[PVE-User] Debian buster inside PVE KVM

Thomas Lamprecht t.lamprecht at proxmox.com
Mon Jul 8 12:19:23 CEST 2019


On 7/8/19 at 12:13 PM, Fabian Grünbichler wrote:
> On Mon, Jul 08, 2019 at 09:10:48AM +0200, Thomas Lamprecht wrote:
>> On 7/8/19 at 8:05 AM, Fabian Grünbichler wrote:
>>> On Mon, Jul 08, 2019 at 02:16:34AM +0200, Chris Hofstaedtler | Deduktiva wrote:
>>>> Hello,
>>>>
>>>> while doing some test upgrades I ran into the buster RNG problem [1],
>>>> where the newer kernel and systemd use a lot more randomness during
>>>> boot, causing startup delays.
>>>>
>>>> Very clearly noticeable in dmesg:
>>>> [    1.500056] random: fast init done
>>>> [  191.700840] random: crng init done
>>>> [  191.701445] random: 7 urandom warning(s) missed due to ratelimiting
>>>>
>>>> I couldn't find a supported way of enabling virtio_rng [2] in PVE
>>>> 5.4 or the 6.0 beta. As a test, I've set "args: -device
>>>> virtio-rng-pci" and that appears to work - the VM auto-loads the
>>>> virtio_rng kmod and "crng init done" happens at ~4s after poweron.
>>>
>>> yes, that's the way to go for now.
>>>
>>>> Are there any recommendations at this time or plans for adding
>>>> virtio_rng?
>>>
>>> filed [1] to keep track of adding proper support, as it sounds like a
>>> simple enough but worthwhile feature to me :)
>>>
>>> 1: https://bugzilla.proxmox.com/show_bug.cgi?id=2264
>>>
>>
>> The request for this is a bit older, and then some concerns about
>> possibly depleting the host's entropy pool were raised.
>> Maybe we want to ship haveged, or at least recommend it in docs if no
>> other "high" bandwidth (relatively speaking) HW RNG source is
>> available on the host... ATM, I cannot find the discussion, sorry,
>> IIRC it was on a mailing list of ours..
> 
> haveged is surrounded by some controversy especially for usage inside
> VMs, since it relies on jitter via timer instructions that may or may
> not be passed through to the actual hardware, and most recommendations
> actually err on the side of "stay away unless you have no choice" (see
> 1, 2 and the stuff linked there).

OK, those are the issues I was concerned about possibly existing. Thanks
for pointing at them!

> 
> virtio-rng does have the issue of potentially depleting the host's
> entropy pool; with a proper HWRNG, this is not really an issue. It is
> possible to ratelimit the virtio-rng device (max-bytes/period
> parameter).
> 
> offering it as opt-in with the proper caveat ("only enable if your host
> can provide lots of entropy") is probably better than pointing at
> potentially problematic solutions?

Definitively.

> 
> VMs with CPU types that pass in rdrand/rdseed are also "fixed".
> 
> 1: https://wiki.debian.org/BoottimeEntropyStarvation
> 2: https://wiki.archlinux.org/index.php/Haveged
> 
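An added example, not from the thread or from Proxmox: a small guest-side check for the boot-time entropy starvation discussed above (it parses the dmesg excerpt Chris quoted and flags a late "crng init done"), together with the opt-in host-side `args:` line carrying the max-bytes/period rate limit Fabian mentions. The 1024 bytes per 1000 ms budget, the choice of `/dev/urandom` as the host source, and the `rng_current` sysfs path are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from Proxmox: a guest-side check for
# boot-time entropy starvation, plus the opt-in host-side virtio-rng line
# with the max-bytes/period rate limit mentioned in the thread.

# Opt-in VM config line (goes in the VM's qemu-server .conf as "args:").
# The 1024 bytes per 1000 ms budget is an assumed value, chosen so a guest
# cannot drain the host pool; use /dev/random only if the host has a HWRNG.
PVE_ARGS_RATELIMITED='-object rng-random,filename=/dev/urandom,id=rng0 -device virtio-rng-pci,rng=rng0,max-bytes=1024,period=1000'

# Constructed sample input: the dmesg excerpt quoted in the thread.
SAMPLE_DMESG='[    1.500056] random: fast init done
[  191.700840] random: crng init done
[  191.701445] random: 7 urandom warning(s) missed due to ratelimiting'

# crng_init_seconds LOGTEXT -> prints the whole second at which the kernel
# logged "crng init done", or "none" if the message is absent.
crng_init_seconds() {
    printf '%s\n' "$1" | awk '
        /random: crng init done/ {
            if (match($0, /^\[ *[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH); sub(/^\[ */, "", s)
                print s; found = 1; exit
            }
        }
        END { if (!found) print "none" }'
}

# crng_is_slow LOGTEXT THRESHOLD_SECONDS -> exit 0 if the CRNG took longer
# than the threshold (or never initialised), 1 otherwise.
crng_is_slow() {
    secs=$(crng_init_seconds "$1")
    [ "$secs" = "none" ] && return 0
    [ "$secs" -gt "$2" ]
}

# active_hwrng -> prints the kernel's current hwrng source ("virtio_rng.0"
# when the virtio device is in use) or "unavailable" outside a Linux guest.
active_hwrng() {
    f=/sys/devices/virtual/misc/hw_random/rng_current
    [ -r "$f" ] && cat "$f" || echo unavailable
}
```

On a running guest, `crng_is_slow "$(dmesg)" 10 && echo starved` reports a CRNG that needed more than ten seconds, and `active_hwrng` shows whether the virtio device is actually feeding the kernel.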