waldoj
commented
10 years ago lack of hardware means it can't generate enough random bits to fill PGPs needs
This is fascinating.
Open krusynth opened 10 years ago
waldoj
commented
10 years ago lack of hardware means it can't generate enough random bits to fill PGPs needs
This is fascinating.
krusynth
commented
10 years ago I know, right? I noticed the keygen was hanging forever, and assumed it was a lack of RAM issue. Once that didn't fix it, I found this:
And then a bunch of threads saying you can generate entropy via keyboard, mouse, and harddrive spinning. Lack of all of these means it doesn't generate bits? I'm no expert on entropy or anything, so I might be misconfusinating the issue.
krusynth
commented
10 years ago If Lavarand doesn't end up matching a curve of e I'd be astounded. Everything is e. ;)
mtigas
commented
10 years ago lack of hardware means it can't generate enough random bits to fill PGPs needs
Hm... For dev environments maybe we should default the settings to use a small PGP key size (like 1024bit) instead of the very paranoid 4096bits currently set in the gpginit command — then have the local_settings.py override this for production environments. Should save people a lot of grief.
@krues8dr: If you want to see if this helps out your Vagrant box: can you try editing /authentication/authapp/management/commands/gpginit.py, changing the key sizes down to 1024, then try setting up the GPG key again?
You could also try to install haveged which artificially increases the Linux entropy pool (which is unsafe for a user-facing website in production, but good enough for a dev VM).
krusynth
commented
10 years ago Thanks, but I think I've already got past that point with rng-tools and am no longer receiving the lack-of-entropy error. This is a different error, and I'm still receiving it with 1024 bits. Again, I think this is related to the different homedir being used for key generation, or maybe needing gpg-agent ? I'm not entirely sure.
@mtigas Have you gotten this to run on anything outside of OS X? I know @vzvenyach is running it on Ubuntu with no problems. Could be something of the selinux variety as well, or other RHEL-specific concerns, due to the better security model.
mtigas
commented
10 years ago @krues8dr Can't test it out again until I get home later today — but no reason why it shouldn’t run smoothly on Linux, too. (For other VMs, I've definitely had crypto issues unless I set up haveged — not sure how well rng-tools + system PRNG compare to using that to fill.)
Might want to nuke the gpgdata directory and try doing the init again. Also, setting GNUPG_BINARY should be to the actual GPG binary and not a symlink (i.e. GNUPG_BINARY="/usr/bin/gpg2" instead of "/usr/bin/gpg")
(Also helpful to help you get up and running: python2.7 manage.py gpginit | grep -e "^GNUPG_IDENTITY" >> local_settings.py.)
Will be back with more later tonight.
vdavez
commented
10 years ago Just wanted to let you know that haveged worked wonders on an EC2 instance.
krusynth
commented
10 years ago Hey guys, I've tried using haveged but still getting the same error on CentOS. I tried launching it with -w 4096 and also decreasing the key size in /authentication/authapp/management/commands/gpginit.py but it hasn't resolved the issue.
vdavez
commented
10 years ago What version of centos?
krusynth
commented
10 years ago 6.4.2. This one, in fact:
https://github.com/2creatives/vagrant-centos/releases/download/v6.4.2/centos64-x86_64-20140116.box
vdavez
commented
10 years ago Right-o. Will try tonight.
krusynth
commented
10 years ago Thanks @vzvenyach ! Here's the Vagrantfile I'm using: https://gist.github.com/krues8dr/4a1528f05c5216e983b0
vdavez
commented
10 years ago Thinking out loud. Any chance it's the 512 memory?
krusynth
commented
10 years ago I tried bumping that to 2Gb but no luck.
vdavez
commented
10 years ago Harrumph. Ok. Will give it a go when I get to a PC? Any progress on the documents view?
krusynth
commented
10 years ago Nope, spent all my time on that so far. I think I'll need that to get rolling, or is there already some fixture data I can load to get up and running?
vdavez
commented
10 years ago Right. One other ask. Can you use ipython to give more debug details?
vdavez
commented
10 years ago Can you run this command? cat /proc/sys/kernel/random/entropy_avail
krusynth
commented
10 years ago Using pdb to debug isn't getting me anywhere - it's occurring in a separate thread and for some reason it's not letting me drill down. Weird.
I've got 4096 for entropy_avail; I added setting the -w flag in the haveged init script to bump it up from 1024.
vdavez
commented
10 years ago Huh. It's hanging for me too. I've done this on several ubuntu machines now and it works fine, but CentOS definitely is behaving differently. Will keep banging away... just an update
vdavez
commented
10 years ago Couldn't figure this out, but made headway on the documents view...
I struggled all weekend to get this up and running, but still can't get the keygen step to run without error. Here's a summary of what I've done, based on Dave's work in the dockerfile:
I'm using python 2.7 because there appears to be 2.7-requiring packages among those
requirements.txt, but I can't remove 2.6 entirely becauseyumneeds it. I'm also having to runrngdfromrng-tools(not listed above), since I'm running on a Vagrant box, and lack of hardware means it can't generate enough random bits to fill PGPs needs.The error is:
but it still says that the key is being generated. Further debugging shows that the error code is 65535, which I think may have something to do with the non-user homedir?