What is random number entropy?

--
Jody Garnett

On 27 January 2017 at 05:15, Daniel Araujo Miranda <miranda....@dpf.gov.br>
wrote:

> Hello everyone,
>
>      TLDR:  Change the line "securerandom.source=file:/dev/random" in
> "/etc/java-8-openjdk/security/java.security" to point to /dev/urandom
> instead to start a clean geoserver install in 13 seconds instead of 6
> minutes. Be mindful of security implications.
>
>      I have been puzzled for some time why geoserver 2.10 and 2.10.1 took
> about 6 minutes to start in a kvm virtual machine, with a newly copied
> war file to the tomcat folder (/var/lib/tomcat8/webapps/ in my case).
> Nobody else seemed to have that problem and I was unable to identify
> meaningful log messages or anything different with my installation to
> ask a proper question here. I found out that the random number generator
> was not getting enough entropy to even start up a new session in tomcat.
> I finally noticed the following line in
> /var/log/tomcat8/catalina.out which exposed the problem:
>
> INFO: Creation of SecureRandom instance for session ID generation using
> [SHA1PRNG] took [313,537] milliseconds.
>
> (In my defense, we use the comma as a decimal separator in Brazil, so
> the above time seemed to be 0.3 seconds at a glance)
>
>      Changing securerandom.source from /dev/random to /dev/urandom in
> java.security solved the problem immediately. I decided to exchange a
> bit of security for a faster startup. Please BE AWARE OF THE SECURITY
> IMPLICATIONS if you do that. My assessment is that it is a reasonable
> tradeoff IN MY CASE.
>
> How to test:
>
>      -take a fresh ubuntu 16.4 server "minimal virtual machine"
> installation in a KVM host
>
>      -Install tomcat8
>
>      -Download geoserver, jai and jai_imageio
>
>      -Unpack everything in their proper places (see
> http://docs.geoserver.org/stable/en/user/production/java.html)
>
>      -after tomcat stops unpacking the geoserver war, run:
>
> service tomcat8 stop && service tomcat8 start && time curl -vv http://127.0.0.1:8080/geoserver/web
>
> That will take an arbitrary amount of time to complete, depending on how
> much entropy your VM has access to. If it is on a busy network and you
> type a lot on the console, it may finish sooner, if it is completely
> isolated and you are using a virtual terminal instead of ssh, it may
> take a long time. In my case it took 6 minutes with very light ssh
> console usage and a quiet network. Making more usage of the ssh console
> brought the time down to 3 minutes.
>
> Change the entropy source from /dev/random to /dev/urandom and you will
> see times for that test around 10 seconds.
>
> Best,
> Daniel
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> Geoserver-users mailing list
> Geoserver-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-users
>
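An added diagnostic example for the symptom described in the quoted message (not code from the post, GeoServer or Tomcat): it extracts the SecureRandom creation time from catalina.out text, treating separators such as the comma in "313,537" as digit grouping, and reports the `securerandom.source` setting from java.security text. The function names, the 10-second threshold and the sample input are assumptions made for illustration.

```python
import re

# Message text as quoted in the post; whitespace may vary if the log is wrapped.
MSG = re.compile(
    r"Creation\s+of\s+SecureRandom\s+instance\s+for\s+session\s+ID\s+generation"
    r"\s+using\s+\[(?P<alg>[^\]]+)\]\s+took\s+\[(?P<ms>\d[\d.,\u00a0\u202f ]*)\]"
    r"\s+milliseconds")

def securerandom_delays(log_text):
    """Return [(algorithm, milliseconds)] for each matching log entry."""
    # Assumption: the value is a whole number of milliseconds, so any
    # non-digit inside the brackets is a grouping separator ("313,537").
    return [(m["alg"], int(re.sub(r"\D", "", m["ms"])))
            for m in MSG.finditer(log_text)]

def securerandom_source(java_security_text):
    """Return the effective securerandom.source value, or None if unset."""
    value = None
    for line in java_security_text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep and key.strip() == "securerandom.source":
            value = val.strip()  # a later assignment overrides an earlier one
    return value

def diagnose(log_text, java_security_text, threshold_ms=10_000):
    """Relate slow SecureRandom creation to the configured entropy source."""
    slow = [(a, ms) for a, ms in securerandom_delays(log_text) if ms >= threshold_ms]
    source = securerandom_source(java_security_text)
    return {"source": source, "slow": slow,
            "reads_dev_random": source == "file:/dev/random"}

# Constructed sample input (message wording and setting taken from the post).
SAMPLE_LOG = """\
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [313,537] milliseconds.
INFO: Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [112] milliseconds.
"""
SAMPLE_JAVA_SECURITY = """\
#securerandom.source=file:/dev/urandom
securerandom.source=file:/dev/random
securerandom.strongAlgorithms=NativePRNGBlocking:SUN
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, SAMPLE_JAVA_SECURITY))
```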