[Bug 1269073] Re: test_tomcat_daemon smoke test failure on images with 3.13 kernel

Robie Basak 1269073 at bugs.launchpad.net
Thu Jan 16 13:39:15 UTC 2014


> Using /dev/urandom does resolve the issue, but is it as secure?

There are more things that could happen to make it less secure now. My
understanding: though the early entropy is going to /dev/urandom now,
there may be more things that feed from /dev/urandom (thus using that
entropy up), and there is nothing to hold Tomcat back to wait for more
entropy like there was before.

Must Tomcat block everything while it is waiting for entropy, or does
the system still boot?

Fundamentally, the issue is that the system needs an early entropy
source, and VMs have little. The kernel decides what is safe and
available to use, and so if Tomcat wants high quality entropy and the
kernel now says to wait, it'll have to wait.

I wonder if there is a bigger picture solution to this. What if, for
example, an external source could optionally provide some entropy to the
VM for early boot? cloud-init could take it then, for example, and feed
the kernel, at least for the first-ever boot. Disadvantages: you have to
trust the host more than you did before; the fed entropy would be have
stored, and thus vulnerable to compromise; people may do it wrong.
Though I'm no expert, and something like this definitely needs to be
checked by an expert before doing it.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to tomcat7 in Ubuntu.
https://bugs.launchpad.net/bugs/1269073

Title:
  test_tomcat_daemon smoke test failure on images with 3.13 kernel

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1269073/+subscriptions



More information about the Ubuntu-server-bugs mailing list