Problem scenario

At some point, an instance of a microservice suddenly has a high CPU load:

Many database links have been established at the same time:

Other instances do not have this phenomenon.

Problem orientation

The database is not slow because there are a lot of links to the database. Check the SQL statistics of the database during this period.

Among them, this micro service is the hot SQL of this period of time, the execution is not slow. So what went wrong? Possibly due to GC, SafePoint, or taking too long to acquire locks (see Java Monitoring JFR full solution), we dumped the JFR and looked at safePoint, GC, and Monitor Blocked events.

First look at the GC and find that it is all Young GC and GC pause times are acceptable.

Then safePoint, although safePoint was collected, the pause time was not very long.

Finally, when we look at the Java Monitor Block, we find that there are many long lock waits:

Stack shows that blocking in: void sun. Security. The provider. SecureRandom. EngineNextBytes (byte []), it is a classic problem, Java is Random, reference code: NativePRNG

// name of the *System* property, takes precedence over PROP_RNDSOURCE
private static final String PROP_EGD = "java.security.egd";
// name of the *Security* property
private static final String PROP_RNDSOURCE = "securerandom.source";

private static final boolean useLegacyDSA =
    Boolean.parseBoolean(GetPropertyAction.privilegedGetProperty
        ("jdk.security.legacyDSAKeyPairGenerator"));

static final String URL_DEV_RANDOM = "file:/dev/random";
static final String URL_DEV_URANDOM = "file:/dev/urandom";
Copy the code

There are two types of seed for generating random numbers, one is “file:/dev/random” and the other is “file:/dev/urandom”, specified by setting the system property java.security.egd, default is “file:/dev/random”.

Two Random principles and solutions

Before Linux 4.8:

After Linux 4.8:

The default “file:/dev/random” blocks when the entropy pool is low, and “file:/dev/urandom” does not. For us, “file:/dev/urandom” is sufficient, so -djava.security.egd =file:/dev/./urandom sets the system property to urandom to reduce blocking.