no_entropy

Diagnostic `nanook::auth::no_entropy`

Summary

entropy source unavailable

Help

the OS rejected a getrandom syscall; check the sandbox / seccomp policy

Details

When this fires

A getrandom syscall failed inside nanook-auth. Two callers can hit this: Identity::generate (during nanook keygen, when seeding a fresh ed25519 secret) and Signer::sign (per request, generating the 32-byte nonce). On Linux this is rare because the kernel almost always has entropy; when it does fire, the cause is usually a sandbox denying the syscall.

What to check

  • Allow getrandom in any seccomp filter or systemd SystemCallFilter= covering the agent or nanook ctl.
  • Container runtimes occasionally block /dev/urandom reads; mount the device through into the container.
  • On early-boot embedded or restricted CI runners, wait until the entropy pool is initialized before invoking nanook.

If getrandom truly is unavailable, nanook cannot operate safely, so fix the sandbox rather than working around it.
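To tell the three causes in the checklist apart, the probe below can be run inside the same sandbox, container or unit as the agent. It is an added example, not part of nanook: the function names and the errno-to-hint mapping are assumptions based on getrandom(2), and it assumes Linux with Python 3.6 or later.

```python
import errno
import os

# Hints for a failed getrandom call. The mapping is this example's reading
# of getrandom(2) and of the checklist above, not nanook's own logic.
GETRANDOM_HINTS = {
    errno.EPERM: "denied by a filter: allow getrandom in seccomp / SystemCallFilter=",
    errno.ENOSYS: "syscall unavailable or filtered with ENOSYS: check seccomp policy",
    errno.EAGAIN: "entropy pool not initialized: wait before invoking nanook",
}

def classify(source, err):
    """Map a probe result (errno, or None for success) to a hint."""
    if err is None:
        return "ok"
    if source == "urandom":
        return "cannot read /dev/urandom (%s): mount it through" % os.strerror(err)
    return GETRANDOM_HINTS.get(err, "unexpected: " + os.strerror(err))

def probe_getrandom(nbytes=32):
    """Request nbytes from getrandom; return errno on failure, None on success."""
    if not hasattr(os, "getrandom"):  # Python build without the syscall wrapper
        return errno.ENOSYS
    try:
        # GRND_NONBLOCK turns an uninitialized pool into EAGAIN
        # instead of blocking the probe.
        data = os.getrandom(nbytes, os.GRND_NONBLOCK)
    except OSError as exc:
        return exc.errno
    return None if len(data) == nbytes else errno.EIO

def probe_urandom(nbytes=32, path="/dev/urandom"):
    """Read nbytes from the device node; return errno on failure, None on success."""
    try:
        with open(path, "rb", buffering=0) as dev:
            data = dev.read(nbytes)
    except OSError as exc:
        return exc.errno
    return None if len(data) == nbytes else errno.EIO

def report():
    return {
        "getrandom": classify("getrandom", probe_getrandom()),
        "urandom": classify("urandom", probe_urandom()),
    }

if __name__ == "__main__":
    for source, hint in report().items():
        print("%-10s %s" % (source, hint))
```

A filter that kills the process instead of returning an errno will terminate the probe with SIGSYS, which is itself the answer.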