Re: BIND and /var/arandom missing fix]

Re: BIND and /var/arandom missing fix]

J.D. Carlson
On Thu, Nov 01, 2007 at 01:53:09PM -0600, Theo de Raadt wrote:

> > I have a server running OpenBSD 4.2-current and acting as a
> > name server. It always has these messages in the /var/log/daemon
> > file upon startup:
> >
> >  Oct 27 05:51:38 racine named[3780]: could not open entropy \
> >  source  /dev/arandom: file not found
> >  Oct 27 05:51:38 racine named[3780]: using pre-chroot entropy \
> >  source  /dev/arandom
> >
> > That never bothered me, until I needed to use Men and Mice
> > DNS Server Controller management tools on my OBSD name server,
> > but that is another story.
>
> Ignore the messages.  They mean nothing.  Our BIND, when running,
> does not use that stupid mechanism for entropy.

I have ignored them, for a number of years and never worried about
it.  But management dictates we move to Men and Mice to manage dns.
If I run their DNS Server Controller under linux emulation and the
OpenBSD named is running as a chroot, it looks for a /dev/random or
/dev/arandom inside the chroot.  It fails if it is not there:

 Men and Mice DNS Server Controller for BIND[32343]: Unable to
 initalize crypting library. Random device not readable.

So my choice was to give up OpenBSD as our name servers (never!) and
run Linux or FreeBSD (also never!), or run OBSD named without
the chroot.  It seemed like a compromise I could live with.

Men and Mice doesn't officially support OpenBSD, but it was semi-easy
to get it running under linux emulation for the Server Controller.

J.D. Carlson


Re: BIND and /var/arandom missing fix]

Stuart Henderson
On 2007/11/01 22:46, J.D. Carlson wrote:

>
> I have ignored them, for a number of years and never worried about
> it.  But management dictates we move to Men and Mice to manage dns.
> If I run their DNS Server Controller under linux emulation and the
> OpenBSD named is running as a chroot, it looks for a /dev/random or
> /dev/arandom inside the chroot.  It fails if it is not there:
>
>  Men and Mice DNS Server Controller for BIND[32343]: Unable to
>  initalize crypting library. Random device not readable.
>
> So my choice was to give up OpenBSD as our name servers (never!) and
> run Linux or FreeBSD (also never!), or run OBSD named without
> the chroot.  It seemed like a compromise I could live with.

There's nothing magic about device nodes, you can just create
them yourself. See mknod(1) and /dev/MAKEDEV.


Re: BIND and /var/arandom missing fix]

J.D. Carlson
On Fri, Nov 02, 2007 at 07:31:22AM +0000, Stuart Henderson wrote:

> On 2007/11/01 22:46, J.D. Carlson wrote:
> >
> > I have ignored them, for a number of years and never worried about
> > it.  But management dictates we move to Men and Mice to manage dns.
> > If I run their DNS Server Controller under linux emulation and the
> > OpenBSD named is running as a chroot, it looks for a /dev/random or
> > /dev/arandom inside the chroot.  It fails if it is not there:
> >
> >  Men and Mice DNS Server Controller for BIND[32343]: Unable to
> >  initalize crypting library. Random device not readable.
> >
> > So my choice was to give up OpenBSD as our name servers (never!) and
> > run Linux or FreeBSD (also never!), or run OBSD named without
> > the chroot.  It seemed like a compromise I could live with.
>
> There's nothing magic about device nodes, you can just create
> them yourself. See mknod(1) and /dev/MAKEDEV.
>
To have them work the partition cannot be mounted nodev, which /var is. I
should have said it fails if it doesn't work.  A simple test was to run

dd if=/var/dev/arandom bs=1 count=5

after I created the device. It fails if the partition is mounted nodev.
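The two failure modes discussed in this exchange (a device node that was never created in the chroot, and a node that exists but cannot be opened because the filesystem is mounted nodev) can be told apart from the shell. The script below is an added example and is not code from the thread or from OpenBSD; it assumes POSIX sh with awk, dd and wc, and that mount(8) prints lines of the form "DEV on MOUNTPOINT type FS (OPTIONS)", which both OpenBSD ("(local, nodev, nosuid)") and Linux ("(rw,nodev,relatime)") do. The mount listing embedded in it is constructed to match the layout J.D. Carlson describes later in the thread: /var mounted nodev and a separate filesystem on /var/named/dev without it. Creating the node itself still needs root and mknod(8) or /dev/MAKEDEV, as Stuart suggests; this only verifies the result, generalising the five-byte dd test to any path.

```shell
#!/bin/sh
# Added example, not code from the thread. Two checks for a random device
# placed inside a named chroot (the thread's case: /var/named/dev/arandom).
#
# mount_has_nodev PATH   reads mount(8) output on stdin and returns 0 when the
#                        filesystem holding PATH carries the nodev option
# check_random_dev PATH  returns 0 when PATH is a character device that
#                        actually yields bytes, like J.D. Carlson's dd test

# Pick the longest mount point that is a path prefix of PATH and look for
# "nodev" in its option list. Works on both OpenBSD style lines
# ("/dev/wd0d on /var type ffs (local, nodev, nosuid)") and Linux style
# ("... on /var type ext4 (rw,nodev,relatime)"), since both print
# "DEV on MOUNTPOINT type FS (OPTIONS)".
mount_has_nodev() {
    awk -v p="$1" '
        $2 == "on" {
            mp = $3; n = length(mp)
            if (mp == "/" || p == mp || substr(p, 1, n + 1) == mp "/") {
                if (n > best) { best = n; opts = $0 }
            }
        }
        END { if (opts ~ /[(, ]nodev[,) ]/) exit 0; else exit 1 }'
}

# The node can exist (mknod succeeded) and still be unusable on a nodev
# filesystem, so test presence, device type and a successful 5-byte read
# separately and return a distinct status for each failure.
check_random_dev() {
    dev="$1"
    if [ ! -e "$dev" ]; then
        echo "$dev: missing; named will log 'could not open entropy source'" >&2
        return 2
    fi
    if [ ! -c "$dev" ]; then
        echo "$dev: exists but is not a character device" >&2
        return 3
    fi
    got=$(dd if="$dev" bs=1 count=5 2>/dev/null | wc -c | tr -d ' ')
    if [ "$got" -ne 5 ]; then
        echo "$dev: node present but unreadable; is the filesystem mounted nodev?" >&2
        return 4
    fi
    echo "$dev: ok, read 5 bytes"
    return 0
}

# Constructed mount listing for an OpenBSD host where /var is nodev but a
# separate small filesystem without nodev is mounted on /var/named/dev.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0d on /var type ffs (local, nodev, nosuid)
/dev/wd0e on /var/named/dev type ffs (local, nosuid)'

# Usage on a live host:  mount | mount_has_nodev /var/named/dev/arandom
#                        check_random_dev /var/named/dev/arandom
demo() {
    for path in /var/dev/arandom /var/named/dev/arandom; do
        if printf '%s\n' "$SAMPLE_MOUNTS" | mount_has_nodev "$path"; then
            echo "$path: filesystem is mounted nodev, device nodes will not open"
        else
            echo "$path: filesystem allows device nodes"
        fi
    done
}

demo
```

Run against the constructed listing, the demo reports that a node under /var/dev would be on a nodev filesystem while one under /var/named/dev would not; on a real host, pipe the live mount(8) output in and run check_random_dev on the node after creating it, which reproduces the dd test but also distinguishes "never created" from "created but unopenable".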


Re: BIND and /var/arandom missing fix]

Matt Rowley
> To have them work the partition can not be mounted nodev, which /var is. I
> should have said it fails if it doesn't work.  A simple test was to run

Why not make /var/named its own partition?  I.e., one mounted without nodev.

cheers,
Matt


Re: BIND and /var/arandom missing fix]

J.D. Carlson
On Fri, Nov 02, 2007 at 08:46:53AM -0400, Matt Rowley wrote:
> > To have them work the partition can not be mounted nodev, which /var is. I
> > should have said it fails if it doesn't work.  A simple test was to run
>
> Why not make /var/named its own partition?  I.e., one mounted without nodev.
>
Actually, I made /var/named/dev its own partition, like I said in the very first
message.  Limiting exposure even more.


Re: BIND and /var/arandom missing fix]

Unix Fan
I'm failing to see the problem, but really.. Linux emulation for mission critical applications just has "Bad Idea" written all over it..

I personally don't see a problem with creating an additional partition which allows such pseudo devices though...