Available entropy on CoreOS nodes builds up slowly
Environment
- OpenShift Container Platform (OCP) 4.x
- Red Hat CoreOS (RHCOS) 4.x
Issue
An application frequently generates random strings using /dev/random. When tested on a developer's machine everything works fine, but there are performance issues when running inside OCP.
Resolution
- There is no working solution available, as rng-tools are not part of RHCOS.
- As a workaround, an image with rng-tools and rngd can be deployed as a DaemonSet on the worker nodes.
- Create Project:
oc new-project ocp-rngd
- Apply privileged SCC to default project ServiceAccount:
oc adm policy add-scc-to-user privileged system:serviceaccount:ocp-rngd:default
- Create DaemonSet to run rngd on each node:
apiVersion: apps/v1
kind: DaemonSet
metadata:
  annotations:
    kubernetes.io/description: |
      This daemonset launches the rngd daemon on all nodes to improve CoreOS available entropy.
  labels:
    app: rng-daemon
  name: rng-daemon
  namespace: ocp-rngd
spec:
  selector:
    matchLabels:
      app: rng-daemon
  template:
    metadata:
      labels:
        app: rng-daemon
    spec:
      containers:
      - name: rngd
        image: docker.io/linuxkit/rng-tools:d77676ea6ae229b779868e5eff4600f59b0eb0d8
        command:
        - rngd
        args:
        # -f: stay in the foreground so the container keeps running
        - -f
        # -r: device rngd reads random data from
        - -r
        - /dev/urandom
        # -o: kernel device rngd feeds that data into
        - -o
        - /dev/random
        securityContext:
          # root and privileged mode rely on the privileged SCC granted above
          runAsUser: 0
          privileged: true
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
      # also allow scheduling onto master nodes
      - effect: NoSchedule
        key: node-role.kubernetes.io/master
        operator: Exists
- The best solution would be to make rng-tools available in RHCOS and be able to start rngd via the machine-config-operator.
Root Cause
Low entropy is a common issue in virtual environments. The available entropy depends on many factors. If the available entropy is below a threshold of approximately 1000 it can cause a decrease in performance for applications depending on it.
Diagnostic Steps
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:16 UTC 2020
3877
[core@rhcosnode ~]$ date;cat /dev/random > /dev/null
Fri Jul 10 09:08:22 UTC 2020
^C
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:25 UTC 2020
177
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:27 UTC 2020
334
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:30 UTC 2020
571
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:32 UTC 2020
727
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:34 UTC 2020
853
[core@rhcosnode ~]$ date;cat /proc/sys/kernel/random/entropy_avail
Fri Jul 10 09:08:36 UTC 2020
902
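The manual check above can be scripted. The following is an added example, not part of the original article: it summarises entropy readings against the threshold of approximately 1000 named under Root Cause and estimates the refill rate. The function names, the output format and the embedded sample (built from the readings in the session above) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original article.
ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail

# Constructed sample: "epoch_seconds entropy_avail" pairs. The values are the
# readings from the session above; the epoch timestamps were converted by hand.
SAMPLE='1594372096 3877
1594372105 177
1594372107 334
1594372110 571
1594372112 727
1594372114 853
1594372116 902'

# sample_entropy COUNT INTERVAL: print COUNT live readings, INTERVAL seconds apart.
sample_entropy() {
    i=0
    while [ "$i" -lt "$1" ]; do
        printf '%s %s\n' "$(date +%s)" "$(cat "$ENTROPY_FILE")"
        i=$((i + 1))
        if [ "$i" -lt "$1" ]; then sleep "$2"; fi
    done
}

# summarise_entropy [THRESHOLD]: read samples on stdin; report the lowest reading,
# how many readings fell below THRESHOLD, and the refill rate from the lowest
# reading to the last one.
summarise_entropy() {
    awk -v t="${1:-1000}" '
        NF == 2 {
            n++
            if (n == 1 || $2 + 0 < min) { min = $2 + 0; min_ts = $1 + 0 }
            if ($2 + 0 < t + 0) below++
            last = $2 + 0; last_ts = $1 + 0
        }
        END {
            if (n == 0) { print "no samples"; exit 1 }
            rate = (last_ts > min_ts) ? int((last - min) / (last_ts - min_ts)) : 0
            printf "samples=%d min=%d below_threshold=%d refill_bits_per_sec=%d\n",
                n, min, below, rate
        }'
}

# Live use on a node: sh entropy.sh --live
if [ "${1:-}" = "--live" ]; then
    sample_entropy 10 2 | summarise_entropy 1000
fi
```

Running it with --live once before and once after deploying the DaemonSet shows whether rngd changes the number of readings below the threshold.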
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.