1337101 – [RFE] enable virtio-rng /dev/urandom by default

Bug 1337101 - [RFE] enable virtio-rng /dev/urandom by default

Summary: [RFE] enable virtio-rng /dev/urandom by default

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	BLL.Virt
Sub Component:
Version:	4.0.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-4.1.0-alpha
Target Release:	4.1.0.2
Assignee:	jniederm
QA Contact:	Nisim Simsolo
Docs Contact:
URL:
Whiteboard:
Depends On:	1347669 1374227 1419924
Blocks:	1398560 1405032 1430550
TreeView+	depends on / blocked

Reported:	2016-05-18 09:57 UTC by Michal Skrivanek
Modified:	2018-01-11 06:33 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Clones:	1398560 (view as bug list)
Environment:
Last Closed:	2017-03-16 14:45:35 UTC
oVirt Team:	Virt
Embargoed:
Dependent Products:
Flags:	michal.skrivanek: ovirt-4.1? nsimsolo: testing_plan_complete+ michal.skrivanek: planning_ack? michal.skrivanek: devel_ack+ rule-engine: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	65142	'None'	MERGED	webadmin: Cluster random checkbox removed	2020-09-30 07:54:31 UTC
oVirt gerrit	65143	'None'	MERGED	core,restapi: random rng source is implicit	2020-09-30 07:54:25 UTC
oVirt gerrit	65144	'None'	ABANDONED	restapi: random rng source implicit - REST	2020-09-30 07:54:31 UTC
oVirt gerrit	65145	'None'	MERGED	core: random rng source implicit - configvalue	2020-09-30 07:54:25 UTC
oVirt gerrit	65647	'None'	MERGED	Cluster RNG sources doc update.	2020-09-30 07:54:24 UTC
oVirt gerrit	67470	'None'	MERGED	core: New VM has RND device by default	2020-09-30 07:54:24 UTC

Description Michal Skrivanek 2016-05-18 09:57:43 UTC

RHEL 7.1+ transparently supports improvements to entropy of random numbers. It should be safe to enable it by default for all 7.1+ guests

See http://rhelblog.redhat.com/2015/03/09/red-hat-enterprise-linux-virtual-machines-access-to-random-numbers-made-easy/ for more details

Comment 1 Michal Skrivanek 2016-05-24 11:13:30 UTC

it may be handy to enable it at cluster level earlier

Comment 2 Roy Golan 2016-05-25 08:01:27 UTC

+1 He already seeing very slow session initiation.

Hot plugging the device helped using this:

```shell
echo "<rng model='virtio'><rate period="2000" bytes="1234"/><backend model='random'>/dev/random</backend
></rng>" > rng.tmp ; virsh attach-device --live hostedEngine rng.tmp
```

Comment 3 Roy Golan 2016-05-25 08:04:38 UTC

(In reply to Roy Golan from comment #2)
> +1 He already seeing very slow session initiation.

"He" == Hosted Engine

Comment 4 David Jaša 2016-06-17 11:17:56 UTC

Please make /dev/urandom default entropy source. For discussion of safety/security, see bug 1074464#c13 and links there. In oVirt/RHEV setting, use of /dev/random may actually make quality of randomness in VMs _lower_ if enough of them drain it to the point where other VMs have to wait for randomness. /dev/urandom provides no worse randomness (once seeded which is not an issue in virt hosts, according to [1], urandom gets seeded in ~30 seconds after boot) but it provides it at any time the VM needs it.

Bug 1347642 requests addition of /dev/urandom among entropy sources for 4.1

[1] http://www.chronox.de/lrng/doc/lrng.pdf , section 3.3

Comment 5 David Jaša 2016-06-17 11:28:02 UTC

(In reply to David Jaša from comment #4)
> ... 
> Bug 1347642 requests addition of /dev/urandom among entropy sources for 4.1

I's actually bug 1347669, sorry for the noise.

Comment 6 Michal Skrivanek 2016-06-17 11:56:02 UTC

(In reply to Roy Golan from comment #2)
> +1 He already seeing very slow session initiation.
> 
> Hot plugging the device helped using this:
> 
> ```shell
> echo "<rng model='virtio'><rate period="2000" bytes="1234"/><backend
> model='random'>/dev/random</backend
> ></rng>" > rng.tmp ; virsh attach-device --live hostedEngine rng.tmp
> ```

so is it used for HE already? There's no reason why would such change have to wait on this bug

Comment 7 Michal Skrivanek 2016-06-17 14:10:39 UTC

let's use bug 1347669 and make it /dev/urandom then

Comment 9 Martin Polednik 2016-09-08 10:02:08 UTC

It's reasonable to add RNG device by default, but let's keep the checkbox to disable it - if we ever want to create minimal VM, RNG is an additional overhead.

Comment 11 Michal Skrivanek 2016-12-05 13:33:11 UTC

renaming, since in bug 1374227 we are changing to /dev/urandom

Comment 12 Sandro Bonazzola 2016-12-12 13:53:26 UTC

The fix for this issue should be included in oVirt 4.1.0 beta 1 released on December 1st. If not included please move back to modified.

Comment 13 Nisim Simsolo 2017-03-14 10:03:04 UTC

Verified: 
ovirt-engine-4.1.1.4-0.1.el7
qemu-kvm-rhev-2.6.0-28.el7_3.6.x86_64
vdsm-4.19.7-1.el7ev.x86_64
libvirt-client-2.0.0-10.el7_3.5.x86_64
sanlock-3.4.0-1.el7.x86_64

Note You need to log in before you can comment on or make changes to this bug.