[libvirt] "file '/dev/urandom' is not a supported random source"

I got this error when trying to use /dev/urandom as a backend for virtio-rng. Is there a reason for that? Plain qemu allows you to specify /dev/urandom and seems to work OK.

There's a tetchy bugzilla on this subject: https://bugzilla.redhat.com/show_bug.cgi?id=1074464 but I think for cases where people don't care / throwaway appliances, we should allow /dev/urandom. The main reason is that it doesn't block.

Patch attached.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and build Windows installers. Over 100 libraries supported. http://fedoraproject.org/wiki/MinGW

On Tue, Mar 22, 2016 at 14:49:42 +0000, Richard W.M. Jones wrote:
I got this error when trying to use /dev/urandom as a backend for virtio-rng. Is there a reason for that? Plain qemu allows you to specify /dev/urandom and seems to work OK.
There's a tetchy bugzilla on this subject:
The original implementation didn't do any verification. Later, before releasing the feature, it was decided that we should actually babysit the users in this case:

commit 4932ef4502bc515a7d33e09e763118b7d763cd69
Author: Eric Blake <eblake@redhat.com>
Date:   Mon Mar 4 15:42:07 2013 -0700

    rng: restrict passthrough names to known-good files

    There is some controversy[1] on the qemu list on whether qemu should have ever allowed arbitrary file name passthrough, or whether it should be restricted to JUST /dev/random and /dev/hwrng. It is always easier to add support for additional filenames than it is to remove support for something once released, so this patch restricts libvirt 1.0.3 (where the virtio-random backend was first supported) to just the two uncontroversial names, letting us defer to a later date any decision on whether supporting arbitrary files makes sense.

    Additionally, since qemu 1.4 does NOT support /dev/fdset/nnn fd passthrough for the backend, limiting to just two known names means that we don't get tempted to try fd passthrough where it won't work.

    [1] https://lists.gnu.org/archive/html/qemu-devel/2013-03/threads.html#00023

    * src/conf/domain_conf.c (virDomainRNGDefParseXML): Only allow /dev/random and /dev/hwrng.
    * docs/schemas/domaincommon.rng: Flag invalid files.
    * docs/formatdomain.html.in (elementsRng): Document this.
    * tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-random.args: Update test to match.
    * tests/qemuxml2argvdata/qemuxml2argv-virtio-rng-random.xml: Likewise.

Peter
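The allowlist rule the commit describes, as an added illustration written for this thread (not libvirt's own parser): a small Python check that applies the same two-name restriction to the `<rng>` elements of a domain XML document and reproduces the error text from the subject line. The XML samples are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Passthrough files libvirt accepts for <backend model='random'>,
# per the commit quoted above.
ALLOWED_RANDOM_SOURCES = ("/dev/random", "/dev/hwrng")

# Constructed sample domain fragments: one that libvirt rejects, one it accepts.
REJECTED_XML = """<domain type='kvm'><name>appliance</name><devices>
  <rng model='virtio'><backend model='random'>/dev/urandom</backend></rng>
</devices></domain>"""

ACCEPTED_XML = """<domain type='kvm'><name>appliance</name><devices>
  <rng model='virtio'><backend model='random'>/dev/random</backend></rng>
  <rng model='virtio'><backend model='egd' type='tcp'>
    <source mode='connect' host='127.0.0.1' service='1234'/>
  </backend></rng>
</devices></domain>"""


def check_rng_backends(domain_xml: str) -> list:
    """Return (path, accepted, message) for each 'random' backend in the XML.

    Mirrors the libvirt rule from the commit: only the two known-good files
    pass; anything else gets the "not a supported random source" error.
    Backends of other models (e.g. egd) are not file passthrough and are skipped.
    """
    root = ET.fromstring(domain_xml)
    results = []
    for rng in root.iter("rng"):
        backend = rng.find("backend")
        if backend is None or backend.get("model") != "random":
            continue
        path = (backend.text or "").strip()
        if not path:
            continue  # no explicit file given; nothing to validate here
        if path in ALLOWED_RANDOM_SOURCES:
            results.append((path, True, "ok"))
        else:
            results.append((path, False,
                            f"file '{path}' is not a supported random source"))
    return results


if __name__ == "__main__":
    for label, xml in (("rejected", REJECTED_XML), ("accepted", ACCEPTED_XML)):
        for path, ok, msg in check_rng_backends(xml):
            print(f"{label}: {path}: {msg}")
```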

On Tue, Mar 22, 2016 at 02:49:42PM +0000, Richard W.M. Jones wrote:
I got this error when trying to use /dev/urandom as a backend for virtio-rng. Is there a reason for that? Plain qemu allows you to specify /dev/urandom and seems to work OK.
There's a tetchy bugzilla on this subject:
https://bugzilla.redhat.com/show_bug.cgi?id=1074464
but I think for cases where people don't care / throwaway appliances, we should allow /dev/urandom. The main reason is that it doesn't block.
Having it block is desirable, even for throwaway appliances like libguestfs, as even if the appliance is throwaway, the work they do should not be assumed to be throwaway. For example, if libguestfs is creating or modifying a LUKS volume in a disk image, the guestfs appliance is throwaway, but the resulting LUKS volume with cryptographic keys lives forever.

Regards,
Daniel

--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Tue, Mar 22, 2016 at 02:49:42PM +0000, Richard W.M. Jones wrote:
I got this error when trying to use /dev/urandom as a backend for virtio-rng. Is there a reason for that? Plain qemu allows you to specify /dev/urandom and seems to work OK.
There's a tetchy bugzilla on this subject:
https://bugzilla.redhat.com/show_bug.cgi?id=1074464
but I think for cases where people don't care / throwaway appliances, we should allow /dev/urandom. The main reason is that it doesn't block.
Can we look at this again? I'm pretty convinced after reading that bugzilla that libvirt is plain wrong about this, even for important appliances. As long as the *host* has seeded the PRNG with real entropy, seeding guests from /dev/urandom is fine.

Anyway, for now I've had to disable virtio-rng in the libguestfs libvirt backend (it's used by the direct backend, using /dev/urandom).

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines. Boot with a live CD or over the network (PXE) and turn machines into KVM guests. http://libguestfs.org/virt-v2v