[Beowulf] /dev/random entropy on stateless/headless nodes

Stuart Barkley stuartb at 4gh.net
Mon Feb 28 06:59:57 PST 2011


Thanks for the various suggestions.  I'm fairly well versed on the
theory of /dev/{,u}random but was surprised when our diskless nodes
had no entropy source in practice.

My current concern is letting users get some good randomness for
initializing their own random number generators (gsl, etc).

I'll recommend users use /dev/urandom instead of /dev/random.  This
alone should be sufficient for non-cryptographic purposes and appears
to be the correct system usage.

I'll leave the science issues (<http://arxiv.org/abs/1102.4666> and
<http://arxiv.org/abs/cond-mat/0609584>) to the scientists.  I was
surprised to see that gsl only supports a single integer for seeding
their algorithms.  Perhaps it's related.

A secondary concern is nodes where the cryptographic randomness of
/dev/random is required (mostly ssl web servers, but I will need to
inventory).

<http://www.pinkas.net/PAPERS/gpr06.pdf> gives a description of the
Linux kernel internals (as of 2004).  It indicates that the kernel
already does some baseline initialization (probably) sufficient for
/dev/urandom.

Since initial state isn't explicitly stated, throwing node name/mac
addresses/boot time and maybe a few other things into the entropy pool
at boot time should be good enough to prime /dev/urandom to prevent
repetition on reboot.  Something like:

    (date; hostname; uptime; ifconfig; qstat) > /dev/random

in a start up script should at least not harm anything.

I would like to see letting network interrupts be enabled to feed
entropy into /dev/random.  This currently looks like it involves
building custom device drivers (with IRQF_SAMPLE_RANDOM and/or
SA_SAMPLE_RANDOM enabled).

egd/prngd look like reasonable ways to provide a local network service
to provide random data to also feed into things that need it.  I think
they are overkill for now (and I haven't fully reviewed the internals
either).

Thanks for the ideas,
Stuart
-- 
I've never been lost; I was once bewildered for three days, but never lost!
                                        --  Daniel Boone
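
The following is an added example, not part of the original post: one way a user program could take a seed from /dev/urandom, sized as the single `unsigned long` that `gsl_rng_set()` accepts. The function names `read_random_bytes` and `urandom_seed` are illustrative; the code retries on `EINTR`, loops over short reads, and treats EOF as an error.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Illustrative helper (name is an assumption, not from the post).
 * Fills buf with len bytes from path; returns 0, or -1 with errno set. */
int read_random_bytes(const char *path, void *buf, size_t len)
{
    unsigned char *p = buf;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;

    while (len > 0) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR)
            continue;                 /* interrupted by a signal: retry */
        if (n <= 0) {                 /* read error, or EOF: not a random device */
            int saved = (n == 0) ? EIO : errno;
            close(fd);
            errno = saved;
            return -1;
        }
        p += n;                       /* short read: keep going */
        len -= (size_t)n;
    }
    close(fd);
    return 0;
}

/* One seed of the width gsl_rng_set() takes; /dev/urandom does not block. */
int urandom_seed(unsigned long *seed)
{
    return read_random_bytes("/dev/urandom", seed, sizeof *seed);
}

int main(void)
{
    unsigned long seed;
    if (urandom_seed(&seed) != 0) {
        perror("/dev/urandom");
        return 1;
    }
    /* Hand the value to the generator, e.g. gsl_rng_set(r, seed); */
    printf("%lu\n", seed);
    return 0;
}
```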


