kernel-packages team mailing list archive

[Bug 575669] Re: Rapid depletion of entropy pool

 

Christopher,

Can you explain how the commit you linked to resolves this issue? The
commit seems to place process permissions checks on /proc/pid/stat and
/proc/pid/wchan. I do not see how this affects the available entropy
unless entropy is being depleted by unauthorized processes accessing
those endpoints, which does not seem very likely to me. I doubt I will
have time to test trusty before it is released, but once released I will
test within a virtual server to see if this issue has been resolved.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/575669

Title:
  Rapid depletion of entropy pool

Status in “linux” package in Ubuntu:
  Confirmed

Bug description:
  I was noticing that on several of my servers the available entropy has
  been exceedingly low for the last 6-7 months.  My guess is this
  problem began with Ubuntu 9.10 and continues in Ubuntu 10.04.  I came
  across some useful information here:

  http://lkml.org/lkml/2010/4/5/19

  And I confirmed that running:

  watch cat /proc/sys/kernel/random/entropy_avail

  will rapidly deplete the entropy pool.  But running the python script:

  import sys, time

  # One long-lived process re-reads the counter; nothing is launched per sample.
  while True:
    with open('/proc/sys/kernel/random/entropy_avail', 'r') as f:
      sys.stdout.write(f.read())
    time.sleep(1)

  will not rapidly deplete the entropy pool.  This seems to support the
  hypothesis that entropy is being drained with each launch of a process
  which has been linked to the glibc randomized stack protector.  Some
  information about that can be found here:

  http://sourceware.org/ml/libc-alpha/2008-10/msg00006.html

  As many people who have run virtual servers can attest, low entropy on
  a server can cause a number of difficult to diagnose performance
  problems as processes block trying to access /dev/random.  Low entropy
  may also lead to a reduction in security for various cryptographic
  services.

  I'm not an expert in these matters and have limited ability to test as
  many of my servers are running older versions but it does appear that
  those older versions do not have this behavior.  This could also be a
  kernel issue but I thought I would start here and see if others can
  replicate this problem and help in diagnosing the issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/575669/+subscriptions
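
Added example (not part of the bug report or of the reply above): a Python harness for the hypothesis in the bug description, comparing how far entropy_avail falls per iteration when one process re-reads the file versus when a short-lived child is launched before each read. The names measure and spawn_child, the iteration count and the use of the `true` binary are assumptions of this example.

```python
import shutil
import subprocess

ENTROPY_PATH = "/proc/sys/kernel/random/entropy_avail"  # path from the bug report
TRUE_BIN = shutil.which("true") or "/bin/true"          # assumed trivial child program


def read_entropy(path=ENTROPY_PATH):
    """Return the kernel's current entropy estimate, in bits."""
    with open(path) as f:
        return int(f.read())


def measure(action, iterations, read=read_entropy):
    """Run action() `iterations` times, sampling the pool after each run.

    Returns the average number of bits drained per iteration. Only decreases
    between consecutive samples are counted, so refills that happen while the
    measurement is running do not cancel out the drain.
    """
    prev = read()
    drained = 0
    for _ in range(iterations):
        action()
        cur = read()
        if cur < prev:
            drained += prev - cur
        prev = cur
    return drained / iterations


def spawn_child():
    """Launch and reap one short-lived process, as each `watch` refresh does."""
    subprocess.run([TRUE_BIN], check=True)


if __name__ == "__main__":
    n = 50  # assumed sample count; raise it on a noisy host
    baseline = measure(lambda: None, n)   # same process, no exec
    per_exec = measure(spawn_child, n)    # one process launch per sample
    print("in-process reads : %.1f bits/iteration" % baseline)
    print("one exec per read: %.1f bits/iteration" % per_exec)
```

A per-exec figure well above the in-process baseline on an affected kernel is consistent with the drain coming from process launches rather than from reading the file.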