This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Re: [Xen-users] Re: [Xen-devel] dom0 and domU /dev/urandom generating too less entropy

To: Keir Fraser <Keir.Fraser@xxxxxxxxxxxx>
Subject: Re: [Xen-users] Re: [Xen-devel] dom0 and domU /dev/urandom generating too less entropy
From: Robbie Dinn <robbie@xxxxxxxxxxxx>
Date: Thu, 11 Oct 2007 12:44:36 +0100
Cc: Stephan Seitz <s.seitz@xxxxxxxxxxxx>, XEN Devel - listmembers <xen-devel@xxxxxxxxxxxxxxxxxxx>, XEN User - listmembers <xen-users@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Thu, 11 Oct 2007 04:45:23 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
In-reply-to: <C3338EE1.EB45%Keir.Fraser@xxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <C3338EE1.EB45%Keir.Fraser@xxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird (X11/20060911)
Keir Fraser wrote:
> On 10/10/07 21:00, "Stephan Seitz" <s.seitz@xxxxxxxxxxxx> wrote:
>> Do you know about a workaround, or maybe the possibility for another
>> (xen-specific) RNG
>> besides of /dev/urandom ?
> I'm surprised you see failures. By my understanding, /dev/urandom is always
> supposed to return the requested number of bytes, but their randomness depends
> on the amount of entropy currently in the pool. Perhaps sshd explicitly
> interrogates urandom to find out how much entropy it has gathered?
I haven't checked (I am too lazy to strace it) but I believe that sshd
is using /dev/random not /dev/urandom. You can see how much entropy is
available by cat'ing /proc/sys/kernel/random/entropy_avail .
> Anyway, the domU kernel gathers entropy from the interrupt delivery times of
> the netfront and blkfront drivers. This is similar to what a native kernel
> does. It's not clear how we can easily improve on that without e.g.,
> plumbing through a hardware RNG to domUs.

I had a similar problem on a mail server providing a pop3 service. Every
time a client machine connected to the pop3 daemon (cyrus imap actually),
it consumed entropy. More entropy was consumed for each connection
than was provided by the packets arriving. The machine ran out of entropy
and stopped providing bytes via /dev/random. The pop3 daemon ground
to a halt because it was waiting to read bytes from /dev/random.

The workaround was to feed entropy into the random number generator.
There is a user space tool to do this called 'rngd'.

The correct way to do this would be, as you say, to get the entropy
from outside the domU. I used a dirty hack instead, I ran

/sbin/rngd --rng-device=/dev/urandom

Yes, it is wrong and evil but it got me up and running again.

Xen-devel mailing list
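The failure mode in this thread is a headless guest whose entropy pool drains faster than interrupt timings refill it, so readers of /dev/random stall. The following is an added monitoring check, not code from the thread or from Xen: it reads the entropy_avail counter Robbie points at and, with select(), asks the kernel whether a read on /dev/random would block right now without consuming any entropy. The watermark thresholds are assumptions chosen for illustration, not kernel constants, and the script is only meaningful on Linux. On kernels 5.6 and later /dev/random no longer blocks once the CRNG is initialised, so the "would block" answer mainly matters for the older kernels the thread is about.

```python
# Added example (not from the Xen thread): detect the entropy starvation that
# stalled the pop3 daemon, without itself consuming any pool entropy.
import os
import select
import sys

# Paths named in the thread / standard Linux interfaces.
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
RANDOM_DEV = "/dev/random"

# Assumed thresholds for illustration only; the pool is 4096 bits on old kernels.
LOW_WATERMARK = 256    # below this, legacy kernels block /dev/random readers
WARN_WATERMARK = 1024  # below this, alert before services start to stall


def parse_entropy_avail(text):
    """Parse the single decimal value entropy_avail holds (bits of estimated entropy)."""
    value = int(text.strip())
    if value < 0:
        raise ValueError("entropy_avail cannot be negative")
    return value


def read_entropy_avail(path=ENTROPY_AVAIL):
    """Read and parse the kernel's current entropy estimate."""
    with open(path) as fh:
        return parse_entropy_avail(fh.read())


def classify(avail, low=LOW_WATERMARK, warn=WARN_WATERMARK):
    """Map the pool estimate to a status a monitoring system can alert on."""
    if avail < low:
        return "starved"
    if avail < warn:
        return "low"
    return "ok"


def random_would_block(device=RANDOM_DEV, timeout=0.0):
    """Return True if a read() on /dev/random would currently block.

    select() asks the kernel whether data is ready without reading any bytes,
    so polling this from cron does not make the starvation worse.
    """
    fd = os.open(device, os.O_RDONLY | os.O_NONBLOCK)
    try:
        readable, _, _ = select.select([fd], [], [], timeout)
        return not readable
    finally:
        os.close(fd)


def report():
    """Print one status line and return the classification for the exit code."""
    avail = read_entropy_avail()
    status = classify(avail)
    blocking = random_would_block()
    print(f"entropy_avail={avail} status={status} dev_random_would_block={blocking}")
    # A blocking /dev/random on a guest with no real entropy source is the
    # condition the thread describes; the fix is a genuine external source
    # (e.g. rngd fed from hardware), not recycling /dev/urandom into the pool.
    return status


if __name__ == "__main__":
    if not os.path.exists(ENTROPY_AVAIL):
        sys.exit("not a Linux system with /proc/sys/kernel/random")
    sys.exit(0 if report() == "ok" else 1)
```

Run it from cron on a domU and alert on a non-zero exit; a status of "starved" together with `dev_random_would_block=True` is the exact state in which a daemon reading /dev/random will hang.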