[pve-devel] Qemu / virtio-rng-pci

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Thu Jun 4 08:22:51 CEST 2015


On 03.06.2015 at 22:55, Alexandre DERUMIER wrote:
>>> The problem is that the implementation done by redhat of the interface is 
>>> not very good and it can result in hanging qemu processes
> 
> That's what I understand if you don't have hardware to generate entropy fast enough on host.
> (entropy starvation if a lot of qemu guests access host /dev/random).
> 
> I think it can be solved by :
> 
> 1) host : hardware entropy ---> virtio-ring guest
> 2) host : >=ivybridge (RDRAND) + rngd daemon  to feed /dev/random    ---> virtio-ring guest
> 3) host : >=broadwell (RDSEED) (hardware /dev/random)  --->virtio-ring guest 
> 4) guest > qemu 2.3 >=ivybridge (RDRAND) + rngd daemon in guest to feed /dev/random
> 

Not sure whether this helps. At least the kernel does not trust RDRAND /
RDSEED. So it does not generate entropy from it. It just uses it to XOR
the seed.

For example see:
http://www.theregister.co.uk/2013/09/10/torvalds_on_rrrand_nsa_gchq/

Stefan

> ----- Original Message -----
> From: "Stefan Priebe" <s.priebe at profihost.ag>
> To: "dietmar" <dietmar at proxmox.com>, "aderumier" <aderumier at odiso.com>
> Cc: "pve-devel" <pve-devel at pve.proxmox.com>
> Sent: Wednesday 3 June 2015 20:41:48
> Subject: Re: [pve-devel] Qemu / virtio-rng-pci
> 
> On 03.06.2015 at 17:29, Dietmar Maurer wrote:
>>>> Well, the patch checks the version of qemu or the machine option or 
>>>> forcemachine from qemu live migration. 
>>>
>>> Ah ok sorry didn't see this. But I still think it's bad to rely on qemu 
>>> versions. 
>>> What about a pve compatibility flag in the conf file which gets only reset on 
>>> a fresh start? Might be also useful for suspends or snapshots? So it would be 
>>> possible to change options or defaults without the need to change qemu 
>>> version? 
>>
>> I usually try to avoid complex things unless I really need them ... 
>>
>> It is also unclear to me if you need the virtio-rng-pci device, or is the 
>> problem solved by those new CPU flags? 
>>
> 
> Sorry for all the noise. We discussed this today in our office. The 
> problem is that the implementation done by redhat of the interface is 
> not very good and it can result in hanging qemu processes. At least this 
> is what I read in some fedora postings. 
> 
> So we go for haveged in each VM. Sorry for the noise ;-( 
> 
> Greets, 
> Stefan 
> 


