Not enough entropy to support /dev/random in docker containers running in boot2docker


Problem description



Running out of entropy in virtualized Linux systems seems to be a common problem (e.g. /dev/random Extremely Slow?, Getting linux to buffer /dev/random). Despite using a hardware random number generator (HRNG), the use of an entropy gathering daemon like HAVEGED is often suggested. However, an entropy gathering daemon (EGD) cannot be run inside a Docker container; it must be provided by the host.

Using an EGD works fine for docker hosts based on linux distributions like Ubuntu, RHEL, etc. Getting such a daemon to work inside boot2docker - which is based on Tiny Core Linux (TCL) - seems to be another story. Although TCL has an extension mechanism, an extension for an entropy gathering daemon doesn't seem to be available.

So an EGD seems like a proper solution for running docker containers in a (production) hosting environment, but how to solve it for development/testing in boot2docker?

Since running an EGD in boot2docker seemed too difficult, I thought about simply using /dev/urandom instead of /dev/random. Using /dev/urandom is a little less secure, but still fine for most applications which are not generating long-term cryptographic keys. At least it should be fine for development/testing inside boot2docker.

Solution

I just realized that it is as simple as mounting /dev/urandom from the host as /dev/random into the container:

$ docker run -v /dev/urandom:/dev/random ...

The result is as expected:

$ docker run --rm -it -v /dev/urandom:/dev/random ubuntu dd if=/dev/random of=/dev/null bs=1 count=1024
1024+0 records in
1024+0 records out
1024 bytes (1.0 kB) copied, 0.00223239 s, 459 kB/s

At least I know how to build my own boot2docker images now ;-)
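A way to verify, from inside the container, that the bind mount above really took effect and to measure the read without ever hanging on a drained pool. This is an added example and is not code from the original question or answer. It assumes a Linux kernel, where the character devices are numbered major 1, minor 8 for random and minor 9 for urandom (per the kernel's devices.txt); after `docker run -v /dev/urandom:/dev/random`, the node at `/dev/random` inside the container carries minor 9. The function and variable names are the example's own. Caveat for readers on current kernels: since Linux 5.6, `/dev/random` no longer blocks once the pool has been initialized at boot, so the 1024-byte probe completes quickly even without the bind mount; the slow behaviour in the question is specific to older kernels.

```python
"""Probe what /dev/random really is inside a container (added example).

Assumes Linux; the (major, minor) mapping below is the kernel's
memory-device numbering: char 1:8 = random, char 1:9 = urandom.
"""
import os
import stat
import time
from typing import Optional, Tuple

MEM_MAJOR = 1                       # major number of the kernel memory devices
MINORS = {8: "random", 9: "urandom"}  # minor -> device name, from devices.txt


def classify_device(major: int, minor: int) -> str:
    """Map a (major, minor) pair to 'random', 'urandom' or 'unknown'."""
    if major == MEM_MAJOR and minor in MINORS:
        return MINORS[minor]
    return "unknown"


def identify(path: str) -> str:
    """Return which kernel device a path really is.

    'missing' if the node does not exist, 'unknown' if it is not one of
    the two random devices (e.g. a regular file or /dev/null).  Inside a
    container started with -v /dev/urandom:/dev/random this returns
    'urandom' for '/dev/random', which is the check that the bind mount
    did what was intended.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISCHR(st.st_mode):
        return "unknown"
    return classify_device(os.major(st.st_rdev), os.minor(st.st_rdev))


def entropy_available() -> Optional[int]:
    """Kernel's current entropy estimate, or None when /proc is not mounted."""
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as f:
            return int(f.read().strip())
    except (FileNotFoundError, ValueError):
        return None


def read_nonblocking(path: str, nbytes: int) -> Tuple[int, float]:
    """Read up to nbytes from path without blocking; return (bytes_read, seconds).

    O_NONBLOCK makes a drained /dev/random on a pre-5.6 kernel answer
    EAGAIN instead of hanging, so a short count here is the symptom the
    question describes rather than a stuck probe.
    """
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    got = 0
    start = time.monotonic()
    try:
        while got < nbytes:
            try:
                chunk = os.read(fd, nbytes - got)
            except BlockingIOError:      # EAGAIN: entropy pool drained
                break
            if not chunk:
                break
            got += len(chunk)
    finally:
        os.close(fd)
    return got, time.monotonic() - start


if __name__ == "__main__":
    for dev in ("/dev/random", "/dev/urandom"):
        kind = identify(dev)
        if kind == "missing":
            print(f"{dev}: missing")
            continue
        n, secs = read_nonblocking(dev, 1024)
        print(f"{dev}: really {kind}, read {n}/1024 bytes in {secs:.4f}s")
    print("entropy_avail:", entropy_available())
```

Run it with `docker run --rm -v /dev/urandom:/dev/random -v $PWD/probe.py:/probe.py python:3 python /probe.py` (file name assumed) and compare with a run without the `-v`: with the mount the first line reports `/dev/random: really urandom`, without it `really random`, which is a more reliable confirmation than the `dd` throughput alone.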
