New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"import random" blocks on entropy collection on Linux with low entropy #69606
Comments
When imported, the random module creates and seeds an implicit instance, even when it is never used. The RNG is seeded from os.urandom, which as of python 3.5 uses the potentially blocking getrandom() call. This causes problems e.g. on our build VMs that don't have true entropy, so getrandom() blocks forever -- unlike /dev/urandom, getrandom() in kernel waits until 128 bits of true entropy are available to reseed the RNG. And as it happens, the usual setup.py will very indirectly "import random" somewhere deep in its dependencies. I can foresee a similar issue if someone uses python early in the boot process. A possible workaround is to monkeypatch os.urandom (in this particular case, to return a string of zeroes and remove randomness entirely to get reproducible builds) |
"The RNG is seeded from os.urandom, which as of python 3.5 uses the potentially blocking getrandom() call." Hum ok, so your issue is specific to Linux. "This causes problems e.g. on our build VMs that don't have true entropy, so getrandom() blocks forever" Hum, the problem was already fixed some months/years ago: you must attach a RNG virtio device to your VM. Python is just one example, a lot of applications need entropy. "A possible workaround is to monkeypatch os.urandom (in this particular case, to return a string of zeroes and remove randomness entirely to get reproducible builds)" An unsafe *workaround* is to install haveged, a daemon generating entropy using the CPU. |
On 18.10.2015 23:09, STINNER Victor wrote:
yes, should have specified that, sorry
i disagree that this is a good solution; similar to your haveged Unless a program specifically uses randomness, it should not need to |
If your OS has no entropy at all, you will have much more severe |
Just install rngd and setup it to user /dev/urandom as entropy source. I think thread is closed :) |
I knew the subtle difference between reading from /dev/urandom and |
Man getrandom() As of Linux 3.19, the following bug exists:
So, is it goot to use this syscall now? |
Hi, Марк Коренберг added the comment:
I saw a fix proposed on the LKML but it looks like it was not merged. getrandom(n, GRND_NONBLOCK) behaviour depends if /dev/urandom was Can you reproduce the bug? Which kind of applications can hang because I would prefer to continue to use getrandom() syscall on Linux, avoid Maybe we can try to document the behaviour of os.urandom() for signal |
Here is a patch for os.urandom() documentation. What do you think? |
let me reiterate that what I consider a bug is the fact that "import random" statement calls os.urandom (which per the proposed documentation may sometimes block) IOW, "import random" may sometimes block, even though it is not actually used at any point (could be pulled in through some dependencies) |
I think Jan has a point there. An import should not cause the whole interpreter to hang. Wouldn't it be possible to have the getrandom() call be done lazily to avoid this and only have it block when the RNG from the random is actually being used ? Or alternatively, make things more robust by avoiding to call the API on systems which are known to have blocking problems and then reverting to using /dev/urandom directly instead ? Note that the RNG does already use a fallback solution for systems which don't provide os.urandom. Also note that os.urandom() is documented (indirectly via man 4 urandom) to not be blocking. If it blocks on some systems, we should add a work-around for those, just like Python/random.c does for Solaris. BTW: Is there a way to determine whether enough entropy has been gathered without doing a blocking call ? This could be used to find out whether getrandom() will potentially block. |
attaching a first draft of what i'd consider a solution? not sure if this is the right way to go, and i don't know how to write a test for an import statement |
I can confirm that I'm affected by the same issue. Booting a simple Linux system on a Qemu ARM platform, the python startup hangs during 25 seconds due to the call to getrandom(). I am not doing anything with Python, just starting the Python interpreter: # strace -t -o strace.log python
random: nonblocking pool is initialized
Python 3.5.0 (default, Dec 23 2015, 15:11:18)
[GCC 5.1.1 20150608] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
# grep -A 2 getrandom strace.log
14:43:50 getrandom("\245\362a=\305\32Z\263\364\352j\223\0017\302q\361M\336+\2722>[", 24, 0) = 24
14:44:35 ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
14:44:35 mmap2(NULL, 262144, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x76baf000 As you can see, 25 seconds blocked due to the getrandom() system call. Makes the Python interpreter not really usable anymore. I would understand if Python would do when I need to generate cryptographically secure random numbers. But at this point, I am just starting the interpreter, nothing else. This is a regression from Python 3.4.3. |
Obviously I did my math wrong: it waits 45 seconds in getrandom(), not 25 seconds. See my strace log. |
getrandom() is used to initialize the randomized hash function. Set |
FWIW, the random.patch from matejcik makes me uncomfortable. It feels like a hack that obscures the code, would confound linters and type checkers, and would create more problems than it would solve. |
The issue is more general than just "import random", Python reads entropy at startup to initialize a random seed for its randomized hash function: see the issue bpo-26839. |
unlike bpo-26839, however, there is no workaround for "import random". |
I still believe the underlying system API use should be fixed rather than all the different instances where it gets used. getrandom() should not block. If it does on a platform, that's a bug on that platform and Python should revert to the alternative of using /dev/urandom directly (or whatever other source of randomness is available). Disabling hash randomization is not a good workaround for the issue, since it will definitely pop up in other areas as well. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: