I'm having an issue related to #15825. As in #15825, I am unable to start a Coder workspace using an Ubuntu image newer than 22.04, but (per #15423) the remediation seems to be to "Improve agent connection troubleshooting". The issue (for me) runs deeper in that, when using a working Coder image, I also cannot `curl` or `wget` an `https` url when `docker run`ning a newer Ubuntu image. For example:

Ubuntu 22.04 (success)

```
$ docker run --rm -it ubuntu:22.04
# apt update && apt install -y curl ; curl --version ; curl https://www.google.com > /dev/null ; echo $?
...
curl 7.81.0 (x86_64-pc-linux-gnu) libcurl/7.81.0 OpenSSL/3.0.2 zlib/1.2.11 brotli/1.0.9 zstd/1.4.8 libidn2/2.3.2 libpsl/0.21.0 (+libidn2/2.3.2) libssh/0.9.6/openssl/zlib nghttp2/1.43.0 librtmp/2.3 OpenLDAP/2.5.18
Release-Date: 2022-01-05
...
0
```

Ubuntu 24.04 (failure)

```
$ docker run --rm -it ubuntu:24.04
# apt update && apt install -y curl ; curl https://www.google.com > /dev/null ; echo $?
...
curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3 brotli/1.1.0 zstd/1.5.5 libidn2/2.3.7 libpsl/0.21.2 (+libidn2/2.3.7) libssh/0.10.6/openssl/zlib nghttp2/1.59.0 librtmp/2.3 OpenLDAP/2.6.7
Release-Date: 2023-12-06, security patched: 8.5.0-2ubuntu10.6
...
curl: (35) Insufficient randomness
35
```

Ubuntu 24.10 (failure)

```
$ docker run --rm -it ubuntu:24.10
# apt update && apt install -y curl ; curl https://www.google.com > /dev/null ; echo $?
...
curl 8.9.1 (x86_64-pc-linux-gnu) libcurl/8.9.1 OpenSSL/3.3.1 zlib/1.3.1 brotli/1.1.0 zstd/1.5.6 libidn2/2.3.7 libpsl/0.21.2 libssh2/1.11.0 nghttp2/1.62.1 librtmp/2.3 OpenLDAP/2.6.8
Release-Date: 2024-07-31, security patched: 8.9.1-2ubuntu2.2
...
curl: (35) Insufficient randomness
35
```

And an example `wget` failure:

```
# wget https://www.google.com
--2025-04-09 17:05:46-- https://www.google.com/
Could not seed PRNG; consider using --random-file.
OpenSSL: error:12800067:DSO support routines::could not load the shared library
OpenSSL: error:12800067:DSO support routines::could not load the shared library
OpenSSL: error:07880025:common libcrypto routines::reason(37)
OpenSSL: error:0308010C:digital envelope routines::unsupported
OpenSSL: error:12000090:random number generator::unable to fetch drbg
Disabling SSL due to encountered errors.
```

Per the `curl` discussion here: curl/curl#11022, @anthonyryan1 reported success recompiling `curl` using version 3.1.1 of OpenSSL. @nhorman resolved a partner issue for OpenSSL here: openssl/openssl#20826 with the message

> associated curl discussion seems to have resolved this with a libcurl update
>
> marking as inactive, will be closed at the completion of 3.4 dev without further input

Some issues with this resolution:

- I assume that since both `curl` and `wget` are affected, anything that uses OpenSSL is affected. None of the newer Ubuntu images use PPAs with packages where `apt install` contains a fix. It is onerous to require individuals to recompile every affected tool off of OpenSSL 3.1.1 (I did not verify @anthonyryan1's fix works).
- If a fix was made in OpenSSL 3.1.1, it has since regressed. The `ubuntu:24.10` test above shows `curl` failing even though compiled with OpenSSL 3.3.1.

I'm not claiming the problem is inherently a Coder problem, nor an AWS, OpenSSL, `curl`, or `wget`, etc. problem. But, I want to raise this issue somewhere, and I would like to be able to use newer versions of Ubuntu with Coder, so I made the issue here. All that said, I understand fixing the underlying issue is a bit of a Hail Mary.