Uuid:uuid4() collisions #80
Comments
Which version of UUID are you using? Can you try switching to master? |
We are on
Here is a sample of the duplicated UUIDs: |
I wonder if you'll experience the same if you switch to using @ircmaxell's RandomLib. Using

<?php
require 'vendor/autoload.php'; // assumed Composer autoloader for ramsey/uuid and ircmaxell/random-lib

$uuidFactory = new \Ramsey\Uuid\UuidFactory();
// Route the random bytes behind uuid4() through RandomLib instead of the default generator
$uuidFactory->setRandomGenerator(new \Ramsey\Uuid\Generator\RandomLibAdapter());
\Ramsey\Uuid\Uuid::setFactory($uuidFactory);
$uuid = \Ramsey\Uuid\Uuid::uuid4(); |
Currently I am trying to reproduce the problem with a CLI script to avoid impacting the production system; if I have a test that produces collisions I will try rerunning it with RandomLib. |
Can you share your test that produces collisions? Does it consistently reproduce them, and is it always reproducing them for the same UUIDs? |
Yup, would be interesting to have more information on your setup (OS version, openssl version, machine architecture (x86 vs x86_64) ... the more the better) I'm unable to get a single collision on a 12M set:
EDIT This is with OpenSSL enabled |
Try generating them on multiple servers. Part of mt_rand()'s output is based on server timestamp, so collisions are probable there (assuming openssl disabled). |
I do not have yet a script reproducing the problem (it's production traffic presenting the issue), but it happens on a single server, also as stated in the first comment we have the openssl extension enabled.
|
That's a very serious problem then. Could you check to see if the |
@ircmaxell He mentioned in the first post that it returns true :) @giorgiosironi Does it happen on any other server or only that one? Is there a software (OS, PHP, OpenSSL) version difference between that specific server and the others that do not collide? |
He may be getting true from the command line. That doesn't mean it can't
|
Any more word on this? @renan reported similar findings on Twitter: |
What we have done until now:
|
@giorgiosironi Did you manage to find out if |
No, because that would require forking the library and/or patching it in production, which has a high development cost |
Can you put a single PHP script on one of the production machines and run it to see? |
Or maybe I misunderstood the ask. I see @aztech-dev was asking if you could see if $strong is false only when you see a collision. Sorry for the confusion. |
About the single PHP script, I did run the same code shown in #80 (comment) in the affected servers and it gave the same result of the function being present and |
@giorgiosironi I see your PHP and OpenSSL versions above. What EC2 instance type are you using, since you mentioned that you see this happening on a specific EC2 instance type? |
I am logging the collisions to see how frequent they are, if any. In the meantime I have executed the test script @aztech-dev provided on a few machines:
The server which gave me collisions is not around anymore, but it was running Ubuntu 12.04.4 and PHP 5.3.x; I don't know the OpenSSL version. But it was all from Ubuntu LTS versions. |
I don't have any data to base this on, but off the cuff, it sounds like the underlying system has a lack of randomness on it. Maybe? |
Just a thought: can you set up monitoring such that, when a collision occurs, you get a report on the read-out of the current value in If the number is > 200, then your entropy level is good. If it's < 200, then that's an indication that there's a problem. |
I've been watching this thread, because it scared the shit out of me, but I want to share some of my initial thoughts here. @giorgiosironi shared this piece of code:

private static function generateBytes($length)
{
    if (self::hasOpensslRandomPseudoBytes()) {
        return openssl_random_pseudo_bytes($length);
    }
    ...
}

For me the scary part is the dots. What's there? mt_rand to generate uuids? In the first post in this issue he shared a piece of shell output
But this doesn't prove that openssl is actually used in the generateBytes() method. I would have liked to see a phpinfo() output from a web request where we can confirm that the openssl extension was actually loaded in the webserver. Modern distros have split the php.ini and conf.d for the CLI and the different SAPIs. My guess is that openssl was loaded in the CLI, but not in the webserver SAPI. |
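The checks asked for in this thread (the $strong flag of openssl_random_pseudo_bytes(), the entropy_avail reading, and whether the openssl extension is loaded under the SAPI that serves requests rather than only on the CLI) can be collected by one script. The script below is an added example, not code from ramsey/uuid or from anyone in this thread. It assumes a Linux host (the /proc path does not exist elsewhere), uses the 200 entropy threshold suggested above as a warning cut-off, and the warning texts are my own.

```php
<?php
// Added diagnostic script for this thread; it is not part of ramsey/uuid.
// Run it twice: once from the CLI and once as a web request under the SAPI that
// actually generates the UUIDs (mod_php, php-fpm), then diff the two JSON reports.
declare(strict_types=1);

const ENTROPY_AVAIL_PATH = '/proc/sys/kernel/random/entropy_avail'; // Linux only (assumption)
const ENTROPY_WARN_BELOW = 200; // threshold suggested in the thread, not a kernel constant

/** Gathers the environment facts reporters were asked for, for the current process. */
function uuid_rng_report(int $samples = 3): array
{
    $report = [
        'sapi'             => PHP_SAPI,
        'php_version'      => PHP_VERSION,
        'pid'              => getmypid(),
        'openssl_loaded'   => extension_loaded('openssl'),
        'openssl_version'  => defined('OPENSSL_VERSION_TEXT') ? OPENSSL_VERSION_TEXT : null,
        'has_openssl_prng' => function_exists('openssl_random_pseudo_bytes'),
        'has_random_bytes' => function_exists('random_bytes'),
        'entropy_avail'    => null,
        'strong_flags'     => [],
        'samples'          => [],
    ];

    if (is_readable(ENTROPY_AVAIL_PATH)) {
        $report['entropy_avail'] = (int) trim((string) file_get_contents(ENTROPY_AVAIL_PATH));
    }

    if ($report['has_openssl_prng']) {
        for ($i = 0; $i < $samples; $i++) {
            $strong = false;
            // $strong is set per call, so record every value rather than only the first.
            $bytes = openssl_random_pseudo_bytes(16, $strong);
            $report['strong_flags'][] = $strong;
            $report['samples'][]      = $bytes === false ? null : bin2hex($bytes);
        }
    }

    return $report;
}

/** Turns a report into the warnings a reviewer of this thread would raise. */
function uuid_rng_warnings(array $r): array
{
    $w = [];
    if (!$r['openssl_loaded']) {
        $w[] = "openssl extension not loaded under SAPI '{$r['sapi']}'; generateBytes() would take its non-OpenSSL branch";
    }
    if (in_array(false, $r['strong_flags'], true)) {
        $w[] = 'openssl_random_pseudo_bytes() reported $strong = false in this process';
    }
    if ($r['entropy_avail'] !== null && $r['entropy_avail'] < ENTROPY_WARN_BELOW) {
        $w[] = "entropy_avail is {$r['entropy_avail']} (below " . ENTROPY_WARN_BELOW . ')';
    }
    if (count($r['samples']) > 1 && count(array_unique($r['samples'])) !== count($r['samples'])) {
        $w[] = 'identical output from consecutive calls within one process';
    }
    if (!$r['has_random_bytes']) {
        $w[] = 'random_bytes() unavailable (PHP < 7.0 without a polyfill)';
    }
    return $w;
}

$report = uuid_rng_report();
$report['warnings'] = uuid_rng_warnings($report);

if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json');
}
echo json_encode($report, JSON_PRETTY_PRINT), PHP_EOL;
```

Compare the 'sapi', 'openssl_loaded' and 'pid' fields between the CLI run and the web run; a web report with openssl_loaded false while the CLI says true is the split-php.ini situation described in the comment above, and repeated web requests landing on the same pid with identical samples would point at the process-level problem the reporter describes.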
@langemeijer Here's that equivalent block of code in 3.0.0: https://github.com/ramsey/uuid/blob/3.0.0/src/Generator/RandomGeneratorFactory.php#L58-L74 Your comment makes me think it might be a good idea to "tag" a |
I confirm that we also have collisions on our uuids. We are on ec2 too. |
@matteosister Are you able to set up your environment so that you can capture information at the point a collision occurs? Specifically, what is the value of |
@matteosister Also, an example of the code you're using to generate the UUIDs, too, please. |
@ramsey we are trying to isolate the problem....and we have a suspect that something could be related to an edge case in our own code. I will report back when I'm sure. Thanks! |
@ramsey I'm running a test on 3 AWS instances (micro, small and medium; one CentOS and 2 Amazon Linux). Each one already has more than 2M (the micro has 12.134.008) without duplicates. Will keep running for a while and report back later. I'm also saving the entropy_avail with each uuid, so if I get a hit, I will report the entropy as well. |
This uses openssl_random_pseudo_bytes. This is suggested for use only with php5-openssl compiled against LibreSSL:

OpenSSL copying RNG state on fork: ramsey/uuid#80 (comment)
Fixed in LibreSSL: http://opensslrampage.org/post/91910269738/fix-for-the-libressl-prng-issue-under-linux

Additionally, CVE-2015-8867 was fixed only in versions 5.6.12, 5.5.28, 5.4.44 and above:
https://bugs.php.net/bug.php?id=70014
http://www.php.net/ChangeLog-5.php

CVE-2015-8867 does not affect versions compiled against LibreSSL. For these reasons, it is only considered a LOW source of randomness, unless it is compiled against LibreSSL.

The reason for this to exist at all is because of problems with the nature of /dev/urandom. For example, if we cannot open or read the file. openssl_random_pseudo_bytes should never fail.
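The fork behaviour referenced above (a parent whose OpenSSL PRNG state is inherited by forked children, which is how Apache prefork and php-fpm workers come to exist) can be tested directly rather than inferred from production collisions. The script below is an added example; it is not part of ramsey/uuid or of any project mentioned in this thread. It assumes a CLI PHP 7.1+ with the pcntl extension and a Unix host, and by default draws from openssl_random_pseudo_bytes(); the child and sample counts are arbitrary.

```php
<?php
// Added test script; not part of ramsey/uuid. A parent seeds the PRNG, forks
// N children, each child draws K 16-byte values, and the parent checks for
// any value emitted by more than one child. Requires ext-pcntl (CLI only).
declare(strict_types=1);

function fork_rng_test(int $children = 8, int $perChild = 2000, ?callable $rng = null): array
{
    $rng = $rng ?? static function (): string {
        return openssl_random_pseudo_bytes(16);
    };
    $rng(); // initialise the PRNG in the parent so children inherit a seeded state

    $pids    = [];
    $readers = [];
    for ($i = 0; $i < $children; $i++) {
        $pair = stream_socket_pair(STREAM_PF_UNIX, STREAM_SOCK_STREAM, STREAM_IPPROTO_IP);
        if ($pair === false) {
            throw new RuntimeException('stream_socket_pair failed');
        }
        $pid = pcntl_fork();
        if ($pid === -1) {
            throw new RuntimeException('fork failed');
        }
        if ($pid === 0) {
            // child: draw $perChild values and ship them raw to the parent
            fclose($pair[0]);
            $out = '';
            for ($j = 0; $j < $perChild; $j++) {
                $out .= $rng();
            }
            // socket writes may be partial, so loop until everything is sent
            for ($off = 0, $len = strlen($out); $off < $len;) {
                $n = fwrite($pair[1], substr($out, $off));
                if ($n === false || $n === 0) {
                    break;
                }
                $off += $n;
            }
            fclose($pair[1]);
            exit(0);
        }
        fclose($pair[1]);
        $pids[$i]    = $pid;
        $readers[$i] = $pair[0];
    }

    $seen  = []; // hex value => index of the child that produced it first
    $dupes = []; // hex value => [first child, later child]
    foreach ($readers as $i => $reader) {
        $data = stream_get_contents($reader);
        fclose($reader);
        pcntl_waitpid($pids[$i], $status);
        if ($data === false || $data === '') {
            continue;
        }
        foreach (str_split($data, 16) as $chunk) {
            $hex = bin2hex($chunk);
            if (isset($seen[$hex])) {
                $dupes[$hex] = [$seen[$hex], $i];
            } else {
                $seen[$hex] = $i;
            }
        }
    }

    return [
        'generated'  => $children * $perChild,
        'unique'     => count($seen),
        'duplicates' => $dupes,
    ];
}

$result = fork_rng_test();
printf("%d values generated, %d unique, %d duplicated across children\n",
    $result['generated'], $result['unique'], count($result['duplicates']));
foreach (array_slice($result['duplicates'], 0, 5, true) as $hex => $who) {
    printf("  %s seen in child %d and child %d\n", $hex, $who[0], $who[1]);
}
exit($result['duplicates'] === [] ? 0 : 1);
```

A non-empty duplicates list is exactly the failure mode described in the thread (one worker re-emitting bytes another worker already produced); an empty one only shows that this particular PHP/OpenSSL build reseeds after fork. Passing static function () { return random_bytes(16); } as $rng gives a comparison against the kernel-backed source, which reads fresh bytes on every call and is not affected by PRNG state copied at fork time.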
Hi everyone. I'm having UUID collisions on my system. This thread makes it really clear it is most likely a setup or system issue. I just need some guidance if anyone knows where to start troubleshooting. I'm using the php:7.1.27-apache-stretch docker container and here are some of the outputs based on some of the scripts on this issue: entropy: > 3500 I didn't want to open a new issue and attract unwanted attention but if that's going to be better I will do so. |
@callistino What is the output of this code snippet?

<?php
var_dump(bin2hex(random_bytes(16)));

If you get an exception, you need to fix your OS. Ask your ISP to make sure you can read |
It doesn't need to be complicated

<?php
function randomUuid()
{
    // 16 bytes from the OS CSPRNG (PHP >= 7.0); throws instead of degrading if no source is available
    $bytes = random_bytes(16);
    // Byte 6: high nibble set to 0100 = version 4
    $bytes[6] = chr((ord($bytes[6]) & 0x0f) | 0x40);
    // Byte 8: top two bits set to 10 = RFC 4122 variant
    $bytes[8] = chr((ord($bytes[8]) & 0x3f) | 0x80);
    // 32 hex chars in 8 groups of 4, laid out as 8-4-4-4-12
    $id = str_split(bin2hex($bytes), 4);
    return "{$id[0]}{$id[1]}-{$id[2]}-{$id[3]}-{$id[4]}-{$id[5]}{$id[6]}{$id[7]}";
} |
@spinitron you mean using that instead of |
@callistino, that's what they mean 😀 Though, in this case, that comment likely wouldn't help you, since you're already using the How are you generating the UUIDs? Can you show some sample code? Are they random UUIDs (version 4), or are you using a different version (version 1, version 5, etc.)? |
I haven't noticed any collision myself, and I am using version 4. Should I be worried? Is there any check I should do? |
There shouldn't be any collisions, so I want to fully understand the problem here before jumping to any conclusions. 😄 |
It was indeed a system issue of some sort. I rebooted and it's not happening anymore. I have a script running for a couple of days and no collisions there either. Not sure what it was at this point but I'm blaming OS, hardware and config, not this library. I just wanted to get some directions as to what to test and check. |
@callistino Good to hear you were able to get around it by rebooting. Let us know if the problem occurs again. |
Just encountered this issue; not re-opening this ticket, probably just bumping this up. Here's our setup: multiple docker containers hosting the same app, presumably created from the same image for load balancing and autoscaling:
Collision happened in less than 24 hours. Perhaps this may be the same issue as @callistino's - i.e., hardware, OS, or config. |
@abcapili What version of PHP are you using? mod_php or php-fpm? What version of ramsey/uuid? |
We are generating about 1M UUID4 a day, and we are getting several hundred collisions a day, such as:
The issue seems to be correlated with the same Apache process regenerating the same UUID after several hours. It also seems to be correlated with particular EC2 machines, which present the problem.
We checked to have openssl_random_pseudo_bytes and if it was using a strong algorithm:
How can we debug this problem?