Bug 1303756

Summary: candlepin uses /dev/random instead of /dev/urandom, leading to slow startup times
Product: [Retired] Katello
Reporter: Chris Duryee <cduryee>
Component: Installer
Assignee: Katello Bug Bin <katello-bugs>
Status: CLOSED EOL
QA Contact: Katello QA List <katello-qa-list>
Severity: low
Priority: medium
Version: 2.0
CC: awood, bcourt
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2020-03-27 19:41:44 UTC
Type: Bug
Bug Blocks: 1435022

Description Chris Duryee 2016-02-01 20:56:14 UTC
Description of problem:

We are currently in the process of finding items that may impact Satellite performance. We found recently that candlepin makes calls to /dev/random instead of /dev/urandom in some cases.

# lsof /dev/random
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    6465 tomcat   41r   CHR    1,8      0t0 1032 /dev/random
java    6465 tomcat   43r   CHR    1,8      0t0 1032 /dev/random
java    6465 tomcat   44r   CHR    1,8      0t0 1032 /dev/random
java    6465 tomcat  119r   CHR    1,8      0t0 1032 /dev/random

Some users have noted that after increasing their entropy counter via tools like 'haveged', performance increased. However, /dev/urandom should be acceptable to use instead of /dev/random.

Version-Release number of selected component (if applicable): 0.9.51


How reproducible: every time (measured via tomcat startup time)

Steps to Reproduce:

note: I have not tried this on physical HW, only VMs.

1. yum install -y lsof; lsof /dev/random
2. stop rngd service and tomcat, ensure "lsof /dev/random" is empty
3. drain /dev/random: "cat /dev/random > /dev/null", wait a few seconds
4. check "/proc/sys/kernel/random/entropy_avail" and ensure it's a low number (less than 50)
5. start tomcat, check startup time

Actual results: extremely slow startup. This likely affects other areas as well but startup time is the easiest one to check.

Expected results: same startup speed whether or not rngd is running


Additional info: http://www.2uo.de/myths-about-urandom/ has info about /dev/random vs /dev/urandom

Comment 3 Alex Wood 2016-03-07 18:52:38 UTC
I think it's fine to switch to /dev/urandom, but it's not something that we control.  The entropy source is either set via a system property (set via tomcat.conf for example) or within $JAVA_HOME/jre/lib/security/java.security.  Neither of those methods are things within the control of the Candlepin RPM.  Configuring the settings in those files is more an issue for the Katello installer, so I'm reassigning to that component.

Be forewarned that there are some issues with JVMs not respecting what's set in java.security.  See

http://bugs.java.com/view_bug.do?bug_id=6202721
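
Added example, not part of the bug report or of the Candlepin/Katello code: a shell check for which entropy device a JVM is configured to read, covering the two places Comment 3 names. It assumes the standard JDK names `java.security.egd` (system property) and `securerandom.source` (java.security key); the sample files are constructed.

```shell
#!/bin/sh
# Added example: which entropy device is a JVM configured to read?
# Assumed names: the JDK's `securerandom.source` key and `java.security.egd` property.

# Last -Djava.security.egd=... value in an options file such as tomcat.conf.
egd_from_opts() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -o -e "-Djava\.security\.egd=[^[:space:]\"']*" |
        tail -n 1 | cut -d= -f2-
}

# Last uncommented securerandom.source value in a java.security file.
source_from_security() {
    sed -n 's/^[[:space:]]*securerandom\.source[[:space:]]*=[[:space:]]*//p' \
        "$1" 2>/dev/null | tail -n 1
}

# The system property, when set, overrides java.security.
effective_source() {
    v=$(egd_from_opts "$1")
    [ -n "$v" ] || v=$(source_from_security "$2")
    printf '%s\n' "$v"
}

# Map a source URL to the device it names.
classify() {
    case "$1" in
        file:/dev/random)                      echo random ;;
        file:/dev/urandom|file:/dev/./urandom) echo urandom ;;
        "")                                    echo unset ;;
        *)                                     echo other ;;
    esac
}

# Constructed sample files (not taken from a real Satellite host).
demo=$(mktemp -d)
printf 'securerandom.source=file:/dev/random\n' > "$demo/java.security"
printf '# JAVA_OPTS="-Djava.security.egd=file:/dev/random"\nJAVA_OPTS="-Xms1024m"\n' \
    > "$demo/tomcat.conf.before"
printf 'JAVA_OPTS="-Xms1024m -Djava.security.egd=file:/dev/urandom"\n' \
    > "$demo/tomcat.conf.after"

for f in before after; do
    src=$(effective_source "$demo/tomcat.conf.$f" "$demo/java.security")
    echo "tomcat.conf.$f: $src -> $(classify "$src")"
done
```

The result only reflects configuration; running "lsof /dev/random" against the live process, as in the description, confirms what the JVM actually opened.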