How to Fix Entropy Pool Issue on RHEL 5.x

entropy-poolhp-server-automationrhel5

RHEL 5.x has an entropy-generation problem (held-over from kernel 2.4). Following directions from here has produced little-to-no results:

How to increase entropy pool on a 2.6 kernel RHEL/Fedora system without keyboard/mouse.

A good source of entropy is needed for random number generation. This affects services that go via SSL amongst other things. In 2.6 kernels the entropy sources of a system are keyboard, mouse and some IRQ interrupts.
There are two random number sources on linux – /dev/random and /dev/urandom. /dev/random will block if there is nothing left in the entropy bit bucket. If your system does not have keyboard and mouse, you can use 'rngd' daemon to perform the task.
You can see the entropy valu using following command.
    #cat /proc/sys/kernel/random/entropy_avail  
Now, start the 'rngd' daemon using following command and monitor the entropy on the system.
    #rngd -r /dev/urandom -o /dev/random -f -t 1
    #watch -n 1 cat /proc/sys/kernel/random/entropy_avail

What other fixes are available for this issue?

background

There is a known issue (on HP's side) with one component in the current version of Server Automation that takes a long time to startup due to a small entropy pool on RHEL 5. I'm trying to find a workaround until/unless it's fixed on the vendor's part.

Best Answer

As has been pointed out, colocated servers, lacking that random human being to create entropy, generally don't have much of it to spare. If you have a physical server with a spare USB port, and a demonstrable need for high-grade entropy, you could do worse than get yourself an Entropy Key. I don't normally recommend specific products on SF, but I rather like this one, and it does the job nicely.

Here's the depth of my pool before fitting the key: pool depth before key

and here's the pool after: pool depth after key

Declaration of interest: I have no connection with the makers except that I bought one of their products, at full price, and like it.

Edit (July 2015): the Entropy Key website has for some time said that they're out of stock, and they don't know when they'll have more made. However, OneRNG, a project to make a completely-open, verifiable, USB-connected entropy generator, was fully funded on kickstarter, and at the time of writing intends to start selling them via a webstore once their kickstarter obligations are fulfilled.

Related Solutions

RHEL 5 Network Connectivity Issue

When you ping google.com, did it resolve? In other words, did it come up and say

 msimmons@newcastle:~$ ping google.com
 PING google.com (74.125.127.100) 56(84) bytes of data.

Or did it say

 ping: unknown host google.com

Assuming it said the first, your DNS is fine. At that point, lets look into the routing:

Here's mine:

 msimmons@newcastle:~$ route -n
 Kernel IP routing table
 Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
 10.x.x.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
 0.0.0.0         10.x.x.1        0.0.0.0         UG    0      0        0 eth0

Since I'm on an internal network, everything destined for 10.x.x.0/24 (the /24 comes from the "genmask" column) goes out the local ethernet card.

Everything else (0.0.0.0/0) goes to 10.x.x.1, my gateway. My guess is that this line is probably absent or messed up on yours.

If you have a relatively simple network configuration, and that line is missing, you can issue this command as root:

 # route add default gw 10.x.x.1

Where 10.x.x.1 is your default gateway.

EDIT

Alright, given the new information, it looks like your routes are fine. Where is the server that you were pinging located? On the local segment, or remote?

Anyway, lets see where the connection dies:

 traceroute -n www.google.com

Chances are really good that you'll at least get a response from your gateway, 10.x.x.1. Anything past that means your gateway is routing traffic to you. If you don't get responses, that may indicate a network firewall causing the problem.

Of course, there's still the chance that you're getting traffic, but that your gateway is filtering ICMP packets. It would be diagnostic to try telnetting to google and pretending to be a web browser:

msimmons@newcastle:~$ telnet www.google.com 80
Trying 66.102.1.104...
Connected to www.l.google.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 OK
Date: Mon, 10 Aug 2009 19:20:19 GMT
Expires: -1
Cache-Control: private, max-age=0
...

You type the "GET / HTTP/1.0" then hit enter twice...though really, if you get the "connected to..." part, you're probably good.

Update once you've tried this!

Linux – Feeding the kernels entropy source from other machines and/or increasing its maximum size

If you are ready to get a bit wild, how about audio entropy daemon or video entropy daemon? Just put some video or audio clip running and let them generate the randomness for you.

A bit less wild method would be timer entropy daemon.

background

Best Answer

Related Solutions

RHEL 5 Network Connectivity Issue

Linux – Feeding the kernels entropy source from other machines and/or increasing its maximum size

Related Topic