +++++++++++++--
 lib/portage/sync/modules/rsync/rsync.py | 11 +++++++++--
 lib/portage/sync/syncbase.py            | 12 ++++++++----
 3 files changed, 30 insertions(+), 8 deletions(-)
Comment 9 Leonid Kopylov 2023-09-25 10:26:15 UTC
same here, works only after uncommenting "precedence ::ffff:0:0/96  100" in /etc/gai.conf
Comment 10 Matthew "Archer" Vaughn 2024-05-17 21:28:54 UTC
(In reply to Leonid Kopylov from comment #9)
> same here, works only after uncommenting "precedence ::ffff:0:0/96  100" in
> /etc/gai.conf

Exactly the same problem, presentation, and workaround here.
Comment 11 aceone 2024-09-12 00:28:02 UTC
Sync took a very long time, but worked. But eselect repository enable/list fails with timeout. After changing /etc/gai.conf no more problems.
Comment 12 Andrey Aleksandrovich 2024-10-31 17:42:53 UTC
(In reply to Leonid Kopylov from comment #9)
> same here, works only after uncommenting "precedence ::ffff:0:0/96  100" in
> /etc/gai.conf

Same here. Thanks for this.
Comment 13 selckin 2024-11-19 20:40:02 UTC
Story time

Also had this hang (again).
Had an IPv6 connection that was not routing traffic; after resolving that, it worked again.
Was also playing with DNS, and when all requests for gentoo.org errored because of DNSSEC failure, this also hung forever.

Tried to investigate a bit, and can reproduce it easily by just blocking all IPv6 traffic with nftables. And then


[~] % python
Python 3.12.7 (main, Oct  4 2024, 10:11:28) [GCC 13.3.1 20240920] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>> requests.get("https://gentoo.org", timeout=1)

Without a timeout this will hang forever, as documented at https://requests.readthedocs.io/en/latest/user/advanced/#timeouts

With a timeout, it will retry with IPv4 (as documented) and work, or give an error and not hang forever.
Edited /usr/lib/python3.12/site-packages/portage/sync/syncbase.py to pass a timeout=5 to gemato, and that seemed to work.

Then I noticed patches already existing on this bug, please merge :)
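
The following is an added example, not code from this bug's comments or from Portage, gemato or GnuPG. It builds the two WKD URLs for an address (the hash matches the one in comment 1) and then tries every resolved address of a host with a per-attempt timeout, so a black-holed IPv6 path shows up as a bounded failure ahead of a working IPv4 one. The function names, `sample_resolve`, `sample_connect` and the documentation-range addresses are assumptions made for the example.

```python
import hashlib
import socket
import time
from urllib.parse import quote

ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"  # z-base-32 alphabet used by WKD

def wkd_urls(address):
    """Return the (advanced, direct) WKD URLs for an e-mail address."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    sha1 = int.from_bytes(hashlib.sha1(local.lower().encode()).digest(), "big")
    # 160-bit digest -> 32 five-bit groups, most significant group first
    hu = "".join(ZB32[(sha1 >> shift) & 31] for shift in range(155, -1, -5))
    tail = f"hu/{hu}?l={quote(local)}"
    return (f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/{tail}",
            f"https://{domain}/.well-known/openpgpkey/{tail}")

def tcp_connect(family, sockaddr, timeout):
    """One TCP handshake, abandoned after `timeout` seconds."""
    with socket.socket(family, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        sock.connect(sockaddr)

def probe(host, port=443, timeout=5.0,
          resolve=socket.getaddrinfo, connect=tcp_connect):
    """Try each address in resolver order; return (family, ip, outcome, seconds)."""
    report = []
    for family, _, _, _, sockaddr in resolve(host, port, type=socket.SOCK_STREAM):
        start = time.monotonic()
        try:
            connect(family, sockaddr, timeout)
            outcome = "ok"
        except OSError as exc:  # timeouts, unreachable routes, refusals
            outcome = type(exc).__name__
        report.append((socket.AddressFamily(family).name, sockaddr[0],
                       outcome, round(time.monotonic() - start, 3)))
    return report

# Constructed stand-ins so the demo runs offline: the resolver lists IPv6
# first and the connector treats every IPv6 destination as silently dropped.
def sample_resolve(host, port, type=0):
    return [(socket.AF_INET6, type, 6, "", ("2001:db8::136", port, 0, 0)),
            (socket.AF_INET, type, 6, "", ("192.0.2.134", port))]

def sample_connect(family, sockaddr, timeout):
    if family == socket.AF_INET6:
        raise TimeoutError("timed out")

if __name__ == "__main__":
    print(*wkd_urls("developer@gentoo.org"), sep="\n")
    print(*probe("openpgpkey.gentoo.org", resolve=sample_resolve,
                 connect=sample_connect), sep="\n")
```

Calling `probe("openpgpkey.gentoo.org")` without the two sample arguments tests the real network path; the gai.conf precedence line from comment 9 changes the order of the rows, not their outcomes.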
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2024-11-20 06:02:43 UTC
There's https://github.com/gentoo/portage/pull/1374 which is pending a response to review comments / figuring out how to handle them. What are you referring to?
Comment 15 selckin 2024-11-20 09:07:40 UTC
Yes, that timeout would solve all the hangs I've had