9:49 a.m.
I got this error when trying to use /dev/urandom as a backend for
virtio-rng. Is there a reason for that? Plain qemu allows you to
specify /dev/urandom and seems to work OK.
There's a tetchy bugzilla on this subject:
https://bugzilla.redhat.com/show_bug.cgi?id=1074464
but I think for cases where people don't care / throwaway appliances,
we should allow /dev/urandom. The main reason is that it doesn't
block.
Patch attached.
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
10:10 a.m.
On Tue, Mar 22, 2016 at 14:49:42 +0000, Richard W.M. Jones wrote:
I got this error when trying to use /dev/urandom as a backend for
virtio-rng. Is there a reason for that? Plain qemu allows you to
specify /dev/urandom and seems to work OK.
There's a tetchy bugzilla on this subject:
https://bugzilla.redhat.com/show_bug.cgi?id=1074464
The original implementation didn't do any verification. Later before
releasing the feature it was decided that we should actually babysit the
users in this case:
commit 4932ef4502bc515a7d33e09e763118b7d763cd69
Author: Eric Blake <eblake(a)redhat.com>
Date: Mon Mar 4 15:42:07 2013 -0700
rng: restrict passthrough names to known-good files
There is some controversy[1] on the qemu list on whether qemu should
have ever allowed arbitrary file name passthrough, or whether it
should be restricted to JUST /dev/random and /dev/hwrng. It is
always easier to add support for additional filenames than it is
to remove support for something once released, so this patch
restricts libvirt 1.0.3 (where the virtio-random backend was first
supported) to just the two uncontroversial names, letting us defer
to a later date any decision on whether supporting arbitrary files
makes sense. Additionally, since qemu 1.4 does NOT support
/dev/fdset/nnn fd passthrough for the backend, limiting to just
two known names means that we don't get tempted to try fd
passthrough where it won't work.
[1]https://lists.gnu.org/archive/html/qemu-devel/2013-03/threads.html#00023
* src/conf/domain_conf.c (virDomainRNGDefParseXML): Only allow
/dev/random and /dev/hwrng.
* docs/schemas/domaincommon.rng: Flag invalid files.
* docs/formatdomain.html.in (elementsRng): Document this.
* tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-random.args:
Update test to match.
* tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-random.xml:
Likewise.
Peter
10:20 a.m.
On Tue, Mar 22, 2016 at 02:49:42PM +0000, Richard W.M. Jones wrote:
I got this error when trying to use /dev/urandom as a backend for
virtio-rng. Is there a reason for that? Plain qemu allows you to
specify /dev/urandom and seems to work OK.
There's a tetchy bugzilla on this subject:
https://bugzilla.redhat.com/show_bug.cgi?id=1074464
but I think for cases where people don't care / throwaway appliances,
we should allow /dev/urandom. The main reason is that it doesn't
block.
Having it block is desirable, even for throwaway appliances like
libguestfs, as even if the appliance is throway, the work they
do should not be assumed to be throwaway. For example if libguestfs
is creating or modifying a LUKS volume in a disk image, the guestfs
appliance is throwaway, but the resulting LUKS volume with cryptographic
keys lives for ever
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
9:09 a.m.
On Tue, Mar 22, 2016 at 02:49:42PM +0000, Richard W.M. Jones wrote:
I got this error when trying to use /dev/urandom as a backend for
virtio-rng. Is there a reason for that? Plain qemu allows you to
specify /dev/urandom and seems to work OK.
There's a tetchy bugzilla on this subject:
https://bugzilla.redhat.com/show_bug.cgi?id=1074464
but I think for cases where people don't care / throwaway appliances,
we should allow /dev/urandom. The main reason is that it doesn't
block.
Can we look at this again. I'm pretty convinced after reading that
bugzilla that libvirt is plain wrong about this, even for important
appliances. As long as the *host* has seeded the PRNG with real
entropy, seeding guests from /dev/urandom is fine.
Anyway for now I've had to disable virtio-rng in the libguestfs
libvirt backend (it's used by the direct backend, using /dev/urandom).
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
3151
days inactive
3165
days old
3 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Peter Krempa -
Richard W.M. Jones