Red Hat Bugzilla – Bug 1303756
candlepin uses /dev/random instead of /dev/urandom, leading to slow startup times
Last modified: 2017-03-22 18:41:24 EDT
Description of problem:
We are currently in the process of finding items that may impact Satellite performance. We found recently that candlepin makes calls to /dev/random instead of /dev/urandom in some cases.
# lsof /dev/random
COMMAND  PID USER    FD  TYPE DEVICE SIZE/OFF NODE NAME
java    6465 tomcat  41r CHR    1,8      0t0 1032 /dev/random
java    6465 tomcat  43r CHR    1,8      0t0 1032 /dev/random
java    6465 tomcat  44r CHR    1,8      0t0 1032 /dev/random
java    6465 tomcat 119r CHR    1,8      0t0 1032 /dev/random
Some users have noted that after increasing their entropy counter via tools like 'haveged', performance increased. However, /dev/urandom should be acceptable to use instead of /dev/random.
Version-Release number of selected component (if applicable): 0.9.51
How reproducible: every time (measured via tomcat startup time)
Steps to Reproduce:
note: I have not tried this on physical HW, only VMs.
1. yum install -y lsof; lsof /dev/random
2. stop rngd service and tomcat, ensure "lsof /dev/random" is empty
3. drain /dev/random: "cat /dev/random > /dev/null", wait a few seconds
4. check "/proc/sys/kernel/random/entropy_avail" and ensure it's a low number (less than 50)
5. start tomcat, check startup time
Actual results: extremely slow startup. This likely affects other areas as well but startup time is the easiest one to check.
Expected results: same startup speed whether or not rngd is running
Additional info: http://www.2uo.de/myths-about-urandom/ has info about /dev/random vs /dev/urandom
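As an added example (not part of the bug report), the two checks the reproduction steps rely on, which processes hold /dev/random open and how full the kernel's entropy pool is, done with /proc alone so lsof does not need to be installed. It assumes a Linux /proc layout; elsewhere the entropy estimate is reported as "unavailable".

```shell
#!/bin/sh
# Added example, not from the bug report: reproduce the report's checks
# (readers of /dev/random, kernel entropy estimate) without lsof.
# Assumes a Linux /proc; on other systems entropy is "unavailable".

ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# Print the kernel's current entropy estimate in bits, or "unavailable".
entropy_avail() {
  if [ -r "$ENTROPY_FILE" ]; then
    cat "$ENTROPY_FILE"
  else
    echo unavailable
  fi
}

# Exit 0 when the pool is below the threshold (default 50, the value the
# reproduction steps use), 1 otherwise or when no estimate is available.
entropy_below() {
  v=$(entropy_avail)
  [ "$v" != unavailable ] && [ "$v" -lt "${1:-50}" ]
}

# Print "pid comm fd" for every open descriptor that resolves to the given
# device (default /dev/random), by walking /proc/*/fd. Descriptors of other
# users' processes are only visible when run as root.
readers_of() {
  dev=${1:-/dev/random}
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "$dev" ] || continue
    pid=${fd#/proc/}
    pid=${pid%%/*}
    comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
    printf '%s %s %s\n' "$pid" "$comm" "${fd##*/}"
  done
  return 0
}

# Stand-alone run: show the state step 4 of the report asks you to verify.
echo "entropy_avail: $(entropy_avail)"
if entropy_below 50; then echo "pool is low (<50)"; fi
echo "processes with /dev/random open:"
readers_of /dev/random
```

Run it as root before and after stopping rngd and tomcat: an empty list from readers_of corresponds to the empty lsof output in step 2, and entropy_below 50 is the condition step 4 wants before starting tomcat.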
I think it's fine to switch to /dev/urandom, but it's not something that we control. The entropy source is either set via a system property (set via tomcat.conf, for example) or within $JAVA_HOME/jre/lib/security/java.security. Neither of those methods is within the control of the Candlepin RPM. Configuring the settings in those files is more an issue for the Katello installer, so I'm reassigning to that component.
Be forewarned that there are some issues with JVMs not respecting what's set in java.security. See
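As an added example (not Candlepin or Katello code), the two configuration points named in the comment above, written as idempotent edits an installer could apply. The sample files are constructed inside demo(); the real locations (/etc/tomcat/tomcat.conf and $JAVA_HOME/jre/lib/security/java.security) are assumptions about the host, and the value file:/dev/./urandom is the form commonly used because some JDK releases special-case the literal file:/dev/urandom.

```shell
#!/bin/sh
# Added example, not Candlepin or Katello code: point the JVM's SecureRandom
# at /dev/urandom via (1) java.security or (2) a system property in
# tomcat.conf. Sample files are constructed in demo(); real paths are
# assumptions about the host.

# Portable in-place edit (GNU and BSD sed differ on -i).
sed_inplace() {  # $1 = sed script, $2 = file
  sed "$1" "$2" > "$2.tmp" && mv "$2.tmp" "$2"
}

# Method 1: securerandom.source= in java.security.
set_securerandom_source() {  # $1 = java.security path, $2 = URL
  if grep -q '^securerandom.source=' "$1"; then
    sed_inplace "s|^securerandom.source=.*|securerandom.source=$2|" "$1"
  else
    printf 'securerandom.source=%s\n' "$2" >> "$1"
  fi
  grep -q "^securerandom.source=$2\$" "$1"
}

# Method 2: -Djava.security.egd=... on the JAVA_OPTS line of tomcat.conf.
# The system property takes precedence over java.security when both are set.
set_egd_property() {  # $1 = tomcat.conf path, $2 = URL
  if grep -q -- '-Djava.security.egd=' "$1"; then
    sed_inplace "s|-Djava.security.egd=[^ \"]*|-Djava.security.egd=$2|" "$1"
  elif grep -q '^JAVA_OPTS="' "$1"; then
    sed_inplace "s|^JAVA_OPTS=\"\(.*\)\"|JAVA_OPTS=\"\1 -Djava.security.egd=$2\"|" "$1"
  else
    printf 'JAVA_OPTS="-Djava.security.egd=%s"\n' "$2" >> "$1"
  fi
  grep -q -- "-Djava.security.egd=$2" "$1"
}

# /dev/./urandom rather than /dev/urandom: some JDK releases special-case the
# literal URLs file:/dev/random and file:/dev/urandom and keep seeding from
# /dev/random; the otherwise equivalent "./" path avoids that special case.
EGD_URL=file:/dev/./urandom

demo() {
  d=$(mktemp -d)
  # Constructed samples of the defaults one typically finds on a RHEL host.
  printf 'securerandom.source=file:/dev/random\n' > "$d/java.security"
  printf 'JAVA_OPTS="-Xminf0.1 -Xmaxf0.3"\n' > "$d/tomcat.conf"
  set_securerandom_source "$d/java.security" "$EGD_URL"
  set_egd_property "$d/tomcat.conf" "$EGD_URL"
  cat "$d/java.security" "$d/tomcat.conf"
  rm -r "$d"
}

demo
```

After changing either file, restart tomcat and repeat the lsof check from the report: no java descriptors on /dev/random should remain, and startup time should no longer depend on whether rngd is running.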