Howto enable virtio_rng for the kvm-client?

[udo]

Hi,
I tried to get an better entropy inside an kvm-guest (I know that haveged is the right tool for that, but inside this distro I can't used them).

With rngd (rng-tools) I should be able to get better random inside the VM - if I have an connected random-device.

With libvirt I must create the random generator in the client config like this

   <rng model='virtio'>
     <backend model='random'>/dev/random</backend>
   </rng>

How I get the same with pve?

Udo

 

[spirit]

Maybe you can try to add the device with

args: -object rng-random,filename=/dev/hwrng,id=rng0 -device virtio-rng-pci,rng=rng0

?

 

[udo]

Hi Spirit,
with this args the VM don't start:

kvm: -device virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3: PCI: slot 3 function 0 not available for virtio-balloon-pci, in use by virtio-rng-pci
start failed: command '/usr/bin/kvm -id 106 -chardev 'socket,id=qmp,path=/var/run/qemu-server/106.qmp,server,nowait' -mon 'chardev=qmp,mode=control' -pidfile /var/run/qemu-server/106.pid -daemonize -smbios 'type=1,uuid=a4d86df8-7492-44b3-80d8-f6df9ba1bb35' -name test-migrate -smp '2,sockets=2,cores=1,maxcpus=2' -nodefaults -boot 'menu=on,strict=on,reboot-timeout=1000' -vga cirrus -vnc unix:/var/run/qemu-server/106.vnc,x509,password -cpu kvm64,+lahf_lm,+sep,+kvm_pv_unhalt,+kvm_pv_eoi,enforce -m 2048 -k de -object 'rng-random,filename=/dev/hwrng,id=rng0' -device 'virtio-rng-pci,rng=rng0' -device 'pci-bridge,id=pci.1,chassis_nr=1,bus=pci.0,addr=0x1e' -device 'pci-bridge,id=pci.2,chassis_nr=2,bus=pci.0,addr=0x1f' -device 'piix3-usb-uhci,id=uhci,bus=pci.0,addr=0x1.0x2' -device 'usb-tablet,id=tablet,bus=uhci.0,port=1' -device 'virtio-balloon-pci,id=balloon0,bus=pci.0,addr=0x3' -iscsi 'initiator-name=iqn.1993-08.org.debian:01:23c03d5b3063' -drive 'file=/mnt/pve_local/images/106/snap.qcow2,if=none,id=drive-ide0,format=qcow2,cache=none,aio=native,detect-zeroes=on' -device 'ide-hd,bus=ide.0,unit=0,drive=drive-ide0,id=ide0' -drive 'file=/var/lib/vz/template/iso/dl-1.8.0-rc2-2016-09-24-x86_64.iso,if=none,id=drive-ide2,media=cdrom,aio=threads' -device 'ide-cd,bus=ide.1,unit=0,drive=drive-ide2,id=ide2,bootindex=100' -netdev 'type=tap,id=net0,ifname=tap106i0,script=/var/lib/qemu-server/pve-bridge,downscript=/var/lib/qemu-server/pve-bridgedown,vhost=on' -device 'virtio-net-pci,mac=36:63:61:63:36:30,netdev=net0,bus=pci.0,addr=0x12,id=net0' -rtc 'base=localtime'' failed: exit code 1

I changed the line to "args: -object rng-random,filename=/dev/hwrng,id=rng0 -device virtio-rng-pci,rng=rng0,bus=pci.0,addr=0x4" and the VM start, but crashed at the final boot-state and the VM is powered off:

Sep 25 20:50:24 pve1 qm[29299]: start VM 106: UPID:pve1:00007273:008DA807:57E81C70:qmstart:106:root@pam:
Sep 25 20:50:24 pve1 systemd[1]: Starting 106.scope.
Sep 25 20:50:24 pve1 systemd[1]: Started 106.scope.
Sep 25 20:50:25 pve1 ovs-vsctl: ovs|00001|vsctl|INFO|Called as /usr/bin/ovs-vsctl del-port tap106i0
Sep 25 20:50:25 pve1 ovs-vsctl: ovs|00002|db_ctl_base|ERR|no port named tap106i0
Sep 25 20:50:25 pve1 ovs-vsctl: ovs|00001|vsctl|INFO|Called as /usr/bin/ovs-vsctl add-port vmbr0 tap106i0
Sep 25 20:50:26 pve1 qm[29298]: <root@pam> end task UPID:pve1:00007273:008DA807:57E81C70:qmstart:106:root@pam: OK
Sep 25 20:50:29 pve1 kernel: [92851.422664] kvm: zapping shadow pages for mmio generation wraparound
Sep 25 20:50:37 pve1 pvedaemon[28949]: command '/bin/nc6 -l -p 5900 -w 10 -e '/usr/sbin/qm vncproxy 106 2>/dev/null'' failed: exit code 1
Sep 25 20:50:37 pve1 pveproxy[14755]: worker exit
Sep 25 20:50:37 pve1 pveproxy[24388]: worker 14755 finished
Sep 25 20:50:37 pve1 pveproxy[24388]: starting 1 worker(s)
Sep 25 20:50:37 pve1 pveproxy[24388]: worker 29348 started
Sep 25 20:50:37 pve1 pvedaemon[25560]: <root@pam> starting task UPID:pve1:000072A5:008DAD11:57E81C7D:vncproxy:106:root@pam:
Sep 25 20:50:37 pve1 pvedaemon[29349]: starting vnc proxy UPID:pve1:000072A5:008DAD11:57E81C7D:vncproxy:106:root@pam:
Sep 25 20:50:39 pve1 kernel: [92861.366432] kvm [29306]: vcpu0 unhandled rdmsr: 0xc001100d
Sep 25 20:50:39 pve1 kernel: [92861.502026] kvm [29306]: vcpu1 unhandled rdmsr: 0xc001100d
Sep 25 20:51:05 pve1 pvedaemon[29349]: command '/bin/nc6 -l -p 5900 -w 10 -e '/usr/sbin/qm vncproxy 106 2>/dev/null'' failed: exit code 1
Sep 25 20:51:06 pve1 pvedaemon[25560]: <root@pam> starting task UPID:pve1:000072D7:008DB837:57E81C9A:vncproxy:106:root@pam:
Sep 25 20:51:06 pve1 pvedaemon[29399]: starting vnc proxy UPID:pve1:000072D7:008DB837:57E81C9A:vncproxy:106:root@pam:
Sep 25 20:51:07 pve1 qm[29402]: VM 106 qmp command failed - VM 106 not running

pci-bus 4 should be free:

00:00.0 Host bridge: Intel Corporation 440FX - 82441FX PMC [Natoma] (rev 02)
00:01.0 ISA bridge: Intel Corporation 82371SB PIIX3 ISA [Natoma/Triton II]
00:01.1 IDE interface: Intel Corporation 82371SB PIIX3 IDE [Natoma/Triton II]
00:01.2 USB controller: Intel Corporation 82371SB PIIX3 USB [Natoma/Triton II] (rev 01)
00:01.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 03)
00:02.0 VGA compatible controller: Cirrus Logic GD 5446
00:03.0 Unclassified device [00ff]: Red Hat, Inc Virtio memory balloon
00:12.0 Ethernet controller: Red Hat, Inc Virtio network device
00:1e.0 PCI bridge: Red Hat, Inc. QEMU PCI-PCI bridge
00:1f.0 PCI bridge: Red Hat, Inc. QEMU PCI-PCI bridge

Udo

 

[spirit]

and if you use /dev/random instead /dev/hwrng ?

We have discussed about it last year
http://pve.proxmox.com/pipermail/pve-devel/2015-June/015388.html

Don't remember exactly how was feed the /dev/random (can be with new processors feature or physical entropy generator card,...)

 

[udo]

Hi Spirit,
thanks for the info... need to build an haveged for this system.

Udo