4

I'm trying to run code on a machine where /dev/random does not fill up quickly, and a Java program I'm trying to use is hanging for lack of random numbers.

/dev/urandom produces "not as good" random numbers, but isn't blocking, and for this case I'd rather have less randomness and completing, than better randomness but never completing.

I tried passing this to Java:

```
-Djava.security.egd=file:/dev/./urandom
```

But it didn't fix anything ("/dev/urandom" has problems in places, whereas "/dev/./urandom" works everywhere, which is why I used that path). Is there a way to do this?

I've now tried:

```
file:/dev/./urandom
file://dev/./urandom
file:///dev/./urandom
file:/dev/urandom
file://dev/urandom
file:///dev/urandom
```

None have worked.

Greg Dougherty
  • 2
    See [myths about `/dev/urandom`](https://www.2uo.de/myths-about-urandom/). – Martin Zeitler Aug 24 '21 at 16:08
  • 1
    It might be better to look at ways of setting your system up to fill random quicker. https://security.stackexchange.com/questions/89/feeding-dev-random-entropy-pool gives some examples on how to do this – DevWithZachary Aug 24 '21 at 16:09
  • @DevWithZachary unfortunately I don't control the system, so that's not one of my options. All the other machines on the cluster fill up their random just fine (yes, I have a bug report in) – Greg Dougherty Aug 24 '21 at 22:08
  • Java already uses /dev/urandom for the `nextBytes()` call. Perhaps you can show the code that's causing your problems, the version of Java you're using, and the platform it's running on. – President James K. Polk Aug 24 '21 at 22:35
  • @PresidentJamesK.Polk I can't. The code is in GATK 3.8. Java *, u202, the last free Oracle version – Greg Dougherty Aug 24 '21 at 23:07
  • I assume Java * should be Java 8, the * being above the 8 key, at least on my keyboard. – President James K. Polk Aug 24 '21 at 23:24
  • Well, as far as I can tell from reading the source code for NativePRNG, `getSeed()` may use /dev/random but `nextBytes()` uses /dev/urandom. So use `nextBytes()`. – President James K. Polk Aug 24 '21 at 23:26

1 Answer

0

File URLs do require 2-3 forward slashes (according to RFC 1738):

```
-Djava.security.egd=file://dev/./urandom
-Djava.security.egd=file://dev/urandom
```

  • That system may only support the NativePRNG, but not the SHA1PRNG algorithm. Here it's explained: What java.security.egd option is for? To see what is available: `cat /dev/./urandom` and `cat /dev/urandom`. The man pages state that one can simply create the devices, in case they don't exist.

  • There still is the possibility that Java code might do blocking I/O.

  • With containers this can also lead to performance issues:

> The /dev/random device is a scarce shared system resource that Linux Container tenants likely have not realised they are sharing. When they all try to use it at the same time they are effectively causing a denial of service on each other.

Martin Zeitler
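A diagnostic for the situation discussed in this thread, added here as an example and not code from the question, the answer or GATK: it prints the settings that select the seed source and times the `SecureRandom` calls mentioned in the comments, so you can see which one stalls on the affected host. The class name `EntropyProbe` and the 5-second timeout are assumptions chosen for illustration.

```java
import java.security.SecureRandom;
import java.security.Security;
import java.util.concurrent.*;

public class EntropyProbe {
    // Run one SecureRandom call on a daemon thread and report its latency or a timeout.
    static String timed(String label, Callable<byte[]> call, long timeoutSec) {
        ExecutorService ex = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, label);
            t.setDaemon(true); // a read stuck on the entropy device must not keep the JVM alive
            return t;
        });
        long start = System.nanoTime();
        try {
            ex.submit(call).get(timeoutSec, TimeUnit.SECONDS);
            return label + ": ok in " + (System.nanoTime() - start) / 1_000_000 + " ms";
        } catch (TimeoutException e) {
            return label + ": BLOCKED for more than " + timeoutSec + " s";
        } catch (Exception e) {
            return label + ": failed: " + e;
        } finally {
            ex.shutdownNow();
        }
    }

    public static void main(String[] args) {
        // Settings that select the seed source: the -D flag and the java.security file entries.
        System.out.println("java.security.egd    = " + System.getProperty("java.security.egd"));
        System.out.println("securerandom.source  = " + Security.getProperty("securerandom.source"));
        System.out.println("strongAlgorithms     = " + Security.getProperty("securerandom.strongAlgorithms"));

        SecureRandom sr = new SecureRandom();
        System.out.println("default SecureRandom = " + sr.getAlgorithm() + " / " + sr.getProvider().getName());

        // Time the output path, the seeding path and the "strong" instance separately.
        System.out.println(timed("nextBytes(32)", () -> {
            byte[] b = new byte[32];
            sr.nextBytes(b);
            return b;
        }, 5));
        System.out.println(timed("generateSeed(32)", () -> sr.generateSeed(32), 5));
        System.out.println(timed("getInstanceStrong().nextBytes(32)", () -> {
            byte[] b = new byte[32];
            SecureRandom.getInstanceStrong().nextBytes(b);
            return b;
        }, 5));
    }
}
```

Run it with the same JVM and the same `-Djava.security.egd=...` value as the hanging program; a call reported as BLOCKED indicates which API path the application is likely waiting in.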