[systemd-devel] Delaying (SSH) key generation until the urandom pool is initialized

Florian Weimer fweimer at redhat.com
Wed Apr 30 05:10:56 PDT 2014


On 04/30/2014 01:14 PM, Daniel P. Berrange wrote:
> On Tue, Apr 29, 2014 at 08:43:38PM +0200, Florian Weimer wrote:
>> The message at <https://mail.gnome.org/archives/ostree-list/2014-February/msg00010.html>
>> contains two boot traces from virtual machines which show that the
>> SSH key is generated before the kernel pool is sufficiently seeded.
>
> I'm wondering if the VMs that ostree is creating are being given a
> virtio-rng device ? If not that would probably be a good idea to
> enable to allow them to get entropy. VMs are generally starved of
> entropy even beyond the initial boot up stage, so a virtual RNG is
> generally useful.

Interesting suggestion.  I just used virt-manager to create the VM.  I 
don't see any trace for "rng" or "random" in the domain XML file.  If it 
is supported, I think it should be enabled by default.

(But I see a similar issue on bare metal.)

-- 
Florian Weimer / Red Hat Product Security Team
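An added example, not from the thread or from systemd, of how a boot-time service can implement the "delay key generation" idea above: it asks the kernel whether the urandom pool is initialized and only then draws the key material. It assumes Linux 3.17 or later, where the getrandom(2) system call exists (it was merged after this April 2014 thread): with flags 0 the call blocks until the pool is initialized, with GRND_NONBLOCK it fails with EAGAIN instead, which gives a clean "is it seeded yet?" probe. The raw syscall is used so the example also builds against a libc that predates the getrandom() wrapper.

```c
/* Added example (not code from the thread or from systemd):
 * wait until the kernel's urandom pool reports itself initialized
 * before drawing key material, using getrandom(2) (Linux >= 3.17). */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001   /* from <linux/random.h> */
#endif

/* Thin wrapper over the raw syscall; returns bytes read or -1 with errno set. */
static long sys_getrandom(void *buf, size_t len, unsigned int flags)
{
    return syscall(SYS_getrandom, buf, len, flags);
}

/* Probe the pool without blocking.
 * Returns 1 if the pool is initialized, 0 if it is not yet,
 * -1 if getrandom is unavailable (e.g. ENOSYS on an old kernel). */
int urandom_pool_ready(void)
{
    unsigned char probe;
    long r = sys_getrandom(&probe, 1, GRND_NONBLOCK);
    if (r == 1)
        return 1;
    if (r < 0 && errno == EAGAIN)
        return 0;           /* pool exists but is not seeded yet */
    return -1;
}

/* Block until the pool is initialized, then fill buf with len bytes.
 * Handles EINTR and short reads. Returns 0 on success, -1 on failure. */
int fill_seeded_random(unsigned char *buf, size_t len)
{
    size_t done = 0;
    while (done < len) {
        /* flags == 0: sleep until the kernel considers the pool seeded */
        long r = sys_getrandom(buf + done, len - done, 0);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        done += (size_t)r;
    }
    return 0;
}

/* Stand-alone demo: report pool state, then print a 32-byte seed in hex.
 * A real key-generation service would exec ssh-keygen (or equivalent)
 * only after fill_seeded_random() has returned successfully. */
int main(void)
{
    unsigned char seed[32];
    int state = urandom_pool_ready();
    printf("pool ready before wait: %s\n",
           state == 1 ? "yes" : state == 0 ? "no" : "unknown (no getrandom)");
    if (fill_seeded_random(seed, sizeof seed) != 0) {
        perror("getrandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof seed; i++)
        printf("%02x", seed[i]);
    putchar('\n');
    return 0;
}
```

On a guest that has no hardware source, this wait can be long; that is the case for the virtio-rng device suggested above, which libvirt declares in the domain XML as an <rng model='virtio'> element (a fact about libvirt, not something taken from the thread), so that the guest pool is seeded from the host early in boot.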

