Shadowsocks-libev: Entropy Collection Error on KVM Linux

Created on 12 Nov 2017  ·  20 Comments  ·  Source: shadowsocks/shadowsocks-libev

What version of shadowsocks-libev are you using?

THE LATEST

What operating system are you using?

CentOS7 on KVM

What did you do?

Normally started ss-redir
service shadowsocks-libev@redir start

What did you expect to see?

Enough entropy being collected, ss-redir works pretty fast

What did you see instead?

Nov 12 20:14:38 johnssz-cn sudo[3447]: 2017-11-12 20:14:38 INFO: initializing ciphers... rc4-md5
Nov 12 20:14:38 johnssz-cn sudo[3447]: 2017-11-12 20:14:38 INFO: This system doesn't provide enough entropy to quickly generate high-quality random numbers
Nov 12 20:14:38 johnssz-cn sudo[3447]: Installing the rng-utils/rng-tools or haveged packages may help.
Nov 12 20:14:38 johnssz-cn sudo[3447]: On virtualized Linux environments, also consider using virtio-rng.
Nov 12 20:14:38 johnssz-cn sudo[3447]: The service will not start until enough entropy has been collected.
Nov 12 20:14:38 johnssz-cn sudo[3447]: 2017-11-12 20:14:38 INFO: UDP relay enabled
Nov 12 20:14:38 johnssz-cn sudo[3447]: 2017-11-12 20:14:38 INFO: listening at 0.0.0.0:1080
Nov 12 20:14:38 johnssz-cn sudo[3447]: 2017-11-12 20:14:38 INFO: running from root user

What is your config in detail (with all sensitive info masked)?

{
    "server":"",
    "server_port":8388,
    "local_address":"0.0.0.0",
    "local_port":1080,
    "password":"",
    "timeout":300,
    "method":"rc4-md5",
    "fast_open": false
}

Additionals:

Service Configuration

# Content in '[email protected]'
[Service]
User=root
CapabilityBoundingSet=~CAP_SYS_ADMIN
ExecStart=
ExecStartPre=/etc/shadowsocks/ss-up.sh
ExecStart=/usr/bin/sudo -u root /usr/bin/ss-redir -u -c /etc/shadowsocks/shadowsocks.json 
ExecStopPost=/etc/shadowsocks/ss-down.sh

All 20 comments

On virtualized Linux environments, also consider using virtio-rng.
HOW CAN I CONFIGURE virtio-rng ON MY Virtual Private Server?
Actually once it succeeded establishing connections and worked super fast!

I don't use CentOS, but I use sudo apt install rng-tools to avoid it in Ubuntu.

Package: rng-tools
Version: 5-0ubuntu3
...
Description: Daemon to use a Hardware TRNG
The rngd daemon acts as a bridge between a Hardware TRNG (true random number
generator) such as the ones in some Intel/AMD/VIA chipsets, and the kernel's
PRNG (pseudo-random number generator).
.
It tests the data received from the TRNG using the FIPS 140-2 (2002-10-10)
tests to verify that it is indeed random, and feeds the random data to the
kernel entropy pool.
.
This increases the bandwidth of the /dev/random device, from a source that
does not depend on outside activity. It may also improve the quality
(entropy) of the randomness of /dev/random.
.
A TRNG kernel module such as hw_random, or some other source of true
entropy that is accessible as a device or fifo, is required to use this
package.
.
This is an unofficial version of rng-tools which has been extensively
modified to add multithreading and a lot of new functionality.

So, maybe you'd like to try yum install rng-tools or yum install haveged. (I'm not sure about the package name)

This works on KVM/XEN only. OpenVZ does not support any of these packages.
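
Added example, not part of the original thread or of shadowsocks-libev: a shell check that tells apart the cases discussed above (an OpenVZ container, a guest with a hardware RNG such as virtio-rng exposed, and a guest with none). The function names, the 160-bit default threshold, the `SYSROOT` variable and the OpenVZ heuristic (/proc/vz present, /proc/bc absent) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a low-entropy guest.
# Pass a root directory to inspect a copied tree; empty means the live system.

entropy_avail() {
    f="$1/proc/sys/kernel/random/entropy_avail"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Heuristic (assumption): OpenVZ containers expose /proc/vz but not /proc/bc.
virt_kind() {
    if [ -d "$1/proc/vz" ] && [ ! -d "$1/proc/bc" ]; then
        echo openvz
    else
        echo other
    fi
}

# Name of the hardware RNG the kernel is using, e.g. virtio_rng.0, or "none".
hwrng_source() {
    f="$1/sys/class/misc/hw_random/rng_current"
    name=""
    if [ -r "$f" ]; then name=$(cat "$f" 2>/dev/null) || name=""; fi
    if [ -z "$name" ]; then echo none; else echo "$name"; fi
}

# diagnose ROOT [MIN_BITS]; MIN_BITS defaults to 160 (assumed threshold).
diagnose() {
    min="${2:-160}"
    avail=$(entropy_avail "$1")
    case "$avail" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # estimate not readable
    esac
    if [ "$avail" -ge "$min" ]; then
        echo ok                                  # pool estimate is sufficient
    elif [ "$(virt_kind "$1")" = openvz ]; then
        echo low-openvz                          # container shares the host kernel's pool
    elif [ "$(hwrng_source "$1")" != none ]; then
        echo "low-hwrng-present:$(hwrng_source "$1")"   # rngd can feed from this device
    else
        echo low-no-hwrng                        # no hardware RNG visible to the guest
    fi
}

# Report on the live system unless SYSROOT points at a copied tree.
diagnose "${SYSROOT:-}"
```

A `low-hwrng-present:virtio_rng.0` result means the hypervisor already exposes virtio-rng and only a feeder such as rngd is missing; `low-no-hwrng` on KVM means the device has to be added on the host side.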

Oh that reminds me. I AM USING OpenVZ! How can I handle this?

Now it seems that the message disappears, but still it can’t connect. I am sure it’s not the problem of my ssserver. Note that I succeeded in using sslocal (not libev version) as a SOCKS5 client server

Is the connection problem related to the entropy collection?

Add -v to your command line and post the log here.

Oh it’s a little bit fuzzy
After I enabled verbose mode the message reappeared!

2017-11-13 10:12:47 INFO: initializing ciphers... rc4-md5
2017-11-13 10:12:47 INFO: This system doesn't provide enough entropy to quickly generate high-quality random numbers
Installing the rng-utils/rng-tools or haveged packages may help.
On virtualized Linux environments, also consider using virtio-rng.
The service will not start until enough entropy has been collected.
2017-11-13 10:12:47 INFO: UDP relay enabled
2017-11-13 10:12:47 INFO: listening at 0.0.0.0:1080
2017-11-13 10:12:47 INFO: running from root user

rc4-md5 depends on libsodium?

I didn't see any useful information from your log.

There is no connection log that shows you are accessing the server.

Nov 13 11:07:23 johnssz-cn sudo[6796]: 2017-11-13 11:07:23 INFO: redir to 47.52.174.112:8388, len=2048, recv=2048
Nov 13 11:07:23 johnssz-cn sudo[6796]: 2017-11-13 11:07:23 INFO: redir to 47.52.174.112:8388, len=703, recv=703
Nov 13 11:07:23 johnssz-cn sudo[6796]: 2017-11-13 11:07:23 INFO: redir to 47.52.174.112:8388, len=2048, recv=2048
Nov 13 11:07:23 johnssz-cn sudo[6796]: 2017-11-13 11:07:23 INFO: redir to 47.52.174.112:8388, len=2048, recv=2048
Nov 13 11:07:23 johnssz-cn sudo[6796]: 2017-11-13 11:07:23 INFO: redir to 47.52.174.112:8388, len=2048, recv=2048
Nov 13 11:07:23 johnssz-cn sudo[6796]: 2017-11-13 11:07:23 INFO: redir to 47.52.174.112:8388, len=2048, recv=2048
Nov 13 11:07:23 johnssz-cn sudo[6796]: 2017-11-13 11:07:23 INFO: redir to 47.52.174.112:8388, len=2048, recv=2048
[root@johnssz-cn system]#

Oh! It all works fine here, why?

How can I test the connection on my server?

But I was using it in a different way
I use iptables to redirect the transparent proxy traffic to my frontend sniproxy

Proxy traffic globalization, how can I do this?

This is actually what I mean

I use iptables to redirect the transparent proxy traffic to my frontend sniproxy

I don't think it works. The correct way is forwarding the traffic to your ss-server.

Reference:
https://lightsing.me/da-yi-ge-gong-yong-fan-xiang-dai-li/

🤣😂 that’s what I mean. My question is how to configure iptables to make them (iptables and sniproxy and ss-redir) work cooperatively

public SNI proxy secured by Shadowsocks.

Whatever... all problems have been resolved! Thank u guys!
