[systemd-devel] Delaying (SSH) key generation until the urandom pool is initialized
Daniel P. Berrange
berrange at redhat.com
Wed Apr 30 05:28:59 PDT 2014
On Wed, Apr 30, 2014 at 02:10:56PM +0200, Florian Weimer wrote:
> On 04/30/2014 01:14 PM, Daniel P. Berrange wrote:
> >On Tue, Apr 29, 2014 at 08:43:38PM +0200, Florian Weimer wrote:
> >>The message at <https://mail.gnome.org/archives/ostree-list/2014-February/msg00010.html>
> >>contains two boot traces from virtual machines which show that the
> >>SSH key is generated before the kernel pool is sufficiently seeded.
> >
> >I'm wondering if the VMs that ostree is creating are being given a
> >virtio-rng device? If not, that would probably be a good idea to
> >enable to allow them to get entropy. VMs are generally starved of
> >entropy even beyond the initial boot-up stage, so a virtual RNG is
> >generally useful.
>
> Interesting suggestion. I just used virt-manager to create the VM.
> I don't see any trace for "rng" or "random" in the domain XML file.
> If it is supported, I think it should be enabled by default.
I'm told that it isn't turned on by default, but you can add it to
a VM post-install. Since it feeds VMs from the host's /dev/random
or /dev/hwrng, there was a question mark as to whether it was right
to enable it by default or not, and if so what kind of rate limiting
might be wanted by default.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
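The thread suggests auditing a VM's domain XML for a virtio-rng device and adding one post-install with rate limiting. The script below is an added example, not code from the thread or from libvirt: it parses a constructed domain XML, reports any `<rng>` devices, and appends a `<rng model='virtio'>` element backed by `/dev/random` (the host `/dev/hwrng` mentioned in the thread is the other option) with a `<rate>` limit. The libvirt element layout (`<rng model='virtio'><rate period='…' bytes='…'/><backend model='random'>…</backend></rng>`) is real; the domain name, disk path and the period/bytes values are assumptions chosen for illustration.

```python
"""Audit a libvirt domain XML for a virtio-rng device and add one if missing.

Added example, not from the systemd-devel thread or from libvirt itself.
Assumes the libvirt <rng> element layout:
  <rng model='virtio'>
    <rate period='MILLISECONDS' bytes='BYTES'/>
    <backend model='random'>/dev/random</backend>
  </rng>
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed domain definition with no <rng> device,
# i.e. what virt-manager produced in the thread (paths are made up).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>ostree-test</name>
  <devices>
    <emulator>/usr/bin/qemu-system-x86_64</emulator>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/ostree-test.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
  </devices>
</domain>"""


def describe_rng_devices(domain_xml):
    """Return one dict per <devices>/<rng> element: model, backend path,
    backend model and the rate limit (period in ms, bytes per period),
    with None where an attribute or child is absent."""
    root = ET.fromstring(domain_xml)
    found = []
    for rng in root.findall("./devices/rng"):
        backend = rng.find("backend")
        rate = rng.find("rate")
        found.append({
            "model": rng.get("model"),
            "backend": backend.text.strip() if backend is not None and backend.text else None,
            "backend_model": backend.get("model") if backend is not None else None,
            "period_ms": int(rate.get("period")) if rate is not None and rate.get("period") else None,
            "bytes": int(rate.get("bytes")) if rate is not None and rate.get("bytes") else None,
        })
    return found


def has_virtio_rng(domain_xml):
    """True if the guest already has a virtio-model RNG device."""
    return any(d["model"] == "virtio" for d in describe_rng_devices(domain_xml))


def rate_bytes_per_second(period_ms, max_bytes):
    """Convert libvirt's (period, bytes) pair into a bytes/second budget,
    which is what you compare against when deciding a sane host-side cap."""
    return max_bytes * 1000.0 / period_ms


def add_virtio_rng(domain_xml, backend="/dev/random", period_ms=1000, max_bytes=1024):
    """Return the domain XML with a rate-limited virtio-rng device appended.

    Idempotent: if a virtio rng device is already present the document is
    returned unchanged (apart from re-serialisation).  The default budget
    of 1024 bytes per 1000 ms is an assumed illustrative value, not a
    libvirt default."""
    root = ET.fromstring(domain_xml)
    devices = root.find("devices")
    if devices is None:
        devices = ET.SubElement(root, "devices")
    if any(r.get("model") == "virtio" for r in devices.findall("rng")):
        return ET.tostring(root, encoding="unicode")
    rng = ET.SubElement(devices, "rng", model="virtio")
    # The rate cap protects the host pool from a guest draining it.
    ET.SubElement(rng, "rate", period=str(period_ms), bytes=str(max_bytes))
    backend_el = ET.SubElement(rng, "backend", model="random")
    backend_el.text = backend
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("virtio-rng present before:", has_virtio_rng(SAMPLE_DOMAIN_XML))
    patched = add_virtio_rng(SAMPLE_DOMAIN_XML)
    for dev in describe_rng_devices(patched):
        print(dev, "->", rate_bytes_per_second(dev["period_ms"], dev["bytes"]), "B/s")
```

The `<rng>` fragment this produces is the same shape you would hand to `virsh attach-device <domain> rng.xml --config` for an existing guest, or paste into `virsh edit`; the guest then needs the virtio-rng driver loaded (and, for the original problem, a service ordering that waits for the kernel pool before generating SSH host keys) for the extra entropy to arrive in time.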