Linode Forum
Linode Community Forums
Author Message
 Post subject:
PostPosted: Mon Jan 26, 2004 10:52 am 
Senior Member

Joined: Mon Nov 10, 2003 5:23 am
Posts: 57
AOL: aGoodBoy13
Location: Japan
mike, as I've described above, my entropy never sticks around. I have been able to get it to increase with "du /usr" or "emerge sync", but it then decreases over the next 1-5 minutes to 0.

I wasn't even able to get it to increase until after I'd rebooted 2 or 3 times, then all of a sudden "du /usr" would cause an increase, where previously it had no effect...

:(

_________________
Programs that crash have been proven to be less useful than those that don't.
• Apple TechNote 117 •


 Post subject:
PostPosted: Mon Jan 26, 2004 10:54 am 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
Code:
fremont root # pstree
init-+-apache2---11*[apache2]
     |-authdaemond.pla---5*[authdaemond.pla]
     |-bdflush
     |-4*[courierlogger]
     |-4*[couriertcpd]
     |-devfsd
     |-jfsCommit
     |-jfsIO
     |-jfsSync
     |-keventd
     |-kjournald
     |-klogd
     |-ksoftirqd_CPU0
     |-kswapd
     |-kupdated
     |-login---bash---pstree
     |-master-+-pickup
     |        `-qmgr
     |-mdrecoveryd
     |-mysqld_safe---mysqld---mysqld---2*[mysqld]
     |-saslauthd---4*[saslauthd]
     |-sshd---sshd---sshd---bash---mutt
     `-syslogd


I usually have at least one ssh session running.


 Post subject:
PostPosted: Mon Jan 26, 2004 10:55 am 
Senior Member

Joined: Mon Nov 10, 2003 5:23 am
Posts: 57
AOL: aGoodBoy13
Location: Japan
blahrus wrote:
I want to hit the slopes



yeah, it'll be nice, but it's gonna be a long day. I teach English in a junior high here in Japan (and speak VERY little Japanese myself) and tomorrow the entire 8th grade is going to "ski school" and I get to help teach! I'm excited, but kinda worried. I'm a good skier, and not a bad ski instructor... but if I get beginners, the language barrier + ski terror is gonna be hard to overcome...

anyways, it'll still be a good time i hope!

_________________
Programs that crash have been proven to be less useful than those that don't.

• Apple TechNote 117 •


 Post subject:
PostPosted: Mon Jan 26, 2004 10:58 am 
Junior Member

Joined: Mon Jan 19, 2004 1:39 pm
Posts: 35
ICQ: 149459479
Website: http://www.cinetservices.com
WLM: blahrus@hotmail.com
Yahoo Messenger: blahrus
AOL: blahrus
Location: Bloomington, IL
hey, at least you won't be in a small office all day :)


 Post subject:
PostPosted: Mon Jan 26, 2004 11:00 am 
Senior Member

Joined: Mon Nov 10, 2003 5:23 am
Posts: 57
AOL: aGoodBoy13
Location: Japan
blahrus wrote:
hey, at least you won't be in a small office all day :)


oh, i was only half-a$$ed complaining... :wink:

_________________
Programs that crash have been proven to be less useful than those that don't.

• Apple TechNote 117 •


 Post subject:
PostPosted: Mon Jan 26, 2004 11:01 am 
Junior Member

Joined: Mon Jan 19, 2004 1:39 pm
Posts: 35
ICQ: 149459479
Website: http://www.cinetservices.com
WLM: blahrus@hotmail.com
Yahoo Messenger: blahrus
AOL: blahrus
Location: Bloomington, IL
:lol:


 Post subject:
PostPosted: Mon Jan 26, 2004 11:56 am 
Senior Member

Joined: Mon Jun 23, 2003 1:25 pm
Posts: 260
Just to chime in as well.

I have auth_digest_module running without a problem

but my entropy is 0 as well.

Adam


 Post subject:
PostPosted: Tue Jan 27, 2004 4:44 am 
Senior Member

Joined: Mon Nov 10, 2003 5:23 am
Posts: 57
AOL: aGoodBoy13
Location: Japan
Yeah, I think that as long as you have entropy when you start apache2 (and auth_digest), then you're fine. (I don't know if it's only the first start, or every restart, that needs to pull some entropy)....

Just from what I scanned around the net though, not having entropy can do some wacky things to your system, and you may not realize why. So I think we need to figure out what's going on here soon!...

_________________
Programs that crash have been proven to be less useful than those that don't.

• Apple TechNote 117 •


 Post subject:
PostPosted: Tue Jan 27, 2004 9:40 am 
Senior Member

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
My entropy has been hovering between 3500 and 3900 all morning. It was in the low hundreds last night and seems to have been replenished while the Linode was idle. It was dipping below 100 early yesterday and nothing has changed to explain the difference.

The likely causes of entropy depletion:

- generation of session keys for SSL, etc (support for this theory: users of headless machines reporting IMAP-SSL mail folders take ages to open when entropy_avail is too low - you have to wait for a system event to generate some more randomness),

- randomisation of TCP initial sequence numbers (although the TCP stack doesn't block when entropy_avail is too low).

The likely causes of too little entropy being generated:

- Linode hosts (and other remote servers) are headless so there are no keyboard or mouse event interrupts which are two of the main entropy sources on workstations (this is a known problem and was addressed by adding network activity timing as an entropy source),

- Linodes use ATA RAID arrays with caches in the controllers and perform disk caching at the host level, thus generating a lot fewer interrupts than a standard ATA controller coupled with small system caches (support for this theory: the first use (today) of du /usr pumped the entropy up from 3666 to 3825, the second time (around a minute later) and the third time (ten minutes later) it had no effect),

- Use of NIC interrupt timing as an entropy source used to be a kernel compile time option with the default set to 'off' - perhaps caker can tell us if this is on in our kernels? - plus Linode NICs have large packet queues, reducing entropy generation even if it is on plus (again) not all NIC drivers pass the data to the kernel anyway.

Question:

How is the (hardware derived) data needed for entropy generation passed from the host to the Linodes? (Do all Linodes see all interrupt timing data, only data related to their own operations or does UML fake this somehow?)


 Post subject:
PostPosted: Tue Jan 27, 2004 11:43 am 
Linode Staff

Joined: Tue Apr 15, 2003 6:24 pm
Posts: 3090
Website: http://www.linode.com/
Location: Galloway, NJ
pclissold wrote:
- Use of NIC interrupt timing as an entropy source used to be a kernel compile time option with the default set to 'off' - perhaps caker can tell us if this is on in our kernels?

Which kernel option is this?

pclissold wrote:
plus Linode NICs have large packet queues, reducing entropy generation even if it is on plus (again) not all NIC drivers pass the data to the kernel anyway.

e1000 in polling mode

pclissold wrote:
Question:

How is the (hardware derived) data needed for entropy generation passed from the host to the Linodes? (Do all Linodes see all interrupt timing data, only data related to their own operations or does UML fake this somehow?)


Looking at the UML source, it appears (to me at least) that each UML has its own random sub-system, not relying on the host for available entropy. Interrupts are kept private to each UML, so reads/writes to UBD devices and your ethernet device will generate interrupts (among other things).

-Chris


 Post subject:
PostPosted: Tue Jan 27, 2004 2:26 pm 
Senior Member
User avatar

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
caker wrote:
pclissold wrote:
- Use of NIC interrupt timing as an entropy source used to be a kernel compile time option with the default set to 'off' - perhaps caker can tell us if this is on in our kernels?

Which kernel option is this?



I was thinking of CONFIG_NET_RANDOM but now I'm at home and have had another look I don't think it's relevant to this discussion.


 Post subject:
PostPosted: Tue Jan 27, 2004 10:42 pm 
Senior Member

Joined: Mon Nov 10, 2003 5:23 am
Posts: 57
AOL: aGoodBoy13
Location: Japan
I guess the issue is that something is eating mine (and mike's) entropy. So even if it does get bumped up during idle time, it is immediately eaten again, therefore always showing 0 entropy_avail.

Right now my server is running nothing but the default processes that are in caker's setup, and something is taking up my entropy. Tonight, when I get home, I will set up a new disk image with a clean install, and see if I have this problem. It should work correctly out-of-the-box, right?

pclissold, how old is your system? I'm sure you've done lots of configuring to it, but have you done anything that you think might be related to this?

...

_________________
Programs that crash have been proven to be less useful than those that don't.

• Apple TechNote 117 •


 Post subject:
PostPosted: Wed Jan 28, 2004 12:32 am 
Senior Member

Joined: Mon Nov 10, 2003 5:23 am
Posts: 57
AOL: aGoodBoy13
Location: Japan
Okay, to give out the solutions I've found to starting Apache2 without commenting out auth_digest.

First:

bugs.gentoo.org wrote:
mod_auth_digest needs 20 bytes of raw entropy to start


So if you can get your entropy up temporarily, then Apache2 should work fine until the next restart?

Secondly, re-emerge Apache2 with the following options:

forums.gentoo.org wrote:
MY_BUILTINS="--with-devrandom=/dev/urandom" emerge apache


So, this is apparently "less secure", but negligibly so?

Third, solve all entropy problems by moving /dev/random and creating a link from /dev/urandom to /dev/random.

Again, of questionable security, see above.

Fourth, recompile the kernel to use another source of random data.

This would probably not be any use, because it seems our issue isn't creating random entropy, but maintaining it...


Anyway, hopefully someone will figure out why we are losing entropy at crazy rates. I'm working on it, but am really stuck. Scouring the internet, I've found many people suffering the same issues, but no reasons for these issues, and only the solutions listed above. I'm still hunting, though...

- j

_________________
Programs that crash have been proven to be less useful than those that don't.

• Apple TechNote 117 •


 Post subject:
PostPosted: Wed Jan 28, 2004 4:30 am 
Senior Member
User avatar

Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
wazdog wrote:
pclissold, how old is your system? I'm sure you've done lots of configuring to it, but have you done anything that you think might be related to this?


System was built Dec 2003 - Gentoo with the following USE flags:

Code:
USE="-oss -apm -arts -avi -cups -foomaticdb -gtk -imlib -kde -gnome -mad  -mikmod -motif -opengl -qt -svga -truetype -X -xmms -xv acl apache2 cscope curl imap innodb java maildir mysql perl sasl socks5"


I installed and configured the usual suspects (apache2, courier, cyrus-sasl, mysql, postfix), all from the standard portage tree. Nothing out of the ordinary.

The /dev/random vs /dev/urandom debate raged in the kernel list a few years ago. The consensus appeared to be that /dev/urandom is sufficient unless either:

- SHA1 was compromised, or
- the NSA was after you.

In case 1, SSH (and we all) are screwed regardless of our choice of entropy source. In case 2, you probably have more important things to worry about than Linode security.


 Post subject:
PostPosted: Wed Jan 28, 2004 7:30 am 
Senior Member

Joined: Mon Nov 10, 2003 5:23 am
Posts: 57
AOL: aGoodBoy13
Location: Japan
Okay, I just reinstalled Gentoo from the LCP. The first thing I did when connecting was

Code:
cat /proc/sys/kernel/random/entropy_avail


and I had some. Did the ole "du /usr", got a bunch more. AND IT STAYED. kept catting the avail, and it actually grew sometimes.

My pstree is the exact same as the one I posted above, so what is up here? weird.

I guess I'm just going to start over. Not a fun prospect, but I want to figure out what is causing this, so I guess I'll check after EVERY thing I do...

- j

p.s. by the way, anyone know how I'd go about replacing /dev/random with /dev/urandom? I was going to just mv /dev/random and then create a link to urandom, but I can't move /dev/random...

_________________
Programs that crash have been proven to be less useful than those that don't.

• Apple TechNote 117 •

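The posters above check entropy_avail by hand with cat and eyeball whether it sticks around. As an added example (not code from anyone in this thread), here is a small POSIX shell script that samples the counter at intervals and reports the drain rate, so a consumer that empties the pool shows up as a steady positive loss while a starved pool shows up as a low maximum that only climbs after disk activity. The counter path, sample count and interval are assumptions set at the top.

```shell
#!/bin/sh
# Added example (not from the thread): poll the kernel's entropy counter the way
# the posters do by hand with "cat", and report how fast it drains or refills.
# Assumptions: the counter file path below and the default sample settings.
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}

# read_entropy FILE: print the current entropy_avail value (in bits).
read_entropy() {
    cat "$1"
}

# drain_rate FIRST LAST SECONDS: bits lost per second between two readings
# (positive = pool draining, negative = pool refilling; integer arithmetic).
drain_rate() {
    echo $(( ($1 - $2) / $3 ))
}

# watch_entropy FILE SAMPLES INTERVAL: take SAMPLES readings INTERVAL seconds
# apart and print a one-line summary: first/last/min/max and bits lost per second.
watch_entropy() {
    file=$1; samples=$2; interval=$3
    first=$(read_entropy "$file"); cur=$first; min=$first; max=$first; i=1
    while [ "$i" -lt "$samples" ]; do
        sleep "$interval"
        cur=$(read_entropy "$file")
        if [ "$cur" -lt "$min" ]; then min=$cur; fi
        if [ "$cur" -gt "$max" ]; then max=$cur; fi
        i=$((i + 1))
    done
    elapsed=$(( (samples - 1) * interval ))
    if [ "$elapsed" -gt 0 ]; then
        rate=$(drain_rate "$first" "$cur" "$elapsed")
    else
        rate=0
    fi
    echo "first=$first last=$cur min=$min max=$max drain_bits_per_sec=$rate"
}

# Stand-alone use: sh entropy_watch.sh watch [SAMPLES] [INTERVAL]
# A pool that sits at 0 while max stays low points at a consumer draining it;
# a pool that climbs only after "du /usr" points at too few interrupt sources.
if [ "${1:-}" = "watch" ]; then
    watch_entropy "$ENTROPY_FILE" "${2:-6}" "${3:-10}"
fi
```

Run it once before and once after starting apache2 with auth_digest loaded: a drain that appears only with the module running narrows the search to that process rather than to the kernel's entropy sources.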
