CentOS7 Tomcat 启动过程很慢,JVM上的随机数与熵池策略

1. CentOS7 Tomcat 启动过程很慢

在centos启动官方的tomcat时,启动过程很慢,需要几分钟,经过查看日志,发现耗时在这里:是session引起的随机数问题导致的:

<code class="hljs css has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">14<span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">-Jul-2016</span> 04<span class="hljs-pseudo" style="color: rgb(0, 0, 0); box-sizing: border-box;">:14</span><span class="hljs-pseudo" style="color: rgb(0, 0, 0); box-sizing: border-box;">:22</span><span class="hljs-class" style="box-sizing: border-box; color: rgb(155, 112, 63);">.900</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">INFO</span> <span class="hljs-attr_selector" style="color: rgb(0, 136, 0); box-sizing: border-box;">[localhost-startStop-1]</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">org</span><span class="hljs-class" style="box-sizing: border-box; color: rgb(155, 112, 63);">.apache</span><span class="hljs-class" style="box-sizing: border-box; color: rgb(155, 112, 63);">.catalina</span><span class="hljs-class" style="box-sizing: border-box; color: rgb(155, 112, 63);">.util</span><span class="hljs-class" style="box-sizing: border-box; color: rgb(155, 112, 63);">.SessionIdGenerator</span><span class="hljs-class" style="box-sizing: border-box; color: rgb(155, 112, 63);">.createSecureRandom</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">Creation</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">of</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">SecureRa</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">ndom</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">instance</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">for</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">session</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">ID</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">generation</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">using</span> <span class="hljs-attr_selector" style="color: rgb(0, 136, 0); box-sizing: border-box;">[SHA1PRNG]</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">took</span> <span class="hljs-attr_selector" style="color: rgb(0, 136, 0); box-sizing: border-box;">[142,673]</span> <span class="hljs-tag" style="color: rgb(0, 0, 0); box-sizing: border-box;">milliseconds</span>.</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li></ul><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li></ul>

2. JVM上的随机数与熵池策略

在apache-tomcat官方文档:如何让tomcat启动更快里面提到了一些启动时的优化项,其中一项是关于随机数生成时,采用的“熵源”(entropy source)的策略。

他提到tomcat7的session id的生成主要通过Java.security.SecureRandom生成随机数来实现,随机数算法使用的是”SHA1PRNG”

<code class="hljs cs has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;"><span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">private</span> String secureRandomAlgorithm = <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"SHA1PRNG"</span>;</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li></ul><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li></ul>

在sun/Oracle的jdk里,这个算法的提供者在底层依赖到操作系统提供的随机数据,在Linux上,与之相关的是/dev/random和/dev/urandom,对于这两个设备块的描述以前也见过讨论随机数的文章,wiki中有比较详细的描述,摘抄过来,先看/dev/random :

在读取时,/dev/random设备会返回小于熵池噪声总数的随机字节。/dev/random可生成高随机性的公钥或一次性密码本。若熵池空了,对/dev/random的读操作将会被阻塞,直到收集到了足够的环境噪声为止

而 /dev/urandom 则是一个非阻塞的发生器:

dev/random的一个副本是/dev/urandom (”unlocked”,非阻塞的随机数发生器),它会重复使用熵池中的数据以产生伪随机数据。这表示对/dev/urandom的读取操作不会产生阻塞,但其输出的熵可能小于/dev/random的。它可以作为生成较低强度密码的伪随机数生成器,不建议用于生成高强度长期密码。
另外wiki里也提到了为什么linux内核里的随机数生成器采用SHA1散列算法而非加密算法,是为了避开法律风险(密码出口限制)。

回到tomcat文档里的建议,采用非阻塞的熵源(entropy source),通过java系统属性来设置:

<code class="hljs avrasm has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">-Djava<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.security</span><span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.egd</span>=file:/dev/./urandom</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li></ul><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li></ul>

catalina.sh

<code class="hljs lua has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;"><span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">if</span> <span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">[[ "$JAVA_OPTS" != *-Djava.security.egd=* ]]</span>; <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">then</span> JAVA_OPTS=<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"$JAVA_OPTS -Djava.security.egd=file:/dev/./urandom"</span> fi</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li></ul><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li></ul>

这个系统属性egd表示熵收集守护进程(entropy gathering daemon),但这里值为何要在dev和random之间加一个点呢?是因为一个jdk的bug,在这个bug的连接里有人反馈及时对 securerandom.source 设置为 /dev/urandom 它也仍然使用的 /dev/random,有人提供了变通的解决方法,其中一个变通的做法是对securerandom.source设置为 /dev/./urandom 才行。也有人评论说这个不是bug,是有意为之。

我看了一下我当前所用的jdk7的java.security文件里,配置里仍使用的是/dev/urandom:

# Select the source of seed data for SecureRandom. By default an
# attempt is made to use the entropy gathering device specified by
# the securerandom.source property. If an exception occurs when
# accessing the URL then the traditional system/thread activity
# algorithm is used.
#
# On Solaris and Linux systems, if file:/dev/urandom is specified and it
# exists, a special SecureRandom implementation is activated by default.
# This “NativePRNG” reads random bytes directly from /dev/urandom.
#
# On Windows systems, the URLs file:/dev/random and file:/dev/urandom
# enables use of the Microsoft CryptoAPI seed functionality.
#
securerandom.source=file:/dev/urandom

我不确定jdk7里,这个 /dev/urandom 也同那个bug报告里所说的等同于 /dev/random;要使用非阻塞的熵池,这里还是要修改为/dev/./urandom 呢,还是jdk7已经修复了这个问题,就是同注释里的意思,只好验证一下。

使用bug报告里给出的代码:

<code class="hljs java has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;"><span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">import</span> java.security.SecureRandom; class JRand { <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">public</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">static</span> <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">void</span> <span class="hljs-title" style="box-sizing: border-box;">main</span>(String args[]) <span class="hljs-keyword" style="color: rgb(0, 0, 136); box-sizing: border-box;">throws</span> Exception { System.out.println(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"Ok: "</span> + SecureRandom.getInstance(<span class="hljs-string" style="color: rgb(0, 136, 0); box-sizing: border-box;">"SHA1PRNG"</span>).nextLong()); } }</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li></ul><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li></ul>

然后设置不同的系统属性来验证,先是在我的mac上:

<code class="hljs avrasm has-numbering" style="display: block; padding: 0px; color: inherit; box-sizing: border-box; font-family: 'Source Code Pro', monospace;font-size:undefined; white-space: pre; border-radius: 0px; word-wrap: normal; background: transparent;">% time java -Djava<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.security</span><span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.egd</span>=file:/dev/urandom JRand <span class="hljs-label" style="box-sizing: border-box;">Ok:</span> <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">8609191756834777000</span> java -Djava<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.security</span><span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.egd</span>=file:/dev/urandom JRand <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0.11</span>s user <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0.03</span>s system <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">115</span>% cpu <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0.117</span> total % time java -Djava<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.security</span><span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.egd</span>=file:/dev/./urandom JRand <span class="hljs-label" style="box-sizing: border-box;">Ok:</span> -<span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">3573266464480299009</span> java -Djava<span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.security</span><span class="hljs-preprocessor" style="color: rgb(68, 68, 68); box-sizing: border-box;">.egd</span>=file:/dev/./urandom JRand <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0.11</span>s user <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0.03</span>s system <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">116</span>% cpu <span class="hljs-number" style="color: rgb(0, 102, 102); box-sizing: border-box;">0.116</span> total</code><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li></ul><ul class="pre-numbering" style="box-sizing: border-box; position: absolute; width: 50px; top: 0px; left: 0px; margin: 0px; padding: 6px 0px 40px; border-right-width: 1px; border-right-style: solid; border-right-color: rgb(221, 221, 221); list-style: none; text-align: right; background-color: rgb(238, 238, 238);"><li style="box-sizing: border-box; padding: 0px 5px;">1</li><li style="box-sizing: border-box; padding: 0px 5px;">2</li><li style="box-sizing: border-box; padding: 0px 5px;">3</li><li style="box-sizing: border-box; padding: 0px 5px;">4</li><li style="box-sizing: border-box; padding: 0px 5px;">5</li><li style="box-sizing: border-box; padding: 0px 5px;">6</li><li style="box-sizing: border-box; padding: 0px 5px;">7</li><li style="box-sizing: border-box; padding: 0px 5px;">8</li><li style="box-sizing: border-box; padding: 0px 5px;">9</li><li style="box-sizing: border-box; padding: 0px 5px;">10</li><li style="box-sizing: border-box; padding: 0px 5px;">11</li><li style="box-sizing: border-box; padding: 0px 5px;">12</li><li style="box-sizing: border-box; padding: 0px 5px;">13</li><li style="box-sizing: border-box; padding: 0px 5px;">14</li><li style="box-sizing: border-box; padding: 0px 5px;">15</li></ul>

可以看到/dev/urandom和 /dev/./urandom 的执行时间差不多,有点纳闷,再仔细看一下wiki里说的:

FreeBSD操作系统实现了256位的Yarrow算法变体,以提供伪随机数流。与Linux的/dev/random不同,FreeBSD的/dev/random不会产生阻塞,与Linux的/dev/urandom相似,提供了密码学安全的伪随机数发生器,而不是基于熵池。而FreeBSD的/dev/urandom则只是简单的链接到了/dev/random。
尽管在我的mac上/dev/urandom并不是/dev/random的链接,但mac与bsd内核应该是相近的,/dev/random也是非阻塞的,/dev/urandom是用来兼容linux系统的,这两个随机数生成器的行为是一致的。参考这里

然后再到一台ubuntu系统上测试:

% time java -Djava.security.egd=file:/dev/urandom JRand
Ok: 6677107889555365492
java -Djava.security.egd=file:/dev/urandom JRand
0.14s user 0.02s system 9% cpu 1.661 total

% time java -Djava.security.egd=file:/dev/./urandom JRand
Ok: 5008413661952823775
java -Djava.security.egd=file:/dev/./urandom JRand
0.12s user 0.02s system 99% cpu 0.145 total
这回差异就完全体现出来了,阻塞模式的熵池耗时用了1.6秒,而非阻塞模式则只用了0.14秒,差了一个数量级,当然代价是转换为对cpu的开销了。

// 补充,连续在ubuntu上测试几次/dev/random方式之后,导致熵池被用空,被阻塞了60秒左右。应用服务器端要避免这种方式。

本条目发布于2014-06-25。属于java、programming分类,被贴了 freebsd、java、linux、mac、os、random、tomcat 标签。

原文: http://hongjiang.info/jvm-random-and-entropy-source/

补充:本人在Centos7.2下搭建的tomcat8,启动很慢,是上述原因导致,但采用上述策略没有解决tomcat启动慢的问题,

因为catalina.sh添加相应代码后提示找不到-Djava.security.egd=file:/dev/./urandom

后来直接配置jdk securerandom.source为urandom解决:

打开$JAVA_PATH/jre/lib/security/java.security这个文件,找到securerandom.source配置项

修改为:

securerandom.source=file:/dev/./urandom

Leave a Reply

Your email address will not be published. Required fields are marked *