Bug 1374227 - Add /dev/urandom as entropy source for virtio-rng
Summary: Add /dev/urandom as entropy source for virtio-rng
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: BLL.Virt
Version: 4.0.0
Hardware: Unspecified
OS: Unspecified
medium
high vote
Target Milestone: ovirt-4.1.0-alpha
: 4.1.0.2
Assignee: jniederm
QA Contact: Nisim Simsolo
URL:
Whiteboard:
: 1347271 (view as bug list)
Depends On: 1074464 1347642 1347669 1419924
Blocks: 1337101 1398560 1405032 1421510 1430550
TreeView+ depends on / blocked
 
Reported: 2016-09-08 09:51 UTC by Martin Polednik
Modified: 2017-03-16 14:47 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1347669
Environment:
Last Closed: 2017-03-16 14:47:11 UTC
oVirt Team: Virt
rule-engine: ovirt-4.1+
nsimsolo: testing_plan_complete+
rule-engine: planning_ack+
rule-engine: devel_ack+
mavital: testing_ack+


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 59031 master MERGED rng: allow urandom as virtio rng entropy source 2016-09-12 14:37:26 UTC
oVirt gerrit 65442 master NEW webadmin, core: random renamed to urandom in VM dialog 2016-10-25 19:38:43 UTC
oVirt gerrit 65668 master MERGED core: Update RNG source for non-cluster entities 2016-11-22 12:54:49 UTC
oVirt gerrit 65762 master MERGED core: Updating RNG devices on Cluster change 2016-11-22 12:41:42 UTC
oVirt gerrit 65763 master MERGED webadmin, core: Reflecting template settings to VMs 2016-11-25 13:49:10 UTC
oVirt gerrit 65778 master NEW urandom RNG source added 2016-10-27 12:18:27 UTC
oVirt gerrit 65779 master POST restapi: 'urandom' required RNG source ignored 2016-10-31 21:33:33 UTC
oVirt gerrit 65926 master POST core: 'urandom' and 'random' considered equal 2016-11-02 17:00:38 UTC
oVirt gerrit 66752 master MERGED webadmin: Allow VM custom compatibility for urandom rng 2016-11-25 14:24:14 UTC
oVirt gerrit 67050 master MERGED restapi: Reflecting template RNG settings to new VM 2016-12-01 14:50:33 UTC
oVirt gerrit 67210 master MERGED core: Update RNG source for non-cluster entities 2016-11-23 11:26:44 UTC
oVirt gerrit 67469 master MERGED core: Fix of NPE when creating new instance type 2016-12-01 14:50:51 UTC

Description Martin Polednik 2016-09-08 09:51:39 UTC
+++ This bug was initially created as a clone of Bug #1347669 +++

Description of problem:
/dev/urandom is perfectly fine source of randomness once seeded (see bug 1074464#c13 for discussion and references) and from 7.3 on, libvirt won't refuse it as a source of randomness (see blocking bugs). oVirt/RHEV should therefore enable it as a backend for virtio-rng from 4.1 on at latest.

Version-Release number of selected component (if applicable):
4.0

How reproducible:
always

Steps to Reproduce:
1. try to use /dev/urandom as a randomnes source in Edit VM -> Random generator
2.
3.

Actual results:
only /dev/random and /dev/hwrng are available

Expected results:
/dev/urandom is available to choose as well

Additional info:

--- Additional consideration for ovirt-engine
Currently, VDSM can report up to 2 sources: random and hwrng. New source cannot be added due to 1374216, therefore current implementation of VDSM doesn't report new source but changes semantics of "random" source.

The semantics are now as follows:
"random" RNG source means support of "random" and "urandom" sources

"urandom" is the source engine should send to VDSM when "random" checkbox is ticked.

Comment 1 Red Hat Bugzilla Rules Engine 2016-09-08 09:52:07 UTC
Bug tickets must have version flags set prior to targeting them to a release. Please ask maintainer to set the correct version flags and only then set the target milestone.

Comment 2 Yaniv Kaul 2016-11-01 11:45:17 UTC
I'm missing something here. Wouldn't it make more sense to do a simple change in VDSM only - if it's supported, use 'urandom'. Otherwise, use 'random'.
Why do we need Engine changes, for example?

Comment 3 jniederm 2016-11-01 12:26:26 UTC
IIUIC the problem with such vdsm only change might be that user will not be able to find out what RNG source is actually used. The UI would always show 'random'. Plus it would introduce an inconsistency between VM descriptor that is being send on VM startup from engine to vdsm and the actual VM configuration.
And both 'random' and 'urandom' are present on almost all linux systems so it would also mean that after upgrade 4.0 -> 4.1 even VMs in 4.0 clusters will get 'urandom' (despite expecting 'random').

Comment 4 Yaniv Kaul 2016-11-01 12:29:22 UTC
(In reply to jniederm from comment #3)
> IIUIC the problem with such vdsm only change might be that user will not be
> able to find out what RNG source is actually used. The UI would always show
> 'random'. Plus it would introduce an inconsistency between VM descriptor
> that is being send on VM startup from engine to vdsm and the actual VM
> configuration.
> And both 'random' and 'urandom' are present on almost all linux systems so
> it would also mean that after upgrade 4.0 -> 4.1 even VMs in 4.0 clusters
> will get 'urandom' (despite expecting 'random').

Understood - but keep in mind that it's a libvirt issue of not supporting 'urandom' - until 7.3. You need to make sure that all hosts support it (for migration, for example). I thought the best path would have been to hide this detail from everyone as much as possible.

Comment 5 Eyal Edri 2016-11-23 07:22:12 UTC
This is now failing CI:

http://jenkins.ovirt.org/view/experimental%20jobs/job/test-repo_ovirt_experimental_master/3562/\

While running log-collector, this error shows:

ERROR: _get_hypervisors_from_api: urandom is not a valid RngSource

Comment 6 Sandro Bonazzola 2016-12-12 13:54:16 UTC
The fix for this issue should be included in oVirt 4.1.0 beta 1 released on December 1st. If not included please move back to modified.

Comment 7 Tomas Jelinek 2016-12-13 08:12:55 UTC
*** Bug 1347271 has been marked as a duplicate of this bug. ***

Comment 8 Nisim Simsolo 2017-03-08 15:11:58 UTC
Verification builds:
ovirt-engine-4.1.1.3-0.1.el7
vdsm-4.19.7-1.el7ev.x86_64
libvirt-client-2.0.0-10.el7_3.5.x86_64
qemu-kvm-rhev-2.6.0-28.el7_3.6.x86_64
sanlock-3.4.0-1.el7.x86_64

Comment 9 Lucy Bopf 2017-03-14 04:53:16 UTC
Removing the doc text and setting requires_doc_text to '-', as this change is already described in bug 1337101.


Note You need to log in before you can comment on or make changes to this bug.