[Bug 61180] New: Change log level of sessionIdGeneratorBase.createRandom to warn rather than info

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bug 61180] New: Change log level of sessionIdGeneratorBase.createRandom to warn rather than info

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61180

            Bug ID: 61180
           Summary: Change log level of
                    sessionIdGeneratorBase.createRandom to warn rather
                    than info
           Product: Tomcat 8
           Version: 8.0.x-trunk
          Hardware: All
                OS: All
            Status: NEW
          Severity: trivial
          Priority: P2
         Component: Catalina
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ----

I was just asked a question in #tomcat about why a user's tomcat installation
was taking ~36 minutes to start. After looking at their logging I immediately
noticed:

INFO [localhost-startStop-1]
org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of
SecureRandom instance for session ID generation using [SHA1PRNG] took
[2,157,784] milliseconds.

showing that the machine had low entropy. I knew that from experience, however
the user had no idea that was the issue because the logging looked normal to
them (no WARN or ERROR messages). Can we change the log level of the
sessionIdGeneratorBase.createRandom message to WARN rather than INFO so if it
takes longer than 100 ms to generate a random users are made aware? A WARN
message will at least make them look twice at the error line and google it as a
potential issue, which should yield the wiki page
(https://wiki.apache.org/tomcat/HowTo/FasterStartUp#Entropy_Source).

Also, the wording in the wiki page makes this sound like it should be a warning
anyway:

"You will see warning in the logs when this happens"

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61180] Change log level of sessionIdGeneratorBase.createRandom to warn rather than info

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61180

Coty Sutherland <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |Beginner

--- Comment #1 from Coty Sutherland <[hidden email]> ---
This is the definition of a "Beginner" issue IMO :)

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61180] Change log level of sessionIdGeneratorBase.createRandom to warn rather than info

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61180

--- Comment #2 from Piotr Chlebda <[hidden email]> ---
Hi,
I'm newby as a tomcat contributor and I'd like to take this issue.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61180] Change log level of sessionIdGeneratorBase.createRandom to warn rather than info

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61180

--- Comment #3 from Coty Sutherland <[hidden email]> ---
Taking another look at the code around the info message I think we may need to
add another check to see if the delay time is larger than 100 ms. If we make
this a warning message as-is I think that everyone's log may have a warning in
it. Should we print an info message if the delay is less than some number (like
30 seconds) and a warning if the delay is greater?

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61180] Change log level of sessionIdGeneratorBase.createRandom to warn rather than info

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61180

Mark Thomas <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #4 from Mark Thomas <[hidden email]> ---
I don't see the message on my new(ish) desktop nor my old(ish) laptop. If the
threshold is too low for some systems, we can look at increasing it. My
instinct is that 100ms will be plenty of time for that block of code unless
there is an entropy problem,

I also took the opportunity to clean up some formatting and I added a changelog
entry.

Thanks to Piotr Chlebda for the patch.

Fixed in:
- trunk for 9.0.0.M22 onwards
- 8.5.x for 8.5.16 onwards
- 8.0.x for 8.0.45 onwards
- 7.0.x for 7.0.79 onwards

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61180] Change log level of sessionIdGeneratorBase.createRandom to warn rather than info

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61180

--- Comment #5 from Piotr Chlebda <[hidden email]> ---
1) Would that be another bug for that ?
2)I'd like to make sure that my PR was ok, since it was only at trunk (version
9). Are there any requirments for PR for other version(8.5.x,8.0.x,7.0.x) ?

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61180] Change log level of sessionIdGeneratorBase.createRandom to warn rather than info

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61180

--- Comment #6 from Mark Thomas <[hidden email]> ---
(In reply to Piotr Chlebda from comment #5)
> 1) Would that be another bug for that ?

Maybe. We need to wait and see if we get any such reports. I'd be surprised to
get such a report where there wasn't an underlying entropy problem.


> 2)I'd like to make sure that my PR was ok, since it was only at trunk
> (version 9). Are there any requirments for PR for other
> version(8.5.x,8.0.x,7.0.x) ?

Bug fixes to trunk are back-ported to earlier versions. The back-ports normally
apply cleanly so no further work is required.

It would be helpful to include a changelog entry when you fix a bug. It saves
the committers a few minutes writing it themselves.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

[Bug 61180] Change log level of sessionIdGeneratorBase.createRandom to warn rather than info

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61180

--- Comment #7 from Piotr Chlebda <[hidden email]> ---
Thanks Mark Thomas for a quick response.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]