[OE-core][RFC] openssh: Start key generation in multi-user mode

All of lore.kernel.org
 help / color / mirror / Atom feed

* [OE-core][RFC] openssh: Start key generation in multi-user mode
@ 2020-09-22  0:44 Joshua Watt
  2020-09-22  5:13 ` Khem Raj
  0 siblings, 1 reply; 3+ messages in thread
From: Joshua Watt @ 2020-09-22  0:44 UTC (permalink / raw)
  To: openembedded-core; +Cc: alex.kiernan, raj.khem, richard.purdie, Joshua Watt

The sshkeygen uses a lot of CPU time which delays booting (especially in
the case where no SSH connection is going to happen), but we also want
to be proactive about generating it early so that the first SSH login
doesn't have to wait a long time.

Starting the key generation when the sockets are created (which is
pretty early in the boot process) slows down the boot due to high CPU
usage, so as a compromise start it no later than multi-user mode when
things have typically settled down. Note that if an SSH connection comes
in before multi-user.target is reached, key generation will be started
immediately.

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/recipes-connectivity/openssh/openssh/sshd.socket        | 1 -
 meta/recipes-connectivity/openssh/openssh/sshd@.service      | 1 +
 .../recipes-connectivity/openssh/openssh/sshdgenkeys.service | 5 +++++
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
index 8d76d62309..12c39b26b5 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
+++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
@@ -1,6 +1,5 @@
 [Unit]
 Conflicts=sshd.service
-Wants=sshdgenkeys.service
 
 [Socket]
 ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service
index 9d9965e624..40fd38730a 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshd@.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=OpenSSH Per-Connection Daemon
+Wants=sshdgenkeys.service
 After=sshdgenkeys.service
 
 [Service]
diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
index fd81793d51..52617ec275 100644
--- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
+++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
@@ -7,3 +7,8 @@ ExecStart=@LIBEXECDIR@/sshd_check_keys
 Type=oneshot
 RemainAfterExit=yes
 Nice=10
+
+[Install]
+# Start key generation no later than multi-user mode so that we can hopefully
+# have it generated before the first SSH connection
+WantedBy=multi-user.target
-- 
2.28.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [OE-core][RFC] openssh: Start key generation in multi-user mode
  2020-09-22  0:44 [OE-core][RFC] openssh: Start key generation in multi-user mode Joshua Watt
@ 2020-09-22  5:13 ` Khem Raj
  2020-09-22 12:55   ` Joshua Watt
  0 siblings, 1 reply; 3+ messages in thread
From: Khem Raj @ 2020-09-22  5:13 UTC (permalink / raw)
  To: Joshua Watt
  Cc: Patches and discussions about the oe-core layer, Alex Kiernan,
	Richard Purdie

On Mon, Sep 21, 2020 at 5:45 PM Joshua Watt <jpewhacker@gmail.com> wrote:
>
> The sshkeygen uses a lot of CPU time which delays booting (especially in
> the case where no SSH connection is going to happen), but we also want
> to be proactive about generating it early so that the first SSH login
> doesn't have to wait a long time.
>
> Starting the key generation when the sockets are created (which is
> pretty early in the boot process) slows down the boot due to high CPU
> usage, so as a compromise start it no later than multi-user mode when
> things have typically settled down. Note that if an SSH connection comes
> in before multi-user.target is reached, key generation will be started
> immediately.
>
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
>  meta/recipes-connectivity/openssh/openssh/sshd.socket        | 1 -
>  meta/recipes-connectivity/openssh/openssh/sshd@.service      | 1 +
>  .../recipes-connectivity/openssh/openssh/sshdgenkeys.service | 5 +++++
>  3 files changed, 6 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket b/meta/recipes-connectivity/openssh/openssh/sshd.socket
> index 8d76d62309..12c39b26b5 100644
> --- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
> @@ -1,6 +1,5 @@
>  [Unit]
>  Conflicts=sshd.service
> -Wants=sshdgenkeys.service
>
>  [Socket]
>  ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service b/meta/recipes-connectivity/openssh/openssh/sshd@.service
> index 9d9965e624..40fd38730a 100644
> --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service
> +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
> @@ -1,5 +1,6 @@
>  [Unit]
>  Description=OpenSSH Per-Connection Daemon
> +Wants=sshdgenkeys.service
>  After=sshdgenkeys.service
>
>  [Service]
> diff --git a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> index fd81793d51..52617ec275 100644
> --- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> @@ -7,3 +7,8 @@ ExecStart=@LIBEXECDIR@/sshd_check_keys
>  Type=oneshot
>  RemainAfterExit=yes
>  Nice=10
> +
> +[Install]
> +# Start key generation no later than multi-user mode so that we can hopefully
> +# have it generated before the first SSH connection
> +WantedBy=multi-user.target

This looks better than what we have. Please do something similar for
dropbearkey.service as well.
I also wonder if we need After anchor but I would not worry too much about it.

> --
> 2.28.0
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [OE-core][RFC] openssh: Start key generation in multi-user mode
  2020-09-22  5:13 ` Khem Raj
@ 2020-09-22 12:55   ` Joshua Watt
  0 siblings, 0 replies; 3+ messages in thread
From: Joshua Watt @ 2020-09-22 12:55 UTC (permalink / raw)
  To: Khem Raj
  Cc: Patches and discussions about the oe-core layer, Alex Kiernan,
	Richard Purdie

[-- Attachment #1: Type: text/plain, Size: 3098 bytes --]

On Tue, Sep 22, 2020, 12:14 AM Khem Raj <raj.khem@gmail.com> wrote:

> On Mon, Sep 21, 2020 at 5:45 PM Joshua Watt <jpewhacker@gmail.com> wrote:
> >
> > The sshkeygen uses a lot of CPU time which delays booting (especially in
> > the case where no SSH connection is going to happen), but we also want
> > to be proactive about generating it early so that the first SSH login
> > doesn't have to wait a long time.
> >
> > Starting the key generation when the sockets are created (which is
> > pretty early in the boot process) slows down the boot due to high CPU
> > usage, so as a compromise start it no later than multi-user mode when
> > things have typically settled down. Note that if an SSH connection comes
> > in before multi-user.target is reached, key generation will be started
> > immediately.
> >
> > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> > ---
> >  meta/recipes-connectivity/openssh/openssh/sshd.socket        | 1 -
> >  meta/recipes-connectivity/openssh/openssh/sshd@.service      | 1 +
> >  .../recipes-connectivity/openssh/openssh/sshdgenkeys.service | 5 +++++
> >  3 files changed, 6 insertions(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd.socket
> b/meta/recipes-connectivity/openssh/openssh/sshd.socket
> > index 8d76d62309..12c39b26b5 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/sshd.socket
> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd.socket
> > @@ -1,6 +1,5 @@
> >  [Unit]
> >  Conflicts=sshd.service
> > -Wants=sshdgenkeys.service
> >
> >  [Socket]
> >  ExecStartPre=@BASE_BINDIR@/mkdir -p /var/run/sshd
> > diff --git a/meta/recipes-connectivity/openssh/openssh/sshd@.service
> b/meta/recipes-connectivity/openssh/openssh/sshd@.service
> > index 9d9965e624..40fd38730a 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/sshd@.service
> > +++ b/meta/recipes-connectivity/openssh/openssh/sshd@.service
> > @@ -1,5 +1,6 @@
> >  [Unit]
> >  Description=OpenSSH Per-Connection Daemon
> > +Wants=sshdgenkeys.service
> >  After=sshdgenkeys.service
> >
> >  [Service]
> > diff --git
> a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> > index fd81793d51..52617ec275 100644
> > --- a/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> > +++ b/meta/recipes-connectivity/openssh/openssh/sshdgenkeys.service
> > @@ -7,3 +7,8 @@ ExecStart=@LIBEXECDIR@/sshd_check_keys
> >  Type=oneshot
> >  RemainAfterExit=yes
> >  Nice=10
> > +
> > +[Install]
> > +# Start key generation no later than multi-user mode so that we can
> hopefully
> > +# have it generated before the first SSH connection
> > +WantedBy=multi-user.target
>
> This looks better than what we have. Please do something similar for
> dropbearkey.service as well.
> I also wonder if we need After anchor but I would not worry too much about
> it.
>

Yes, it may need After=multi-user.target, otherwise it might start earlier
than you want


> > --
> > 2.28.0
> >
>

[-- Attachment #2: Type: text/html, Size: 4132 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2020-09-22 12:55 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-09-22  0:44 [OE-core][RFC] openssh: Start key generation in multi-user mode Joshua Watt
2020-09-22  5:13 ` Khem Raj
2020-09-22 12:55   ` Joshua Watt

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.