Security Guide - Chapter 43. Entropy to instances

Bug #1348798 reported by N Dillon

Affects: openstack-manuals
Status: Fix Released
Importance: Medium
Assigned to: N Dillon

Bug Description

Should Virtio's RNG (hw_rng) be mentioned here as well (http://redhatstackblog.redhat.com/2014/03/11/an-icehouse-sneak-peek-openstack-compute-nova/)? Also, I'm not sure a SourceForge project with only 11 downloads is really the way we want to guide enterprise-level customers; I'd feel more comfortable removing the EGD reference.

There is an OpenStack Summit presentation on this, but I can't view it at the moment over my connection: https://www.openstack.org/summit/san-diego-2012/openstack-summit-sessions/presentation/entropy-or-lack-thereof-in-openstack-instances

Current Text:
"Fortunately, a cloud architect may address these issues by providing a high quality source of entropy to the cloud instances. This can be done by having enough hardware random number generators (HRNG) in the cloud to support the instances. In this case, "enough" is somewhat domain specific. For everyday operations, a modern HRNG is likely to produce enough entropy to support 50-100 compute nodes. High bandwidth HRNGs, such as the RdRand instruction available with Intel Ivy Bridge and newer processors could potentially handle more nodes. For a given cloud, an architect needs to understand the application requirements to ensure that sufficient entropy is available.

Once the entropy is available in the cloud, the next step is getting that entropy into the instances. Tools such as the entropy gathering daemon (EGD) provide a way to fairly and securely distribute entropy through a distributed system. Support exists for using the EGD as an entropy source for LibVirt.

Compute support for these features is not generally available, but it would only require a moderate amount of work for implementors to integrate this functionality."

Recommended update:
"Fortunately, high-quality sources of entropy do exist. The Virtio RNG is a random number generator that uses /dev/random as the source of entropy by default; however, it can be configured to use a hardware RNG. The Virtio RNG is enabled using the hw_rng property of the metadata used to create the instance."
-----------------------------------
Built: 2014-07-25T19:09:41+00:00
git SHA: 1db5fb0b64b4c2707bf2e7a970a7536aaa3bc8f7
URL: http://docs.openstack.org/security-guide/content/security-services-for-instances.html
source File: file:/home/jenkins/workspace/security-doc-tox-doc-publishdocs/security-guide/ch_security-services-for-instances.xml
xml:id: security-services-for-instances
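Added example, not part of the bug report or of the OpenStack Security Guide text quoted above: a small model of how the per-instance virtio RNG the recommended update describes is requested and what the resulting libvirt device definition looks like. The property names used here are the real ones as I know them (the Glance image property `hw_rng_model=virtio` and the flavor extra specs `hw_rng:allowed`, `hw_rng:rate_bytes`, `hw_rng:rate_period`); the gating and XML composition below are an assumed simplification of what Nova's libvirt driver does, not Nova's own code, and the host entropy device is a plain parameter defaulting to `/dev/random` as the quoted text states.

```python
"""Model of requesting a virtio-rng device for an instance and auditing the result.

Assumed simplification of Nova's libvirt driver (not Nova code):
  - the image must set hw_rng_model=virtio
  - the flavor must set hw_rng:allowed=True
  - hw_rng:rate_bytes / hw_rng:rate_period optionally rate-limit the guest
The host-side entropy source is passed in explicitly; /dev/random by default,
a hardware RNG such as /dev/hwrng as an alternative.
"""
import xml.etree.ElementTree as ET


def wants_virtio_rng(image_props: dict, flavor_specs: dict) -> bool:
    """True only when the image asks for virtio-rng AND the flavor allows it."""
    rng_is_virtio = image_props.get("hw_rng_model") == "virtio"
    allowed = str(flavor_specs.get("hw_rng:allowed", "")).lower() in ("true", "1", "yes")
    return rng_is_virtio and allowed


def build_rng_device(image_props: dict, flavor_specs: dict,
                     host_device: str = "/dev/random"):
    """Return the libvirt <rng> element as an XML string, or None if not requested."""
    if not wants_virtio_rng(image_props, flavor_specs):
        return None
    rng = ET.Element("rng", model="virtio")
    # Optional rate limit so a single guest cannot drain the host entropy pool.
    rate_bytes = flavor_specs.get("hw_rng:rate_bytes")
    rate_period = flavor_specs.get("hw_rng:rate_period")
    if rate_bytes is not None:
        rate = ET.SubElement(rng, "rate", bytes=str(rate_bytes))
        if rate_period is not None:
            rate.set("period", str(rate_period))
    # The "random" backend reads from a character device on the compute host.
    backend = ET.SubElement(rng, "backend", model="random")
    backend.text = host_device
    return ET.tostring(rng, encoding="unicode")


def parse_rng_device(xml_text: str) -> dict:
    """Parse an <rng> element back into a dict, e.g. when auditing a domain XML."""
    root = ET.fromstring(xml_text)
    if root.tag != "rng":
        raise ValueError("not an <rng> element")
    backend = root.find("backend")
    rate = root.find("rate")
    return {
        "model": root.get("model"),
        "backend_model": backend.get("model") if backend is not None else None,
        "source": backend.text if backend is not None else None,
        "rate_bytes": int(rate.get("bytes")) if rate is not None else None,
        "rate_period": (int(rate.get("period"))
                        if rate is not None and rate.get("period") else None),
    }


if __name__ == "__main__":
    # Constructed sample image metadata and flavor extra specs.
    image = {"hw_rng_model": "virtio"}
    flavor = {"hw_rng:allowed": "True",
              "hw_rng:rate_bytes": 1024, "hw_rng:rate_period": 1000}
    device_xml = build_rng_device(image, flavor, host_device="/dev/hwrng")
    print(device_xml)
    print(parse_rng_device(device_xml))
```

The point worth checking in a real deployment is the two-sided gate: an image that asks for virtio-rng gets nothing unless the flavor also allows it, so a missing `hw_rng:allowed` silently leaves the guest with its original entropy starvation. `parse_rng_device` is the audit side, for confirming from `virsh dumpxml` output that the device is present and that the backend points at the host source you intended.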

Tags: sec-guide
tags: added: sec-guide
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
milestone: none → juno
Changed in openstack-manuals:
assignee: nobody → Shellee Arnold (shellee-arnold)
Changed in openstack-manuals:
assignee: Shellee Arnold (shellee-arnold) → nobody
N Dillon (sicarie)
Changed in openstack-manuals:
assignee: nobody → N Dillon (sicarie)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to security-doc (master)

Fix proposed to branch: master
Review: https://review.openstack.org/131264

Changed in openstack-manuals:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to security-doc (master)

Reviewed: https://review.openstack.org/131264
Committed: https://git.openstack.org/cgit/openstack/security-doc/commit/?id=2749655201a4913b63900e00d43838b9149be476
Submitter: Jenkins
Branch: master

commit 2749655201a4913b63900e00d43838b9149be476
Author: dillonn <email address hidden>
Date: Mon Oct 27 13:16:59 2014 -0700

    Updating 'Entropy to Instances' section of the Security Guide

    Formatted Entropy section and integrated Virtio RNG tool with current
    EGD section, and included docbook formatting for files and literals.

    Change-Id: I7cdc74a19d6f0ed54763c85936a4a686bb10928a
    Closes-Bug: #1348798

Changed in openstack-manuals:
status: In Progress → Fix Released