11:09 a.m.
Hi,
I'm just wondering: How is the state
of the virtio-rng implementation?
I'm asking because I need to regenerate
ssh host keys in newly deployed vms.
(I seem to be the only person, or everybody
else has found the solution, or nobody thinks
about security, or a mixture of the above?)
Additional I found no really guidance
on how much entropy bits should be
available to generate a secure key
inside a vm, beside these numbers:
http://www.ietf.org/rfc/rfc1750.txt
suggests about 128 bits of entropy
for a single cryptographic operation.
various other sources mention ranges
between 100-200 or even at least 4096
entropy bits.
Would it be a workaround to add a virtual
sound device and use this one for /dev/random ?
(But it would be useless if you have no real sound hardware I guess).
Additional when you want to regenerate host keys in e.g. Ubuntu
3 Keys get generated so you need even more entropy to be on the
save side.
If you got any links to best practices or some
good news regarding the state of virtio-rng that would be awesome.
Currently my vms have around 130-160 entropy bits available.
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
11:32 a.m.
Answering myself, it seems
virtio-rng will be in 3.4:
https://bugzilla.redhat.com/show_bug.cgi?id=977079
But I don't find it in the planning:
https://docs.google.com/spreadsheet/ccc?key=0AuAtmJW_VMCRdHJ6N1M3d1F1UTJT...
Nevertheless it would be cool if someone could give some advice
how to handle entropy until 3.4 gets released
(and I have time to upgrade).
Am 13.12.2013 09:09, schrieb Sven Kieske:
Hi,
I'm just wondering: How is the state
of the virtio-rng implementation?
I'm asking because I need to regenerate
ssh host keys in newly deployed vms.
(I seem to be the only person, or everybody
else has found the solution, or nobody thinks
about security, or a mixture of the above?)
Additional I found no really guidance
on how much entropy bits should be
available to generate a secure key
inside a vm, beside these numbers:
http://www.ietf.org/rfc/rfc1750.txt
suggests about 128 bits of entropy
for a single cryptographic operation.
various other sources mention ranges
between 100-200 or even at least 4096
entropy bits.
Would it be a workaround to add a virtual
sound device and use this one for /dev/random ?
(But it would be useless if you have no real sound hardware I guess).
Additional when you want to regenerate host keys in e.g. Ubuntu
3 Keys get generated so you need even more entropy to be on the
save side.
If you got any links to best practices or some
good news regarding the state of virtio-rng that would be awesome.
Currently my vms have around 130-160 entropy bits available.
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
2:58 p.m.
Entropy starvation isn't that common so for the vast majority of users it's not
something that concerns them.
But obviously it's important enough that we invested in creating a paravirtualized
solution.
RHEL 6.4 and 6.5 includes support within QEMU for virt-rng but not in libvirt.
RHEL 6.6 will pickup the appropriate libvirt support for virtio-rng and it is in RHEL 7
beta.
If I remember correctly it's in fedora 19 and later.
If you are compiling your own then you need a QEMU version 1.3 or later and libvirt 1.0.3
or later.
virt-rng is something we'd like to finish off in 3.4 it's effectively done
already.
The challenge will be where it's supported - since EL6 hosts won't be able to use
it unless we get creative.
If you're running on ovirt 3.2+ now with Fedora 19+ hosts then you can use a vdsm
hook[1] to configure virt-rng for your guests.
The XML required to inject in the hook would be relatively simple[2]
On the topic of EL6 (before 6.6 comes out) then there is a way to work around this.
libvirt has a mechanism to pass through qemu command line options[3] . It's somewhere
inbetween a great hack and a risky solution - but it's certainly helped up out many
times. With this qemu namespace option in libvirt you could easily make it work in a
custom hook on EL6.
Aic
[1] http://www.ovirt.org/VDSM-Hooks
[2] http://libvirt.org/formatdomain.html#elementsRng
[3] http://libvirt.org/drvqemu.html#qemucommand
----- Original Message -----
From: "Sven Kieske" <S.Kieske(a)mittwald.de>
To: users(a)ovirt.org
Sent: Friday, December 13, 2013 3:32:22 AM
Subject: Re: [Users] virtio-rng / crypto inside vms
Answering myself, it seems
virtio-rng will be in 3.4:
https://bugzilla.redhat.com/show_bug.cgi?id=977079
But I don't find it in the planning:
https://docs.google.com/spreadsheet/ccc?key=0AuAtmJW_VMCRdHJ6N1M3d1F1UTJT...
Nevertheless it would be cool if someone could give some advice
how to handle entropy until 3.4 gets released
(and I have time to upgrade).
Am 13.12.2013 09:09, schrieb Sven Kieske:
> Hi,
>
> I'm just wondering: How is the state
> of the virtio-rng implementation?
>
> I'm asking because I need to regenerate
> ssh host keys in newly deployed vms.
>
> (I seem to be the only person, or everybody
> else has found the solution, or nobody thinks
> about security, or a mixture of the above?)
>
> Additional I found no really guidance
> on how much entropy bits should be
> available to generate a secure key
> inside a vm, beside these numbers:
>
> http://www.ietf.org/rfc/rfc1750.txt
> suggests about 128 bits of entropy
> for a single cryptographic operation.
>
> various other sources mention ranges
> between 100-200 or even at least 4096
> entropy bits.
>
> Would it be a workaround to add a virtual
> sound device and use this one for /dev/random ?
> (But it would be useless if you have no real sound hardware I
> guess).
>
> Additional when you want to regenerate host keys in e.g. Ubuntu
> 3 Keys get generated so you need even more entropy to be on the
> save side.
>
> If you got any links to best practices or some
> good news regarding the state of virtio-rng that would be awesome.
>
> Currently my vms have around 130-160 entropy bits available.
>
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad
Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad
Oeynhausen
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
10:52 p.m.
haveged is worth mentioning as pretty good alternative solution
http://www.issihosts.com/haveged/
Cheers,
Juergen
On Fri, Dec 13, 2013 at 9:32 AM, Sven Kieske <S.Kieske(a)mittwald.de> wrote:
Answering myself, it seems
virtio-rng will be in 3.4:
https://bugzilla.redhat.com/show_bug.cgi?id=977079
But I don't find it in the planning:
https://docs.google.com/spreadsheet/ccc?key=0AuAtmJW_VMCRdHJ6N1M3d1F1UTJT...
Nevertheless it would be cool if someone could give some advice
how to handle entropy until 3.4 gets released
(and I have time to upgrade).
Am 13.12.2013 09:09, schrieb Sven Kieske:
> Hi,
>
> I'm just wondering: How is the state
> of the virtio-rng implementation?
>
> I'm asking because I need to regenerate
> ssh host keys in newly deployed vms.
>
> (I seem to be the only person, or everybody
> else has found the solution, or nobody thinks
> about security, or a mixture of the above?)
>
> Additional I found no really guidance
> on how much entropy bits should be
> available to generate a secure key
> inside a vm, beside these numbers:
>
> http://www.ietf.org/rfc/rfc1750.txt
> suggests about 128 bits of entropy
> for a single cryptographic operation.
>
> various other sources mention ranges
> between 100-200 or even at least 4096
> entropy bits.
>
> Would it be a workaround to add a virtual
> sound device and use this one for /dev/random ?
> (But it would be useless if you have no real sound hardware I guess).
>
> Additional when you want to regenerate host keys in e.g. Ubuntu
> 3 Keys get generated so you need even more entropy to be on the
> save side.
>
> If you got any links to best practices or some
> good news regarding the state of virtio-rng that would be awesome.
>
> Currently my vms have around 130-160 entropy bits available.
>
--
Mit freundlichen Grüßen / Regards
Sven Kieske
Systemadministrator
Mittwald CM Service GmbH & Co. KG
Königsberger Straße 6
32339 Espelkamp
T: +49-5772-293-100
F: +49-5772-293-333
https://www.mittwald.de
Geschäftsführer: Robert Meyer
St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad Oeynhausen
Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad Oeynhausen
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users
--
Sent from the Delta quadrant using Borg technology!
3995
days inactive
3997
days old
3 comments
3 participants
participants (3)
-
Andrew Cathrow -
squadra -
Sven Kieske