spreed-webrtc
[Docker] Skip key generation on startup
Right now, the docker container attempts to do some key generation(s) on startup, to create some self-signed certs. This is improper behavior in a production environment: I'm running spreed behind a TLS-terminating proxy, so it should not be generating keys/certs of its own.
How can I suppress this behavior?
To clarify, this is a problem because it hangs when generating the keys, as /dev/random runs out of entropy and there's not enough going on to make more quickly, so I'm left with a dead server.
All right, I see your point. We will add an environment variable to turn off the implicit TLS listener (and with it the need for certificate creation).
Why is it even using /dev/random ? http://sockpuppet.org/blog/2014/02/25/safely-generate-random-numbers/
Good point, I guess I copied this over from Spreedbox. That should be changed to /dev/urandom for these Docker deployments.
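To show what the two fixes discussed above look like in code (skipping certificate creation when the built-in TLS listener is disabled, and drawing key material from a non-blocking CSPRNG instead of /dev/random), here is an added example in Go, the language spreed-webrtc is written in. It is not the project's own startup code, and the environment variable name SPREED_WEBRTC_DISABLE_TLS, the file names cert.pem/key.pem and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// EnsureSelfSignedCert writes cert.pem and key.pem into dir unless generation
// should be skipped. It reports whether new files were created.
//   - tlsDisabled (e.g. a hypothetical SPREED_WEBRTC_DISABLE_TLS=1) -> (false, nil),
//     nothing is generated because an external proxy terminates TLS;
//   - both files already exist -> (false, nil), the existing pair is reused;
//   - otherwise a fresh P-256 key and self-signed certificate are written -> (true, nil).
func EnsureSelfSignedCert(dir, host string, tlsDisabled bool) (bool, error) {
	if tlsDisabled {
		return false, nil
	}
	certPath := filepath.Join(dir, "cert.pem")
	keyPath := filepath.Join(dir, "key.pem")
	if fileExists(certPath) && fileExists(keyPath) {
		return false, nil
	}

	// crypto/rand uses getrandom(2) / /dev/urandom on Linux. Unlike reads from
	// /dev/random on older kernels, it does not stall once the kernel pool has
	// been seeded, so a container with little activity cannot hang here.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, err
	}
	// Random 128-bit serial, as CA/Browser Forum rules expect for real certs.
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return false, err
	}
	tmpl := x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key)
	if err != nil {
		return false, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return false, err
	}
	// Private key is written 0600 so other users in the container cannot read it.
	if err := os.WriteFile(keyPath, pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600); err != nil {
		return false, err
	}
	if err := os.WriteFile(certPath, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644); err != nil {
		return false, err
	}
	return true, nil
}

// CertCommonName parses cert.pem in dir and returns the subject CN, which lets
// a startup check confirm the generated certificate is usable.
func CertCommonName(dir string) (string, error) {
	data, err := os.ReadFile(filepath.Join(dir, "cert.pem"))
	if err != nil {
		return "", err
	}
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", errors.New("no CERTIFICATE block in cert.pem")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return cert.Subject.CommonName, nil
}

func fileExists(p string) bool {
	_, err := os.Stat(p)
	return err == nil
}

func main() {
	dir, err := os.MkdirTemp("", "spreed-tls")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	disabled := os.Getenv("SPREED_WEBRTC_DISABLE_TLS") == "1" // assumed variable name
	created, err := EnsureSelfSignedCert(dir, "localhost", disabled)
	if err != nil {
		panic(err)
	}
	fmt.Println("tls disabled:", disabled, "cert created:", created)
}
```

Run with SPREED_WEBRTC_DISABLE_TLS=1 to see the generation step skipped entirely; without it, a second call against the same directory reuses the existing pair instead of regenerating, which is the other reason a startup script should not unconditionally create keys.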
Interesting. I did not know that about urandom, Leon. I was still under the impression random was considered a better source of entropy. Thanks for the info. :)
Actually, is there any workaround now for this issue? Meaning, even when I'm specifying certs and keys in server.conf it still hangs on "Creating new server secrets ..."
Maybe you could implement haveged for better entropy within the container, that might speedup the creation of the certs. It is available for most distros. http://www.issihosts.com/haveged/
I tried haveged, but it didn't seem to help. I think it was because there was no initial entropy from a previous boot in a new image, but perhaps I was just doing it wrong. :)
I'm pretty sure this is fixed now anyways, though... it hasn't bothered me in quite a while.
Open a second shell on the same machine and run "rngd -f -r /dev/urandom" as root.