How to get enough entropy into Docker containers?

python docker ssl random-number-generator entropy-pool

Whenever I cat /proc/sys/kernel/random/entropy_avail inside my Docker containers (Linux 5.10 based), I get a double-digit result, which is apparently laughably low. Supposedly anything below 4 digits is bad, and keeping it close to 4096 (the max) is ideal.

I've read about an entropy-gathering daemon called haveged, but it is supposedly obsolete since Linux kernel 5.6, so I'm not sure that that's the right solution anymore.

Why is my entropy so low inside my Docker containers running the 5.10 kernel, and what can I do to fix it?

I originally discovered this when a Python "quote of the day" script kept choosing the same few quotes. I wasn't manually seeding Python's standard Random module, but according to its documentation and source code, it's supposed to self-seed from system entropy (directly via getentropy(3) or get getrandom(2) if available, which I assume they would be on a typical modern Linux environment, or via /dev/random or /dev/urandom otherwise, or fall back to using the system time and PID as a last resort). So I guess my entropy was so low that getentropy(3) was returning poor entropy? Anyway, manually seeding Python's Random module with the system time worked around that problem.

However, now I'm worried that my web servers doing TLS, and my authentication servers, all of which run in similar Docker containers, might not have enough entropy to generate strong keys and one-time-pads and challenges and whatnot. So I want to get to the bottom of how to guarantee that my Docker containers are getting enough entropy to do their jobs well.

This isn't critical national infrastructure or something where installing a hardware RNG module would be appropriate. These are just cloud-hosted Docker containers, so I'm hoping for a solution I can implement within my Docker containers/images.


Since you're talking to the kernel, it's not really related to docker at all:

$ cat /proc/sys/kernel/random/entropy_avail
3771

$ docker run -it --rm busybox cat /proc/sys/kernel/random/entropy_avail
3781

$ cat /proc/sys/kernel/random/entropy_avail
3800

If you get more entropy on the host, you'll have more entropy in the container.

Related

Send iPhone slow-mo video to non-iPhone user
What is the difference between "restore backup" and "restore iPhone" in iTunes?
What is the use of Background App Refresh?
Where does the Apple Workout app "save" completed workouts?
Preview seems to have corrupted PDF and lost all text and arrow annotations
"This item is temporarily unavailable" When Installing Yosemite
Bind Volume controls to non-Apple keyboard without 3rd party software on macOS Sierra
Apple Magic Keyboard connected in Wired mode - turn Bluetooth off
How to clear cache of a specific application in iOS?
How does App Store "complete my bundle" work when I've spent more than the bundle cost?
Black or displaced screen when screen sharing headless mac mini on macOS 10.12
Upgrade bash without using the terminal to fix iterm issue dyld: Library not loaded: /usr/local/opt/readline/lib/libreadline.6.dylib