|Summary:||Add /dev/urandom as entropy source for virtio-rng|
|Product:||[oVirt] ovirt-engine||Reporter:||Martin Polednik <mpoledni>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Nisim Simsolo <nsimsolo>|
|Version:||4.0.0||CC:||bgraveno, bugs, djasa, eedri, jniederm, lbopf, mavital, michal.skrivanek, nsimsolo, tjelinek, ykaul|
|Fixed In Version:||Doc Type:||If docs needed, set a value|
|Doc Text:||Story Points:||---|
|Last Closed:||2017-03-16 14:47:11 UTC||Type:||Bug|
|oVirt Team:||Virt||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
|Bug Depends On:||1074464, 1347642, 1347669, 1419924|
|Bug Blocks:||1337101, 1398560, 1405032, 1421510, 1430550|
Description Martin Polednik 2016-09-08 09:51:39 UTC
+++ This bug was initially created as a clone of Bug #1347669 +++

Description of problem:
/dev/urandom is a perfectly fine source of randomness once seeded (see bug 1074464#c13 for discussion and references) and from 7.3 on, libvirt won't refuse it as a source of randomness (see blocking bugs). oVirt/RHEV should therefore enable it as a backend for virtio-rng from 4.1 on at latest.

Version-Release number of selected component (if applicable):
4.0

How reproducible:
always

Steps to Reproduce:
1. try to use /dev/urandom as a randomness source in Edit VM -> Random generator
2.
3.

Actual results:
only /dev/random and /dev/hwrng are available

Expected results:
/dev/urandom is available to choose as well

Additional info:

--- Additional consideration for ovirt-engine

Currently, VDSM can report up to 2 sources: random and hwrng. New source cannot be added due to 1374216, therefore current implementation of VDSM doesn't report new source but changes semantics of "random" source.

The semantics are now as follows:
"random" RNG source means support of "random" and "urandom" sources
"urandom" is the source engine should send to VDSM when "random" checkbox is ticked.
Comment 1 Red Hat Bugzilla Rules Engine 2016-09-08 09:52:07 UTC
Bug tickets must have version flags set prior to targeting them to a release. Please ask maintainer to set the correct version flags and only then set the target milestone.
Comment 2 Yaniv Kaul 2016-11-01 11:45:17 UTC
I'm missing something here. Wouldn't it make more sense to do a simple change in VDSM only - if it's supported, use 'urandom'. Otherwise, use 'random'. Why do we need Engine changes, for example?
Comment 3 jniederm 2016-11-01 12:26:26 UTC
IIUIC the problem with such vdsm only change might be that user will not be able to find out what RNG source is actually used. The UI would always show 'random'. Plus it would introduce an inconsistency between VM descriptor that is being sent on VM startup from engine to vdsm and the actual VM configuration.
And both 'random' and 'urandom' are present on almost all Linux systems so it would also mean that after upgrade 4.0 -> 4.1 even VMs in 4.0 clusters will get 'urandom' (despite expecting 'random').
Comment 4 Yaniv Kaul 2016-11-01 12:29:22 UTC
(In reply to jniederm from comment #3)
> IIUIC the problem with such vdsm only change might be that user will not be
> able to find out what RNG source is actually used. The UI would always show
> 'random'. Plus it would introduce an inconsistency between VM descriptor
> that is being sent on VM startup from engine to vdsm and the actual VM
> configuration.
> And both 'random' and 'urandom' are present on almost all Linux systems so
> it would also mean that after upgrade 4.0 -> 4.1 even VMs in 4.0 clusters
> will get 'urandom' (despite expecting 'random').

Understood - but keep in mind that it's a libvirt issue of not supporting 'urandom' - until 7.3. You need to make sure that all hosts support it (for migration, for example). I thought the best path would have been to hide this detail from everyone as much as possible.
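An added illustration, not oVirt or VDSM code and not part of any comment above, of the capability semantics from the description and the host-support concern raised in comment 4. The function names, the sample hosts and the rule that the "random" choice becomes "urandom" only from cluster level 4.1 are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Device path behind each source name mentioned on this page.
DEVICE = {"random": "/dev/random", "urandom": "/dev/urandom", "hwrng": "/dev/hwrng"}

# Constructed sample data: host name -> RNG sources reported by VDSM.
HOSTS = {"host-a": ["random", "hwrng"], "host-b": ["random"], "host-c": ["hwrng"]}


def host_supports(required, reported):
    """Per the description, a host reporting "random" supports both
    "random" and "urandom"; "urandom" itself is not reported by name."""
    capability = "random" if required == "urandom" else required
    return capability in reported


def source_to_send(ui_choice, cluster_level):
    """Assumption: the "random" checkbox maps to "urandom" only from
    cluster level 4.1, so VMs in 4.0 clusters keep /dev/random."""
    if ui_choice == "random" and cluster_level >= (4, 1):
        return "urandom"
    return ui_choice


def eligible_hosts(source, hosts):
    """Hosts that can start the VM or receive it on migration."""
    return sorted(name for name, reported in hosts.items()
                  if host_supports(source, reported))


def rng_device_xml(source):
    """libvirt <rng> element for a virtio-rng device backed by `source`."""
    rng = ET.Element("rng", model="virtio")
    backend = ET.SubElement(rng, "backend", model="random")
    backend.text = DEVICE[source]
    return ET.tostring(rng, encoding="unicode")


if __name__ == "__main__":
    src = source_to_send("random", (4, 1))
    print(src, eligible_hosts(src, HOSTS))
    print(rng_device_xml(src))
```

Because a host on an older VDSM also reports "random", the report alone cannot tell the engine whether /dev/urandom is usable there, which is why the example keys the choice on cluster level rather than on the reported list.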
Comment 5 Eyal Edri 2016-11-23 07:22:12 UTC
This is now failing CI:
http://jenkins.ovirt.org/view/experimental%20jobs/job/test-repo_ovirt_experimental_master/3562/

While running log-collector, this error shows:
ERROR: _get_hypervisors_from_api: urandom is not a valid RngSource
Comment 6 Sandro Bonazzola 2016-12-12 13:54:16 UTC
The fix for this issue should be included in oVirt 4.1.0 beta 1 released on December 1st. If not included please move back to modified.
Comment 7 Tomas Jelinek 2016-12-13 08:12:55 UTC
*** Bug 1347271 has been marked as a duplicate of this bug. ***
Comment 8 Nisim Simsolo 2017-03-08 15:11:58 UTC
Verification builds:
ovirt-engine-126.96.36.199-0.1.el7
vdsm-4.19.7-1.el7ev.x86_64
libvirt-client-2.0.0-10.el7_3.5.x86_64
qemu-kvm-rhev-2.6.0-28.el7_3.6.x86_64
sanlock-3.4.0-1.el7.x86_64