没有足够的熵来支持在 boot2docker 中运行的 docker 容器中的/dev/random [英] Not enough entropy to support /dev/random in docker containers running in boot2docker

问题描述

在虚拟化 Linux 系统中耗尽熵似乎是一个常见问题(例如 /dev/random Extremely慢?，让 linux 缓冲/dev/random).尽管使用了硬件随机数生成器 (HRNG)，但使用了熵收集守护进程，例如 HAVEGED 经常被建议.然而，熵收集守护进程 (EGD) 不能在 Docker 容器内运行，它必须由主机提供.

Running out of entropy in virtualized Linux systems seems to be a common problem (e.g. /dev/random Extremely Slow?, Getting linux to buffer /dev/random). Despite of using a hardware random number generator (HRNG) the use of a an entropy gathering daemon like HAVEGED is often suggested. However an entropy gathering daemon (EGD) cannot be run inside a Docker container, it must be provided by the host.

对于基于 Ubuntu、RHEL 等 linux 发行版的 docker 主机，使用 EGD 效果很好.让这样的守护进程在 boot2docker 内工作——它基于 Tiny Core Linux (TCL)——似乎是另一回事.虽然TCL有扩展机制，但是熵收集守护进程的扩展好像没有.

Using an EGD works fine for docker hosts based on linux distributions like Ubuntu, RHEL, etc. Getting such a daemon to work inside boot2docker - which is based on Tiny Core Linux (TCL) - seems to be another story. Although TCL has a extension mechanism, an extension for an entropy gathering daemon doesn't seem to be available.

因此，EGD 似乎是在(生产)托管环境中运行 docker 容器的合适解决方案，但是如何在 boot2docker 中解决它以进行开发/测试?

So an EGD seems like a proper solution for running docker containers in a (production) hosting environment, but how to solve it for development/testing in boot2docker?

由于在 boot2docker 中运行 EGD 似乎太难了，我想简单地使用/dev/urandom 而不是/dev/random.使用/dev/urandom 的安全性稍差一些，但对于大多数不生成长期加密密钥的应用程序来说仍然可以.至少在 boot2docker 中进行开发/测试应该没问题.

Since running an EGD in boot2docker seemed too difficult, I thought about simply using /dev/urandom instead of /dev/random. Using /dev/urandom is a litte less secure, but still fine for most applications which are not generating long-term cryptographic keys. At least it should be fine for development/testing inside boot2docker.

推荐答案

我刚刚意识到，将/dev/urandom 从主机作为/dev/random 安装到容器中很简单:

I just realized, that it is simple as mounting /dev/urandom from the host as /dev/random into the container:

$ docker run -v /dev/urandom:/dev/random ...

结果如预期:

$ docker run --rm -it -v /dev/urandom:/dev/random ubuntu dd if=/dev/random of=/dev/null bs=1 count=1024
1024+0 records in
1024+0 records out
1024 bytes (1.0 kB) copied, 0.00223239 s, 459 kB/s

至少我现在知道如何构建自己的 boot2docker 镜像了 ;-)

At least I know how to build my own boot2docker images now ;-)

这篇关于没有足够的熵来支持在 boot2docker 中运行的 docker 容器中的/dev/random的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！