
Slow Spring Boot startup: random numbers and the entropy pool strategy on the JVM

Problem description

In a production environment it is easy to run into a Java application that takes a very long time to start. The log shows that this is caused by random number generation for session IDs:

o.a.c.util.SessionIdGeneratorBase        : Creation of SecureRandom instance for session ID generation using [SHA1PRNG] took [170,241] milliseconds.

Analysis

Spring Boot has Tomcat built in. The Tomcat tuning documentation has an item on random number generation, which uses an "entropy source" strategy.

It mentions that Tomcat 7 generates session IDs mainly from random numbers produced by java.security.SecureRandom, and that the random number algorithm used is "SHA1PRNG":

private String secureRandomAlgorithm = "SHA1PRNG";

In the Sun/Oracle JDK, the provider of this algorithm relies on random data supplied by the underlying operating system. On Linux, the relevant devices are /dev/random and /dev/urandom. The difference between them:

/dev/random is a blocking generator:
When read, /dev/random returns only as many random bytes as the entropy pool's estimated noise allows. /dev/random can be used to generate highly random public keys or one-time pads. If the entropy pool is empty, reads from /dev/random block until enough environmental noise has been collected.

/dev/urandom is a non-blocking generator:
The counterpart of /dev/random is /dev/urandom ("unlocked", a non-blocking random number generator), which reuses the data in the entropy pool to produce pseudo-random data. This means that reads from /dev/urandom do not block, but the entropy of its output may be lower than that of /dev/random. It can be used as a pseudo-random number generator for lower-strength passwords and is not recommended for generating high-strength long-term passwords.

This does not mean that /dev/urandom is not a high-strength pseudo-random number generator. For a discussion of this point, see: "/dev/urandom: a story that has to be told".

Solution

Method 1

The file jre/lib/security/java.security contains:

securerandom.source=file:/dev/random

Change it to

securerandom.source=file:/dev/./urandom

Method 2

Add the following system property to the startup parameters:

-Djava.security.egd=file:/dev/./urandom

The egd in this system property stands for entropy gathering daemon. But why does the value have an extra dot between dev and urandom? It is because of a JDK bug: in the report for that bug, someone noted that even with securerandom.source set to /dev/urandom, /dev/random was still used. There are workarounds, and one of them is to set securerandom.source to /dev/./urandom.
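To confirm that either method took effect, the following added example (not code from the original article) prints the two settings described above and times SHA1PRNG creation plus its first output, the same work Tomcat's log line measures. The class name SeedTimingProbe and the 1,000 ms warning threshold are assumptions chosen for illustration.

```java
import java.security.SecureRandom;
import java.security.Security;

/** Added example: times SHA1PRNG seeding the way session ID generation triggers it. */
public class SeedTimingProbe {

    /** Creates a SHA1PRNG instance, forces it to self-seed, and returns elapsed milliseconds. */
    static long timeSeedingMillis() throws Exception {
        long start = System.nanoTime();
        SecureRandom random = SecureRandom.getInstance("SHA1PRNG");
        // SHA1PRNG seeds itself lazily: the first request for output is what
        // pulls seed material from the configured entropy source.
        random.nextBytes(new byte[16]);
        return (System.nanoTime() - start) / 1_000_000;
    }

    public static void main(String[] args) throws Exception {
        // Value from jre/lib/security/java.security (Method 1).
        String fromFile = Security.getProperty("securerandom.source");
        // Value from -Djava.security.egd (Method 2); null when the flag is absent.
        String fromFlag = System.getProperty("java.security.egd");
        // A non-empty system property takes precedence over the file setting.
        String effective = (fromFlag != null && !fromFlag.isEmpty()) ? fromFlag : fromFile;

        System.out.println("securerandom.source = " + fromFile);
        System.out.println("java.security.egd   = " + fromFlag);
        System.out.println("effective source    = " + effective);

        long elapsed = timeSeedingMillis();
        System.out.println("SHA1PRNG creation and first output took " + elapsed + " ms");

        // WARN_MS is an arbitrary threshold chosen for this example.
        final long WARN_MS = 1_000;
        if (elapsed > WARN_MS) {
            System.out.println("Seeding is slow; the entropy source is probably blocking.");
            System.exit(1);
        }
    }
}
```

Compile it with javac and run it on the affected host once without and once with -Djava.security.egd=file:/dev/./urandom to compare the reported times.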

Additional notes

How to add system properties in Docker

First, use ENTRYPOINT when building the image, for example:

FROM jdk:alpine-security8
WORKDIR /

# Fix garbled Chinese characters
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8

ADD sms-server.jar sms-server.jar
ADD application.properties application.properties
ADD bootstrap.properties bootstrap.properties
ENV TZ=Asia/Shanghai
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
## With the following (exec form) command, passing -e JAVA_OPTS has no effect
#ENTRYPOINT ["java","-jar","sms-server.jar"]
## You have to use this (shell form) command
ENTRYPOINT java ${JAVA_OPTS} -jar sms-server.jar

Then add the corresponding -e parameter to the run command, for example:

## The following works
docker run --name sms-server-security \
-e JAVA_OPTS='-Djava.security.egd=file:/dev/./urandom' \
-e spring.cloud.nacos.discovery.server-addr=192.169.1.82:8848 \
-e spring.cloud.nacos.config.server-addr=192.169.1.82:8848 \
-e 'spring.cloud.nacos.config.ext-config[0].data-id=sms-server-node1.properties' \
-p 8070:8090  \
-v /opt/sms_server/log:/log \
-v /opt/sms_server/nacos:/root/nacos \
-d \
3a1c93c34756

Reference

https://hongjiang.info/jvm-random-and-entropy-source/

Copyright notice
This article was written by [Read and recite the documents]. Please include a link to the original when reposting. Thank you.
https://cdmana.com/2020/12/20201225142454441g.html
