[Users] virtio-rng / crypto inside vms

Fri Dec 13 11:58:43 UTC 2013

Entropy starvation isn't that common so for the vast majority of users it's not something that concerns them.
But obviously it's important enough that we invested in creating a paravirtualized solution.

RHEL 6.4 and 6.5 includes support within QEMU for virt-rng but not in libvirt.
RHEL 6.6 will pickup the appropriate libvirt support for virtio-rng and it is in RHEL 7 beta.
If I remember correctly it's in fedora 19 and later.
If you are compiling your own then you need a QEMU version 1.3 or later and libvirt 1.0.3 or later.

virt-rng is something we'd like to finish off in 3.4 it's effectively done already.
The challenge will be where it's supported - since EL6 hosts won't be able to use it unless we get creative.

If you're running on ovirt 3.2+ now with Fedora 19+ hosts then you can use a vdsm hook[1] to configure virt-rng for your guests.
The XML required to inject in the hook would be relatively simple[2]

On the topic of EL6 (before 6.6 comes out) then there is a way to work around this.
libvirt has a mechanism to pass through qemu command line options[3] . It's somewhere inbetween a great hack and a risky solution - but it's certainly helped up out many times. With this qemu namespace option in libvirt you could easily make it work in a custom hook on EL6.

Aic

[1] http://www.ovirt.org/VDSM-Hooks
[2] http://libvirt.org/formatdomain.html#elementsRng
[3] http://libvirt.org/drvqemu.html#qemucommand

----- Original Message -----
> From: "Sven Kieske" <S.Kieske at mittwald.de>
> To: users at ovirt.org
> Sent: Friday, December 13, 2013 3:32:22 AM
> Subject: Re: [Users] virtio-rng / crypto inside vms
> 
> Answering myself, it seems
> virtio-rng will be in 3.4:
> https://bugzilla.redhat.com/show_bug.cgi?id=977079
> 
> But I don't find it in the planning:
> 
> https://docs.google.com/spreadsheet/ccc?key=0AuAtmJW_VMCRdHJ6N1M3d1F1UTJTS1dSMnZwMF9XWVE&usp=sharing#gid=0
> 
> Nevertheless it would be cool if someone could give some advice
> how to handle entropy until 3.4 gets released
> (and I have time to upgrade).
> 
> Am 13.12.2013 09:09, schrieb Sven Kieske:
> > Hi,
> > 
> > I'm just wondering: How is the state
> > of the virtio-rng implementation?
> > 
> > I'm asking because I need to regenerate
> > ssh host keys in newly deployed vms.
> > 
> > (I seem to be the only person, or everybody
> > else has found the solution, or nobody thinks
> > about security, or a mixture of the above?)
> > 
> > Additional I found no really guidance
> > on how much entropy bits should be
> > available to generate a secure key
> > inside a vm, beside these numbers:
> > 
> > http://www.ietf.org/rfc/rfc1750.txt
> > suggests about 128 bits of entropy
> > for a single cryptographic operation.
> > 
> > various other sources mention ranges
> > between 100-200 or even at least 4096
> > entropy bits.
> > 
> > Would it be a workaround to add a virtual
> > sound device and use this one for /dev/random ?
> > (But it would be useless if you have no real sound hardware I
> > guess).
> > 
> > Additional when you want to regenerate host keys in e.g. Ubuntu
> > 3 Keys get generated so you need even more entropy to be on the
> > save side.
> > 
> > If you got any links to best practices or some
> > good news regarding the state of virtio-rng that would be awesome.
> > 
> > Currently my vms have around 130-160 entropy bits available.
> > 
> 
> --
> Mit freundlichen Grüßen / Regards
> 
> Sven Kieske
> 
> Systemadministrator
> Mittwald CM Service GmbH & Co. KG
> Königsberger Straße 6
> 32339 Espelkamp
> T: +49-5772-293-100
> F: +49-5772-293-333
> https://www.mittwald.de
> Geschäftsführer: Robert Meyer
> St.Nr.: 331/5721/1033, USt-IdNr.: DE814773217, HRA 6640, AG Bad
> Oeynhausen
> Komplementärin: Robert Meyer Verwaltungs GmbH, HRB 13260, AG Bad
> Oeynhausen
> _______________________________________________
> Users mailing list
> Users at ovirt.org
> http://lists.ovirt.org/mailman/listinfo/users
>