
Slow performance using /dev/random in docker desktop WSL2

Context :

I have a Java web application running on a Docker Linux container. The application uses a FIPS third-party library to do some cryptographic operations. Such library makes heavy use of /dev/random when it's deployed in Linux environments. I can neither modify the library nor replace it.

To develop/test the application, I use Docker Desktop for Windows. If I deploy the application using the WSL1 engine, the application runs smoothly. However, if I instruct Docker Desktop to use the WSL2 engine, the application starts lagging during cryptographic operations...

Question :

Is there a solution for this?

Before applying any of these solutions, check whether lack of entropy is your real problem... To do that, execute these commands (on your docker host and in your container):

cat /proc/sys/kernel/random/entropy_avail

It should return a number greater than 1000...

dd if=/dev/random of=/dev/null bs=1024 count=1 iflag=fullblock

It should return fast! (Sources: haveged and rng-tools)

Solutions:

For Windows users (those of you that run Docker Desktop for Windows):

  1. Keep using the WSL1 engine with Docker Desktop.
  2. If the previous solution is not possible, execute this:

docker pull harbur/haveged

docker run --privileged -d harbur/haveged

Explanation: This will run a docker container that executes the haveged daemon/process as CMD. Such process, plus the --privileged flag, will feed your host's /dev/random with entropy, avoiding blocking issues.

For Linux users (those running Linux as docker host):

  1. Map your host's /dev/urandom as a volume/mount-point onto your container's /dev/random. This will trick your container: when it uses /dev/random, it will actually be using your host's /dev/urandom, which never blocks by design. People may argue that's insecure, but that is out of the scope of this question.

  2. Install on your docker host software that increments the entropy pool, like haveged or rng-tools (if you have a hardware TRNG).

Final thoughts and conclusions:

  1. /dev/random and /dev/urandom in a docker container point to /dev/random and /dev/urandom of the docker host. I don't have any documentation that backs this up, except these: Missing Entropy and How docker handles /dev/(u)random request... and the experimental fact that if I access the WSL2 docker-desktop distro (using wsl -d docker-desktop) and I execute the dd command described previously, I can see how the entropy is reduced both in the host and the container (and vice versa)... This is why solutions like deploying the haveged container or installing haveged on the docker host work.

  2. According to the haveged link, such software is deprecated because its logic is now included in Linux kernels from v5.6... This could mean that if your docker host is running a Linux kernel equal to or greater than version 5.6, you won't need to do any of this because /dev/random will never block.

  3. I tried to install haveged in the WSL2 docker distro (docker-desktop), but such distro does not allow you to execute apt-get...
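A small POSIX shell script that automates the two checks from the answer above (the entropy_avail reading and the timed 1 KiB read from /dev/random); it is an added example, not code from the original post. It assumes a Linux host or container with /proc/sys/kernel/random and GNU dd (for iflag=fullblock); the function names and the 2-second "blocking" limit are my own choices. One caveat on the threshold: kernels from 5.18 onward cap entropy_avail at 256 once the pool is initialised, so the "greater than 1000" rule of thumb only applies to older kernels.

```shell
#!/bin/sh
# Added example: detect entropy starvation the way the answer describes.
# Assumed environment: Linux, /proc/sys/kernel/random present, GNU dd.

THRESHOLD=1000   # the answer's rule of thumb for entropy_avail (pre-5.18 kernels)
MAX_SECONDS=2    # constructed limit: a 1 KiB /dev/random read slower than this is "blocking"

# classify_entropy AVAIL THRESHOLD -> prints "ok" when AVAIL >= THRESHOLD, else "low"
classify_entropy() {
  if [ "$1" -ge "$2" ]; then echo ok; else echo low; fi
}

# read_seconds DEVICE -> whole seconds taken by the answer's dd command against DEVICE
read_seconds() {
  start=$(date +%s)
  dd if="$1" of=/dev/null bs=1024 count=1 iflag=fullblock 2>/dev/null
  end=$(date +%s)
  echo $((end - start))
}

# diagnose -> prints "starved" if either check fails, "fine" otherwise;
# run it both on the docker host and inside the container, as the answer suggests.
diagnose() {
  avail=$(cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0)
  state=$(classify_entropy "$avail" "$THRESHOLD")
  secs=$(read_seconds /dev/random)
  echo "entropy_avail=$avail ($state); 1 KiB from /dev/random took ${secs}s" >&2
  if [ "$state" = low ] || [ "$secs" -gt "$MAX_SECONDS" ]; then
    echo starved
  else
    echo fine
  fi
}

# Only run the full diagnosis when invoked as: sh entropy_check.sh run
if [ "${1:-}" = run ]; then
  diagnose
fi
```

If the script prints "starved" inside the container but "fine" on the host, the host pool is not the bottleneck and the /dev/urandom volume mapping from the Linux section is the quicker fix; if both print "starved", feed the host (haveged container or rng-tools) first.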
