由3.10升級到4.14內核後,啓動系統random的初始化需要比較長的時間。通過dmesg | grep -I randdom 發現需要400多秒才能初始化完成。
dmesg | grep -i random
[ 0.051406] random: get_random_bytes called from setup_net+0x33/0x120 with crng_init=0
[ 0.637733] random: hwclock: uninitialized urandom read (8 bytes read)
[ 0.821425] random: sh: uninitialized urandom read (8 bytes read)
[ 11.923501] random: fast init done
[ 13.111697] random: modprobe: uninitialized urandom read (8 bytes read)
[ 20.464349] random: modprobe: uninitialized urandom read (8 bytes read)
[ 20.475650] random: head: uninitialized urandom read (8192 bytes read)
[ 23.335865] random: modprobe: uninitialized urandom read (8 bytes read)
[ 28.286856] random: modprobe: uninitialized urandom read (8 bytes read)
[ 28.747431] random: modprobe: uninitialized urandom read (8 bytes read)
[ 33.718262] random: modprobe: uninitialized urandom read (8 bytes read)
[ 33.736726] random: modprobe: uninitialized urandom read (8 bytes read)
[ 429.269251] random: crng init done
所以一些應用程序在調用random的函數可能會阻塞。
通過調查發現有兩個解決方案,內核的方式和用戶態的方式
方案一:打入以下內核patch
內核的patch:https://lkml.org/lkml/2018/7/17/1279
增加了config RANDOM_TRUST_CPU這個選項,默認此選擇沒有打開。
大致的意思是,此選項是信任cpu處理器的廠商,他們會產生沒有危險用戶的random的行爲。也列舉了反例,列舉了美國製裁中國,中國決定自給自足CPU。憑什麼就相信intel,不相信解放軍控制的公司等
用戶態的方案:
Haveged使用HAVEGE(HArdware Volatile Entropy Gathering and Expansion)來維護一個1M的隨機字節池,
當/dev/random中的隨機位供應低於設備的低水位時(/proc/sys/kernel/random/entropy_avail),這個隨機字節池用於填充/dev/random。
容器裏可以使用如下:
1 wget http://download-ib01.fedoraproject.org/pub/epel/7/x86_64/Packages/h/haveged-1.9.1-1.el7.x86_64.rpm
2 rpm -ivh haveged-1.9.1-1.el7.x86_64.rpm
3 運行haveged -w 1024 -v 1
服務器可以使用:
yum install haveged -y
systemctl start haveged
systemctl enable haveged