<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Marco, can you please join the discussion? Below are some findings from Alexandre.</div><div><br></div><div>Thanks!<br><br>Greets,<br>Stefan<div><br></div><div>Excuse my typo s<span style="font-size: 13pt;">ent from my mobile phone.</span></div></div><div><br>On 01.06.2015 at 18:52, Alexandre DERUMIER <<a href="mailto:aderumier@odiso.com">aderumier@odiso.com</a>> wrote:<br><br></div><blockquote type="cite"><div><span>I had a look for some more information about virtio-rng</span><br><span></span><br><span><a href="https://lists.fedoraproject.org/pipermail/devel/2013-February/177909.html">https://lists.fedoraproject.org/pipermail/devel/2013-February/177909.html</a></span><br><span></span><br><span></span><br><span>"BTW, virtio-rng really only works well if you have a hardware RNG in the</span><br><span>host. Otherwise, the host kernel will take too much time (a few</span><br><span>minutes) before producing enough entropy to feed the FIPS tests in the</span><br><span>guest, and during this time the host will be entropy-starved."</span><br><span></span><br><span>So I don't know if it's a good idea to enable it by default. (performance?)</span><br><span>It needs to be tested.</span><br><span></span><br><span></span><br><span></span><br><span></span><br><span>With an ivy-bridge processor,</span><br><span>it's possible to pass RDRAND to the guest (I haven't checked whether qemu is filtering it or not), without virtio-rng.</span><br><span></span><br><span>or it's possible to map it on the host to /dev/random, but it requires an additional daemon</span><br><span></span><br><span>"RDRAND only hands out random numbers. We plan to add QEMU support for</span><br><span>using RDRAND directly (with whitening, similar to rngd), but it is not</span><br><span>in yet. 
Right now what you do is use rngd in the host to feed</span><br><span>/dev/random with random numbers from RDRAND, connect /dev/random to</span><br><span>virtio-rng."</span><br><span></span><br><span></span><br><span>With the new Broadwell processor, it's directly feeding /dev/random, so in this case we can use virtio-rng by default.</span><br><span></span><br><span></span><br><span></span><br><span></span><br><span>But the article here:</span><br><span><a href="http://rhelblog.redhat.com/2015/03/09/red-hat-enterprise-linux-virtual-machines-access-to-random-numbers-made-easy/">http://rhelblog.redhat.com/2015/03/09/red-hat-enterprise-linux-virtual-machines-access-to-random-numbers-made-easy/</a></span><br><span></span><br><span>says that a change has been made in rhel7.1 (no patch reference), so that no daemon is needed for ivy-bridge.</span><br><span></span><br><span></span><br><span>I'll try to dig a little bit more tomorrow</span><br><span></span><br><span>----- Original Mail -----</span><br><span>From: "dietmar" <<a href="mailto:dietmar@proxmox.com">dietmar@proxmox.com</a>></span><br><span>To: "Stefan Priebe" <<a href="mailto:s.priebe@profihost.ag">s.priebe@profihost.ag</a>>, "aderumier" <<a href="mailto:aderumier@odiso.com">aderumier@odiso.com</a>></span><br><span>Cc: "pve-devel" <<a href="mailto:pve-devel@pve.proxmox.com">pve-devel@pve.proxmox.com</a>></span><br><span>Sent: Monday 1 June 2015 17:39:25</span><br><span>Subject: Re: [pve-devel] Qemu / virtio-rng-pci</span><br><span></span><br><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Sure. I'm just thinking about the check regarding Qemu 2.3. I would also </span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>like to use it for older qemu versions / installations. 
</span><br></blockquote></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><span></span><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><blockquote type="cite"><span>Is there no other way to support it and not to break live migration? </span><br></blockquote></blockquote></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>I don't see how to do it, adding a new pci device by default will break live </span><br></blockquote><blockquote type="cite"><span>migration. </span><br></blockquote><blockquote type="cite"><span>Or we need to add a new option in vmid.conf </span><br></blockquote><blockquote type="cite"><span></span><br></blockquote><blockquote type="cite"><span>@Dietmar : any opinion ? </span><br></blockquote><span></span><br><span>I don't really want a new option for that... </span><br></div></blockquote></body></html>