save-entropy errors on jail after update to 5.4-RELEASE

Alexander Rusinov boot at eurocom.od.ua
Wed May 11 07:41:29 PDT 2005


Renato Botelho wrote:

>I updated my box and a jail that runs inside this box to 5.4-RELEASE yesterday.
>
>After it, I'm receiving emails from this jail with error messages
>about /usr/libexec/save-entropy
>
>I'm receiving messages like this:
>
>mv: /var/db/entropy/saved-entropy.7: No such file or directory
>mv: /var/db/entropy/saved-entropy.5: No such file or directory
>override r--------  operator/operator for
>/var/db/entropy/saved-entropy.5? (y/n [n]) not overwritten
>override r--------  operator/operator for
>/var/db/entropy/saved-entropy.4? (y/n [n]) not overwritten
>override r--------  operator/operator for
>/var/db/entropy/saved-entropy.3? (y/n [n]) not overwritten
>override r--------  operator/operator for
>/var/db/entropy/saved-entropy.2? (y/n [n]) not overwritten
>
>Here are the files inside the jail:
>
>renato at data:~> sudo ls -l /var/db/entropy/
>total 16
>-r--------  1 operator  operator  2048 May 11 10:33 saved-entropy.1
>-r--------  1 operator  operator  2048 May 11 10:33 saved-entropy.2
>-r--------  1 operator  operator  2048 May 11 10:22 saved-entropy.3
>-r--------  1 operator  operator  2048 May 11 10:22 saved-entropy.4
>-r--------  1 operator  operator  2048 May 11 10:11 saved-entropy.5
>-r--------  1 operator  operator  2048 May 11 10:11 saved-entropy.6
>-r--------  1 operator  operator  2048 May 11 10:00 saved-entropy.7
>-r--------  1 operator  operator  2048 May 11 10:00 saved-entropy.8
>
>Could anybody help me to fix it?
>
>thanks in advance
>  
>
I suspect this happens because of concurrent access to /dev/random from
multiple save-entropy scripts launched at exactly the same time by
jailed cron daemons.

I got rid of those emails by putting
entropy_dir="NO"
into rc.conf of all jails. I'm not sure, is this secure?

Also consider enabling cron time jitter for jailed crons, by putting 
something like this into jail rc.conf:
cron_flags="-J10"

-- 
Alexander Rusinov


