9
FROM openjdk:8-jdk-alpine
VOLUME /tmp
ARG JAR_FILE
COPY ${JAR_FILE} app.jar
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]

The above Dockerfile sample is from the official Spring Boot guide for docker. I would like to know what the security property is used for since I don't usually set that up when running the app on my local development environment but it seems to come up on various containerization guides. Cheers!

xdzc
  • 1,421
  • 1
  • 17
  • 23

2 Answers2

11

The purpose of that security property is to speed up tomcat startup. By default the library used to generate random number in JVM on Unix systems relies on /dev/random. On docker containers there isn't enough entropy to support /dev/random. See Not enough entropy to support /dev/random in docker containers running in boot2docker. The random number generator is used for session ID generation. Changing it to /dev/urandom will make the startup process faster.

Similar question Slow startup on Tomcat 7.0.57 because of SecureRandom

b0gusb
  • 4,283
  • 2
  • 14
  • 33
  • Is it actual in case with Spring Web Flux and Netty? – Denis.E Dec 17 '19 at 09:10
  • 1
    @Denis.E I am not entirely sure but it seems that Netty has similar issues [#3419](https://github.com/netty/netty/issues/3419). The difference is that netty times out after 3 seconds and use a hard-coded random number if the seed uniquifier cannot be initialized. See [ThreadLocalRandom](https://netty.io/4.0/xref/io/netty/util/internal/ThreadLocalRandom.html) – b0gusb Dec 17 '19 at 12:31
2

From Java 9 through Java 11 (LTS), this option is to increase the entropy of random numbers generated by the java.security.SecureRandom class whilst avoiding the risk of having the code blocked unexpectedly. It configures the JVM:

  1. To seed the SecureRandom class using the /dev/urandom special file on Unix-like OSes to avoid having the code unexpectedly blocked due to lack of entropy.
  2. To use the Deterministic Random Bit Generator (DRBG) mechanisms
    described in NIST 800-90Ar1. These mechanisms implement modern algorithms as strong as SHA-512 and AES-256.
dbaltor
  • 2,737
  • 3
  • 24
  • 36
  • 1
    According to the JDK 8 Security Enhancements official Oracle document, the /dev/./urandom workaround is no more necessary from JDK 8. https://docs.oracle.com/javase/8/docs/technotes/guides/security/enhancements-8.html But this answer says java 9 through 11, so I was wondering if it is still useful ? – jambriz Mar 26 '21 at 20:21
  • 1
    The extra `/./` sets the strongest SecureRandom implementation available (DRBG in Java 11) to be used regardless the underpinning platform. `urandom` avoids getting the code blocked unexpectedly. – dbaltor Mar 27 '21 at 21:15