Oded Arbel | 1 Oct 2003 14:31

Help, Help, I've ran out of entropy!


Hi list.

I'm having a problem with a server, where apparently I don't have any entropy 
left in /dev/random :
# sysctl -A | grep random
kernel.random.entropy_avail = 0

and of course - every call to /dev/random blocks. The server in question is a 
headless box, so of course no entropy is generated by HID devices such as 
mouse and keyboard, but IIRC dev/random should also be filled by disc access 
(of which there is a lot) and maybe network (I remember a discussion on 
turning off entropy feeding from the NICs, but I don't remember if it was 
actually carried out).

The kernel is 2.4.21 with grsecurity patches, and I was wondering if anyone 
has any idea what I can do now - can I somehow seed dev/random by hand ? 
All the file systems are reiserFS, which raises the following question - is it 
possible that reiserFS block I/O does not generate entropy ?

-- 
Oded

::..
When you do not know what you are doing, do it neatly.

=================================================================
To unsubscribe, send mail to linux-il-request@... with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@...

Yedidyah Bar-David | 1 Oct 2003 14:51

Re: Help, Help, I've ran out of entropy!

Hi,

Debian has a package called 'reseed' that seems to do just that (by
getting random data from random.org, but you can probably make it
use some other random data). I never tried it myself, though, and I
can also suggest that you buy hardware for that, if it's an important
server (e.g. i810 boards have it onboard).
-- 
Didi


Muli Ben-Yehuda | 1 Oct 2003 14:54

Re: Help, Help, I've ran out of entropy!

On Wed, Oct 01, 2003 at 03:31:44PM +0300, Oded Arbel wrote:
> 
> Hi list.
>  
> I'm having a problem with a server, where apparently I don't have any entropy 
> left in /dev/random :
> # sysctl -A | grep random
> kernel.random.entropy_avail = 0
> 
> and of course - every call to /dev/random blocks. The server in question is a 
> headless box, so of course no entropy is generated by HID devices such as 
> mouse and keyboard, but IIRC dev/random should also be filled by disc access 
> (of which there is a lot) and maybe network (I remember a discussion on 
> turning off entropy feeding from the NICs, but I don't remember if it was 
> actually carried out).

Some NICs generate entropy, some don't. Which depends on your kernel
version and possibly runtime configuration. 

> The kernel is 2.4.21 with grsecurity patches, and I was wondering if anyone 
> has any idea what I can do now - can I somehow seed dev/random by
> hand ? 

Why not use /dev/urandom? That one never blocks. 

> All the file systems are reiserFS, which raises the following
> question - is it  possible that reiserFS block I/O does not generate
> entropy ? 

It's possible, yes. Looking at the code (2.4.23-pre5, but I doubt there

Oded Arbel | 1 Oct 2003 15:21

Re: Help, Help, I've ran out of entropy!

On Wednesday 01 October 2003 15:51, Yedidyah Bar-David wrote:
> Hi,
>
> Debian has a package called 'reseed' that seems to do just that (by
> getting random data from random.org, but you can probably make it
> use some other random data). I never tried it myself, though, and I

reseed seeds /dev/urandom, which doesn't help me. I tried to get it to seed 
/dev/random, but apparently it doesn't like getting input.

> can also suggest that you buy hardware for that, if it's an important
> server (e.g. i810 boards have it onboard).

Additional hardware is currently not an option for me.

-- 
Oded

::..
Saint:  A dead sinner revised and edited.
	-- Ambrose Bierce
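
Added example (not part of the original thread and not code from any poster): on Linux, bytes written to /dev/random are mixed into the pool but do not raise kernel.random.entropy_avail, so a plain write of seed data does not unblock readers. The RNDADDENTROPY ioctl from <linux/random.h> mixes the bytes and credits them, and requires root. The seed source passed on the command line is an assumption; the kernel takes the credited bit count on trust, so the source must be one whose output nobody else can predict.

```c
#include <fcntl.h>
#include <linux/random.h>   /* RNDADDENTROPY, struct rand_pool_info */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Build the ioctl argument; claimed bits are clamped to the seed size. */
struct rand_pool_info *pack_seed(const unsigned char *seed, int len, int bits)
{
    struct rand_pool_info *p;
    if (len <= 0 || bits < 0) return NULL;
    p = malloc(sizeof(*p) + (size_t)len);
    if (!p) return NULL;
    p->entropy_count = bits > len * 8 ? len * 8 : bits;
    p->buf_size = len;                 /* size of buf in bytes */
    memcpy(p->buf, seed, (size_t)len);
    return p;
}

/* Mix the seed in and raise entropy_avail; -1 (EPERM) if not root. */
int credit_entropy(const unsigned char *seed, int len, int bits)
{
    struct rand_pool_info *p = pack_seed(seed, len, bits);
    int fd, rc = -1;
    if (!p) return -1;
    fd = open("/dev/random", O_WRONLY);
    if (fd >= 0) {
        rc = ioctl(fd, RNDADDENTROPY, p);
        close(fd);
    }
    free(p);
    return rc;
}

int main(int argc, char **argv)
{
    unsigned char seed[64];
    /* argv[1]: hypothetical trusted seed source, e.g. a hardware RNG device */
    FILE *src = argc > 1 ? fopen(argv[1], "rb") : NULL;
    size_t n = src ? fread(seed, 1, sizeof seed, src) : 0;
    if (src) fclose(src);
    if (n != sizeof seed || credit_entropy(seed, (int)n, (int)n * 8) != 0) {
        fprintf(stderr, "seeding failed (need root and 64 seed bytes)\n");
        return 1;
    }
    return 0;
}
```

Compare `sysctl kernel.random.entropy_avail` before and after a run to see the credit take effect.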


Oded Arbel | 1 Oct 2003 15:35

Re: Help, Help, I've ran out of entropy!

On Wednesday 01 October 2003 15:54, Muli Ben-Yehuda wrote:
> On Wed, Oct 01, 2003 at 03:31:44PM +0300, Oded Arbel wrote:
> > I'm having a problem with a server, where apparently I don't have any
> > entropy left in /dev/random :
> > # sysctl -A | grep random
> > kernel.random.entropy_avail = 0

> Why not use /dev/urandom? That one never blocks.

1. It's lower quality
2. It's not my software, and I don't feel like messing around with the source 
code right now. I'll do that if I'll have no choice, but seeing as /dev/random 
is important to have, I thought I'd try to deal with the source of the 
problem first.

> It's possible, yes. Looking at the code (2.4.23-pre5, but I doubt there
> were major changes in this area in the vanilla kernels), 

I'm not using vanilla - I prefer buttermilk myself, but I have grsecurity 
patches. AFAIK, grsecurity shouldn't turn off any entropy generation - it 
relies on good quality entropy pool to add more randomacity to stuff the 
kernel does.

> the relevant 
> function is add_blkdev_randomness, which works at the block layer, not
> the file system layer, so it doesn't have much to do with
> reiserfs. 

Then, could you please offer a hypothesis as to why my dev/random is empty ?


Eli Billauer | 1 Oct 2003 16:45

Re: Help, Help, I've ran out of entropy!

Hello Oded & list.

Could you please be more detailed about what you need this for? Is it 
the internal TCP-sequence number generator, or do you have some 
application that is hungry for a lot of random data? How random does it 
really have to be?

Eli

Oded Arbel wrote:

>Hi list.
> 
>I'm having a problem with a server, where apparently I don't have any entropy 
>left in /dev/random :
># sysctl -A | grep random
>kernel.random.entropy_avail = 0
>
>and of course - every call to /dev/random blocks. The server in question is a 
>headless box, so of course no entropy is generated by HID devices such as 
>mouse and keyboard, but IIRC dev/random should also be filled by disc access 
>(of which there is a lot) and maybe network (I remember a discussion on 
>turning off entropy feeding from the NICs, but I don't remember if it was 
>actually carried out).
>
>The kernel is 2.4.21 with grsecurity patches, and I was wondering if anyone 
>has any idea what I can do now - can I somehow seed dev/random by hand ? 
>All the file systems are reiserFS, which raises the following question - is it 
>possible that reiserFS block I/O does not generate entropy ?
>

Muli Ben-Yehuda | 1 Oct 2003 15:47

Re: Help, Help, I've ran out of entropy!

On Wed, Oct 01, 2003 at 04:35:23PM +0300, Oded Arbel wrote:
> On Wednesday 01 October 2003 15:54, Muli Ben-Yehuda wrote:
> > On Wed, Oct 01, 2003 at 03:31:44PM +0300, Oded Arbel wrote:
> > > I'm having a problem with a server, where apparently I don't have any
> > > entropy left in /dev/random :
> > > # sysctl -A | grep random
> > > kernel.random.entropy_avail = 0
> 
> > Why not use /dev/urandom? That one never blocks.
> 
> 1. It's lower quality

I don't know what's your application, but I really doubt it matters. 

> 2. It's not my software, and I don't feel like messing around with the source 
> code right now. I'll do that if I'll have no choice, but seeing as /dev/random 
> is important to have, I thought I'd try to deal with the source of the 
> problem first.

Unix 101: use a symlink. Even better, recreate /dev/random with
/dev/urandom's minor number for this application. 

> > It's possible, yes. Looking at the code (2.4.23-pre5, but I doubt there
> > were major changes in this area in the vanilla kernels), 
> 
> I'm not using vanilla - I prefer buttermilk myself, but I have grsecurity 
> patches. AFAIK, grsecurity shouldn't turn off any entropy generation - it 
> relies on good quality entropy pool to add more randomacity to stuff the 
> kernel does.


Shachar Shemesh | 1 Oct 2003 15:48

Re: Help, Help, I've ran out of entropy!

Oded Arbel wrote:

>I'm not using vanilla - I prefer buttermilk myself, but I have grsecurity 
>patches. AFAIK, grsecurity shouldn't turn off any entropy generation - it 
>relies on good quality entropy pool to add more randomacity to stuff the 
>kernel does.
>
..

>Then, could you please offer a hypothesis as to why my dev/random is empty ?
>  
>
Maybe something grsecurity is doing in the kernel is depleting your 
randomness pool?

          Shachar

-- 
Shachar Shemesh
Open Source integration consultant
Home page & resume - http://www.shemesh.biz/


Oded Arbel | 1 Oct 2003 16:20

Re: Help, Help, I've ran out of entropy!

On Wednesday 01 October 2003 16:47, Muli Ben-Yehuda wrote:

> > > Why not use /dev/urandom? That one never blocks.
> >
> > 1. It's lower quality
>
> I don't know what's your application, but I really doubt it matters.
>
> > 2. It's not my software, and I don't feel like messing around with the
> > source code right now. I'll do that if I'll have no choice, but seeing as
> > /dev/random is important to have, I thought I'd try to deal with the
> > source of the problem first.
>
> Unix 101: use a symlink. Even better, recreate /dev/random with
> /dev/urandom's minor number for this application.

You are probably right on both issues, but I know how to implement 
work-arounds - this isn't my problem, I've put a work-around in place the 
minute I figured out why the server isn't working.
I'd like to get some help where I don't have enough know-how and experience - 
understanding why /dev/random is empty and how to replenish it.

> > I'm not using vanilla - I prefer buttermilk myself, but I have grsecurity
> > patches. AFAIK, grsecurity shouldn't turn off any entropy generation - it
> > relies on good quality entropy pool to add more randomacity to stuff the
> > kernel does.
>
> Have you verified that it's not doing anything fishy?

Ah.. no. I don't know how - I'm not intimate with grsecurity. Can you offer 

Oded Arbel | 1 Oct 2003 16:26

Re: Help, Help, I've ran out of entropy!

On Wednesday 01 October 2003 17:45, Eli Billauer wrote:

> Could you please be more detailed about what you need this for? Is it 
> the internal TCP-sequence number generator, or do you have some
> application that is hungry for a lot of random data? 

Some internal software wants random data.

> How random does it really have to be?

Not terribly. I moved to /dev/urandom, but would really like to know why 
/dev/random is empty and why it doesn't replenish fast enough, or maybe at all - 
I turned off all userland randomacity consumers, and the pool is still 
empty. On my workstation (which has user input to get random data from), the 
pool replenishes within seconds.

-- 
Oded

::..
Customer: A primitive life form at the bottom of the food chain.


