Available entropy on CoreOS nodes builds up slowly

Solution Verified - Updated -

Environment

  • OpenShift Container Platform (OCP) 4.x
  • Red Hat CoreOS (RHCOS) 4.x

Issue

An application frequently generates random strings by reading from /dev/random. When tested on a developer's machine everything works fine, but there are performance issues when it runs inside OCP.

Resolution

  • There is no working solution available, as rng-tools are not part of RHCOS.
  • As a workaround, an image with rng-tools and rngd can be deployed as a DaemonSet on the worker nodes:
  1. Create the project:
oc new-project ocp-rngd

  2. Apply the privileged SCC to the project's default ServiceAccount:
oc adm policy add-scc-to-user privileged system:serviceaccount:ocp-rngd:default

  3. Create a DaemonSet to run rngd on each node:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  annotations:
    kubernetes.io/description: |
      This daemonset launches the rngd daemon on all nodes to improve CoreOS available entropy.
  labels:
    app: rng-daemon
  name: rng-daemon
  namespace: ocp-rngd
spec:
  selector:
    matchLabels:
      app: rng-daemon
  template:
    metadata:
      labels:
        app: rng-daemon
    spec:
      containers:
      - name: rngd
        image: docker.io/linuxkit/rng-tools:d77676ea6ae229b779868e5eff4600f59b0eb0d8
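        command:
        - rngd
        args:
        - -f              # run in the foreground so the container stays up
        - -r              # input source that rngd reads from
        - /dev/urandom
        - -o              # kernel device that rngd feeds the data into
        - /dev/random
        # Because the source is /dev/urandom, this raises the kernel's entropy
        # estimate without adding an independent entropy source.
        securityContext:
          # rngd runs as root in a privileged container to feed the node's kernel pool
          runAsUser: 0
          privileged: true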
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
  • The best solution would be to make rng-tools available in RHCOS and to be able to start rngd via the machine-config-operator.

Root Cause

Low entropy is a common issue in virtual environments. The available entropy depends on many factors. If the available entropy is below a threshold of approximately 1000, applications that depend on it can suffer a decrease in performance.

Diagnostic Steps

[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:16 UTC 2020
3877
[core@rhcosnode ~]$ date;cat /dev/random > /dev/null
Fri Jul 10 09:08:22 UTC 2020
^C
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:25 UTC 2020
177
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:27 UTC 2020
334
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:30 UTC 2020
571
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:32 UTC 2020
727
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:34 UTC 2020
853
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:36 UTC 2020
902
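
The manual polling above can be scripted. The following is an added example, not part of the original article: it samples entropy_avail at a fixed interval and reports the lowest reading, the number of readings under the threshold from Root Cause, and the refill rate. The function names, the ENTROPY_FILE and THRESHOLD variables and the sample data are assumptions made for this example, and it assumes a kernel where entropy_avail drains and refills as in the session above.

```shell
#!/bin/sh
# Added example, not part of the original article.
ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
THRESHOLD=${THRESHOLD:-1000}   # approximate threshold from Root Cause

# sample_entropy COUNT INTERVAL
# Print COUNT lines of "<epoch-seconds> <entropy_avail>", INTERVAL seconds apart.
sample_entropy() {
    count=$1; interval=$2; i=0
    while [ "$i" -lt "$count" ]; do
        printf '%s %s\n' "$(date +%s)" "$(cat "$ENTROPY_FILE")"
        i=$((i + 1))
        if [ "$i" -lt "$count" ]; then sleep "$interval"; fi
    done
}

# summarise
# Read "<seconds> <value>" lines on stdin; report the lowest reading, how many
# readings were under THRESHOLD, and the refill rate from first to last sample.
summarise() {
    awk -v limit="$THRESHOLD" '
        NF == 2 {
            if (n == 0) { t0 = $1; v0 = $2; min = $2 }
            if ($2 + 0 < min + 0) min = $2
            if ($2 + 0 < limit + 0) below++
            t1 = $1; v1 = $2; n++
        }
        END {
            if (n == 0) { print "no samples"; exit 1 }
            rate = (t1 + 0 > t0 + 0) ? (v1 - v0) / (t1 - t0) : 0
            printf "min=%d below=%d rate=%.1f\n", min, below, rate
        }'
}

# Constructed input: the six post-drain readings from Diagnostic Steps, with
# each timestamp reduced to its seconds field (09:08:25 -> 25).
page_samples() {
    printf '%s\n' '25 177' '27 334' '30 571' '32 727' '34 853' '36 902'
}

# Usage on a node:  sample_entropy 10 2 | summarise
# Offline check:    page_samples | summarise   -> min=177 below=6 rate=65.9
```

Running it on a node before and after the DaemonSet is deployed gives comparable figures for how quickly the pool recovers.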

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
