uninitialized urandom read
作者:互联网
由3.10升级到4.14内核后,启动系统random的初始化需要比较长的时间。通过dmesg | grep -I randdom 发现需要400多秒才能初始化完成。
dmesg | grep -i random
[ 0.051406] random: get_random_bytes called from setup_net+0x33/0x120 with crng_init=0
[ 0.637733] random: hwclock: uninitialized urandom read (8 bytes read)
[ 0.821425] random: sh: uninitialized urandom read (8 bytes read)
[ 11.923501] random: fast init done
[ 13.111697] random: modprobe: uninitialized urandom read (8 bytes read)
[ 20.464349] random: modprobe: uninitialized urandom read (8 bytes read)
[ 20.475650] random: head: uninitialized urandom read (8192 bytes read)
[ 23.335865] random: modprobe: uninitialized urandom read (8 bytes read)
[ 28.286856] random: modprobe: uninitialized urandom read (8 bytes read)
[ 28.747431] random: modprobe: uninitialized urandom read (8 bytes read)
[ 33.718262] random: modprobe: uninitialized urandom read (8 bytes read)
[ 33.736726] random: modprobe: uninitialized urandom read (8 bytes read)
[ 429.269251] random: crng init done
所以一些应用程序在调用random的函数可能会阻塞。
通过调查发现有两个解决方案,内核的方式和用户态的方式
方案一:打入以下内核patch
内核的patch:https://lkml.org/lkml/2018/7/17/1279
增加了config RANDOM_TRUST_CPU这个选项,默认此选择没有打开。
大致的意思是,此选项是信任cpu处理器的厂商,他们会产生没有危险用户的random的行为。也列举了反例,列举了美国制裁中国,中国决定自给自足CPU。凭什么就相信intel,不相信解放军控制的公司等
用户态的方案:
Haveged使用HAVEGE(HArdware Volatile Entropy Gathering and Expansion)来维护一个1M的随机字节池,
当/dev/random中的随机位供应低于设备的低水位时(/proc/sys/kernel/random/entropy_avail),这个随机字节池用于填充/dev/random。
容器里可以使用如下:
1 wget http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/h/haveged-1.9.1-1.el7.x86_64.rpm
2 rpm -ivh haveged-1.9.1-1.el7.x86_64.rpm
3 运行haveged -w 1024 -v 1
服务器可以使用:
yum install haveged -y
systemctl start haveged
systemctl enable haveged
标签:uninitialized,read,random,bytes,urandom,modprobe 来源: https://blog.csdn.net/xiaofeng_yan/article/details/101073770