Author Topic: PRNG is not seeded, yet again  (Read 7193 times)

sbzx

  • Full Member
  • ***
  • Posts: 16
  • Karma: +0/-0
    • Operation Daily Magic Error
PRNG is not seeded, yet again
« on: December 12, 2012, 09:53:55 AM »
I've been experiencing the "PRNG is not seeded" error described here: http://www.rootvg.net/content/view/420/309/

And "randomctl -l" mentioned in the post works well. However, I'm getting this more and more frequently. Systems seem to lose /dev/*random devices even without a reboot. I'm at 7100-01-03-1207.

Any idea what's causing this? A permanent fix perhaps? Google hasn't turned up much. Cheers. 

Michael

  • Administrator
  • Hero Member
  • *****
  • Posts: 1081
  • Karma: +0/-0
Re: PRNG is not seeded, yet again
« Reply #1 on: December 12, 2012, 04:46:38 PM »
It is a bit surprising for a device or a driver to stop suddenly.

Check for messages in errpt and/or in syslog, perhaps.

In any case, AIX has had some patches, now at 7100-01-06-1241.

And the command /usr/sbin/randomctl is in bos.rte.security. In the SP above it is at bos.rte.security   7.1.1.18

In short, I cannot explain why it is dropping.

Note: the fileset openssh.base.server should be at 5.8.0.6101

sbzx

Re: PRNG is not seeded, yet again
« Reply #2 on: December 13, 2012, 02:20:33 PM »
Errpt/syslog have nothing suspicious. Unfortunately, patching is not an option without good reason. bos.rte.security is at 7.1.1.2 as expected, and openssh.base.server is at 5.8.0.6101.

Michael

Re: PRNG is not seeded, yet again
« Reply #3 on: December 13, 2012, 07:44:45 PM »
Nods. Update for no reason is never advised.

A policy I use is to be within n-2 updates. According to that policy now would be a good time to research why to update/to not update. (SP6 -2 == SP4 or higher by n-2 guideline).

I do need to learn how to better use APAR search to see something about what is in the updates.

Michael

Re: PRNG is not seeded, yet again
« Reply #4 on: December 14, 2012, 06:56:29 AM »
Quote
patching is not an option without good reason. bos.rte.security is at 7.1.1.2 as expected, and openssh.base.server is at 5.8.0.6101.

Did a bit of research, I expect the output to be a bit long - so -

my recommendations:
use SUMA to collect the latest service pack files (or ftp/http from Fix Central if you prefer)
put these files in a directory - AS IF - you were preparing for an update_all operation
use the command "# installp -d . -A bos.rte.security > bos.rte.security.APAR_fixes.text"
read file created to review IF you think the fixes are reason enough to patch

Note: IBM considers it "best practice" to update by complete service packs, rather than only minimal fixes. The recognized exception is when a fix is released between service pack releases. However,... to install a single fix from an APAR number

from same directory: preview command
# instfix -d . -p -k APAR_number_identified

The above command lists the filesets that will be installed. Remove the option -p to actually perform the operation.


Michael

Re: PRNG is not seeded, yet again
« Reply #5 on: December 14, 2012, 07:03:11 AM »
some extra info:

my 7.1 systems are at 7100-01-05-1228, and bos.rte.security is at level bos.rte.security.7.1.1.17

Michael

Re: PRNG is not seeded, yet again
« Reply #6 on: December 14, 2012, 07:53:00 AM »
And I may have your "reason" - I do not have any issues because my test system is SLOW (still Power5):

fix:
        name = IV29569
        abstract = Unreasonable long blocking delays reading from /dev/random
        type = f
        filesets = "bos.rte.security:7.1.1.18\n\
"
        symptom = " Longer than usual blocking time waiting on reads from \n\
 /dev/random pseudo device on faster Power processors. This issue\n\
 is typically seen on idle systems; very little externel \n\
 interrups (i.e., I/O).\n\


On my system the command suggested below returns:
Quote
root@x202:[/data/suma/7101]instfix -d . -p -k IV29569
bos.rte.security 07.01.0001.0018

And this is an applied fix, not committed:
Quote
Installation Summary
--------------------
Name                        Level           Part        Event       Result
-------------------------------------------------------------------------------
bos.rte.install             7.1.1.18        USR         APPLY       SUCCESS   
bos.rte.install             7.1.1.18        ROOT        APPLY       SUCCESS   
bos.rte.security            7.1.1.18        USR         APPLY       SUCCESS   
bos.rte.security            7.1.1.18        ROOT        APPLY       SUCCESS   
root@x202:[/data/suma/7101]lslpp -L bos.rte.security
  Fileset                      Level  State  Type  Description (Uninstaller)
  ----------------------------------------------------------------------------
  bos.rte.security          7.1.1.18    A     F    Base Security Function
« Last Edit: December 14, 2012, 08:36:41 AM by Michael »
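
A check for the two conditions this thread turns on, added here as an example and not written by any poster: whether the /dev/random and /dev/urandom nodes are still present, and whether bos.rte.security has reached the level the thread lists for IV29569. The function names and the `check` argument are assumptions; `lslpp -L`, the fileset name and level 7.1.1.18 come from the posts above.

```shell
#!/bin/sh
# Added example (not from the thread). POSIX sh; runs under ksh on AIX.
# FIX_LEVEL is the bos.rte.security level the thread lists for IV29569.
FIX_LEVEL="7.1.1.18"

# Return 0 only if every path given is a character device.
check_random_devices() {
    rc=0
    for dev in "$@"; do
        if [ ! -c "$dev" ]; then
            echo "MISSING: $dev is not a character device" >&2
            rc=1
        fi
    done
    return $rc
}

# Return 0 if dotted level $1 >= $2. Fields are compared as numbers, so
# 7.1.1.2 ranks below 7.1.1.18 and 07.01.0001.0018 equals 7.1.1.18.
level_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (h[i] + 0 > w[i] + 0) exit 0
            if (h[i] + 0 < w[i] + 0) exit 1
        }
        exit 0
    }'
}

# Read `lslpp -L` style output on stdin, print the Level column for fileset $1.
fileset_level() {
    awk -v name="$1" '$1 == name { print $2; exit }'
}

# Hypothetical entry point for cron or a monitoring agent.
run_check() {
    status=0
    check_random_devices /dev/random /dev/urandom || status=1
    level=$(lslpp -L bos.rte.security 2>/dev/null | fileset_level bos.rte.security)
    if [ -n "$level" ] && level_at_least "$level" "$FIX_LEVEL"; then
        echo "bos.rte.security $level is at or above $FIX_LEVEL"
    else
        echo "bos.rte.security '${level}' is below $FIX_LEVEL (IV29569)"
        status=1
    fi
    return $status
}

if [ "${1:-}" = "check" ]; then run_check; fi
```

Run it as `sh script.sh check`; a non-zero exit means a device node is missing or the fileset is below the fix level.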

sbzx

Re: PRNG is not seeded, yet again
« Reply #7 on: December 14, 2012, 09:12:09 AM »
This sounds promising, thank you.