
Can you post a list of Linux capabilities haveged requires? #53

Closed
trajano opened this issue Dec 18, 2020 · 5 comments

Comments

@trajano

trajano commented Dec 18, 2020

Can you post a list of Linux capabilities haveged requires? I want to set up Docker to run it with as few capabilities as possible.

@jirka-h
Owner

jirka-h commented Dec 18, 2020

@trajano
Author

trajano commented Dec 18, 2020

So it really needs CAP_SYS_ADMIN which is equivalent to privileged. I know about the docker images, there's a new feature of enabling it on Docker Swarm https://stackoverflow.com/questions/65241151/running-haveged-in-docker-swarm which I am trying to enable. Ideally I'd like to avoid CAP_SYS_ADMIN since that's full privileges. However, I think it really needs it since it accesses many different systems to get random sources.

@jirka-h
Owner

jirka-h commented Dec 18, 2020

I see. Thanks for sharing the background information.

We need

  • ioctl access to the random device
  • read-write access to the /proc virtual file system

According to the man page
https://man7.org/linux/man-pages/man4/random.4.html
(or check man -S4 random)

the CAP_SYS_ADMIN capability is indeed required. I'm sorry.

ioctl(2) interface
The following ioctl(2) requests are defined on file descriptors connected to either /dev/random or /dev/urandom.  All requests performed will interact with the input entropy pool impacting both /dev/random and /dev/urandom.
The CAP_SYS_ADMIN capability is required for all requests except RNDGETENTCNT.
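The capability boundary quoted from random(4) can be checked directly. The program below is an added example, not code from the haveged project: it issues RNDGETENTCNT, which any process may call, and then RNDADDENTROPY with an empty buffer and zero credited bits (so the pool estimate is unchanged even when the call succeeds), which the kernel refuses with EPERM unless the caller holds CAP_SYS_ADMIN. The enum and function names are the example's own; it does not cover haveged's separate need for read-write access to /proc.

```c
/* Added example (not haveged code): probe which /dev/random ioctls an
 * unprivileged process may issue. RNDGETENTCNT needs no capability;
 * RNDADDENTROPY, the request an entropy daemon uses to feed the pool,
 * requires CAP_SYS_ADMIN. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/random.h>

/* Outcome codes so a caller can check the result without parsing output. */
enum probe_result {
    PROBE_OK = 0,        /* ioctl succeeded */
    PROBE_NEEDS_CAP = 1, /* kernel answered EPERM: CAP_SYS_ADMIN is missing */
    PROBE_NO_DEVICE = 2, /* /dev/random could not be opened (e.g. restricted sandbox) */
    PROBE_OTHER_ERR = 3  /* any other failure */
};

/* Map an ioctl return value and the errno it left behind to a probe_result. */
enum probe_result classify(int rc, int err)
{
    if (rc == 0)
        return PROBE_OK;
    if (err == EPERM)
        return PROBE_NEEDS_CAP;
    return PROBE_OTHER_ERR;
}

/* RNDGETENTCNT: the one request random(4) allows without CAP_SYS_ADMIN.
 * On success *bits holds the kernel's current entropy estimate. */
enum probe_result probe_getentcnt(int *bits)
{
    int fd = open("/dev/random", O_RDONLY);
    if (fd < 0)
        return PROBE_NO_DEVICE;
    int rc = ioctl(fd, RNDGETENTCNT, bits);
    int err = errno;
    close(fd);
    return classify(rc, err);
}

/* RNDADDENTROPY: credit entropy to the input pool from a caller buffer.
 * An empty buffer with zero credited bits is used so that, even when the
 * process does hold CAP_SYS_ADMIN, the pool's accounting is left as it was.
 * The capability check happens before the arguments are looked at, so an
 * unprivileged caller sees EPERM regardless of the buffer contents. */
enum probe_result probe_addentropy(void)
{
    struct rand_pool_info info; /* flexible array member buf[] stays empty */
    info.entropy_count = 0;
    info.buf_size = 0;
    int fd = open("/dev/random", O_RDWR);
    if (fd < 0)
        return PROBE_NO_DEVICE;
    int rc = ioctl(fd, RNDADDENTROPY, &info);
    int err = errno;
    close(fd);
    return classify(rc, err);
}

static const char *describe(enum probe_result r)
{
    switch (r) {
    case PROBE_OK:        return "allowed";
    case PROBE_NEEDS_CAP: return "refused (EPERM): CAP_SYS_ADMIN required";
    case PROBE_NO_DEVICE: return "/dev/random not available";
    default:              return "failed for another reason";
    }
}

int main(void)
{
    int bits = -1;
    enum probe_result g = probe_getentcnt(&bits);
    printf("RNDGETENTCNT : %s", describe(g));
    if (g == PROBE_OK)
        printf(" (entropy estimate: %d bits)", bits);
    printf("\n");
    printf("RNDADDENTROPY: %s\n", describe(probe_addentropy()));
    return 0;
}
```

Compile with `gcc -Wall probe.c -o probe`. Run inside a container started with `--cap-drop ALL`, RNDGETENTCNT is reported as allowed while RNDADDENTROPY is refused with EPERM; with `--cap-add SYS_ADMIN` (or as root on the host) both succeed, which is exactly the distinction the man page draws.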

@trajano
Author

trajano commented Dec 19, 2020

@jirka-h no need to be sorry, it is justified. Unfortunately I can't verify it in the end because docker/for-win#9853

@jirka-h
Owner

jirka-h commented Dec 20, 2020

Well, that's unfortunate.

I'm going to close it for now. Feel free to reopen it if there is some progress.

@jirka-h jirka-h closed this as completed Dec 20, 2020