Discussion:
[freenet-dev] Not enough entropy
Jano
2008-07-18 11:21:33 UTC
Permalink
Since the last version #1153, my node takes a very long time to start (half an
hour or more). Trying to load the homepage gives a page saying that "Freenet
is starting up", and below:

Not enough entropy is available!
There isn't enough entropy available on your system... Freenet won't start
until it can gather enough.

This node runs in an unattended box, so any entropy sources will be non-human.
I have read somewhere that /dev/random is slow to refill and can be exhausted
easily if used too much. Could this be part of the problem?

The full log displayed in that page is:

INFO | jvm 2 | 2008/07/18 13:03:31 | INFO: Optimized native BigInteger
library 'net/i2p/util/libjbigi-linux-pentium3.so' loaded from resource
ERROR | wrapper | 2008/07/18 13:11:50 | Startup failed: Timed out waiting for
signal from JVM.
ERROR | wrapper | 2008/07/18 13:11:50 | JVM did not exit on request, terminated
INFO | wrapper | 2008/07/18 13:11:50 | JVM exited on its own while waiting to
kill the application.
STATUS | wrapper | 2008/07/18 13:11:50 | JVM exited in response to signal
SIGKILL (9).
STATUS | wrapper | 2008/07/18 13:11:54 | Reloading Wrapper configuration...
STATUS | wrapper | 2008/07/18 13:11:54 | Launching a JVM...
INFO | jvm 3 | 2008/07/18 13:11:55 | Wrapper (Version 3.2.3)
http://wrapper.tanukisoftware.org
INFO | jvm 3 | 2008/07/18 13:11:55 | Copyright 1999-2006 Tanuki Software, Inc.
All Rights Reserved.
INFO | jvm 3 | 2008/07/18 13:11:55 |
INFO | jvm 3 | 2008/07/18 13:11:55 | freenet.jar built with freenet-ext.jar
Build #20 r18484
INFO | jvm 3 | 2008/07/18 13:11:55 | Attempting to load the NativeThread
library
[jar:file:/home/user/fn07/node/freenet-ext.jar!/freenet/support/io/libNativeThread-i386.so]
INFO | jvm 3 | 2008/07/18 13:11:55 | Using the NativeThread implementation
(base nice level is 14)
INFO | jvm 3 | 2008/07/18 13:11:55 | Created log files
INFO | jvm 3 | 2008/07/18 13:11:55 | Initializing Node using Freenet Build
#1153 r20933 and freenet-ext Build #20 r18484 with Sun Microsystems Inc. JVM
version 1.6.0_06 running on i386 Linux 2.6.24-19-generic
INFO | jvm 3 | 2008/07/18 13:11:56 | Starting FProxy on 127.0.0.1:8888
INFO | jvm 3 | 2008/07/18 13:11:56 | INFO: Native CPUID
library 'freenet/support/CPUInformation/libjcpuid-x86-linux.so' loaded from
resource
INFO | jvm 3 | 2008/07/18 13:11:56 | INFO: Optimized native BigInteger
library 'net/i2p/util/libjbigi-linux-pentium3.so' loaded from resource
Florent Daignière
2008-07-18 12:24:34 UTC
Permalink
Post by Jano
Since the last version #1153, my node takes a very long time to start (half an
hour or more). Trying to load the homepage gives a page saying that "Freenet
Not enough entropy is available!
There isn't enough entropy available on your system... Freenet won't start
until it can gather enough.
This node runs in an unattended box, so any entropy sources will be non-human.
I have read somewhere that /dev/random is slow to refill and can be exhausted
easily if used too much. Could this be part of the problem?
This is the problem.

Launch a "find / >/dev/null" from a different shell and that should help
the OS to refill the entropy pool.
Jano
2008-07-18 13:59:38 UTC
Permalink
Post by Florent Daignière
Post by Jano
Since the last version #1153, my node takes a very long time to start (half
an hour or more). Trying to load the homepage gives a page saying that
Not enough entropy is available!
There isn't enough entropy available on your system... Freenet won't start
until it can gather enough.
This node runs in an unattended box, so any entropy sources will be
non-human. I have read somewhere that /dev/random is slow to refill and can
be exhausted easily if used too much. Could this be part of the problem?
This is the problem.
Launch a "find / >/dev/null" from a different shell and that should help
the OS to refill the entropy pool.
I'm going to try this, it's been two hours now with the node stuck waiting.

***

It worked. I know /dev/urandom is less secure, is there a likely possibility of
attacks if urandom is used instead?
Florent Daignière
2008-07-18 14:02:18 UTC
Permalink
Post by Jano
Post by Florent Daignière
Post by Jano
Since the last version #1153, my node takes a very long time to start (half
an hour or more). Trying to load the homepage gives a page saying that
Not enough entropy is available!
There isn't enough entropy available on your system... Freenet won't start
until it can gather enough.
This node runs in an unattended box, so any entropy sources will be
non-human. I have read somewhere that /dev/random is slow to refill and can
be exhausted easily if used too much. Could this be part of the problem?
This is the problem.
Launch a "find / >/dev/null" from a different shell and that should help
the OS to refill the entropy pool.
I'm going to try this, it's been two hours now with the node stuck waiting.
***
It worked. I know /dev/urandom is less secure, is there a likely possibility of
attacks if urandom is used instead?
Before #1153 we were using urandom... and yes that was insecure.

I might introduce some code to generate hard-drive accesses in 1154.
Cory Nelson
2008-07-18 14:27:42 UTC
Permalink
On Fri, Jul 18, 2008 at 7:02 AM, Florent Daignière
Post by Florent Daignière
Post by Jano
Post by Florent Daignière
Post by Jano
Since the last version #1153, my node takes a very long time to start (half
an hour or more). Trying to load the homepage gives a page saying that
Not enough entropy is available!
There isn't enough entropy available on your system... Freenet won't start
until it can gather enough.
This node runs in an unattended box, so any entropy sources will be
non-human. I have read somewhere that /dev/random is slow to refill and can
be exhausted easily if used too much. Could this be part of the problem?
This is the problem.
Launch a "find / >/dev/null" from a different shell and that should help
the OS to refill the entropy pool.
I'm going to try this, it's been two hours now with the node stuck waiting.
***
It worked. I know /dev/urandom is less secure, is there a likely possibility of
attacks if urandom is used instead?
Before #1153 we were using urandom... and yes that was insecure.
I might introduce some code to generate hard-drive accesses in 1154.
You might want to check out HAVEGE: http://www.irisa.fr/caps/projects/hipsor/

It takes advantage of branch mispredictions to give high quality
randomness. The algorithm
Florent Daignière
2008-07-18 14:47:36 UTC
Permalink
Post by Cory Nelson
On Fri, Jul 18, 2008 at 7:02 AM, Florent Daignière
Post by Florent Daignière
Post by Jano
Post by Florent Daignière
Post by Jano
Since the last version #1153, my node takes a very long time to start (half
an hour or more). Trying to load the homepage gives a page saying that
Not enough entropy is available!
There isn't enough entropy available on your system... Freenet won't start
until it can gather enough.
This node runs in an unattended box, so any entropy sources will be
non-human. I have read somewhere that /dev/random is slow to refill and can
be exhausted easily if used too much. Could this be part of the problem?
This is the problem.
Launch a "find / >/dev/null" from a different shell and that should help
the OS to refill the entropy pool.
I'm going to try this, it's been two hours now with the node stuck waiting.
***
It worked. I know /dev/urandom is less secure, is there a likely possibility of
attacks if urandom is used instead?
Before #1153 we were using urandom... and yes that was insecure.
I might introduce some code to generate hard-drive accesses in 1154.
You might want to check out HAVEGE: http://www.irisa.fr/caps/projects/hipsor/
It takes advantage of branch mispredictions to give high quality
randomness. The algorithm is quite simple.
Are you aware that freenet is written in java? :) We can't rely on
architecture-specific problems to generate the entropy we need.

We are already using a cryptographically secure PRNG (Yarrow); The
node stalls because it can't gather the entropy needed to seed it.

NextGen$
Cory Nelson
2008-07-18 14:57:39 UTC
Permalink
On Fri, Jul 18, 2008 at 7:47 AM, Florent Daignière
Post by Florent Daignière
Post by Cory Nelson
On Fri, Jul 18, 2008 at 7:02 AM, Florent Daignière
Post by Florent Daignière
Post by Jano
Post by Florent Daignière
Post by Jano
Since the last version #1153, my node takes a very long time to start (half
an hour or more). Trying to load the homepage gives a page saying that
Not enough entropy is available!
There isn't enough entropy available on your system... Freenet won't start
until it can gather enough.
This node runs in an unattended box, so any entropy sources will be
non-human. I have read somewhere that /dev/random is slow to refill and can
be exhausted easily if used too much. Could this be part of the problem?
This is the problem.
Launch a "find / >/dev/null" from a different shell and that should help
the OS to refill the entropy pool.
I'm going to try this, it's been two hours now with the node stuck waiting.
***
It worked. I know /dev/urandom is less secure, is there a likely possibility of
attacks if urandom is used instead?
Before #1153 we were using urandom... and yes that was insecure.
I might introduce some code to generate hard-drive accesses in 1154.
You might want to check out HAVEGE: http://www.irisa.fr/caps/projects/hipsor/
It takes advantage of branch mispredictions to give high quality
randomness. The algorithm is quite simple.
Are you aware that freenet is written in java? :) We can't rely on
architecture-specific problems to generate the entropy we need.
We are already using a cryptographically secure PRNG (Yarrow); The
node stalls because it can't gather the entropy needed to seed it.
If Java has some way to read the hardware timestamp, that's all that
is needed. Even if not - you guys already have some 3rd party native
library for bignum, right? HAVEGE is better than Yarrow or any PRNG
could hope to be - what's wrong with another lib if it means
randomness tha
Florent Daignière
2008-07-18 15:12:56 UTC
Permalink
Post by Cory Nelson
On Fri, Jul 18, 2008 at 7:47 AM, Florent Daignière
Post by Florent Daignière
Post by Cory Nelson
On Fri, Jul 18, 2008 at 7:02 AM, Florent Daignière
Post by Florent Daignière
Post by Jano
Post by Florent Daignière
Post by Jano
Since the last version #1153, my node takes a very long time to start (half
an hour or more). Trying to load the homepage gives a page saying that
Not enough entropy is available!
There isn't enough entropy available on your system... Freenet won't start
until it can gather enough.
This node runs in an unattended box, so any entropy sources will be
non-human. I have read somewhere that /dev/random is slow to refill and can
be exhausted easily if used too much. Could this be part of the problem?
This is the problem.
Launch a "find / >/dev/null" from a different shell and that should help
the OS to refill the entropy pool.
I'm going to try this, it's been two hours now with the node stuck waiting.
***
It worked. I know /dev/urandom is less secure, is there a likely possibility of
attacks if urandom is used instead?
Before #1153 we were using urandom... and yes that was insecure.
I might introduce some code to generate hard-drive accesses in 1154.
You might want to check out HAVEGE: http://www.irisa.fr/caps/projects/hipsor/
It takes advantage of branch mispredictions to give high quality
randomness. The algorithm is quite simple.
Are you aware that freenet is written in java? :) We can't rely on
architecture-specific problems to generate the entropy we need.
We are already using a cryptographically secure PRNG (Yarrow); The
node stalls because it can't gather the entropy needed to seed it.
If Java has some way to read the hardware timestamp, that's all that
is needed. Even if not - you guys already have some 3rd party native
library for bignum, right? HAVEGE is better than Yarrow or any PRNG
could hope to be - what's wrong with another lib if it means
randomness that can't run out?
Native libraries are a PITA to maintain. That alone is a good reason why
not to use HAVEGE...

Freenet's prng doesn't run out of entropy... the OS' does when freenet
tries to seed its PRNG. If the user is concerned about that he can
install HAVEGE's kernel module so that he won't have any problem.

In the mean time, I am going to implement something which will do some
disk accesses in order to help the OS's PRNG to refill its entropy pool.

NextGen$

Continue reading on narkive:
Loading...