1337101 – [RFE] enable virtio-rng /dev/urandom by default

Bug 1337101 - [RFE] enable virtio-rng /dev/urandom by default

Summary: [RFE] enable virtio-rng /dev/urandom by default

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	ovirt-engine
Classification:	oVirt
Component:	BLL.Virt
Sub Component:
Version:	4.0.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	medium
Target Milestone:	ovirt-4.1.0-alpha
Target Release:	4.1.0.2
Assignee:	jniederm
QA Contact:	Nisim Simsolo
Docs Contact:
URL:
Whiteboard:
Depends On:	1347669 1374227 1419924
Blocks:	1398560 1405032 1430550
TreeView+	depends on / blocked

Reported:	2016-05-18 09:57 UTC by Michal Skrivanek
Modified:	2018-01-11 06:33 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:	With this release, ‘/dev/random’ is now the default random number generator in clusters with a cluster compatibility level of ‘4.0’ and below, and ‘/dev/urandom’ is now the default random number generator in clusters with a cluster compatibility level of ‘4.1’ and above. Because these random number generators are enabled by default, the option to enable them has now been removed from the ‘New Cluster’ and ‘Edit Cluster’ windows. However, you can select the random number generator source for individual virtual machines from the ‘New Virtual Machine’ and ‘Edit Virtual Machine’ windows.
Clone Of:
Clones:	1398560 (view as bug list)
Environment:
Last Closed:	2017-03-16 14:45:35 UTC
oVirt Team:	Virt
Embargoed:
Dependent Products:
Flags:	michal.skrivanek: ovirt-4.1? nsimsolo: testing_plan_complete+ michal.skrivanek: planning_ack? michal.skrivanek: devel_ack+ rule-engine: testing_ack+

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	65142	'None'	MERGED	webadmin: Cluster random checkbox removed	2020-09-30 07:54:31 UTC
oVirt gerrit	65143	'None'	MERGED	core,restapi: random rng source is implicit	2020-09-30 07:54:25 UTC
oVirt gerrit	65144	'None'	ABANDONED	restapi: random rng source implicit - REST	2020-09-30 07:54:31 UTC
oVirt gerrit	65145	'None'	MERGED	core: random rng source implicit - configvalue	2020-09-30 07:54:25 UTC
oVirt gerrit	65647	'None'	MERGED	Cluster RNG sources doc update.	2020-09-30 07:54:24 UTC
oVirt gerrit	67470	'None'	MERGED	core: New VM has RND device by default	2020-09-30 07:54:24 UTC

Description Michal Skrivanek 2016-05-18 09:57:43 UTC

RHEL 7.1+ transparently supports improvements to entropy of random numbers. It should be safe to enable it by default for all 7.1+ guests

See http://rhelblog.redhat.com/2015/03/09/red-hat-enterprise-linux-virtual-machines-access-to-random-numbers-made-easy/ for more details

Comment 1 Michal Skrivanek 2016-05-24 11:13:30 UTC

it may be handy to enable it at cluster level earlier

Comment 2 Roy Golan 2016-05-25 08:01:27 UTC

+1 He already seeing very slow session initiation.

Hot plugging the device helped using this:

```shell
echo "<rng model='virtio'><rate period="2000" bytes="1234"/><backend model='random'>/dev/random</backend
></rng>" > rng.tmp ; virsh attach-device --live hostedEngine rng.tmp
```

Comment 3 Roy Golan 2016-05-25 08:04:38 UTC

(In reply to Roy Golan from comment #2)
> +1 He already seeing very slow session initiation.

"He" == Hosted Engine

Comment 4 David Jaša 2016-06-17 11:17:56 UTC

Please make /dev/urandom default entropy source. For discussion of safety/security, see bug 1074464#c13 and links there. In oVirt/RHEV setting, use of /dev/random may actually make quality of randomness in VMs _lower_ if enough of them drain it to the point where other VMs have to wait for randomness. /dev/urandom provides no worse randomness (once seeded which is not an issue in virt hosts, according to [1], urandom gets seeded in ~30 seconds after boot) but it provides it at any time the VM needs it.

Bug 1347642 requests addition of /dev/urandom among entropy sources for 4.1

[1] http://www.chronox.de/lrng/doc/lrng.pdf , section 3.3

Comment 5 David Jaša 2016-06-17 11:28:02 UTC

(In reply to David Jaša from comment #4)
> ... 
> Bug 1347642 requests addition of /dev/urandom among entropy sources for 4.1

I's actually bug 1347669, sorry for the noise.

Comment 6 Michal Skrivanek 2016-06-17 11:56:02 UTC

(In reply to Roy Golan from comment #2)
> +1 He already seeing very slow session initiation.
> 
> Hot plugging the device helped using this:
> 
> ```shell
> echo "<rng model='virtio'><rate period="2000" bytes="1234"/><backend
> model='random'>/dev/random</backend
> ></rng>" > rng.tmp ; virsh attach-device --live hostedEngine rng.tmp
> ```

so is it used for HE already? There's no reason why would such change have to wait on this bug

Comment 7 Michal Skrivanek 2016-06-17 14:10:39 UTC

let's use bug 1347669 and make it /dev/urandom then

Comment 9 Martin Polednik 2016-09-08 10:02:08 UTC

It's reasonable to add RNG device by default, but let's keep the checkbox to disable it - if we ever want to create minimal VM, RNG is an additional overhead.

Comment 11 Michal Skrivanek 2016-12-05 13:33:11 UTC

renaming, since in bug 1374227 we are changing to /dev/urandom

Comment 12 Sandro Bonazzola 2016-12-12 13:53:26 UTC

The fix for this issue should be included in oVirt 4.1.0 beta 1 released on December 1st. If not included please move back to modified.

Comment 13 Nisim Simsolo 2017-03-14 10:03:04 UTC

Verified: 
ovirt-engine-4.1.1.4-0.1.el7
qemu-kvm-rhev-2.6.0-28.el7_3.6.x86_64
vdsm-4.19.7-1.el7ev.x86_64
libvirt-client-2.0.0-10.el7_3.5.x86_64
sanlock-3.4.0-1.el7.x86_64

Note You need to log in before you can comment on or make changes to this bug.