Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1689939

Summary: [OSP13] Default random number generation in nova.conf
Product: Red Hat OpenStack Reporter: Attila Fazekas <afazekas>
Component: openstack-nova Assignee: Stephen Finucane <stephenfin>
Status: CLOSED ERRATA QA Contact: OSP DFG:Compute <osp-dfg-compute>
Severity: medium Docs Contact:
Priority: medium    
Version: 13.0 (Queens) CC: amcleod, dasmith, eglynn, jhakimra, kchamart, lyarwood, mbooth, mburns, ramishra, sbauza, sgordon, stephenfin, vromanso
Target Milestone: --- Keywords: Triaged, ZStream
Target Release: 13.0 (Queens)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-nova-17.0.9-7.el7ost Doc Type: Bug Fix
Doc Text:
Previously, `/dev/random` was used as the source of entropy for instances. `/dev/random` is blocking, which can result in performance issues when creating multiple instances on a host. With this update, `/dev/urandom` is used as the source of entropy for instances. `/dev/urandom` is non-blocking and does not have the same limitations as `/dev/random`. As a result, the generation of entropy no longer has a significant performance impact when creating multiple instances on a host.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-04-30 17:13:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Attila Fazekas 2019-03-18 13:31:46 UTC
Description of problem:
The guest (especially rhel7 and rhel8) likes to have a lot of entropy at boot time;
otherwise the boot might be delayed by 30 sec, and in the meantime the guest forbids non-root (cloud-user) login.

https://wiki.openstack.org/wiki/LibvirtVirtioRng

    [libvirt]
    rng_dev_path=/dev/random

You can suggest in the documentation to switch it to /dev/urandom.
In practice it is safe to use /dev/urandom, but there is some gray area at the bare-metal hosts' very early boot time (>>99.99% it is secure when an actual VM can start, but not 100%).

Comment 1 Kashyap Chamarthy 2019-03-22 15:16:32 UTC
Nova already defaults to `/dev/urandom`.

See this commit[*]:

commit 814bfd937238cbd211ea30805c36ae682cfd7b48 
Author: Kashyap Chamarthy <kchamart>
Date:   Fri Jun 22 12:11:56 2018 +0200

    conf: libvirt: Make `/dev/urandom` the default for 'rng_dev_path'

    Since libvirt 1.3.4, any RNG (Random Number Generator) device path (that
    returns random numbers when read!) is accepted.  However, the
    recommended source of entropy is `/dev/urandom` (it is non-blocking; and
    doesn't have the same limitations of `/dev/random`, which is a legacy
    interface).

    Therefore, make `/dev/urandom` the default RNG for 'rng_dev_path' config
    attribute; adjust the relevant tests.  Also update the documentation to
    reflect this change.

    Change-Id: Ia39402a045ffb1943463b5741655d84071613e8c
    Signed-off-by: Kashyap Chamarthy <kchamart>
    Reported-by: Daniel P. Berrangé <berrange>

    
[*] http://git.openstack.org/cgit/openstack/nova/commit/?id=814bfd937238
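
An added example, not part of the bug report or of Nova's code: a check for which entropy device a compute host's `nova.conf` actually selects through `[libvirt]/rng_dev_path`. The function names, the `build_default` parameter (what the installed Nova build uses when the option is unset) and the sample file contents are assumptions constructed for illustration.

```python
import configparser

# Constructed sample: option set explicitly, as in the snippet quoted above.
EXPLICIT = """[DEFAULT]
debug = False

[libvirt]
virt_type = kvm
rng_dev_path=/dev/random
"""

# Constructed sample: option only commented out in [libvirt]; the copy under
# [DEFAULT] must not be mistaken for a [libvirt] setting.
UNSET = """[DEFAULT]
rng_dev_path = /dev/random

[libvirt]
virt_type = kvm
#rng_dev_path=/dev/random
"""


def effective_rng_dev_path(conf_text, build_default):
    """Return (path, source) for [libvirt]/rng_dev_path in nova.conf text."""
    # default_section is renamed so that [DEFAULT] is parsed as an ordinary
    # section and its keys are not inherited by [libvirt].
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, default_section="__unused__")
    parser.read_string(conf_text)
    if parser.has_option("libvirt", "rng_dev_path"):
        return parser.get("libvirt", "rng_dev_path").strip(), "nova.conf"
    return build_default, "build default"


def audit(conf_text, build_default):
    """Classify the effective device as blocking, non-blocking or review."""
    path, source = effective_rng_dev_path(conf_text, build_default)
    if path == "/dev/random":
        finding = "blocking"        # instance creation can stall on entropy
    elif path == "/dev/urandom":
        finding = "non-blocking"
    else:
        finding = "review"          # some other device path was configured
    return {"path": path, "source": source, "finding": finding}


if __name__ == "__main__":
    for name, text in (("explicit", EXPLICIT), ("unset", UNSET)):
        print(name, audit(text, build_default="/dev/urandom"))
```
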

Comment 2 Stephen Finucane 2019-03-22 15:27:46 UTC
As noted by Kashyap, this is already the case since OSP 14. What is the ask here? Is Director or the documentation using something different?

Comment 3 Attila Fazekas 2019-03-25 09:41:23 UTC
Good ;-)

I would like to have some kind of rng in osp10 and osp13 by default as well.
I checked several other commits; maybe it is the case already.

Comment 5 Stephen Finucane 2019-03-29 14:57:40 UTC
(In reply to Attila Fazekas from comment #3)
> Good ;-)
> 
> I would like to have some kind of rng in osp10 and osp13 by default as well.
> I checked several other commits; maybe it is the case already.

Hmm, I don't think that's something we can do as it would be a change in behavior for existing users. I'm not sure if this is exposed by Director though. If not, perhaps exposing that would be an option. I will discuss with my team.

Comment 6 Stephen Finucane 2019-03-29 17:07:35 UTC
We discussed this at a team meeting today and agreed that this is more a bug than an RFE, so we would like to fix this for OSP 13 but not OSP 10, which only accepts critical fixes going forward. I've updated the subject accordingly.

Comment 7 Kashyap Chamarthy 2019-04-01 10:12:56 UTC
The doc text mostly looks good.  Suggest to define what "blocking" means in the 'Consequence' section.  Here's a potential "diff":

- '/dev/random' is blocking, which can result in performance issues when
-  creating multiple instances on a given host.
+ '/dev/random' is "blocking" (as in, it waits until sufficient entropy
+ is available), which can result in performance degradation when  
+ creating multiple instances on a given host.

Comment 14 errata-xmlrpc 2019-04-30 17:13:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0924