[Users] virtio-rng / crypto inside vms
acathrow at redhat.com
Fri Dec 13 11:58:43 UTC 2013
Entropy starvation isn't that common so for the vast majority of users it's not something that concerns them.
But obviously it's important enough that we invested in creating a paravirtualized solution.
RHEL 6.4 and 6.5 include support within QEMU for virt-rng but not in libvirt.
RHEL 6.6 will pick up the appropriate libvirt support for virtio-rng and it is in RHEL 7 beta.
If I remember correctly it's in Fedora 19 and later.
If you are compiling your own then you need a QEMU version 1.3 or later and libvirt 1.0.3 or later.
virt-rng is something we'd like to finish off in 3.4; it's effectively done already.
The challenge will be where it's supported - since EL6 hosts won't be able to use it unless we get creative.
If you're running on ovirt 3.2+ now with Fedora 19+ hosts then you can use a vdsm hook to configure virt-rng for your guests.
The XML required to inject in the hook would be relatively simple.
On the topic of EL6 (before 6.6 comes out), there is a way to work around this.
libvirt has a mechanism to pass through qemu command line options. It's somewhere in between a great hack and a risky solution - but it's certainly helped us out many times. With this qemu namespace option in libvirt you could easily make it work in a custom hook on EL6.
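As an added example (not code from this thread, nor vdsm's or oVirt's own), here is the domain-XML transformation such a hook could apply: the native libvirt <rng> element for hosts with libvirt 1.0.3 or later, and the qemu:commandline passthrough for EL6.4/6.5 hosts whose libvirt lacks it. The vdsm plumbing (hooking.read_domxml/write_domxml) is left out so the function runs stand-alone on a constructed domain XML; the sample XML, the rate values and /dev/hwrng as a source are assumptions.

```python
"""Add a virtio-rng device to a libvirt domain XML (constructed example)."""
import xml.etree.ElementTree as ET

QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
ET.register_namespace("qemu", QEMU_NS)

# Constructed minimal domain XML, as a before_vm_start hook would see it.
SAMPLE_DOMXML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
  </devices>
</domain>"""


def add_virtio_rng(domxml, native=True, source="/dev/random",
                   period_ms=1000, max_bytes=1024):
    """Return domxml with a virtio-rng device fed from `source` on the host.

    native=True  -> libvirt 1.0.3+ <rng> element (EL6.6, EL7, Fedora 19+).
    native=False -> EL6.4/6.5 fallback: libvirt has no <rng>, so the
                    QEMU 1.3+ flags go through the qemu:commandline namespace.
    The rate limit caps what one guest may pull from the host pool, so a
    single guest cannot starve the host or its neighbours of entropy.
    """
    root = ET.fromstring(domxml)
    if native:
        rng = ET.SubElement(root.find("devices"), "rng", model="virtio")
        ET.SubElement(rng, "rate", period=str(period_ms), bytes=str(max_bytes))
        ET.SubElement(rng, "backend", model="random").text = source
    else:
        cmd = ET.SubElement(root, "{%s}commandline" % QEMU_NS)
        for arg in ("-object",
                    "rng-random,filename=%s,id=rng0" % source,
                    "-device",
                    "virtio-rng-pci,rng=rng0,max-bytes=%d,period=%d"
                    % (max_bytes, period_ms)):
            ET.SubElement(cmd, "{%s}arg" % QEMU_NS, value=arg)
    return ET.tostring(root, encoding="unicode")


def rng_backends(domxml):
    """Host entropy sources behind native <rng> devices (for checks)."""
    return [b.text for b in ET.fromstring(domxml).findall("devices/rng/backend")]


def qemu_args(domxml):
    """Passed-through QEMU arguments in order, empty if none."""
    path = "{%s}commandline/{%s}arg" % (QEMU_NS, QEMU_NS)
    return [a.get("value") for a in ET.fromstring(domxml).findall(path)]
```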
----- Original Message -----
> From: "Sven Kieske" <S.Kieske at mittwald.de>
> To: users at ovirt.org
> Sent: Friday, December 13, 2013 3:32:22 AM
> Subject: Re: [Users] virtio-rng / crypto inside vms
> Answering myself, it seems
> virtio-rng will be in 3.4:
> But I don't find it in the planning:
> Nevertheless it would be cool if someone could give some advice
> how to handle entropy until 3.4 gets released
> (and I have time to upgrade).
> On 13.12.2013 09:09, Sven Kieske wrote:
> > Hi,
> > I'm just wondering: How is the state
> > of the virtio-rng implementation?
> > I'm asking because I need to regenerate
> > ssh host keys in newly deployed vms.
> > (I seem to be the only person, or everybody
> > else has found the solution, or nobody thinks
> > about security, or a mixture of the above?)
> > Additionally, I found no real guidance
> > on how many entropy bits should be
> > available to generate a secure key
> > inside a vm, beside these numbers:
> > http://www.ietf.org/rfc/rfc1750.txt
> > suggests about 128 bits of entropy
> > for a single cryptographic operation.
> > various other sources mention ranges
> > between 100-200 or even at least 4096
> > entropy bits.
> > Would it be a workaround to add a virtual
> > sound device and use this one for /dev/random?
> > (But it would be useless if you have no real sound hardware I
> > guess).
> > Additionally, when you want to regenerate host keys in e.g. Ubuntu,
> > 3 keys get generated so you need even more entropy to be on the
> > safe side.
> > If you got any links to best practices or some
> > good news regarding the state of virtio-rng that would be awesome.
> > Currently my vms have around 130-160 entropy bits available.
> Kind regards / Regards
> Sven Kieske
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> Managing Director: Robert Meyer
> Tax no.: 331/5721/1033, VAT ID: DE814773217, HRA 6640, AG Bad
> General partner: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad