Jody, tl;dr: the pool used to create the random numbers has the entropy.
Linux maintains a pool of entropy from nondeterministic sources such as device timings, interrupts, mouse and keyboard activity, and so on. The entropy pool is then used to seed a pseudo-random number generator. The resulting random numbers from /dev/random are very high quality. The problem with /dev/random is that it is blocking; it is easy to drain the pool, at which point reads will block until more entropy is available. /dev/urandom continues to produce pseudo-random bytes regardless of the pool entropy estimate (it does not block); its bytes may be suitable for most cryptographic purposes.

See: https://en.wikipedia.org/wiki//dev/random

Recently booted machines have little entropy. Virtual machines are also vulnerable as they are often restarted (and have no hardware of their own to provide good-quality entropy).

Kind regards,
Ben.

On 28/01/17 10:18, Jody Garnett wrote:
> What is random number entropy?
>
> --
> Jody Garnett
>
> On 27 January 2017 at 05:15, Daniel Araujo Miranda <[email protected]> wrote:
>
>> Hello everyone,
>>
>> TLDR: Change the line "securerandom.source=file:/dev/random" in
>> "/etc/java-8-openjdk/security/java.security" to point to /dev/urandom
>> instead to start a clean geoserver install in 13 seconds instead of 6
>> minutes. Be mindful of security implications.
>>
>> I have been puzzled for some time why geoserver 2.10 and 2.10.1 took
>> about 6 minutes to start in a kvm virtual machine, with a newly copied
>> war file to the tomcat folder (/var/lib/tomcat8/webapps/ in my case).
>> Nobody else seemed to have that problem and I was unable to identify
>> meaningful log messages or anything different with my installation to
>> ask a proper question here. I found out that the random number generator
>> was not getting enough entropy to even start up a new session in tomcat.
>> I finally noticed the following line in
>> /var/log/tomcat8/catalina.out which exposed the problem:
>>
>> INFO: Creation of SecureRandom instance for session ID generation using
>> [SHA1PRNG] took [313,537] milliseconds.
>>
>> (In my defense, we use the comma as a decimal separator in Brazil, so
>> the above time seemed to be 0.3 seconds at a glance)
>>
>> Changing securerandom.source from /dev/random to /dev/urandom in
>> java.security solved the problem immediately. I decided to exchange a
>> bit of security for a faster startup. Please BE AWARE OF THE SECURITY
>> IMPLICATIONS if you do that. My assessment is that it is a reasonable
>> tradeoff IN MY CASE.
>>
>> How to test:
>>
>> -take a fresh ubuntu 16.4 server "minimal virtual machine"
>> installation in a KVM host
>>
>> -Install tomcat8
>>
>> -Download geoserver, jai and jai_imageio
>>
>> -Unpack everything in their proper places (see
>> http://docs.geoserver.org/stable/en/user/production/java.html)
>>
>> -after tomcat stops unpacking the geoserver war, run:
>>
>> service tomcat8 stop && service tomcat8 start && time curl -vv http://127.0.0.1:8080/geoserver/web
>>
>> That will take an arbitrary amount of time to complete, depending on how
>> much entropy your VM has access to. If it is on a busy network and you
>> type a lot on the console, it may finish sooner; if it is completely
>> isolated and you are using a virtual terminal instead of ssh, it may
>> take a long time. In my case it took 6 minutes with very light ssh
>> console usage and a quiet network. Making more usage of the ssh console
>> brought the time down to 3 minutes.
>>
>> Change the entropy source from /dev/random to /dev/urandom and you will
>> see times for that test around 10 seconds.
>>
>> Best,
>> Daniel
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Geoserver-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>>

-- 
Ben Caradoc-Davies <[email protected]>
Director
Transient Software Limited <http://transient.nz/>
New Zealand
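A small shell audit, added here and not part of the thread, that turns Daniel's diagnosis into a repeatable check: it reads the securerandom.source setting from a java.security file (the file he edited), classifies it as blocking or not, and compares the kernel's entropy estimate from /proc/sys/kernel/random/entropy_avail against a threshold so a quiet VM can be flagged before Tomcat stalls at startup. The helper names (securerandom_source, classify_source, at_risk, audit), the 256-bit threshold and the constructed sample files are my assumptions; the /dev/./urandom spelling is the one JDK 7 and older required to actually get the non-blocking device.

```shell
#!/bin/sh
# Added audit helper (not from the thread): report which seed source a JDK's
# java.security configures for SecureRandom and the kernel's current entropy
# estimate, so a freshly booted VM that will stall at Tomcat startup is spotted
# before deployment. Paths are parameters; helper names and threshold are assumptions.

# Effective value of securerandom.source: comment lines skipped, last assignment
# wins (Java properties semantics). Prints nothing when the key is absent.
securerandom_source() {
    sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1
}

# blocking    -> /dev/random: reads stall once the entropy estimate is drained
# nonblocking -> /dev/urandom (JDK 7 and older mapped file:/dev/urandom back to
#                /dev/random, hence the /dev/./urandom spelling)
# unknown     -> anything else, including a missing key
classify_source() {
    case "$1" in
        file:/dev/random)                      echo blocking ;;
        file:/dev/urandom|file:/dev/./urandom) echo nonblocking ;;
        *)                                     echo unknown ;;
    esac
}

# Kernel entropy estimate in bits; 0 when the file is unreadable (non-Linux host).
entropy_bits() { cat "$1" 2>/dev/null || echo 0; }

# Status 0 when SecureRandom initialisation is likely to block: a blocking source
# combined with an estimate below the threshold (default 256 bits, an assumption).
at_risk() { [ "$1" = blocking ] && [ "$2" -lt "${3:-256}" ]; }

# $1: java.security path, $2: entropy_avail path. Prints a one-line report.
audit() {
    src=$(securerandom_source "$1"); kind=$(classify_source "$src")
    bits=$(entropy_bits "$2")
    printf 'securerandom.source=%s (%s) entropy_avail=%s\n' "${src:-<unset>}" "$kind" "$bits"
    if at_risk "$kind" "$bits"; then
        echo 'WARNING: SecureRandom will block until the pool refills (slow Tomcat start)'
    fi
}

# Constructed sample: a java.security fragment with the thread's setting and a
# fake entropy_avail of 42 bits standing in for a quiet, freshly booted VM.
tmp=$(mktemp -d)
printf '# securerandom.source=file:/dev/urandom\nsecurerandom.source=file:/dev/random\n' > "$tmp/java.security"
echo 42 > "$tmp/entropy_avail"
audit "$tmp/java.security" "$tmp/entropy_avail"
# On a real host: audit /etc/java-8-openjdk/security/java.security /proc/sys/kernel/random/entropy_avail
rm -rf "$tmp"
```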
