
Ensure mailman VM setup has adequate entropy for STARTTLS
Closed, Resolved (Public)

Description

Per Mark in T82576#902820, the blocker to enabling STARTTLS was that in the past doing so "would use up (starve) all random entropy because of the many deliveries, and then block. But with newer hardware and potentially hw RNGs, the situation may be better now. We can test it again."

It is possible that no action is explicitly needed, if there is a hardware RNG on the virtualization host and if the individual VMs are able to utilize it as a source for entropy. If this is not the case, one possible solution would be to have haveged running on the virtualization host and the virtio-rng kernel module loaded in guests.

Event Timeline

ori assigned this task to Dzahn.
ori raised the priority of this task from to High.
ori updated the task description.
ori added subscribers: ori, MZMcBride, Dzahn and 5 others.

re: hardware RNG:

< Dagmar> mutante: Ask the guy running the VM host. If he starts laughing halfway through your question, that hardware isn't present

< Dagmar> Mainly it's only IBM's ESX hosts that will

< Dagmar> When in doubt, stuff the output of dmesg into /dev/urandom along with a few lines of free verse poetry

< Dagmar> It's also very easy to come up with some "mostly random crap" to seed the system's entropy pool with

< barfod> instead rely on more advanced functions like arc4random()

< Dagmar> barfod: Dude I've used /dev/mic and burped into it

cajoel gave hardware RNGs to Faidon and Mark, not sure if we'll need them yet

fermium has TLS now and I've been watching /proc/sys/kernel/random/entropy_avail. I don't see any issues with entropy so far. I think these entropy-depleting exim issues are GnuTLS bugs of the past and not applicable to modern systems.
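
The two checks discussed in this task, as an added example that is not part of the original thread or of the Wikimedia configuration: whether the guest has a hardware RNG backend such as virtio-rng, and how low `entropy_avail` drops while mail is being delivered. The function names, the `watch` argument and the 200-bit threshold are assumptions chosen for illustration; the sysfs path is the kernel's hw_random interface.

```shell
#!/bin/sh
# Added example: entropy checks for a mail VM with STARTTLS enabled.
# Both paths can be overridden, which lets the functions run against constructed files.
ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
HWRNG_DIR="${HWRNG_DIR:-/sys/class/misc/hw_random}"

# Print the active hardware RNG backend (e.g. virtio_rng.0), or "none"
# when the guest has no hw_random device or none is selected.
hwrng_backend() {
    cur=""
    if [ -r "$HWRNG_DIR/rng_current" ]; then
        read -r cur < "$HWRNG_DIR/rng_current" 2>/dev/null || true
    fi
    case "$cur" in
        ""|none) echo none ;;
        *) echo "$cur" ;;
    esac
}

# Emit $1 samples of entropy_avail, $2 seconds apart.
sample_entropy() {
    i=0
    while [ "$i" -lt "$1" ]; do
        cat "$ENTROPY_FILE"
        i=$((i + 1))
        if [ "$i" -lt "$1" ]; then sleep "$2"; fi
    done
}

# Read one sample per line on stdin; report the minimum, the sample count
# and how many samples fell below the threshold $1 (assumed default: 200 bits).
entropy_summary() {
    awk -v thr="${1:-200}" '
        /^[0-9]+$/ { n++; if (min == "" || $1 < min) min = $1; if ($1 < thr) low++ }
        END {
            if (n == 0) { print "no samples"; exit 1 }
            printf "min=%d samples=%d below_%d=%d\n", min, n, thr, low
        }'
}

# Usage: ./entropy-check.sh watch [samples] [interval_seconds] [threshold_bits]
if [ "${1:-}" = "watch" ]; then
    echo "hwrng backend: $(hwrng_backend)"
    sample_entropy "${2:-30}" "${3:-2}" | entropy_summary "${4:-200}"
fi
```

Run it in `watch` mode during a busy delivery period; a non-zero `below_` count together with a `none` backend is the condition this task was opened to rule out.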