
What exactly does "-Djava.security.egd=file:/dev/./urandom" do when containerizing a Spring Boot application

FROM openjdk:8-jdk-alpine
VOLUME /tmp
ARG JAR_FILE
COPY ${JAR_FILE} app.jar
ENTRYPOINT ["java","-Djava.security.egd=file:/dev/./urandom","-jar","/app.jar"]

The above Dockerfile sample is from the official Spring Boot guide for Docker. I would like to know what the security property is used for, since I don't usually set that up when running the app on my local development environment, but it seems to come up in various containerization guides. Cheers!

cinfwatd asked Nov 14 '19 09:11


2 Answers

The purpose of that security property is to speed up Tomcat startup. By default, the library used to generate random numbers in the JVM on Unix systems relies on /dev/random. In Docker containers there isn't enough entropy to support /dev/random. See "Not enough entropy to support /dev/random in docker containers running in boot2docker". The random number generator is used for session ID generation. Changing it to /dev/urandom will make the startup process faster.

Similar question: "Slow startup on Tomcat 7.0.57 because of SecureRandom"

b0gusb answered Nov 19 '22 20:11


From Java 9 through Java 11 (LTS), this option is to increase the entropy of random numbers generated by the java.security.SecureRandom class whilst avoiding the risk of having the code blocked unexpectedly. It configures the JVM:

  1. To seed the SecureRandom class using the /dev/urandom special file on Unix-like OSes to avoid having the code unexpectedly blocked due to lack of entropy.
  2. To use the Deterministic Random Bit Generator (DRBG) mechanisms described in NIST 800-90Ar1. These mechanisms implement modern algorithms as strong as SHA-512 and AES-256.

dbaltor answered Nov 19 '22 18:11
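
To see what the flag changes in a given image, the following added example (not part of the question, the answers, or the Spring Boot guide) prints the seed source the JVM will use, the SecureRandom implementation it selects, and how long first use and explicit seeding take. The class name EgdCheck is hypothetical; only standard java.security APIs are used.

```java
import java.security.SecureRandom;
import java.security.Security;

// Added example: hypothetical diagnostic class, not from the original page.
public class EgdCheck {

    // Elapsed milliseconds since a System.nanoTime() reading.
    static long msSince(long startNanos) {
        return (System.nanoTime() - startNanos) / 1_000_000;
    }

    public static void main(String[] args) {
        // -Djava.security.egd=... sets this system property. When present it
        // takes precedence over securerandom.source in the JDK's java.security file.
        String egd = System.getProperty("java.security.egd");
        String fileDefault = Security.getProperty("securerandom.source");
        boolean overridden = egd != null && !egd.isEmpty();

        System.out.println("java.version        = " + System.getProperty("java.version"));
        System.out.println("java.security.egd   = " + egd);
        System.out.println("securerandom.source = " + fileDefault);
        System.out.println("effective source    = " + (overridden ? egd : fileDefault));

        // The default generator, i.e. what a library gets from new SecureRandom(),
        // for example when generating session IDs.
        long t0 = System.nanoTime();
        SecureRandom sr = new SecureRandom();
        byte[] sessionId = new byte[16];
        sr.nextBytes(sessionId); // first call forces any lazy seeding
        long firstUseMs = msSince(t0);

        System.out.println("algorithm           = " + sr.getAlgorithm());
        System.out.println("provider            = " + sr.getProvider().getName());
        System.out.println("first nextBytes     = " + firstUseMs + " ms");

        // Explicit request for seed material. With the built-in Sun providers this
        // is drawn from the configured seed source, so a blocking device shows up
        // here as a long delay.
        t0 = System.nanoTime();
        byte[] seed = sr.generateSeed(32);
        System.out.println("generateSeed(" + seed.length + ")    = " + msSince(t0) + " ms");
    }
}
```

Compile it with javac and run it inside the container once without the flag and once with -Djava.security.egd=file:/dev/./urandom, then compare the reported source, algorithm and timings.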