Description of problem:
The guest (especially rhel7 and rhel8) likes to have a lot of entropy at boot time; otherwise the boot might be delayed by 30 sec, and in the meantime the guest forbids non-root (cloud-user) login.

https://wiki.openstack.org/wiki/LibvirtVirtioRng

[libvirt]
rng_dev_path=/dev/random

You can suggest in the documentation to switch it to /dev/urandom. In practice it is safe to use /dev/urandom, but there is some gray area at the baremetal host's very early boot time (>>99.99% it is secure when an actual vm can start, but not 100%).
Nova already defaults to `/dev/urandom`. See this commit[*]:

    commit 814bfd937238cbd211ea30805c36ae682cfd7b48
    Author: Kashyap Chamarthy <kchamart>
    Date:   Fri Jun 22 12:11:56 2018 +0200

        conf: libvirt: Make `/dev/urandom` the default for 'rng_dev_path'

        Since libvirt 1.3.4, any RNG (Random Number Generator) device path
        (that returns random numbers when read!) is accepted. However, the
        recommended source of entropy is `/dev/urandom` (it is non-blocking;
        and doesn't have the same limitations of `dev/random`, which is a
        legacy interface).

        Therefore, make `/dev/urandom` the default RNG for 'rng_dev_path'
        config attribute; adjust the relevant tests. Also update the
        documentation to reflect this change.

        Change-Id: Ia39402a045ffb1943463b5741655d84071613e8c
        Signed-off-by: Kashyap Chamarthy <kchamart>
        Reported-by: Daniel P. Berrangé <berrange>

[*] http://git.openstack.org/cgit/openstack/nova/commit/?id=814bfd937238
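A check for the setting discussed above, as an added example that is not part of the original bug thread or of Nova: it reads nova.conf text and classifies the [libvirt] rng_dev_path value. The function name, status labels and sample fragments are constructed for illustration, and Python's configparser is assumed to be a close enough stand-in for Nova's own config parsing.

```python
import configparser
import posixpath

# Constructed nova.conf fragments (illustrative, not from a real deployment).
SAMPLES = {
    "explicit-random": "[libvirt]\nrng_dev_path=/dev/random\n",
    "explicit-urandom": "[libvirt]\nvirt_type = kvm\nrng_dev_path = /dev/urandom\n",
    "unset": "[DEFAULT]\ndebug = false\n[libvirt]\nvirt_type = kvm\n",
    "other-device": "[libvirt]\nrng_dev_path = /dev/hwrng\n",
}


def audit_rng_dev_path(conf_text):
    """Return (status, detail) for the [libvirt] rng_dev_path option."""
    # configparser would copy [DEFAULT] keys into every section; nova.conf
    # treats [DEFAULT] as an ordinary group, so rename the inherited section.
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(conf_text)
    raw = parser.get("libvirt", "rng_dev_path", fallback=None)

    if raw is None or not raw.strip():
        # Nothing configured: the release default applies. It is /dev/urandom
        # only where commit 814bfd937238 (cited in the thread) is present.
        return ("unset", "release default applies")

    path = posixpath.normpath(raw.strip())
    if path == "/dev/random":
        return ("blocking", "reads wait until sufficient entropy is available")
    if path == "/dev/urandom":
        return ("ok", "non-blocking source recommended by the commit")
    return ("custom", "non-standard RNG device: " + path)


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        status, detail = audit_rng_dev_path(text)
        print(f"{name:17} {status:9} {detail}")
```
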
As noted by Kashyap, this is already the case since OSP 14. What is the ask here? Is Director or the documentation using something different?
Good ;-)

I would like to have some kind of rng in osp10 and osp13 by default as well. I checked several other commits; maybe it is the case already.
(In reply to Attila Fazekas from comment #3)
> Good ;-)
>
> I would like to have some kind of rng in osp10 and osp13 by default as well.
> I checked several other commits; maybe it is the case already.

Hmm, I don't think that's something we can do as it would be a change in behavior for existing users. I'm not sure if this is exposed by Director though. If not, perhaps exposing that would be an option. I will discuss with my team.
We discussed this at a team meeting today and agreed that this is more a bug than an RFE, so we would like to fix this for OSP 13 but not OSP 10, which only accepts critical fixes going forward. I've updated the subject accordingly.
The doc text mostly looks good. Suggest to define what "blocking" means in the 'Consequence' section. Here's a potential "diff": - '/dev/random' is blocking, which can result in performance issues when - creating multiple instances on a given host. + '/dev/random' is "blocking" (as in, it waits until sufficient entropy + is available), which can result in performance degradation when + creating multiple instances on a given host.
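Review bot: The added lines define "blocking" but still describe the consequence only as "performance degradation when creating multiple instances on a given host", while the symptom reported in this bug is a guest boot delayed by about 30 sec with non-root login refused in the meantime. Consider naming that boot delay in the 'Consequence' text so readers can match the doc text to what they observe.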
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0924