
RHEL 5.x has an entropy-generation problem (held-over from kernel 2.4). Following directions from here has produced little-to-no results:

How to increase entropy pool on a 2.6 kernel RHEL/Fedora system without keyboard/mouse.

A good source of entropy is needed for random number generation. This affects services that go via SSL amongst other things. In 2.6 kernels the entropy sources of a system are keyboard, mouse and some IRQ interrupts. There are two random number sources on Linux - /dev/random and /dev/urandom. /dev/random will block if there is nothing left in the entropy bit bucket. If your system does not have keyboard and mouse, you can use the 'rngd' daemon to perform the task. You can see the entropy value using the following command.

    # cat /proc/sys/kernel/random/entropy_avail

Now, start the 'rngd' daemon using the following command and monitor the entropy on the system.

    # rngd -r /dev/urandom -o /dev/random -f -t 1
    # watch -n 1 cat /proc/sys/kernel/random/entropy_avail

What other fixes are available for this issue?


Background

There is a known issue (on HP's side) with one component in the current version of Server Automation that takes a long time to startup due to a small entropy pool on RHEL 5. I'm trying to find a workaround until/unless it's fixed on the vendor's part.

warren
  • Where does it say in your links that this affects 2.6 as well? – Mark Wagner Aug 22 '11 at 22:23
  • If you need lots of entropy, you could [buy more](http://www.entropykey.co.uk/). See also: http://vincentsanders.blogspot.com/2011/08/year-of-entropy.html – Zoredache Aug 22 '11 at 22:27
  • @embobo - in the quoted segment for what I have already tried (from http://www.vglug.info/how-increase-entropy-pool-2-6-kernel-rhel-fedora-system-without-keyboard-mouse) – warren Aug 22 '11 at 22:41
  • @warren, You really haven't made it clear what the problem is. Do you actually need more entropy for something, or are you just worried about this? So you ran those two commands, did anything change at all? Are you still not getting enough entropy? Or what. – Zoredache Aug 22 '11 at 22:48
  • @Zoredache : yes - I need more entropy in the pool for SSL-based components to an application I'm running; startup times *should* be on the order of 10-15 minutes, but on RHEL 5 it's upwards of 20 due to the entropy issue. And I thought I had made it clear that running `rngd` hadn't helped ("little-to-no results") – warren Aug 22 '11 at 23:03
  • No, that doesn't make it very clear. I was hoping you would say something like while I am doing nnn the output of `cat /proc/sys/kernel/random/entropy_avail` tends to be at or near zero constantly, but when the system is idle it tends to be around ~140. Is it not refilling at all? Or is it just refilling too slowly for your needs? – Zoredache Aug 22 '11 at 23:10
  • @Zoredache - ahh ... the entropy pool actually *falls* while running the `rngd` tool as directed in the above quote – warren Aug 22 '11 at 23:32
  • @warren let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/1159/discussion-between-zoredache-and-warren) – Zoredache Aug 22 '11 at 23:36
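
A small sampler that records the same counter the quoted text polls with `watch` and reports whether the pool is draining or refilling over the window, which is the measurement Zoredache asks for in the comments. This is an added example, not code from the question or from the linked article; the `/proc` path is the standard Linux one, and the 128-bit low watermark is an assumption chosen for illustration.

```python
"""Sample the kernel entropy pool over time and report drain/refill behaviour.

Added example for the question above; not from the original post.
"""
import time

ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"  # Linux-only path
LOW_WATERMARK = 128  # assumption: readers of /dev/random tend to block below this


def read_entropy_avail(path=ENTROPY_AVAIL):
    """Return the kernel's current entropy estimate (in bits) as an int."""
    with open(path) as fh:
        return int(fh.read().strip())


def sample_pool(count, interval, path=ENTROPY_AVAIL, reader=read_entropy_avail):
    """Collect `count` readings spaced `interval` seconds apart.

    `reader` is injectable so the logic can be exercised without /proc.
    """
    samples = []
    for i in range(count):
        samples.append(reader(path))
        if i < count - 1:
            time.sleep(interval)
    return samples


def classify_trend(samples, low=LOW_WATERMARK):
    """Summarise a list of readings.

    Returns the minimum and maximum seen, the net change from first to last
    reading, how many samples sat at or below `low` (i.e. periods where an
    SSL handshake reading /dev/random would likely stall), and a one-word
    verdict: 'draining', 'refilling' or 'stable'.
    """
    if not samples:
        raise ValueError("no samples")
    delta = samples[-1] - samples[0]
    if delta < 0:
        verdict = "draining"
    elif delta > 0:
        verdict = "refilling"
    else:
        verdict = "stable"
    return {
        "min": min(samples),
        "max": max(samples),
        "delta": delta,
        "starved_samples": sum(1 for s in samples if s <= low),
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Ten one-second samples, taken while the slow-starting service is running.
    readings = sample_pool(count=10, interval=1)
    print(readings)
    print(classify_trend(readings))
```

Run it once with the system idle and once while the slow component starts; a pool that sits at or below the watermark during startup but climbs when idle is starved by demand, while one that stays low in both cases is not being refilled at all.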

4 Answers


As has been pointed out, colocated servers, lacking that random human being to create entropy, generally don't have much of it to spare. If you have a physical server with a spare USB port, and a demonstrable need for high-grade entropy, you could do worse than get yourself an Entropy Key. I don't normally recommend specific products on SF, but I rather like this one, and it does the job nicely.

Here's the depth of my pool before fitting the key:

[image: pool depth before key]

and here's the pool after:

[image: pool depth after key]

Declaration of interest: I have no connection with the makers except that I bought one of their products, at full price, and like it.

Edit (July 2015): the Entropy Key website has for some time said that they're out of stock, and they don't know when they'll have more made. However, OneRNG, a project to make a completely-open, verifiable, USB-connected entropy generator, was fully funded on kickstarter, and at the time of writing intends to start selling them via a webstore once their kickstarter obligations are fulfilled.

MadHatter

I don't know how much entropy you need, but you could use the HTTP API on random.org to feed entropy into your system (try rand_add). Or you could use something like the Entropy Gathering Daemon.

Klox
  • From a security point of view, using publicly observable (or even changeable) random sources is not a good idea. – Paŭlo Ebermann Aug 23 '11 at 21:25
  • You're right. If warren wanted to use the random.org API for business use, I would recommend using HTTPS and paying for the random.org service to establish trust through a financial and legal agreement. – Klox Aug 23 '11 at 21:33

Change the t parameter to .1 or .001

Grayd8

Also found this article, "Cut your WebLogic startup time in half on Linux", via a coworker this week.

The problem is worse in VMs than on physical machines because there is a lack of "driver noise".

Update 31 Mar 2016

You can also run haveged. Or try twuewand.

warren