RFE: Add a virtio-rng device to Nova instances by default

Bug #1789868 reported by Dr. David Alan Gilbert
This bug affects 3 people
Affects: OpenStack Compute (nova)
Status: Fix Released
Importance: Medium
Assigned to: Kashyap Chamarthy

Bug Description

What do we want: Entropy!
When do we want it: By default!

Nova doesn't add an RNG to the guests by default; this seems a serious problem - the guests should get a good entropy source to ensure that everything during boot gets randomised, and also you sometimes get hangs where guests are starved of entropy (there are some newer guest kernels that seem more prone to this, but still it's a more general problem).

Old arguments for why we didn't have a virtio-rng by default:
   a) We were using the host's /dev/random and it could block - we moved to urandom and that problem doesn't exist any more
   b) We didn't have Windows drivers? We do now

(IMHO this is fairly important - we really should have the RNG)

Tags: libvirt
tags: added: libvirt
Changed in nova:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Kashyap Chamarthy (kashyapc)
description: updated
Kashyap Chamarthy (kashyapc) wrote :

For Windows, IIUC, these are the Virtio drivers:

https://docs.pagure.org/docs-fedora/create-windows-vms-using-virtio.html

Kashyap Chamarthy (kashyapc) wrote :

Hmm, looking at Nova's Git history, we _had_ a default (/dev/random) by default:

    commit b94550f4199f858e5be491a97a2bc04959b9dcd3
    Author: Vladik Romanovsky <email address hidden>
    Date: Thu Jan 16 16:13:44 2014 -0500

        libvirt: configuration element for a random number generator device

        This configuration exposes a paravirtual random number generator device,
        with a default backend set to a hosts /dev/random

        An optional rate element can be provided in order to limit the consumption
        of host's entropy by the guest.

        Partially implements blueprint libvirt-rng-device
        Change-Id: Id1be32a307473aec2ff0b54b43b2ca3547d74b84

But it was removed:

    commit 605677ca57961b5edbb2e89abb15d0f34ca93678
    Author: Mark McLoughlin <email address hidden>
    Date: Wed Feb 19 07:24:17 2014 +0000

        libvirt: remove explicit /dev/random rng default

        libvirt (or rather qemu) will default to /dev/random if no rng device
        path is specified i.e.

          <rng model='virtio'>
            <backend model='random'/>
          </rng>

        It's preferable for us to not duplicate this default to allow for a
        future where libvirt or the hypervisor needs to make more intelligent
        decisions about the default device to use.

        Also, improve the unit tests to catch this issue.

        Change-Id: Ia0f922f7de575496972b4dfa9d56aa22205f1758

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/616603

Changed in nova:
status: Triaged → In Progress
Changed in nova:
assignee: Kashyap Chamarthy (kashyapc) → s10 (vlad-esten)
s10 (vlad-esten)
Changed in nova:
assignee: s10 (vlad-esten) → nobody
Changed in nova:
assignee: nobody → s10 (vlad-esten)
s10 (vlad-esten)
Changed in nova:
assignee: s10 (vlad-esten) → nobody
Changed in nova:
assignee: nobody → s10 (vlad-esten)
Changed in nova:
assignee: s10 (vlad-esten) → Kashyap Chamarthy (kashyapc)
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/616603
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=de512f2c025429b72ade5a5ec38a6f1bde60af3c
Submitter: Zuul
Branch: master

commit de512f2c025429b72ade5a5ec38a6f1bde60af3c
Author: Kashyap Chamarthy <email address hidden>
Date: Thu Sep 20 11:16:40 2018 +0200

    libvirt: Add a default VirtIO-RNG device to guests

    tl;dr: We're adding the default VirtIO-RNG device to ensure guests are
           not starved of entropy (and thus not hang) during boot time.

    Background
    ----------

    From Nova Git history, commit b94550f419 ("libvirt: configuration
    element for a random number generator device") _did_ add a default RNG
    device (but with its entropy source to the undesirable '/dev/random').
    However, the default RNG device was immediately removed in another
    commit (605677c -- "libvirt: remove explicit /dev/random rng default"),
    with this rationale:

        libvirt (or rather qemu) will default to /dev/random if no rng device
        path is specified [...]

        It's preferable for us to not duplicate this default to allow for a
        future where libvirt or the hypervisor needs to make more intelligent
        decisions about the default device to use.

    The above reasoning doesn't hold up, because:

    (a) libvirt does not make "policy" decisions, such as choosing an
        entropy source (or any other such). Therefore Nova, as a management
        application, should make the decision here.

    (b) More importantly, when QEMU exposes a VirtIO-RNG device to the
        guest, that device needs a source of entropy; and QEMU by default
        uses the legacy and problematic `/dev/random` as the source —
        instead of the preferred `/dev/urandom`. So QEMU's default for
        VirtIO-RNG devices is not sufficient, and Nova should not rely on
        it. (Discussion[+] on 'qemu-devel' list to consider changing QEMU's
        default.)

                        * * *

    In this patch:

      - Make Nova configure a VirtIO-RNG device by default for guests.
        (Which will be using `/dev/urandom` as the default entropy source.)
        This will also work for Windows guests, when using VirtIO-Win
        drivers[*] on the Linux host.

      - The 'hw_rng_model' image metadata property is now rendered
        (temporarily) useless -- as it's not used anywhere outside the
        _add_rng_device() method. But we don't want to deprecate it yet, as
        we may extend it (see code comment for details); document that.

    [*] https://docs.pagure.org/docs-fedora/create-windows-vms-using-virtio.html
    [+] https://lists.nongnu.org/archive/html/qemu-devel/2018-09/msg02724.html
        -- "[RFC] Virtio RNG: Consider changing the default entropy source to
        /dev/urandom?"

    Closes-Bug: #1789868

    Change-Id: I28e66c9640c38d23b8c0dbd0b05f5260bfcf6d30
    Signed-off-by: Kashyap Chamarthy <email address hidden>

Changed in nova:
status: In Progress → Fix Released
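
An added example, not part of the bug report or of Nova's code: a check an operator could run over libvirt domain XML (for instance the output of `virsh dumpxml`) to see which guests have no VirtIO-RNG device, which leave the entropy path to the hypervisor default as in commit 605677c, and which use `/dev/urandom` as the merged fix intends. The sample XML is constructed, and the function names and verdict strings are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML, trimmed to the parts the check reads.
SAMPLES = {
    "no-rng": "<domain><name>g1</name><devices/></domain>",
    "implicit": "<domain><name>g2</name><devices><rng model='virtio'>"
                "<backend model='random'/></rng></devices></domain>",
    "random": "<domain><name>g3</name><devices><rng model='virtio'>"
              "<backend model='random'>/dev/random</backend></rng></devices></domain>",
    "urandom": "<domain><name>g4</name><devices><rng model='virtio'>"
               "<rate period='2000' bytes='1024'/>"
               "<backend model='random'>/dev/urandom</backend></rng></devices></domain>",
}


def classify_rng(rng):
    """Classify one <rng> element by its model and entropy backend."""
    if not (rng.get("model") or "").startswith("virtio"):
        return "not-virtio"
    backend = rng.find("backend")
    if backend is None or backend.get("model") != "random":
        return "other-backend"       # e.g. an EGD socket; not judged here
    path = (backend.text or "").strip()
    if path == "/dev/urandom":
        return "ok"
    if path == "":
        return "hypervisor-default"  # path left to libvirt/QEMU, as in commit 605677c
    if path == "/dev/random":
        return "blocking-source"
    return "other-path"


def audit_domain(domain_xml):
    """Return (guest name, verdict) for one domain XML document."""
    root = ET.fromstring(domain_xml)
    name = root.findtext("name", default="?")
    verdicts = [classify_rng(r) for r in root.findall("./devices/rng")]
    if not verdicts:
        return name, "missing"
    # One correctly backed device is enough for the guest to pass.
    return name, "ok" if "ok" in verdicts else verdicts[0]


if __name__ == "__main__":
    for label, xml_text in SAMPLES.items():
        print(label, audit_domain(xml_text))
```
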