Bug 47107 - /dev/random on a server without a hardware number generator.
Summary: /dev/random on a server without a hardware number generator.
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: All Linux
Importance: High critical
Assignee: Gentoo Linux bug wranglers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-04-07 08:23 UTC by Jens Maus
Modified: 2004-04-08 00:20 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Jens Maus 2004-04-07 08:23:23 UTC
On a server system without any hardware number generator it happens that /dev/random blocks because not enough entropy is available. The entropy for it is collected from keyboard, mouse and/or device interrupts. But on a server system with lots of memory and without any keyboard or mouse it happens that not enough entropy is available, and the system blocks if anyone tries to access /dev/random.
 
As one solution the software can access /dev/urandom instead, which is not as random as /dev/random, but 1. it doesn't block and the randomness of /dev/urandom is in most cases really enough. But to get all software using /dev/urandom instead, that software has to be either patched or /dev/random linked to /dev/urandom, which is of course not the best solution and also not easily possible with devfs installed.
 
As there is the "rng-tools" package for using hardware number generators such as i8x0 or AMD hardware, this package can be used to obtain enough entropy for /dev/random - but unfortunately most of the motherboards out there don't have these hardware components these days.
 
Therefore the most decent solution for getting /dev/random non-blocking on server systems without a supported hardware generator is to use the rng-tools package with a patched /etc/init.d/rngd start() function in which the rng daemon is used with /dev/urandom like this:

-- cut here --
start() {
        ebegin "Starting hardware RNG daemon"
        if [ -e /dev/hw_random ]; then
                start-stop-daemon --start --quiet --exec /usr/sbin/rngd -- -b -r /dev/hw_random
                eend $? "Failed to start hardware RNG daemon"
        elif [ -e /dev/hwrandom ]; then
                start-stop-daemon --start --quiet --exec /usr/sbin/rngd -- -b -r /dev/hwrandom
                eend $? "Failed to start hardware RNG daemon"
        elif [ -e /dev/i810_rng ]; then
                start-stop-daemon --start --quiet --exec /usr/sbin/rngd -- -b -r /dev/i810_rng
                eend $? "Failed to start hardware RNG daemon"
        else
                einfo "No hardware RNG found, using /dev/urandom"
                start-stop-daemon --start --quiet --exec /usr/sbin/rngd -- -b -r /dev/urandom
                eend $? "Failed to start hardware RNG daemon"
        fi
}
-- cut here --

This way /dev/random will be non-blocking on those systems and apache and/or libsasl don't have any problem using /dev/random anymore if necessary.

Reproducible: Always
Steps to Reproduce:
1. Call "head -c 1024 /dev/random" several times and see it blocking if the mouse/keyboard is not used.
2. Imagine that you don't have a keyboard or mouse, so that the entropy isn't enough.
3. Use the "rng-tools" and use the other start() method to get /dev/urandom used instead.
Actual Results:
After the fix /dev/random is not blocking anymore and apache and/or libsasl work like a charm without blocking in several other situations.

Expected Results:
The rng-tools should start up the daemon with /dev/urandom as the input source if no hardware random generator device is found, and of course the "rng-tools" should be considered as being the default on a standard gentoo installation, or at least the documentation should cover that blocking problem and inform the user about the alternative of using the "rng-tools" package.

Please check apache and/or the MD5 routines in libsasl as they are using /dev/random and are therefore blocking if the entropy is too low. And there are probably dozens of other tools/utilities/programs out there using /dev/random and blocking if it doesn't have enough random data left.
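As an added illustration that is not part of the bug report or of Gentoo's rng-tools init script: a small POSIX shell diagnostic that reports the kernel's entropy estimate and chooses an rngd source device the way the start() function above does, but makes the /dev/urandom fallback an explicit, flagged decision instead of a silent default. The paths and threshold are parameterized (PROC_ENTROPY, DEV_DIR and LOW_WATERMARK are names chosen for this example, not anything on the page) so the functions can be exercised against constructed files. The caveat worth keeping in mind is that rngd feeding /dev/urandom into /dev/random raises the kernel's entropy estimate without adding any unpredictability: it removes the blocking, not the underlying shortage of real entropy.

```shell
#!/bin/sh
# Added example (not from the bug report or rng-tools): decide how rngd should
# be fed on a host that may lack a hardware RNG, and surface the entropy state
# instead of silently looping /dev/urandom back into the kernel pool.
#
# Assumptions (not on the page): PROC_ENTROPY, DEV_DIR and LOW_WATERMARK are
# overridable so the functions can be run against constructed files; the
# candidate device names are the three the bug's init script probes.

PROC_ENTROPY="${PROC_ENTROPY:-/proc/sys/kernel/random/entropy_avail}"
DEV_DIR="${DEV_DIR:-/dev}"
LOW_WATERMARK="${LOW_WATERMARK:-256}"   # bits; threshold chosen for this example

# Print the kernel's current entropy estimate in bits. Returns 1 if unreadable.
entropy_avail() {
    [ -r "$PROC_ENTROPY" ] || return 1
    tr -dc '0-9' < "$PROC_ENTROPY"
    echo
}

# Print the first hardware RNG device node found under $DEV_DIR.
# Returns 1 and prints nothing when none exists, so the caller decides what
# to do rather than defaulting to /dev/urandom.
pick_hw_rng() {
    for name in hw_random hwrandom i810_rng; do
        if [ -e "$DEV_DIR/$name" ]; then
            echo "$DEV_DIR/$name"
            return 0
        fi
    done
    return 1
}

# Classify the pool as "ok", "low" or "unknown" (estimate cannot be read).
entropy_state() {
    avail=$(entropy_avail) || { echo unknown; return 0; }
    if [ "${avail:-0}" -lt "$LOW_WATERMARK" ]; then
        echo low
    else
        echo ok
    fi
}

# Build the rngd argument string the way the init script does. Exit status 0
# means a real hardware source was found; 2 means only the /dev/urandom
# loop-back is available, which raises the kernel's entropy *estimate*
# without adding unpredictability and therefore only stops the blocking.
rngd_args() {
    if dev=$(pick_hw_rng); then
        echo "-b -r $dev"
        return 0
    fi
    echo "-b -r $DEV_DIR/urandom"
    return 2
}

# Human-readable report for an operator checking a headless server.
main() {
    echo "entropy_avail: $(entropy_avail 2>/dev/null || echo '?') ($(entropy_state))"
    args=$(rngd_args); rc=$?
    case $rc in
        0) echo "hardware RNG present; rngd $args" ;;
        2) echo "WARNING: no hardware RNG; rngd $args would only unblock /dev/random" ;;
    esac
}

main
```

Run it as an ordinary script on the server in question; to see the fallback branch on a machine that does have a hardware RNG, point DEV_DIR at an empty directory. A non-zero exit from rngd_args is the signal that the configured rngd would be recycling the kernel's own output.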
Comment 1 Robin Johnson 2004-04-07 20:53:16 UTC
The kernel also collects entropy from disk/network timing, and in many cases this provides more than enough entropy. However I do think using rngd to do a feedback input definitely has a place (/me recalls too many people reporting the blocking-for-input bugs...).
Comment 2 Robin Johnson 2004-04-07 21:11:22 UTC
in cvs now.
Comment 3 Jens Maus 2004-04-08 00:20:41 UTC
Just as an addition. IMHO this topic should also be raised in the Installation Handbook of gentoo linux, as configuring/using the RNG tools correctly is a very important part of the installation; this could lead to many different problems if one doesn't know that /dev/random is the cause of all his/her hangs.

And please explain what exactly you changed in the cvs now concerning the rng-tools? As I really think they should be included in each default installation. Believe me, I have 2 servers here which ran out of entropy because they have heaps of memory, so lots of disk access is cached anyway. It is really easy to reproduce that /dev/random blocks, so using a hardware random generator or the rng daemon on gentoo is a mandatory thing.