Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 673746

Summary: net-dns/bind-9.12.2_p2-r1 - named: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Product: Gentoo Linux Reporter: Thomas Stein <himbeere>
Component: Current packagesAssignee: Mikle Kolyada (RETIRED) <zlogene>
Status: RESOLVED FIXED    
Severity: normal CC: bug, chutzpah, idl0r, luke, m_gentoobug, nikize, sam, tb
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Thomas Stein 2018-12-26 10:52:17 UTC 
Hello Devs.

After upgrading bind to net-dns/bind-9.12.2_p2-r1 named fails to start with.

Dec 26 11:31:24 lordcritical named[5852]: running as: named -u named -t /chroot/dns
Dec 26 11:31:24 lordcritical named[5852]: compiled by GCC 7.3.0
Dec 26 11:31:24 lordcritical named[5852]: compiled with OpenSSL version: OpenSSL 1.0.2p  14 Aug 2018
Dec 26 11:31:24 lordcritical named[5852]: linked to OpenSSL version: OpenSSL 1.0.2p  14 Aug 2018
Dec 26 11:31:24 lordcritical named[5852]: compiled with libxml2 version: 2.9.8
Dec 26 11:31:24 lordcritical named[5852]: linked to libxml2 version: 20908
Dec 26 11:31:24 lordcritical named[5852]: compiled with zlib version: 1.2.11
Dec 26 11:31:24 lordcritical named[5852]: linked to zlib version: 1.2.11
Dec 26 11:31:24 lordcritical named[5852]: threads support is enabled
Dec 26 11:31:24 lordcritical named[5852]: ----------------------------------------------------
Dec 26 11:31:24 lordcritical named[5852]: BIND 9 is maintained by Internet Systems Consortium,
Dec 26 11:31:24 lordcritical named[5852]: Inc. (ISC), a non-profit 501(c)(3) public-benefit 
Dec 26 11:31:24 lordcritical named[5852]: corporation.  Support and training for BIND 9 are 
Dec 26 11:31:24 lordcritical named[5852]: available at https://www.isc.org/support
Dec 26 11:31:24 lordcritical named[5852]: ----------------------------------------------------
Dec 26 11:31:24 lordcritical named[5852]: adjusted limit on open files from 4096 to 1048576
Dec 26 11:31:24 lordcritical named[5852]: found 2 CPUs, using 2 worker threads
Dec 26 11:31:24 lordcritical named[5852]: using 1 UDP listener per interface
Dec 26 11:31:24 lordcritical named[5852]: using up to 4096 sockets
Dec 26 11:31:24 lordcritical named[5852]: openssl_link.c:296: fatal error:
Dec 26 11:31:24 lordcritical named[5852]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Dec 26 11:31:24 lordcritical named[5852]: exiting (due to fatal error in library)

Downgrading to net-dns/bind-9.11.2_p1 solves the problem for now. There are lots of complaints in the internet about the very same error. So I guess there is something wrong with that version.

Reproducible: Always




lordcritical ~ # emerge --info
Portage 2.3.51 (python 2.7.15-final-0, default/linux/amd64/17.0, gcc-7.3.0, glibc-2.27-r6, 4.14.90 x86_64)
=================================================================
System uname: Linux-4.14.90-x86_64-Intel_Core_Processor_-Skylake,_IBRS-with-gentoo-2.6
KiB Mem:     1940336 total,   1510292 free
KiB Swap:    1048572 total,   1048572 free
Timestamp of repository gentoo: Mon, 24 Dec 2018 13:00:01 +0000
Head commit of repository gentoo: 5aa585fafd78b219688d993d6d26d5102501ec43
sh bash 4.4_p12
ld GNU ld (Gentoo 2.28.1 p1.0) 2.28.1
app-shells/bash:          4.4_p12::gentoo
dev-java/java-config:     2.2.0-r3::gentoo
dev-lang/perl:            5.24.3-r1::gentoo
dev-lang/python:          2.7.15::gentoo, 3.4.8::gentoo, 3.6.5::gentoo
dev-util/cmake:           3.9.6::gentoo
dev-util/pkgconfig:       0.29.2::gentoo
sys-apps/baselayout:      2.6-r1::gentoo
sys-apps/openrc:          0.34.11::gentoo
sys-apps/sandbox:         2.13::gentoo
sys-devel/autoconf:       2.69-r4::gentoo
sys-devel/automake:       1.13.4::gentoo, 1.14.1::gentoo, 1.15.1-r2::gentoo
sys-devel/binutils:       2.28.1::gentoo, 2.29.1-r1::gentoo, 2.30-r4::gentoo
sys-devel/gcc:            6.4.0-r1::gentoo, 7.3.0-r3::gentoo
sys-devel/gcc-config:     1.8-r1::gentoo
sys-devel/libtool:        2.4.6-r3::gentoo
sys-devel/make:           4.2.1-r4::gentoo
sys-kernel/linux-headers: 4.13::gentoo (virtual/os-headers)
sys-libs/glibc:           2.27-r6::gentoo
Repositories:

gentoo
    location: /usr/portage
    sync-type: rsync
    sync-uri: rsync://rsync.gentoo.org/gentoo-portage
    priority: -1000
    sync-rsync-verify-jobs: 1
    sync-rsync-verify-metamanifest: yes
    sync-rsync-extra-opts: 
    sync-rsync-verify-max-age: 24

x-portage
    location: /usr/local/portage
    masters: gentoo
    priority: 0

ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=nehalem -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=nehalem -pipe"
DISTDIR="/usr/portage/distfiles"
ENV_UNSET="DBUS_SESSION_BUS_ADDRESS DISPLAY GOBIN PERL5LIB PERL5OPT PERLPREFIX PERL_CORE PERL_MB_OPT PERL_MM_OPT XAUTHORITY XDG_CACHE_HOME XDG_CONFIG_HOME XDG_DATA_HOME XDG_RUNTIME_DIR"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_GB.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
PKGDIR="/usr/portage/packages"
PORTAGE_BINHOST="https://netcup.meine-oma.de"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --exclude=/.git"
PORTAGE_TMPDIR="/var/tmp"
USE="acl amd64 berkdb bzip2 cli crypt cxx dri fortran gdbm iconv ipv6 libtirpc mmx multilib ncurses nls nptl openmp pam pcre readline seccomp sse sse2 ssl tcpd unicode xattr zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="karbon plan sheets stage words" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" CPU_FLAGS_X86="mmx mmxext sse sse2" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock isync itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf skytraq superstar2 timing tsip tripmate tnt ublox ubx" GRUB_PLATFORMS="pc" INPUT_DEVICES="libinput keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php7-1" POSTGRES_TARGETS="postgres9_5 postgres10" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_6" RUBY_TARGETS="ruby23" USERLAND="GNU" VIDEO_CARDS="amdgpu fbdev intel nouveau radeon radeonsi vesa dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CC, CPPFLAGS, CTARGET, CXX, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, MAKEOPTS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 lou 2019-01-08 02:11:48 UTC 
I'm having this issue on three servers. I had to roll back to get the service back.
Comment 2 lou 2019-01-09 03:05:26 UTC 
I did not have the urandom node in my chroot. I added that it started.
Comment 3 Thomas Beutin 2019-01-30 16:03:59 UTC 
(In reply to lou from comment #2)
> I did not have the urandom node in my chroot. I added that it started.

lou, your comment leads me to a "more proper" solution:

 - install net-dns/bind[urandom]
 - re-run emerge --config '=net-dns/bind-<your_bin_version>'

and /dev/urandom will be created in the chroot dir.
Comment 4 Paul Maddock 2019-02-10 18:23:34 UTC 
I experienced the same following an upgrade.

It seems bind has changed the default behaviour for the random number generator. Earlier packages used /dev/random as the source, with an optional use flag of urandom to use /dev/urandom instead.

Since Bind's change to use OpenSSL's pseudorandom number generator, it now requires /dev/urandom regardless of use flag.

It looks like the ebuild needs updating to cater for the upstream change.
Comment 5 nic 2019-03-01 20:44:35 UTC 
Confirming net-dns/bind[urandom] with CHROOT configured does resolve this issue.

Removing CHROOT also permits bind to start.

I agree that the ebuild should be reviewed to accommodate upstreams change without further user intervention. This oversight can negativity impact someones critical dns deployment.
Comment 6 Martin 2019-09-02 18:14:55 UTC 
This is still a problem with net-dns/bind-9.15.2:

emerge -vDNu net-dns/bind
emerge --config '=net-dns/bind-9.15.2'

The install and config complete without reported error.

However, there is no "/chroot/dns/dev/urandom" created.

Note that is required for named ("net-dns/bind-9.15.2") to start.

The workaround is to run:

cd /chroot/dns/dev
mknod urandom c 1 9

"named" then starts fine.


FYI:

The system log start errors reported when trying to start without "/chroot/dns/dev/urandom" are:

named[3181]: openssl_link.c:164: fatal error:
named[3181]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
named[3181]: exiting (due to fatal error in library)
/etc/init.d/named[3179]: start-stop-daemon: failed to start `/usr/sbin/named'



Thanks in advance for a future fix.

Regards,
Martin
Comment 7 John L. Poole 2019-09-26 04:35:54 UTC 
Had the same problem with 9.14.4.
Just-Installed versions:  9.14.4^t(04:06:11 09/24/19)(caps ipv6 readline -doc -gssapi -idn -libedit -libressl -xml)

I had the same problem: /var/log/messages had:

Sep 25 21:20:46 janus named[3315]: openssl_link.c:166: fatal error:
Sep 25 21:20:46 janus named[3315]: OpenSSL pseudorandom number generator cannot be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)
Sep 25 21:20:46 janus named[3315]: exiting (due to fatal error in library)
Sep 25 21:20:46 janus /etc/init.d/named[3313]: start-stop-daemon: failed to start `/usr/sbin/named'
Sep 25 21:20:46 janus /etc/init.d/named[3284]: ERROR: named failed to start

The work-around described in Martin's update on this bug at 2019-09-02 18:14:55 UTC fixed the problem.
Comment 8 Christian Nilsson 2021-07-18 09:14:54 UTC 
This is very much still an existing issue.
No explanation on to why or how this was marked as resolved.

During my installation I found the urandom still needs to be copied over.
https://github.com/ASoft-se/Gentoo-HAI/pull/55/files
Comment 9 Christian Ruppert (idl0r) gentoo-dev 2021-07-20 15:16:49 UTC 
(In reply to Christian Nilsson from comment #8)
> This is very much still an existing issue.
> No explanation on to why or how this was marked as resolved.
> 
> During my installation I found the urandom still needs to be copied over.
> https://github.com/ASoft-se/Gentoo-HAI/pull/55/files

It was closed, supposedly, because it was fixed back then. It has been accidentally re-introduced but should be fixed again by: https://github.com/gentoo/gentoo/commit/6e8faaad077caf9048e2c5a132ddade0b0b316aa#diff-48e2e169b4ac644113233aa81b09fe764cc3afc52bcd95fb75830fcc150efa1d
Can you confirm emerge --config net-dns/bind and/or restarting bind with the chroot option being set fixed it for you and created, if necessary, the /dev/urandom device?
Comment 10 Christian Nilsson 2021-07-21 12:43:11 UTC 
Yes, my mistake, main reason was due to this being marked as resolved/obsolete without any explanation. BUG #793860 also exists, and has a working fix.

Thanks, and sorry for misunderstanding.
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2021-07-21 12:44:58 UTC 
lets finally mark it resolved then.