[PVE-User] Debian buster inside PVE KVM
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Jul 8 12:13:37 CEST 2019
On Mon, Jul 08, 2019 at 09:10:48AM +0200, Thomas Lamprecht wrote:
> Am 7/8/19 um 8:05 AM schrieb Fabian Grünbichler:
> > On Mon, Jul 08, 2019 at 02:16:34AM +0200, Chris Hofstaedtler | Deduktiva wrote:
> >> Hello,
> >>
> >> while doing some test upgrades I ran into the buster RNG problem [1],
> >> where the newer kernel and systemd use a lot more randomness during
> >> boot, causing startup delays.
> >>
> >> Very clearly noticable in dmesg:
> >> [ 1.500056] random: fast init done
> >> [ 191.700840] random: crng init done
> >> [ 191.701445] random: 7 urandom warning(s) missed due to ratelimiting
> >>
> >> I couldn't find a supported way of enabling virtio_rng [2] in PVE
> >> 5.4 or the 6.0 beta. As a test, I've set "args: -device
> >> virtio-rng-pci" and that appears to work - the VM auto-loads the
> >> virtio_rng kmod and "crng init done" happens at ~4s after poweron.
> >
> > yes, that's the way to go for now.
> >
> >> Are there any recommendations at this time or plans for adding
> >> virtio_rng?
> >
> > filed [1] to keep track of adding proper support, as it sounds like a
> > simple enough but worthwhile feature to me :)
> >
> > 1: https://bugzilla.proxmox.com/show_bug.cgi?id=2264
> >
>
> The request for this is a bit older, and then some concerns about
> possible depleting the hosts entropy pool were raised.
> Maybe we want to ship havedged, or at least recommend it in docs if no
> other "high" bandwitdh (relatively speaking) HW rng source is
> available on the host... ATM, I cannot find the discussion, sorry,
> IIRC it was on a mailing list of ours..
haveged is surrounded by some controversy especially for usage inside
VMs, since it relies on jitter via timer instructions that may or may
not be passed through to the actual hardware, and most recommendations
actually err on the side of "stay away unless you have no choice"(see
1, 2 and the stuff linked there).
virtio-rng does have the issue of potentially depleting the host's
entropy pool, with a proper HWRNG, this is not really an issue. it is
possible to ratelimit the virtio-rng device (max-bytes/period
parameter).
offering as opt-in it with the proper caveat ("only enable if your host
can provide lots of entropy") is probably better than pointing at
potentially problematic solutions?
VMs with CPU types that pass in rdrand/rdseed are also "fixed".
1: https://wiki.debian.org/BoottimeEntropyStarvation
2: https://wiki.archlinux.org/index.php/Haveged
More information about the pve-user
mailing list